Friday Flash 5/26/23

FAR & Beyond: Remembering Our Fallen Heroes

This upcoming weekend marks the opportunity for us to observe the Memorial Day holiday. Americans across the country will gather, not only to enjoy time with family and friends, but also to remember the brave men and women who sacrificed their lives defending our great nation. To honor these heroes, the Coalition wishes to share the following Memorial Day prayer of remembrence:

We Remember
We remember the many brave men and women
who have given their lives
through the history of our country
to protect us from danger and harm
We remember all those who sustained injury
in mind and/or body in the course of their service
We salute all those who served in the military.

–   Author Unknown

These pictures were taken on Memorial Day in 2016 at the Chattanooga National Cemetery while I was on the way to pick up my daughter from the University of Alabama.

As our nation spends valuable time with loved ones this weekend, we hope all have an opportunity to set aside a quiet moment to honor and remember those fallen Americans who laid down their lives protecting our freedom.

From all of us at the Coalition, we wish you and your families a safe Memorial Day weekend.

Negotiations Continue to Raise the Debt Limit
CNN reported that the House went into recess on Thursday while the White House and House Republicans met in the afternoon for continued negotiations to raise the debt limit and avoid a default. On Wednesday, House Majority Leader Steve Scalise said that if a deal is reached, members will receive 24 hours’ notice to return to the Capitol for additional votes. Reporting indicates that both sides have agreed to roll back some spending, such as unobligated COVID-19 relief funds, and Speaker of the House Kevin McCarthy has referred to the talks as “productive” and committed to daily meetings until a deal is reached. They remain at loggerheads, however, over issues such as whether spending should be cut or frozen, how long a spending cap would last, and what work requirements the White House is willing to accept for Federal welfare programs. Any agreement between the two sides will then have to be written up as legislation and pass both houses of congress. In the House, many Republicans will likely not support the deal, requiring Democrats to supply the remaining votes to achieve a majority.

Secretary of the Treasury Janet Yellen reiterated in a Monday letter to Congress that the best estimate for when the Treasury would be unable to cover all US obligations and default was “early June, and potentially as early as June 1.” The continued negotiations have already begun to have economic consequences, however: on Wednesday, ratings agency Fitch placed the US credit rating on “negative watch” to reflect an increased risk that the government could miss payments and borrowing costs have already risen for short duration treasury bills.

DoD Plans to Release Contractor Cybersecurity Strategy in November
NextGov reports that the Department of Defense (DoD) expects to release a contractor cybersecurity strategy in November. David McKeown, the DoD’s Chief Information and Security Officer, spoke on the forthcoming strategy at GovExec’s Cyber Summit event last week. According to McKeown, the strategy will be divided into multiple stages, including the identification of areas that need protection, intrusion detection, cyberattack response, and cyberattack recovery. Additionally, the document will guide contractors to resources such as the Defense Cyber Crime Center and the National Security Administration’s Cybersecurity Collaboration Center. Finally, McKeown noted that in order to reduce data breaches, DoD is working on modifications to contract language to clarify contractors’ cybersecurity responsibilities.

GAO Report Finds Gaps in FedRAMP Compliance
Last Thursday, the Government Accountability Office (GAO) published a report examining the strengths and weaknesses of cloud security practices at the Departments of Treasury, Labor, Homeland Security, and Agriculture. Almost all of the 15-cloud systems GAO sampled fully complied with three of six Federal cloud security practices that GAO condensed from Federal cloud guidance: delineating agency and vendor security responsibilities; documenting identity, credential, and access management policies; and documenting incident response and recovery procedures.

However, only four of fifteen systems fully complied with FedRAMP, the Federal Government’s main program for authorizing cloud services from a cybersecurity perspective. While all services were initially FedRAMP authorized, agencies sometimes failed to document their own authorization of the services, provide these authorizations to the FedRAMP Program Office, and/or ensure their contracts with the vendor required FedRAMP compliance. The findings echoed a 2019 GAO report with a different quartet of agencies that found three of the agencies failed to consistently prepare and provide authorizations. Agency officials provided various reasons for the absence of the requirements in contracts, including that they considered “the FedRAMP process and the FedRAMP authorization … sufficient for ensuring that [cloud services] met requirements.” GAO noted, however, that Office of Management and Budget guidance directs agencies to include the requirements. Regarding the other two security practices, GAO reported that “most” systems had defined security metrics in their service level agreements and had partially implemented continuous monitoring.

GAO made 35 recommendations to the agencies to address the issues raised in the report.

