This is a guest post by Haley Claxton of Koprince Law LLC.
Recently, GAO published a report on small business subcontracting plan compliance, concluding that agency oversight of these plans needs improvement.
As many of our readers know, some federal contracts require large business prime contractors to utilize small business subcontractors under a small business subcontracting plan, as described in FAR 52.219-9. For context, in 2019, federal agencies “awarded more than 5,000 contracts requiring a small business subcontracting plan, and obligated more than $300 billion to contracts with required small business subcontracting plans.”
If a small business subcontracting plan is in place, contractors are required to report on any subcontracting achievements and make a “good-faith” effort to keep to the plan. In addition, some regulations and procedures require contracting officers to review the subcontracting plan before or after award to make sure certain information is included in the plan. Agencies are also required to provide SBA Procurement Center Representatives (or PCRs) the opportunity to review the proposed contract and associated subcontracting plan.
After a contract is in place, the FAR requires contracting officers to ensure that subcontracting reports are submitted via the eSRS web platform within a certain amount of time. Contracting officers must then review and decide whether to accept these reports. In addition to reviewing the reports, agencies are also required to perform annual evaluations of all contractor performance through CPARS (the Contractor Performance Assessment Reporting System). One aspect of the annual CPARS evaluation, where applicable, is compliance with the contractor’s small business subcontracting plan.
Despite the amount of oversight agencies appear to have over contractor compliance with small business subcontracting plans on paper, some folks at the Department of Defense were concerned about how much actual oversight agencies were providing to ensure contractors complied with their plans. Thus, GAO looked into how four representative agencies (the DLA, the Navy, GSA, and NASA) provide oversight. It found that the DoD was right to be concerned.
First, GAO looked to pre-award procedures for reviewing subcontracting plans. It found that COs from all four representative agencies reviewed and approved subcontracting plans as required in most, but not all, cases. More problematically, however, the “[a]gencies also could not demonstrate they followed procedures related to PCR reviews in about half of the contracts reviewed.” Put differently, most of the time, the SBA wasn’t involved in reviewing subcontracting plans before contract award, as required.
Next, GAO turned to agency overview of contractor compliance with their subcontracting plans post-award. GAO found this overview was pretty “limited.” Even though each representative agency did offer some amount of training to contracting officers on subcontracting plans, GAO found that these contracting officers did not ensure contractors met their reporting requirements in most of the reviewed contracts. In addition, even where reports were submitted as required, many were not reviewed in the manner anticipated.
As a result of its investigation, GAO offered ten recommendations for the reviewed agencies and the SBA. These recommendations are outlined here, but in summary, they ask the relevant agencies to make sure they have steps in place to ensure appropriate review of subcontracting plans and contractor compliance with those plans.
Overall, an increased focus on compliance with subcontracting plans is likely to have an effect on many contractors–hopefully ensuring more contracting dollars go to small business subcontractors. For more on small business subcontracting plans, check out our related blog posts here.
This post originally appeared on the SmallGovCon blog at https://smallgovcon.com/statutes-and-regulations/room-for-improvement-gao-reviews-agency-oversight-of-small-business-subcontracting-plans/ and was reprinted with permission.
Section 872 of the 2020 NDAA makes many notable changes to the Department of Defense’s (DoD) Mentor-Protégé Program. Besides permanently authorizing the program, Section 872 required DoD’s Office of Small Business Programs to establish performance goals and periodic reviews to be submitted to the congressional defense committees by February 1, 2020. This serves to improve outcomes, define expectations, and set measurable goals for the DoD Mentor-Protégé Program going forward.
Notably, Section 872 changes the definition of a “disadvantaged small business concern” to align with how small businesses are defined in other programs. To be considered small, the original definition required a business to have “less than half the size standard corresponding to its primary North American Industry Classification System code.” The new definition states that a disadvantaged small business concern must not exceed the size standard corresponding to its primary NAICS code.
Note that this change has already been approved and signed by the President, and applies to fiscal year 2020, ending in September 2020.
In spite of the fact that this seems like a trivial matter, it is important to understand that unlike mentor-protégé programs in other departments, the DOD program has a healthy budget (typical agreements of $750,000 to $1M or $2M) that can in fact get passed through the mentor for the benefit of the mentor-protégé partnership, i.e., mostly the protégé.
