Recent analysis from Bloomberg Government finds that six federal market segments control approximately 25% of federal spending. Knowing what those markets are, who’s buying, and how they’re buying is important information for contractors. Cloud computing, AI, and operations and logistics comprise the top three areas. None of those should come as a surprise. We’ve previously written about the ubiquity of government users desiring AI solutions throughout government. Business management and financial services, facilities services and digital services round out the top six. Business and financial services point to the importance of holding key GSA contracts, such as professional service offerings through the Schedules program and GSA’s OASIS contract. Digital services, an area defined by Bloomberg, includes not only web applications, but the emerging emphasis on enhancing customer experience. Despite efforts by the Biden Administration to attract new market entries, Bloomberg predicts that competition for most of the dollars in these areas will become more pointed among established contractors. Further, the overall number of companies will decline as some merge or are acquired, while others leave the federal market generally. A key factor included in the Bloomberg presentation, but also well known to contractors, is the increased statutory and regulatory burdens placed on contractors as the Administration tries to achieve multiple public policy goals via government contracting. Holding critical contract vehicles is also important. Bloomberg forecasts that upcoming vehicles such as LOGCAP V, SEWP VI, the GSA services MAC, and GSA Alliant III will be among the most desired contracts to have. Bloomberg’s report shows that, while government priorities shift over time, the basic business blocks for contractors remain the same.
The federal government takes major cybersecurity vulnerabilities seriously. That’s one bottom-line takeaway all contractors and observers can learn from the Cybersecurity and Infrastructure Security Agency’s (CISA) emergency directive mandating that all federal civilian agencies take immediate steps – by today – to patch critical vulnerabilities associated with various VMware solutions. Contractors should resist the impulse to default to the “there but for the grace of God go I” response. There are lessons here for all companies doing business with the federal government. First, prime contractors should take this incident as a reminder that they need to manage their subs and teammates properly. VMware’s problems aren’t just its own; they extend to the primes through which it sells. Making sure that your prime contractor business has proper protections and performance-related remedies is essential. As a prime, it is your company that is ultimately accountable for performance issues. Second, there is such a thing as bad publicity. VMware will have to spend a lot of money not only to resolve the security issues but to bolster its reputation in the federal market, all only two months before federal busy season starts. We’ve said before that your company spent a lot of time building a positive reputation. Investing in security and compliance helps protect your company’s reputation as a reliable and safe federal partner. Third, the government will take steps to protect itself, regardless of what the potential damage to a company’s reputation may be. Yes, government and industry work together on a wide variety of federal missions. Contractors should not forget, however, that the government is the senior partner that ultimately holds the high card in the relationship. This means that companies need to ensure performance, anticipate problems, and have clear mitigation strategies developed in advance so that they can resolve issues quickly.
While contractors may be reluctant to bring up concerns or potential trouble areas, it is vitally important to remember the lesson of Richard Nixon: it’s not the crime, but the cover-up, that can cause real trouble. While VMware is busy patching this weekend, all contractors should take a look at their own performance, and that of their subs, on critical contracts to ensure that they’re not the next ones in line for an emergency directive.
The Office of Management and Budget could save “billions” in the acquisition of common items if it continues to promote category management. Category management includes the identification and encouraged use of “Best in Class” (BIC) acquisition methods and the reduction of duplicative acquisition efforts. Specifically, GAO stated that OMB needs to work with agencies to improve data management capabilities and establish new performance metrics in order to better measure both outcomes and savings. The recommendations, part of GAO’s annual report to Congress, are no surprise to contractors. Experienced companies understand the value of holding or participating in multiple BIC contracts. Similarly, requirements for contractors to provide spend analysis information have mushroomed as agencies seek to meet OMB directives. One potential hurdle in meeting GAO’s recommendations is that OMB itself recently issued guidance stating that the use of BIC solutions should be balanced with decentralized contracts and other necessary strategies to increase diversity within agency supplier bases. The two goals aren’t necessarily mutually exclusive, though it may take time for them to harmonize. Look for GSA, NIH, and other agencies with BIC programs to add more small businesses, including small, disadvantaged businesses, in order for agencies to achieve both desired outcomes. Indeed, both of these agencies are working now to expand opportunities for small firms of all types to participate on some of their most popular indefinite-delivery, indefinite-quantity contracts. Increased promotion of category management wasn’t the only acquisition-related recommendation GAO made. It also stated that GSA’s 18F program and OMB’s U.S. Digital Service should work more closely together to avoid overlapping each other’s work. We’re not holding our breath, as each is backed by powerful constituencies.
