Cybersecurity Certification Keeps Chugging Along

Posted By Elizabeth Sullivan, WIPP Advocacy Team, Wednesday, September 9, 2020
The last time I wrote about the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) was back in early March, when the DoD released the final version of the model to industry. The pandemic hit shortly after and turned things upside down – except for the rollout of CMMC, which has continued to move forward.
So, where does everything stand now?

A major step has been taken in moving this process along – training started at the end of August for certification assessors. These 73 assessors, however, are part of a “provisional program” and won’t actually be assigning the companies they evaluate a final CMMC level. Think of these initial assessments as more of a dry run, with the goal of providing feedback to the DoD and the CMMC Accreditation Body (CMMC-AB) on any issues that need to be resolved before the real evaluations begin. As a reminder, the body providing the training – the CMMC-AB – is separate from the DoD. The AB is currently operating with a volunteer board and will eventually be a fully staffed organization.

This step comes in the wake of a rift between the DoD and the CMMC-AB over a new contract that would supersede their existing Memorandum of Understanding (MOU). The tension between the two organizations over the new agreement centers on responsibilities, which some AB board members felt were being taken away from them, undermining their authority. The DoD has said the agreement is a new no-cost contract that would provide a more binding relationship between the CMMC-AB and the Department. The dispute was slated to be resolved by the end of August; stay tuned for the final result.

In the meantime, CMMC requirements showed up in the General Services Administration’s (GSA) $50 billion 8(a) STARS III contract, where GSA indicated that it “reserves the right” to require certifications for small businesses awarded slots on the federal IT vehicle. Although CMMC is currently only a future requirement for the approximately 300,000 DoD contractors, it has been predicted that adoption of the certification could spill over into civilian acquisitions. The move by GSA is a prime example of this, but it is also not very surprising – DoD was one of the biggest buyers on the predecessor contract, STARS II.

So, where does this leave small business contractors? With a lot of remaining questions. Below are a few that come to mind:
  • As companies try to prepare for this assessment, who is credible to help them identify gaps to reach a readiness level? There have been a myriad of bad actors popping up, claiming they can guarantee a certain CMMC level with their analysis (which they can’t – only an assessment by an accredited assessor can assign a level, and no accredited assessors exist yet).
  • Once the CMMC-AB accredits assessors and their certified third-party assessment organizations (C3PAOs), companies can start to get assessed. What is the actual cost for companies to get this assessment? Will all of the C3PAOs charge the same amount?
  • Once assessors are ready, in what order will the 300,000+ businesses be assessed? Is there a queue? Will it be based on existing contracts? Are small businesses going to be pushed to the bottom of the list?


According to DoD, all contractors will have to be certified by 2025. Advocacy remains crucial on this issue, and WIPP’s Virtual Symposium on Cyber Resiliency from September 29 to October 1 is focusing on these important policy changes for WOSB contractors. Register by September 17 to take advantage of Early Bird pricing and to be eligible for MatchMaker Meetings with almost 20 government agency partners.

Section 889 and the U.S. Government Supply Chain

Posted By Laura Berry, Wednesday, August 5, 2020
Updated: Wednesday, August 5, 2020

Amidst the continuing pandemic and negotiations on another round of COVID-19 relief in Congress, one thing remains the same for all federal contractors: Section 889 implementation.

Section 889 is a name that does not mean much to the average person, but it carries a lot of weight for federal contractors. It is a section of the FY2019 National Defense Authorization Act (NDAA) that seeks to remove telecommunications and video surveillance equipment and services from five named Chinese companies from the entire U.S. government supply chain. Why write about it now? The part that impacts federal contractors of all sizes (Part B) goes into effect this month.
 
Earlier this year, the Department of Defense (DoD) held a public meeting to hear from industry. Of the salient points made, one resounding theme was that definitions will mean everything for implementation. However, industry hasn’t been able to comment on the definitions because the release of the rule was delayed. The FAR Council published its interim rule in July, and Part B goes into effect before the comment period is over, which means contractors will have to comply with the rule starting on August 13, 2020. Public comments can be submitted until September 14.
 
Here are the five key components for small/midsize contractors to pay attention to.
 
You’ll have a new box to check in SAM.