The important thing to understand is that this allows the DOD to pay the mentor for money that is used by the mentor-protégé agreement in ways that benefit the protégé in the future. Because this is a money granting program, it’s authorized not in annual increments (though it’s still budgeted annually), but in multiple-year increments.
As noted above, one of the changes with reauthorization was an alignment of the definition of small businesses with other definitions in other classification systems like NAICS codes. If those definitions are different, you could be small in one place and not small in another.
One of the interesting things about this legislation is that the new definition says you cannot exceed the size standard of the primary NAICS code but doesn’t say how much work must be in that code.
Why is that important? At TAPE, for example, we have work in three or four different NAICS codes. We do a lot of work in 541611 (administrative), which is a size standard of $16.5M, and we’re larger than that. On the other hand, we have a lot of work in 541512 and 541513 (IT), which have a size standard of $30.5M, which we’re within so we’re considered small, and 541330 (engineering), which has a size standard of $41.5M, where we’re also small.
So we do some of our work in a NAICS code for which we are large, which is perfectly okay. It just means if it was recompeted we’d have to compete as a large business, or find a small business partner.
After three or four months of working from home, it’s good to go back to one of the things that passed in 2019 and was signed by the President back before any of this happened.
This legislation affects lots of us, including joint ventures that involve an 8(a) protégé, or are led by an 8(a). It’s also particularly close to my heart, and may just be the most wonderful section that ever exists. Why? Because 823 also happens to be my birthday!
Section 823 of the 2020 NDAA increases the threshold for justification and approval for 8(a) Program sole-source awards. While the 2010 NDAA required justification and approval for 8(a) Program sole-source awards valued at or above $20 million (later increased to $22 million), Section 823 of the 2020 NDAA increases this threshold to $100 million.
[Note from Bill: $20M is a long way from the $4M threshold in place when I first started out!]
This change will benefit entity-owned 8(a) Program participants because, under the Federal Acquisition Regulation (FAR) and Small Business Administration’s (SBA) regulations, those are the only participants eligible for sole-source awards above the competitive thresholds ($7 million for manufacturing contracts and $4 million for all other contracts).
What this new legislation means is that if the contracting officer makes the determination that there is a single source that can perform a certain piece of work, and you can couch the language in such a way that states you are the only person that can do so, you can now get a sole-source contract for up to $100M. That is pretty cool!
For contracting officers, there is usually a threshold or limit as to what they can sign for (and this limit is now decidedly higher for 8(a) awards), before the award needs to be approved by another level of command or even by the Pentagon. Still, there is a big distinction in time and energy between a contract that anyone can compete on (e.g., in a vehicle), and a sole-source contract.
There’s still an approval process, but they don’t have to compete the award. They just need to write a J&A and get it approved by the appropriate levels of authority based on the number of dollars involved. Then lo and behold, they can award a contract.
Note from Bill: The following document was sent to us on behalf of the Small Business Administration by Donna Ragucci of the Federal OSDBU Council.
The National Defense Authorization Act (NDAA) for Fiscal Year 2020 authorizes FY2020 appropriations and sets forth policies regarding the military activities of the Department of Defense (DOD), military construction, and the national security programs of the Department of Energy (DOE).
Below is a list of small business-related FY 2020 updates/changes to the NDAA. We’ll highlight each one here, and then delve into more detail in future posts:
SEC. 870. REQUIREMENTS RELATING TO CREDIT FOR CERTAIN SMALL BUSINESS CONCERN SUBCONTRACTORS.
Highlight: If the subcontracting goals pertain to more than one contract with one or more Federal agencies, or to one contract with more than one Federal agency, the prime contractor may only receive credit for first tier SB subcontractors.
Note from Bill: Interesting nuance here. So multi-award contracts or ANY contract that spans multiple agencies, only the first tier subs apply for SB credit. This mostly applies to large businesses, but can also affect “similarly situated entity” use in multiple award GWACS.
SEC. 871. INCLUSION OF BEST IN CLASS DESIGNATIONS IN ANNUAL REPORT ON SMALL BUSINESS GOALS. (House bill)
Highlight: In addition to the requirements listed in this section for each best in class designation, the Administrator shall include new requirements in the Best In Class Small Business Reporting.
Note from Bill: The Best in Class designation is rapidly taking hold, and many agencies are opting out of having their own vehicles and using the BIC. This change allows for more reporting of BIC vehicles and defines, legislatively, the requirements.
