The Department of Defense needs help in managing its IT portfolio and can improve its transparency and risk management.

NASA, Transportation, and Treasury also need help in that area. These are among the findings of the recently published 10th FITARA report card (https://federalnewsnetwork.com/wp-content/uploads/2020/08/fitara-Scorecard-10-USAID-corrected.pdf). Once viewed unevenly across the federal IT community, FITARA compliance is now mandated by OMB and is the subject of regular Congressional oversight.

Contractors probably know that, as a result, FITARA comes up a lot more in business and agency management discussions than was once the case. While federal agencies are making overall progress in meeting their FITARA requirements, there are still specific areas where companies can help. One such area is “Agency CIO Authority Enhancements”. DOD, DHS, and NASA are three agencies that received an “F” in that category, indicating that they might be open to help from contractors that can provide a strategic analysis of the CIO’s role and how it is integrated into overall agency management. To put it mildly, not all CIO designations carry the same weight. Where are agencies doing well? Both GSA and USAID received an overall “A” grade. All agencies except OPM received an “A” grade for their management of software licensing. Still, there is plenty of intelligence to be gathered from the latest report card on where agencies fall short in IT management and, by extension, where contractors might be able to find opportunities.
The busy federal buying season also corresponds with an increase in acquisition-related protests. Protests are a fact of life in government procurement, and we believe that companies do themselves a great disservice if they adopt “no protest” policies. Indeed, we are happy to have a deeper discussion on why, outside of the newsletter. Before a company protests, though, it is absolutely essential to know the answer to this question: “What do I want to happen?” This may seem obvious, but consider just the latest example of where it wasn’t. It’s a safe bet that none of the small businesses that had invested hundreds of thousands of dollars in Alliant II SB wanted the procurement to be cancelled. Staff time, proposal writers, business consultants, lawyers, etc. all were deployed with the expectation that there would be business through Alliant II SB.

Back in the dark ages we had the chance to sit in on oral arguments before the US Court of Appeals for the Federal Circuit, sometimes known as the “junior Supreme Court”, on the Best Power contract case. The lawyer for Best was prepared for everything related to the contract. He was not prepared for the question from one of the judges, “What is it that you want?” The lawyer stammered. There was an awkward silence. Finally, the judge answered his own question: “Do you want attorney’s fees?” A perceptible groan came from the gallery as the lawyer quietly affirmed that, yes, he would like fees. Not one of the best moments from the annals of federal contract law and, unsurprisingly, the Court found a way to punt on the case.

The bottom line is that it is ok to protest when you have a legitimate reason to do so, but you need to answer the “What do I want?” question first. Losing your investment in a huge IDIQ contract and ensuring that your lawyer gets paid probably aren’t at the top of the list.
Contractors eyeing potential opportunities in a new round of COVID-19 relief funding may want to focus elsewhere. House and Senate negotiators are reportedly wide apart on the specifics of any “Phase IV” relief package. A self-imposed deadline of July 31st is rapidly approaching. What that means for the long term is unclear, as self-set deadlines can always be extended. In the interim, however, some benefits and money will expire without a short-term extension, and even that seems doubtful. The shape of any long-term deal is also uncertain. Money for unrelated projects, such as the building of a new FBI Headquarters, has drawn sharp disapproval from Senate Republicans, making the passage of anything not directly tied to COVID-19 problematic. Even there, however, discussions are at an impasse. It is also worth remembering that House leaders have previously said that there will not be additional funds for defense contractors to pay for previously authorized CARES Act expenses.

Contractors should instead focus on already-identified money and opportunities in their pipelines. Congress may very well decide to pass some sort of relief measure at the last second (either before the August recess or closer to the Fall elections), but that should not be a distraction from a company’s core business, especially during the end of the year. Appropriations will also be late this year, so prepare to start FY’21 under a Continuing Resolution until sometime after the November election.
Companies selling to the Department of Defense have been gearing up to become Cybersecurity Maturity Model Certification (CMMC) approved. Even GSA is eyeing the inclusion of CMMC requirements for some of its contracts, as DOD is often their largest user. Now, however, the National Institute of Standards and Technology (NIST) has come out with new requirements (https://csrc.nist.gov/publications/detail/sp/800-172/draft) that will eventually be incorporated into certain CMMC levels. How that will impact companies among the first to be certified under the current guidance is unknown. Guidance from DOD, especially for companies that provide cloud services, is also changing. Don’t even start with the cybersecurity requirements that Commercial Off the Shelf (COTS) procurements are and are not exempt from. It’s enough to make a contractor seek an easier career like commercial fishing.

What is clear is that FAR clause 52.204-21 on Federal Contract Information (FCI) is increasingly being incorporated into a wide range of government contracts, including those for commercial items. Make sure your company can comply with the 15 basic NIST security requirements referenced in the clause. Not all cyber guidance has found its way to the FAR yet, though. DOD contractors increasingly need to examine DFARS clauses to ensure they understand the cybersecurity and cloud standards required of them and those standards that need to be passed down to subcontractors. There are many key terms to know, but two of the most frequent are Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). CUI is actually included in the definition of CDI, so if your company meets the standards for how such information needs to be handled, it likely meets the other.

While COTS providers are, in fact, exempt from CMMC and some other requirements, that differentiation may be lost on DOD buyers and prime contractors. Such companies will need to be prepared to answer why they feel they are exempt from certain compliance standards, or become compliant. The situation is changing, but ensuring that your company follows the changes and stays compliant with applicable rules is critical to doing continued government business.
Have you ever seen the movies where the car breaks through the first barrier, then the second and third, keeps ploughing down a road it obviously shouldn’t be on and then sails off the unfinished bridge and into a lake? Think you would never do that? Think again. This is exactly the type of behavior many contractors engage in when it comes to ensuring proper contract compliance. We understand that companies are in business to do business, but part of conducting that business is making sure all contractual requirements are fulfilled. Just like the out-of-control car, contractors may get multiple warnings to stop, slow down, turn around or otherwise get back on the right path. Some get the message by the second or third sign. That’s late, but usually not too late to prevent truly bad outcomes that disrupt the business you’re trying to pursue.

Some companies believe that their car could make the jump over the missing bridge span – akin to reaching safety without having to change practices. Many, though, end up in the lake. Unfortunately, that ruins not just your business but the livelihoods of those who work at the company. A damaged business also upsets investors who provided money with the expectation that the company would be run properly. While stopping your car short of the lake may still result in a ticket and a small repair bill, that’s certainly preferable to having the entire car wrecked and paying to get it out of the water. Effective contract compliance systems are truly a “pennies on the dollar” investment that helps your business stay on the open road.