My Profile   |   Contact Us   |   Sign In   |   Register
WIPP In Action
Blog Home All Blogs
Our organizational blog featuring the most important news in WIPP advocacy for women-owned businesses; federal procurement education, programs, and opportunities; and signature events celebrating and engaging with this powerful community.


Search all posts for:   


Top tags: Advocacy  membership  leadership  spotlight  federal contracting  President's Message  SBA  COVID-19  legislation  regulatory  cybersecurity  Federal Procurement  Federal Procurement Opportunities  guest post  Action Alert  Congress  FAR  policy  resource  Senate Small Business  Access to Capital  Appropriations  budget  community  microloan  partner  WIPP Works In Washington  women-owned  Access  ChallengeHER 

Cybersecurity Certification Keeps Chugging Along

Posted By Elizabeth Sullivan, WIPP Advocacy Team, Wednesday, September 9, 2020
The last time I wrote about Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) was back in early March when the DoD released their final version to industry. The pandemic hit shortly after and turned things upside down – except for the rollout of CMMC, which has continued to move forward. 
Elizabeth Sullivan
So, where does everything stand now?

A major step has been taken in moving this process along – training started at the end of August for certification assessors. These 73 assessors, however, are part of a “provisional program” and won’t actually be assigning the companies they evaluate a final CMMC level. Think of these initial assessments as more of a dry run, with the goal of providing feedback to the DoD and CMMC Accreditation Body (CMMC-AB) on any issues that need to be resolved before the real evaluations begin. As a reminder, the body providing the training – the CMMC-AB – is separate from the DoD. The AB is currently operating with a volunteer board and will eventually be a fully staffed organization. 

This step comes in the wake of a rift between the DoD and the CMMC-AB over a new contract that would supersede their existing Memoranda of Understanding (MOU). The tension between the two organizations over the new agreement is centered around responsibilities, which some AB board members felt was undermining their authority. The DoD has said this agreement is a new no-cost contract would provide a more binding relationship between the CMMC-AB and the Department. While this was slated to be resolved by the end of August, stay tuned for the final result.

In the meantime, CMMC requirements showed up in the General Services Administration’s (GSA) $50 billion 8(a) STARS III contract, where GSA indicated that it “reserves the right” to require certifications for small businesses awarded slots on the federal IT vehicle. Although CMMC is only a future requirement for the approximately 300,000 DoD contractors, it has been predicted that adoption of the certification could spill over into civilian acquisitions. The move by GSA is a prime example of this, but is also not very surprising – DoD was one of the biggest buyers on the predecessor contract, STARS II. 

So, where does this leave small business contractors? With a lot of remaining questions. Below are a few that come to mind: 
  • As companies try to prepare for this assessment, who is credible to help them identify gaps to reach a readiness level? There has been a myriad of bad actors popping up, claiming they can guarantee a certain CMMC level with their analysis (which they can’t). 
  • Once the CMMC-AB accredits assessors and their certified third-party assessment organizations (C3PAOs), companies can start to get assessed. What is the actual cost for companies get this assessment? Will all of the accreditors charge the same amount?
  • Once assessors are ready, what is the order in which the 300,000+ businesses will be assessed? Is there a cue? Will it be based on existing contracts? Are small businesses going to pushed to the bottom of the list?  

According to DoD, all contractors will have to be certified by 2025. Advocacy remains crucial on this issue, and WIPP’s Virtual Symposium on Cyber Resiliency from September 31 to October 1 is focusing on these important policy changes for WOSB contractors. Register by September 17 to take advantage of Early Bird pricing and to be eligible for MatchMaker Meetings with almost 20 government agency partners. 



Tags:  cybersecurity  federal contracting  WIPP Works In Washington 

Share |
PermalinkComments (0)

DoD’s CMMC is Moving Full Steam Ahead With or Without You

Posted By Elizabeth Sullivan, WIPP Advocacy Team, Wednesday, March 4, 2020

Read a quick refresher on CMMC. The final model for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) came out earlier this year. So, what’s next for businesses? 

Elizabeth Sullivan


Let’s talk certification.

Now that version 1.0 of CMMC was released – the final version– DoD is moving full steam ahead. The “accreditation body” has been formed, which is an independent, non-profit group that is responsible for developing the training and assessment standards for the certification. The next step in the certification journey for DoD is forming a Memoranda of Understanding (MOU) with the accreditation body, which will outline the roles and responsibilities of each of the parties. Finally, “accreditors” – of which there are none currently – will be responsible for evaluating businesses and assigning them a CMMC certification level. If all of this third-party stuff leaves you scratching your head, just know that DoD is outsourcing the accreditation of over 300,000 contractors with plans for substantial oversight.

