This week, GSA’s Federal Acquisition Service (FAS) posted a blog highlighting the completion of the OASIS on-ramps and announcing a new Federal Marketplace initiative, the Services Marketplace. The blog outlines three goals of the Services Marketplace initiative, while setting forth a series of efforts to achieve the goals. Chief among the three goals is “rationalizing, aligning, and expanding GSA’s Government-wide Acquisition Contract (GWAC), Multiple Award Contract, and MAS service contract offerings.”
The FAS blog makes clear that FAS will be seeking input from the procurement community, including its industry partners, regarding its acquisition strategies and systems investments. Coalition members welcome this dialogue and look forward to sharing feedback on the key market drivers and contract features that enhance customer agency mission support.
The blog discusses the development of the “government’s next generation services “BIC MAC” as the follow-on to OASIS. It states, in pertinent part:
“Customer agencies’ needs will serve as the foundation for BIC MAC’s acquisition strategy, scope, and fair opportunity construct; while industry will be invited to provide us with feedback and input on their needs through focus groups, listening sessions, industry days, and input from industry associations.”
The FAS blog closes by providing a link to FAS’s Professional Services Category Interact site where details on the forthcoming dialogue will available. This dialogue will be critical to fashioning a follow-on professional services contract vehicle that efficiently and effectively meets customer agency missions. The stakes are high, as OASIS’ performance in meeting customer agency mission requirements has been one of the most successful, if the not the most successful, government-wide contract vehicle over the last six years.
OASIS – A Strategic Asset in Supporting Customer Agency Mission
OASIS’ performance over the last six years has made it a strategic procurement tool in meeting customer agency mission needs. The program’s success can be attributed to features like effective contract administration, streamlined task order processes, and high-quality contracts/capabilities. These features provide customer agencies with timely, efficient, and effective access to critical, high-quality professional services capabilities. Defense and civilian organizations across government rely on OASIS in meeting their respective missions.
The increasing reliance on OASIS reflects customer satisfaction, as highlighted in the following chart, which documents the remarkable growth of the program in meeting customer agency mission requirements.
Impressively, over its six-year life, the OASIS program has provided customer agencies with over $28 billion in services support for agency mission requirements. Since 2017, OASIS mission support has increased by more than 167 percent, to over $8.7 billion in 2020.
The program is essential to departments and agencies, like the Air Force, which acquired more than $3.1 billion in mission support through OASIS in 2020. In fact, almost 20 percent of the Air Force’s professional services support (based on dollar value) is provided through OASIS. GSA’s contracting programs rely on OASIS extensively, as well. The two largest single users of OASIS were FEDSIM and GSA’s Assisted Acquisition Services in Region 4, which obligated more than $3.5 billion in services mission support through OASIS in 2020. It is noteworthy that, in 2020, over 50 percent of FEDSIM’s contract spending for customer agency mission support went through OASIS.
The data makes clear that OASIS is a strategic asset supporting and supported by customer agencies. Its ease of use, high quality contracts, and effective management have delivered for customer agencies time and time again. Looking forward, in a new era of near peer competition and its attendant challenges, contracting programs, like OASIS, will be more important than ever in meeting the challenges facing our government and nation. As such, the dialogue around the OASIS follow-on, the BIC MAC, will, by necessity, include identification, discussion, and implementation of a contract vehicle. That vehicle should maintain the key contract features that have made OASIS a strategic asset for so many customer agencies. It should not disrupt or change what, unquestionably, has been working. The Coalition appreciates GSA for opening the dialogue, and we look forward to future discussions among all stakeholders.
In the new year, in addition to continuing to focus on the OASIS follow-on, the FAR & Beyond blog also will address the IT GWACs and the MAS program as part of the Services Marketplace. In the meantime, the Coalition wishes you and yours a safe, healthy, and happy holiday season!
Congress Close to Agreement on Spending Bill, COVID Relief
Roll Call reported that Congressional leaders are close to an agreement on an Omnibus spending bill and a Coronavirus relief package. The Omnibus bill is will include $1.4 trillion in spending for the Federal Government in 2021. The bill needs to be passed before the current continuing resolution is set to expire on December 18 in order to prevent a Government shutdown. Additionally, the Coronavirus relief bill could contain as much as $900 billion in spending to support businesses, vaccine distribution, and aid for state and local governments.
