Monthly Archives: May 2022


The Office of Management and Budget could save “billions” in the acquisition of common items if it continues to promote category management.  Category management includes the identification and encouraged use of “Best in Class” (BIC) acquisition methods and the reduction of duplicative acquisition efforts.  Specifically, GAO stated that OMB needs to work with agencies to improve data management capabilities and establish new performance metrics in order to better measure both outcomes and savings.  The recommendations, part of GAO’s annual report to Congress, are no surprise to contractors.  Experienced companies understand the value of holding or participating in multiple BIC contracts.  Similarly, requirements for contractors to provide spend analysis information have mushroomed as agencies seek to meet OMB directives.  One potential hurdle in meeting GAO’s recommendations is that OMB, itself, recently issued guidance stating that the use of BIC solutions should be balanced with decentralized contracts and other necessary strategies to increase diversity within agency supplier bases.  The two goals aren’t necessarily mutually exclusive, though it may take time for them to harmonize.  Look for GSA, NIH, and other agencies with BIC programs to add more small businesses, including small, disadvantaged businesses, in order for agencies to achieve both desired outcomes.  Indeed, both of these agencies are working now to expand opportunities for small firms of all types to participate on some of their most popular indefinite delivery indefinite quantity contracts.  Increased promotion of category management wasn’t the only acquisition-related recommendation GAO made.  It also stated that GSA’s 18F program and OMB’s U.S. Digital Service should work more closely together to avoid overlapping each other’s work.  We’re not holding our breath as each is backed by powerful constituencies.  
In the meantime, contractors should anticipate increased small business participation on BIC programs and seek to partner with such companies to maximize federal business opportunities.


Federal leaders in both acquisition and IT are taking a fresh look at ways to cooperate with their state and local government colleagues.  Officials from the Office of Management and Budget, GSA, and the IT community are among those looking for ways to better coordinate and share resources.  GSA, of course, has long opened its Schedules program to state and local users under a variety of rules based on the items and services being purchased.  While state and local leaders do use the Schedules to buy, not all do, and most look at the Schedule option as one of several when considering an acquisition plan.  State leaders, especially, have been somewhat wary of potentially ceding control over acquisition decisions to the federal government.  Still, there may be a broader understanding now that SLED officials have tools that the feds would like, creating better opportunities for two-way sharing.  OMB, in particular, is looking at how state governments are using technology to streamline acquisition processes.  The National Association of State Chief Information Officers (NASCIO) has made closer working arrangements with their federal counterparts a priority for about five years.  That currently means working with federal IT leaders to better understand and harmonize disparate federal cybersecurity regulations.  A coordinated cybersecurity approach at all levels of government makes sense.  Information on threats can be more consistently shared and so, too, can solutions to those threats.  Federal operations, for example, rely on a secure power grid.  Such grids are often operated or overseen by local or state government agencies.  The potential for increased cooperation across government lines presents opportunities and challenges for contractors.  
While the potential for an increased market seems to be the most obvious up-side, federal contractors need to look at rules that mandate the use of state or local businesses in some markets and need to understand that some officials at these levels of government are still wary of solutions “coming from Washington”.  Partnering with state and local businesses may be a good way to enter such markets.  Contractors should also be on the lookout for additional discussions of a potential new era of cooperation for specifics on how such actions could impact their business.    See the article highlighting one aspect of this issue, here:


The Department of Defense will do a type of dry run this summer to test out the implementation of its Cybersecurity Maturity Model Certification (CMMC) 2.0 protocol.  Selected defense contractors will participate in “tabletop exercises” where DOD creates a sample program and walks through the entire process.  The agency wants to make sure that CMMC 2.0 is properly configured to examine a proposal and captures the right information.  The final determination of whether contractors that handle Controlled Unclassified Information (CUI) will be able to conduct a self-assessment or will need to have a third-party assessment has not yet been made.  The final rule implementing the CMMC regulation is still in the regulatory process.  DOD officials have said, though, that contractors who hold certain kinds of CMMC Level 2 CUI will only need to do a self-assessment, while others who hold more sensitive Level 2 data will need to get a third-party assessment.  Companies that do not hold CUI, but only hold Federal Contract Information (FCI), will be able to conduct a self-assessment once every three years.  The assessment will review the company’s compliance with 15 security controls outlined in NIST 800-171.  This is likely to be the same standard for companies that only need to have CMMC Level 1 status.  The NIST requirements for each of the three CMMC levels are likely to be specifically spelled out in the final rule, in addition to appearing in NIST documentation.  The entire CMMC implementation process is likely to take years, despite initial statements from DOD that it would be rolled out quickly.  The agency now estimates that approximately 80,000 DOD contractors will be covered by CMMC requirements on some level.  Many larger defense contractors have already taken steps to ensure compliance and are prepared to go through the third-party assessment process.  Smaller, commercial item companies may not yet have done the work.
It is a best practice to look at the NIST 800-171 requirements and ensure compliance with at least the most basic 15 security controls.  Companies are supposed to be compliant with those already, but DOD found that many that had self-certified to that standard did not, in fact, meet it.  CMMC was born of the failure to comply with the NIST standards.  Make sure your company is prepared now so that it can continue to do business with DOD, and remember that similar standards are likely coming soon to a civilian agency contract near you.


A government contractor and its new employee, a former Department of Homeland Security (DHS) official, are facing a six-count False Claims Act Complaint filed by the Department of Justice that, in part, maintains that the former official had improper communications with his former agency during the post-employment “cooling off” period and that the company then tried to cover up such contact.  This is generally what is meant by “Don’t try this at home”.  The Department of Justice (DOJ) has an extensive record of text messages and phone calls between the former official and a senior DHS former colleague during the cooling off period.  That is in direct violation of rules of which all parties were certainly aware.  Further, DOJ has obtained a detailed account of the invoices through which the company allegedly tried to hide the violations from agency contracting personnel.  No one, apparently, remembers the lesson from Watergate:  It’s not the crime, it’s the coverup.  The company now faces the prospect of lost business, a damaged reputation, and millions in legal fees, all before an expensive settlement with Justice is negotiated.  Instead of fairly competing for, and possibly winning, profitable business, it will now spend a lot of its own money.  Cooling off periods are in place for a reason.  Companies and former federal employees must respect and follow such rules.  It is essential not only to have policies in place to ensure compliance with rules like these, but to regularly train on such rules and have consequences for those who do not follow them.  Such practices may cost a little money now, but consider the much larger price tag of non-compliance.


The General Services Administration has many projects under development right now, but few, if any, new people to help run and manage them.  The projects are important parts of the agency’s core mission, with both contractors and government customers anticipating the new solutions.  A new small business IT contract, a new cloud BPA, and the much-anticipated follow-on to the agency’s popular services IDIQ are just three examples.  At the same time, there is a real need for additional contracting professionals.  GSA is stretched thin.  This is the time when senior agency leadership should be supporting the agency’s core missions by ensuring that project managers have the people and resources needed for each to succeed.  It is surprising, therefore, to see senior agency leadership be primarily focused not on these issues, but on sustainability and a host of other political agenda items.  To be clear, sustainability, and its accompanying wish-list issues, are great things.  That doesn’t mean, though, that they can be implemented without costs.  One is the obvious increase in costs to contractors in complying with any new mandates.  Another is the cost in progress on the roll out of the programs noted above.  Contractors and GSA are partners in serving their common federal customer and companies should be prepared to speak up if they see timelines slipping on core projects.   A former GSA official was well known for his mantra of “getting the General what he wants”.  That’s a good basic statement that GSA leadership needs to keep in mind.  Take care of the customer and execute your core mission and not only will you be able to work on sustainability and other non-core areas, but GSA, itself, will be more sustainable.