Posts Tagged DOD

DoD Seeking Public Comment on Timeliness of Payments to Defense Subcontractors

DoD is seeking public input on improving the timeliness of payments to defense subcontractors. The request for feedback was published Friday, July 14 in the Federal Register and stems from the Defense Contract Finance Study, which found that defense subcontractors and suppliers generally do not receive favorable cash flow benefits as consistently or to the same extent enjoyed by defense prime contractors. Input on this matter is solicited from interested parties, including current prime contractors, subcontractors, suppliers, or vendors, and potential new entrants. This is a great opportunity for small businesses in particular to have their voices heard.

Interested parties are encouraged to submit their comments within 60 days (by September 12) via the Federal eRulemaking Portal at https://www.regulations.gov/docket/DARS-2022-0012/document

Posted in: Uncategorized

Introducing HIVE HUB: The 24/7 Industry Day for PEO DHMS

The Program Executive Office, Defense Healthcare Management Systems (PEO DHMS) and the Federal Electronic Health Record Modernization (FEHRM) office have partnered to create the Health Innovation Vision Exchange (HIVE) as a space to promote innovation in the federal health space.

With the HIVE, PEO DHMS’s primary goal is to foster collaboration and introduce state-of-the-art healthcare solutions to the Federal marketplace. Serving as a centralized platform, HIVE HUB facilitates the cross-pollination of ideas between contractors and Federal agencies, creating an ecosystem that thrives on innovation and ingenuity. This real-time communication platform ensures that businesses have the opportunity to communicate directly with the government, and to join in the conversation themselves.

Help build a thriving community together at the forefront of healthcare innovation! Anyone can join by registering at https://connect.bidscale.com/register to create a free account. That’s all it takes to stay updated with the latest news, explore real contracting opportunities, discover upcoming events, communicate with federal health contracting officers, and gain valuable insights not available elsewhere.

Read the open letter to resource partners making us aware of this effort and encouraging APEX Accelerator clients interested in DHMS to register.

Posted in: News Feed, Uncategorized

Virginia PTAC, an APEX Accelerator

The Procurement Technical Assistance Program (PTAP) is now under the management of the Department of Defense (DOD) Office of Small Business Programs (OSBP) and has changed its name to APEX Accelerators. The Virginia PTAC, hosted by George Mason University, will be transitioning to the new name in the coming months. Please note, our mission and assistance will not change. We are still here to serve businesses with Local, State and Federal Contracting assistance within our service area. This change will enhance our scope and resources in order to do more for the businesses we serve. So, whether we are called a Procurement Technical Assistance Center (PTAC) or an APEX Accelerator, we continue to be here for you, our clients, for all your government contracting needs. Note: APEX is not an acronym, it is a destination.

Posted in: Uncategorized

Department of Defense’s SBIR/STTR online training calendar – free 2018 webinars

The Department of Defense’s SBIR/STTR Program Office has put together an on-line training program catalogue for small businesses for the year. Upcoming SBIR/STTR webinar topics are listed below, along with dates. More information on each title is found on the registration site. All are offered free of charge.
  • How to Use the DOD SBIR/STTR Submission Site / Important Proposal Considerations / Using SITIS – May 24, 2018
  • Managing Intellectual Property – Important Business Considerations for Commercialization – June 5, 2018
  • Understanding the Evaluation Process/What to Do with a Debrief – June 26, 2018
  • Working with Prime Contractors – July 17, 2018
  • The DOD Acquisition Process / Contracting – August 1, 2018
  • Commercialization Assistance Programs and Beyond Phase II Considerations – Sept. 4, 2018
  • Manufacturing / Working with MIBP – September 18, 2018
  • Testing and Evaluation – October 9, 2018
  • Phase III Process – How to Identify Non-SBIR – October 30, 2018

Posted in: Uncategorized, Upcoming Events

Recent development in the DOD cybersecurity regulations

An update to our December post on implementation of a NIST SP 800-171r: This past Tuesday (April 24th, 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012. Attached are PDF copies of the Federal Register notice plus the two documents referenced in the notice.