On December 15, the General Services Administration (GSA) posted a blog by Tiffany Hixson, Assistant Commissioner of GSA’s Office of Professional Services and Human Capital Categories on the OASIS program. The OASIS on-ramps are complete, and there are now more than 1,100 OASIS Best-In-Class contracts, approximately 70% of which are awarded to small businesses. For next steps, the Federal Acquisition Services (FAS) is focused on a new Federal Marketplace initiative, the Service Marketplace. The purpose of this initiative is to holistically approach how GSA is supporting the federal acquisition community’s procurement needs for services. The initiative has three goals:
- Rationalizing, aligning, and expanding GSA’s Government-wide Acquisition Contract (GWAC), Multiple Award Contract, and MAS service contract offerings.
- Improving FAS’s market research and buying tools for federal acquisition professionals.
- Improving the data and reporting systems used in support of GSA’s acquisition programs.
As a follow-on to OASIS, whose ordering period ends in 2024,GSA will be establishing a broader and more flexible next generation services Best-in-Class Multi-Agency Contract (BIC MAC). The FAS Information Technology Category is leading the implementation efforts for the GWACs, and the Professional Services and Human Capital Categories Organization is leading the development of the government’s next generation services Best-In-Class Multi-Agency Contract (BIC MAC). Customer agencies’ needs will serve as the foundation for BIC MAC’s acquisition strategy, scope, and fair opportunity construct. Industry input will be encouraged through focus groups, listening sessions, industry days, and industry associations. More details will be posted on FAS’ Professional Services Interact site and on gsa.gov.
The Coalition IT/Services and GWAC/MAC Committees plan to both educate members about the Services Marketplace Initiative and provide GSA with feedback on the BIC MAC and the IT GWACs in the coming year.
GSA Administrator Murphy Reflects on Tenure at GSA
This week, Federal News Network published an interview with GSA Administrator Emily Murphy, who reflected on her tenure and accomplishments at GSA. Administrator Murphy discussed her decision-making process on the ascertainment of the Presidential election which officially launched the transition, in addition to her goals and accomplishments as Administrator.
Over the last three years, spending under GSA contract has grown by almost $20 billion and GSA has increased its IT market share by eight percent during that period. Customer loyalty surveys also increased by four percent. In addition to these achievements, Administrator Murphy reflected on shortfalls and goals that are still incomplete, such as the implementation of Section 876 “Increasing Competition at the Task Order.” Administrator Murphy also noted that GSA’s eBuy Open pilot did not produce the results the agency expected, and that the increased transparency actually reduced competition. To listen to the full interview with Administrator Murphy, click here.
Federal News Network reported that the Department of Defense (DoD) has released the initial seven contracts that will likely be the test contracts for the Cybersecurity Maturity Model Certification (CMMC). DoD previously stated that they expected 15 procurements to be part of the CMMC pathfinder process in 2021. By October 2025, DoD plans to have CMMC in all DoD contracts, which is a change from the current self-certification that DoD currently requires. The following contracts were selected as the initial test contracts for CMMC:
- Integrated Common Processor
- F/A-18E/F Full Mod of the SBAR and Shut off Valve
- Yard Services for the Arleigh Burke Class Destroyer
- Mobility Air Force Tactical Data Links
- Consolidated Broadband Global Area Network Follow-On
- Azure Cloud Solution
Missile Defense Agency
- Technical Advisory and Assistance Contract
FY21 NDAA Awaits President’s Signature
Both Houses of Congress passed the 2021 National Defense Authorization Act (NDAA) last week. The NDAA authorizes more than $740 billion in defense spending for 2021. The President has threatened to veto the bill, however the bill passed both Houses with enough votes to override a veto. The President has through December 23rd to issue a veto or the bill will become law.
