As a result, there has been no shortage of procurement legislation and regulation prohibiting or curtailing the federal government’s purchase of Chinese products: Section 889 of the Fiscal Year (FY) 2019 National Defense Authorization Act (NDAA) (restrictions on the use of telecommunications equipment and services); Section 847 of the FY 2020 NDAA (mitigating risks related to foreign ownership, control, or influence of Department of Defense (DoD) contractors or subcontractors); Section 223 of the FY 2021 NDAA (disclosure of funding sources in applications for federal research and development awards); and Section 5949 of the FY 2023 NDAA (prohibition of certain semiconductor products and services).

Even more legislation may be on the way, as we see provisions in the House version of the FY 2025 NDAA (see, e.g., Sections 173, 178, 242, 807, 1706, and 1722) and in the Senate version of the bill (see, e.g., Sections 885, 886, 887, 888, and 889).

Two different supply chain supply regimes essentially govern supply acquisition: The Buy American Act (BAA) and the Trade Agreements Act (TAA). Recently, there has been a renewed focus on the BAA, as the domestic component requirements have been increased.

The BAA, however, is a price evaluation preference, which means if the price of a Chinese product is low enough, the federal government will buy that product. For large business offerors, the price preference added to non-domestic offers is 20%, and for small business offerors, it is 30%. Under DoD acquisitions, the preference is 50% for all domestic offerors, regardless of size.

Depending on the item and the value of the acquisition, the TAA or other specific free trade agreements might apply because the United States Trade Representative (USTR) has waived the BAA for many supply acquisitions above specific thresholds, ranging from 50,000 to 174,000. If the TAA applies, offerors generally must supply products made domestically or in allied countries.  Most major acquisitions for commercial products, like the MAS program, are subject to the TAA.

Under the TAA, Chinese products are not eligible for purchase because China is not a signatory to the TAA. Although the BAA favors domestic production, it has the downside of allowing the acquisition of Chinese products in certain circumstances. The TAA provides a holistic approach to strengthening the supply chain, by taking advantage of the economic advantages and technical capabilities of our domestic sources and our allies, with the added benefit of providing domestic firms with the ability to participate in the procurements of allied countries. The differences between the BAA and TAA are important considerations as government and industry work together to address supply chain security and resiliency.

The post Competing global supply chain approaches first appeared on Federal News Network.

Senate Armed Services Committee leaders filed their version of the National Defense Authorization Act for fiscal 2025 on Monday, which was passed behind closed doors last month in a 22-3 vote. The bill is now heading to the Senate floor for consideration.

The legislation includes an amendment to a portion of Section 1521 of the defense bill for fiscal 2022, which centralizes the procurement of cyber products and services across the Defense Department. 

The fiscal 2022 defense bill states that the DoD components can’t independently purchase cyber services unless they can buy services at a lower per-unit price than what the DoD chief information officer office, which leads department-wide procurement of cyber services, offers. The components can also procure cyber services independently if the DoD CIO office approves the purchase.

If passed, the amendment included in the 2025 defense bill would allow DoD components to buy cyber services independently if they can demonstrate the “compelling need that the requirement of the product has due to its urgency, or to ensure product or service competition within the market.”

Sen. Eric Schmitt (R-Mo.), who has long expressed concern about the Defense Department’s increasing reliance on Microsoft for its cyber products, initiated the amendment.

“DoD CIO has used this authority to create a one-size-fits-all approach to all DoD components, causing serious concerns related to a single zero-day flaw being used to create massive disruptions across DoD’s networks. The amendment returns decision-making power back to DoD components, so they can adopt tailored cybersecurity approaches based on the threats they face,” the amendment summary shared with Federal News Network says.

In May, Schmitt, along with Sen. Ron Wyden (D-Ore.), sent a letter to the Pentagon inquiring about the department’s push to implement Microsoft’s most expensive licenses, known as E5, across all components. The Pentagon already widely relies on Microsoft products and services but it has been considering mandating all components to upgrade to Microsoft’s E5 license as part of its effort to achieve the target level of zero trust by 2027.

“Although we welcome the department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs and better outcomes related to cybersecurity,” Schmitt and Wyden wrote.

