How the CMMC is Changing Culture One Company at a Time

Note from John: Seems like every time I have a conversation with another colleague or company the topic of CMMC comes up. The Cybersecurity Maturity Model Certification is not going away…for many good reasons. As defense contractors we have to protect our assets, resources and those of our clients. It is in OUR best interest. Here is another great article from Jason Miller.


This is a guest post by Jason Miller, executive editor, Federal News Network.

Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.

Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.

So 18 months into the CMMC development and roll out, Golden said industry and agencies still need to grasp why this initiative matters so much.

“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”

Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.

“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said. 

“We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”

That culture change has to happen with more than just defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.

Click the link below to read the full article and listen to Jason’s interview with Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield: https://federalnewsnetwork.com/cybersecurity/2021/02/cmmc-changing-culture-one-company-at-a-time/.


FAR Final Rule Increases both Micro-Purchase and the Simplified Acquisition Threshold


While many federal agencies have already increased the thresholds for micro-purchase and simplified acquisition via deviations, the FAR has officially been updated as well. Effective August 31, 2020, the FAR has solidified the following thresholds:

  • $10K for micro-purchase (previously $3,500)
  • $250K for simplified acquisition threshold (previously $150K)

The increase to the simplified acquisition threshold should help small businesses, and here’s how: Purchases above the micro-purchase threshold, but not over the simplified acquisition threshold, shall be set aside for small business if two or more small firms are expected to compete. See FAR 19.502-2.

How can you leverage this rule to your advantage?

Micro-purchases and purchases under the simplified acquisition threshold are ways in which smaller-dollar contracts can be awarded without any competition. These situations are perfect for new, emerging small businesses.

Opportunities exceeding these limits have to follow the regular FAR guidelines and go through a regular acquisition (competition), unless you can do something with a set-aside that gives you a sole source. Government requirements falling within these dollar value limits can even be awarded to large businesses.

There are some rules and regulations that must be considered. For example, you can’t do $10K a hundred times to support a $1,000,000 requirement, but you can do $10K and even some renewals, etc.

Fundamentally this applies to something small, e.g., you’re going to send a couple employees in for a week of analysis and they can give you a sole source for $10,000 to do that easily.

For larger but still small increments up to $250K, there is a SAP (simplified acquisition procedure) FAR 19.502-2 explanation. That work might only be a small amount compared to most big contracts, but it’s a way to get your foot in the door and get started, and you can do that on a sole source basis under the simplified acquisition rules.

So certainly anyone who’s starting out, this is a way to get business directly for yourself. You have to go look at the rules and understand them, but the point is you can get a $10K purchase order directly, straight up, no competition, and these $250K ones with certain rules and regulations, and under certain conditions.


NDAA 2020 874 – Post-Award Explanations


Section 874 of NDAA 2020, Post-Award Explanations for Unsuccessful Offerors for Certain Contracts, “requires the FAR to be revised within 180 days to require that contracting officers provide a brief explanation of award, upon written request from an unsuccessful offeror, for task order or delivery order awards in an amount greater than the simplified acquisition threshold and less than or equal to $5.5 million issued under an indefinite delivery-indefinite quantity contract. Currently, offerors are only entitled to a debriefing after award of an order exceeding $5.5 million.” – Megan Connor, PilieroMazza

So what does this mean for us? Here’s what makes this important. Last year in the FAR rules, a detailed debrief of your losing proposal had to be made only if total value of the award exceeded $5.5 million. 

If it was less than $5.5 million, under those old rules, you weren’t entitled to anything. They literally didn’t have to even give you the time of day. All they’d tell you is that XXX company won, not you. No explanation of what you did wrong or right. Hopefully you have all taken advantage of this rule change on every source selection this past year. If not, I suggest you add the request for a debrief into your standard process when an award notification (win or loss) is made.

Under the revised rule, for any award above the simplified acquisition threshold, from $250K to $5.5 million, you may now receive a brief explanation of award. You do have to request this and you should ALWAYS ask for it immediately after you receive the notice.