Contractors will need to annually check a box in SAM representing that they do not use any covered telecommunications equipment or services. A contractor can instead represent that it does use some of the banned equipment or services, which then requires an offer-by-offer representation for contracts and for task/delivery orders under IDIQs. It is important to know that the ban applies to any equipment, system, or service that uses the covered equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. Think this rule does not apply to you? Think again – acquisitions of commercial items (including COTS) and contracts at or below the simplified acquisition threshold (SAT) must also adhere to this prohibition.

 
Definitions are key.

Definitions are critical to the implementation of this rule, which defines words such as “backhaul” and “roaming” but leaves contractors with uncertainty over what constitutes a covered technology. FAR 4.2101 covers some of these definitions; however, the rule provides no further clarity on who counts as “any subsidiary or affiliate of such entities” for the five listed companies (Huawei, ZTE, Hytera, Hikvision, and Dahua). It seems problematic that a small business contractor is expected to research all of the subsidiaries and affiliates of these companies to make sure it is not using any prohibited components. Note to government: why not just provide a list?

 

Another definitional bone I have to pick is the meaning of “reasonable inquiry.” The rule says that a company is compliant if a “reasonable inquiry” by the company does not reveal any use of the prohibited equipment or services. So, what exactly does that mean? According to the rule, a reasonable inquiry is one designed to uncover any use of covered telecommunications equipment or services, and it does not need to be an internal or third-party audit. While I am not a lawyer, I can imagine that every procurement attorney would advise contractors to have some type of legitimate audit of their systems in case compliance risks arise.

 
The waiver process is laborious.

Although a waiver sounds reasonable and gives contractors added time to comply (until August 13, 2022), the process doesn’t seem designed for small or midsize contractors. A one-time waiver must be granted by the head of an agency. Before this happens, a senior agency official for supply chain risk management has to discuss the waiver with the Federal Acquisition Security Council (FASC). And consult with the Office of the Director of National Intelligence (ODNI) to make sure conditions are met. And provide notice to the ODNI and FASC 15 days before granting the waiver. And notify the appropriate Congressional committees within 30 days. The FAR Council acknowledges that this process could take a few weeks and advises contractors to proceed at their own risk, because “agencies may reasonably choose not to initiate one and to move forward and make award to an offeror that does not require a waiver.” A quick data point: there are 387,967 companies registered in SAM, 74% of which are small. If every small company decided to submit an offer for a federal award and sought a waiver, that would be 287,096 waivers.

 
Six contractor actions are necessary for compliance.

A chunk of the rule outlines contractor compliance recommendations. After reading and re-reading the six actions in the rule, I’m left with the same feeling: small contractors need something more detailed than general guidelines. Generalities like “read and understand the rule and necessary actions for compliance” and “corporate enterprise tracking” sound great, but what exactly do they entail? During more normal times – let alone a pandemic – building out a compliance program can be complicated, not to mention costly. It is important that contractors have the detailed information to get it right.

 
Finally, I see dollar signs.

The rule completely underestimates the time it will take contractors to implement and remain compliant with it. A whole section is dedicated to this analysis – and quite a few of the estimates left me scratching my head (you can find them in Section III, Part D). Companies aware of the rule have been spending months trying to prepare and continue to evaluate the components in their government offerings. An important part of the rule to highlight is that a company cannot use any of the prohibited systems or equipment, even where they are not used in its federal contracts. That means no split networks, and no keeping one system for U.S. federal business and a different one for commercial work or contracts with other countries. I see more dollar signs.

 
The FAR Council is seeking public comment on the rule – and federal contractors should respond. In Section IV of the rule you can find a list of questions the Council wants industry to answer, and it is worth taking a look at them. One question, also raised at the beginning of the rule, is whether the prohibition should be expanded to cover all of a contractor’s subsidiaries and affiliates. Feedback is also requested on subjects like challenges, costs, and insight into existing systems.
 
One thing all contractors, regardless of size, have in common: they want to be compliant so they can compete. Given the uphill battle small and midsize contractors face when it comes to compliance with Section 889 and many other contracting requirements, advocacy on this issue is critical. WIPP continues to elevate this critical information to policymakers, asking them to consider the needs of women-owned businesses to comply with this new requirement. 