SEC. 873. ACCELERATED PAYMENTS APPLICABLE TO CONTRACTS WITH CERTAIN SMALL BUSINESS CONCERNS UNDER THE PROMPT PAYMENT ACT.
Highlight: To the fullest extent permitted by law, the head of an agency will establish an accelerated payment date (with a goal of 15 days after a proper invoice for the amount due is received) if a specific payment date is not established by contract.
Note from Bill: Good for all us smalls, because the fact is, the sooner we get the funds, the better.
SEC. 874. POSTAWARD EXPLANATIONS FOR UNSUCCESSFUL OFFERORS FOR CERTAIN CONTRACTS.
Highlight: Upon receipt of a written request from an unsuccessful offeror for a task order or delivery order in an amount greater than the SAT and less than or equal to $5,500,000 issued under an IDIQ contract; the CO must provide a brief explanation as to why such offeror was unsuccessful.
Note from Bill: So, interesting, this used to be $10M, so the size threshold has gone down (good for us in seeking info), but they mention “brief explanation,” which is frustrating. Brief is NEVER good.
SEC. 875. SMALL BUSINESS CONTRACTING CREDIT FOR SUBCONTRACTORS THAT ARE PUERTO RICO BUSINESSES OR COVERED TERRITORY BUSINESSES.
Highlight: Businesses receive contracting credit for subcontractors that are Puerto Rico Businesses and covered territory businesses. Covered territory businesses are located in the United States Virgin Islands, American Samoa, Guam, and The Northern Mariana Islands.
Note from Bill: A simple change that allows Puerto Rican and territorial companies to be included in US designations for SB credits.
SEC. 876. TECHNICAL AMENDMENT REGARDING TREATMENT OF CERTAIN SURVIVING SPOUSES UNDER THE DEFINITION OF SMALL BUSINESS CONCERN OWNED AND CONTROLLED BY SERVICE-DISABLED VETERANS.
Highlight: Section 3(q)(2) of the Small Business Act is amended: (bb) in the case of a surviving spouse of a veteran with a service-connected disability rated as less than 100 percent disabling who does not die as a result of a service-connected disability, is 3 years after the date of the death of the veteran.
Note from Bill: This is useful, because it does mean that for a business designated as SDVOSB when the veteran passes, the surviving spouse has three years to “wind things up.” Definitely a good idea.
SEC. 880. ASSISTANCE FOR SMALL BUSINESS CONCERNS PARTICIPATING IN THE SBIR AND STTR PROGRAMS.
Highlight: The PCR (procurement center representative) is to consult with the appropriate personnel from the relevant Federal agency to assist small business concerns in participating in the SBIR or STTR program (with commercializing research developed under such a program) before a small business is awarded a contract from a Federal agency.
Note from Bill: This affects small businesses doing R&D, and is useful to give the SB staff a say in the process to ensure small businesses are utilized on SBIR and STTR awards.
A government agency’s evaluation of your past performance can often be the difference between winning or losing your bid. In fact we are increasingly receiving RFPs in which the only written material supplied to the government are past performance references.
When we do a contract for the government, the agency is obligated to rate our performance in different areas from 5 to 1 (excellent, very good, satisfactory, marginal, or unacceptable). These reference ratings are then stored in a web-based application called the Contractor Performance Assessment Reporting System (CPARS).
We recently did an RFP where they listed elements from their PWS (Performance Work Statement, which is essentially a list of work you’re supposed to do). We were required to take those PWS elements and map them to the information from the past performance reference that we were giving. Then they would go and consult CPARS, which means the contract in your reference had to have been in place for a year, and the CPARS entry already approved.
For example, one of the PWS elements was project management. We were required to give a written response that yes, we do project management and we’ve done it on a past project. Then we had to go to the contract documents for that past project, to the actual PDF of the signed contract documents, and put an electronic sticky note where the contract states we were required to do project management reports.
In the end, we submitted 400+ pages of old contract documents with electronic sticky notes on various pages, along with detailed notes in the RFP about where to refer to these pages in the past performance contract.
There is a lot more movement towards using past performance as the only award criteria, and so you really need to focus as a vendor on disputing your CPARS if they’re not appropriate, understanding your rating criteria, and working directly with your CORs and KOs to make sure everything gets into your past performance record.
