Friday Flash 10.23.20

25 Days Until our Fall Training Conference!

We have less than a month to go until the Coalition’s 2020 Fall Training Conference: Focusing On The Business Of Government. This virtual training event will take place on November 17 – 18, and it is a “must attend” event for all members! Registration is underway, and we thank our early sponsors whose generous support helps make this event possible, including Title Sponsors – AvKARE and First Nation Group; Gold Sponsors – CACI, SheppardMullin, and The Gormley Group; and Silver Sponsors– BD and SAIC.

Two weeks ago, this blog provided a detailed description of the different panels and topics available to our conference attendees, and I encourage you to review the entire draft agenda. This blog’s focus will be on the Business Intelligence Sessions (the breakouts). During these one-hour sessions, you will receive a frontline perspective on key government programs that impact your business today and in the future. To see the invited speakers for the breakout sessions, check out the draft agenda.

Day One Business Intelligence Sessions (Nov. 17 at 3:45pm)

  • Office Products: GSA’s Northeast and Caribbean Acquisition Center will provide an update on recent office products initiatives.
  • Industrial Products: Attendees will hear an update from GSA’s Heartland Acquisition Center about the recent industrial products initiatives.
  • Furniture: The GSA IWA Center will discuss the Furniture Category and the management of the GSA Schedules.
  • Services: GSA will provide an update on the latest Professional Services Category initiatives. 
  • IT: GSA leadership will provide attendees up-to-the-minute news about IT initiatives under the IT Category.
  • DLA MSPV and ECAT Programs: Attendees will hear from DLA’s MSPV and ECAT programs on their work supporting both DoD and VA customers.
  • VA Pharmaceuticals: The VA PBM and Orlaithe Consulting will update attendees about the annual covered drug pricing update process, the latest on the VA’s Temporary Suspension of Drug Representative Visits, and more.
  • Non-Expendable Equipment Program: Attendees will learn the latest about the VA’s Non-Expendable Equipment program.

Day Two Business Intelligence Sessions (Nov. 18 at 3pm)

  • VA MSPV Program: We will learn the latest about the VA’s path forward with the MSPV-NG and MSPV 2.0 programs.
  • VA Federal Supply Schedules: Attendees will hear an update on the VA Federal Supply Schedules.
  • Prosthetics and Biologics: VA will provide us the latest information on their prosthetics and biologics contracting programs.
  • DoD Pharmaceuticals: Gmehlin, along with the new DHA POD Industry Liaison Officer, Dr. Julia Trang, agreed to meet with attendees to discuss DHA’s pharmaceutical programs and the response to COVID-19. 
  • GAO Insights on VA Medical Supply Chain – MSVP and FSS: Attendees will hear from the GAO about their recent report on how the VA can improve its management of the MSPV program and its future decision-making.
  • Update from the Southwest Supply Acquisition Center: We will learn about initiatives and updates within the SSAC.
  • GWAC/MAC: With CIO-SP4, NASA SEWP, OASIS, and Alliant 2 more important than ever, the program managers for these contracts will be on tap to provide updates on new initiatives.
  • Global Supply/4PL: GSA Leadership will update attendees on the latest initiatives for GSA’s Global Supply/4PL solutions.

We look forward to your participation at our 2020 Fall Training Conference: Focusing On The Business Of Government – don’t forget to register today!

 

MAS Refresh and Mass Mod with New SINs Planned for November 

The General Services Administration (GSA) is planning to issue GSA Multiple Award Schedule (MAS) Solicitation 47QSMD20R0001 – Refresh #5 and an associated mass modification to all existing contracts next month. Contractors will have 90 days to accept the mass mod. Refresh #5 and the mass mod includes the following changes: 

MAS Solicitation Changes: 

  • Incorporate a new Section 889 “Part B” Representation Requirement in the System for Award Management (SAM). 
  • Remove GSAR 552.204-70 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment.  
  • Update vendor templates for Agent Authorization Letter and Request to Hold Continuous Contracts.  