OMB Plans to Release AI Guidance for Agencies this Summer
According to Federal News Network, the Office of Management and Budget (OMB) will release draft guidance this summer for Federal agencies on the development, procurement, and use of Artificial Intelligence (AI) systems. The White House announced the upcoming OMB guidance as part of a series of actions being taken to promote responsible AI innovation that respects Americans’ rights and safety. In addition to the forthcoming guidance, the Administration announced a commitment from leading AI developers to participate in a public evaluation of AI systems at DEFCON 31, a prominent hacker convention. At the event, the AI systems will be evaluated for their compliance with the Administration’s Blueprint for an AI Bill of Rights and AI Risk Management Model.

Webinar: Software Supply Chain Security Requirements: Are You Ready?, June 1
On June 1 from 12:00 – 1:00 PM (ET), the Coalition will host a webinar on Software Supply Chain Security Requirements. This webinar will feature Crowell & Moring attorneys Michael Gruden, Alexander Urbelis, and Alexis Ward as they discuss the Office of Management and Budget’s forthcoming self-attestation requirements and deadlines approaching this summer.

To register, click here.

Imaging Committee Meeting: DLA Document Services, June 8
The Coalition’s Imaging Committee will be hosting Terra Nguyen, Director of the Defense Logistics Agency Office of Document Services. The virtual meeting will be held June 8 at 10:00 AM (ET) and will provide an update on the office’s work as well as a discussion on industry challenges and strengths for 2023.

To register click here.

All-Member Meeting on GSA Contracting Trends with The Gormley Group, June 13
The IT/Services Committee will be hosting an all-member meeting featuring speakers from The Gormley Group who will provide an update on the latest trends in the schedules program. Sonia Pesantes, Managing Principal Consultant, and Sean Nulty, Senior Consultant, will be presenting insights across the Federal contracting landscape. The meeting will be held at the office of LMI, 7940 Jones Branch Road, Tysons, VA 22102, on June 13, from 10:00 – 11:00 AM (ET). Please submit questions that you would like answered at the meeting to Joseph Snyderwine, If you have any questions or issues with registration please contact Erin Cartwright, Virtual attendance will also be available.

To register for the meeting, click here.

Register for the 10th Annual Joseph P. Caggiano Memorial Golf Tournament, August 16
Registration is open for the 10th Annual Joseph P. Caggiano Memorial Golf Tournament (to register, click here)! The annual golf tournament will take place on August 16 at the stunning Whiskey Creek Golf Club in Ijamsville, Maryland. This event honors our friend and colleague, Joe Caggiano, a Navy veteran and longtime expert in the Federal contracting marketplace.

Over the years, tournament proceeds have supported a number of initiatives aiding our veterans, including The Coalition for Government Procurement Endowed Scholarship Fund for a qualified veteran concentrating their studies in the field of U.S. government procurement at The George Washington University Law School.

We are pleased to share that the proceeds from this year’s tournament will not only contribute to the scholarship fund, but also will support a new charity organization: Paws for Purple Hearts! Paws for Purple Hearts strives to improve the lives of veterans and wounded service members facing mobility challenges and trauma-related conditions by providing the highest quality assistance dogs and canine-assisted therapeutic programs. In addition, Paws for Purple Hearts builds public awareness about the important role dogs play in helping veterans and service members along the road to recovery.

Learn more about this wonderful organization by visiting, and don’t miss the opportunity to meet some of the service dogs at the Joseph P. Caggiano Memorial Golf Tournament!

Become a Sponsor
Many sponsorship opportunities are available for the Joseph P. Caggiano Memorial Golf Tournament. These opportunities include:

  • Title Sponsorships
  • Reception Sponsorships
  • Lunch Sponsorships
  • All-Day Beverage Cart Sponsorships
  • Hole Sponsorships with 4 Players
  • Veranda Club Sponsorships
  • Hole Sponsorships (no players)
  • Golf Foursomes
  • Single Golfer

For more details on the complete list of sponsorship packages and their corresponding benefits, click here. To secure your sponsorship, or if you have any questions, please contact Heather Tarpley at

Off the Shelf: Using AI to Enhance Warfighter Performance
This week on Off the Shelf the focus turns to emerging solutions in fitness and sports industries that are directly applicable to optimizing warfighter performance.