Next Steps for GSA’s Small Business GWACs
Fedscoop reported this week on GSA’s updates on its small business governmentwide acquisition contracts (GWACs) for next year. The 8(a) Streamlined Technology Acquisition Resource for Services (STARS) III solicitation closed in August and will be awarded in fiscal year 2021.
A draft request for proposals (RFP) is coming soon for another small business GWAC, Polaris. Polaris is geared towards technologies like 5G and artificial intelligence, and GSA hopes that it will increase the number of woman-owned and HUBZone IT contractors that agencies work with. The RFP will be published on beta.SAM.gov. GSA has set up a Polaris informational page on Interact.
On December 9, the Department of Defense’s (DoD) Office of Inspector General (IG) released a report on the audit of DoD’s implementation of Section 3610 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Overall, the IG found that DoD contracting officers complied with the Office of Management and Budget (OMB) and DoD guidance when implementing Section 3610. However, the IG also found that they DoD had the following challenges implementing Section 3610:
- Contracting officers had to rely on contractors to self-certify that the Section 3610 costs claimed were the only reimbursement that contractors were receiving for the paid leave, and that contractors were not being reimbursed from any other source of other coronavirus disease–19 relief, for the same expenses.
- The DoD’s use of Section 3610 authority was limited. As of September 30, 2020, only 96 of the 781 DoD affected contractors received assistance through Section 3610.
- Tracking and identifying DoD contracts using Section 3610 was not easy. Not all contracts using Section 3610 authority were clearly identified in DoD information systems and some contracts were mislabeled as having the Section 3610 authority when they did not..
The IG completed this audit and report to review whether DoD contracting officers authorized and reimbursed contractors costs properly according to Section 3610 of the CARES Act. For the full report, visit here.
HHS Publishes 340B Dispute Resolution Process
On December 14th, the Department of Health and Human Services (HHS) published a final rule on the Administrative Dispute Resolution (ADR) process under the 340B Drug Pricing Program. The final rule replaces the 340B Program’s guidelines on the informal dispute resolutions process developed to resolve disputes between covered entities and manufacturers that were published in December 1996.
The ADR process described in the final rule is designed to assist covered entities and manufacturers in resolving disputes regarding overcharging, duplicate discounts, or diversion. According to the rule, the 340B Administrative Dispute Resolution (ADR) Panel will be responsible for reviewing claims made by a covered entity or manufacturer for monetary damages or equitable relief. The ADR Panel will issue final agency decisions on each claim following the procedures described in the final rule, which will be provided to the Health Resources and Services Administration (HRSA) for appropriate action regarding “refunds, penalties, removal, or referral to appropriate Federal authorities.” The final rule is effective January 13, 2021.
By Matt Gilbert, Baker Tilly
The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.
The current understanding is that any organization that obtains DoD contracts will be subject to the CMMC requirements. This includes prime contract recipients and the subcontractors. If you currently hold a DoD contract but do not intend to obtain future contracts, then CMMC will not apply, as the CMMC requirements are prospective only.
If your organization is a grant recipient, it is our current understanding that CMMC will likely apply to new grants. The key determinant is if the CMMC requirement is included by the government. The DoD is currently working on Defense Federal Acquisition Regulation Supplement (DFARS) modifications to institute CMMC. When this language is available for review, we will have further clarity. If you are not a DoD contractor, then you are not likely to have CMMC requirements initially. However, we caution that if CMMC is successful, we believe that other agencies across the federal government will look to it as a model and similarly look to adopt CMMC in the future.
According to the DoD:
“CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui.”
The DoD also issued a memo on CUI.
The CMMC model v1 defines FCI as “information provided by or generated for the government under contractor not intended for public release.” This is similar to CUI but without the same degree of structure and definition coming from the National Archives and Records Administration. If you do not possess CUI, it is more likely that you do possess FCI. In discussions and examples from the DoD, it appears that if you possess CUI then you will likely be required to obtain CMMC level three. If you are not in possession of CUI, but as a contractor do have FCI, then you will likely be required to have level one.