The result is usually just a paragraph or two. It might be something like, “the offeror’s proposal was judged acceptable but not more than acceptable,” or it could say, “we awarded it to the lowest bidder.”  

This rule means you will get more explanatory results from your IDIQ task order bids and useful information for that next proposal. I hope you have taken advantage of this.


FAR Council Issues New Interim Rule on Section 889 – Prohibitions on Using Chinese Telecommunications and Video Surveillance Equipment


This is a guest post by Isaias “Cy” Alba, IV of PilieroMazza, PLLC.

Note from John: Seems like the list of action items for us small business folks is forever growing. With CMMC looming and now this requirement in place we must make sure we are ever vigilant to protect ourselves and our most important clients. This one requires the annual SAM reps and certs BUT also requires we conduct these repeated, reasonable inquiries throughout the contract performance. This one may not be so onerous…especially after the initial review of assets and services.

If you have not viewed PilieroMazza’s prior client alert and webinar on the implications of the new prohibition on the use of certain Chinese telecommunications and video surveillance equipment, we highly recommend you do so before reading this article as it will provide helpful background and information which we will not rehash in this article. You can find that content here and here, respectively.

The FAR Council released a new interim rule, effective October 26, 2020, allowing federal contractors who already certified in SAM, pursuant to the new FAR 52.204-26, that they “do not” use the prohibited equipment or services to update that certification only once a year instead of in conjunction with every proposal or bid pursuant to FAR 52.204-24(d)(2). Pursuant to this interim rule, FAR 52.204-26(c)(2) adds the following representation, which will be included in all contractor’s SAM representations and certifications:

After conducting a reasonable inquiry for purposes of this representation, the offeror represents that it [ ] does, [ ] does not use covered telecommunications equipment or services, or any equipment, system, or service that uses covered telecommunications equipment or services.

While the FAR Council has billed this as a change to ease the administrative burden of having to conduct repeated “reasonable inquiries” prior to certifications on each bid or proposal, this rule does NOT change the ongoing reporting requirements during contract performance which are, arguably, the most onerous part of the new Section 889 compliance regime.

Specifically, clients are already asking me about how this impacts the reviewing and reporting requirements of FAR 52.204-25, and whether this is still required if they take advantage of the new FAR 52.204-26 annual reporting. Unfortunately, the answer is “YES,” the constant monitoring and reporting during all federal contracts required under FAR 52.204-25(d) still applies. 

This means that even if a contractor has made the new FAR 52.204-26 certification in SAM, they still have to closely monitor the performance of themselves, employees, and subcontractors to ensure that none of the prohibited equipment or services are used or delivered on any federal contracts. If such use or delivery is found, the one-day required disclosure and the ten-day follow-up disclosures still apply in full force. 

Thus, while this new interim rule is helpful to ease the burden of having to perform a “reasonable inquiry” prior to every bid or proposal, it does not alleviate the eternal vigilance that all federal contractors must now undertake to comply with the full application of Section 889 of the 2019 NDAA.

Please contact Cy Alba, the author of this client alert, or a member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy groups with inquiries.

This post originally appeared as a PilieroMazza Client Alert at https://www.pilieromazza.com/far-council-issues-new-interim-rule-on-section-889-prohibitions-on-using-chinese-telecommunications-and-video-surveillance-equipment/ and was reprinted with permission.


GAO Reviews Agency Oversight of Small Business Subcontracting Plans


This is a guest post by Haley Claxton of Koprince Law LLC.

Recently, GAO published a report on small business subcontracting plan compliance, concluding that agency oversight of these plans needs improvement.

As many of our readers know, some federal contracts require large business prime contractors to utilize small business subcontractors under a small business subcontracting plan, as described in FAR 52.219-9. For context, in 2019, federal agencies “awarded more than 5,000 contracts requiring a small business subcontracting plan, and obligated more than $300 billion to contracts with required small business subcontracting plans.”