Another amendment, also spearheaded by Schmitt, would require companies that conduct software development in China to notify the Pentagon if they are required to disclose any software vulnerability to any Chinese agency, such as the Ministry of Industry and Information Technology.

“PRC security laws mandate that cyber companies with presences in China must report any flaw discovered to their government, potentially giving state-sponsored hackers a treasure trove of zero-day flaws to exploit. This bill would ensure that companies doing business with DoD that have presences in the PRC report the same information to their US-based arm as their PRC arm reports to the CCP government,” the summary of the amendment provided to Federal News Network reads.

The provision amends Section 855 of the fiscal 2022 defense policy bill and is identical to the Defense Technology Reporting Parity Act, which Schmitt filed on the floor prior to the 2025 defense policy bill.

The two amendments signal lawmakers’ growing concern about the Pentagons’ reliance on a single vendor for its cybersecurity products.

The fiscal 2025 defense policy bill authorizes a topline of $911.8 billion, which exceeds spending limits imposed by the Fiscal Responsibility Act passed last year.

Sen. Jack Reed (D-R.I.), chairman of the Armed Services Committee, voted against the legislation due to the funding increase that would break the spending caps.

“I regret that I needed to vote against passage of this bill because it includes a funding increase that cannot be appropriated without breaking lawful spending caps and causing unintended harm to our military. I appreciate the need for greater defense spending to ensure our national security, but I cannot support this approach,” Reed said in a statement.

The House passed its version of the defense bill last month, and the two chambers will have to negotiate to pass the bill before the end of 2024.

The post NDAA amendment to give more authority to DoD components to buy cyber products first appeared on Federal News Network.

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is exactly what it sounds like: a mandate for reporting. There’s also a cyber reporting rule from the Securities and Exchange Commission already in effect. Is it overkill? Executive Vice President for Policy at the Professional Services Council Stephanie Kostro shared more with the Federal Drive with Tom Temin.

Interview transcript:

Tom Temin
Sounds like contractors are waking up and looking across the landscape at reporting rules. And everywhere you look, there’s another one.

Stephanie Kostro
I have likened to this set of proposed rules and final rules, etc., as a flurry. And it really has been a plethora of cyber incident reporting requirements coming down, not just for companies across the economy, but specifically for government contractors. And we’re following I think it’s 16 separate actions very, very carefully. And those things range from exactly what you said, the SEC had a rule go final last December, that talked about reporting of significant cyber incidents, and it already looks like there are companies out in the economy who are not paying attention to that rule, and has been called to question in several ways in the courts. And so as we move forward with this CIRCIA proposed rule, PSC submitted comments. I think they received close to 300 very substantive, meaty sets of comments. It really is an active space, and contractors are watching it very, very closely.

Tom Temin
Because there doesn’t seem to be a lot of coordination among the agencies that are imposing these rules. Here, you’ve got two we just mentioned that our cyber alone and there might be more coming.

Stephanie Kostro
That’s exactly right. Last year, the second half of 2023, the Office of the National Cyber Director — that’s an office within the White House — released a request for information, asking the public, ‘how can we better harmonize these cyber requirements,’ not just reporting requirements, but across the board. And we, along with others provided some substantive feedback on that. But the landscape continually changes, and we’ve seen lots of proposals introduced, since those comments were due so in the last, say, eight to 10 months, even more cyber incident reporting requirements have come across the transom. Courts are challenging, companies are not necessarily following the rules. It’s really sort of I would liken it to a maelstrom of activity. We are very concerned that some of these reporting requirements might be overly burdensome, particularly on government contractors whose very livelihoods depend on federal work, and they want to be compliant. It’s just what rules should they be more compliant with? It goes back to the old literary references to all these things are created equal, but some are more equal than others. Which ones take precedence for government contractors, which ones should really be the name of the game? And we have some thoughts on that. PSC stands ready to help with collaboration, to help with cooperation with the government to figure out what actually makes our nation more cyber secure, and what incidents should be reported. What ones have the potential to materially impact either the company or the work that the government needs to perform? And so as we move forward, we, alongside several other associations and other companies, want to be helpful in this regard. There’s just so much going on?