This has not been clearly defined. The DoD wants to ensure that the first wave of contracts with the CMMC requirement are a manageable number that can be handled by the provisional class of assessors. Depending on the progress of the CMMC Accreditation Body (CMMC-AB) to have the assessors ready and the timeline of DoD acquisitions, the specific contracts that are part of the pathfinder program could change. Our recommendation is to stay close to your customer, and where allowed, seek their guidance. If your DoD request for information (RFI) or request for proposal (RFP) is expected this fall or winter, be aware that it could be selected and you might need to have your CMMC completed.
The indications are that the DoD will specify in the RFI/RFP and/or in the contract the level of certification that is required. The DoD has indicated that contractors that handle CUI will at a minimum require level 3. If a contractor does not handle CUI and only handles FCI they will be required to only be Level 1. This will also help define that prime contractors (primes) and subcontractors (subs) might have different levels. Examples from DoD officials have indicated a situation where the prime is required to be level three and the subs level one. Our belief is that primes should target level three. If you are a sub, then level one might be all you require, but level three is not a bad investment to enable you to obtain prime or more significant sub roles on future DoD procurements where you will be required to handle CUI.
No assessors have been officially named. Baker Tilly Principal Matt Gilbert is assessor number 19. The CMMC-AB is in the process of confirming Certified Third-Party Assessment Organizations (C3PAOs). When this is completed they will post an official list of assessors and C3PAOs within their marketplace. Initially there is a class of provisional assessors, but eventually assessors will need to hold a requisite certification and work with a C3PAO to conduct valid certification assessments. Organizations seeking certification will need to coordinate with the C3PAOs.
The DoD also states in their FAQ on the CMMC website: “The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive.” The cost will ultimately depend on the level that the organization is seeking, as well as the complexity, size and scale of the environment being assessed. Other factors, such as requiring expedited assessment completed by a certain time, might also impact the costs.
The concept in question here is called enclaves. A company may decide that certain basic controls such as level one or level three will be adopted for the entire organization. Then, as a contract requires greater certification, a separate lab, network, location, etc. will be defined as an enclave and be certified at a higher level. The key is to ensure that the scope of your certification matches your plan and objectives for operation going forward.
Per the interim rule that goes into effect on Nov. 30, 2020, the CMMC results will be posted to the DoD’s SPRS system. You will be able to see your own score but not that of other contractors including subcontractors. Therefore, in the future it is going to be an important task to determine what level a sub possesses. The contract will not be awarded to the prime and future awards should not be made to the subs if they do not have the required certifications. In the adoption period, when a sub does not yet have a certification or the proper level, it will be imperative for the prime to understand the plans and efforts underway to obtain required certification in time for award. We advise primes to work with their subs to make sure they are on track, and potentially even review readiness efforts with them. If a sub is not on track, the prime might want to make alternative arrangements.
This is unclear. As no certifications are being issued yet, it is hard to know. We also expect that when certifications occur it could take at minimum nine weeks to cover selection of and contracting with a C3PAO to fieldwork and final issuance and approval of the certification by the CMMC-AB. It is also possible to imagine there could be a backlog of organizations seeking certifications and a waiting period to schedule the assessments. How long it takes for the organization to prepare is very dependent on the maturity of that organization’s cyber controls and the results of the self-assessments and readiness reviews that they conduct. We highly encourage an organization to conduct readiness efforts to ensure they are ready for the assessment.
If you are handling classified information or have contracts with FISMA and/or NIST SP 800-53 requirements, you are likely not impacted by CMMC for that contract. However, additional contracts or portions of your existing contract that are not subject to those higher requirements could require CMMC levels in the future.
It is not clear at this time. The guidance on reciprocity is not available at the time of writing, and therefore, ability to rely is unknown. However, there is a mapping of CMMC to the other common frameworks and efforts to implement controls or conduct self-assessments of such controls could be greatly decreased as the controls are already in place and previously evaluated during your other assessments.
The DCMA established the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). They have conducted assessments, but to date, the assessments are based on NIST SP 800-171 and not CMMC. It is not officially announced if those assessments will have reciprocity with CMMC at this time but this is highly likely.