 Category-Specific Changes:  

  • Large Category H – Professional Services   
    • new Special Item Numbers (SINs) added 
      • Environmental Remediation Services – Multiple Industries 
      • Engineering Services Related to Military, Aerospace Equipment, or Military Weapons, the National Energy Policy Act of 1992, Marine Engineering and/or Naval Architecture 
      • Engineering Research and Development for Aircraft, Aircraft Engine, and Engine Parts 
      • Engineering Research and Development for: Other Aircraft Parts and Auxiliary Equipment, Guided Missiles, and Space Vehicles, their Propulsion Units, and Propulsion Parts 
      • Research and Development in Nanotechnology 
      • Research and Development in Biotechnology 
      • Research and Development in Social Sciences and Humanities 
    • existing SIN descriptions updated 

See the GSA Interact post here. 

 

DoD Section 889 Waiver Extended through Sept 2022

The Director of National Intelligence (DNI) has extended a waiver for the Department of Defense (DoD) under Section 889 (d)(2).  The waiver would allow DoD to continue to execute procurement actions for specific Product Service Codes (PSC) deemed to be of low risk potential but are necessary to execute the Defense Department’s mission.  The DoD’s temporary waiver has been extended to September 30, 2022, per a DNI memo dated September 29, 2020.  For more on contractor requirements under Section 889 of the National Defense Authorization Act of FY2019, visit the Coalition’s resource page here.

 

NSA Warns of Cybersecurity Vulnerabilities for Defense Industrial Base 

According to Federal Computer Week, the National Security Agency (NSA) released details on 25 existing vulnerabilities that state-sponsored Chinese threat groups are using to try to hack networks belonging to the defense industrial base, the Department of Defense (DoD), and other national security systems . NSA issued an advisory on October 20 that details these vulnerabilities and exposures, which are patchable bugs that are being leveraged by these hackers. In its advisory, NSA explains that “it is critical that network defenders prioritize patching and mitigation efforts.” 

The exposures exist across a variety of systems, including email, application, and domain services. Most commonly, however, the exposures involve tools that manage connections between networks and the open internet. Most of these bugs have been identified in previous years, and all already have patches that address them. In a statement, NSA Cybersecurity Director Anne Neuberger said that “we hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems.” 

Currently, DoD is making the effort to improve contractor cyber hygiene through the Cybersecurity Maturity Model Certification (CMMC) program. CMMC requires compliance with the National Institute of Standards and Technology guidelines for safeguarding government information in non-governmental systems.   

 

New Federal Council Works to Address Supply Chain Risk Management 

On October 19, Federal News Network reported on the Federal Acquisition Security Council (FASC), which was created by Congress as part of the Secure Technology Act. FASC released its strategic plan to Congress to address supply chain risks for agencies. FASC’s strategy is based on three principles:  

  • Standards, guidelines, and practices for federal supply chain risk programs 
  • Information sharing 
  • Stakeholder engagement 

Each of these pillars has several statutory mandates and strategic activities that aim to satisfy these requirements. For example, FASC wants to raise the maturity level of supply chain risk management practices for all agencies in order to address the first pillar. Under each strategic activity, there are specific actions that the council will take to combat supply chain challenges. FASC completed its first major action in September by releasing an interim rule that implements the Federal Acquisition Supply Chain Security Act of 2018, which was signed into law in 2018. The council is also working with GSA to develop a governmentwide acquisition approach for addressing supply chain threats centrally and by individual agencies. Kelley Artz, GSA’s Senior Leader for Supply Chain Risk Management, said that her office is planning to create a supply chain framework for all agency-run contract vehicles based on the National Institute of Standards and Technology (NIST) Special Publication 800-161. GSA also created an agencywide supply chain risk review board. 

The council has designated a FASC working group with representatives from each department and agency that is on the council and will bring in support from other agencies as needed. The working group will assess strategic activities and determine appropriate supporting actions, as well as the level of effort needed for implementation. Additionally, FASC will make legislative and policy recommendations in regard to supply chain risk management. Lisa Barr, FASC project lead, stated that an interagency working group will be looking at shared services and common contracts over the next several months.  

 

Seeking Comments on Federal Acquisition Security Council (FASC) Interim Rule 

On September 1, the Office of Management and Budget (OMB) released an interim final rule with request for comments. This interim rule is being issued by the Federal Acquisition Security Council (FASC) to implement subchapter III of chapter 13 of title 41 of the US Code, which includes implementation of the laws that govern the sharing of supply chain risk information, the operation of the FASC, and the exercise of the FASC’s authority to recommend issuance of removal and exclusion orders to address supply chain security risks.   

The Coalition is considering submitting comments on the interim rule.  If you are interested in us submitting comments, please contact Samantha Holt at SHolt@thecgp.org by COB Monday, October 26. Responses are due to OMB by November 2. 

 

Webinar: What Contractors Need to Know about the Executive Order on Combating Race and Sex Stereotyping, Oct 28 

Please join the Coalition on October 28 as we host Trina Fairley Barlow and Rebecca L. Springer, both Partners at Crowell & Moring, for awebinaron the recent EO on Combating Race and Sex Stereotyping.  

                                                           

On September 22, 2020, the White House issued Executive Order 13950 – Combating Race and Sex Stereotyping, which prohibits federal contractors and grantees from providing training or other programming that “inculcates in its employees any form of race or sex stereotyping” or assigns “fault, blame or bias to a race of sex…because of their race of sex.”  Penalties for violation of the Executive Order may include contract suspension, cancellation or debarment.    

This presentation will explain the types of training and other programming prohibited by the Executive Order, discuss the recent guidance issued by the Office of Federal Contract Compliance Programs, identify key upcoming deadlines and governmental enforcement plans, and share next steps for contractors and grantees to consider as they assess and implement their internal compliance strategies. 

Clickhereto register.  

 

Webinar: How Supply Chain Security Fits Into CMMC, October 29 

The Coalition is pleased to host Bob Metzger of Rogers Joseph O’Donnell, PC, and Emile Monette from Synopsys, Inc., for a webinar on How Supply Chain Security Fits Into CMMC.  This webinar will take place on October 29 from 12:00 pm – 1:00 pm EST. 

As concerns the supply chain, the presentation will address distinct risks to hardware, software, logistics and the workforce. They will review the range of Congressional and agency initiatives already underway or in the works.  They will also consider how emerging standards and best practices will influence government and industry measures to protect OT and supply chain security, and will discuss key enabling technologies, such as supply chain illumination.  Regardless of whether there is a change in Administration, we expect new laws, regulations and government policies, as well as acquisition and oversight measures like those DoD has recently applied for cyber security to continue and potentially even increase.  Their intent is to help companies understand the emerging cyber supply chain risk management landscape and plan now for the new requirements that lie ahead. 

Click here to register. 

 

Two More Weeks to Nominate an Outstanding Agency or Contractor for a 2020 EIP Award 

We are pleased to announce the Excellence in Partnership (EIP) Awards will continue in 2020 and the awardees will be announced and recognized during the two-day virtual event.  The EIP Awards honor individuals and organizations in the acquisition community who have made significant contributions to the procurement system by delivering best value and meeting agency missions. Historically, these awards have recognized individuals, organizations, and contractors involved in procurement with GSA, VA, DOD, DHS, and other government agencies.    

This year’s category awards include:  

  • Lifetime Acquisition Excellence Award    
    • Presented to an individual in the contracting community (government or industry) for demonstrating a life-long commitment to advancing “common sense in government procurement.”    
  • Acquisition Excellence Award    
    • Presented to an organization or individual (government or contractor) for outstanding performance in meeting the mission-critical needs of a Federal agency through a government contract.     
  • Excellence in Innovation Award    
    • Presented to an organization or individual (government or contractor) for creating innovative solutions and/or an innovative process for a Federal agency that improves and facilitates mission performance.     
  • Advocating for Veterans Award    
    • Presented to an organization or individual (government or contractor) for promoting and executing a successful program that supports veterans.    

Clickhereto submit your nomination for a 2020 EIP Award. Nominations are due by November 3, 2020. If you have questions or need assistance regarding the EIP Awards, please contact Michael Hanafin atmhanafin@thecgp.org.  

