Industry’s patience wearing thin with DoD’s CMMC, GSA’s follow-on to OASIS

Industry frustrations are rising. Whether it’s a lack of communication from agencies or a lack of patience from contractors, the honeymoon for the Biden administration seems to be ending with the late summer heat.

Two recent letters from industry associations demonstrate this waning patience.

First, the Coalition for Government Procurement sent the General Services Administration a letter in late August detailing more specific concerns with the OASIS contract vehicle replacement strategy.

Then just on Sept. 9, three associations — the IT Industry Council, the Professional Services Council and the National Defense Industrial Association (NDIA) — sent the Defense Department a letter detailing new and long-standing concerns about the Cybersecurity Maturity Model Certification (CMMC) program.

“Here we sit eight months into the administration, we had that summer lull and now as folks are coming back they expect things to move forward and that is where we are,” said Mike Hettinger, managing principal of Hettinger Strategy Group and a former Hill staff member. “If you look back over previous years, there is a hype cycle to a new administration. I remember feeling this way during [the] Obama administration, nine or 10 months in, there is a sense with every administration, let’s get going.”

That feeling is clear in the ITI Council, PSC and NDIA letter to Kathleen Hicks, the deputy secretary of Defense.

“Currently, our collective members are facing critical decision points that will impact their budgets, strategic planning and resource allocation without the benefit of knowing the status of DoD cybersecurity policy implementation. Further, the continued proliferation of federal cybersecurity requirements at the agency level compounds this uncertainty as it remains unclear how DoD requirements will align with those required by other federal agencies. This causes operational impacts that result in procurement inefficiencies and contractual modifications that are passed on to the government,” the associations wrote. “Without a statement of support for cybersecurity assurance, we are concerned that some companies may continue to delay implementation of important security practices pending an understanding of the final requirements.”

The Defense Department basically has gone dark in providing updates about CMMC.

The Pentagon launched a review of the program in April and offered a bit of an update during speeches and congressional testimony through June.

But since late June, there has been little, if any, public discussion about CMMC, leaving industry holding its collective breath.

Increased level of uncertainty

The three associations asked DoD for more clarity about the review process because it has increased the level of uncertainty throughout the defense industrial base.

“Changes to CMMC, for example, would conceivably impact the timeline, scope, and manner of implementation for program requirements. Considering this uncertainty, contractors, subcontractors, and suppliers may defer substantial investments pending communication and greater certainty about the program’s requirements,” the letter stated. “Simultaneously, companies will find it easier to develop innovative services, technologies, and processes to fit their needs if they clearly understand requirements, practices and operational efficiencies. The initial public announcement of CMMC and the interim DFARS rule motivated many companies to work diligently to improve their cybersecurity practices. We believe that increased communications and reinitiating collaboration in the areas detailed below will build on the initial success to further improve our nation’s security posture across the dynamic threat landscape.”

Hettinger said DoD’s lack of updates about its plans for CMMC also is causing rumors to swirl, such as that the Pentagon may delay implementation for a few years.

“There is the sense, particularly around CMMC, that we have been waiting for guidance or updates and nothing has come,” he said. “There is a sense that contractors are ready to take the next step and want more information from DoD.”

ITI, PSC and NDIA offer six recommendations for how DoD could improve CMMC.

“[W]e see an increasingly urgent need to standardize and improve the marking practices for the department’s controlled unclassified information (CUI) requiring protection and dissemination instructions. Currently, DoD agencies must only list what the department has described in the National Archives and Records Administration (NARA) CUI registry as CUI requiring protection,” the letter stated. “Recently, however, DIB members have been encountering DoD agencies that require the protection of all the 100-plus federal agency specific categories in the NARA CUI Registry without an attempt to identify the particular categories that relate to contract performance. For the CUI program to work, it is imperative that all DoD agencies involved in all acquisition contracts clearly, accurately, and correctly identify, define, and describe the CUI requiring protection.”

Another area of concern that the associations want DoD to address is the Defense Federal Acquisition Regulations (DFARS) interim rule from September 2020 to implement CMMC. The groups say DoD officials indicated that an updated DFARS rule for CMMC would not be ready until the end of calendar year 2021 — more than one year since public comments to the interim rule were submitted.

