Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Vendors who can’t work due to coronavirus asking for more clarity, consistency

If there is one thing nearly every federal agency has experienced over the last 75 years, it is that consistent application of laws, regulations and policy is a grueling and, unfortunately, many times futile effort.

It’s more due to human nature than something malicious or purposeful.

Despite the history of inconsistencies, vendors are calling on the Office of Management and Budget to take the reins of this 111-agency horse-drawn wagon and ensure some consistency in how agencies implement a specific section of the stimulus bill.

Section 3610 of the Coronavirus Aid, Relief and Economic Security Act (CARES Act) lets agencies pay contractors to keep them in a “state of ready” if they can’t work because of the pandemic. The provision is not a mandate, nor does it guarantee payment, but it gives agencies broad latitude to count paid leave as a reimbursable cost.

This is why nine associations last week called on OMB to release governmentwide guidance on how agency contracting officers should interpret the provision.

“Consistent implementation of this provision is critical to the viability of the hundreds of thousands of companies that make up our nation’s critical infrastructure and defense industrial base supply chains,” the April 16 letter states. “Companies require clear and consistent guidance to protect their employees, maintain a ready state and make critical resource and personnel decisions tied to support for customer missions.”

OMB released that much anticipated guidance the next day — to be clear not because of the letter as we all know memos take days, if not months in some cases, to develop — giving agencies important direction.

“The Office of Federal Procurement Policy (OFPP) has developed guidance to help agencies make rational business decisions that balance the need for contractor resiliency with the need for good stewardship,” OFPP Administrator Michael Wooten said in a statement.

In the guidance, OMB details several guiding principles for contracting officers, ranging from the date when agencies can start reimbursing vendors’ costs (March 27), to ensuring funding is available before committing to payments, to paying the actual amount but not more than the minimum applicable contract billing rates for up to an average of 40 hours per week.

“Contractors must fully support and maintain documentation for claims made under section 3610. Agencies are encouraged to work with their contractors to understand how they are using or plan to use the relief provisions available to them under the CARES Act and the Families First Act to address the health and economic hardships created by COVID-19,” OMB states. “In some cases, provisions other than section 3610 may provide a more efficient means of getting payment into the hands of contract employees. In other cases, a contractor may find it beneficial to take advantage of a combination of resources. For example, a business may wish to use the Paycheck Protection Program (PPP) established pursuant to sections 1102 and 1106 of the CARES Act for certain relief and request agency support under section 3610 for other relief. For this reason, it is important to secure fully supported documentation from contractors regarding other relief claimed or received, including credits allowed, along with the financial and other documentation necessary to support their requests for reimbursement under section 3610.”

Praise but vendors want more

This is OMB’s second memo aimed at helping vendors plan and stay ready during the coronavirus pandemic.

OMB’s guidance comes after both the Defense Department and the Office of the Director of National Intelligence released their own guidance to implement 3610.

And this is where vendors begin to get stressed. For example, both the DoD and ODNI guidances say military services and agencies and intelligence community agencies can reimburse contractors, if they deem it to be necessary, for lost time starting Jan. 31.

OMB’s memo, however, says agencies can reimburse for lost time starting March 27.

This is one of those inconsistencies that vendors believe need to be addressed.

While vendors, generally speaking, praised OMB for the memo, the variations in the rules, such as the starting date, have left many of their concerns unsatisfied.

“Unfortunately, OMB’s current guidance stops short of setting clear standards for consistent, governmentwide implementation of Section 3610, and fails to address many of industry’s specific questions and concerns about reimbursement,” said Gordon Bitko, senior vice president of policy for the public sector at the IT Industry Council, in a statement to Federal News Network. “OMB explicitly recognizes that its guidance will result in different applications of 3610 authority across the federal government, and potentially even among individual buying offices within the same agency. Navigating these different approaches places significant burdens on individual contractors at a time when resources are already strapped.”

OMB states in its memo that the variations of 3610 will be based on different missions, requirements, contracts and funding situations.

“Application of these guidelines will support rationally based decisions that reflect the best interest of the government in any given situation, fully supported by contractor records that are subject to oversight, and that safeguard the taxpayers funding these efforts,” the memo states.

FAQs may be coming

Larry Hanauer, vice president of policy for the Intelligence and National Security Alliance (INSA), said now that OMB’s guidance is out, agencies have to use it to streamline their processes.

“In order to reduce confusion and simplify bureaucratic requirements, INSA urges government agencies to implement the CARES Act legislation in a consistent, uniform manner,” he said. “We were pleased that OMB’s guidance properly emphasizes the importance of ensuring that federal contractors–who represent roughly 30% of the total government workforce–remain resilient. It directs agencies to use available funds and interpret contracts liberally. It also addresses the need to support national security contractors working in classified environments. Contractors supporting classified projects cannot bring work home with them, and many cannot access secure facilities due to office closures or social distancing requirements. The OMB memo makes clear these contractors should be paid to remain in a ready state so they can return to work at the earliest possible opportunity.”

More details from OMB seem to be on the way. OFPP said it will provide updates and additional information, including additional “frequently asked questions” as needed.

“Generally, OMB has tried to set out a consistent process for evaluating the application of Section 3610.  A clear, consistent process on which vendors can rely is critical for vendors seeking to understand and perform in this environment,” said Roger Waldron, the president of the Coalition for Government Procurement.


How to finally end the debate over why, how much to invest in cybersecurity

The “Unsafe at Any Speed” moment has come for cybersecurity.

For those of you who don’t remember, the 1965 seminal book by Ralph Nader forced Congress and the executive branch to take action — for some too much action — to ensure standard safety measures for cars.

Time magazine said in a 2015 article for the 50th anniversary of the book, that Nader’s research was the catalyst for President Lyndon Johnson to sign “two auto-safety bills into law and established the National Traffic Safety Agency, despite the auto industry’s outspoken desire to regulate itself. The new laws addressed a wide range of problems from safety codes and vehicle inspection to highway design and driver education.”

The New York Times said in a similar 2015 article that the book’s “sharp-edged theme … was that the auto industry was ignoring ‘moral imperatives’ to make people safer.”

Consider the Cyberspace Solarium Commission’s report the most recent version of “Unsafe at Any [Network] Speed.”

The final report, which the commission released in early March, outlines 75 recommendations to improve the federal government’s response to a major cyber-attack.

Rep. Jim Langevin, D-R.I., is a member of the Cyberspace Solarium Commission.

One of the recommendations that could finally change the current and future view of cybersecurity and make government, industry and even consumers truly grasp its importance is found in Section 4.3: “Congress should establish a Bureau of Cyber Statistics charged with collecting and providing statistical data on cybersecurity and the cyber ecosystem to inform policymaking and government programs.”

The bureau, much like the National Safety Transportation Board or the Bureau of Labor Statistics, would arm organizations and citizens with independent data to decide what investments make the most sense based on risk.

“This idea has been talked about for several years now, but what was gnawing at me is if we do what we think is adopting cyber best practices and latest technology, how do we know that we will be much more cyber secure?” said Rep. Jim Langevin, D-R.I., in an interview with Federal News Network. “The reality is we would be better served by having hard data to make informed policy decisions or for CEOs and [chief financial officers] and chief information security officers when making recommendations or decisions about what type of cyber technology to purchase and deploy. It just makes sense.”

