commercial item | The Contracting Education Academy

July 28, 2020 By cs

The absurdity of government contracting

It is time for a top-to-bottom review of the acquisition process.

I take no joy in writing this article, but it is a desperate plea for improvement.

From 1995-2001, I worked for the Department of the Army as a contract specialist procuring advanced communications and electronics systems, equipment and services.

The first contract I ever negotiated was valued at over $3 million opposite an emerging company from Massachusetts. I had just finished my four-week Contracts 101 training in Virginia, and I was eager to put my newfound knowledge of the Federal Acquisition Regulation (FAR), Defense Federal Acquisition Regulation Supplement (DFARS), and Army Federal Acquisition Regulation Supplement (AFARS) to work on behalf of the Army and the American taxpayer. Then reality set in. Despite being armed with this new knowledge and skill, I was hamstrung by a procurement system so vast, complex and rigid it would make Kafka blush.

Throughout the course of my next seven years with the Army, we were promised acquisition reform, enhanced efficiencies, paperless transactions and less red tape, particularly in connection with the procurement of commercial items and services.

Since leaving the Army, I have focused my practice primarily on commercial contracts in a variety of industries, ranging from media and entertainment to digital advertising and technology. Increasingly, however, I have been handling more government contracting issues for our clients, including negotiating contracts for prime and subcontractors and handling diligence and regulatory issues in connection with mergers and acquisitions. It never ceases to amaze and disappoint me how different these commercial contracts are to federal contracts. The commercial process is still so much faster and efficient; the contracts are generally much shorter and less complex; and the parties are able to navigate contentious issues through negotiations rather than having to abide by a panoply of opaque and largely wasteful regulations.

Keep reading this article at: https://www.afcea.org/content/absurdity-government-contracting

July 2, 2020 By cs

Defense information network to host data repository for contractors’ cybersecurity audits, official says

Applications are now available for aspiring assessor organizations, which will also need to have their security certified.

Information about organizations seeking a stamp of approval under the Pentagon’s new Cybersecurity Maturity Model Certification program will be stored on the Department of Defense Information Network, according to the head of the accreditation body working with DOD on the CMMC.

Currently, DOD contractors mostly pledge adherence to requisite cybersecurity practices. The CMMC, taking effect with a rule change expected this fall, will require all defense contractors to have their cybersecurity status audited and certified by an independent third party before they can do business with the department.

The program has raised concerns among some contractors about cybersecurity for the apparatus being set up to manage the certifications and audit data, such as a repository DOD officials will use at the time of award to check whether prospective prime contractors and their associated subcontractors have achieved the necessary certification.

“DOD intends to maintain their instance [of the repository] on the DOD network and we will be responsible for populating that,” said Ty Schieber, chairman of the board for the CMMC accreditation body.

Keep reading this article at: https://www.nextgov.com/cio-briefing/2020/06/defense-information-network-host-data-repository-contractors-cybersecurity-audits-official-says/166375/

June 26, 2020 By cs

Accreditation body to begin training CMMC auditors

An accreditation body facilitating implementation of the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) version 1.0 has opened up training for third-party auditors, according to an official.

The upcoming cyber requirements are a reflection of the Pentagon’s push to protect defense industrial base networks and controlled unclassified information from cyber attacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. As the initiative is phased in, contractors will have to meet different levels of security depending on the work they are performing, with level 1 being the lowest and level 5 the most stringent.

“We are busy doing pathfinders in the DoD. We are getting ready to launch our pilots,” Katie Arrington, chief information security officer in the office of the undersecretary of defense for acquisition and sustainment, said June 24 during a webinar hosted by cybersecurity company PreVeil. “The Accreditation Body opened the door for training registration for [certified third-party assessor organizations] two days ago.”

The CMMC Accreditation Body was set up to train organizations conducting CMMC compliance assessments on behalf of the Pentagon.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/6/24/pentagon-to-begin-training-thirdparty-cmmc-auditors

June 26, 2020 By cs

CMMC regulations on the way despite pandemic

The Defense Department’s new high-profile cybersecurity regulations are on schedule for implementation this year despite potential setbacks from the COVID-19 pandemic.

Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said the Pentagon will begin rolling out the Cybersecurity Maturity Model Certification version 1.0 rules this year.

The requirements are part of the Defense Department’s push to protect industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.

Acquisition officials unveiled their roadmap for implementation in January, before the COVID-19 pandemic roiled U.S. society and industry. The plans included releasing solicitations with CMMC requirements baked in for pathfinder programs this year.

“We are on track to do that,” Arrington said during a Project Spectrum webinar in May. “We’re still on target to release some initial [requests for information] in June. … Stay tuned, but the work hasn’t stopped and we’re still doing our absolute best to stay on track.” Project Spectrum is intended to help small businesses improve their cybersecurity and is supported by the Defense Department’s Office of Small Business Programs.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/6/22/cmmc-regulations-on-the-way-despite-pandemic

June 12, 2020 By cs

CMMC update: Details on certification infrastructure and COTS products

The framework for the DoD’s Cybersecurity Maturity Model Certification (CMMC) process continues to move forward.

Here’s an update on what’s currently happening with the CMMC that includes a few more details the DoD and the independent CMMC Accreditation Body have recently released about the nuts and bolts of the certification process.

As explored in Koprince Law’s prior posts (such as this one), the CMMC standards were put in place to protect Controlled Unclassified Information held by defense contractors to reduce loss of data and “risk to national security.” The standards will require a third-party audit of all defense contractors and will be proportional to the magnitude of the contract and what data the contractor is handling for the DoD.

CMMC Accreditation Body and C3PAOs

DoD’s partners have been hard at work on fleshing out the details of the certification process. The CMMC Accreditation Body (or CMMC-AB) is a non-profit, independent organization that will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the assessors themselves. This means the CMMC-AB is not part of the government, although it operates under an agreement with the DoD. The C3PAOs are the organizations that will help “train the trainers”–meaning they will provide skills to and assist the assessors, but the CMMC-AB will actually license the assessors. A C3PAO must be certified by the CMMC AB and then the C3PAO will train and monitor the CMMC assessors who provide the certifications.

The CMMC AB is taking steps to carry out its goals. The training program for CMMC assessors has not started yet and there is no timeline on the AB’s website. As a consequence, no assessors have been licensed yet.

However, as part of its mission, the AB is conducting market research to develop “a scalable and extensive partner-centric training and educational model to effectively equip professionals, students, and other stakeholders within the CMMC ecosystem.” The organization will provide training content and providers for certification. The AB is also doing market research for an entity to develop a CMMC certification exam.

Keep reading this article at: https://smallgovcon.com/statutes-and-regulations/cmmc-update-details-on-certification-infrastructure-and-cots-products