PTAC has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated. The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement. For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NIST 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”). DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.

More importantly, and as highlighted during the presentations sponsored by PTAC, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems. Specifically, the draft guidance states that RFPs must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.

Thanks to David B. Dempsey of Dempsey Fontana, PLC for making us aware of these recent developments!

Posted in: Uncategorized

NIST and DFARS and Cyber Compliance! (oh my)

You have doubtless heard and read all about the looming requirement for all Department of Defense government contractors to become compliant with Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards derived from NIST SP 800-171 Rev 1 by Dec 31, 2017, or else risk losing their contracts. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, will be a mandatory clause in all contracts except for contracts solely for the acquisition of COTS items.

This requirement applies to any DoD Contractor, subcontractor, and supplier ALL THE WAY DOWN THE SUPPLY CHAIN that processes, stores, or transmits Controlled Unclassified Information (CUI). Not just security contractors. Not just companies that have clearances. Not even just IT contractors. If you have a landscaping business and you are performing work at a DOD facility, and have access to blueprints that are or may be considered CUI, you’re subject to this requirement. CUI includes the categories outlined in the NARA CUI Registry, but as you can probably imagine, is not limited to that. Your government customer can identify additional categories and data, and you, as a contractor, should err on the safe side and identify potential CUI so that you can protect and segregate it just in case.

Note: civilian contractors are not subject to this requirement (there are only 15 security controls outlined in FAR part 52.204-21 compared to 109 in the DFARS clause), but that may be changing to synthesize the compliance requirements to the more complete set that the DOD/DFARS adopted.

Ultimately, it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information). Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.

The protections required to protect government information are dependent on the information DoD is protecting and the kind of system on which the information is processed or stored.

There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements.  For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution.

Some resources and tools to help you determine whether you’re subject to the requirement, and what you can do next:

  1. DOD Office of Small Business Cyber resources and news – especially the 49-minute video and the presentation slides
  2. DOD Procurement Toolbox – Cyber security section (including how to approach evaluating each requirement)
  3. Georgia Tech PTAC 20-min Instructional Video
  4. A handy presentation [from a law firm] that translates the major requirements into easy-to-understand terms
  5. The Safeguarding Covered Defense Information one-pager to ease you into the basics.
  6. The Cybersecurity Evaluation Tool (CSET) that provides a systematic approach for evaluating an organization’s security posture through a step-by-step process to evaluate their control system and information technology network security practices.  The tool will allow you to select a standard (e.g. NIST SP 800-171) – and CSET will generate specific questions to those requirements and present you with assessment results.
  7. A self-assessment guide when you’re ready for the deep dive
  8. OSD Memorandum: DPAP Guidance for DoD Acquisition Personnel that instructs DOD buyers how to implement and evaluate vendor cyber compliance (and since it’s going to be an evaluation factor in source selection, you need to know what your customers expect).
  9. For subcontractor and supplier reference – Lockheed Martin’s notice to its supply chain that you may find informative and applicable regardless of who your prime is.
  10. And if you heard the rumors of possible delay and were wondering if they have merit — sadly, no.

PTAC counselors can help you walk through these steps. While we’re not technical experts on network security, we could help you walk through the self-assessment and determine what steps you need to take to bring your business up to compliance.

Update (submitted by David Dempsey, Dempsey Fontana, PLLC): This past Tuesday (April 24th, 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012. Attached are pdf copies of the Federal Register notice plus the two documents referenced in the notice.

PTAC has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated. The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement. For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NIST 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”). DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.

More importantly, and as highlighted during the presentations sponsored by PTAC, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems. Specifically, the draft guidance states that RFPs must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.

