Georgia Tech Procurement Assistance Center

Uncle Sam wants you — and your DFARS compliance

By

Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition.  The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance.  By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation.  Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.”  The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Continue reading at:  IndustryWeek

Government contracts regulatory and legislative update

By

Our monthly edition of the “Government Contracts Regulatory and Legislative Update” offers a summary and insight into the relevant industry developments that occurred during the previous month.

Regulations

DoD Issues Proposed Rule Establishing Preference for Fixed-Price Contracts

On April 1, 2019, the U.S. Department of Defense (DoD) issued a proposed rule to revise the Defense Federal Acquisition Regulation Supplement (DFARS) to establish a preference for fixed-price contracts when determining contract type, and to require use of firm fixed-price contracts for foreign military sales, subject to exceptions.  Approval is required for cost-reimbursement contracts in excess of $50 million if awarded between October 1, 2018 and October 1, 2019, and for cost-reimbursement contracts in excess of $25 million if awarded on or after October 1, 2019.  These revisions will implement Sections 829 and 830 of NDAA FY 2017.

The proposed rule includes the following key amendments:

  • Adds “milestone decision authority” definition to DFARS 202.101.
  • Revises DFARS 216.102(1) and adds DFARS 216.102(3) to reference the Section 829 NDAA requirements.
  • Adds DFARS 225.7301-1 and -2 to implement the Section 830 NDAA requirements.

DoD Issues Proposed Rule Revising the Nonmanufacturer Rule for 8(a) Participants

On April 1, 2019, DoD issued a proposed rule to amend the DFARS to implement the Small Business Administration’s (SBA) final rule standardizing the nonmanufacturer rule (NMR).  The NMR imposes certain requirements upon small business concerns that offer end items they did not manufacture, process, or produce.

This rule will update DFARS clause 252.219-7010 (Notification of Competition Limited to Eligible 8(a) Participants) to remove the nonmanufacturer rule exemption for contracts valued at or below $25,000 and awarded under simplified acquisition procedures.  Instead, the NMR will apply to all 8(a) contracts regardless of dollar value, and will require 8(a) participants that are nonmanufacturers to offer end items manufactured, processed, or produced by small business concerns in the United States or its outlying areas.

Continue reading at:  Drinker Biddle

The importance of compliance with DFARS cybersecurity regulations

By

Clicking the “COMPLY” check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.

Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare to defense strategy.

Similarly, earlier this year, the U.S. Army, announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force, to create a new information warfare focused command.

By all indicators, information currently sits near the top of the food chain of assets requiring protection.  To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.

Continue reading here:  Military and Aerospace Electronics

Doing business with the U.S. Government in an era of cybersecurity, espionage and executive orders

By

In an era of trade wars, espionage, and executive orders, how can companies who wish to dive into government procurement or are already involved in procurement abide by Federal laws and data security regulations and increase the likelihood of proper procurement?

Recently, the D.C. law firm Sheppard Mullin hosted a podcast discussing various government contracting requirements, including those related to cybersecurity.  Topics discussed include:

What does the legal landscape look like for doing business with the U.S. government?

What various layers of laws apply to government contracting?

When it comes to cybersecurity, what new developments have emerged that affect government contracts?

What type of security controls should contractors implement to protect data?

What are security control “families”?

What security rules are specific to government contractors and why are they important for companies of all types to be familiar with them?

Why is it important to be open to checking where your sensitive data and documenting your plan to protect that data?

The “Plan of Action” the Department of Defense requires.

What is the National Defense Authorization Act and what does it establish?

How has the 2019 Executive Order affected information and telecommunications technologies?

How are the Federal Acquisition Regulations playing a role in the trade war with China?

You can listen to the podcast at:  The Sheppard Mullin website

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

Northrop Grumman to provide free cybersecurity training to small businesses June 4th

By

Northrop Grumman, in collaboration with the USC Center for Economic Development, is offering FREE cybersecurity training to small businesses.  The workshop is open to all small businesses, but advance registration is required.

The primary purpose of the one-day 8-hour workshop is to ensure that small businesses are aware of the cybersecurity requirements mandated under Defense Federal Acquisition Regulations Supplement (“DFARS”) Subpart 204.73 (Safeguarding Covered Defense Information and Cyber Incident Reporting).  The workshop will focus on understanding the risks associated with safeguarding controlled unclassified DoD information. 

The workshop will focus on the groups of controls from NIST SP 800-171, with examples highlighting what happens when these controls are not implemented.  By the end of the workshop, small businesses will become familiar with all 110 controls and be able to better identify the areas where you may need greater focus to meet the DoD’s cybersecurity expectations.

Here are the details about the event:

Date:  Tuesday, June 4, 2019

Time:  8 a.m. to 5 p.m. ET

Location:  Loudermilk Conference Center, 40 Courtland Street NE, Atlanta, GA 30303

The training will also be available online via webinar.

For registration, visit:  https://events.r20.constantcontact.com/register/eventReg?oeidk=a07eg5xonme7588be26&oseq=&c=&ch=

DoD proposes new rule on performance-based contract payments

By

According to a report by the Federal News Network, the Department of Defense (“DoD”) is proposing a new rule which would change how it pays some defense contractors.  DoD is looking to require, whenever practicable, that fixed price contracts be paid out through performance-based contractual payments.  Performance-based payments are a method of contract financing where payments are made on the basis of the contractor’s achievement of objective, quantifiably measurable events, results, or accomplishments that are defined and valued in the contract prior to performance.  Some within the government consider it a preferred method of contracting and claim that it reduces the government’s oversight and compliance costs.  It also may have benefits for contractors, as it should help cash flow, reduce the cost of oversight and compliance, and allow the contractor to focus on technical and schedule progress.  Comments on the proposed rule are due by July 1.

Read the new rule at the Federal Register.

Weak links in the defense supply chain

By

Industry experts told Congress recently that poor awareness of federal cybersecurity contracting standards and a lack of visibility by contractors into their own supply chains are at the heart of problems that have led to widespread targeting and theft of U.S. economic and national security secrets by nation state hackers.

According to a survey of small and medium-sized defense contractors conducted by the National Defense Industrial Association, less than 60 percent of respondents said they read the Defense Federal Acquisition Regulation Supplement that lays out minimum security standards for contractor information systems, while nearly half of those who did said they found it hard to understand.

About 45 percent of respondents hadn’t read National Institute for Standards and Technology guidelines for protecting controlled unclassified information.

Keep reading this article at: https://fcw.com/articles/2019/03/31/defense-supply-chain-weak-links.aspx

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Keeping up with DoD cybersecurity compliance demands

By

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.

The guidebook assumes obligations that are beyond those imposed by the DFARS clause, presumably assuming that new requirements will be imposed contractually in the future.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/keeping-up-with-dod-cybersecurity-compliance-demands/

Readying contractors’ security plans for evaluation

By

The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.

The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2019/1/30/readying-security-plans-for-evaluation

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More