Host Roger Waldron speaks with Sonya Rahmani, a chief technologist leading Booz Allen Hamilton’s Warfighter Performance efforts, Bart Hodlik, the integrated project technical lead at Naval Information Warfare Center Pacific, Dr. Mark Derriso, chief engineer, and chief data officer for the 711th Human Performance Wing, Air Force Research Laboratory, Dr. Reuben Burch, associate professor of Industrial & Systems Engineering and director of Athletic Engineering, Mississippi State University, and Irik Johnson, senior associate and human performance practitioner at Booz Allen Hamilton.

The discussion identifies and discusses the key technologies, including wearables, artificial intelligence, and machine learning that can be used to monitor and enhance warfighter performance. The guests also identify key strategies and supporting infrastructure capabilities to support a holistic approach to warfighter performance. The wide-ranging discussion also highlights data, network, cybersecurity, physical and psychological considerations that organizations must address as part of any implementation of fitness solutions across units and around the world.

To listen to the full episode, click here, or search “Off the Shelf” on all major podcasting platforms.

VA IT Obligations Grow while Contractor Count Shrinks

On May 23, the Government Accountability Office (GAO) released a investigating trends in the Department of Veterans Affairs (VA) IT contracting.

GAO found that IT contract obligations had grown from $4.2 billion in 2017 to $6.5 billion in 2021 and totaled $25 billion through the four-year period. These contracts are primarily awarded through its Technology Acquisition Center. During this same period, the number of companies the VA contracted with for IT products and solutions shrunk by more than 25%. In addition, the number of Veteran Owned Small Business contractors fell from 367 to 325, while total contractors fell from 1,247 to 873. They also found that Chief Information Officer (CIO) approval could not be verified for 14 out of 26 contracts in 2021, and for 39% of contracts from March 2018 to September 2021. The low approval percentages are attributed in large part to the absence of an automated control reminding Contracting Officers to seek CIO approval. GAO has recommended the creation of such a control, which the VA concurred.

UFDUR Survey for Pharmaceutical Members

The Coalition is conducting a survey of its pharmaceutical members on DHA’s publication of data in the quarterly Uniform Formulary Drug Utilization Report (UFDUR).

Defense Health Agency Data and Communication Survey
Please note that all responses are for non-attribution. Company names will remain confidential and will not be disclosed to the government. The survey asks for company names for the sole purpose of providing an accurate count of the number of company respondents. If you have any questions, please contact Ian Bell at

About the Survey:
This is the second UFDUR survey of DHA’s industry partners. It asks contractors about the value of the current UFDUR, whether industry has any suggestions to expand the data available and how that would help DHA to meet its cost avoidance and military readiness goals. The survey also includes questions to assess the demand for additional data on the new Accredo Specialty Pharmacy program through TRICARE.

Our last survey recommended that DHA resume publication of the UFDUR, substantially improving industry’s understanding of DHA’s buying patterns and providing industry with a strong basis upon which competitive pricing could be offered to DHA.

We encourage all members in the pharmaceutical sector to participate.

Legal Corner:

Who Is Required to Complete Attestations?

The term “software producer” is not defined but, on its face, it encompasses all firms that produce or develop software. These attestations will be required for:

  1. software developed after September 14, 2022,
  2. software that undergoes a major version change (e.g., using a semantic versioning schema of Major.Minor.Patch or the software version number goes from 2.5 to 3.0) after September 14, 2022, and
  3. software where the producer delivers continuous changes to the software code (e.g., software-as-a-service products or other products using continuous delivery/continuous deployment).

This requirement applies to third-party software used on an “agency’s information systems or otherwise affecting the agency’s information.” Software broadly encompasses: “firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”  Note that software developed by Federal agencies is exempt.

It’s unclear how this will apply to resellers of software. Presumably though, to provide software to an agency, the contractor selling it must ensure its developer completed the attestation. Similar to other areas of government contracts, it may be possible that Federal contractors who resell software to the government can rely, in good faith, on the representations and certifications made in the Form from the software producers. While we need to wait until the Form is finalized, agencies can require contractors to provide these attestations as “go/no-go” requirements or as part of responsibility determinations in solicitations.

Examples of Some Attestations and Related SSDF Practices

If you are a producer familiar with the NIST SSDF, the following references and examples of some secure software practices will be familiar. If you are new to the world of SSDF, these attestations and references to the SSDF may seem daunting at first. Below are some of the attestations in the draft form, as well as some (non-exhaustive) examples of practices that meet the SSDF requirements.