Update (submitted by David Dempsey, Dempsey Fontana, PLLC): Earlier this morning (June 7th, 2018), NIST’s Computer Security Resource Center (“CSRC”) distributed its fourth revision of NIST SP 800-171 (second one for 2018). See https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final. As of today, the proper reference to “NIST-171” is NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, rev. 1 (December 2016) (updated June 7, 2018) or “NIST SP 800-171, r1 (updated through June 7, 2018).” According to the “errata sheet” the CSRC has made approximately 72 “substantive” changes to NIST-171. Presumably, DOD will revise the link currently set forth in DFARS 252.204-7012 and bring the DFARS clause up to date.

The CSRC also published today three supplemental documents to NIST-171 (available at the above link):

All previous attendees should also be made aware of DOD’s proposed priorities for NIST-171 implementation (see 83 Fed. Reg. 17807 (April 24, 2018) and follow instructions on p. 17808) and the NIST requirements (identified by ¶ number in an Attachment to the slides presented at those seminars). Moreover, DOD’s updated FAQs on NIST-171 implementation (dated April 2, 2018) should be reviewed in the context of today’s revised NIST-171 – see FAQs updated April 2, 2018.

Also included with today’s CSRC announcement regarding NIST-171 is the second draft of NIST SP 800-171A entitled “Assessing Security Requirements for Controlled Unclassified Information” (Final Draft) (February 2018). (This document is also available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.) The introduction to CSRC’s “assessment” document states that it “is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Posted in: Uncategorized

Department of Defense Waiving SAM registration requirements for emergency response vendors

Due to the emergency situation caused by the hurricanes, contracting offices are using authority to waive the requirement for SAM registration in purchases that directly support the emergency response.  If you’re helping a vendor who is not yet registered in SAM but needs a CAGE code, the expedited process instructions are below. 

(information on selling to disaster response agencies)

Subject: Obtaining CAGE codes for vendors responding to the Hurricanes

Hello everyone – obviously we expect that there will be many offices responding to the hurricanes with emergency purchases where SAM registration is waived per FAR 4.1102(a)(3)(iii) and part 18.102.  We want to get the below instructions out for how you can still help your vendors obtain CAGE codes (if they don’t already have one) that are required per FAR 4.1804 for other than micro-purchase actions:

1 – Go to https://cage.dla.mil

2 – Choose ‘Request or Update a CAGE Code’ and hit Begin on the next page

The user will then be taken through a series of pages where they provide the data necessary to set up a CAGE code, but before they get to those elements, they have to answer a few more questions.  In order for the CAGE website not to just direct them to go register in SAM, the users need to answer exactly as follows:

  1. Question – Do you have a registration for this same entity in process at System for Award Management (SAM)?  Answer – No
  2. Question – Do you plan to receive contract payments or grants from the U.S. Government?  Answer – No
  3. Question – Are you a NON-U.S. entity (government or commercial)?  Answer – No (note – if the entity really is foreign, answer Yes, but realize that the user will be directed to contact his/her home country codification bureau)
  4. Question – Are you requesting a new CAGE Code?  Answer – Yes
  5. Question – Do you have a previous business?  Answer – No
  6. Question – Please choose your Entity Type   Answer either – (1) U.S Commercial Company/Firm, Organization or Government Entity (non-federal) OR (2) Sole Proprietor Business
  7. Question – Please choose a Primary Purpose for this CAGE   Answer – Other
  8. Question – Please describe the primary purpose for this CAGE  Answer – Provide Urgent Hurricane Irma Support (or Harvey or Jose as appropriate)

From here on, the user is just providing their name, address, etc. information.  Should be simple from here.

Be aware – when a user requests a CAGE code be established via this method (instead of through registering in SAM), it goes into manual processing at DLA in Battle Creek.  It’s very important that the user enter ‘hurricane’ in the purpose field after they choose other.  The CAGE team is going to search for that term in each request that comes in and move those to the top to be worked.

For non-GPC actions, it’s important that the vendor get a CAGE code assigned and it be included in the contract when it’s distributed to ensure that their eventual payment is streamlined and not held up for manual action.  Note also that without a valid CAGE code, an action will fail Procurement Data Standard (PDS) validations.

