Friday Flash 12.13.19

Transparency: Even the Simple Things are Important

In the fall of 2017, during her confirmation hearing, GSA Administrator Emily Murphy articulated key priorities for the agency should she be confirmed to lead it.  Among those priorities, she asserted a commitment to improving transparency.  Specifically, she said,

improving transparency is central to the agency’s work. Whether this means providing a database of Federal real property assets, making data more available at data.gov, or improving the system for award management, transparency will not only expose flaws and instill confidence in the integrity of our government[,] but also increase competition and ultimately save taxpayer money.

S. Hrg. 115–430, Oct. 18, 2017 at 10.

Further, in concluding her opening remarks, Administrator Murphy said that transparency and her other priorities

 should be applied to nearly every facet of GSA’s mission. They will provide a framework for addressing recommendations from the GAO and from the IG, and most importantly, they are the key to instilling public confidence in the agency.

 Id.

 Administrator Murphy is right, and Coalition members have appreciated GSA’s engagement with industry on various issues of importance, like the Schedules Consolidation initiative, e-commerce, and the implementation of Section 889.  For this reason, we and others were surprised to learn of the recent disappearance of GSA’s online staff directory from the agency’s website.  The directory was pulled down without warning or discussion, and it appears that it is not coming back.  A simplified organizational directory replaces the staff directory, but it is not nearly as robust and informative as GSA’s original directory.

This turn of events is as unfortunate as it is antithetical to the Administrator’s priorities and the path of openness to which the agency committed.  Just a year before Administrator Murphy’s nomination hearing, GSA’s Technology Transformation Service kicked-off an effort to provide standard employee contact information across agencies (although, we do not know what became of this effort).  A news report at the time identified as a goal the creation of a baseline of staff, office, and service data across government, in part, to help citizens access their government.

Coalition members were regular users of GSA’s directory.  It provided critical information to facilitate the day-to-day work that keeps contract administration on course.  The performance of key programs, like the GSA Schedules Program, was facilitated by allowing access to this tool.  Indeed, it would be interesting to collect data on the value of contract administration time saved and work completed by the mere access to directory information.

Removing the directory,  does not promote the Administrator’s goal.  Nor does it manifest the intent of an agency that wishes to engage and collaborate with its industry partners.  There was great value in, and use of, GSA’s online staff directory.  It should be returned to the agency’s website forthwith.

GSA Dismisses Pre-Award Protest of its E-commerce Platform Solicitation 

Earlier this week Federal News Network reported that a pre-award agency-level protest had been filed in response to General Services Administration’s (GSA) e-commerce solicitation. The protest was filled last month and challenged GSA’s market research and compliance with laws such as the Competition in Contracting Act, Federal Acquisition Streamlining Act, and Section 846 from the 2018 National Defense Authorization ActThe protest was dismissed, and GSA is currently working to strengthen the request for proposals.  

Coalition President, Roger Waldron, was quoted in the article. 

 “To the extent the protester argues that the RFP terms are inconsistent with commercial practice, the law has been clear for a quarter of a century.  FASA prescribes the use of commercial terms/practices to the maximum extent practicable. Section 846 likewise prescribes that sales be made, to the maximum extent practicable, under the standard terms and conditions of the portal provider. This language (to the maximum extent practicable) reflects the government’s obligation to balance its responsibilities to the public against a vendor’s terms and conditions,” Waldron said in an email to Federal News Network. “That is why transparency is paramount. The public needs to understand the nature of any RFP changes and whether they are consistent with the law. This is especially important here given the lack of analysis in GSA’s Phase II Report of e-commerce portal standard terms and conditions in context of government requirements.” 

To read the full article about the protest to GSA’s Commercial Platform Initiative RFP, click here. 

 

Spending Agreement to Avert Government Shutdown 

On Thursday, Roll Call reported that negotiators had reached an agreement in principle on all spending bills, fending off the possibility of a government shutdown. Negotiations had lasted for months and centered on funds for the border wall. The agreement is set to be drafted into legislation over the weekend, and the House and Senate are expected to have floor votes sometime next week on at least two packages. The Senate will need to reach a timing agreement in order to pass the bills before a temporary spending bill expires on December 20th.

Congress Reaches Agreement on Compromise NDAA  

Earlier this week, the House and Senate reached an agreement on a compromise National Defense Authorization Act (NDAA) for fiscal year 2020. The NDAA authorizes over $740 billion in spending for DoD. Notably, the NDAA does not address spending for a border wall, which will be addresses during the appropriations process for FY2020. The House passed the NDAA by a vote of 377 to 48 on Wednesday and the Senate is expected to vote soon on the compromise bill. 

