Monthly Archives: August 2020

NEW FITARA REPORT CARDS SHOW WHERE CONTRACTORS COULD HELP

The Department of Defense needs help in managing its IT portfolio and can improve its transparency and risk management.  NASA, Transportation, and Treasury also need help in that area.  These are among the findings of the recently-published 10th FITARA report card (https://federalnewsnetwork.com/wp-content/uploads/2020/08/fitara-Scorecard-10-USAID-corrected.pdf).  Once viewed unevenly across the federal IT community, FITARA compliance is now mandated by OMB and is the subject of regular Congressional oversight.  Contractors probably know that, as a result, FITARA comes up a lot more in business and agency management discussions than was once the case.

While federal agencies are making overall progress in meeting their FITARA requirements, there are still specific areas where companies can help.  One such area is “Agency CIO Authority Enhancements”.  DOD, DHS, and NASA are three agencies that received an “F” in that category, indicating that they might be open to help from contractors that can provide a strategic analysis of the CIO’s role and how it is integrated into overall agency management.  To put it mildly, not all CIO designations carry the same weight.  Where are agencies doing well?  Both GSA and USAID received an overall “A” grade.  All agencies except OPM received an “A” grade for their management of software licensing.  Still, there is plenty of intelligence to be gathered from the latest report card on where agencies fall short in IT management and, by extension, where contractors might be able to find opportunities.

IT’S VITAL TO KNOW THE ANSWER TO THIS ONE QUESTION BEFORE YOU PROTEST

The busy federal buying season also corresponds with an increase in acquisition-related protests.  Protests are a fact of life in government procurement and we believe that companies do themselves a great disservice if they adopt “no protest” policies.  Indeed, we are happy to have a deeper discussion on why outside of the newsletter.  Before a company protests, though, it is absolutely essential to know the answer to this question: “What do I want to happen?”.  This may seem obvious, but consider just the latest example of where it wasn’t.  It’s a safe bet that none of the small businesses that had invested hundreds of thousands of dollars in Alliant II SB wanted the procurement to be cancelled.  Staff time, proposal writers, business consultants, lawyers, etc. all were deployed with the expectation that there would be business through Alliant II SB.  Back in the dark ages we had the chance to sit in on oral arguments before the US Court of Appeals for the Federal Circuit, sometimes known as the “junior Supreme Court”, on the Best Power contract case.  The lawyer for Best was prepared for everything related to the contract.  He was not prepared for the question from one of the judges, “What is it that you want?”  The lawyer stammered.  There was an awkward silence.  Finally, the judge answered his own question, “Do you want attorney’s fees?”. A perceptible groan came from the gallery as the lawyer quietly affirmed that, yes, he would like fees.  Not one of the best moments from the annals of federal contract law and, unsurprisingly, the Court found a way to punt on the case.  The bottom line is that it is ok to protest when you have a legitimate reason to do so, but you need to answer the “What do I want?” question first.  Losing your investment in a huge IDIQ contract and ensuring that your lawyer gets paid probably aren’t at the top of the list.

DEAL FAR APART ON STIMULUS

Contractors eying potential opportunities in a new round of COVID-19 relief funding may want to focus elsewhere.  House and Senate negotiators are reportedly far apart on the specifics of any “Phase IV” relief package.  A self-imposed deadline of July 31st is rapidly approaching.  What that means for the long term is unclear, as self-set deadlines can always be extended.  In the interim, however, some benefits and money will expire without a short-term extension, something that itself seems doubtful.  The shape of any long-term deal is also uncertain.  Money for unrelated projects, such as the building of a new FBI Headquarters, has drawn sharp disapproval from Senate Republicans, making the passage of anything not directly tied to COVID-19 problematic.  Even there, however, discussions are at an impasse.  It is also worth remembering that House leaders have previously said that there will not be additional funds for defense contractors to pay for previously-authorized CARES Act expenses.

Contractors should instead focus on already-identified money and opportunities in their pipelines.  Congress may very well decide to pass some sort of relief measure at the last second (either before the August recess or closer to the Fall elections), but that should not be a distraction from a company’s core business, especially during the end of the year.  Appropriations will also be late this year, so prepare to start FY’21 under a Continuing Resolution until sometime after the November election.

CONTRACTORS FACE CONFUSION, CHANGING RULES, ON CYBERSECURITY

Companies selling to the Department of Defense have been gearing up to become Cybersecurity Maturity Model Certification (CMMC) approved.  Even GSA is eying the inclusion of CMMC requirements for some of its contracts as DOD is often their largest user.  Now, however, the National Institute of Standards and Technology (NIST) has come out with new requirements (https://csrc.nist.gov/publications/detail/sp/800-172/draft) that will eventually be incorporated into certain CMMC levels.  How that will impact companies among the first to be certified under the current guidance is unknown.  Guidance from DOD, especially for companies that provide cloud services, is also changing.  Don’t even start with the cybersecurity requirements that Commercial Off the Shelf (COTS) procurements are and are not exempt from.  It’s enough to make a contractor seek an easier career like commercial fishing.  What is clear is that FAR clause 52.204-21 on Federal Contract Information (FCI) is increasingly being incorporated into a wide range of government contracts, including those for commercial items.  Make sure your company can comply with the 15 basic NIST security requirements referenced in the clause.  Not all cyber guidance has found its way to the FAR yet, though.  DOD contractors increasingly need to examine DFARS clauses to ensure they understand the cybersecurity and cloud standards required of them and those standards that need to be passed down to subcontractors.  There are many key terms to know, but two of the most frequent are Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).  CUI is actually included in the definition of CDI, so if your company meets standards on how such information needs to be handled, it likely meets the other.  While COTS providers are, in fact, exempt from CMMC and some other requirements, that differentiation may be lost on DOD buyers and prime contractors.  Such companies will need to be prepared to answer why they feel they are exempt from certain compliance standards, or become compliant.  The situation is changing, but ensuring that your company follows the changes and stays compliant with applicable rules is critical to doing continued government business.

THE “SMOKEY AND THE BANDIT” APPROACH IS NO WAY TO MANAGE YOUR CONTRACT

Have you ever seen the movies where the car breaks through the first barrier, then the second and third, keeps ploughing down a road it obviously shouldn’t be on and then sails off the unfinished bridge and into a lake?  Think you would never do that?  Think again.  This is exactly the type of behavior many contractors engage in when it comes to ensuring proper contract compliance.  We understand that companies are in business to do business, but part of conducting that business is making sure all contractual requirements are fulfilled.  Just like the out-of-control car, contractors may get multiple warnings to stop, slow down, turn around or otherwise get back on the right path.  Some get the message by the second or third sign.  That’s late, but usually not too late to prevent truly bad outcomes that disrupt the business you’re trying to pursue.  Some companies believe that their car could make the jump over the missing bridge span – akin to reaching safety without having to change practices.  Many, though, end up in the lake.  Unfortunately, that ruins not just your business but the livelihoods of those who work at the company.  A damaged business also upsets investors who provided money with the expectation that the company would be run properly.  While stopping your car short of the lake may still result in a ticket and a small repair bill, that’s certainly preferable to having the entire car wrecked and paying to get it out of the water.  Effective contract compliance systems are truly a “pennies on the dollar” investment that help your business stay on the open road.