Anecdotal information is emerging about
contractors rushing to meet federal customer needs on an increasingly wide
range of pandemic-related projects, but failing to ensure that they maintained
compliance with applicable contract terms. We don’t mean to seem school-marmish, but the
reality is that contractors must comply with applicable contract terms and
conditions whether serving a client with an urgent need or in the normal
conduct of business. Additionally,
contractors cannot “assume” that rules were waived. While some waivers have been issued for
pandemic-related acquisitions, they are very closely defined. It is important to have those waivers in
your contract file, too, before you cut a corner. The “my customer told me it would be ok”
defense doesn’t work without an actual document to back it up. Experienced contractors know all too well
that customers will also hedge on whether they said something was “ok” if a
compliance issue arises. Remember that
customers are just as wary of their inspectors general as you are. Competitors, too, will be watching. The annals of False Claims Act litigation
show that competitors absolutely know enough about each other’s business to be
suspicious and take action when they believe a violation has occurred. The result could be costly litigation
for your company and/or a hit to your reputation, even though you thought you
were doing your patriotic duty to help a customer in need. Cutting a corner now doesn’t help anyone if
you end up running into a wall later on.

Contractors with existing FedRAMP or
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) certification
will not have to go through separate Cybersecurity Maturity Model Certification
(CMMC) according to DOD officials. Katie Arrington, the chief information
security officer for Defense acquisitions, was recently quoted in a
NextGov article stating, “I’m going to take any ISO 27001 and provide
reciprocity,” referring to the formal international information security
standard upon which all of the reviews are based. This is good news for contractors that
have already paid third-party certification organizations hundreds of thousands
of dollars to show that their systems can safely handle government information. It also means that DOD will have a ready-made
field of companies eligible to compete for projects where CMMC is
required. CMMC safeguards can therefore
be in place in more areas ahead of schedule. There are, of course, some
differences in implementation.
Unlike FedRAMP, which credits companies for submitting a plan of action
and milestones, or POA&M, CMMC will be approving companies based purely on
where they are at the time of review.
Arrington explained, “A CMMC level 3 is a FedRAMP moderate, so if you’re
using a cloud service provider to supplement portions of a CMMC 3, then
absolutely, you need to have the CSP’s certification for the assessor. The
difference between CMMC and FedRAMP is we are not allowing plans of action to
get better, right, you either are or you aren’t.” Still, companies that thought they were
facing significant new costs and delays that could put them at a competitive
disadvantage have to be pleased. Less
spending, faster implementation, and the ability to compete now all place
certified companies in a good place to obtain DOD business.

The federal revolving Technology Modernization Fund (TMF) could get an
injection of $9 billion, and get it quickly, if some lawmakers have their way. Although the fund has struggled to get
sufficient funds to modernize outdated IT systems, including the funding in the
next COVID relief package, as key House Democrats have requested, would change
all of that overnight. TMF
projects have been hailed as critical to improving specific systems where they
have been allowed to work.
Agencies must present a business case proposal to a review board. If the review board approves the project, the
agency gets a certain amount of funds from the TMF account that it must pay
back as the benefits from the modernization action begin to show savings. There
is board oversight throughout. The
revolving fund structure is intended to allow many agencies to use the fund for
qualified projects. One key
impediment has been the reluctance of Congress, particularly the Senate, to
fully fund the account, despite an established track record of success. “We must begin to address IT investments now,
or we will continue down the same path as before unable to deliver critical
services to the public at a time when our country needs it the most…” read a
portion of the letter signed by six House Democrats, including Rep. Carolyn
Maloney, D-N.Y., Chairwoman of the House Committee on Oversight and Reform, and
Gerry Connolly, D-Va., Chairman of the House Subcommittee on Government
Operations. Contractors were excited
about working with customer agencies on TMF projects when the fund was
originally created. Some have had good
experiences. Overall, however, having only $150
million in the current fund has prevented meaningful larger projects from using
this process to upgrade critical systems.
Contractor interest will undoubtedly be rekindled should the $9 billion
request be enacted. Current
plans show that a COVID relief bill could move as soon as next week under
expedited Senate procedures. Interested
contractors should watch this space.

The new presidential administration is promoting “evidence-based”
decision making. Fair enough. Companies often use “data driven” models to
make critical business decisions. Data
is mined, sliced, diced, shredded and re-packaged to fit a host of analytical
needs, whether in procurement and contracting or in other operations. Precisely because it is good to know where
you’re going, though, it is imperative to know that data has its limits. As Texas Tech economics professor Andrew
William Salter recently said in The Wall Street Journal, “Data
doesn’t interpret itself.”
Further, people cannot “just let the data speak for itself.” A set of the same figures can be, and
often is, interpreted differently by people with differing perspectives,
preferences, or agendas. This is
nothing new, either. Mark Twain is
famous for his 19th century line, “There are lies, damn lies, and
then there are statistics.” Compiling
and analyzing data can be an important component of decision making, but it
should not substitute for the ability of experienced, educated people to make
their own final decisions. People using
the tools must be adept at using them and, as our own Ikea experiences show, some are just
better at it than others. Blindly
going where you think the data are directing you may, as with a GPS system, result
in your going over a cliff.
Users of data need to understand its limitations and that, ultimately,
there must be sound interpretation of the data, and other inputs, before
decisions are made. Contractors
may have to make this point on procurement policy multiple times over the next
four years. Be prepared.