If a small business subcontracting plan is in place, contractors are required to report on any subcontracting achievements and make a “good-faith” effort to keep to the plan. In addition, some regulations and procedures require contracting officers to review the subcontracting plan before or after award to make sure certain information is included in the plan. Agencies are also required to provide SBA Procurement Center Representatives (or PCRs) the opportunity to review the proposed contract and associated subcontracting plan.

After a contract is in place, the FAR requires contracting officers to ensure that subcontracting reports are submitted via the eSRS web platform within a certain amount of time. Contracting officers must then review and decide whether to accept these reports. In addition to reviewing the reports, agencies are also required to perform annual evaluations of all contractor performance through CPARS (the Contractor Performance Assessment Reporting System). One aspect of the annual CPARS evaluation, where applicable, is compliance with the contractor’s small business subcontracting plan.

Despite the amount of oversight agencies appear to have over contractor compliance with small business subcontracting plans on paper, some folks at the Department of Defense were concerned about how much actual oversight agencies were providing to ensure contractors complied with their plans. Thus, GAO looked into how four representative agencies (the DLA, the Navy, GSA, and NASA) provide oversight. It found that the DoD was right to be concerned.

First, GAO looked to pre-award procedures for reviewing subcontracting plans. It found that COs from all four representative agencies reviewed and approved subcontracting plans as required in most, but not all, cases. More problematically, however, the “[a]gencies also could not demonstrate they followed procedures related to PCR reviews in about half of the contracts reviewed.” Put differently, most of the time, the SBA wasn’t involved in reviewing subcontracting plans before contract award, as required. 

Next, GAO turned to agency overview of contractor compliance with their subcontracting plans post-award. GAO found this overview was pretty “limited.” Even though each representative agency did offer some amount of training to contracting officers on subcontracting plans, GAO found that these contracting officers did not ensure contractors met their reporting requirements in most of the reviewed contracts. In addition, even where reports were submitted as required, many were not reviewed in the manner anticipated.

As a result of its investigation, GAO offered ten recommendations for the reviewed agencies and the SBA. These recommendations are outlined here, but in summary, they ask the relevant agencies to make sure they have steps in place to ensure appropriate review of subcontracting plans and contractor compliance with those plans.

Overall, an increased focus on compliance with subcontracting plans is likely to have an effect on many contractors, hopefully ensuring more contracting dollars go to small business subcontractors. For more on small business subcontracting plans, check out our related blog posts here.

This post originally appeared on the SmallGovCon blog at https://smallgovcon.com/statutes-and-regulations/room-for-improvement-gao-reviews-agency-oversight-of-small-business-subcontracting-plans/ and was reprinted with permission.


Section 872 – Reauthorization and Improvement of Department of Defense Mentor-Protégé Program


Section 872 of the 2020 NDAA makes many notable changes to the Department of Defense’s (DoD) Mentor-Protégé Program. Besides permanently authorizing the program, Section 872 required DoD’s Office of Small Business Programs to establish performance goals and periodic reviews to be submitted to the congressional defense committees by February 1, 2020. This serves to improve outcomes, define expectations, and set measurable goals for the DoD Mentor-Protégé Program going forward.

Notably, Section 872 changes the definition of a “disadvantaged small business concern” to align with how small businesses are defined in other programs. To be considered small, the original definition required a business to have “less than half the size standard corresponding to its primary North American Industry Classification System code.” The new definition states that a disadvantaged small business concern must not exceed the size standard corresponding to its primary NAICS code.

Note that this change has already been approved and signed by the President, and applies to fiscal year 2020, ending in September 2020.

In spite of the fact that this seems like a trivial matter, it is important to understand that unlike mentor-protégé programs in other departments, the DOD program has a healthy budget (typical agreements of $750,000 to $1M or $2M) that can in fact get passed through the mentor for the benefit of the mentor-protégé partnership, i.e., mostly the protégé.