Healthcare Spotlight: Medicare Links Part B Payment Rates to International Prices: Most Favored Nation Model
By Alice Valder Curran, Beth Halpern, Stuart Langbein, Beth Roberts, Christopher H. Schott, Kathleen A.Peterson, Samantha D. Marshall, James Huang, James M. Deal, and Boyd Jackson with Hogan Lovells, LLC.
The Healthcare Spotlight provides the healthcare community with an opportunity to share insights and comments on healthcare issues of the day. The comments herein do not necessarily reflect the views of The Coalition for Government Procurement.
On November 20, 2020, the U.S. Centers for Medicare & Medicaid Services (CMS) issued an interim final rule (IFR) with comment period implementing a mandatory “Most Favored Nation” demonstration model (MFN Model) to test Medicare reimbursement based on international reference prices. Comments are due no later than January 26, 2021. Initially, the Model will focus on approximately 50 Medicare Part B drugs or biologicals (collectively, drugs) with the highest spending during the preceding year, with additional drugs potentially added in subsequent years without removing a commensurate number of drugs. Part B payment will be made for such drugs based on an “MFN Price” that reflects the lowest per capita Gross Domestic Product (GDP) adjusted price of any non-US member country of the Organisation for Economic Co-Operation and Development (OECD) with a GDP per capita of at least 60 percent of the United States. CMS estimates that the Model will reduce Medicare fee-for-service spending by approximately $85.5 billion over the demonstration period.
Click here to read the full article.
Expectations for VA Policy Changes under Biden Administration
The transition to a new administration is underway and there are several changes expected that are likely to impact healthcare. According to U.S. Medicine, one of the changes the Biden administration said it will make is refining and updating the Department of Veterans Affairs (VA) community care guidelines, to ensure that veterans are receiving the same standard of care whether their provider is within the VA or outside of the VA. The Biden administration also plans to invest in existing infrastructure to update it to fit the needs of the VA. There is a plan to finding better ways to retain and recruit VA staff. The Biden administration plans to continue the dedication to mental health support of DoD and VA. Read full article here.
The Government Accountability Office (GAO) published a report on the 340B Drug Pricing Program, specifically how the Department of Health and Human Services (HHS) ensures compliance with 340B requirements. The 340B Program requires drug manufacturers to sell outpatient drugs at a discount to covered entities in order for their drugs to be covered by Medicaid. Covered entities may save a substantial amount through the program’s price discounts. HHS’ Health Resources and Services Administration (HRSA) administers the program and oversees compliance through annual audits and other efforts. GAO was asked to review HRSA’s efforts to oversee covered entities’ compliance with requirements.
If an audit identifies noncompliance with 340B requirements, then HRSA issues findings to covered entities and requires them to take corrective actions to continue participating in the program. HSRA told GAO that beginning in 2019, findings are only issued when audit information is in clear and direct violation of requirements. HRSA officials stated that the guidance used to interpret provisions of 340B does not provide the agency with appropriate enforcement capabilities. GAO also found that in addition to audits, HRSA provides education to covered entities about program requirements. According to the report, he agency has also implemented other ways to identify noncompliance, including requiring all covered entities to recertify their eligibility to participate in the program annually, and using a self-disclosure process through which entities can disclose and correct self-identified instances of noncompliance.
The Government Accountability Office (GAO) released a report, on December 15, about actions Federal agencies need to take to manage supply chain risks. GAO reviewed the supply chain management of 23 civilian Federal agencies, which includes Department of Homeland Security, Department of Veterans Affairs, General Services Administration, and the Small Business Administration.
GAO found that few of the agencies implemented the seven foundational practices for managing information and communications technology (ICT) supply chain risks. None of the agencies have implemented all supply chain risk management practices. Most agencies stated that they have not implemented any of the practices because there is a lack of federal guidance.
GAO’s review was conducted to determine the extent to which federal agencies have implemented standard ICT practices. GAO made 145 recommendations to the 23 agencies to fully implement the expected supply chain management practices. 17 of the agencies agreed with all recommendations made.