  1. The Form requires the environment the software was developed and built in be secured by regularly logging, monitoring, and auditing trust relationships used for authorization and access to any software development and build environments and among components within each environment. Examples of practices that meet this requirement include: (i) using multi-factor authentication and conditional access for each environment, (ii) using network segmentation to separate environments from each other, and (iii) enforcing authentication and restricting connections entering and exiting each software development environment.
  2. Another attestation from the Form requires the software producer to maintain provenance data for internal and third-party code incorporated into the software. Examples of practices consistent with this statement include: (i) making the provenance data available to the organization’s operations and response teams to aid them in mitigating software vulnerabilities, (ii) protecting the integrity of provenance data and providing a way for recipients to verify provenance data integrity, and (iii) updating the provenance data every time any of the software’s components are updated.
  3. The Form also requires producers to attest they employed automated tools or comparable processes that check for security vulnerabilities. Examples of such tools and/or processes include: (i) using up-to-date versions of compiler, interpreter, and build tools, (ii) following change management processes when deploying or updating compiler, interpreter, and build tools and audit all unexpected changes to tools, and (iii) having a qualified person who was not involved with the design and/or automated processes within the toolchain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

Penalties for Willfully Disclosing Misleading or False Information

The disclosure statement refers to 18 U.S.C. § 1001 as a potential penalty in the event attesters willfully provide false or misleading information. 18 U.S.C. § 1001 makes it a federal crime to, among other things, “knowingly and willfully” falsify a material fact or make a fraudulent statement or representation. While the False Claims Act is not specifically referenced, the U.S. Department of Justice could also prosecute software producers who make false statements or representations in the Form.

Relatedly, the estimated reporting burden to complete the Form is 3 hours and 20 minutes. While some companies well-versed in these practices may be able to attest to the Form’s statements in that time, some commenters made it clear that having a Chief Executive Officer (CEO)—as required by the Form—sign off on the attestation, will require a detailed, point-by-point review and analysis of the company’s current policies and practices. The SSDF and related NIST documents are detailed, comprehensive sets of policies, practices, and cross-references, requiring a great deal of time, resources, and energy to go through; it will likely entail consulting legal counsel. The estimated reporting burden therefore may not be accurate. Although the Form is not particularly long, to ensure contractors are not misrepresenting their secure software development practices, they should expect completing the Form will take much longer than a few hours, especially considering the potential penalties that might result.

CISA is collecting public comments regarding the Form here until June 26, 2023. If you have questions about the attestations and how to prepare for compliance with them, or any other secure software developments, please contact Cy Alba and Daniel Figuenick, the authors of this blog, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.

Healthcare Corner: VA Awards MSPV Gen-Z V1 Distribution and Supply Management IDIQs

The Veterans Health Administration (VHA) Medical Supply Program Office (MSPO) and the Strategic Acquisition Center – Frederick (SAC-F) announced the award of six 10-year indefinite delivery/indefinite quantity contracts to provide Prime Vendor support to Veterans Affairs Medical Centers (VAMC) and Other Government Agencies (OGAs). The support encompasses the comprehensive distribution and supply management of all required medical, surgical, dental, and laboratory supplies to VAMCs and eligible OGAs. The award was made through the Department of Veterans Affairs Medical Surgical Prime Vendor Generation-Z Version 1 (MSPV Gen-Z V1) program and has a collective ceiling of $15 billion, as well as a period of performance consisting of a five-year base period with one five-year option. The contracts were awarded to Cardinal Health 200, LLC, Cardinal Health P.R. 220, LLC, Concordance Healthcare Solutions, LLC, McKesson Medical-Surgical Government Solutions LLC, Medline Industries, LP, and Owens & Minor Distribution, Inc.

A View From Main Street

By Ken Dodds, Live Oak Bank

The following blog does not necessarily represent the views of The Coalition for Government Procurement. 

New SBA Rule Highlights

8(a) Mergers and Acquisitions
The Small Business Act provides that an 8(a) contract must be terminated for the convenience of the government if there is an acquisition of an entity or assets involving 8(a) contracts unless the SBA Administrator issues a waiver.[2] In a major positive development for 8(a) concerns and disadvantaged individuals, SBA is streamlining the waiver request process by having such requests submitted directly to the head of the 8(a) program instead of the District Office and imposing a time limit of 90 days to review the waiver request. SBA is also deleting the requirement that the acquiring concern have experience performing the type of work performed by the acquired concern.