While Nader’s book led to more stringent regulations of cars, the commission isn’t calling for more regulation. It’s calling for a better understanding through data of what works and what doesn’t.

The commission said the confusion and lack of independent data “limits the ability of the government to evaluate the effectiveness of its cybersecurity programs and prevents private enterprises and insurance providers from being able to adequately price, model, and understand cyber risk. Existing data sets are incomplete and provide only a superficial or cursory understanding of evolving trends in cybersecurity and cyberspace.”

Finally an answer to a difficult cyber question

Creating such a bureau, which Langevin said would most likely take an act of Congress to ensure funding and staffing, would help answer the long-time question of how to prove something didn’t happen, one that many CEOs, CFOs and other non-technologists have asked over the years: “What did we get from this cybersecurity investment?”

Answering that question has been difficult for many chief information officers and CISOs.

Gus Hunt, a former chief technology officer for the CIA and currently the managing director and cyber strategy lead for Accenture Federal Services, said while the numerous cyber breaches — whether at the Office of Personnel Management or Target or JPMorgan Chase — have made the discussion between technology and non-technology executives easier, data would further unchain the doubters.

“What this will do for the CIO/CISO communities and the CFO/[chief operations officer] communities is make it easier to convince that this must be a continuing investment. It is essential for security and the well-being of your organization,” Hunt said. “It can help demonstrate this through statistics by having government-backed data, which enables organizations to have a conversation that then provides the basis to make some informed decision. They can see what they are worried about and then make investments to deal with the problems more effectively.”

The commission said the Bureau of Cyber Statistics could live in the Commerce Department, or another agency, and inform national risk, help the insurance industry create more accurate risk models and help the federal agencies craft more effective cybersecurity policy and programs.

Cyber insurance market growing

Wyatt Hoffman, who co-authored a paper for the Carnegie Endowment for Peace on cyber insurance in 2018 and is now a research fellow at Georgetown’s Center for Security and Emerging Technology, said as more organizations buy cyber insurance — Adroit Market Research found in a recent report that the market will grow from about $4 billion in 2017 to more than $23 billion by 2025 — the need for better data and metrics will only grow.

“It’s a problem for insurers who are trying to model and quantify cyber risk to understand their exposure and determine premiums, and it’s a problem on a national scale,” Hoffman said. “It’s also a problem for companies trying to figure out which products to choose from to fit their particular risk profile.”

Hoffman said the bureau could help with risk aggregation and creating the macro picture that would help insurers understand specific industry sectors and what steps companies could take to make them more secure.

“In a lot of instances like Equifax or Home Depot or Target, it’s difficult to look at those to figure out what you need to be doing to address your particular situation. We need a better picture of if you were in this industry with this profile, here is exposure you are likely to face,” he said. “There is a lot of data that exists already, but it’s widely dispersed across the private sector. Insurers have data, but there is not a lot of sharing or a lot of aggregation of data at a broad level. There are different information sharing efforts in different sectors, but not a single repository. That’s what you need to develop effective models to create a more robust picture, which is the idea behind this bureau.”

Creating trusted data

Accenture Federal’s Hunt added there is a definite desire in the cybersecurity market for data. He pointed to what seems to be a never-ending release of reports by cybersecurity and consulting companies analyzing cyber data. But a government-based unit with sufficient legislative backing would bring together a much broader perspective, provide early warning signs and make sharing more secure.

“The biggest issue the bureau would have to overcome is what would it take for government data to become the trusted source around cyber? How do you provide actionable data?” he said. “The Solarium report is asking Congress to establish safeguards against punitive measures for sharing and those sorts of actions would go a long way to mute concerns over sharing and get folks to participate and engage more effectively.”

Langevin said the creation of the bureau is one of the short-to-medium term recommendations from the commission.

“Hopefully we will be past this coronavirus crisis sooner than later and once we do get back we will have hearings and introduce legislation,” he said. “We can’t understand what we can’t measure and there is currently a dearth of robust and consistent data. Through this bureau, the data could be analyzed and made publicly available to see, and from there, we would have a better idea of what we can do to get us to be better secure.”

The question now is whether Congress and the administration will see the report as a “seminal call” to get ahead of cyber attacks, or whether the document will get thrown on the pile with the many that came before it.


DoD, ODNI sign ‘permission slips’ to keep contractors viable through the pandemic

The memos are coming fast and furious. Like the movies with a similar name, many times the sequels are just as good as or better than the original.

This is especially true with the Defense Department’s acquisition memopalooza over the past few weeks. Since March 1, the Defense Pricing and Contracting Office has released 13 memos, four class deviations, three announcements and two sets of frequently asked questions.

Each one gives contractors more and critical information for how to work during the coronavirus pandemic.

“The challenge is there are so many flavors of contracts that it’s hard to write policy for them all, but you could do something broad and then narrow down to contract type,” said Stan Soloway, president and CEO of Celero Strategies and a former Defense procurement official. “It’s been interesting to see how this all has been playing out.”

The latest DoD memo and frequently asked questions may be among the most important so far. DoD provided contracting officers and other acquisition professionals with guidance for how to continue to pay contractors even if they can’t do work during the emergency.

Kim Herrington, DoD’s acting principal director of the Defense Pricing and Contracting office, told defense acquisition workers that under Section 3610 of the CARES Act, the government can modify contracts to ensure vendor employees are paid when they can’t work. Herrington also released a set of frequently asked questions to answer some of the more complex questions that arose from the law, including whether paid leave is considered a direct or indirect cost (it’s an indirect cost in most circumstances), and to clarify that cost reimbursement is an option, not mandatory.

The director of Defense Pricing and Contracting, Kim Herrington, delivers remarks at a Pentagon press briefing about acquisition in regards to COVID-19, in March, along with Undersecretary of Defense for Acquisition and Sustainment Ellen Lord (left) and Deputy Assistant Secretary of Defense for Industrial Policy Jennifer Santos. (DoD photo by Lisa Ferdinando)

“Currently, many DoD contractors are struggling to maintain a mission-ready workforce due to work site closures, personnel quarantines and state and local restrictions on movement related to COVID-19 pandemic that cannot be resolved through remote work,” Herrington wrote. “It is imperative that we support affected contractors, using the acquisition tools available to us, to ensure that, together, we remain a healthy, resilient, and responsive total force.”

Classified contracts pose more challenges

At the same time, Kevin Meiners, the deputy director of national intelligence for enterprise capacity, issued a similar memo for contractors working for intelligence agencies.

The challenge for contractors working in the IC to work remotely is even more pronounced than for DoD.

“The memorandum provides you with documentation on the guiding principles we are using to address procurement issues during the pandemic mitigation,” Meiners wrote. “ODNI strongly encourages IC agencies to make full use of the flexibility provided by this [CARES] act and other existing contracting tools to enable the maximum number of contract personnel to convert to staying home in a ‘ready state’ during the national effort to mitigate the spread of COVID-19 pandemic.”

Eric Crusius, a partner with the law firm Holland & Knight, said he’s heard from clients that have classified contracts about how their employees are working in shifts to limit how many people are on site at any one time.

“They are finding ways to make it work but there are impacts on contractors,” he said. “The idea behind both of these and other documents is the government is not taking a hard line against contractors who are having a hard time performing. Instead, they are encouraging flexibility with missions.”

Soloway and other procurement experts praised DoD for not only its communications during the pandemic, but also how the Pentagon has been inclusive of contractors being part of the broader team.

“I think we’ve seen a really good tone from acquisition leaders. This pandemic is something that will test the public private partnership in government contracting, and agencies have to recognize the challenges,” Soloway said. “It’s encouraging that they are striking the right tone. Don’t underestimate how important that is. It’s a signal for how the workforce will act. They will give a level of support [that] will be consistent to that tone.”

Crusius said the acquisition speed at which agencies are moving is heartening for many reasons.

“This memo is a wonderful permission slip for contracting officer to see. They know if they have the funds available, they can pay contractors so it’s a double win because it’s keeping contractors on ready state and keep[ing] firms from going under,” he said. “As I’m speaking with clients, there are some employees who can’t work so that is impacting their profits and their cash flow. Certainly big companies that do cleared work will be impacted as will companies that work onsite doing services like cleaning offices.”

Crusius said it’s important for vendors to keep a few things in mind as they consider asking DoD for financial support through Section 3610.

First, he said the memo makes it clear that vendors can’t “double dip” in relief programs. For example, if a small business receives money from the Paycheck Protection Program, it cannot receive money from DoD, too.

Crusius said it’s also important for vendors to communicate with contracting officers and document any expenses. He said vendors should keep in mind DoD isn’t mandated to pay contractors; it’s just an option.

Where are OFPP, GSA?

The one missing piece in this effort is the lack of governmentwide guidance coming from the Office of Federal Procurement Policy (OFPP) and from the General Services Administration. OFPP issued initial guidance on March 20, but new questions and challenges have arisen since then, especially in regards to the stimulus bill.

“We are anxiously awaiting to see their interpretations and the three legs of the acquisition stool are fully aligned,” Soloway said. “It would be terrible to have different sets of rules for different parts of the acquisition community.”

GSA has been active in developing guidance and class deviations, but nothing so far around Section 3610 of the CARES Act.

Jeff Koses, GSA’s senior procurement executive, did issue a memo on Monday accelerating payments to small businesses that are both subcontractors and prime contractors.

The class deviation of the Federal Acquisition Regulation will:

  • Provide accelerated payments to prime contractors that are small businesses;
  • Establish a goal of 15 days after receipt of a proper invoice for payments to prime contractors that are small businesses and prime contractors that subcontract with a small business concern; and
  • Prohibit prime contractors from charging consideration or a fee to subcontractors when issuing accelerated payments.

DHS opens up CSO to fight COVID-19

Additionally, the Department of Homeland Security announced it plans to use its Commercial Solutions Opening (CSO) authority to help the agency respond to the coronavirus pandemic.

“DHS is seeking innovative commercial products that are in support of the COVID-19 response or similar microbial threats. Considering the magnitude and potential threat that COVID-19 and similar microbial threats pose to our nation’s health, safety and security, the government seeks to rapidly accelerate the testing and fielding of new capabilities, employing innovative commercial products to the detection of exposure, prevention, containment and treatment of COVID-19 and similar microbial threats,” the notice states. “Proposed innovative commercial products may be, but are not limited to, products that: 1) supplement shortages and/or emerging needs for personal protective equipment, 2) enhance or expedite screening capabilities, 3) enhance or expedite facility cleaning capabilities, 3) extend testing capabilities, 4) utilize technology to support the COVID-19 response, or 5) convert existing production and logistics operations to support the COVID-19 response.”

DHS said the solicitation will remain open and it will accept proposals on an ongoing basis, with awards scheduled for fiscal 2020.

Soloway said one question that DoD, DHS, GSA, OFPP and really every agency need to answer is what happens after award.

“I’ve heard from some companies who have been surprised by the pace of awards. They are still happening at a relatively reasonable schedule. Some do expect RFPs to be pushed to the right,” he said. “What happens with contract transition and kick off? Can you do that with remote working or will they have to delay awards and kick off? How [do] you transition to [a] new contractor and launch the work and what does that do to financial stability and ready state? How does the current situation impact the security clearance process too? It’s all about the implementation of contracts where the rubber hits the road.”


Time for DoD to cancel JEDI, ride the CIA’s cloud coattails

The drum beat continues.

As the Defense Department’s Joint Enterprise Defense Infrastructure (JEDI) cloud initiative remains mired in protest, the CIA’s Commercial Cloud Enterprise (C2E) acquisition is held up as a model approach.

Yet, DoD continues to try to fix what many call a flawed procurement from the beginning despite an obvious path to the finish line.

“It’s a good thing that C2E is looking for multi-vendors. That is a good omen. I’ve always been a fan of multi-vendor multiple-award type contracts because it puts the agency a little more in the driver’s seat to select what they want, to select who they want and at the best price points. It’s not really playing one vendor off another, but just keeping options open,” said Shawn McCarthy, IDC Government Insights research director, in an interview. “Across all levels of government edge computing is a hot topic. It’s born from smart cities and the manufacturing sector. A great example in a smart city where they collect traffic data using a small footprint artificial intelligence capability at the edge. If they see something happening, they can send commands to traffic lights to change the flow of traffic in near real time. It helps make decisions and it’s increasingly important on all networks because the edge is where the action is.”

DoD, the CIA and so many other agencies speak about getting power to the edge whether it’s for warfighters or farmers or first responders. In fact, one of DoD’s first task orders under JEDI was for services ranging from testing to accrediting to hosting devices for use at the tactical edge.

McCarthy said the edge of the network can be used and controlled the same way as the cloud is for applications and systems, and a multi-vendor approach provides the better way to do that.

The latest salvo to get DoD to rethink its approach comes from the IT Acquisition Advisory Council (IT-AAC) in a memo sent to House and Senate lawmakers, which Federal News Network obtained.

IT-AAC, which includes former DoD and civilian technology officials, has been a long-time and outspoken critic of the JEDI procurement. This latest memo doesn’t necessarily break new ground, but it comes as DoD continues to fight the court battle with Amazon Web Services over its award to Microsoft. DoD recently promised to take corrective action on AWS’ bid protest.

“As DoD CIO was not initially included in the JEDI planning effort by the US Digital Service/Defense Digital Service team, the DoD CIO should not be forced to implement this flawed strategy that is likely to be contented well into 2021, denying the warfighter urgently needed capabilities,” the IT-AAC memo states.

IT-AAC also said DoD can’t get out of the perpetual protest cycle easily.

“The recent Court of Federal Claims injunction that stayed JEDI cited errors in DoD’s evaluation of one of six ‘pricing scenarios.’ The pricing scenarios were theoretical use cases included to help DoD evaluate costs, and were only necessary because DoD decided to select a single solution up-front, before knowing how it would be used. Furthermore, DoD noted that it ‘wishes to reconsider its evaluation of the offerors’ online marketplace offerings.’ Yet if DoD pursued a multi-vendor offering, it would not need a marketplace in the first place,” the memo states.

