“The solicitation describes the various small business categories recognized in the procurement being run by the National Institutes of Health’s IT acquisition organization known as NITAAC, short for NIH Information Technology Acquisition and Assessment Center.
Most of those are familiar categories — Small Business, Woman-owned, Veteran-owned, Service-disabled, HUBzone, 8(a), Indian Economic Enterprises, and Indian Small Business Economic Enterprises.
There also is Other than Small Business, a category for everyone not small.
Companies in each category will only compete against others in the same category when it comes to winning spots on the vehicle.
For example, a woman-owned business will only compete against another woman-owned business. A HUBzone can only compete against another HUBzone, and so on.
Then there is this other category – Emerging Large Business. These are the middle-tier companies that have long felt the pressure to survive when they grow out of small business designations and face competition in the full-and-open world against the market’s behemoths.
There has been talk from time to time of creating another set-aside category for these companies. It looks like the organization responsible for the CIO-SP contracts is trying to do just that.
The CIO-SP4 solicitation defines an Emerging Large Business as a business with an average yearly revenue for the last five years of between $30 million and $500 million. Any business with an average of $500 million for the last five years will be considered an other than small business.
NOTE: In an earlier version of this post, I said the solicitation didn’t define Emerging Large Business, but a reader alerted me to my mistake. Thank you, Melissa, who did not leave a last name.
The solicitation states that Emerging Large Business is only considered a category in the competition to get on the contract. When it comes time to compete for task orders, Emerging Large Businesses will be back competing with the big boys again.
So I’m not 100-percent sure what the point is.
One person I asked about that category predicted the new lane for the mid-sized companies will create legal issues for NITAAC. The Federal Acquisition Regulation doesn’t define anything as an Emerging Large Business.
I know we’ll see protests along the way, so we’ll have to watch if this is something that gets challenged.
But overall, the response to the solicitation has been positive.
In their press release, NITAAC acting director Brian Goodger said that the solicitation for CIO-SP4 tries to incorporate “lessons learned” from CIO-SP3.
So that was my first question to them: What are the lessons learned? The answers seem to mostly favor industry.
Gone are separate unrestricted and small business contracts. Everyone will be on a single vehicle. This is a big plus for small businesses that will hopefully grow out of their SB status during the 10-year runway of CIO-SP4.
Small businesses that outgrew the designation have been shut out under CIO-SP3 Small Business. They could not bid on small business opportunities because they were no longer small.
Neither could they bid on the Unrestricted CIO-SP3 task orders because they didn’t hold a spot on that contract. Small businesses were very vocal about this shortcoming under CIO-SP3.
“Now everyone is under one roof,” a NITAAC spokeswoman said.
Two contracts also created an administrative burden. A single contract is inherently easier to manage, she said.
I’ve spoken with a few folks on the industry side and the single contract versus having two is definitely popular.
“A single contract has benefits for both the federal government and contractors,” one person told me.
CIO-SP4 is expected to be easier to use and its best-value pricing should be popular with agencies. The contract’s structure also should make it easier for agencies to meet various socio-economic goals.
With all primes on a single contract, small businesses now have a place to go when they are no longer small, this person said.
The Emerging Large Business category might be a head-scratcher for some folks, but overall the reaction to the final CIO-SP4 solicitation is positive. People seem to like the effort to streamline processes and create an easy transition for small businesses that grow out of that category.
We’ll watch how things shake out over the next several months.”
ABOUT THE AUTHOR:
Nick Wakeman is Editor In Chief, Washington Technology
“SMALL BUSINESS ADMINISTRATION OFFICE OF INSPECTOR GENERAL”
“SBA used three vendors without a contract to handle foreclosures and sales of properties. These vendors were primarily responsible for identifying subcontractors for appraisals, repairs, maintenance, listings, sale of properties, and legal services.
None of the three vendors were registered in the SAM, as required, and SBA did not purchase their services following federal procurement policy. Since 2012, SBA has made 34,030 payments for unauthorized commitments totaling over $10.8 million to these vendors.”
“During our audit work, we learned SBA used three vendors without a contract to handle foreclosures and sales of properties. These vendors were primarily responsible for identifying subcontractors for appraisals, repairs, maintenance, listings, sale of properties, and legal services.
The three vendors billed the resolution center for the foreclosure and sale services and administrative fees for commissioning the sales. Since 2012, SBA has made 34,030 payments for unauthorized commitments totaling over $10.8 million to these vendors as follows:
Vendor 1—22,384 payments totaling more than $8.1 million
Vendor 2—9,325 payments totaling more than $2.4 million
Vendor 3—2,321 payments totaling more than $336,800
Agencies are required to use the U.S. government’s System for Award Management (SAM) as the primary source of vendor information. None of the three vendors were registered in the SAM, as required, and SBA did not purchase their services following federal procurement policy. We questioned these unauthorized payments, totaling more than $10.8 million, because SBA did not comply with regulations (see Appendix I). Federal Acquisition Regulation (FAR) Part 1.102 requires “promotion of competition, maximizing the use of commercial products and services, and conducting business with integrity, fairness, and openness.” FAR Part 13 Subpart 104 Promoting Competition states a contracting officer must “promote competition to the maximum extent practicable to obtain supplies and services from the source whose offer is the most advantageous to the Government.”
The regulatory provision defined in the FAR states that any agreement made by a government employee who lacked the authority to enter into such agreement with a vendor is considered an unauthorized commitment. Title 5 of the Code of Federal Regulations (CFR) Part 2635.101 Standards of Ethical Conduct for Employees of the Executive Branch states employees shall not knowingly make unauthorized commitments or promises of any kind that bind the government.
Additionally, Title 48 of the Code of Federal Regulations Part 1.602-3 Ratification of Unauthorized Commitments states ratification of an unauthorized commitment may only be performed by a contracting officer or an official with the authority to do so as designated by the head of the contracting office.
The CFR defines an unauthorized payment as any action or agreement which is not binding solely because the representative who made it lacked the proper authority to enter into this action or agreement on behalf of the government. Agencies should take positive action to preclude, to the maximum extent possible, the need for ratification actions.
SBA had not entered into a government contract and was using vendors that were not recorded in SAM. The agency paid more than $10.8 million in unauthorized commitments that should be ratified under 48 C.F.R. § 1.602-3. Additionally, the agency did not conduct these contracting actions with integrity and openness in a fair and equitable manner, as required by the FAR.
An SBA official told us the vendors were first engaged for small services for what was perceived to be of minimal value. Use of the vendors continued over time and became part of the resolution center’s normal process. The practice of using these vendors without a contract was not intentional but rather an oversight.
The official further explained that the FAR applies to the acquisition of supplies and services with appropriated funds. The nature of the services does not require the use of federally appropriated funds. The fees associated with each service are the borrower’s financial obligation and are charged back to the borrower by way of a care and preservation of collateral fee.
It is important to note that the disaster loans are in default, and the sale of the real estate collateral is being used as a last resort to recover a portion of the delinquent debt. Any fees charged by the vendors are added to the delinquent loan balance. Any portion of the delinquent debt not recovered through foreclosure is charged off, so the federal government ultimately pays for these services.”
“The Office of Management and Budget has reported category management efforts have saved the federal government over $27 billion by leveraging the government’s collective purchasing power, according to the Government Accountability Office report released on Nov. 30.
With some higher-level standardization of requirements and enforcement, it could do better, according to the report.”
“Although federal category management practices have saved agencies billions of dollars in purchases of common goods and materials over the last few years, with more detailed help it could be even more effective, according to a new government watchdog agency report.
While the OMB’s 2019 category management guidance focused on category management techniques at the agency contracting officer level, it didn’t set higher-level requirements to define and standardize category management practices, said GAO’s report.
“Agency officials and category managers told us that they would benefit from a coordinated, government-wide approach to addressing prices-paid and spending data challenges,” the report states.
Federal category managers have little influence over how agencies define requirements and don’t have the authority to get agencies to act on their recommendations. Agency officials stated they were challenged by collecting, analyzing and sharing spending and pricing data that fuels category management’s effectiveness.
GAO urged OMB to better define category management requirements for common products and services, including working with the Category Management Leadership Council and the Performance Improvement Council to set additional category management performance metrics. It also recommended OMB work with the Category Management Leadership Council and the Chief Data Officer Council, to craft a strategic plan that will coordinate agencies’ responses to government-wide data challenges, including those involving prices-paid and spending data.
GAO also recommended that designated agency officials have the authority to hold personnel accountable for defining requirements for common products and services under the category management initiative. Another recommendation would also help open the door for more small businesses under the initiative with targeted training for federal contracting officers that would help them identify small business opportunities.
OMB said the General Services Administration, along with the Department of Health and Human Services and NASA are currently working to develop an Information Technology Vendor Management Office that could help category management efforts on a number of levels, including requirements development, data analysis, and training.
The office, it said, will also provide the federal acquisition workforce with more information to make the best buying decisions. The Information Technology Vendor Management Office, said OMB, will also help standardize technical and contract requirements, mitigate cyber-risks, improve data quality and more evenly leverage buying practices that will make it easier for small businesses to enter the federal marketplace.”
“The Federal Circuit’s decision in The Boeing Company v. United States clears the way for resolution of Boeing’s substantive challenge to a controversial Federal Acquisition Regulation provision that can give the government windfall recoveries in Cost Accounting Standards (CAS) matters. The case is notable for several reasons.”
“First, the court clarified the circumstances in which a contractor will be found to have waived its rights to object to a FAR provision.
Second, the court provided a useful primer on the three different kinds of jurisdiction available under the Tucker Act.
Finally, the Federal Circuit’s remand means the Court of Federal Claims will now address Boeing’s substantive challenge to FAR 30.606, which directs contracting officers to ignore offsets that save the government money when calculating the impact of changes to a contractor’s cost accounting practices.
FAR 30.606 provides that a contracting officer “shall not combine the cost impacts” of multiple unilateral changes to a cost accounting system “unless all of the cost impacts are increased costs to [the] Government.” This is in contrast to the government’s previous practice, which was to offset any increase in costs with any savings.
In 2011, Boeing made multiple, simultaneous changes to its cost accounting practices. The “unilateral” changes increased the government’s costs by $940,007, but other changes decreased the government’s costs by an additional $2.3 million. Because the changes resulted in a net savings to the government, Boeing’s position was that it did not owe the government any money. The contracting officer, however, followed FAR 30.606, and required Boeing to pay $940,007 plus interest.
The company began paying this sum, and then filed suit in the Court of Federal Claims to get the money back. The contractor’s core argument was that the regulation was unlawful because it violated the Cost Accounting Standards statute, which in relevant part provides that the “Federal Government may not recover costs greater than the aggregate increased cost to the government.”
The company argued that the government’s decision to follow FAR 30.606 was a breach of the contractual provision that requires the parties to follow CAS, and the government’s requiring Boeing to pay $940,007 plus interest amounted to an illegal exaction.
The Court of Federal Claims, however, held that Boeing waived its arguments by failing to challenge FAR 30.606 prior to contract award. The court also held that it lacked jurisdiction over the exaction claim because the CAS statute is not “money-mandating.”
The Federal Circuit reversed both Court of Federal Claims holdings on appeal. The circuit court explained that the contractor could not have received relief prior to award through negotiations because FAR 30.606 is a mandatory provision that could not have been bargained away by the parties. Moreover, a pre-award bid protest or other judicial proceeding would have been futile, for a variety of reasons: Boeing could not have filed a pre-award bid protest, because such protests cannot challenge matters of contract administration such as FAR 30.606; the contractor could not have filed an Administrative Procedures Act challenge because the CAS statute provides that that law’s judicial review procedures do not apply to the standard; and any claim would not have been ripe for review prior to contract award in 2008 because the company did not make the disputed cost accounting changes until 2011.
In short, the Federal Circuit held that Boeing had not waived its challenge to the legality of FAR 30.606, and made clear that contractors will not need to file pre-award protests in order to challenge the legality of FAR provisions that might potentially affect them in the future.
The Federal Circuit also explained that there are three types of Tucker Act claims over which the Court of Federal Claims has jurisdiction: contractual, illegal exaction, and those made pursuant to “money-mandating” statutes.
A previous Federal Circuit decision, Norman v. United States, stated that “[t]o invoke Tucker Act jurisdiction over an illegal exaction claim, a claimant must demonstrate that the statute or provision causing the exaction itself provides, either expressly or by necessary implication, that the remedy for its violation entails a return of money unlawfully exacted.”
In the Boeing case, however, the Federal Circuit clarified that the Court of Federal Claims has jurisdiction so long as: the plaintiff paid money to the government; and the plaintiff makes a non-frivolous allegation that the government, in obtaining the money, violated the Constitution, a statute, or a regulation. These types of claims for return of exacted funds are different from claims that seek damages as a result of a government action, which require the existence of either a contract or a money-mandating statute. Thus, the Federal Circuit made clear that jurisdiction over Boeing’s exaction claim did not depend on whether the CAS statute was “money-mandating.”
It is notable that the Federal Circuit was careful to disclaim any opinion as to the merits of Boeing’s challenge to FAR 30.606. We now eagerly await the decision of the Court of Federal Claims on the contractor’s illegal exaction claim on remand.”
“Public comments will be collected until then and are expected to be considered when crafting the final rule.
Ellen Lord, DOD’s top buyer, announced the rule’s publication during a virtual keynote presentation at the Common Defense 2020 conference on defense industry base procurement.
“To ensure cybersecurity is also foundational for our partners in industry, the department created the Cybersecurity Maturity Model Certification or CMMC,” Lord said. “Thereby requiring all DOD contracts by Oct. 21, 2025 — five years from now — to have some level of CMMC in each of those contracts.”
The interim rule includes contracting language to amend the Defense Federal Acquisition Regulation Supplement that “requires contractors to apply the security requirements of NIST SP 800-171 to ‘covered contractor information systems’…that are not part of an IT service or system operated on behalf of the government.”
The interim rule effectively creates three levels for cybersecurity assessments — basic, which is required to be eligible for award, medium and high, which can be conducted during the course of performance — and two assessment tracks, one for NIST 800-171 that’s effective now and one for CMMC, according to an analysis by the Wiley Rein law firm in Washington, D.C.
“Under this framework, contractors will be required to complete a self-assessment of their compliance with NIST SP 800-171 before they can receive DOD contracts,” Wiley Rein wrote.
“For CMMC, the interim rule introduces the long-anticipated DFARS clause that sheds some light on how DOD contractors are expected to flow down the requirements to subcontractors. But the interim rule also highlights DOD’s desire to continue developing the CMMC requirements outside the DFARS rulemaking process.”
The aim of the program is to ensure DOD contractors are adhering to a uniform standard and that DOD’s controlled unclassified information is protected. But while trade groups representing government and defense contractors have lauded the CMMC framework, they have criticized the implementation and rulemaking process.
Corbin Evans, the National Defense Industrial Association’s principal director of strategic programs, told FCW via email that the interim rule format is limiting when it comes to allowing for industry feedback.
“The use of the interim rule format limits the ability for DOD to incorporate valuable feedback from the [defense industry base] prior to the final rule taking effect,” Evans said, and “eliminates the ability for a public meeting to be conducted on the rule prior to implementation.”
The Professional Services Council said in a statement that it “supports improved cybersecurity and cyber hygiene for government contractors” but is “disappointed it was issued as an interim rule, taking effect immediately, and not a proposed rule.”
The rule also gives a glimpse of expected costs to comply for small businesses, ranging from approximately $1,000 for Level 1, or what’s considered basic cyber hygiene, to upwards of $50,000 to reach Level 3, which is reserved for companies that process, store, or transmit CUI, to cover contract support and a certified third-party assessment.
According to a chart that evaluates estimated annual assessment costs, companies seeking a CMMC Level 1 could expect to pay $1,000 a year for third-party assessments, while those seeking Level 3 certification could spend about $60,000 a year. For the latter, about $17,000 would go towards assessments, which are organized and run by the CMMC Accreditation Body — a non-government entity partnering with DOD to develop curricula and implement training for assessors.
However, there’s concern that those cost estimates could be conservatively low and “not fully in line with the reality,” Evans said. “Just considering implementation costs for the delta between CMMC level 3 and NIST 800-171, we see that the costs of compliance are still underestimated,” he said. “This will harm the ability for contractors to fully recover costs of CMMC compliance, effectively imposing both a new regulatory and financial burden on defense industrial base members.”
“In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government.
Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services to the USG. As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.
Section 889 of the Fiscal Year 2019 National Defense Authorization Act
As many USG contractors are now painfully aware, Section 889 of the Fiscal Year 2019 National Defense Authorization Act establishes two constraints on telecommunications supply chains. Subsection 889(a)(1)(A), effective as of August 13, 2019, prohibits USG agencies from acquiring certain telecommunications equipment or services from Huawei, ZTE, Hytera Communications Corporation, Hikvision, or Dahua, or any of their subsidiaries or affiliates.
Section 889(a)(1)(B), effective August 13, 2020, prohibits USG agencies from “enter[ing] into a contract (or extend[ing] or renew[ing] a contract) with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” As drafted, the statute is broad enough to apply in cases where a company uses such equipment or services solely in connection with its commercial sales outside of work the company does for the USG.
The interim rule for Section 889(a)(1)(A) was released last August and opened for comment. The FAR Council has indicated that it will provide feedback to those comments when it issues the proposed regulations for Section 889(a)(1)(B), which have not yet been released. This means that key terms, such as “entity” and “use” remain undefined. Accordingly, contractors, especially those with a mix of commercial and government business, must take educated guesses in preparing compliance programs to begin to address these requirements.
SECURE Technology Act
On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act. The Act establishes the Federal Acquisition Security Council, which is charged with building greater cybersecurity resilience into federal procurement and acquisition rules.
The Act also gives the Secretary of the Department of Homeland Security, the Secretary of Defense, and the Director of National Intelligence the authority to issue exclusion and removal orders for information technology products and/or companies that supply such products if the FASC determines that they represent a risk to the USG’s supply chain. The Act also permits federal agencies to exclude companies or products they deem to pose a supply chain risk from individual procurements.
Recent reports indicate that the FASC is nearing completion of a final interim rule that would specify the exclusion criteria and detail the appeal process from an exclusion order. Although the Department of Defense and the Intelligence Community currently have the authority to exclude products in certain instances, this interim rule would apply government-wide. Still to be seen is whether the exclusion determinations will be publicly available.
Cybersecurity Maturity Model Certification
On January 31, 2020, DoD released Version 1.0 (since updated to Version 1.02) of its Cybersecurity Maturity Model Certification. CMMC is DoD’s upcoming framework for managing cybersecurity risks in the Defense supply chain. Under the current paradigm, contractors that handle “Covered Defense Information” must self-attest to providing “adequate security” to protect that information, but are allowed to work toward implementing 110 NIST SP 800-171 security controls over time so long as the plans for doing so are appropriately documented.
Not only does the new CMMC add additional security controls (depending on the level of sensitivity assigned to the procurement), contractors must be in full compliance with each control at the time that contract performance begins. Most importantly, contractors will no longer be able to self-certify compliance. Instead, compliance with a particular CMMC level must be externally validated by trained auditors.
DoD is in the process of promulgating an update to the current Defense Federal Acquisition Regulation Supplement cybersecurity clause to account for the shift to CMMC requirements and is planning on choosing a subset of procurements where CMMC can be applied by the end of this year. DoD’s goal is to fully implement CMMC certification requirements in all DoD awards by Fiscal Year 2026. DoD has indicated, however, that COVID-19 could delay release of the DFARS clause.
Executive Order on Securing the ICTS Supply Chain
On May 15, 2019, the President issued an EO declaring a national emergency with respect to threats against ICTS in the United States. The EO authorizes the Secretary of Commerce to prohibit, block, unwind, or mitigate any transaction involving ICTS that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” Reviews of transactions will be conducted on a case-by-case basis.
Commerce received comments on a November 2019 proposed rule in January 2020. There has been no known use of the authority during the rulemaking process and an update is expected from Commerce soon.
Sections 1654 and 1655 of the Fiscal Year 2019 National Defense Authorization Act
Sections 1654 and 1655 of the FY19 NDAA generally require contractors to disclose whether they have allowed within the last five years a foreign government that poses a cybersecurity risk to USG defense and national security systems and infrastructure (or for non-commercial items, any foreign government) to review the source code of any product, system, or service that DoD is using or intends to use.
The law also requires contractors to disclose whether they are under an agreement to allow a foreign government or a foreign person to review the source code of a product, system, or service that DoD is using or intends to use. DoD will be able to condition contract awards on contractors’ mitigation of any risks that DoD identifies because of the foreign source code review.
The DFARS regulatory implementation of this requirement is currently on hold “pending resolution of technical issues,” and specific countries of concern have not been publicly identified, but regulations are still expected within the next year.”
“The intent of OTAs is to leverage commercial technologies for military purposes, improve the nation’s industrial base and allow for more cost effective and affordable solutions without extreme bureaucracy.
Opportunities are available to traditional defense industry partners and nontraditional defense contractors, such as academia, non-profits and other small businesses.”
“Imagine this. The Defense Department had an urgent need for armored vehicles to protect warfighters from new threats during a time of war. By applying a unique and tailored acquisition approach with specific attention to time and similar solutions already available in the commercial marketplace, it successfully started fielding new vehicles only 18 months after identifying the warfighter need.
The program referenced here was the mine-resistant ambush protected vehicle program, which began in 2006. Was the program a success? Absolutely. Was it a risk-free or perfect solution? No. Although the MRAP program was timely in helping mitigate the threat and associated warfighter casualties, there were challenges related to operating field conditions, training, sustainment, transportation and costs. The program, however, ultimately enabled the creation of other military vehicles that are still widely used today and supports how tailored acquisition approaches can produce successful outcomes.
A popular and continuously growing phenomenon within the department is the other transaction authority, or OTA. It permits Defense Department entities to award OTA agreements for research, prototyping and production efforts critical to national security. They are not an acquisition approach or strategy; however, they are flexible options that can support an acquisition approach or strategy.
Given leadership’s priorities for the increased application of adaptive acquisition methods, it is highly likely OTAs will be a key ingredient for success.
OTAs are binding agreements between Defense Department organizations and industry partners that are different than Federal Acquisition Regulation contracts, grants and cooperative agreements. While they are an innovative and flexible option that is not subject to all acquisition laws and regulations, they require vigorous program management.
Here are some points to remember:
OTAs are not new to the department. Although it received limited authority in 1989, the authority has significantly expanded since 2015. As a result, more agencies and industry partners are working together on the agreements. OTAs vastly differ from contracts because negotiations are not limited by FAR-based restrictions and allow for more robust terms between parties. This includes, but is not limited to, intellectual property rights, title to property, payment terms, project schedule or duration, cost or price analysis, financial and project status reporting, disputes, remedies and termination.
Congress specifically provided the authority to foster business flexibility for certain circumstances. Unfortunately, there is not a universal process or checklist for all parties to follow when planning or executing the agreements. This is intentional because universal processes across the department could hinder innovation and expanded industry participation.
Since OTAs will differ between agencies, these entities should individually create and maintain some form of standard business processes to support how to execute them from initial planning through completion. Examples of standard business processes include organizational policies, instructions, directives, guidebooks and standard operating procedures. These resources are foundational for success as they can provide tremendous assistance and value to not only the parties seeking to do business with the defense organization, but also the personnel leading or supporting the process.
There can also be immense benefits for industry partners who have not previously done business with the department. It currently has an “OT Guide” published in November 2018 available to the public; however, it is very broad and not unique to individual DoD organizations. Creating and maintaining standard processes can enable consistent and efficient operations, prevent miscommunication, minimize noncompliance with laws and assist organizations during evaluations or audits.
Since there is not a one-size-fits-all option to execute OTAs, defense authorities and industry partners should be aware of the various options available. Specific to prototype OTs, the most widely used type of OT, there are primarily four options for execution. Figure 1 provides helpful information associated with each option.
Agencies should carefully evaluate all options prior to option selection, depending on the specific need or the entity’s experience with OTAs. Evaluation can be done by market research and other means to effectively support the strategy and objectives. For example, if an organization is seeking a prototype that could be created by start-up companies or existing commercial firms, it may be in the best interest to award an OTA on its own, through the Defense Innovation Unit, or to a consortium.
Alternatively, if an agency is seeking a prototype similar to one another government agency is concurrently seeking through its own prototype OTA, it may be in the best interest — and the most economical option — for it to leverage the other government agency’s agreement. The Government Accountability Office reported in 2019 that the majority of funding for prototype OTAs between fiscal year 2016 and fiscal year 2018 was awarded to consortiums.
Further, the GAO reported that the department — in response to congressional direction — is improving its reports on OTA usage to provide more data and transparency. Given the options available for executing OTAs, it is critical that both defense organizations and interested industry partners are cognizant of the options and their individual characteristics.
Another factor for success is sound planning and identification of technical performance parameters.
Failing to plan is planning to fail. Since parties can negotiate and tailor many OTA elements, it is critical for all parties involved to complete sound planning efforts prior to execution. Also, because they promote “outside the box” business practices, risk management is not a choice, but the backbone of the effort from cradle to grave. Agencies should start planning with a clear needs statement or defined problem supporting a capability gap.
Next, the entity must perform adequate market research and requirements analysis to determine if solutions already exist or whether the capability is possible among industry partners. Adequate market research efforts must consider existing commercial products and practices, technological stability and current similar Defense Department or federal government efforts.
Entities must ensure OTAs will comply with codes, depending on the effort’s characteristics. The agency must collectively and clearly articulate what success looks like and how success or performance will be measured. Is the end game a report as a result of extensive research? Or is the end game follow-on production if the prototype OTA successfully meets the capability gap?
The government shall give full consideration to key areas related to cost, schedule and performance throughout the project’s life since OTAs do not eliminate the need for effective program management. Thus, consideration shall be given to vital technical characteristics or performance parameters, such as cybersecurity, intellectual property, technology transfer, testing, integration, interoperability and life cycle sustainment/supportability. Parties involved should continually ascertain when to continue or terminate the effort based on cost-benefit analysis.
Planning efforts should also encompass the means by which the government will publicize and solicit OTAs. Publicizing activities should target relevant and capable industry partners identified from market research. Solicitation activities must be creative, through fair and reasonable methods, to foster maximum competition. Methods include white papers, commercial solutions openings, requests for proposals, panel pitches, industry days, LinkedIn and Twitter.
OTAs require critical thinking and can be incredibly complex. Besides the many aspects of cost, schedule and performance to be considered and evaluated, they have minimum predefined requirements and are accompanied with unique negotiations requiring advanced levels of business acumen from various perspectives. OTAs are a team sport and should have diverse participation by technical and non-technical personnel.
Standardized OTA training or credential programs are not widely available to Defense Department or industry personnel. Personnel should seek to complete some form of OTA training. Nontraditional contractors should also complete training on the electronic invoicing system that will be used to submit invoices for work performed on OTAs. Invoicing the department can be cumbersome, especially for smaller firms with operations largely dependent on timely cash flows.
OTAs also require sufficient documentation since they have more flexibility and fewer internal controls when compared to other business options. Documentation is also vital to support OTA-related actions were fair, reasonable, transparent and legal. The need for sufficient documentation applies to both government and industry partners.
Appropriate documentation assists organizations in establishing beneficial continuous feedback loop mechanisms to replicate best practices and learn from shortcomings. Documentation also allows independent or unbiased individuals to follow OTA-related business decisions and funding. Documentation is even more meaningful as defense organizations spend greater amounts of taxpayer funds on OTAs and Congress seeks additional details on their usage.
Also, the law requires that all prototype OTs above $5 million include a clause that provides the GAO full access to records. As a result, all parties involved need to make documentation efforts a priority throughout the life of every OTA. Lack of existent or appropriate documentation could cause all the parties to receive undesired scrutiny from Congress and defense leadership. Congress could also reduce or eliminate the authority if parties do not create or maintain sufficient OTA documentation.
The ability for the nation to maintain a sustainable competitive advantage and efficiently leverage adaptive acquisition methods depends on OTAs. It is all but certain they will continue to grow in popularity.
Although they are a bright and shiny object drawing significant attention from expanded usage, the department, its agencies and industry partners must carefully plan and execute OTAs from cradle to grave.
While they are flexible alternatives, they are accompanied by risks, not appropriate for every situation, and do not have a universal pathway for guaranteed success. OTAs must be treated as a privilege rather than an authority that will remain indefinitely.
Appropriate use in accordance with Congress’ intent could produce tremendous value for the Defense Department and industry partners. Alternatively, inappropriate use could result in inefficient use of taxpayer resources and Congress limiting or eliminating the modernized authority.”
“The commission’s final report, expected to be issued in March or April, may include new reporting requirements for the private sector that would incentivize better security practices, the commission’s co-chairs, Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., said Tuesday during a Council on Foreign Relations summit in Washington, D.C.
While the final language is unclear, the report is expected to include a sweeping set of proposals ranging from an overhaul of congressional oversight on cybersecurity issues to an assessment of the Pentagon’s offensive and defensive readiness. Whether there’s broader appetite outside of the 14-member commission to implement the recommendations, however, remains to be seen.
One idea the commission has entertained is convincing insurance companies to offer better rates to clients who follow specific guidelines meant to bolster their cybersecurity, King said. Insurance companies already are incentivizing clients to work with cybersecurity vendors considered more likely to stop data breaches, as CyberScoop has reported.
“How do we ensure they are at some minimal level of cybersecurity?” King said. “The insurance company will say to the company if you do these things your rate will be ‘x,’ if you don’t do these things it will be ‘2x.’”
The commission also has considered reporting requirements that would encourage companies to decrease the time it takes them to detect, evaluate, and remediate possible network intrusions.
The so-called 1:10:60 rule has been helpful in debating possible requirements, Gallagher said. That rule encourages firms to detect intrusions in one minute, have an analyst evaluate it in 10 minutes, and remediate it within 60 minutes. Meeting this benchmark, according to CrowdStrike data, would eradicate most hackers before they’re able to move beyond their initial entry point.
“You can imagine a world in which we require regulated companies or critical infrastructure to collect 1:10:60 data or something similar,” Gallagher said.
The focus of any such proposal would be to hold companies accountable in case of a breach, Gallagher said.
How the exact proposal on reporting detection and remediation might be adopted, however, is still being debated. In the meantime, Gallagher noted, the federal government could improve its own internal reporting, perhaps by sending Congress quarterly updates about agencies’ detection and remediation times.
Changing behavior in Washington, too
The Solarium’s report may present Congress with some structural proposals that could enhance its oversight of cybersecurity issues, the co-chairs said.
The commission is unanimous that Congress needs to change how it conducts cybersecurity oversight, according to King, and the Solarium report may present lawmakers with proposals on how to expand their visibility into cybersecurity gaps. One way to do that could be to create a select committee to oversee cybersecurity issues, he said.
The commission also will mandate the Pentagon conduct internal assessments of the operational capacity of different cyber personnel in the Department of Defense. Such a change could provide insight on how U.S. Cyber Command personnel, for example, are functioning under a new Pentagon strategy of being more aggressive in cyberspace, known as “defending forward,” according to Gallagher.
The commission has also been debating how hiring can and should be different for cybersecurity posts at the Pentagon.
“Do you need a cyberwarrior to do 100 pushups? We don’t want to lower the standards of the military, but we need to be able to tailor the requirements to the job,” King said.”
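The 1:10:60 benchmark quoted above is a measurement rule, so here is an added example (not from the article or the commission) that computes the three intervals from constructed incident timestamps and reports the per-tier compliance rate an organization could publish. The interval definitions (detection measured from the first attacker event; evaluation and remediation measured from detection) and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# 1:10:60 thresholds in minutes (detect / evaluate / remediate), as quoted in the article.
THRESHOLDS = {"detect": 1, "evaluate": 10, "remediate": 60}


@dataclass
class Incident:
    name: str
    first_event: str   # first attacker activity visible in telemetry
    detected: str      # alert raised
    evaluated: str     # analyst finished triage
    remediated: str    # host contained / access revoked


def _minutes(later: str, earlier: str) -> float:
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).total_seconds() / 60


def measure(inc: Incident) -> dict:
    """Return the three 1:10:60 intervals for one incident, in minutes.
    Assumption (not stated in the article): detection is measured from the first
    attacker event; evaluation and remediation from the moment of detection."""
    return {
        "detect": _minutes(inc.detected, inc.first_event),
        "evaluate": _minutes(inc.evaluated, inc.detected),
        "remediate": _minutes(inc.remediated, inc.detected),
    }


def meets_1_10_60(inc: Incident) -> dict:
    """True/False per tier for a single incident."""
    m = measure(inc)
    return {k: m[k] <= THRESHOLDS[k] for k in THRESHOLDS}


def compliance_rate(incidents) -> dict:
    """Fraction of incidents meeting each tier: the kind of periodic figure the article floats."""
    results = [meets_1_10_60(i) for i in incidents]
    return {k: sum(r[k] for r in results) / len(results) for k in THRESHOLDS}


# Constructed sample incidents (not real data).
SAMPLE = [
    Incident("phish-01", "2020-01-14T09:00:00", "2020-01-14T09:00:40", "2020-01-14T09:08:00", "2020-01-14T09:45:00"),
    Incident("rdp-02", "2020-01-15T02:10:00", "2020-01-15T02:25:00", "2020-01-15T02:31:00", "2020-01-15T03:10:00"),
    Incident("usb-03", "2020-01-16T13:00:00", "2020-01-16T13:00:30", "2020-01-16T13:20:00", "2020-01-16T13:50:00"),
]

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.name, measure(inc), meets_1_10_60(inc))
    print("compliance:", compliance_rate(SAMPLE))
```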
“A Small Business Administration rule implementing legislation that changes the calculations to determine small business size standards takes effect on Jan. 6, 2020.
The rule itself, which extends the period of average annual receipts from three years to five years for the purpose of determining size standards, was finalized Dec. 5.
“After this new size standard takes effect, small businesses will be able to make critical investments to grow their businesses without fearing that they will lose access to resources and contracting opportunities,” Sen. Ben Cardin (D-Md.), a sponsor of the Runway Extension Act legislation, said in a statement.”
“Hundreds of military installations have either known or likely water contamination caused by runoff from firefighting foam used in response to vehicle and aircraft accidents, according to the Environmental Working Group.
“Of these sites, 138 have not been previously identified on EWG’s map of known PFAS contamination at military bases, civilian airports and industrial sites,” according to a Tuesday news release. “In addition, 42 of these sites were not included on a list of 401 locations the Pentagon gave to Congress of active and former installations where PFAS contamination was known or suspected.”
An interactive Environmental Working Group map lays out PFAS contamination across 305 military sites. (EWG)
The map went live the day after the House and Senate armed services committees finalized a compromise defense authorization bill for 2020, which includes provisions for approaching the PFAS issue going forward.
Expected to see a vote in the House on Wednesday, the law would prohibit the use of PFAS-laden firefighting foam after Oct. 1, 2024, and immediately ban any use of the foam outside of emergency situations.
While the bill dropped a provision that would have brought PFAS-contaminated bases under the federal Superfund law, providing funding and a requirement to clean them up, the NDAA pushes the Pentagon to work with state governments to start clean up using funds from the Defense Environmental Remediation Account.
It would also require that military firefighters are tested for PFAS levels in their blood, as the chemicals do not break down over time and are known to build up in the human body.
In the meantime, the Air Force has been testing a system that might be able to remove PFAS from ground water, and DoD is funding research into a new firefighting foam.”