Georgia Tech Procurement Assistance Center

CMMC reciprocity in sight for 2021

By

The Defense Department is still figuring out how to save contractors money with its unified cybersecurity standard by authorizing reciprocity for multiple government certification programs, but an answer could come by the end of the 2021 fiscal year.

One of the key pledges DOD needs to fulfill for its Cybersecurity Maturity Model Certification program is building on work contractors have already done to meet security requirements for programs like the Federal Risk and Authorization Management Program (FedRAMP).

Stacy Bostjanick, CMMC’s director at the Defense Department’s Office of the Undersecretary of Defense for Acquisition and Sustainment, said a team is working with the General Services Administration and DOD to align the requirements, methodologies, and levels of the two programs.

“FedRAMP allows for [plans of action and milestones] and CMMC does not,” Bostjanick said Feb. 10 during an AFCEA NOVA event on IT and the intelligence community.  “You’ve either got it or you don’t.”

Continue reading at:  FCW

Small businesses struggle to climb the FedRAMP

By

Small businesses need lawmakers to ease barriers to product authorization through the Federal Risk and Authorization Management Program, according to industry and federal CIOs speaking before Congress.

FedRAMP is the entity charged with evaluating security and authorizing cloud products.  During a House Subcommittee on Government Operations hearing on the program, CIOs noted challenges for small business in getting offerings approved, such as a lack of transparency with the length of the process and cost.

Or some don’t know it exists it all.

“A lot of small businesses are unaware of the process itself, the security requirements that we have,” said Anil Cheriyan, the director of technology transformation services at the General Services Administration.

It took 20 months for Virtru, a small data protection start-up, to get its product FedRAMP authorized for a federal agency to use, according to testimony from Virtru’s CTO Will Ackerly.  From the beginning, he said, “it was also unclear upon entering the process how long it would take.”  The process cost the company $1.6 million, he told lawmakers.

Entering the FedRAMP approval process can be a “high-risk decision for most small companies” because of the cost “when combined with unknown timelines,” he said.

Looking back, Ackerly said that if his company hadn’t received an agency sponsorship to go through the FedRAMP process, it may not have made it through.

Continue reading at:  Federal Times

Impact of FedRAMP for Small Businesses

By

Did you know that over 30% of FedRAMP Cloud Service Providers (CSPs) are small businesses?  When this statistic is shared across industry and the federal community, people are quite surprised — and pleased!  Since small businesses represent an essential component of FedRAMP, organizers of the program realized it was essential to engage directly with the small business community to gather feedback to improve the program.

The convenor of FedRAMP, the General Services Administration (GSA), recently reached out to more than 40 small businesses engaged with FedRAMP to hear their feedback, learn about their experience with FedRAMP, and gather best practices to share across the small business CSP community. These CSPs spanned all stages of the FedRAMP process: In-Process, Ready, and Authorized.

From these meetings, GSA learned that most of the best practices for achieving a FedRAMP ATO are the same for both large and small CSP. For example:

  • Be prepared and utilize the Readiness Assessment Report,
  • Engage early and often with the FedRAMP PMO, and
  • Know the ins and outs of your system.

However, there were three unique differences that small businesses who have made it through FedRAMP repeatedly told us during our interviews:

Bigger Impact to Resources – But More Agile Teams

Pursuing and maintaining a FedRAMP Authority to Operate (ATO) proportionally requires more resources for a small business, requiring a team with specialized skillsets and costs associated with hiring a Third Party Assessment Organization (3PAO). As a result, staff often wear multiple hats and blend several duties into their role. This requires monitoring resource allocation carefully. Yet, the organizational structure of small businesses may provide some advantages. For example, teams don’t operate in silos and CSPs don’t have to navigate bureaucracy. With more centralized decision making and fewer layers of management, the process can go faster.

Levels Playing Field During Acquisition

Additionally, having a FedRAMP Authorization levels the playing field for acquisitions, as some Federal Agencies choose to require a FedRAMP ATO in their competitive procurement process.

Increased Security

Finally, being FedRAMP-Authorized can enhance the company’s internal security processes and rigor across all their products — not just those that are authorized — creating higher and more rigorous security standards for all systems and increasing system maturity.

The governance of FedRAMP is comprised of different executive branch entities that work in a collaborative manner to develop, manage, and operate the program.

Source: https://www.fedramp.gov/impact-of-fedramp-for-small-businesses/

GSA holding technology industry day Sept. 8th

By

On September 8, the General Services Administration (GSA) is hosting its very first Technology Industry Day.  Participating vendors will get an opportunity to learn about how GSA is transforming technology in the federal government, see demos of products and solutions developed by technologists and, last but not least, provide feedback on how GSA can work better with industry.

The event will be held at GSA headquarters located at 1800 F St., NW, Washington, DC 20405, and the event also will be accessible remotely.

On-site registration will close on September 5, 2016, and remote registration will close on the day of the event.

Below are a few projects to be featured and registration details:

Agile BPA
  • The Agile Blanket Purchase Agreement allows innovation in procurement, lessens the burden on industry and solves problems in a user-centered approach. A great example is the work with the FedRAMP program management office at GSA, the first client to use the Agile BPA. We helped the FedRAMP office hire an agile vendor to implement human-centered design and build a public-facing dashboard about cloud authorizations.
Micropurchasing
  • Micropurchasing is a process is where the federal government makes small procurements to directly buy products and services, as long as the price does not exceed $3,500. Currently, we are using that process to buy small pieces of open source software and design through the Micro-purchase Marketplace. This process has allowed clients to add valuable features to their products through quick, inexpensive purchases.
Cloud.gov
  • Cloud.gov is a shared platform built for government that allows agencies to securely deploy systems to the cloud. It takes care of baseline security and scalability concerns and allows federal teams to focus on delivering quality products.
Agenda

GSA Tech Industry Day 09.08.2016

Registration

If you want to learn more, sign up to join GSA on September 8 for the first Technology Industry Day.

4 government contracting trends to watch in 2016

By

Today’s times represent an ongoing shift in the federal services marketplace. The changes are broad and include shifts in technology; acquisition methods; and the economics of being a contractor with significant hurdles and barriers to success.  These market dynamics will play out over the coming months and years – here’s a rundown of the most significant of those changes now well underway.

1. Cloud Computing Continues to Absorb IT Services Opportunities
Federal agencies have moved beyond the 2010 Cloud-First mandate to adopt cloud computing, and have begun embracing the cloud to support their business and mission objectives.  Cloud computing represents a significant change to the way that the federal government had done business. Cloud computing permits the customer to spend less time managing complex IT resources and more time investing in core mission work.  Companies that have cloud-based offerings are winning significant business away from providers that have historically supported “in-house” solutions.

FedRamp opt outAn estimated $20 billion of the federal government’s $80 billion in IT spending is a potential target for migration to cloud computing solutions, according to the White House’s Federal Cloud Computing Strategy. The size and scope of cloud programs are becoming larger, driven in part by the success of smaller projects, and by the manifestation of supporting policies, including FedRAMP, a security “stamp of approval” that lets government agencies know a solution has an appropriate and detailed security plan in place. To date, 48 systems have been authorized FedRAMP compliant.  With the cost of a FedRAMP certification reaching as high as $300,000 and authorizations taking 9 to 15 months, gaining certification is a major commitment for any company.  As a result, many firms, especially small businesses, may be locked out of this segment of the market.

Read all 4 contracting trends to watch in 2016 at: http://www.washingtonexec.com/2015/10/guest-column-4-government-contracting-trends-to-watch-in-2016-by-mark-abel/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More