JEDI court filings continue

At the end of March, the JEDI procurement, which is now two years since the release of the first draft request for proposals and 21 months since the Pentagon released the final RFP, remained contentious. AWS filed a brief with the Court of Federal Claims asking for the judge to reject DoD’s plan to revise narrow parts of the contract the judge has already faulted.

Instead, IT-AAC told lawmakers that DoD should just follow the CIA’s so far successful procurement.

“The result will be a cloud computing framework that preserves competition for price, services, and features while ensuring the IC retains access to the most innovative technologies from multiple vendors. Mission owners will be free to choose the cloud architectures and solutions that best meet their requirements,” IT-AAC states. “This practical, multi-vendor approach will pay off. C2E has been able to rapidly move toward delivering capability to mission owners, going from initial market survey to nearly final proposal in under a year. By harnessing this approach, DoD could make faster progress, moving from concept to award to execution in months rather than years.”

The CIA released its draft C2E solicitation in February, and expects to make an award by the end of fiscal 2020.

“Based on the IC strategic plan, the IC will leverage government and multiple commercial cloud capabilities that are interoperable and support workflows within and across multiple security fabrics,” the CIA wrote in the draft documents. “The goal is to maximize rapid re-use of data and sharing of data in mission systems to support these capabilities.”

One industry source, who requested anonymity in order to talk about the C2E procurement, said there is no question that the CIA is taking a much more rational approach to the procurement than DoD did with JEDI.

“I think what you see is the government recognizing that in six or 12 months the landscape will change and they want access to the best and brightest technology and companies at any given point in time,” the source said. “DoD came in and said we need to nail down one provider and stick with one provider.”

While Pentagon officials have been clear that JEDI was never going to be the only cloud for military services and agencies to use, concerns remain even two years later among vendors about first mover status on a department-wide program that could be worth $10 billion over 10 years.

CIA following industry best practices

Many say DoD is following the CIA’s 2013 playbook for its initial cloud procurement, called C2S and won by AWS. But while that approach worked well seven years ago, the current understanding of cloud is more mature.

“The CIA has learned a lot from prior experience C2S and its operating experience over the last six or seven years,” said Dave Mihelcic, a principal with DMMI LLC and a former Defense Information Systems Agency chief technology officer. “When CIA started C2S, they were leading edge. They were not even sure people would bid on that contract. I don’t fault that decision to go with a single cloud back then. But forward to JEDI, clearly multi-cloud makes sense now.”

Mihelcic said the CIA’s draft RFP recognizes that cloud providers excel in different areas and sets up gate criteria that ensure traditional vendors like Microsoft, IBM, AWS, Google and Oracle could fit under it, as well as others like Salesforce or SAP.

“The draft RFP talks about having an open season so the CIA can add providers for unclassified services as well as provider initially awarded only for unclassified cloud services,” he said. “They could award a follow on to someone in the classified world too. They are not locking themselves in to service providers.”

The industry source added the CIA also realized it will need help managing the multiple cloud instances so they are asking for cloud broker services.

“The IC’s cloud strategy is echoing what we’ve been seeing in [the] commercial marketplace, call it chapter 2. The first was move to the cloud and begin to convert capital expense to operational expense so you can free up people and data center space,” the source said. “It was very much a monetary reason to make the move. But what the government and the commercial world found out was at the end of the day you can’t move to one cloud. There were far more important things than dollar savings. You’ve got business model and operational improvements by moving to the cloud and you can really accelerate the business model changes through a multi-cloud approach.”

Enough of wasting time, resources

IT-AAC contends that moving forward with JEDI doesn’t make sense for multiple reasons.

“DoD CIO has requested the opportunity to amend its proposal, but the limited scope of its revisions amount to cosmetic change. Such tinkering will continue to stir up controversy – as evidenced by AWS’s opposition to DoD’s proposed changes – without addressing the foundational problems with the current approach to JEDI,” the memo states. “The resulting fight will force DoD to invest ever greater time and energy defending an unworkable competition. It will drag attention further away from where it belongs – delivering capability to the warfighter. In the meantime, defense agencies are rolling out their own cloud strategies that will further a disconnected governance structure, drive up costs and create future interoperability problems that JEDI sought to resolve.”

It seems clear someone at DoD needs to take a step back from JEDI, look around at what’s happening at the Air Force with its Cloud One and Platform One initiatives, and the fact that the Army and Navy are following closely behind. By now Dana Deasy, the DoD CIO, or David Norquist, the DoD deputy secretary, should be able to see that the time for JEDI has passed and the Pentagon should cut its losses and cancel the contract.


DoD, DHS setting the bar high for vendor communication

Chris Howard is used to working from home. The vice president of U.S. public sector at Nutanix has been working remotely for 15 years. But even for Howard, the changes brought on by the coronavirus pandemic have required some adjustment.

“This is our new life behind the computer screen. There is no opportunity to meet in person right now so it’s an adjustment period,” Howard said in a recent interview. “I’ve been working from home for 15 years, but I always had the flexibility to travel and see clients. But this, our new reality for 10 or 12 hours a day and it can be tough to deal with.”

Howard, like many government contractors, is using video teleconferencing systems to keep in touch with his co-workers and industry and agency partners.

“We are doing a lot of virtual lunches and some virtual happy hours just as a way to get people engaged and have a semblance of a team,” he said.

Maintaining that engagement and ensuring the relationship continues is something agencies tend to struggle with. But in this age of social distancing, certain agencies are standing out in how they are communicating with vendors and customers alike.

Alan Chvotkin, the executive vice president and senior counsel for the Professional Services Association, told the Federal Drive with Tom Temin in a recent interview that agencies and contractors are doing their best to keep moving forward. He said this means understanding the state of current and future acquisitions.

“I’ve been really pleased and thrilled with the willingness to engage and the outreach they are taking,” Chvotkin said. “We have a call with the Defense Department several times a week, and we have for the last several weeks, under [Undersecretary of Defense for Acquisition and Sustainment] Ellen Lord’s leadership with multiple trade associations. We talk through issues that arise and it results in not just a conversation, but real action.”

He said there are five or six agencies, including the Department of Homeland Security, the U.S. Agency for International Development and the General Services Administration, that have been out in front in communicating with vendors.

New DHS facility rules

To that end, DHS Chief Procurement Officer Soraya Correa released a memo on March 25 to vendors detailing new procedures for getting into agency facilities.

“Admission to the facility or work space will be limited to individuals who have been authorized access during the COVID-19 restricted access timeframe, and who have a government personal identity verification (PIV), common access card (CAC), or other documents allowing access to the facility or work space,” the guidance states. “Everyone including employees, contractors and visitors entering a DHS facility or work space may be screened prior to entry. At the St. Elizabeth campus the screening process will include a temperature check to assess that the person’s temperature is less than 100.4ºF. In addition, the person being screened will likely be asked a series of questions to determine whether the person should be permitted to enter the facilities or work space.”

Correa said these rules will remain in effect for at least 30 days.

“Contractor and subcontractor employees who are denied access to DHS facilities or work spaces should notify their employer of the denial and the basis for it,” she wrote. “In addition, in the event a contractor or subcontractor employee is denied entry, it is requested that the company notify the appropriate contracting officer, or contracting officer’s representative. If contract performance is anticipated to be affected due to the COVID-19 situation, please discuss the situation directly with the contracting officer immediately.”