For better or worse, agencies are given broad discretion in how they evaluate past performance. As such, it is critical when working with the federal government that contractors understand not only what steps they should take to cultivate and utilize positive past performance, but also the steps they should take to defend their past performance from attacks. Here are some key items for your team to discuss:
- general rules governing past performance evaluations;
- ways in which a prime contractor can utilize different sources of past performance information;
- best practices for obtaining positive CPARS ratings; and
- how and when to challenge negative CPARS ratings.
In the fall of 2019, the United States Government Accountability Office (GAO) released a report about agencies’ use of the lowest price technically acceptable (LPTA) process in federal contracting.
As background, in 2017 section 813 of the NDAA started to create some limitations on using LPTA and when it would be appropriate. Then section 880 of the NDAA FY 2019 required that those changes be applied to civil agencies as well.
As part of that, Congress required the GAO, which acts sort of like Congress’s review agency, to develop some reports on various aspects of the LPTA world – they were looking for large dollar value issues and so forth.
There are eight criteria established for the use of LPTA:
- The agency can clearly describe the minimum requirements in terms of performance objectives, measures, and standards that will be used to determine acceptability of offers.
- The agency would realize no, or little, value from a proposal exceeding the solicitation’s minimum technical requirements.
- The proposed technical approaches can be evaluated with little or no subjectivity as to the desirability of one versus the other.
- There is a high degree of certainty that a review of technical proposals other than that of the lowest-price offeror would not identify factors that could provide other benefits to the government.
- The contracting officer has included a justification for the use of the LPTA process in the contract file.
- The lowest price reflects full life cycle costs, including for operations and support.
- DOD would realize little or no additional innovation or future technological advantage by using a different methodology.
- For the acquisition of goods, the goods being purchased are predominantly expendable in nature, nontechnical, or have a short life expectancy or shelf life.
The important thing about this, from our perspective, is that Congress is making a determination and imposing requirements on DoD and now on the civil agencies that LPTA has a limited space.
Specifically, there has to be a determination that the agency does not need technical trade-offs. If the agency has technical trade-offs, then they can’t use LPTA. Furthermore, if there are specific trade-offs between cost and technical activity, that is also not conducive to using LPTA.
From our perspective as an observer of the process, it’s clear that there were increasingly non-applicable uses of LPTA, which led to some very anomalous decisions. The net result was that subject matter experts with education, talent, and experience became too expensive to use – they were being priced out of the market.
If there was someone willing to allegedly supply these SMEs for substantially less, that person automatically won an LPTA contract. But then when they tried to hire SMEs at these discounted rates the SMEs just went elsewhere to people who would pay them fairly.
This produced ugly contracts, when half the staff would leave either in the transition time frame or shortly thereafter, and who you lost were the really good people. Fortunately this set of legislation has reined in the excesses between the two NDAAs. Fundamentally, we must thoroughly understand not just when to use LPTA but why it makes sense (or doesn’t).
The description of this provision reads: The Secretary of Defense shall streamline and digitize the existing Department of Defense approach for identifying and mitigating risks to the defense industrial base across the acquisition process, creating a continuous model that uses digital tools, technologies, and approaches designed to ensure the accessibility of data to key decision-makers in the Department.
Essentially, the government is directing DoD to adjust their risk mitigation framework so that downstream suppliers are also included.
They are looking specifically at these supply chain risks:
- material sources and fragility;
- counterfeit parts;
- cybersecurity of contractors;
- vendor vetting in contingency or operational environments; and
- other risk areas as determined appropriate.
And these risks posed by contractor behavior:
- ownership structures;
- trafficking in persons;
- workers’ health and safety;
- affiliation with the enemy; and
- other risk areas as deemed appropriate.
Let’s say I am a contractor serving the Department of Defense. I may be supplying an assembly of some kind, a device or a simulator or something. However, I’m just the integrator, not the person actually building the digital pieces.
Now, what happens if some of the parts that I’m using come from a forbidden foreign supplier? Or my manufacturing plant is in a prohibited foreign country? Or the country is not forbidden but they are doing a project (e.g., building a 5G network) using companies that are on the prohibited list?
So you can begin to see that there are tons of implications and risks that track across the entire industrial base, down to whose chips I am using in my digital manufacturing and whose chips I am using to assemble my products. So while this provision seems like a simple thing to update the risk mitigation framework, it represents an enormous issue across the entire DoD.