The Coalition is preparing a summary of key acquisition provisions from the 2020 NDAA. The summary will be available in next week’s editions of the Tuesday Tracker and the Friday Flash. 

 

GSA Announces Update on DUNS Replacement 

On December 10, GSA released an update on the unique entity identifier (UEI), which the agency will use to replace DUNS. The UEI is a new, non-proprietary identifier that will be assigned through the System for Award Management (SAM.gov).  GSA has now published the technical specification on the UEIAmong the new specifications is the beta.SAM Entity Management API, which allows interfacing systems to pull information about the entity through SAM. 

Specifications will continue to be provided in the coming weeks, and the IAE plans to release its testing plan by December 30.  Additional resources about this initiative are: 

  • UEI webinar 
  • GSA’s Unique Entity Identifier Update Webpage 
  • The latest UEI announcement on GSA Interact 

 

Congress Blocks OPM-GSA Merger 

Federal News Network reported that Congress included formal language in FY2020 National Defense Authorization Act (NDAA) to stop the Office of Personnel Management (OPM) and General Service Administration (GSA) merger. The NDAA calls for a study by an independent organization, National Academy of Public Administration (NAPA), to assess the impact of a merger. OPM will have 30 days to contract with NAPA for a report to be summitted to Congress within one year. Congress has given OPM direction on how to respond to NAPA’s recommendations. The language in FY20 NDAA does not explicitly ban the GSA-OPM merger. Read more here. 

 

JEDI Protest Documents Released  

Last week, Federal News Network reported that court documents in the Court of Federal Claims (COFC) protest of DoD’s JEDI Cloud contract were unsealed last week. In their filing, Amazon Web Services (AWS) alleged political interference in the procurement from President TrumpIn response to the publicly-released documents, the Department of Justice and Department of Defense filed an objection with the COFC claiming a large quantity of AWS’ redactions were unjustified.  

The Government has until January 21 to file a response with the CourtAdditionally, Microsoft has been granted permission to intervene in the case. 

 

AbilityOne Inspector General Highlights the Challenges of e-Commerce 

The AbilityOne Inspector General (IG) has found that e-Commerce is one of the top management challenges for the agency and that e-commerce is both an opportunity and challenge for the AbilityOne program, according to their recently released report. The IG found that the AbilityOne Commission’s e-commerce pilot, which completed at the end of the fiscal year, did not lead to an increase in sales for AbilityOne products. The IG also noted that the e-commerce portal did not block essentially the same offerings and substitute AbilityOne products, which is required for authorized AbilityOne distributors. The IG notes that the pilot provided valuable insights for the Commission as e-commerce continues to expand in the Federal market, but also believes that there is significant risk for program erosion.

 

Legal Corner: DoD Updates Draft Cybersecurity Maturity Model Certification—300,000+ DoD Contractors and Subcontractors Required to Be Certified as a Prerequisite to Contracting

By Mayer Brown: David A. Simon, Marcia G. Madsen, Rajesh De, Roger V. Abbott, Veronica R. Glick, and Joshua M. Silverstein

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement. 

On November 7, the U.S. Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) released Draft Version 0.6 of its Cybersecurity Maturity Model Certification (CMMC) for public comment. According to DoD’s overview briefing, the CMMC was created to provide “a unified cybersecurity standard for DoD acquisitions to reduce exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).” In brief, the CMMC builds upon DFARS 252.204-7012, which generally requires contractors to maintain “adequate security” on all covered contractor information systems and to report any cybersecurity incidents to the DoD Cyber Crime Center (DC3) within 72 hours. The certification process, which will rely on non-government third parties, raises legal and business risks for contracting entities, including the potential for disputes. Whereas DFARS 252.204-7012 relies on contractor self-certification, the CMMC framework will requireall government contractors and subcontractors to obtain cybersecurity certification from yet-to-be-created CMMC Third-Party Assessment Organizations (C3PAO) as a prerequisite to performing DoD contracts.1

The requirement for a certification by a non-government third party raises a number of questions and concerns:

– Levels of Certification.The CMMC framework includes five levels of certification, ranging from Level 1 (“basic”) to Level 5 (“highly advanced”). DoD will determine the appropriate level of certification on a case-by-case basis, but a minimum of Level 3 will be mandatory for contractors that access CUI or generate CDI (Controlled Defense Information)/CUI. Consistent with DFARS 252.204-7012, a business must (among other things) meet the security requirements of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations in order to be certified at Level 3.

– Selection of Certification Levels for Different Contracts. Rather than implementing these certification requirements by issuing a regulation (as in the case of DFARS 252.204-7012), DoD states that it will – as a matter of policy – include certification as a Go/No-Go criterion for all DoD contracts. It is unclear how DoD will decide on the appropriate level of certification for a given contract, or whether the default will be to require higher certification levels.

– Applicability to COTS Products and Non-FAR Agreements.According to DoD, “[t]he working estimate for the number of organizations requiring CMMC certifications is 300,000, with a very high percentage of those companies in the micro-, small-, and mid-size range.”2 DoD has not addressed whether or how the requirement will apply to contracts for commercial products and services (as defined in the procurement statutes and regulations). The CMMC Draft Version 0.6 explains that the purpose of the certification requirement is to enforce existing DoD cybersecurity requirements. One such set of requirements, DFARS 252.204-7012, applies to all contracts except for those solely concerning the acquisition of commercially available off-the-shelf (COTS) products.3 For this reason, the proposed CMMC requirement imposes significant compliance costs. Moreover, the requirement is arguably in tension with recent efforts of Congress, and the acquisition streamlining recommendations of the Section 809 Panel,4 to expand the use of commercial products and services by reducing obstacles to participation by commercial entities in DoD contracts.5 The impact of the growing use of commercial products and services in the defense sector and ongoing efforts by DoD to expand access to commercial technology through mechanisms that are not restricted by the Federal Acquisition Regulation (FAR) (such as the GSA NDAA Section 846 e-marketplace initiative and the growing use of Other Transaction Agreements) also are not addressed.

– C3PAO Role. On October 3, DoD issued a Request for Information (RFI) regarding the creation of a CMMC accreditation body, which will be charged with “managing, operating and sustaining the CMMC program, CMMC training, and evaluating and accrediting individual assessors and C3PAOs.”6 According to the RFI, this accreditation body will “complete all activities … using revenue generated through dues, fees, partner relationships, etc. with no additional funding or resources provided by the Government.” The RFI also indicates that the federal government will not have a contractual relationship with the accrediting body but rather will manage its relationship with it through a Memorandum of Understanding. Each certification assessment “will be conducted by a credentialed independent assessor working for an accredited C3PAO under the oversight of the CMMC accreditation body.”

– Timing.DoD expects to publish the final version of the full CMMC framework in January 2020. According to a Q&A published by DoD, industry should begin to see the CMMC requirements in June 2020.

– Supply Chain Implications.The certification requirement likely will have significant supply chain implications. The DoD Q&A states that “all companies doing business with the Department of Defense,” including subcontractors, will be subject to the certification requirement. However, DoD has not yet issued any guidance regarding the level of certification required for subcontractors (including acquisitions from purely commercial entities) or the role of a prime contractor with respect to entities in lower tiers.

– Compliance Costs. DoD states that the costs of compliance with CMMC will be allowable under the applicable FAR principles, although this concession will not benefit businesses that contract with DoD based on fixed prices.

Background:

Over the past several years, government contractors and the federal government itself have been targeted by a series of high profile and costly cybersecurity intrusions. For example, the Office of Personnel Management hack announced in 2015 exposed confidential personal information of over 20 million people.7 Foreign adversaries also have exfiltrated sensitive information by targeting defense contractors.8 Such breaches have raised significant security concerns and led to calls for increased scrutiny and requirements for entities that have access to government networks and information.

In 2015, the National Institute of Standards and Technology (NIST) issued Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which outlines 110 security controls to be implemented by government contractors that transmit or store CUI. CUI is an expansive concept that encompasses an extensive array of unclassified government information (see CUI Categories, here).

Shortly afterward, the federal government issued three regulations of significance for government contractors:

– In May 2016, the FAR was amended to include a new subpart and contract clause governing basic safeguarding of contractor information systems that process, store, or transmit Federal Contract Information (FCI). This rule is codified in FAR Subpart 4.19, with a corresponding contract clause in FAR 52.204-21.