In the meantime, contractors should anticipate increased small business participation on BIC programs and seek to partner with such companies to maximize federal business opportunities.
Federal leaders in both acquisition and IT are taking a fresh look at ways to cooperate with their state and local government colleagues. Officials from the Office of Management and Budget, GSA, and the IT community are among those looking for ways to better coordinate and share resources. GSA, of course, has long opened its Schedules program to state and local users under a variety of rules based on the items and services being purchased. While state and local leaders do use the Schedules to buy, not all do, and most look at the Schedule option as one of several when considering an acquisition plan. State leaders, especially, have been somewhat wary of potentially ceding control over acquisition decisions to the federal government. Still, there may be a broader understanding now that SLED officials have tools that the feds would like, creating better opportunities for two-way sharing. OMB, in particular, is looking at how state governments are using technology to streamline acquisition processes. The National Association of State Chief Information Officers (NASCIO) has made closer working arrangements with its federal counterparts a priority for about five years. That currently means working with federal IT leaders to better understand and harmonize disparate federal cybersecurity regulations. A coordinated cybersecurity approach at all levels of government makes sense. Information on threats can be more consistently shared and so, too, can solutions to those threats. Federal operations, for example, rely on a secure power grid. Such grids are often operated or overseen by local or state government agencies. The potential for increased cooperation across government lines presents opportunities and challenges for contractors.
While the potential for an increased market seems to be the most obvious upside, federal contractors need to look at rules that mandate the use of state or local businesses in some markets and need to understand that some officials at these levels of government are still wary of solutions “coming from Washington.” Partnering with state and local businesses may be a good way to enter such markets. Contractors should also be on the lookout for additional discussions of a potential new era of cooperation for specifics on how such actions could impact their business. See the article highlighting one aspect of this issue here: https://www.globalgovernmentforum.com/increase-cooperation-between-all-levels-of-government-legislation-seeks-to-update-50-year-old-rules-on-us-federal-state-cooperation/
The Department of Defense will do a type of dry run this summer to test out the implementation of its Cybersecurity Maturity Model Certification (CMMC) 2.0 protocol. Selected defense contractors will participate in “tabletop exercises” where DOD creates a sample program and walks through the entire process. The agency wants to make sure that CMMC 2.0 is properly configured to examine a proposal and captures the right information. The final determination of whether contractors that handle Controlled Unclassified Information (CUI) will be able to conduct a self-assessment or will need to have a third-party assessment has not yet been made. The final rule implementing the CMMC regulation is still in the regulatory process. DOD officials have said, though, that contractors who hold certain kinds of CMMC Level 2 CUI will only need to do a self-assessment, while others who hold more sensitive Level 2 data will need to get a third-party assessment. Companies that do not hold CUI, but only hold Federal Contract Information (FCI), will be able to conduct a self-assessment once every three years. The assessment will review the company’s compliance with 15 security controls outlined in NIST 800-171. This is likely to be the same standard for companies that only need to have CMMC Level 1 status. The NIST requirements for each of the three CMMC levels are likely to be specifically spelled out in the final rule, in addition to appearing in NIST documentation. The entire CMMC implementation process is likely to take years, despite initial statements from DOD that it would be rolled out quickly. The agency now estimates that approximately 80,000 DOD contractors will be covered by CMMC requirements on some level. Many larger defense contractors have already taken steps to ensure compliance and are prepared to go through the third-party assessment process. Smaller, commercial item companies may not yet have done the work.
It is a best practice to look at the NIST 800-171 requirements and ensure compliance with at least the most basic 15 security controls. Companies are supposed to be compliant with those already, but DOD found that many that had self-certified to that standard did not, in fact, meet it. CMMC was born of the failure to comply with the NIST standards. Make sure your company is prepared now so that it can continue to do business with DOD, and remember that similar standards are likely coming soon to a civilian agency contract near you.