New FAR Rule: Partial Set-Asides and Reserves, Small Business Set-Asides Under Multiple-Award Contracts
Posted: May 13, 2020
DoD, GSA, and NASA have issued a final rule amending the Federal Acquisition Regulation (FAR) to implement regulatory changes made by the Small Business Administration, which provide Governmentwide policy for partial set-asides and reserves, and for set-asides of orders for small business concerns under multiple-award contracts. The rule went into effect March 30, 2020.
As part of the implementation of reserves of multiple-award contracts, the proposed rule removed the term “reserve” in the FAR where it is not related to reserves of multiple-award contracts.
This final rule makes the following significant changes from the proposed rule:
- Removal of the term “HUBZone order.” This term has been removed throughout the final rule.
- Requirement to assign a North American Industry Classification System (NAICS) code. The final rule clarifies that NAICS code(s) must be assigned to all solicitations, contracts, and task and delivery orders, and that the NAICS code assigned to a task or delivery order must be a NAICS code assigned to the multiple-award contract. This clarification appears at FAR 19.102, with cross references in 8.404, 8.405-5, and 16.505.
- Requirement to assign more than one NAICS code and associated size standard for multiple-award contracts where a single NAICS code does not describe the principal purpose of both the contract and all orders to be issued under the contract. In the proposed rule, the date for implementation of this particular requirement was listed as January 31, 2017. For the final rule, this date has been extended to October 1, 2022. This is when Governmentwide systems are expected to accommodate the requirement. This date also allows time for Federal agencies to budget and plan for internal system updates across their multiple contracting systems to accommodate the requirement. Use of this date in the final rule means that the assignment of more than one NAICS code for multiple-award contracts is authorized only for solicitations issued after October 1, 2022. Before this date, agencies may continue awarding multiple-award contracts using any existing authorities, including any addressed in this rule, but shall continue to report one NAICS code and size standard which best describes the principal purpose of the supplies or services being acquired.
- Rerepresentation of size status for multiple-award contracts with more than one NAICS code. FAR 19.301-2 is revised to clarify that, for multiple-award contracts with more than one NAICS code assigned, a contractor must rerepresent its size status for each of those NAICS codes. A new Alternate I is added for the clause at 52.219-28 to allow rerepresentations for multiple NAICS codes, and a prescription is added at 19.309(c). Alternate I will be included in solicitations that will result in multiple-award contracts with more than one NAICS code.
- Rerepresentation for orders under multiple-award contracts. The clause at 52.219-28 is revised to relocate the paragraph addressing rerepresentation for orders closer to the beginning of the clause and to renumber subsequent paragraphs.
- Representation of size and socioeconomic status. FAR 19.301-1 is revised to clarify that, for orders under basic ordering agreements and FAR part 13 blanket purchase agreements (BPAs), offerors must be a small business concern identified at 19.000(a)(3) at the time of award of the order, and that a HUBZone small business concern is not required to represent twice for an award under the HUBZone Program. A HUBZone small business concern is required to represent at the time of its initial offer and be a HUBZone small business concern at time of contract award.
- Applicability of the limitations on subcontracting to orders issued directly to one small business under a reserve. The final rule clarifies that the limitations on subcontracting and the nonmanufacturer rule apply to orders issued directly to one small business concern under a multiple-award contract with reserves. This clarification appears in multiple locations in parts 19 and 52. The final rule also clarifies the limitations on subcontracting compliance period for orders issued directly, under multiple-award contracts with reserves, to small businesses who qualify for any of the socioeconomic programs. These clarifications appear in subparts 19.8, 19.13, 19.14, and 19.15, and in the clauses at 52.219-3, 52.219-14, 52.219-27, 52.219-29, and 52.219-30.
- Compliance period for the limitations on subcontracting. The final rule revises the proposed text at sections 19.505, 19.809, 19.1308, 19.1407, and 19.1507 to be consistent with the implementing clauses for those sections. The clauses reflect that the contracting officer has discretion on whether the compliance period for a set-aside contract is at the contract level or at the individual order level.
- Fair opportunity and orders issued directly to one small business under a reserve. The final rule addresses orders issued directly to one small business under a reserve at FAR 16.505.