Over at the Pentagon, the Defense Pricing and Contracting office has been putting out memos and guidance nearly every day. Since early March, DPC has issued 12 memos, three class deviations and two announcements. It also has posted the memos and guidance from the military services and from Lord’s office.

Most recently, Lord issued a memo to expand the use of Other Transaction Authority agreements for coronavirus programs up to $100 million for prototypes and $500 million for follow-on production agreements.

DoD equitable adjustment guidance

One of the most important memos DoD recently issued was about Equitable Adjustments for contractors. This lets the military services and Defense agencies initiate the clauses in contracts that excuse performance delays, when the failure is beyond the control and without the fault or negligence of the contractor.

This memo states that in the event of such a delay, the contractor is entitled to an equitable adjustment of the contract schedule and cost (when those costs are sufficiently supported), which means the contractor will not be in default because of an event like COVID-19. DoD says contracting officers have the standardized guidance and are working with defense contractors.

Late last week, DPC followed up on the class deviation from DoD on accelerating progress payments to contractors with nine frequently asked questions that it has received from industry.

DoD spokesman Lt. Col. Mike Andrews said in a statement that the increased progress payment rate to 90% of cost for large businesses from 80%, and to 95% for small businesses from 90% is already happening. The Defense Contract Management Agency has modified approximately 1,400 contracts that were already receiving progress payments to show the increased rates. It has also authorized the use of progress payments for additional vendors if they choose.

“We estimate this will result in over $3 billion in cash being flowed into industry,” Andrews said. “The department has high expectations that prime companies are ensuring cash flow is moving to small businesses in their respective supply chains who need it most.”

Additionally, Andrews said DCMA and the Defense Finance and Accounting Services (DFAS) are working together to ensure DoD is paying vendor invoices in a timely manner, and that DFAS has been paying at the higher progress payment rate.

Andrews said as of April 3, there have been no reported delays on contractor submitted invoices.

$265M in spending on coronavirus

Additionally, Andrews said the Joint Acquisition Task Force (JATF), led by Principal Deputy Assistant Secretary of Defense for Acquisition Stacy Cummings, serves as the single-entry point to the DoD acquisition enterprise to address the interagency’s requests for acquisition assistance.

As of April 3, DoD said it has obligated more than $265 million for actions related to the coronavirus pandemic.

“Of note, over $165 million out of the $265 million has been obligated for medical construction, mainly mobile hospitals, that will help allow civilian hospitals to free up additional space for the rising number of patients suffering from coronavirus,” said Andrews in a statement. “In addition, the remaining $100 million includes efforts to provide medical resources including masks, respirators, ventilators, gloves, gowns, fuel, food and other means of support.”

Chvotkin said whether it’s DHS or DoD or any agency, sharing their thinking and answering questions is so important since communication is more difficult.

He said more engagement from the White House or the Office of Management and Budget would be helpful too, especially around governmentwide issues and concerns.


Agencies fell well short of goal to award next-generation telecom task orders

Pulled from the “no duh” file, agencies missed a key IT and network modernization goal.

And pulled from the “I told you so” file, the $50 billion Enterprise Infrastructure Solutions (EIS) program remains on track to repeat mistakes of previous telecommunications transition efforts.

These are the common refrains of so many federal programs when there is little oversight and accountability from the Office of Management and Budget, and from Congress.

Over the last year, despite the General Services Administration’s best efforts, agencies continue to view the EIS program as “nice to have” instead of a must-have. This comes despite the fact that agencies who have taken steps to modernize their networks and infrastructures are faring better than those who did not in the current maximized telework environment.

That became clear once again this week when agencies fell well short of their goal of awarding task orders by March 31.

GSA expected:

  • Nine out of 17 large agencies to award by March 31,
  • 11 out of 25 medium agencies, and
  • 38 out of 181 small or micro agencies.

The reality is:

  • One out of 17 large agencies awarded their task order by March 31,
  • Four out of 25 medium agencies, and
  • Five out of 180 small or micro agencies.

A GSA spokeswoman said these figures are preliminary and the agency will update the data for the second fiscal quarter on or around May 15.

“As of the end of February, we expect to receive 192 solicitations across all agencies,” said Bill Zielinski, the assistant commissioner for the Office of Information Technology Category in GSA’s Federal Acquisition Service, in an interview in mid-March. “So far, 19 have made an award, meaning about 10% of all agencies not only released their solicitation but have an award in place.”

This means between now and Sept. 30, which is the next major deadline for agencies under the EIS program, vendors and GSA expect a busy six months.

“We expect to see the bulk of the fair opportunity solicitations in by end of this calendar year. Roughly, we’ve seen about one-third come through the door already, which means a busy time to get there all of them out by the end of this fiscal year. We do expect some may carry over into next year, but only a limited number,” said Chris Smith, vice president for civilian and shared services at AT&T global public sector, in an interview. “We are almost three years into EIS now and the solicitations are in different states. There are about three dozen pending to award and a good couple of dozen in progress with EIS vendors responding. For CIOs and mission leaders, this is an opportunity to modernize, transform and take full advantage of this contract.”

Collecting best practices

Several EIS vendors said the continued delays in issuing solicitations are both unfortunate and frustrating.

“We are seeing the same problems as the FTS 2001 to Networx transition. Requirements are slow to come out and the number of requirements in the addressable market is small compared to what we expected,” said Tony Wellen, the president and CEO of BT Federal, in an interview. “GSA has given agencies the date that they should be fully transitioned by May 2023, and it’s just going to be tough without the rigor and discipline that is needed.”

The industry-government group ACT-IAC is trying to provide some of that rigor and discipline.

Dave Powner, the director of strategic engagement partnerships at MITRE and the former director of IT management issues at the Government Accountability Office, said agencies need both a short-term tactical approach and a long-term strategic approach to EIS.

Powner, who is leading a working group developing case studies on several topics including IT modernization and EIS for the ACT-IAC Institute for Innovation, said when an agency looks at modernization and improving cybersecurity, the transition to EIS is important on a number of fronts, and it’s important to understand and take advantage of the catalog of products and services under the program.

“There’s always questions that come up under modernization about migrating legacy applications and systems and it can become overwhelming,” he said. “You have to prioritize to applications you want to migrate, or in the case of EIS, the systems and network pieces you want to modernize. You always will have a mixed environment so it’s a gradual process to modernize.”

The ACT-IAC working group is looking at the agencies who have made awards under EIS, such as the departments of Justice and Interior, and the Social Security Administration.

“What are the lessons learned? How did they go about awarding their projects? How are they taking advantage of the flexibilities under EIS?” Powner said. “Agencies that are doing something in the short term will progress and start building momentum. You can take those baby steps to build up credibility.”

GSA’s Zielinski said the agency is bringing vendors and customers together on a regular basis to explore technical and contractual opportunities.

“We have the opportunity to bring industry and government together so they are looking for the best of what the contract can bring to them,” he said. “Agencies should be open to listening to those proposals and perhaps different approaches to advancing modernization.”