One of the primary reasons to acquire another concern is to gain experience and past performance in a new industry by utilizing the management and technical expertise of the acquired concern’s personnel.[3] There is also a change of ownership process where a disadvantaged owner is substituted for another disadvantaged owner. A change of ownership decision is made by the head of the 8(a) program, not the SBA Administrator, and SBA should issue a change of ownership decision within 60 days.[4] The change of ownership concept applies when an entity such as an ANC/Tribe/NHO acquires an 8(a) graduate with 8(a) contracts.[5]

Joint Ventures
Orders are not contracts for purposes of SBA’s joint venture rule which provides that a joint venture can receive an unlimited number of contract awards within a two-year period after the first contract award.[6] Joint ventures can be populated with employees where the parties to the joint venture are similarly situated with respect to the type of set-aside contract, but the firm’s employees/revenues in the aggregate must meet the relevant size standard (in contrast with unpopulated joint ventures where each member of the joint venture must individually meet the size standard).[7] Members of unpopulated joint ventures must include in their own size calculation the receipts or employees of the joint venture based on work share. Members of populated joint ventures must include in their own size calculation the receipts or employees of the joint venture based on the ownership percentage of the joint venture.[8] A joint venture minority member’s consent can be required to initiate litigation or pursue contract opportunities on behalf of the joint venture.[9] A firm cannot be a member of more than one joint venture pursuing a specific 8(a)/HUBZone/SDVO/WOSB/EDWOSB set-aside contract.[10]

Ostensible Subcontractor Rule
If a firm and its similarly situated subcontractors are meeting the limitations on subcontracting, a firm cannot be found to be affiliated with a large business subcontractor under the ostensible subcontractor rule.[11] SBA declined to include hiring a large number of the incumbent’s personnel as a factor under the ostensible subcontractor rule, since that is often the government’s desire and sometimes legally required.[12] As part of a status protest SBA will review whether a HUBZone or WOSB/EDWOSB is unduly reliant on a non-eligible subcontractor to perform the primary and vital parts of a HUBZone or WOSB/EDWOSB contract.[13] This change has already been implemented for the SDVO program.[14]

8(a) Business Development Program

A firm must be small and in the 8(a) program at the time of award of an 8(a) sole source order.[15]

Where an SBIR awardee is affiliated with a subcontractor under the ostensible subcontractor rule the parties will be treated as a joint venture and therefore must comply with the SBIR rules applicable to joint ventures.[16] The exemption from affiliation applicable to Small Business Investment Companies applies to SBIR/STTR as well.[17]

Non-Manufacturer Rule
Where SBA has granted a waiver of the non-manufacturer rule for a contract with a duration of greater than five years, the contracting officer must request a new waiver after five years.[18] A contract must be awarded within one year of the date of SBA’s waiver of the non-manufacturer rule.[19]

Combined Set-Asides
SBA is codifying its long-time policy that agencies cannot issue solicitations that limit competition to multiple socio-economic categories or give evaluation credit for additional socio-economic categories beyond the designated set-aside.[20]

Limitations on Subcontracting
For multi-agency contracts, the limitations on subcontracting will apply to each order.[21]

Mentor Protégé
A protégé can use its second opportunity to have mentor by extending its time with its first mentor for an additional six more years.[22]

Recertification is not required where an acquisition does not result in a change of control or negative control.[23]

Do you have a topic you wish to have covered or a question on how Live Oak Bank can support your business? Email me at

[1] 88 FR 26164.

[2] 15 USC 637(a)(21),

[3] 13 CFR 124.515.

[4] 13 CFR 124.105(i).

[5] 13 CFR 124.105(i)(1).

[6] 13 CFR 121.103(h).

[7] 13 CFR 121.103(h)(1).

[8] 13 CFR 121.103(h)(4).

[9] 13 CFR 125.8(b)(2)(ii)(A).

[10] 13 CFR 124.513(a), 126.616(a)(2), 127.506(a)(3), and 128.402(a)(3).

[11] 13 CFR 121.103(h)(3)(iii).

[12] 88 FR 26164, 26166.

[13] 13 CFR 126.801(e)(2) and 127.603(d)(2).

[14] 13 CFR 134.1003(c).

[15] 13 CFR 121.404(a)(1)(i)(B), 121.404(a)(1)(ii)(B), 124.501(h), and 124.502(a), 124.503(i)(1)(iv).

[16] 13 CFR 121.702(c)(7).

[17] 13 CFR 121.702(c)(11).

[18] 13 CFR 121.1203(e).

[19] 13 CFR 121.1204(b)(5).

[20] 13 CFR 124.501, 126.609, 127.503(e), and 128.404(d).

[21] 13 CFR 125.6(d).

[22] 13 CFR 125.9(e)(6)(iv).

[23] 13 CFR 121.404(g)(2)(i).