Labor Department Launches “Race and Sex Stereotyping EO” Website
On September 22, 2020, President Trump signed Executive Order 13950, “Combatting Race and Sex Stereotyping.” This week the Department of Labor released a new website to serve as a one-stop resource for contractors on compliance with the EO. In short, the EO prohibits the promotion of “race or sex stereotyping or scapegoating” and prohibits contractors from inculcating such views in their employees in workplace diversity training. In addition to providing information about the requirements of the EO, the website provides the hotline where individuals or groups may file complaints in accordance with the order. It also describes potential consequences if violations are found to have occurred including contract cancellation, suspension or debarment. For more details, visit the DOL website at www.dol.gov/agencies/ofccp/faqs/executive-order-13950 .
CISA Issues Emergency Cybersecurity Order
Federal Computer Week reported that the Cybersecurity Infrastructure Security Agency (CISA) issued an emergency directive for civilian agencies to stop using SolarWinds’ Orion products immediately. The emergency directive was issued following a network breach at the Departments of Homeland Security, Treasury, and Commerce.
Secure Telework a Top Priority for DISA
Federal News Network reported that cybersecurity and telework tools are top priorities in 2021 for the Defense Information Systems Agency (DISA). One of the innovations that DISA is considering is adding a solution that creates an air gap between internet traffic and DoD’s network. DISA would also like to add existing technology to heighten security on emails and email attachments. DISA is looking to add encrypted traffic analysis in addition to classified telework tools. Secure telework became a top priority due to the current COVID-19 pandemic.
Concerns Raised about GSA Schedule Price Negotiations
Earlier this week, Federal News Network published a report on the policies used to negotiate prices on the GSA Schedules. The report noted frustrations and concerns in industry about negotiation tactics as well as the role of the GSA Office of Inspector General in pricing decisions. Coalition President Roger Waldron was interviewed and provided a quote for Federal News Network’s analysis. To read the exclusive report, click here.
Off the Shelf: IT Procurement and Management at GSA
Laura Stanton, assistant commissioner for the IT Category, Keith Nakasone, deputy assistant commissioner for Acquisition Management, and Allen Hill, acting deputy assistant commissioner for Category Management, provided an overview of GSA’s 2020 IT category performance and share their priorities for 2021.
The wide-ranging discussion tackled GSA’s IT GWAC performance and the future POLARIS small business IT contract vehicle. Stanton, Nakasone and Hill discuss cloud computing, e-commerce and cybersecurity along with GSA’s growing efforts in artificial intelligence and robotic process automation.
Click here to listen to the show.
DISA “Zero Trust Reference Guide” for DoD Networks
According to Fedscoop, the Defense Information Systems Agency (DISA) plans to release a zero-trust reference guide next year as part of an effort to move the Department of Defense (DoD) networks to a new security configuration. The guide will provide a blueprint for defense agencies to transition to networks that have the same heightened security levels for all users. The reference guide was put together by DISA, the National Security Agency (NSA), U.S. Cyber Command, and industry. In addition, a private zero-trust cybersecurity lab was set up in Maryland through a partnership with the Maryland Innovation and Security Institute, NSA, Cyber Command, and other security-focused agencies. The lab provides a place to test new technology as well as a meeting place for government officials and vendors to collaborate.
DLA Releases Supplier Survey
On November 12, the Defense Logistics Agency (DLA) released a survey to collect supplier feedback and drive internal change. DLA sent out a first survey in September of 2018, in which representatives from more than 7,000 companies were asked to evaluate their experience conducting business with the agency. This year’s survey will help DLA refine processes, improve responsiveness, and strengthen relationships with suppliers. The survey is targeting suppliers who have done $50,000 or more in business with the DLA over the past two years. It asks for demographic information including whether a business is large or small, a manufacturer or distributor, and what particular supply chain within DLA they do business with. The data will be used to develop action plans based on specific focus areas identified by suppliers. The survey is part of DLA’s industry engagement effort outlined in the 2018 DLA Industry Engagement Plan. Members who received the survey are highly encouraged to respond. Suppliers will have until late January 2021 to complete the survey. Industry representatives can get more information about the survey by contacting the DLA Industry Engagement Office at IndustryEngagement@dla.mil.