The challenge with EIS, like Networx and FTS-2001 before it, isn’t getting agencies to understand the benefits of the new contract. It’s getting them to realize the imperative of achieving the cost savings, better services and improved cybersecurity much more quickly. Until either GSA can bring down a bigger hammer, or OMB and/or Congress take over the accountability role, EIS will continue to live in the “no duh” and “I told you so” world of IT projects.


Commerce, GSA looking for new chief data officers

Usually when we talk about people on the move, it’s chief information officers or others in similar roles.

But in recent months we’ve seen a couple of chief data officers taking their skills to the private sector or nonprofit world. Because as we all know now, it’s all about the data.

Ed Kearns, the Commerce Department chief data officer, is joining a nonprofit in April after 15 years in government.

Kris Rowley, the CDO at the General Services Administration, beat Kearns out the door, leaving in March after 18 years in government.

Rowley joined the Conference of State Bank Supervisors (CSBS) as its CDO.

Kearns posted a note on LinkedIn saying he will be CDO at the First Street Foundation, a nonprofit dedicated to the effective communication of climate risk to the public.

“Thank you to all my colleagues and partners that have made those years so rewarding,” Kearns wrote in his note.

He has been Commerce CDO since July and before that held a similar role with the National Oceanic and Atmospheric Administration.

Kearns was on detail from NOAA as the Commerce CDO. In that role, he led the implementation of the Federal Data Strategy and the Foundations of Evidence-Based Policymaking Act across Commerce.

At NOAA, Kearns oversaw the bureau’s project to enable wider use of its data by the private sector, nonprofits and academia.

He also served as a federal data fellow under the White House’s Federal Data Strategy effort, where he led the commercialization, innovation and public use working group to define practices and actions for all agencies to apply to federal data assets.

Before coming to Commerce, Kearns served as the NASA program examiner at the Office of Management and Budget and was an oceanographer at the National Park Service.

Rowley spent seven years at GSA, serving as one of the first people with the title of CDO in government starting in 2015.

During his tenure as GSA’s CDO, Rowley set the strategic vision for data management and built a data governance framework. He also established data standards, and made more use of cloud storage and business intelligence and analytics.

He also worked in GSA’s Office of Governmentwide Policy, where he stood up a performance management line of business and developed an application to standardize and collect performance management data.

Before coming to GSA, Rowley spent a year on detail to OMB as a project manager and worked for the Treasury Department, including the IRS, for 10 years.

Two other federal technology personnel changes came across the transom.

Lee Becker, the former Veterans Affairs Department’s chief of staff for the Veterans Experience Office, joined Medallia as a solutions principal. Medallia focuses on experience management through cloud tools to help businesses understand and manage customer and employee services.

Becker spent 10 years at VA, including the last three-and-a-half helping to lead the customer experience office.

In that role, Becker worked to implement and realign VA’s customer experience efforts. He helped bring in concepts like human centered design, user and digital experience and data science mechanisms from the voice of the customer to modernize and improve the experience for over 50 million veterans, families, caregivers, and survivors.

Unlike the other three executives, Rob Leahy is remaining in government, but moved to a new job. Leahy is the new CIO at NASA Goddard Space Flight Center, coming over from the IRS.

Leahy served as the deputy CIO for operations at IRS for the last 17 months before moving to NASA Goddard in February.

He replaced Dennis VanderTuig, who left in late 2019 and had been CIO since 2014.

Leahy also served as the deputy CIO at the Office of Personnel Management and spent 11 years before that also at the IRS.


Will the latest deadline begin to change the trajectory of GSA’s EIS program?

March 31 is another one of those deadlines under the Enterprise Infrastructure Solutions contract that will come and go with little fanfare.

Sure, the General Services Administration is taking a harder line with this one than with previous mandates under this $50 billion telecommunications modernization contract.

Bill Zielinski, the assistant commissioner for the Office of Information Technology Category in GSA’s Federal Acquisition Service, said starting on April 1, agencies which have not claimed responsibility or have been non-responsive to his office’s outreach will no longer be able to extend or modify services under the current contracts called Networx, Washington Interagency Telecommunications System (WITS 3) and Local Service Telecommunications.

Then, by Oct. 1 GSA will begin freezing all future growth under these contracts to help accelerate the pace of transition to EIS and not repeat the mistakes it made during the transition from FTS 2001 to Networx.

As we’ve heard many times and just as a reminder, the Government Accountability Office estimated the 33-month delay during the Networx transition cost the government more than $395 million.

“The intent there is to disincentivize, not just to request that agencies move forward, but actually put mechanisms in place so they cannot continue to utilize the old contracts as a mechanism to force more transition progress,” Zielinski said in an interview with Federal News Network. “The first phase of that is services for which no agency have claimed responsibility and for small agencies who were non-responsive to the transition outreach. In future phases, it will be based on each agency’s status at that time and the individual circumstances impacting the transition, like, for example, any potential protest, a lapse in appropriations or pending contracting modifications.”

Zielinski said GSA didn’t create these disincentives under the transition to Networx and force the transition.

“There were instances in the last transition where agencies were ordering wholly new services on the old even as we were in the midst of the transition,” he said. “In this case, if you are looking to add new services above and beyond the set you have today, they really need to go on EIS. Now as you move through EIS and put your solicitations out and move toward award, you can continue to use the old contracts for operating what you have in place, but it’s the substantially new services that will not be allowed under Networx and the associated contracts as we move into these next phases.”

It is very much still to be determined if this disincentive will work and encourage a faster transition. So far, vendors and other experts say EIS is following a similar transition path as Networx, and that’s not a good thing.

To its credit, GSA implemented some of the lessons learned from the Networx transition. GAO even highlighted that fact at a recent House Oversight and Reform Subcommittee on Government Operations hearing. But GAO also told lawmakers the onus is on the agencies to switch to EIS.

But that’s also why the March 31 deadline, and the previous three others that agencies have all but ignored, leave EIS vendors with little confidence that the current contract will not fall into similar traps as Networx.

“We are seeing the same problems as the FTS to Networx transition. The requirements are slow to come out and the amount of agency requirements in the addressable market are smaller than expected,” said Tony Wellen, the president and CEO of BT Federal, in an interview. “What we are seeing is agencies are going back to their old ways of procurements where they are putting something out that is ‘winner take all.’ There are other ways agencies can do this with multiple awardees that lets them migrate to services like managed security services. It gives them a different way of looking at things and allows them to take advantage of EIS savings.”

Quality and quantity suffering

Interviews with five of the nine EIS vendors found similar concerns about the transition taking on too much of a Networx-like flavor.

Vendors, both large and small, raised concerns not just about the delays in releasing task orders under EIS, but what the solicitations are asking for and the quality of the requirements detailed in the documents.

“The quality of the task orders haven’t improved since the early days of EIS and I think that is unfortunate,” said Diana Gowen, general manager and senior vice president of federal programs at MetTel. “We are still seeing a lot of like-for-like contracts. A lot of agencies are finalizing their solicitations and don’t feel like they have time to write a complex, innovative request for proposals.”

David Young, senior vice president for public sector for CenturyLink, said while agencies are talking a lot about IT modernization and transformation, the amount of like-for-like requirements is disappointing.