– Later in 2016, the National Archives and Records Administration issued a final rule for managing controlled unclassified information.9

– Finally, in October 2016, DoD issued a final DFARS Rule – codified in DFARS 252.204-7008 and -7012 – for contractors that handle CDI. Most notably, the rule requires contractors to “provide adequate security on all covered contractor information systems,” which includes “at a minimum” implementation of NIST SP 800-171 and requires contractors to report any “cyber incident” within 72 hours.

Despite these efforts, cybersecurity continues to pose a significant challenge to the federal government and the private sector, including the DIB. For example, in February 2018, the White House concluded that “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.”10 The introduction of CMMC Draft Version 0.6 reiterates this concern, noting that “[t]he theft of hundreds of billions of dollars of intellectual property (IP) due to malicious cyber activity threatens the U.S. economy and national security.” Moreover, “[t]he sharing of FCI and CUI with DIB sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary.”

DFARS 252.204-7012 does not impose an oversight or verification requirement but relies for compliance on contractor self-certification – and the threat of False Claims Act (FCA) liability and debarment for “knowing” false certification. As the CMMC Draft Version 0.6 explains, concern about the continued vulnerability of contractor intellectual property and sensitive DoD information to exfiltration prompted DoD to use certification to verify compliance. Additionally, DoD hopes that the creation of a uniform certification framework that applies to all DoD contractors will address the confusion in the contractor community regarding the requirements for compliance with the various DoD cybersecurity regulations.

The CMMC Framework:

The CMMC was created to provide a unified cybersecurity standard for all DoD acquisitions to reduce the risk of exfiltration of CUI from the DIB. Unlike DFARS 252.204-7012, which relies predominantly on NIST SP 800-171, CMMC incorporates cybersecurity standards and best practices from a variety of sources, including NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS 993, CIS Critical Security Controls 7.1, and the CERT Resilience Management Model®. The CMMC model framework includes the following:

– The CMMC model framework consists of 17 domains, which are “key sets of capabilities for cybersecurity” based on cybersecurity best practices. These domains are roughly based on the NIST SP 800-171 “control families” and include:

– Access Control, Asset Management, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Recovery, Risk Assessment, Security Assessment, Situational Awareness, System and Communications Protection, and System and Information Integrity. (The Asset Management and Situational Awareness domains were not among the 14 NIST SP 800-171 security requirement families.)

– Each domain, in turn, includes various capabilities,11 which DoD describes as “achievements to ensure cybersecurity within each domain.”

– Finally, each capability consists of a series of practices and processes, which are mapped to CMMC Levels 1 through 5. Practices are activities performed at each level for the domain, while Processes detail maturity of institutionalization for the practices.

– Each CMMC level introduces additional practices and incorporates the practices required at previous CMMC levels.

– At Levels 1 and 2, organizations may be provided with FCI, which is information not intended for public release. However, organizations that require or generate CDI/CUI must certify at Level 3 or above.

The following is a summary of the description of each of the CMMC levels provided by Draft Version 0.6:

– Level 1: Focuses on basic cyber hygiene and consists of the safeguarding requirements specified in 48 C.F.R. § 52.204-21.

– Level 2: Focuses on intermediate cyber hygiene, creating a maturity-based progression for organizations to move from Level 1 to 3. This more advanced set of practices gives the organization greater ability to both protect and sustain its assets against more cyber threats as compared to Level 1.

– Level 3: An organization assessed at CMMC Level 3 will have demonstrated good cyber hygiene and effective implementation of controls that meet the security requirements of NIST SP 800-171 Rev 1. CMMC Level 3 indicates a basic ability to protect and sustain an organization’s assets and CUI. However, at CMMC Level 3, organizations will have challenges defending against advanced persistent threats (APTs).

– Levels 4 and 5: An organization assessed at CMMC Levels 4 and 5 has a substantial and proactive cybersecurity program. The organization has the capability to adapt its protection and sustainment activities to address the changing tactics, techniques, and procedures (TTPs) in use by APTs.

To provide a sense of the magnitude of these requirements, Level 1 includes 17 processes; Level 2 incorporates 58 additional processes (for a total of 75); Level 3 incorporates 56 additional processes (for a total of 131); Level 4 incorporates 62 additional processes (for a total of 193); and Level 5 incorporates 26 additional processes (for a total of 219).

CMMC Draft Version 0.6:

CMMC Draft Version 0.4 elicited over 2,000 comments from industry participants. Draft Version 0.6 includes the following changes from Version 0.4:

– Number of domains reduced from 18 to 17, with the elimination of the “Cybersecurity Governance” domain.