 

GSA Seeking Member Input on Polaris Small Business GWAC RFI 

On October 16, the General Services Administration (GSA) released the Polaris Governmentwide Acquisition Contract (GWAC) Request for Information (RFI). The Polaris is the new GSA small business GWAC. This RFI is to gauge the capabilities present in the small business IT community and their alignment with customer agency requirements. The RFI will be open until 5 pm Central Time on October 30, 2020. Questions related to the Polaris RFI should be sent to Polaris@gsa.gov. See the Polaris RFI here. 

In addition, the Coalition will be discussing GSA’s acquisition strategy for Polaris during the IT/Services Committee meeting on Nov. 4 at 10:30 am, Our guest speakers will be Keith Nakasone, Deputy Assistant Commissioner of Acquisition, and Carlton Shufflebarger, Executive Director of IT Services for the IT Category.  The objective of the meeting will be to provide GSA with industry input on the next-generation Small Business GWAC. GSA is planning to release a Polaris RFI by the end of the month.  

If you would like to join the virtual meeting, please RSVP to Michael Hanafin atmhanafin@thecgp.org.   

 

Two Bid Protests Filed Filed on OASIS Unrestricted On-Ramp 

Last month, the General Services Administration (GSA) announced the award of on-ramps for the OASIS Unrestricted contract under Pools 1, 3, and 4. The on-ramps added 40 contractors to each of the Pools. Last weektwo bid protests were filed with the Government Accountability Office (GAO) over the on-ramps. GAO is expected to decide on the on-ramps by January 25, 2021.  

 

FPDS Reports Successfully Transition to beta.SAM.gov 

On Saturday, October 17, the General Services Administration (GSA) posted a notice on Interact that the Federal Procurement Data System (FPDS) reports module successfully transferred to beta.SAM.gov. Beta.SAM.gov is now the only place to create and run static, standard, administrative, and ad hoc contract data reports. While core capabilities of these reports have not changed for static, standard, and administrative reports, the tool used to create ad hoc reports has. GSA has a library of training resources available on the Contract Data page. Ad hoc reports created and ran in FPDS.gov before January 31 have been converted and made available in beta.SAM.gov. Ad hoc reports created after this date will have to be recreated in beta.SAM.gov. 

 

Legal Corner: DoD’s Cybersecurity Rule Will Expand Assessments of Defense Industry to Safeguard Unclassified Information, Raising New Implementation Issues

Authors: Alexander Canizares and Richard Oehler, Perkins Coie

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement. 

The U.S. Department of Defense (DoD) has issued a long-awaited interim rule to safeguard unclassified information in the possession of defense contractors by making periodic assessments of a company’s cybersecurity compliance a condition of eligibility for a contract award.

DoD’s interim rule was published in the Federal Register on September 29, 2020, and will take effect November 30, 2020, subject to becoming final later after receipt of comments. DoD’s decision to implement the rule before it becomes final—citing the need for urgency—unfortunately limits the opportunity for DoD to receive input.

DoD’s rule provides a regulatory framework for its Cybersecurity Maturity Model Certification (CMMC) program, which will be introduced into new contracts over the next five years. The rule also provides for a separate track of assessments that will apply to contractors that possess government information that requires safeguarding using controls set forth in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

The interim rule has significant compliance and cost implications for the Defense Industrial Base (DIB). This update provides an overview of DoD’s interim rule and several key open issues.

DoD’s Revised Contract Clauses

According to the interim rule, defense contractors “must begin viewing cybersecurity as a part of doing business” in order to protect themselves and to “protect national security.”

The interim rule sets forth a two-pronged approach to implementing cybersecurity requirements.

  • First, the interim rule puts previously announced details related to CMMC into a regulatory and contractual framework to be rolled out over the next five years.
  • Second, it adopts a new, parallel track of assessments to verify that contractors are complying with NIST SP 800-171 and government assessors will assume a role in that process.

The interim rule proposes three new standard contract clauses under Part 252 of the DFARS and amends other DFARS subparts as part of a broad overhaul of existing cybersecurity requirements.

CMMC and Third-Party Verification

Released in January 2020, CMMC is a risk-based model designed to measure a contractor’s protection of information that supplements the requirements in NIST SP 800-171 with additional practices and processes that vary according to the CMMC level.

The interim rule outlines DoD’s plan to insert CMMC requirements into new contracts as follows.

