Monthly Archives: February 2021

DON’T CUT COMPLIANCE CORNERS, EVEN IN A PANDEMIC

Anecdotal information is emerging about contractors rushing to meet federal customer needs on an increasingly wide range of pandemic-related projects, but failing to ensure that they maintained compliance with applicable contract terms. We don’t mean to seem school-marmish, but the reality is that contractors must comply with applicable contract terms and conditions whether serving a client with an urgent need or in the normal conduct of business. Additionally, contractors cannot “assume” that rules were waived. While some waivers have been issued for pandemic-related acquisitions, they are very closely defined. It is important to have those waivers in your contract file, too, before you cut a corner. The “my customer told me it would be ok” defense doesn’t work without an actual document to back it up. Experienced contractors know all too well that customers will also hedge on whether they said something was “ok” if a compliance issue arises. Remember that customers are just as wary of their inspectors general as you are. Competitors, too, will be watching. The annals of False Claims Act litigation show that competitors absolutely know enough about each other’s business to be suspicious and take action when they believe a violation has occurred. The result could be costly litigation for your company and/or a hit to your reputation, even though you thought you were doing your patriotic duty to help a customer in need. Cutting a corner now doesn’t help anyone if you end up running into a wall later on.

GOT FEDRAMP? CMMC MAY NOW BE A LOT EASIER

Contractors with existing FedRAMP or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification will not have to go through separate Cybersecurity Maturity Model Certification (CMMC), according to DOD officials. Katie Arrington, the chief information security officer for Defense acquisitions, was recently quoted in a NextGov article stating, “I’m going to take any ISO 27001 and provide reciprocity,” referring to the formal international information security standard upon which all of the reviews are based. This is good news for contractors that have already paid third-party certification organizations hundreds of thousands of dollars to show that their systems can safely handle government information. It also means that DOD will have a ready-made field of companies eligible to compete for projects where CMMC is required. CMMC safeguards, therefore, can also be in place in more areas ahead of schedule. There are, of course, some differences over implementation. Unlike FedRAMP, which credits companies for submitting a plan of action and milestones, or POA&M, CMMC will be approving companies based purely on where they are at the time of review. Arrington explained, “A CMMC level 3 is a FedRAMP moderate, so if you’re using a cloud service provider to supplement portions of a CMMC 3, then absolutely, you need to have the CSP’s certification for the assessor. The difference between CMMC and FedRAMP is we are not allowing plans of action to get better, right, you either are or you aren’t.” Still, companies that thought they were facing significant new costs and delays that could put them at a competitive disadvantage have to be pleased. Less spending, faster implementation, and the ability to compete now all place certified companies in a good place to obtain DOD business.

TECHNOLOGY MODERNIZATION FUND COULD SEE BIG CASH INFUSION QUICKLY

The federal revolving Technology Modernization Fund (TMF) could get an injection of $9 billion, and get it quickly, if some lawmakers have their way. The fund has struggled to get sufficient funds to modernize outdated IT systems, but including funding in the next COVID relief package, as key House Democrats have requested, would change all of that overnight. TMF projects have been hailed as critical to improving specific systems where they have been allowed to work. Agencies must present a business case proposal to a review board. If the review board approves the project, the agency gets a certain amount of funds from the TMF account that it must pay back as the benefits from the modernization action begin to show savings. There is board oversight throughout. The revolving fund structure is intended to allow many agencies to use the fund for qualified projects. One key impediment has been the reluctance of Congress, particularly the Senate, to fully fund the account, despite an established track record of success. “We must begin to address IT investments now, or we will continue down the same path as before unable to deliver critical services to the public at a time when our country needs it the most…” read a portion of the letter signed by six House Democrats, including Rep. Carolyn Maloney, D-N.Y., Chairwoman of the House Committee on Oversight and Reform, and Gerry Connolly, D-Va., Chairman of the House Subcommittee on Government Operations. Contractors were excited about working with customer agencies on TMF projects when the fund was originally created. Some have had good experiences. Overall, however, the $150 million in the current fund has prevented meaningful larger projects from using this process to upgrade critical systems. Contractor interest will undoubtedly be rekindled should the $9 billion request be enacted. Current plans show that a COVID relief bill could move as soon as next week under expedited Senate procedures. Interested contractors should watch this space.

OVERRELIANCE ON DATA MAY DRIVE YOU INTO A DITCH

The new presidential administration is promoting “evidence-based” decision making. Fair enough. Companies often use “data driven” models to make critical business decisions. Data is mined, sliced, diced, shredded and re-packaged to fit a host of analytical needs, whether in procurement and contracting or in other operations. Precisely because it is good to know where you’re going, though, it is imperative to know that data has its limits. As Texas Tech economics professor Andrew William Salter recently said in The Wall Street Journal, “Data doesn’t interpret itself.” Further, people cannot “just let the data speak for itself.” A set of the same figures can be, and often is, interpreted differently by people with differing perspectives, preferences, or agendas. This is nothing new, either. Mark Twain is famous for his 19th century line, “There are lies, damn lies, and then there are statistics.” Compiling and analyzing data can be an important component of decision making, but it should not substitute for the ability of experienced, educated people to make their own final decisions. People using the tools must be adept with them and, in our own Ikea experiences, some are just better than others in so doing. Blindly going where you think the data are directing you may, like a GPS system, result in your going over a cliff. Users of data need to understand its limitations and that, ultimately, there must be sound interpretation of the data, and other inputs, before decisions are made. Contractors may have to make this point on procurement policy multiple times over the next four years. Be prepared.