– Consolidation of practices. For instance, Level 3 under Version 0.4 included 241 practices, whereas Level 3 under Version 06 includes 131 practices.

– More detailed descriptions of Levels 1 through 3. DoD is still processing comments with regard to Levels 4 and 5 and will presumably provide more detail when it issues the final version in January 2020.

– A new Appendix B, which provides discussion and clarifications for the CMMC Level 1 practices that map to the safeguarding requirements specified in 48 C.F.R. § 52.204-21 Basic Safeguarding of Covered Contractor Information Systems and the associated security requirements in NIST SP 800-171 Rev 1.

– Introduction of a glossary of key terms. Although these definitions are consistent with the ones set forth in DFARS 252.204-7012, the glossary also defines terms that are not included in this DFARS provision.

Remaining Issues and Concerns for Contractors:

– Supply Chain Management. DoD makes clear, in the Q&A referenced above, that a certain amount of flow down is to be expected: “CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for flow down to subcontractors in a multi-tier supply chain.”

– However, it is unclear to what extent and at which level the CMMC certification requirements will flow down to subcontractors and whether they also will apply to open-market transactions. One possibility is that for larger contracts, the level of CMMC certification required will vary by function.

– In circumstances where a prime must certify at a higher level than some of its subcontractors, it is not clear what requirements will exist regarding the flow of information needed for performance. For example, if a lower-tier subcontractor is providing a component that will function in a prime contractor’s system, how will the specific requirements be transmitted to the subcontractor such that the component will function appropriately? How will suppliers of commercial technology, products, and services (sold in the open market) be addressed?

– Can the CMMC Level Determination Be Disputed? It is unclear how DoD or contracting officers will determine which level of CMMC certification will be required for a particular procurement. Where a requirement is unreasonable and restricts competition, challenges are likely.

– C3PAO Process/Appeal: It is unclear how the certification process will operate, how certification requirements will be established, and whether an offeror or contractor may appeal in the event the C3PAO declines to certify at a particular level. Is the C3PAO determination subject to challenge if relied upon by DoD for use in its procurements and contracts? Since the DoD will not be in privity of contract with any of the C3PAOs, it is likely that any litigation involving the C3PAOs will be in federal district court and not before the GAO or Court of Federal Claims.

– Timeline for Certification: It is unclear when the certification requirements will become effective and whether they will become effective at the same time. For instance, DoD is taking much longer to develop the standards for Levels 4 and 5, so it is possible DoD might require certification for Levels 1-3 before introducing Levels 4-5. Additionally, DoD has not yet determined the duration of certification or how often re-certification will be required.

– FCA Exposure: Assuming a contractor can be in full compliance, will CMMC certification create a safe harbor against FCA claims, e.g., if an intrusion occurs nevertheless?

Healthcare Spotlight: Evolution of the TRICARE Pharmacy Benefit: A Decade of Change

By Amy M. Lugo, PharmD, BCPS, FAPhA; Angela A. Allerman, PharmD, BCPS; and Shana K. Trice, PharmD

The Healthcare Spotlight provides the healthcare community with an opportunity to share insights and comments on leading issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement.  

TRICARE is the military’s health plan that provides coverage to 9.4 million active duty and retired uniformed services personnel and their family members. The TRICARE pharmacy benefit has undergone many changes in the last decade. These changes include assigning newly approved drugs to nonformulary status after regulatory approval, the addition of weight loss medications to the benefit, channel management point-of-service requirements for some medications, and copay increases. Several initiatives have resulted in significant cost avoidance to the Department of Defense (DoD). The purpose of this article is to discuss the changes to the TRICARE pharmacy benefit, describe the continual challenges, and estimate cost savings associated with implementation of these changes.

DoD implemented its 3-tier Uniform Formulary in 2005. Since then, many changes have been enacted, including more extensive use of prior authorization, step therapy, and quantity limits; coverage of over-thecounter medications; the retail refund program; coverage of vaccines and smoking cessation agents; mandatory mail/military treatment facility requirements; rapid review and initial nonformulary status for newly approved innovator drugs; revisions to the compounded drug benefit; initial deployment of a new medical record system; coverage of weight loss medications; and the ability to exclude medications from the Uniform Formulary.

Click here to read the full article.

Legal Corner: U.S. Government To Award Billions Of Dollars In Contracts To Open Electronic Marketplaces To Government Customers—Though Serious Questions Remain

By Professor Christopher R. Yukins; The George Washington University Law School

(First published on October 21, 2019)

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement. 