- Conditions under which an order may be issued directly to an 8(a) contractor under a reserve. The final rule clarifies in 19.804-6 the conditions under which an order can be issued directly to an 8(a) contractor on a multiple-award contract with a reserve.
- Set-asides of orders under multiple-award contracts. At FAR 19.507, the prescription for Alternate I of the clause at 52.219-13 is revised to apply to any multiple-award contract under which orders will be set aside, regardless of whether the multiple-award contract contains a reserve.
- Consistent language for “rule of two” text. FAR 19.502-3, 19.502-4, and 19.503 are revised for consistency with FAR 19.502-2(a), which most closely matches the “rule of two” in the Small Business Act (15 U.S.C. 644(j)(1)).
- Documentation of compliance with limitations on subcontracting. The requirement for contracting officers to document contractor compliance with the limitations on subcontracting is removed from subparts 19.5, 19.8, 19.13, 19.14, and 19.15. FAR part 4 and subpart 42.15 already prescribe documentation of contractor compliance with various contract terms and conditions, including the limitations on subcontracting. FAR subpart 42.15 is revised to clarify that performance assessments shall include, as applicable, a contractor’s failure to comply with the limitations on subcontracting.
- Clarification of “domestically produced or manufactured product.” FAR 19.6 is revised to use the phrase “end item produced or manufactured in the United States or its outlying areas” instead of “domestically produced or manufactured product.”
- Subcontracting plans for multiple-award contracts with more than one NAICS code. FAR subpart 19.7 is revised to provide guidance to contracting officers on how to apply the requirement for small business subcontracting plans to multiple-award contracts assigned multiple NAICS codes. With the requirement to assign multiple NAICS codes, it will be possible for a contractor to be both a small business concern and an other than small business concern for a single contract.
- HUBZone price evaluation preference and reserves. FAR subpart 19.13 is revised to clarify that the HUBZone price evaluation preference shall not be used for the reserved portion of a solicitation for a multiple-award contract. The price evaluation preference shall be used in the portion of a solicitation for a multiple-award contract that is not reserved. In addition, the clause at 52.219-4 is revised to remove the proposed text that stated the HUBZone price evaluation preference did not apply to solicitations that have a reserve for HUBZone small business concerns, since that is not accurate.
- Performance by a HUBZone small business concern. FAR 19.1308 is revised to specify performance by a HUBZone small business concern instead of performance in a HUBZone. The related changes that were proposed in the clause at 52.219-4, paragraph (d)(2), are not being adopted as they are no longer accurate.
- Separate provision for reserves and clause for orders issued directly under a reserve. The final rule provides a new solicitation provision at 52.219-31, Notice of Small Business Reserve, and prescription at 19.507 to address information and requirements that are related to reserves of multiple-award contracts and are appropriate for inclusion only in the solicitation. These requirements and information were proposed as part of the clause at 52.219-XX (now 52.219-32); however, since they only apply prior to contract award, the final rule relocates them to a separate provision. The final rule also revises the clause at 52.219-32 to address only orders issued directly to one small business under a reserve. The title of the clause reflects the revised content.
This is a guest post by Benjamin Brooks of Beryllium InfoSec Collaborative.
When you think “contractor with the U.S. government,” what do you think of? Bureaucracy? Guaranteed steady revenue? Those are the most popular responses, because after all, we are in business to make money, right? But how many people reading this think of “cybersecurity” as one of the ideas surrounding contracting with the United States government?
Today, however, when it comes to getting a government contract, cybersecurity is “the new black.” Traditionally, cybersecurity requirements were only a big deal for direct, prime contractors or their subs. However, because there have been so many breaches involving contractors, and the associated costs of those breaches, the United States government is starting to get tough on cybersecurity.
So much so, that the government is going to issue a certification process for ensuring cybersecurity before allowing contracts to be awarded! Because government contractor cybersecurity is such a huge issue today, let’s jump into some information to help companies earn their contractor cybersecurity “badge.”
1. Identity management
Contractors are going to need to make sure that all the users in the organization can be positively identified when using the information system (the network/computers). This means everyone who uses a computer gets a username. And whoever needs one gets a mailbox. You can have a shared inbox, but the logins need to be unique to each person. That goes for admins too!
2. Multi-factor authentication (MFA)
Multi-factor authentication is one of the most affordable ways to protect your organization from a plethora of cyber-attacks. Whether your organization uses single sign-on, zero-trust, or another model in between, MFA is a powerful tool against cybercriminal activity.