The important thing to understand is that this allows the DOD to pay the mentor for money that is used by the mentor-protégé agreement in ways that benefit the protégé in the future. Because this is a money granting program, it’s authorized not in annual increments (though it’s still budgeted annually), but in multiple-year increments.

As noted above one of the changes with reauthorization was an alignment of the definition of small businesses with other definitions in other classification systems like NAICS codes. If those definitions are different you could be small in one place and not small in another.

One of the interesting things about this legislation is that the new definition says you cannot exceed the size standard of the primary NAICS code but doesn’t say how much work must be in that code.

Why is that important? At TAPE, for example, we have work in three or four different NAICS codes. We do a lot of work in 541611 (administrative), which is a size standard of $16.5M, and we’re larger than that. On the other hand, we have a lot of work in 541512 and 541513 (IT), which have a size standard of $30.5M, which we’re within so we’re considered small, and 541330 (engineering), which has a size standard of $41.5M, where we’re also small.

So we do some of our work in a NAICS code for which we are large, which is perfectly okay. It just means if it was recompeted we’d have to compete as a large business, or find a small business partner.


Section 823 – Modification of Justification and Approval Requirement for Certain DOD Contracts


After three or four months of working from home, it’s good to go back to one of the things that passed in 2019 and was signed by the President back before any of this happened.

This legislation affects lots of us, including joint ventures that involve an 8(a) protégé, or are led by an 8(a). It’s also particularly close to my heart, and may just be the most wonderful section that ever exists. Why? Because 823 also happens to be my birthday!

Section 823 of the 2020 NDAA increases the threshold for justification and approval for 8(a) Program sole-source awards. While the 2010 NDAA required justification and approval for 8(a) Program sole-source awards valued at or above $20 million (later increased to $22 million), Section 823 of the 2020 NDAA increases this threshold to $100 million. 

[Note from Bill: $20M is a long way from the $4M threshold in place when I first started out!]

This change will benefit entity-owned 8(a) Program participants because, under the Federal Acquisition Regulation (FAR) and Small Business Administration’s (SBA) regulations, those are the only participants eligible for sole-source awards above the competitive thresholds ($7 million for manufacturing contracts and $4 million for all other contracts).

What this new legislation means is that if the contracting officer makes the determination that there is a single source that can perform a certain piece of work, and you can couch the language in such a way that states you are the only person that can do so, you can now get a sole-source contract for up to $100M. That is pretty cool!

For contracting officers, there is usually a threshold or limit as to what they can sign for (and this limit is now decidedly higher for 8(a) awards), before the award needs to be approved by another level of command or even by the Pentagon. Still, there is a big distinction in time and energy between a contract that anyone can compete on (e.g., in a vehicle), and a sole-source contract.

There’s still an approval process, but they don’t have to compete the award. They just need to write a J&A and get it approved by the appropriate levels of authority based on the number of dollars involved. Then lo and behold, they can award a contract.


Small Business Updates in NDAA 2020


Note from Bill: The following document was sent to us on behalf of the Small Business Administration by Donna Ragucci of the Federal OSDBU Council.

The National Defense Authorization Act (NDAA) for Fiscal Year 2020 authorizes FY2020 appropriations and sets forth policies regarding the military activities of the Department of Defense (DOD), military construction, and the national security programs of the Department of Energy (DOE).

Below is a list of small business-related FY 2020 updates/changes to the NDAA. We’ll highlight each one here, and then delve into more detail in future posts:

SEC. 870. REQUIREMENTS RELATING TO CREDIT FOR CERTAIN SMALL BUSINESS CONCERN SUBCONTRACTORS.

Highlight: If the subcontracting goals pertain to more than one contract with one or more Federal agencies, or to one contract with more than one Federal agency, the prime contractor may only receive credit for first tier SB subcontractors.

Note from Bill: Interesting nuance here. So multi-award contracts or ANY contract that spans multiple agencies, only the first tier subs apply for SB credit. This mostly applies to large businesses, but can also affect “similarly situated entity” use in multiple award GWACS.