Substantial questions remain for contractors. One of the biggest is the timing of the certification rollout. The Department has said that they will issue 10 “pathfinder” solicitations that require various CMMC levels, including a few that will require level 4 or 5 certifications. Since these will be substantial contracts, if you are a small business tapped to subcontract on one of these – when will you get certified? Will there be some type of cue, where the biggest companies go first? Or will it be ranked by the amount of anticipated work? This remains to be determined.


Let’s talk levels.

While the CMMC levels have been refined throughout the DoD’s drafting process, it is important to know that there are five levels. Any contractor, regardless of the type of work they do that wants to do business with DoD will need at least a level one. Level one is the most basic cyber hygiene, which has some noteworthy differences from NIST 800-171. The Defense Department has said that most small businesses only need a level one. But I wouldn’t take that assessment at face value. It is important for small/midsize companies to determine the appropriate level they want to prepare for based on the work they do, or plan to do, for the DoD. For example, if your company handles any Controlled Unclassified Information (CUI) you will need at least a level three. By the way, these levels will also apply to subcontractors. Which brings me into the next section of this article – unknowns. 


Let's talk unknowns.

I was recently on a panel at the Women Leaders in Defense & Aerospace Law & Compliance Conference, where I shared the stage with the other two sides of the CMMC equation – a lawyer and prime. One of the things that I learned is that concerns span all business sizes—small businesses aren’t the only ones with questions. First and foremost is how the DoD will handle CMMC certification levels for subcontracted work. There has been a lot of conflicting information about this component flying around, but the latest and greatest (as of the time this is published) is that the program managers for both the DoD and prime contractor will work together to determine the appropriate CMMC levels for the components of subcontracted work.

Another unknown is how a company can dispute an assigned level by an accreditor. While the accreditation body will have some sort of mechanism to address this, DoD’s involvement in this process is unclear. This is an important question because certification levels will be assigned for a three-year period. Finally – and this is a big one – the total cost for contractors remains to be seen. DoD has not yet provided any specific information on the cost of obtaining the certification. Some good news is that something that is known (and has been for a while) is that DoD will not seek levels retroactively – meaning that no current contracts will be modified to require a certain certification level. All of this is to say, stay tuned.


WIPP recently offered a member webinar, "The Ugly Truth about CMMC," hosted by WIPP Board Chair and cybersecurity expert Angela Dingle. We intend to continue to provide the most updated education on this certification roll-out.

Moral of the story is – as a federal contractor, it is time to pay attention if you aren’t already. Although CMMC is only for the DoD supply chain, in the future it could impact civilian agencies as well. So, get ready – it’s moving full steam ahead with or without you. 


Tags:  cybersecurity 

Share |
PermalinkComments (0)

The Ugly Truth About the Cybersecurity Maturity Model Certification (CMMC)

Posted By Angela Dingle, President & CEO, Ex Nihilo; WIPP Board of Directors, Chair, Monday, January 27, 2020

WIPP was one of the first small business organizations to raise the red flag on the compliance standards lying in wait for not only Defense Department prime contractors, but also the thousands of subcontractors in the industrial base, as the Cybersecurity Maturity Model Certification (CMMC) began to roll out at its various agencies. 
Angela Dingle
The intent of the CMMC is to combine various cybersecurity control standards such as National Institute of Standards and Technology Special Publication 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. Much like the Capability Maturity Model Integrated (CMMI), the CMMC is designed to measure the maturity of a company’s institutionalization of cybersecurity practices and processes. It will consist of five levels. 
All DOD contractors will be required to achieve a Level 1 certification, as reported in Bloomberg Government. Contractors that handle sensitive information up to classified data will be required to achieve a Level 5 certification. In the future, contractors that lack the desired CMMC level will become ineligible to compete for certain contracts and task orders.
Join us next month on February 18 for our first WIPP Member Webinar of the year, “The Ugly Truth About CMMC,” which will be a deeper dive into how CMMC will affect your business in the future, strategies for compliance, and how to manage the cost of implementation.