  • Between now and October 2025, DoD’s Office of the Undersecretary of Defense for Acquisition and Sustainment will determine which contracts will include CMMC as a requirement. DoD anticipates that nearly 130,000 entities will pursue CMMC certification during this five-year period.
  • Once fully implemented, CMMC will be required for all DoD solicitations and contracts above the micro-purchase threshold, except for commercial off-the-shelf contracts.
  • As of October 1, 2025, to be eligible for a contract subject to CMMC, a contractor must be certified at one of five CMMC levels as of the time of award, based on an assessment performed by a Third-Party Assessment Organization (C3PAO) overseen by the CMMC Accreditation Body (CMMC-AB). Contractors must maintain a certificate for the duration of the contract.
  • A contractor can achieve a CMMC level for its entire enterprise network or particular segments or enclaves, depending on where the information is located.
  • A new clause, DFARS 252.204-7021, must be flowed down in subcontracts, except for commercial off-the-shelf item subcontracts. Primes must “ensure” that, prior to awarding a subcontract, the subcontractor has a current CMMC certificate at the “appropriate” CMMC level based on the information to be made available.
  • DoD’s interim rule anticipates assessment-related disputes but offers few details. Contractors may bring challenges before the CMMC-AB “related to claimed errors, malfeasance, or ethical lapses” by a C3PAO and then seek further review before the CMMC-AB. The standards that will be applied to resolve disputes remain unclear.

According to the rule, more than 163,000 small entities will need CMMC certification. The rule states that the average annual costs for small businesses to obtain CMMC certification will range from $1,000 for CMMC Level 1 to more than $60,000 for Level 3. Obtaining CMMC Level 5 certification is projected to cost more than $480,000 annually.

NIST SP 800-171 Assessments

The interim rule adopts important changes applicable to companies whose contracts include the existing cybersecurity clause at DFARS 252.204-7012. That clause requires contractors that store, process, or transmit Covered Defense Information (CDI) to maintain “adequate security” on their information systems by, at a minimum, adopting controls set forth in NIST SP 800-171. The clause also requires contractors to report cyber incidents.

Noting that to date, contractors have been permitted to stop short of implementing all of the 110 security requirements in NIST SP 800-171, the rule calls for “correcting” implementation gaps “immediately.”

Under the rule, companies subject to NIST SP 800-171 will undergo one of three types of assessments using a “NIST SP 800-171 DoD Assessment Methodology.”

  • Basic Assessments will be self-assessments performed by contractors that indicate how many NIST SP 800-171 requirements the contractor has yet to implement. For example, a company that implemented all 110 NIST SP 800-171 controls will have a score of 110.
  • To be considered for award of a DoD contract, a company that has a “covered” contractor information system under DFARS 252.204-7012 must have, at a minimum, a Basic Assessment that is current, i.e., not more than three years old.
  • The requirement to have a Basic Assessment will be phased in over a three-year period, incorporated into new solicitations and contract clauses in new contracts and orders.
  • Medium and High Assessments may be performed by the government at its discretion after contract award based on the “criticality” of the program or the nature of the information at issue. DoD expects that Medium and High Assessments will be conducted on a “finite number” of awardees each year.
  • The results of a NIST SP 800-171 assessment will be documented in DoD’s Supplier Performance Risk System (SPRS). Prior to contract award, contracting officers will verify in SPRS that offerors have a current NIST SP 800-171 DoD assessment on record.
  • The DoD assessments will be valid for three years and then must be renewed.

According to DoD, its methodology will enable assessments at the “entity level,” avoiding duplicative or repetitive assessments on a contract-by-contract basis. Also, according to the rule, CMMC assessments “shall not duplicate” efforts from any comparable DoD assessment, except in rare circumstances. The manner in which CMMC will coexist with these assessments remains unclear.

Next Steps and Implementation Issues

DoD’s interim rule represents a significant step with vast consequences for defense contractors. Significant implementation challenges, however, remain.

