The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for risk assessment

By

Industry on pins and needles as DoD and accreditation body work to finalize CMMC agreement

The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification (CMMC) off the starting blocks.

Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.

Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.

Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.

“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”

Keep reading this article at: https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/03/industry-on-pins-and-needles-as-dod-accreditation-body-to-finalize-cmmc-agreement/

By

GAO says DoD’s fraud assessment efforts should include examination of contractor ownership

Some companies doing business with the Defense Department have opaque ownership structures that may conceal who owns, controls, or benefits from the company.
This GAO illustration depicts how DoD’s use of an ineligible foreign manufacturer — that illegally exported sensitive military data and provided defective and nonconforming parts — led to the grounding of at least 47 U.S. fighter aircraft.

The Government Accountability Office (GAO) recently  identified fraud and national security risks to DoD from opaque ownership such as ineligible contractors receiving contracts and foreign firms receiving sensitive information through U.S.-based companies.

These risks, identified through GAO’s review of 32 adjudicated cases, include price inflation through multiple companies owned by the same entity to falsely create the appearance of competition, contractors receiving contracts they were not eligible to receive, and a foreign manufacturer receiving sensitive information or producing faulty equipment through a U.S.-based company.

For example, one case involved an ineligible foreign manufacturer that illegally exported sensitive military data and provided defective and nonconforming parts that led to the grounding of at least 47 fighter aircraft.

The GAO reports that DoD has taken some steps that could address some of the risks related to contractor ownership in the procurement process but has not yet assessed these risks across the department.  DoD, in coordination with other agencies, revised the Federal Acquisition Regulation (FAR) in 2014 to require contractors to self-report some ownership information.  In addition, DoD has taken steps to identify and use ownership information — for example, as part of its supply-chain risk analysis when acquiring critical components. DoD has also begun a department-wide fraud risk management program but, according to GAO, it has neither assessed risks of contractor ownership across the department nor identified risks posed by contractor ownership as a specific area for assessment.

GAO contends that assessing risks arising from contractor ownership would allow DoD to take a strategic approach to identifying and managing these risks, make informed decisions on how to best use its resources, and evaluate its existing control activities to ensure they effectively respond to these risks.

Keep reading this GAO report summary at: https://www.gao.gov/products/GAO-20-106#summary

By

Pentagon standing up a nonprofit to assess vendor cybersecurity

The organization would be responsible for running the department’s Cybersecurity Maturity Model Certification.

The Defense Department is looking to stand up a nonprofit organization to measure the strength of its contractors’ cybersecurity practices.

The group would be responsible for running the vendor accreditation process under the Pentagon’s new Cybersecurity Maturity Model Certification, or CMMC. The framework, which was released in draft form last month, will serve as a yardstick for determining if contractors are taking sufficient steps to protect the sensitive military data that resides on their networks.

The certification process is intended to push the Pentagon’s extensive network of vendors to strengthen their digital defenses, or at least adopt protections that are appropriate for the sensitivity of their work. The program comes adversaries like China increasingly target defense contractors to steal military secrets.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/10/pentagon-standing-nonprofit-assess-vendor-cybersecurity/160425/

By

VA failed to vet dubious contractors

An internal VA study has found that an east coast office that handles about $4 billion in business each year didn’t do enough checks to vet the backgrounds of companies to which it awarded contracts.

The internal study by consultants found that the Department of Veterans Affairs‘ “Service Area Office East” failed more than half the time to perform at least one of the required responsibility determination reviews, which include checking lists of banned companies or checking basic corporate facts with Dun and Bradstreet and other databases.

The study, obtained through the Freedom of Information Act, found the office would often neglect to fill out required paperwork on why they selected “high risk” contractors and found 94 percent of Federal Supply Schedule contracts had some kind of problem, including lack of proof that contracting officers pushed for government price reductions.

Some contract files didn’t even have signatures.

Keep reading this article at: http://www.washingtontimes.com/news/2015/jan/5/va-failed-to-vet-dubious-contractors/

By

4 lessons for government leaders on what motivates contractors

Competition was the main theme of the Defense Department’s second annual report on acquisition performance, released earlier this month. Declining budgets may be pushing defense contractors to look for work outside the government, but the Pentagon’s emphasis remains on promoting competition, according to Frank Kendall, the undersecretary of defense for acquisition, technology and logistics.

The report analyzed contractors’ cost and schedule performance over more than a decade to see what motivated them to produce better results. Here are some takeaways:

  1. The carrot-and-stick approach works.
  2. Fixed-price isn’t always the best fix.
  3. More competition does mean better performance.
  4. Leadership matters, but it’s not clear how much.

Keep reading this article at: http://www.washingtonpost.com/business/capitalbusiness/what-motivates-defense-contractors-four-lessons-for-government-leaders/2014/06/27/a623fb06-f577-11e3-a3a5-42be35962a52_story.html

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter