Georgia Tech Procurement Assistance Center

DoD publishes long awaited interim rule on CMMC

By

At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.”  The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well. 

NIST SP 800-171 DoD Assessment Methodology

For contractors already required to comply with NIST SP 800-171, per DFARS 252.204-7012, DoD now is going to hold those contractors accountable, instituting an assessment and reporting system to verify compliance before new contracts can be awarded.  While the new requirement is for information to be provided prior to contract award, DoD encourages affected contractors to begin their self-assessments immediately.

The Assessment Methodology will include three assessment levels:  (1) Basic, (2) Medium, and (3) High.  The Basic Assessment will be a self-assessment completed by the contractor prior to contract award, while the Medium and High Assessments are available options for DoD to complete after award.  DoD estimates it will conduct 200 Medium Assessments and 110 High Assessments each year.  Additional information regarding DoD assessments is available here.

There is a specific scoring methodology to be followed for the Assessment.  A contractor that has fully implemented all 110 NIST SP 800-171 controls will have a score of “110.”  It goes without saying that contractors will need to be careful here – an inaccurate report could subject a company to exposure under the False Claims Act.

Assessments will be valid for three years unless there are issues requiring a reassessment sooner.  The newly-announced Assessment Methodology appears to be an immediate solution to provide DoD some peace of mind on contractor data security until the CMMC program can be fully implemented.

Continue reading at the Sheppard Mullin GovCon Blog.

Small business subcontracting for cloud computing gets easier

By

In response to widespread interest in allowing more small business participation in opportunities involving cloud computing, the Small Business Administration (“SBA”) has decided to exclude cloud computing from the limitation on subcontracting rule calculation, in certain circumstances.  Thus, beginning December 30, 2019, small businesses are no longer limited in their ability to subcontract out cloud computing services to larger companies, in connection with performing a Government contract set aside for small businesses, where the small business will perform other services that are the primary purpose of the acquisition.

The limitation on subcontracting rule provides that a small business may not subcontract more than 50% of the prime contract amount, under a services contract, to businesses that are other than small. 13 C.F.R. 125.6; 48 C.F.R. 52.219-14.  In the cloud computing context, this limitation has had the effect of reducing small business participation in IT service contracts with a substantial cloud computing component.  Typically, a small business is not able to commit to a procurement in which it (together with other small businesses, if needed) will provide more than 50% of the services under these contracts.  Certainly not where the cloud computing market is currently dominated by juggernauts who are far larger than “small.”

Continue reading at:  Government Contracts and Investigations Blog

Long awaited changes to WOSB/EDWOSB regulations expected this summer

By

Big news for women-owned businesses!  It’s certainly been a long time coming, but self-certification for women-owned small businesses is finally on its way out.  For those of you unfamiliar with this issue, here’s a little background.

When the Small Business Administration (SBA) created the Women-Owned Small Business program in 2011, the regulations allowed women owned small businesses (WOSBs) and economically disadvantaged women owned small business (EDWOSB) to self-certify for participation in the program.  Compare this to the SBA’s 8(a) program, for example, which does not allow self-certification and instead requires a company to go through a rigorous application process.  During that application process, the SBA ensures that all of the eligibility criteria are, in fact, satisfied.  Because the WOSB/EDWOSB program allowed women to self-certify without going through an arduous application process, many women-owned businesses did just that.  Others chose to use third-party certifiers.  (Though not required, third-party certification offers the added benefit of conferring eligibility under certain state-run women-owned business programs.)

Over time, criticism of WOSB self-certification mounted.  Various reports from the GAO and other governmental watchdogs noted high levels of fraud, and industry insiders began lobbying for change.  Legitimate WOSBs wanted a more robust review process, to eliminate fraudulent “front” companies from the program.  In response, Congress passed the 2015 NDAA, which eliminated self-certification for WOSBs and EDWOSBs.  The NDAA directed the SBA to modify its regulations, abolish self-certification, and create an application process to vet potential participants.  A year later, the SBA published a notice, indicating that it did plan on drafting the regulations Congress ordered . . . but no regulations were forthcoming.  In 2016, the SBA set up a new online portal – certify.sba.gov – through which WOSB status could be managed.  But, again, no actual changes to the regulation were proposed, let alone completed.  A 2017 GAO report found that “[a]s a result of inadequate monitoring and controls, such as not implementing a full certification program, potentially ineligible businesses may continue to incorrectly certify themselves as WOSBs.”  Still…crickets from the SBA.

Continue reading at:  GovCon Examiner

The CMMC has arrived: DoD publishes version 1.0 of its new cybersecurity framework

By

On January 31, 2020, the Department of Defense (“DoD”) publicly released Version 1.0 of the Cybersecurity Maturity Model Certification (“CMMC”) framework.  The CMMC is a certification framework developed by DoD that measures a defense contractor’s ability to safeguard Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) handled in the performance of DoD contracts.  By FY 2026, CMMC certification will be a requirement for any company doing business with DoD, either as a prime contractor or lower-tier subcontractor.  Version 1.0 of the CMMC fills in several gaps from the earlier drafts, which we assess in prior articles.  Additionally, the public briefing that accompanied the release of Version 1.0 included new insights into DoD’s rollout of the CMMC framework.  This alert walks through the CMMC framework, highlights updates from prior drafts, summarizes DoD’s proposed rollout, and provides considerations for companies during CMMC implementation.

Continue reading at:  K&L Gates

GSA keeping ‘on track’ with schedule consolidation

By

The General Services Administration has begun the process of updating pre-existing contracts to meet the terms and conditions of its recently consolidated acquisition schedule.

GSA consolidated 24 schedules for finding and purchasing solutions into one Multiple Award Schedule (MAS) on Oct. 1 to modernize acquisition for federal, state and local agencies.

New contracts are placed on the consolidated schedule, while pre-existing contracts must be modified to be placed on the consolidated schedule — the second phase of the process known as Mass Modification.  Schedule holders have until July 31 to accept the Mass Mod that GSA started issuing Friday, or else their offerings will no longer be accessible on GSA’s eTools platform.

Continue reading at:  fedscoop

Federal contracting community disappointed with FBO.gov replacement beta.sam.gov

By

The transition of the federal contracting opportunities website from Federal Business Opportunities, better known as FedBizOpps or FBO, to the Contracting Opportunities page of beta.SAM.gov caused concern ahead of the migration and frustration after the move.  Three months after the transition finished, the government contracting community’s anger has yet to be assuaged.

Last week, the Professional Services Council—an industry group representing 400 federal contractors—sent a letter to the General Services Administration detailing its members’ concerns and asking for immediate action.

Continue reading at:  NextGov

Proposed bi-partisan legislation could mean changes for small businesses

By

Earlier this month, the U.S. House of Representatives passed two bills that could mean big changes for small businesses.

The first, the “Capturing All Small Businesses Act,” H.R. 5130, aims to change the way that the Small Business Administration (SBA) calculates a company’s number of employees for the purpose of determining that company’s size.  This act was authored by House Small Business Committee members Rep. Marc Veasey (D-TX) and Rep. Kevin Hern (R-OK).  Rep. Veasey’s website, describes the act as “bipartisan legislation that will protect our nation’s small businesses against being prematurely forced out of the ‘small’ business category due to sudden growth.”

Continue reading at:  GovCon Examiner

Federal contractors to be limited on criminal background checks

By

Private employers with federal contracts will soon be prohibited from requesting criminal history information from candidates at the onset of the hiring process; instead, they will have to wait until after an offer is made.

The Fair Chance to Compete for Jobs Act of 2019 (Act) was discreetly tucked into the Defense Spending Bill approved on December 20, 2019.  The Act is part of a growing national trend of “Ban the Box” laws, referring to the question on job applications asking whether a candidate has been convicted of a crime.  Ban the Box laws largely have bipartisan support and, according to the National Employment Law Project, have been approved in 35 states and more than 150 cities across the United States.

As of March 31, 2017, the U.S. Office of Personnel Management already required most federal agencies to wait until the conditional offer stage of the hiring process to request criminal history information from a job candidate.  The Act supersedes this regulation and applies the prohibition to both the federal government and now certain private employers.

Continue reading at:  Ackerman

Deputy Associate Attorney General sheds light on DOJ’s FCA priorities at annual False Claims Act conference

By

“Enforcing the False Claims Act is a top priority for the Department—not just for our office,” said Deputy Associate Attorney General Stephen Cox, the Keynote Speaker for the 2020 Advanced Forum on False Claims and Qui Tam Enforcement, hosted by the American Conference Institute.  Deputy Cox reflected on FCA recoveries in 2019 and previewed DOJ’s FCA priorities for 2020.  Specifically, his keynote address on Monday, January 27 focused on: (1) enforcement; (2) cooperation credit; and (3) third-party financing.

Continue reading at:  Arent Fox

CMMC model 1.0 released: DoD’s unified cybersecurity standard for future acquisitions

By

In a major effort to strengthen the cybersecurity posture of the hundred of thousands of Defense Industrial Base (DIB) contractors and subcontractors, the Department of Defense yesterday released final Model Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework.

This version replaces previously released versions 0.4, 0.6, and 0.7, which have been made available to the public via the CMMC official website.

Continue reading at:  JD Supra

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More