Blog

IT’S TIME FOR AN HONEST DISCUSSION ON PRICE VS. EXPECTATION

A recent Cyber Safety Review Board (CSRB) report on the shortcomings of Microsoft’s security standards is a great opportunity to start a serious discussion between government and industry on the price the government is willing to pay for a solution vs. the cost of providing what it actually wants.  The Microsoft story is just the latest example of where the government expects a lot more than it’s willing to pay for.  The CSRB report said, among other things, that “…security culture was inadequate…” at Microsoft.  Inadequate in that it didn’t meet the government’s expectations.  Ask just about any commercial item contractor, though, and you’ll hear the same story.  It is essentially this: “we’re happy to create the systems that the government needs if only they will pay for us to create and support it.”  FedRAMP is another great example.  Many DOD agencies insist that they need FedRAMP high, or better, even if the specific solution doesn’t seem to call for it.  Contractors with FedRAMP moderate are happy to build out systems that meet higher standards if their DOD customers will pay for it.  Most won’t, limiting competition to those few contractors that have no choice but to make the investment.  Not only does the reduced competition increase acquisition costs, but it also locks the government into paying for and maintaining systems with a higher level of security than may be needed.  Although there are many areas where similar scenarios regularly play out, the one getting the most attention today is cyber.  We’ve written extensively on the government’s cavalcade of cyber rules.  Cyber is a valid goal, but industry needs to do a better job in making it clear that what the government says it wants will come at a cost, a cost higher than comparable commercial systems that don’t require the same security levels.  It’s time for some open and honest discussions on this front. “What we have here is a failure to communicate” is no way to run government acquisition.

FAR COUNCIL SAYS IT’S TIME FOR A NEW CHAPTER

The proliferation of cyber and secure supply chain requirements governing federal acquisition has caused the FAR Council to announce the creation of Chapter 40 of the Federal Acquisition Regulations (FAR).  The new chapter will become the centralized home for all such regulations.  The final rule announcement from the FAR Council doesn’t, in and of itself, discuss new rules, only that all existing and future cyber and supply chain security regulations will be populated in the new chapter.  The idea is to provide contracting officers and contractors with an easy-to-find centralized location for what is required on the cyber front in specific acquisition situations.  The Federal Register notice announcing the creation of the new FAR part stated,

NOW THAT APPROPRIATIONS HAVE PASSED, HERE ARE THREE THINGS CONTRACTORS SHOULD FOCUS ON RIGHT NOW

Individual federal offices will soon receive their official funding levels for the remainder of FY’24.  A lot of business will be transacted in a short amount of time.  Here are three things that contractors should focus on now to be prepared.

1.  Shift the Focus of Customer Discussions:  While many federal agencies have projects just waiting for money, once the money comes it’s time to shift the dialogue from the theoretical to the practical.  Did the project actually get its anticipated money?  When and how will the customer move forward?  Now is the time to start having federally appropriate “closing” discussions with customers.

2.  Make Sure That Your Contracts Are Current and Ready:  GWAC and other IDIQ contract holders should ensure that their contracts are fine-tuned and ready to go.  Only a small window remains to add needed solutions.  Don’t plan on trying to add new line items overnight in August.  That is the time when IDIQ use soars in government procurement, but only for those who are already prepared.  Make sure that you are.

3. Establish or Strengthen Relationships With Socio-economic Partners:  We’ve said before that partnering with companies that have special socio-economic status is key to bringing in business.  That is especially true now when a lot of money needs to be obligated in a short amount of time.  Expect small business set-asides to soar as agencies look for a way to spend what they have by September 30th.  Partnering with small firms can ensure that you get at least part of that market.  The pace of federal business will only accelerate as the temperature warms up.  Be prepared.

CISA PROPOSES ANOTHER LAYER OF CYBER INCIDENT REPORTING

Nothing exceeds like excess on today’s regulatory front.  If one rule is good, two or three must be better.  So it seems with an Advanced Notice of Proposed Rulemaking (ANPR) issued by CISA last week that would create yet another cyber incident reporting requirement for contractors.  The 447-page ANPR covers both private sector entities and government contractors and is designed to implement requirements of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).  This specific rule would require more detailed technical disclosure information than other existing requirements.  As such, while CISA officials state that they want to “harmonize” reporting requirements among multiple platforms, their ability to do so may be

THINKING ABOUT BLOWING THE WHISTLE? UNDERSTAND THIS

Contractors are rightly concerned about whistleblowers calling out suspected or actual bad behavior. Most significant False Claims Act cases come from whistleblowers, often disgruntled employees or competitors.  Life isn’t all rosy for whistleblowers, though, as a recent Federal News Network report highlighted.  Whistleblower lawyer Stephen Kohn stated that while whistleblowers may provide the Department of Justice with significant information on major wrongdoings, the whistleblower, themselves, could also face prosecution, even for a