“It is unclear how those comments from 2020 on DFARS 252.204-7012, -7020, and -7021 have been or will be adjudicated. If there will be significant changes to CMMC, we encourage DoD to share those changes via a proposed rule rather than an immediate final rule,” the letter stated. “We also encourage DoD to conduct virtual public hearings if the department contemplates material changes to the present structure and methods. Such steps would demonstrate to industry that DoD is receptive to new perspectives and aware that input in the fast-moving IT industry may have changed since late 2020. It would also alleviate some of the uncertainty that the ecosystem is facing while the department completes the adjudication of received comments.”

GSA’s new services vehicle concerning

Industry input and better understanding of GSA’s plan is at the heart of the Coalition for Government Procurement’s letter to Jeff Koses, the agency’s senior procurement executive.

The CGP said GSA’s plan for the OASIS follow-on, called the services multiple award contract, is perplexing and would contradict the stated goals of its Federal Acquisition Service’s IT category and the administration’s category management initiative.

“The unintended consequences of the current strategy are significant. The follow-on acquisition strategy eliminates the highly successful dual contract vehicle structure, eliminating OASIS SB and OASIS in favor of a single, overarching contract vehicle for professional services. The follow-on strategy also eliminates the best value evaluation methodology for contract award that has been foundational to the success of OASIS SB and OASIS in delivering strategic mission support to customer agencies,” CGP wrote. “Finally, the follow-on strategy essentially duplicates GSA’s Multiple Award Schedule (MAS) program, increasing operational costs and complexity for customer agencies, the General Services Administration, and its industry partners.”

The duplication of the schedules program is one of the most significant concerns the association outlined.

The CGP found the services MAC would duplicate the schedules program in 14 of 15 areas, ranging from continuous open seasons, to large and small businesses in a single contract, to being able to do firm fixed price, labor hours and time and materials-type contracting.

“During [a July 22] industry day, FAS also indicated that it would rely on a dedicated team of contracting officers, including those with MAS experience. To the extent this management approach shifts services MAC workload to MAS contracting officers or otherwise diverts contracting staff from the MAS program, it raises questions about the allocation of resources and contracting support for GSA’s governmentwide contracting programs,” the letter stated. “A plan that utilizes MAS contracting officers to help administer the OASIS follow-on contracts prompts concerns about the overall impact on contracting operations and the support and development of the contracting officers. Coalition members are very concerned that already overtaxed MAS contracting officers will now be faced with additional workload, as this additional work could impact the integrity of the Schedules program. This risk of harm is not speculative. Though unquestionably successful and the single largest source of overall small business contracting, there are current workload challenges in the MAS program to be addressed. For example, concerns have been raised about the time it takes for vendors to receive a contract award or secure contract modifications.”

The coalition also said it’s unclear why GSA wants to move away from the approach used under OASIS, with one contract for large businesses and one for small businesses. And despite asking for industry input, the association said it’s apparent that GSA has all but made its decision on its approach for the services MAC.

“This decision has been made despite the fact that, as FAS announced during an industry day presentation on July 22, 2021, the business case for the follow-on strategy has yet to be completed to support its plan for the Services MAC. Under these circumstances, the credibility and utility of the business plan may be perceived, not as a discipline to identify the best contracting approach, but as a shield to defend a pre-determined contracting approach,” the letter stated. “That the OASIS follow-on strategy is a 180-degree departure from the IT Category approach raises significant questions regarding FAS’s overall market strategy and its continuing support of small business opportunities. It is difficult, from an industry partner perspective, to see how FAS reconciles the two diametrically opposed approaches. Finally, as noted, the planned elimination of a specific channel for small and disadvantaged businesses, and the associated increase in difficulty of use for agency customers and those businesses, appears to run contrary to the express goals of this administration.”

The coalition asked for a meeting with Koses to further explain its concerns and understand GSA’s plans.

These two letters are just a small sample of what portends to be a growing frustration between industry and government on these governmentwide initiatives. Hettinger said the honeymoon may be over in some areas like CMMC and the services MAC, but in others, like cybersecurity, industry, generally speaking, is quite pleased with what they have seen from agencies.

Memorial service for Rob Coen

The family of Rob Coen, a long-time federal acquisition executive who recently and unexpectedly passed away, is holding a memorial on Sept. 18 in Annapolis, Maryland, at the Calvary United Methodist Church at 12 p.m.

The memorial service will be held only in person.

“We will gather to share some of our favorite stories and to honor Rob’s memory,” the invitation states.

Coen, who worked at the General Services Administration and the National Institutes of Health’s IT Acquisition and Assessment Center, was 51 years old. In lieu of flowers, donations may be made in his memory to the David J. Coen Scholarship Fund c/o St. Agatha School, 440 Adams St. Milton, Massachusetts, 02186.