For example, if Tiny Tim wants to log in to his email remotely, it would be a good idea to confirm it is he who is logging in, right? By using MFA, an alert can be sent to Tiny Tim’s phone to prompt “is this you logging in?”…and Tiny Tim clicks “yes.” If a hacker were to obtain Tiny Tim’s username (typically his email address) and his password (which often is an easy one to remember, yikes!), the hacker still needs Tiny Tim’s phone to gain access. That is a simple way to make it much harder for the bad guy! For smaller organizations (and larger ones too) MFA solutions like DUO are a great way to provide MFA services/software.
Security tip: Avoid using an SMS code push, or a phone call for your second authentication factor, as SIM-swap attacks are on the rise.
3. Effective anti-malware programs
There are plenty of anti-malware programs around, and unless your organization has been hiding under a rock for the past 10 years, you probably know this simple and essential protection. On that note, the most effective anti-malware solutions are those that can be centrally managed for updates, patches, etc., by your IT folks.
4. General user cybersecurity awareness training
Training your employees on the current cybersecurity threats, and what to do in the event something bad does happen, is one of the biggest bangs-for-your-security-buck! With email-based compromises being one of the largest sources of breaches these days, turning poor user behavior into an effective line of defense is a huge double impact investment. Of course, the right user awareness training is key. Making it fun and memorable will make your employees more aware of cyber threats.
If you really want your organization to build internal information security defense via your people, test them via a phishing simulation tool! What good is training if you aren’t testing to see if it is working? There are very good (and super affordable!) solutions out there to strengthen your first line of defense (your employees). There have been rave reviews about InteproIQ’s platform that combines both training and a phishing tool, so it is definitely worth looking into.
5. The Cybersecurity Maturity Model Certification
If your organization has been anywhere near the United States government defense contracting space for the last few months, you hopefully have heard of the newly announced Cybersecurity Maturity Model Certification (CMMC). I think we can all agree that cybersecurity is important. The new sheriff in town for DOD contractor (and potentially other federal) cybersecurity policy and practice adherence is the Office of the Under Secretary of Defense.
The Cybersecurity Maturity Model Certification will be tiered-out in order to ensure affordability by even the smallest of sub-contractors, but more importantly, by the potentially sensitive data shared with outside organizations. The CMMC allows for different levels of security for different amounts and types of information that need protection. Whether or not this will be implemented outside of the DOD is yet to be determined.
In cases where the contract is not with the DOD, specific clauses for cybersecurity requirements will be laid out through FAR clauses, specific organizational requirements, and NIST 800 series documents.
To summarize, cybersecurity in government contracting is not going away anytime soon. If your organization is aspiring to get a GSA schedule, or be a contractor to the U.S. government in any regard, it will pay dividends to get help understanding the ins-and-outs of both contract negotiating and cybersecurity requirements.
Ensuring taxpayers are not overspending on goods and services is a worthwhile and potentially lucrative business opportunity. Safeguarding the information and data surrounding that venture will ensure it stays lucrative.
Beryllium InfoSec Collaborative helps defense contractors get compliant and implemented with all the DFARS 252.204-7012 and NIST SP 800-171 requirements. We do so in an affordable, practical and secure way, so you can focus on your business. You can watch Winvale’s joint webinar with Beryllium about “Managing Cybersecurity Requirements in Today’s Federal Market” here.
This post originally appeared on the Winvale blog at https://info.winvale.com/blog/top-5-cybersecurity-tips-for-government-contractors.
This is a guest post by John Abel and Haley Lawrie of Winvale.
The GSA MAS Consolidation is here, and things are changing FAST for government contractors. Not to worry, Winvale is here with all the information your company needs to help successfully navigate the new MAS solicitation updates. We’ve seen the updates and how they affect new offerors, but let’s take a look at how current contractors will be affected.
ALL GSA Schedule holders will be receiving a notice for Mass Modification A812 – MAS Consolidation over the course of the next week or so. Some of those reading this may have already received the notice, depending on Schedule number. Below is a schedule for the release dates of the mass mod across all 24 GSA legacy Schedules:
| Mass Mod A812 Release Date | Legacy Schedule Number |
|---|---|
| Friday, 1/31 | 03FAC, 23V, 36, 48, 51V, 58 I, 599 |
| Monday, 2/3 | 00CORP (PSS) |
| Tuesday, 2/4 | 00CORP (PSS) Cont. |
| Thursday, 2/6 | 70 Cont. |
| Friday, 2/7 | 56, 66, 67, 71, 71 II K, 72, 73, |
| Monday, 2/10 | 736, 738X, 75, 751 |
| Tuesday, 2/11 | 76, 78, 81 I B, 84 |
Why is the MAS Mass Mod happening?
GSA is making active efforts to modernize and simplify the federal acquisition process by consolidating the current GSA Schedules. This mass modification will be the most important to date for GSA Contractors.
24 Schedules have been consolidated into 1 Multiple Award Schedule, 12 Large Categories, 83 Subcategories, and 316 newly formatted Special Item Numbers. GSA wants to eliminate any duplicate Schedules while continuing to meet the needs of its government buyers.
When do you need to take action on Mass Mod A812?
It is imperative that you check your email regularly to ensure that you’ve received the mass modification notice. If your contract administrator has not received the email by the corresponding date for your specific schedule, contact your GSA Administrative Contracting Officer (ACO) as soon as possible. (Don’t know who your ACO is? Find them here.)
Not only is it essential for contractors to ensure acceptance of this mass modification in order to reap the benefits of the consolidation, it is also mandatory, with a 90-day window for acceptance after the initial email notification is received. Within this mass modification, contractors will be required to:
- Review and accept 210 FAR and GSAM clauses
- Review the updated terms and conditions for the MAS
- Map existing SINs on your current Schedule to new SINs under the applicable Large Categories
If you have taken exception to any solicitation clauses in previous Mass Modifications, these exceptions will not carry over and that process must occur again.
How do you know what SINs you will have awarded after the Mass Mod?
It is important to note that awarded products/services, pricing, contract number, and the period of performance for your GSA Contract will NOT change. While the Contract Type and Special Item Numbers (SINs) will change, the pricing components of your contract won’t change. You don’t need to apply for a new contract and the Mass Mod will not automatically consolidate your contracts down to one contract per your DUNS number.
GSA will provide a mapping of your current SINs to the new SINs that will go into effect upon acceptance. If you are wondering what new SINs your contract will be mapped to, we can help.
Overall, changes from this MAS consolidation will be contingent on Mass Mod A812, but there are a few things on the backend that contractors must complete in order to be fully compliant and ensure proper use of the GSA Schedule to its full potential moving forward. Although accepting the mass modification will update a number of fields within GSA’s internal systems, contractors must still manually complete the updates through programs like SIP to reflect the new MAS structure on GSA eLibrary and GSA Advantage!.
After accepting the mass mod, contractors will need to perform a SIP upload to initiate a “merge” of the legacy SINs to the new SINs within 30 days of acceptance. This will ensure that all records remain current with the new MAS solicitation structure and terms and conditions so that buyers will be able to conform to the new structure when seeking out contracting partners.
How will this impact your current GSA Schedule Maintenance?
To ensure there are no hiccups when accepting the Mass Mod, GSA is suspending the ability to submit requests in eMod for “Add SIN” and “Delete SIN” modifications under the legacy Schedules on Jan. 30, 2020. The ability to process “Add SIN” and “Delete SIN” modifications will be restored March 14, 2020. All other modification types will still be accepted throughout Phase II of MAS Consolidation.
With regard to sales reporting, SINs are effective immediately when you sign the Mass Mod, and you will see both legacy SINs and new MAS SINs in SRP for the first sales reporting period after the Mass Mod approval date. After that reporting period has been completed, future reporting periods will only display the new MAS SINs.
The MAS Consolidation may seem like a huge hurdle to overcome, but it is a step in the right direction for GSA and your GSA Schedule contract. To make it easier for our clients, Winvale is hosting a webinar on Tuesday, February 25 about the MAS Consolidation and how it impacts your contract.
If you can’t make the webinar, feel free to contact our consulting team today for more information on how these updates will affect your company’s GSA Schedule and a more in-depth look into the changes. Winvale offers full-service GSA Schedule support from our experienced professionals specializing in SIP, FAR compliance, GSA Advantage! and Schedule compliance.
This post originally appeared on the Winvale blog at https://info.winvale.com/blog/gsa-mas-consolidation-phase-2-current-gsa-contractors and was reprinted with permission.