“There are agencies hell bent to do something by March 31, but some of those statements of work aren’t clear so it becomes challenging to put together a bid when people are so focused on March 31,” he said. “There are conflicts of information inside the statement of work. One page says one thing and another page says something else and you try to get clarification and it becomes more challenging. If you are trying to modernize in that environment, it’s too hard especially with the time constraints so we are seeing more and more like-for-like.”

Chris Smith, the vice president for civilian and shared services at AT&T global public sector, said he too has seen consistent errors in agency solicitations, which also delays the timeline to award.

GSA’s Zielinski said the agency is aware of the concerns from vendors about the lack of transformation or modernization requirements in solicitations. He said the data shows something different:

  • Of the 109 solicitations GSA has received so far, 79 included the move or expansion of Ethernet or voice over IP capabilities and away from the traditional telephone technologies over copper wires.
  • Of the 109 solicitations, 27 are calling for the use of software-defined wide area network (SD-WAN) capabilities.

“In many other instances, we are seeing that agencies have a mindful, thoughtful plan for how they will move forward,” Zielinski said. “When we take a look at the solicitations that are being put out, there may be a specific set of business services that an agency will need more time in order to support that change so they will move forward with a more of a like-for-like in that area. But they also are putting out solicitations that will substantially transform their underlying technology today. So it’s mixed and it’s really based upon what best fits the needs of the agency.”

Zielinski said GSA also has encouraged agencies to explore all the vendor choices they have, particularly through the EIS vendor days. The next one is scheduled for June.

Bill Zielinski, right, General Services Administration assistant commissioner for the Office of Information Technology Category, speaks on a panel with Administrator Maria Roat and Senior Procurement Executive Brendan Johnson, both of the Small Business Administration.

AT&T’s Smith said he has seen solicitations with an initial like-for-like strategy and then a longer-term modernization and transformation plan. Smith noted that EIS has 12 years left on the contract.

“We are seeing organizations ask for the full set of modern capabilities across their network like unified communications to voice capabilities to security around that to mobility, and there is a lot of interest in next generation network extending 5G to the edge,” he said. “The trend is pretty much everyone is looking for that modernization and transformation story and approach, and the question is what is their appetite for quick versus medium versus long term transition?”

‘Winner take all’ overlooks innovation?

But the trend of agencies putting out a “winner take all” solicitation given the short timeline also is a growing concern, particularly for new entrants into the market like BT Federal, MetTel and Granite.

Tim Heaps, general manager of Granite government solutions, said as agencies stick with even an initial like-for-like approach, it gives the incumbent contractors—AT&T, CenturyLink and Verizon—an advantage over the newer providers.

“How do we ensure agencies recognize importance of past performance in the commercial sector? It’s not just about size and scope,” he said. “Agencies have to provide as much information about their legacy networks, current usage of data, for instance, to create a more level playing field and then it’s more likely more of primes will bid on the solicitation.”

Vendors say agencies such as the departments of Justice and Labor and the Defense Department are or have been too focused on the one and done approach to EIS.

“What I am discovering, and we brought this up to GSA, is some agencies have released solicitations and did not include all EIS vendors. That’s problematic and against the Federal Acquisition Regulations,” said MetTel’s Gowen. “If you know about it, then you could file a pre-award protest. But if you don’t know about it, then you can’t.”

Busy summer expected

Vendors say they expect a busy spring and summer as agencies try to hit the next deadline of March 31, 2021, of transitioning at least 50% of all services to EIS.

“I’m expecting all of those 191 solicitations that we are supposed to eventually see to come out. So far, we know about 106 have been submitted for GSA scope review and about 101 have gone through scope review so we expect to see an onslaught,” Gowen said. “As you could imagine that’s a big deal for industry. We have to carefully pick and choose what we think we have a good shot at winning especially when you end up with 30 or 40 coming out at once. That is unfortunate. By waiting to the end, industry does have limited resources to bid and agencies will miss an opportunity.”

BT Federal’s Wellen added that because the penalties for not transitioning quickly or to modern technologies are minimal or non-existent, only taxpayers are truly impacted because costs continue to be high.

“Maybe there needs to be a serious discussion to perhaps to give GSA some tools to hold agencies accountable,” he said.

Or, as other vendors suggested, Congress could create a transition scorecard and hold hearings more often.

No matter the plan, it’s clear GSA can only do so much pleading, begging and convincing. Until lawmakers or the Office of Management and Budget truly bring down the accountability hammer, EIS, like Networx and like FTS-2001 before it, will continue to be just another soft, unfunded mandate on an agency’s to-do list.


With 40% of funds spent on compliance, OMB aims to give grantees some relief

Title 2 of the Code of Federal Regulations is getting its first comprehensive update in seven years.

What’s Title 2 of the CFR and why should you care? Well there are 700 billion reasons to care — this is the part of the CFR that tells agencies how to hand out more than $700 billion a year in funding to state, local, non-profit and academia communities. That’s right, it’s the regulations that govern grant making.

Victoria Collin, the chief of the management controls and assistance branch in the Office of Federal Financial Management at the Office of Management and Budget, said the administration hopes to accomplish three main goals and three policy objectives with the new grant regulations.

The first goal is straightforward and outlined in the President’s Management Agenda both around more accountability and through shared services:

“There are a number of policy objectives that we are trying to advance that can be found throughout the guidance that taken together, we hope, will change the framework and shift the framework,” Collin said in an interview with Federal News Network. “We know grantees report spending about 40% of their time on compliance-related activities associated with managing grants. We know that’s not the most efficient way to manage these taxpayer dollars. Really our goal, first and foremost, is to comb through the suite of guidance and find opportunities to shift that balance so grantees can be truly focused on achieving their mission and ultimately the purpose of the award.”

The other policy objectives center on implementing the Grant Reporting Efficiency and Assistance Transparency (GREAT) Act — which President Donald Trump signed into law on Dec. 30 — the Digital Accountability and Transparency (DATA) Act, the Evidence-Based Policymaking Act and other statutory changes over the last seven years.

Collin said a final policy area will address questions and concerns from grantees — technical nits — that were inadvertently causing challenges.

OMB released the draft of the Title 2 rewrite in January and comments were due March 23.

The update centered on reducing burden, managing risk more effectively and overall achieving program goals and objectives by focusing more on the reason for the grant than the management of the grant processes.

The word “burden” is mentioned 58 times throughout the revision. OMB wants to ease the burden around everything from financial reconciliations to exempting foreign entities from registering in the System for Award Management (SAM) to the timing of submission of the disclosure statements.

Collin said reducing burden isn’t easy and agencies haven’t done a great job figuring out how best to hold grantees accountable.

This has led to administrative and compliance costs eating up more than 20% of all spending for 27% of all respondents in the recent 2019 Grants Management survey conducted by the National Grants Management Association, the George Washington University and REI Systems.

Respondents said financial compliance takes up about 30% of their time and non-financial compliance takes up 15% of their time, while bureaucratic processes and funding uncertainty were among their biggest challenges.

Source: 2019 Grants Management survey.

Tiffany Kessler, the vice president of NGMA, said during a recent panel discussion rolling out the grants survey that one of the problems is there isn’t a clear definition of what an administrative or program cost is.

“We talked about whether we could get clarification on it, but I don’t think we can because there is too much gray area,” Kessler said. “It’s pretty clear there has to be a balance between programmatic outcomes and compliance. Do we have to have strong internal controls to maintain that balance?”