Tuesday, February 18 
2 PM ET / 1 PM ET / 11 AM PT
Register Today


Free to WIPP Members / $25 for Non-Members


This is a guest blog post from Ex Nihilo, a WIPP Member business. 
Ex Nihilio
Since 2002, Ex Nihilo has been a trusted advisor in the public and private sector, providing objective IT governance, risk management, and compliance services based on a thorough understanding of customer requirements and deep systems integration experience.

Tags:  cybersecurity  guest post  regulatory 

Share |

New Year's Resolutions from WIPP's Advocacy Team

Posted By Elizabeth Sullivan, WIPP Advocacy Team, Wednesday, January 15, 2020
Updated: Tuesday, January 14, 2020

It has been two weeks since New Year's Day and you’re not alone if you have broken most or all of your New Year's resolutions. While we put our personal resolutions aside, when it comes to advocacy, our team has made some we are committed to keeping.

Elizabeth Sullivan
  1. Untangle the web of new federal cybersecurity requirements for WOSBs.

  2. Urge the Senate to pass the SBA Reauthorization bill

  3. Celebrate and build upon our FY2020 NDAA wins.

  4. Support Congressional women

Untangle the web of new federal cybersecurity requirements for WOSBs

2020 is shaping up to be the year of securing the federal supply chain. This may sound dry or mundane, but recent changes truly impact every federal contractor of every size. While we did a deeper dive last year, let me provide some context. Our work does not stop when a bill becomes a law. In fact, the devil is in the details, so providing input during the regulatory process is just as important as the passage of the law (read a refresher on the regulatory process). In addition, remember that a proposed or new regulation is called a “rule.” Major agency actions – all regulatory – require our attention. 


  • Cybersecurity Maturity Model Certification (CMMC) – The final version of this requirement should be published later this month. The CMMC is expected to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.”  While contractors will be required to be certified by an accrediting body, it has not yet been determined. This body is expected to enter into an MOU with the DoD sometime this month. The government has indicated that contractors will be reimbursed for the certification fee through their pricing on contracts to the federal government. However, the current cost remains unclear. CMMC will eventually be required for anyone doing business with DoD – the certification levels will begin to be included in RFIs starting in June and RFPs sometime in the fall. One important point made by Katie Arrington, DoD’s Chief Information Security Officer for Acquisition and Sustainment, was to never post your CMMC level certification on your website, as hackers will then know the types of security you are employing and target accordingly. Although there are still some factors to be determined, this certification is moving full steam ahead – and compliance strategies will be an important exercise for every federal contractor in 2020.
  • Section 889: Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment – Commonly referred to as “Section 889,” this rule seems like it would have nothing to do with small businesses or most contractors, however, it does. It broadly prohibits federal agencies from using telecommunications or surveillance equipment or services from six Chinese companies or their subsidiaries. WIPP Chief Advocate Ann Sullivan took a closer look at the rule. In step two of implementation, a rule is expected to go into effect sometime this year that prohibits any government contractor from using any components or services from these companies. If you are renewing your SAM profile, you will notice a new question asking if you provide covered telecommunications equipment or services in the performance of any contract or subcontract. This action impacts the entire supply chain, covering all contracts. 

Additionally, WIPP members have aired their frustrations for years on the government’s security clearance processes, both in civilian agencies and at DoD. This “chicken and egg” issue continues to hamper WOSBs and other small contractors from reaching their full potential. We hear you and are working to create policy solutions on these issues.


Urge the Senate to pass the SBA Reauthorization bill

WIPP has been working closely with the Senate Committee on Small Business and Entrepreneurship to make necessary changes to programs benefiting entrepreneurs through the Small Business Administration (SBA). The Chairman’s draft contains 15 changes that, if passed, will be game-changers for women business owners. This includes positive sole source changes for federal contractors and increasing the ability for WOSBs to access capital.


Unfortunately, the Committee postponed action on a comprehensive reauthorization bill after failing to agree on proposed regulatory changes contained in the draft legislation. Despite this setback, you should still contact your Senators, urging action. We even have a letter you can easily download and send. This bill has enormous implications for small and midsize businesses around the country – we’ll be keeping up the drumbeat. One detail to know about this effort is that while it is a new year, it is not a new Congress. The 116th Congress is in its second session, which means that bills introduced in 2019 are still active in 2020.


Celebrate and build upon our FY2020 NDAA wins

The National Defense Authorization Act (NDAA) is a must-pass bill by Congress – authorizing all of the DoD programs on an annual basis. The 2020 NDAA, passed in December 2019, contained three WIPP supported provisions that positively impact WOSBs.