Proposals to the U.S. General Services Administration are due soon in a $6 billion procurement under which multiple no-cost contracts will be awarded to vendors that will open electronic marketplaces to federal users making micro-purchases (generally up to $10,000). Although federal purchase card holders have long been able to make micro-purchases with few regulatory constraints regarding competition, transparency or socioeconomic requirements, this new initiative appears likely to normalize and expand those purchases—and so may revolutionize small purchases in the federal market.

Click here to read the full article.

Legal Corner: The Long Reach Of Section 889 (aka the Anti-Huawei Rule)

By Jonathan Aronie, Townsend Bourne, and Scott Maberry

The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement. 

As you probably know, we have been following closely developments relating to Section 889 of the 2019 National Defense Authorization Act (NDAA), which prohibits executive agencies from purchasing restricted products and services from certain Chinese telecommunications companies (including Huawei and ZTE) and also from working with contractors that use such products.

Jonathan Aronie was one of the featured panelists at the well-attended General Services Administration (GSA) Section 889 industry event on November 6, 2019, during which a lively conversation ensued regarding the likely impact of the provision on government contractors. While contractors already are dealing with Part A of the rule, which prohibits them from selling covered products and services to the government, Part B will go into effect in August 2020 and contains a much broader prohibition relating to the use of covered products and services – even if unrelated to federal business.

We’ve included a lengthy set of Frequently Asked Questions (and answers) at the end of this article based on our ongoing focus on 889 and its long reach. But first, a little background . . .

Click here to read the full article.

 

New Off the Shelf Interviews 

Protecting Your Company’s Organization Integrity with Sheppard Mullin 

On Off the Shelf, Sheppard Mullin Partners Jonathan Aronie, David Douglass, and Scott Maberry discuss Sheppard Mullin’s new Organizational Integrity Group (OIG). 

The OIG reduces risk through the development of compliance programs, and defends clients under investigation or in litigation, using a holistic approach that looks beyond the narrow legal challenges/issues to address a company’s values, reputational threats, business imperatives and stakeholder interests. 

The Sheppard Mullin team explains its multi-layered analytical framework for solving problems for clients.  Central to the approach is a set of “First Principles” for problem solving that is unique in the industry. 

As outlined by the OIG team, civility, transparency, values, probabilities, cognitive illusions and communication are among the OIG’s key principles to effective, holistic, problem-solving.  To listen to the program, click here 

 

An Update on MAS Consolidation 

On Off the Shelf, Stephanie Shutt, director of the Multiple Award Schedule (MAS) Program Management Office, provided a briefing on Federal Acquisition Service’s MAS Consolidation initiative. 

MAS consolidation is one of GSA’s strategic, foundational efforts to streamline the MAS program. The consolidation will merge 24 schedules into a single, comprehensive schedule and reduce the number of line items from approximately 900 to 300. It will reduce operational costs, increase access to commercial solutions, and enhance competition. 

Shutt provided an update on key features for offers and contractors looking at the new solicitation, which issued on Oct. 1. 

She also outlined the key considerations and milestones for current contractors with multiple MAS contracts, and the next steps with regard to the systems that support the MAS program. 

Finally, Shutt answered cross-cutting questions on issues like the interplay between the Price Reduction Clause and Transactional Data Reporting.  To listen to the program, click here 

 

Slides from Joint IT/Services and GWAC/MAC Meeting  

On Tuesday, the Coalition held a joint IT/Services Committee and GWAC/MAC Committee meeting. Zachary Lerner, Supplier Relationship Manager for GSA’s Professional Services Category, and Rob Coen, Acquisition Program

Director for Professional Services, provided briefings on Supplier Success Strategies and a program update on the OASIS program. 

Zachary’s slides can be accessed here. Rob’s slides can be accessed here. 

Thank you to Zachary and Rob for speaking to our members and Northrop Grumman for hosting the meeting. 

 

SBA Rule Modifying Receipt-Based Calculations 

The Small Business Administration (SBA) issued a rule modifying the way it calculates average annual receipts to advise size standards for small businesses. This change implements the Runway Extension Act of 2018. The new method uses 5-year average based receipts-based size standards instead of the current 3-year average. There will be a transition period lasting through January 6, 2022. During the transition firms may choose between using a 3-year averaging period and 5-year averaging period. This rule will take effect on January 6, 2020.