SEC. 871. INCLUSION OF BEST IN CLASS DESIGNATIONS IN ANNUAL REPORT ON SMALL BUSINESS GOALS.  (House bill)

Highlight: In addition to the requirements listed in this section for each best in class designation, the Administrator shall include new requirements in the Best In Class Small Business Reporting.

Note from Bill: The Best in Class designation is rapidly taking hold, and many agencies are opting out of having their own vehicles and using the BIC. This change allows for more reporting of BIC vehicles and defines legislatively, the requirements.

SEC. 873. ACCELERATED PAYMENTS APPLICABLE TO CONTRACTS WITH CERTAIN SMALL BUSINESS CONCERNS UNDER THE PROMPT PAYMENT ACT.

Highlight: To the fullest extent permitted by law, the head of an agency will establish an accelerated payment date (with a goal of 15 days after a proper invoice for the amount due is received) if a specific payment date is not established by contract.

Note from Bill: Good for all us smalls, because the fact is, the sooner we get the funds, the better.

SEC. 874. POSTAWARD EXPLANATIONS FOR UNSUCCESSFUL OFFERORS FOR CERTAIN CONTRACTS.

Highlight: Upon receipt of a written request from an unsuccessful offeror for a task order or delivery order in an amount greater than the SAT and less than or equal to $5,500,000 issued under an IDIQ contract; the CO must provide a brief explanation as to why such offeror was unsuccessful.

Note from Bill: So, interesting, this used to be $10M, so the size threshold has gone down (good for us in seeking info), but they mention “brief explanation,” which is frustrating. Brief is NEVER good.

SEC. 875. SMALL BUSINESS CONTRACTING CREDIT FOR SUBCONTRACTORS THAT ARE PUERTO RICO BUSINESSES OR COVERED TERRITORY BUSINESSES.

Highlight: Businesses receive contracting credit for subcontractors that are Puerto Rico Businesses and covered territory businesses. Covered territory businesses are located in the United States Virgin Islands, American Samoa, Guam, and The Northern Mariana Islands.

Note from Bill: A simple change that allows Puerto Rican and territorial companies to be included in US designations for SB credits.

SEC. 876. TECHNICAL AMENDMENT REGARDING TREATMENT OF CERTAIN SURVIVING SPOUSES UNDER THE DEFINITION OF SMALL BUSINESS CONCERN OWNED AND CONTROLLED BY SERVICE-DISABLED VETERANS.

Highlight: In section 3(q)(2) of the Small Business Act is amended (bb) in the case of a surviving spouse of a veteran with a service-connected disability rated as less than 100 percent disabling who does not die as a result of a service-connected disability, is 3 years after the date of the death of the veteran.

Note from Bill: This is useful, because it does mean that for a business designated as SDVOSB when the veteran passes, the surviving spouse has three years to “wind things up.” Definitely a good idea.

SEC. 880. ASSISTANCE FOR SMALL BUSINESS CONCERNS PARTICIPATING IN THE SBIR AND STTR PROGRAMS.

Highlight: The PCR (procurement center representative) is to consult with the appropriate personnel from the relevant Federal agency to assist small business concerns in participating in the SBIR or STTR program (with commercializing research developed under such a program) before a small business is awarded a contract from a Federal agency.

Note from Bill: This affects small businesses doing R&D, and is useful to give the SB staff a say in the process to ensure small businesses are utilized on SBIR and STTR awards.


Protect Your Past Performance


A government agency’s evaluation of your past performance can often be the difference between winning or losing your bid. In fact we are increasingly receiving RFPs in which the only written material supplied to the government are past performance references.

When we do a contract for the government, the agency is obligated to rate our performance in different areas from 5 to 1 (excellent, very good, satisfactory, marginal, or unacceptable). These reference ratings are then stored in a web-based application called the Contractor Performance Assessment Reporting System (CPARS).