  • The first is the prompt payment for small business prime contractors and subsequently their subcontractors. WIPP has supported permanently establishing an accelerated payment date since the Office of Management and Budget (OMB) directive expired in 2017, and this provision establishes a goal of 15 days after proper invoice.
  • The second is uncovering small business participation on multiple award contracts that are designated as best-in-class vehicles. As the spend through these vehicles increases, it is critical to have data on WOSB participation. Therefore, the provision requires the SBA to report the dollar amount of contracts awarded to small businesses.
  • WIPP’s third win was to strengthen accountability for subcontractors. The provision implements a new dispute process allowing small subcontractors to bring nonpayment issues to the agency’s Office of Small and Disadvantaged Business Utilization (OSDBU), as well as strengthen the agency’s ability to collect and review data regarding prime contractors' achievement of their subcontracting plans.

Support Congressional women

As we all know, this is a Presidential election year. However, the entire House of Representatives and a third of the seats in the Senate are also up for grabs. Electing women to Congress is important, no matter your party affiliation. Currently, 127 women serve in the U.S. Congress – 26 in the Senate and 101 in the House. The women in the Senate have long been a model for avoiding legislative gridlock. They are often the negotiators who are willing to reach across the aisle to find common ground on major pieces of legislation. Women Members are also the cosponsors on legislation important to women entrepreneurs. For example, our bill to increase investment in women-owned federal contractors, The Women and Minority Equity Investment Act of 2019, is championed in the Senate by Senator Maria Cantwell (D-WA) with Chair Marco Rubio (R-FL) and in the House by Representative Robin Kelly (D-IL). 


It is also important to note that the Senate just confirmed a new Administrator to the Small Business Administration, current U.S. Treasurer Jovita Carranza. We are thrilled to work with her again, as she was formerly an SBA Deputy Administrator and championed issues important to women-owned businesses during her tenure.


No doubt, other policy priorities will arise as the year moves forward. Although there are many political pressures that threaten to derail our efforts, we remain committed to the bipartisan mission of empowering women entrepreneurs. Let’s get to work.


Tags:  Advocacy  cybersecurity  leadership  SBA  women-owned 

Share |

Advocacy Update: Cybersecurity Maturity Model Certification (CMMC)

Posted By Advocacy Team, Friday, September 27, 2019

As reported by Bloomberg Government, the Defense Department sought comments this month on a draft of the Cybersecurity Maturity Model Certification (CMMC), which would be mandatory in 2020 for every supplier and contractor working with the department. 

WIPP submitted comments on Wednesday, September 25 reiterating that this certification process could be cost prohibitive and restrictive to small businesses. Thank you to cyber expert Angela Dingle, WIPP Board Chair and President & CEO of Ex Nihilo Management, for providing critical input. 


Read the full comment letter.




Tags:  Advocacy  cybersecurity 

Share |

Senate Committee Passes WIPP-Supported Cybersecurity Bills

Posted By Elizabeth Sullivan, Wednesday, March 27, 2019
Updated: Wednesday, April 3, 2019

The Senate Small Business Committee passed two WIPP supported bipartisan cybersecurity bills last week, the Small Business Cyber Training Act of 2019 (S. 771) and the SBA Cyber Awareness Act (S. 772). These bills are a step in the right direction to help small businesses with cybersecurity compliance as well as hold the SBA accountable to secure the sensitive data it collects. The next stop is a vote by the full Senate.


WIPP submitted a letter endorsing both bills to Committee Chair Marco Rubio (R-FL).

Tags:  Advocacy  cybersecurity  Senate small business 

Share |
PermalinkComments (0)
more Calendar

FountainHead: Diversity, Equity and Inclusion Panel Event (VIRTUAL)

9/29/2020 » 10/1/2020
WIPP Virtual Symposium on Cyber Resiliency

WIPP Advocacy Update - October 2020

WIPP Intersectionality Series

WIPP Community Connections - October 2020

Featured Members
Tina PattersonPrincipal, Jade Solutions, Germantown, MD — August 2020 Member Spotlight
Jeanette Prenger (Hernandez)President & CEO, ECCO Select, North Kansas City, MO — September 2020 Member Spotlight

Privacy Policy / Disclaimer    |    © WIPP  |    888-488-WIPP

Association Management Software Powered by YourMembership  ::  Legal