COTS | The Contracting Education Academy

June 26, 2020 By cs

CMMC regulations on the way despite pandemic

The Defense Department’s new high-profile cybersecurity regulations are on schedule for implementation this year despite potential setbacks from the COVID-19 pandemic.

Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said the Pentagon will begin rolling out the Cybersecurity Maturity Model Certification version 1.0 rules this year.

The requirements are part of the Defense Department’s push to protect industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.

Acquisition officials unveiled their roadmap for implementation in January, before the COVID-19 pandemic roiled U.S. society and industry. The plans included releasing solicitations with CMMC requirements baked in for pathfinder programs this year.

“We are on track to do that,” Arrington said during a Project Spectrum webinar in May. “We’re still on target to release some initial [requests for information] in June. … Stay tuned, but the work hasn’t stopped and we’re still doing our absolute best to stay on track.” Project Spectrum is intended to help small businesses improve their cybersecurity and is supported by the Defense Department’s Office of Small Business Programs.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2020/6/22/cmmc-regulations-on-the-way-despite-pandemic

June 12, 2020 By cs

CMMC update: Details on certification infrastructure and COTS products

The framework for the DoD’s Cybersecurity Maturity Model Certification (CMMC) process continues to move forward.

Here’s an update on what’s currently happening with the CMMC that includes a few more details the DoD and the independent CMMC Accreditation Body have recently released about the nuts and bolts of the certification process.

As explored in Koprince Law’s prior posts (such as this one), the CMMC standards were put in place to protect Controlled Unclassified Information held by defense contractors to reduce loss of data and “risk to national security.” The standards will require a third-party audit of all defense contractors and will be proportional to the magnitude of the contract and what data the contractor is handling for the DoD.

CMMC Accreditation Body and C3PAOs

DoD’s partners have been hard at work on fleshing out the details of the certification process. The CMMC Accreditation Body (or CMMC-AB) is a non-profit, independent organization that will accredit CMMC Third Party Assessment Organizations (C3PAOs) and the assessors themselves. This means the CMMC-AB is not part of the government, although it operates under an agreement with the DoD. The C3PAOs are the organizations that will help “train the trainers”–meaning they will provide skills to and assist the assessors, but the CMMC-AB will actually license the assessors. A C3PAO must be certified by the CMMC AB and then the C3PAO will train and monitor the CMMC assessors who provide the certifications.

The CMMC AB is taking steps to carry out its goals. The training program for CMMC assessors has not started yet and there is no timeline on the AB’s website. As a consequence, no assessors have been licensed yet.

However, as part of its mission, the AB is conducting market research to develop “a scalable and extensive partner-centric training and educational model to effectively equip professionals, students, and other stakeholders within the CMMC ecosystem.” The organization will provide training content and providers for certification. The AB is also doing market research for an entity to develop a CMMC certification exam.

Keep reading this article at: https://smallgovcon.com/statutes-and-regulations/cmmc-update-details-on-certification-infrastructure-and-cots-products

April 26, 2019 By AMK

What the 809 Panel didn’t quite get right

The Section 809 panel offers an important new idea on how the defense acquisition system could be improved to provide the Pentagon greater access to innovative new technologies that are rapidly developed in the private sector.

But the panel fumbled its recommendations with a contradictory and incoherent legislative approach that would hurt more than it helps. That should not undermine the significance of the panel’s underlying idea: a new focus on the source of funding for commercial items instead of the marketplace in which they are sold. This could encourage companies to develop defense-unique products at their own expense. Today, many are driven away when they are forced to accept regulated pricing and burdensome, government-unique contract terms and conditions.

Successes and Failures

We had high hopes when we helped to write the commercial buying acquisition reforms in the Federal Acquisition Streamlining Act of 1994 and the Clinger-Cohen Act of 1996. These reforms broadened the definition of commercial items, established a commercial item preference, and authorized waivers to government-unique requirements and contract clauses for the purchase of commercial solutions.

As a result, the government went from 476 contracts under simplified commercial item procedures in 1996 to nearly 13 million contracts worth almost $75 billion in 2011. As our colleague Jon Etherton has explained, this enabled the U.S. government to catch up with the information technology revolution that had swept the private sector in the 1990s and likely saved the Department of Defense (DOD) billions of dollars by avoiding unnecessary research and development and the extended acquisition lead times associated with government-unique products.

Keep reading this article at: https://breakingdefense.com/2019/04/what-the-809-panel-didnt-quite-get-right-greenwalt-levine/

March 20, 2019 By AMK

Creating space for innovation

“Innovation” is an overused buzzword that obscures the messy reality of making change happen.

True innovation requires the right people, the proper mix of technologies and a critical grasp of customers’ needs and expectations. For agencies, the many layers of federal governance and regulation add another degree of difficulty.

FCW recently gathered a group of IT leaders from across government to talk about the obstacles they’re encountering and how they’ve addressed them. The discussion was on the record but not for individual attribution, and the quotes have been edited for length and clarity. Here’s what the group had to say.

Procurement is no longer the obstacle — security is

The Federal Acquisition Regulation’s restrictions, both real and perceived, have long been a friction point for digital reinvention efforts, but most participants said the contracting process is not holding them back.

“It used to be the in-vogue complaint was, ‘Oh, it’s all procurement’s fault,'” one executive said. “But actually, procurement has gotten much better. What our agency is grappling with is the IT monstrosity that came out of” the Federal Information Security Management Act.

“FISMA came out because we were doing these things wrong in government,” he acknowledged. “But now we’ve created this very burdensome process that is not well-aligned to where cloud architecture is going,” and agencies must find new ways to navigate that process. “Obviously, we can’t bend security principles, [but without a new architecture,] you’re waiting two years to deploy. That’s not innovation. That’s not acceptable in this day and age.”

Keep reading this article at: https://fcw.com/articles/2019/02/21/fcw-perspectives-innovation.aspx

October 18, 2018 By AMK

Efforts to speed procurement of commercial off-the-shelf items influenced by ‘The Amazon Effect’

Amazon looms large over the world’s commerce, drawing a stark contrast to old ways of shopping, and an even starker contrast to the way government agencies buy things. In fact, there’s even a term for it: The Amazon Effect.

So, when Section 846 of 2018 National Defense Authorization Act was enacted, providing for the Pentagon and other federal government agencies to buy directly from e-marketplaces, it was immediately dubbed the “Amazon Bill,” and not just because of the Amazon Effect.

Introduced by Congressman Mac Thornberry, the bill was crafted to help speed the procurement process for commercial off-the-shelf (COTS) products through e-commerce portals. The General Services Administration (GSA), in partnership with the Office of Management and Budget (OMB), is currently working on the strategy and plan to properly implement and execute this legislation.

Based on input from the providers of commercial e-commerce portals and e-procurement solutions, the GSA and OMB team has developed the initial plan (Phase I) and is now working on the market research and industry consultation needed to develop the program’s implementation guidance (Phase II). This is not a simple task, as the team must review and consider existing processes and all the requirements of public procurement — buying off negotiated contracts from vetted suppliers who have invested heavily in meeting government requirements, and giving fair treatment to small, disadvantaged, minority women-owned and veteran-owned companies. The target is to have things completed by 2020.

However, the gap between expectations of selection, ease of use and speed that Amazon has created among consumers, and the reality of what is actually possible in the federal government continues to crop up as we move into the next phase of this process, the proof of concept phase.

Keep reading this article at: https://www.publicspendforum.net/blogs/andrew-malay/2018/10/09/future-federal-government-procurement-ecommerce