  • DoD’s decision to forego traditional notice-and-comment rulemaking, citing urgent and compelling circumstances, is unfortunate because it limits industry feedback on a major program. Nevertheless, the final rule can change based on comments received by November 30, 2020, and this introduces a degree of uncertainty.
  • The rule encourages companies subject to NIST SP 800-171’s requirements “to immediately conduct and submit” a self-assessment to facilitate later review by DoD. Companies subject to DFARS 252.204-7012 that process CDI should consider performing such an assessment if they have not already done so.
  • DoD’s two-track approach to assessments—with some performed by third parties and others performed by the government and contractors—raises questions about the roles to be played by third parties (i.e., the CMMC-AB and C3PAOs) and the government and the relationships between the various participating oversight entities.
  • A prime contractor’s flow-down obligations to subcontractors will present challenges. There will be interpretive questions such as what it means for a prime contractor to “ensure” that a subcontractor has a CMMC certificate that is “appropriate” for the information that is to be flowed down to the subcontractor and who will decide the meaning of “appropriate.”
  • The rule provides DoD with discretion to use a Medium or High Assessment after a contract is awarded, depending on the nature of the program or the sensitivity of the information, but this also creates uncertainty for companies trying to prepare their systems for assessment.
  • Questions remain regarding the applicable standards and the information that needs to be protected (e.g., the definition of Controlled Unclassified Information (COI)), as well as the cost impact for small businesses.
  • Issues remain unanswered about dispute resolution procedures under CMMC, including the extent to which DoD will be involved in resolving disagreements and the implications of CMMC’s “Go/No Go” requirements for bid protests challenging procurements.

Companies should continue to monitor developments in this area as they prepare for CMMC and the interim rule’s effective date.

 

Healthcare Spotlight: VA Adds More Facilities to Health Information Exchange 

FedScoop reported that the Department of Veterans Affairs (VA) added 15,000 more hospitals and clinics to its information exchange for the health records of military personnel and veterans. The information exchange gives providers a good opportunity to provide the best care to patients. This information exchange is a part of the modernization push for government electronic health records (EHRs). The VA EHR system will go-live in Spokane, Washington, but the rollout has been delayed due to the pandemic and lack of training. 

 

GSA 2021 Presidential Innovation Fellows Announced  

On October 19, the General Services Administration (GSA) announced its 2021 cohort for the Presidential Innovation Fellows (PIF). PIF is part of the Technology Transformation Services (TTS) within GSA’s Federal Acquisition Services (FAS), and pairs talented technologists with top civil servants in the federal government. The new cohort consists of 34 technology and industry leaders who will work to create innovative solutions alongside 22 federal agencies for the next year. This year’s class is the most diverse and includes leaders across data science, software engineering, product, design, entrepreneurship, and more. New this year, the cohort will start virtually. The Fellows will work on 26 projects across the 22 federal agency partners, including: 

  • Developing digital health platforms and diagnostic technologies to address the COVID-19 pandemic with the National Institute of Biomedical Imaging and Bioengineering (NIBIB) at the National Institutes of Health (NIH) 
  • Developing technical infrastructure to combat adversarial AI with the U.S. Department of Energy’s (DOE) Artificial Intelligence & Technology Office (AITO) 
  • Protecting consumer rights in the rapidly evolving digital advertising ecosystem with the Federal Trade Commission’s (FTC) Division of Litigation Technology and Analysis, Office of Technology Research and Investigation (OTech) 

As of October 2020, PIF has worked with more than 40 agencies to advance government innovation. 

 

GAO Recommends Improvements for DHS Acquisition Oversight 

The Government Accountability Office (GAO) released a report on opportunities to improve acquisition oversight at the Department of Homeland Security (DHS). GAO found that Component Acquisition Executives (CAE) responsible for overseeing acquisition functions in the DHS Management Directorate have not been nominated or designated for their role and may not have had their qualifications vetted. GAO identified the Directorate for Non-Major Acquisitions, Office of the Chief Readiness Support Officer, Office of the Chief Information Officer, and the Office of the Chief Financial Officer as having CAE’s who were not nominated. 

GAO recommended that DHS ensure that CAE should be nominated and designated according to agency policy. GAO also recommended that CAE’s complete staffing plans for their acquisition functions, which had previously been neglected.  