Cynthia Baugh, the deputy associate administrator in the Office of Federal Assistance Management at the Health Resources and Services Administration in the Department of Health and Human Services, said there are things agencies can do to reduce the compliance and administrative burdens such as pre-populating forms and streamlining processes.

“We think the GREAT Act will reduce the amount of data people will have to submit and the data will get more consistent,” she said at the panel. “Right now data standards are all over the place. We are working with HHS and other agencies to come up with standard data elements, and that will help.”

Collin said OMB tried to craft some language that gives agencies the tools, policies and controls to be more proactive in designing programs that focus on outcomes and in following through until the end of the grant.

“Once we’ve done that, we can give agencies much more flexibility to structure the terms and conditions of any given award based on the risk that may be associated with a particular recipient and based on that particular recipient’s performance,” she said. “The dream at a very high level is that one day there will be a world where for recipients who are low risk, who have demonstrated financial management competencies and also who are high performing that agencies can give those grant recipients an award where the terms and conditions are much more streamlined in order to enable them to focus their time and effort on achieving the mission and far less time on the compliance requirements that would otherwise be distracting and burdensome.”

Collin said one of the most prominent changes is on program design, which would be the first time OMB has given guidance to agencies on how best to design their programs that focuses on outcomes and not outputs.

At the same time, Collin and the respondents in the grants management survey blamed legacy technology for adding to the compliance burdens.

“We know by implementing the GREAT Act and coming up with standards for grants reporting and being able to create updated, modernized and digital tools that make use of those standards, we also will be able to reduce a lot of that administrative burden associated with grants right now,” she said. “In October, we published our first round of standards for grants. We are starting to think about how to implement them. In the proposal, there is language that would require all grant recipient reporting to align to those standards.”

Survey respondents said their access to technology and their ability to use technology were unsatisfactory and getting worse when compared to 2018 results.

Source: 2019 Grants Management survey.

Collin said OMB hopes to get the new 2 CFR finalized by the end of calendar year 2020. She said the number of comments OMB receives will impact the timeline.

“That would finalize the requirement for agencies to align to the standards. As far as the timing for that to actually happen, we imagine it will take more time. Agencies will have to update their systems as they have the need for that and as systems that align to the standards become available,” she said. “We are actively working with HHS and other agencies to better understand what that world may look like and how we get there from an implementation perspective. It will take some time to actually make that happen.”

Collin said this is also why the grants management shared service, for which HHS received pre-designation as a quality service management organization (QSMO), will help usher in new technology and new standards. OMB said on the Performance.gov website that HHS would deliver a five-year plan to OMB and the General Services Administration in April, and then OMB would make a final designation by fiscal 2021.


Industry on pins and needles as DoD, accreditation body to finalize CMMC agreement

The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification off the starting blocks.

Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.

Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.

Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.

“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”

Until the MOU is signed, contractors are in limbo as to how much they can prepare for the CMMC assessments.

Alan Chvotkin, the executive vice president and senior counsel at the Professional Services Council, said until contractors know what assessors are looking for, they can only do so much to prepare for CMMC.

The good news, Chvotkin said, is many companies who do work for DoD already have to go through some sort of certification process whether it’s ISO or CMMI or others.

“Under the CMMC, it’s binary or pass/fail. You either meet all of the controls for a given level or you don’t. That’s a significant difference that companies have to think about, too,” he said. “It will require a lot of investment in addition to the preparation so you are ready when the assessors come in.”

Preparing for CMMC with other certifications

Citizant is one of those companies.

Alba Aleman, CEO and founder of Citizant, an IT services firm, said the biggest challenge is knowing what evidence the assessors are looking for in their audits.

“When you do the interviews, when you try to get that evidence, it requires all of your people to speak the same language. It’s different than it happening behind the scenes and IT is handling it. That requires a lot of internal training and communications to get everyone up to the same page. That’s more resource intensive than just self-assessments.”

Pam Schoppert, the director of quality programs at Citizant, added it’s a people, process and tools challenge.

“The pragmatic application of selecting from those three areas to bring to bear the evidence is a different mindedness than saying, ‘we do it, it’s behind the walls and our people know it,’” she said. “This is a people issue, not just an IT issue. It’s getting the culture to understand this is the way we do business.”

Schoppert said Citizant just went through its sixth capability maturity model integration (CMMI) assessment and is ISO 9001 and 27001 certified, so it’s used to preparing for the audits.

But Aleman said that doesn’t mean her company is ready for CMMC.

“We are in the process of doing our gap analysis now so the three areas they are looking at is documentation changes, infrastructure changes with our managed services provider and what tool investments,” she said. “We will be looking at our costs this year to get to assessment. But the ongoing costs of continuous monitoring, we don’t know what that looks like.”

Chvotkin said the biggest costs for companies who go through the CMMC assessment will be in the up-front preparation.

“Costs will come in a couple of areas. The first is your systems preparation to be ready. The second is the cost of the assessment itself. And the third is the ongoing application of those standards for individual programs and contracts,” he said. “The biggest issue on cost is what level a company seeks certification at—1, 2, 3, 4 or 5. The higher the level of certification, the more significant the cost because the number of controls and processes that have to be complied with.”

Beware of scammers

In the meantime, until the accreditation body gets the assessors trained, DoD is warning vendors against anyone claiming they can get you certified.

Lord issued a statement on March 13 warning against any third-party assertions about CMMC.

“At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program,” she wrote.

Chvotkin said the other major piece of the CMMC rollout is the release of the Defense Federal Acquisition Regulation (DFARS) rule for CMMC.

He said that also will help vendors understand what falls under the “allowable cost” for cybersecurity that DoD is now permitting.

“For companies working on a fixed price basis, allowable costs don’t mean anything. For companies working on a cost reimbursable basis, it could. There are a lot of rules about allowability and reasonableness that have to be assessed,” Chvotkin said. “How the department finally permits and addresses the allowable cost nature of CMMC will be important and whether there will be other resources available either directly or indirectly.”

While vendors are waiting on the accreditation body, DoD is testing out the CMMC standards with the Missile Defense Agency vendors.

Arrington said MDA has been running a series of pathfinder programs using supply chain risk management standards. DoD is taking the data from those pilots and working with the vendors to see how the CMMC requirements would’ve fit into the effort.

“Those pathfinders have been very cooperative and collaborative with the primes in terms of how we do the flow down of information. It only made sense to use those as the jumping off point because we all had such a collaborative nature on those pathfinders. We just mapped the CMMC to what those look like so we can validate with the primes and subs and say is this the way you would’ve read this? Is this [the] CMMC level you think this would’ve been at? So we actually have an understanding of what it looks like,” she said. “This will help us validate the way we structured the model and the contracting so as we go through these RFIs, we have the right structure in the acquisition. We used heavily the Defense Industrial Base cybersecurity assessment capability (DIBCAC), [from the Defense Contract Management Agency], we used that pretty extensively on how they actually did an assessment on the NIST standards, their methodology and what they were doing. We are using what already has been laid out and using the best practices to get the most bang for the buck.”

DCMA did audits of its contractors using NIST SP 800-171, the cybersecurity compliance standard for contractors.