We recently did an RFP where they listed elements from their PWS (Performance Work Statement, which is essentially a list of work you’re supposed to do). We were required to take those PWS elements and map them to the information from the past performance reference that we were giving. Then they would go and consult CPARS, which means the contract in your reference had to have been in place for a year, and the CPARS entry already approved.

For example, one of the PWS elements was project management. We were required to give a written response that yes we do project management and we’ve done it on a past project. Then we had to go to the contract documents for that past project, to the actual PDF of the signed contract documents, and put an electronic sticky note where the contract states we were required to do project management reports.

In the end, we submitted 400+ pages of old contract documents with electronic sticky notes on various pages, along with detailed notes in the RFP about where to refer to these pages in the past performance contract.

There is a lot more movement towards using past performance as the only award criteria, and so you really need to focus as a vendor on disputing your CPARS if they’re not appropriate, understanding your rating criteria, and working directly with your CORs and KOs to make sure everything gets into your past performance record.

For better or worse, agencies are given broad discretion in how they evaluate past performance. As such, it is critical that when working with the federal government that contractors understand not only what steps they should take to cultivate and utilize positive past performance, but also the steps they should take to defend their past performance from attacks. Here are some key items for your team to discuss:

  • general rules governing past performance evaluations;
  • ways in which a prime contractor can utilize different sources of past performance information;
  • best practices for obtaining positive CPARS ratings; and
  • how and when to challenge negative CPARS ratings.

Restricting LPTA in Federal Contracting


In the fall of 2019, the United States Government Accountability Office (GAO) released a report about agencies’ use of the lowest price technically acceptable (LPTA) process in federal contracting.

As background, in 2017 section 813 of the NDAA started to create some limitations on using LPTA and when it would be appropriate. Then section 880 of the NDAA FY 2019 required that those changes be applied to civil agencies as well.

As part of that, Congress required the GAO, which acts sort of like Congress’s review agency, to develop some reports on various aspects of the LPTA world – they were looking for large dollar value issues and so forth.

There are eight criteria established for the use of LPTA:

  1. The agency can clearly describe the minimum requirements in terms of performance objectives, measures, and standards that will be used to determine acceptability of offers.
  2. The agency would realize no, or little, value from a proposal exceeding the solicitation’s minimum technical requirements.
  3. The proposed technical approaches can be evaluated with little or no subjectivity as to the desirability of one versus the other.
  4. There is a high degree of certainty that a review of technical proposals other than that of the lowest-price offeror would not identify factors that could provide other benefits to the government.
  5. The contracting officer has included a justification for the use of the LPTA process in the contract file.
  6. The lowest price reflects full life cycle costs, including for operations and support.
  7. DOD would realize little or no additional innovation or future technological advantage by using a different methodology.
  8. For the acquisition of goods, the goods being purchased are predominantly expendable in nature, nontechnical, or have a short life expectancy or shelf life.

The important thing about this, from our perspective, is that Congress is making a determination and imposing requirements on DoD and now on the civil agencies that LPTA has a limited space.

Specifically, there has to be a determination that the agency does not need technical trade-offs. If the agency has technical trade-offs then they can’t use LPTA. Furthermore, if there are specific trade-offs between cost and technical activity, that is also not conducive to using LPTA.

From our perspective as an observer of the process, it’s clear that there were increasingly non-applicable uses of LPTA, which led to some very anomalous decisions. The net result was that subject matter experts with education, talent, and experience became too expensive to use – they were being priced out of the market.

If there was someone willing to allegedly supply these SMEs for substantially less, that person automatically won an LPTA contract. But then when they tried to hire SMEs at these discounted rates the SMEs just went elsewhere to people who would pay them fairly.

This produced ugly contracts, when half the staff would leave either in the transition time frame or shortly thereafter, and who you lost were the really good people. Fortunately this set of legislation has reined in the excesses between the two NDAAs. Fundamentally, we must thoroughly understand not just when to use LPTA but why it makes sense (or doesn’t).