 

DoD Releases Interim Rule Implementing CMMC  

On September 29, the Department of Defense (DoD) issued an interim ruleamending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements. According to the interim rule, CMMC will apply to all DoD contracts and solicitations, including those for the acquisition of commercial items (except exclusively COTS items) valued at or greater than the micro-purchase threshold, starting on or after October 1, 2025. If the offeror does not have the required CMMC certification, then contracting officers will not make an award or exercise an option on a contract. In addition, CMMC certification requirements must be flowed down to subcontractors at all tiers based on the sensitivity of the unclassified information flowed down to each subcontractor.    

DoD is implementing a phased rollout of CMMC. Inclusion of a CMMC requirement in a solicitation prior to October 1, 2025 will need to be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.    

The interim rule is effective November 30, 2020. The Coalition plans to submit comments in response to the interim rule.  The deadline to submit comments to the Government is November 30, 2020.  If you would like to send any comments or questions to the Coalition, please send your input to Sean Nulty at   snulty@thecgp.org by Friday, November 13.

 

Final Rule Consolidates SBA Mentor-Protégé Programs 

On October 16, the Small Business Administration (SBA) released a final rule, which consolidates the 8(a) Business Development (BD) Mentor-Protégé Program and the All Small Mentor-Protégé Program. The consolidation is to remove confusion and eliminate the duplication of programs in the SBA. The consolidation of the two programs reduces the burden on 8(a) participants by eliminating the requirement that 8(a) participants seeking to be awarded an 8(a) contract as a joint venture submit the joint venture agreement to SBA for review and approval prior to contract award. This final rule includes the requirement of a business concern to recertify its size and/or socioeconomic status for all set-asides with unrestricted multiple award contracts (MAC) with the exception of MAC that have authorized limited pools of concerns for which size and/or status is required. See final rule here 

 

Upcoming Meetings  

Medical/Surgical Subcommittee Meeting with VA NAC, Oct 29  

The VA National Acquisition Center (NAC) will meet with members of the Medical/Surgical Subcommittee on Thursday, October 29 at 1:30 pm EST.  Our invited speakers for the virtual meeting are:  

  • Dan Shearer, FSS Director   
  • James Booth, FSS Chief   
  • Diana Lawal, FSS Chief   
  • Bob Satterfield, FSS Chief   
  • Deborah Zuckswerth, FSS Chief    

The VA will be providing an update on the Federal Supply Schedules and the response to COVID-19.   

The VA NAC is also looking forward to responding to member questions during the meeting. This is a great opportunity. Please submit your questions to Aubrey Woolley atawoolley@thecgp.orgby COB Friday, Oct 23 and we will share them with the VA team in advance.  To attend the virtual meeting, please RSVP to Michael Hanafin at mhanafin@thecgp.org.   

IT/Services Meeting on Polaris GWAC, Nov 4  

Join us for the next IT/Services Committee meeting focused on GSA Small Business GWACs on Wed., Nov. 4 at 10:30 am ET.    

Our guest speakers will be Keith Nakasone, Deputy Assistant Commissioner of Acquisition, and Carlton Shufflebarger, Executive Director of IT Services for the IT Category.  The objective of the meeting will be to provide GSA with industry input on the next-generation Small Business GWAC.  If you would like to join the virtual meeting, please RSVP to Michael Hanafin at mhanafin@thecgp.org.   

 

GSA Looks to Add Enhanced Cybersecurity Requirements to Contracts 

According to Fedscoop, GSA is looking to add enhanced cybersecurity requirements for contractors to its contracts. Keith Nakasone, GSA’s Deputy Assistant Commissioner for Acquisition in the Office of IT Category, said that the agency will continue to look for ways to add new controls for how contractors handle sensitive government information into its acquisition vehicles. These rules will be in line with the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) standards. As part of GSA’s STARS III contract which was launched in July, the vehicle includes language that says the agency reserves the right to require CMMC certifications for small businesses that are awarded. GSA could require contractors to meet CMMC level 1 of 5. Nakasone added that this is not a “one-and-done type of deal,” and that GSA is trying to create an ecosystem where controls are phased in over time. As new technologies emerge, GSA is looking for ways to ensure that controlled unclassified information is properly handled in its contract vehicles. “When we talk about the ecosystem, and we look at contract requirements, we try to build our contracts so that we can evolve over time,” said Nakasone.