If these are going to be on-going contracts (such as reconstruction), it would behoove the vendors to eventually actually get registered in SAM (they can use the CAGE code that will be assigned in this process when they do so) even if they’re not technically required to do so because the contract was initially exempted due to the emergency.  Being registered in SAM will just make the whole invoicing and payment processes run a bit smoother if the contract lasts for a while.

Lisa Romney, Defense Procurement and Acquisition Policy Office of Acquisition Technology and Logistics

 

Posted in: Resources

No, you can’t just “Apply” to the Mentor Protege Program

The long-anticipated, much applauded, expanded SBA All Small Mentor Protege Program is here…not to be confused with the SBA 8(a) Mentor Protege Program … or the Department of Defense Mentor Protege Program*

So what?  What does it mean to your small business?   How do you take advantage of it?

The mechanics:  Mentor Protégé Program (MPP) is an agreement between typically a large business (mentor) and a smaller business (protégé) whereby the mentor provides:

  • Management and Technical Assistance
  • Financial Assistance
  • Contracting Assistance
  • Trade Education
  • Business Development Assistance
  • General and/or Administrative Assistance

(source: SBA)

to the protégé, essentially investing resources into the company’s growth and infrastructure.  It’s not a direct government-to-small-biz program: there’s no application that small businesses fill out to ‘get in’ – but there is a checklist.  It’s an agreement between two businesses that is regulated and approved by either the SBA (for civilian agencies) or the DOD.

A few reasons large businesses are incentivized to become mentors:

  1. Agencies will apply subcontracting “Credit” to mentors when under consideration for awards. This can also help mitigate gaps in subcontracting requirements. Mentors can get credit for their protege’s accomplishments because the implication is that the mentor’s help was instrumental in getting the company ready. Examples include the protege’s wins as a prime at the same or a different agency, and the protege’s wins as a subcontractor for other prime contracts at the same or different agencies, if the mentor protege agreement was instrumental in building the capacity or ability of the protege company to win the additional work.
  2. Dept of Defense also administers reimbursement agreements (as well as credit agreements) but some DOD agencies will award dollars directly to the mentor to invest in the protégé.  The financial benefit is obvious to both – the mentor isn’t spending internal resources helping the protégé, but rather the DOD’s money.
  3. Ability to form Mentor Protege Joint Ventures that enable access to set-aside contracts without triggering the affiliation rule. Win-win:
    1. Protege can pursue set-aside contracts that would’ve been otherwise out of reach of the protege due to capacity, past performance, clearances, or other requirements that they don’t have
    2. Mentor is able to participate in set-aside awards – and retain 60% of at least 50% of total contract amount.  Here’s the math: the “prime” contractor in a set-aside award has to do 50%+ of the work… the joint venture is the prime contractor.  The mentor company can do 60% of the work because it’s a mentor.
  4. Investment / Merger & Acquisition strategy (great explanation here with many more finance details, thanks Elvis Oxley!) – mentors can take up to a 40% stake in the protege company — and the ability to reap the benefits of that investment as they develop that protege’s capabilities.  In the event of a future M&A, that 40% stake of a much more substantial business makes for a decent profit margin.

There are risks and considerations, to be sure.  A meeting of the minds is essential – to ensure both parties set expectations and have a plan to meet them. Proteges are limited to 3 MPP agreements per program in their lifetime (that’s 3 SBA AllSmall and also 3 DOD); Mentors can only have 3 Mentor Protege Agreements per program concurrently. An MPP agreement is thus never formed by strangers – the companies have to have solid business reasons for entering into the arrangement; most often, there’s a prior relationship of subcontracting or other business relationships that forms the baseline of mutual interest and sets the ground for pursuing a more strategic joining of forces.

For small businesses seeking to become proteges, the essential question is: What do you bring to the table? What would be an incentive for another entity to invest their time, resources, and dollars into developing your company’s capabilities?  If you can answer those questions, you probably have a good idea of who to approach for mentorship.

 

*Changes coming to the DOD Mentor Protege Program – thank you Steven Koprince of SmallGovCon.com

Posted in: Resources
