federal regulations | The Contracting Education Academy

February 22, 2021 By cs

Why systemic bias exists in government contracting programs

President Joe Biden issued an executive order to advance racial equity and support underserved communities.

The executive order promotes racial equity and emphasizes that advancing that ideal requires a systemic approach to embedding fairness in the decision-making process; it encourages agencies to recognize inequities in their policies and programs and work to redress them. Agencies are required to assess whether and to what extent their programs and policies perpetuate systemic barriers to opportunities and benefits for underserved communities.

The underlying emphasis here is that programs and initiatives that are meant to support, grow and allow the underserved communities to prosper are often hindered, and obstacles are created which prevent the full impact of the programs to be realized.

Too often, congressional initiatives to support underserved communities are implemented in regulations, programs, procedures and processes in such a way that all but neuter the intended outcomes. At best, under the mantra of ensuring that the benefits flow to the intended recipients, well-intentioned civil servants implement the programs in such a way to “protect” the underserved either from themselves or from would be charlatans, thus negating or totally eliminating the intended impact. At worst, maligned bureaucrats can’t stand by and witness government programs generate wealth for minorities and the underserved communities, and thereby create procedural roadblocks, hurdles and sand traps.

There are countless examples of the above, but I will provide one for illustrative purposes. Consider the intended benefits of the Small Business Administration’s 8(a) Business Development Program.

Keep reading this article at: https://federalnewsnetwork.com/commentary/2021/02/why-systemic-bias-exists-in-government-contracting-programs/

February 15, 2021 By cs

CMMC model tweaks coming after industry feedback

The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.

The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation System rule.

The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DoD spokeswoman said in a statement.

Keep reading this article at: https://www.fedscoop.com/cmmc-model-assessment-guide-to-get-tweaks-after-feedback-from-industry/

February 9, 2021 By cs

CMMC implementation creates issues for ‘shop floors’

As of Nov. 30, defense contractors and suppliers are required to comply with an interim rule that strengthens implementation of the Cybersecurity Maturity Model Certification (CMMC), which is designed to protect controlled unclassified information from hackers.

In December, the Legal and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division hosted the second in a four-part series of tabletop exercises to dry run the implementation and highlight areas where special attention may be needed. This exercise focused specifically on the implications for manufacturers in defense supply chains, probing deeper into issues from the first exercise, held in October.

Controlled unclassified information, or CUI, needs to be protected not only in enterprise information systems, but also in shop floor networks and systems where technical data may be at risk. The Defense Federal Acquisition Regulation Supplement 252.204-7012 clause that established CMMC mandates use of 110 security requirements defined by National Institute of Standards and Technology Special Publication 800-171 that are appropriate for information technology systems, but in many instances, not appropriate for operational technology systems as found in manufacturing facilities.

Manufacturing systems are capital investments expected to last 20 years or more. Many run old operating systems that do not support patches or encryption. Updates are expensive and rare. Efficiency requires connectivity and safety requires easy, rapid access. Workarounds are possible, but smaller manufacturers may need help in implementing them.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2021/1/29/cmmc-implementation-creates-issues-for-shop-floors

February 2, 2021 By cs

DoD’s cybersecurity certification requirements to appear in DHS contracts

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification (CMMC) program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors have their cybersecurity practices certified by a system of independent third party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases — 15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year — and won’t be fully applicable until 2025.

That led one participant during a virtual meeting hosted by the Armed Forces Communications & Electronics Association Thursday to suggest organizations might even want to deprioritize complying with the CMMC’s requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/dods-cybersecurity-certification-requirements-appear-dhs-contracts/171551/

December 24, 2020 By cs

Pentagon announces 7 procurements to test out new CMMC process

The Defense Department on Thursday disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s new approach to shoring up its suppliers’ IT security.

The department stopped short of a full commitment to subject the forthcoming Navy, Air Force and Missile Defense Agency procurements to CMMC’s requirements.

In a statement, DoD said only that they are “candidates” under consideration to serve as pathfinders.

The projects, as described by the Pentagon, are:

Navy

Integrated Common Processor
F/A-18E/F Full Mod of the SBAR and Shut off Valve
Yard services for the Arleigh Burke Class destroyer

Air Force

Mobility Air Force Tactical Data Links
Consolidated Broadband Global Area Network Follow-On
Azure Cloud Solution

Missile Defense Agency

Technical Advisory and Assistance Contract

The department did not immediately provide further details on the procurements beyond the descriptions above, but said each of the contracts are expected to be awarded in fiscal 2021.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/12/pentagon-reveals-first-contracts-to-serve-as-pathfinders-for-cmmc/