Tom Temin
Well, I guess the SEC, to use that example, can only ask publicly traded companies to report and then I presume — I haven’t read their rule — but it would be any incident that might materially affect their being invested in or something, some result that they would have that investors would make a decision on. But in the case of the Cybersecurity and Infrastructure Security Agency, they would be concerned about impacts on the cybersecurity operations and the continuing operations of infrastructure providers. So different purposes for the rules. What’s PSC’s main commentary here? What are you saying, in general, to all these agencies?

Stephanie Kostro
Really happy that you mentioned that, Tom, because some of those government contractors are publicly traded companies. So they are subject to both sets of rules. And our position is, what is CISA trying to do in this space? We want to be supportive of the maintenance and sustainment of government operations, to make sure folks are more cyber secure. So we are hoping to work with them on what entities should be covered, what kinds of cyber incidents should be covered. And to be honest CIRCIA also, this proposed rule talks about ransomware payments or ransom payments. As we move forward, information about payments, etc., that’s important. But does that actually make you more cyber secure? it’s really unpacking what causes the cyber incursions and incidents and preventing them from starting even in the first place. And that is what makes us more cyber secure. And that’s what we at PSC would like to focus on.

Tom Temin
We’re speaking with Stephanie Kostro, executive vice president for policy at the Professional Services Council. There’s another rule reporting situation, of different context, and that is a final rule from the Small Business Administration, getting rid of the idea that you can self-certify that you are service-disabled veteran-owned. And there is a site at which people could do that. That site is not working too well. So what are you finding here? What’s going on?

Stephanie Kostro
I love that you bring this one up as well, Tom, because comments were due here on July 8, regarding this SBA direct final rule, and it’s something that’s not going through their proposed rulemaking process. It’s a direct final rule. And it would implement a section of the fiscal year 2024 National Defense Authorization Act, which eliminates the ability for these service-disabled veteran-owned small businesses to self-certify, to say that they are in fact, service-disabled veterans who have ownership stakes in these small businesses to go through the [Veteran Small Business Certification (VetCERT)] program. We, on the face of it, are supportive of this. It’s the timelines that we are questioning. And here’s the rub. And you mentioned it, Tom: This direct federal rule goes into effect August 5. If you go to the VetCERT program website, they are taking it down to upgrade it on August 1, and it estimates that it will be out for about a month or so, potentially longer, to do system wide upgrades. And what they say is if you’re trying to apply for certification as a service-disabled veteran-owned small business, please wait until this upgrade is over. The issue that we’re facing here is if the website is down and you can’t have new applicants applying for certification here, you’re going to run into a backlog of folks looking for certification. And we wonder whether the SBA has the manpower and the resources necessary to work through that backlog as quickly as they need to. Because, as of October 1 of this year, if you want to get credit for participating as a service-disabled veteran-owned small business, or you have that kind of business among your subcontractors, if you want to claim credit for participation, they have to be certified through this program. So it’s one of these things where I am not entirely sure that, on the face of it, it could be the people writing this direct final rule didn’t talk to the website folks. That happens a lot, not just in government, but across the economy and in companies too. But I hope that they can look at this and go, ‘Hey, maybe we can we can find some wiggle room here for companies to be able to comply with this final rule in a timely manner in a way that makes sense.’ Currently, it just looks like they’re gonna run into a brick wall here.

Tom Temin
Yeah, sounds like the technology and the policy aren’t quite aligned, and not the first time we’ve seen that happen.

Stephanie Kostro
Exactly, exactly. Again, that’s not solely the realm of the government; this happens in companies too. But I would like the SBA, when they read our comments, to note that this is really not a great situation. And they have the power to change some of this.

Tom Temin
All right. And in the couple of minutes we have with you, I wanted to go to a third topic, and that is some of the National Defense Authorization provisions in the House version. And there is a little bit more inflation relief, temporary authority to help adjust for inflation. I’m presuming PSC is in favor of that one?

Stephanie Kostro 

We are very much in favor of that. This was a provision that was put into law last year, and it was extended again, and the House passed version of the National Defense Authorization Act for Fiscal 2025 would extend it again. This is temporary authority to allow companies to claim costs incurred for inflation related expenses. And so this is subject to the availability of funds — these kinds of provisions always are — we just like to have the ability for companies to recoup any unexpected expenses due to inflation. And we talked a lot about inflation two years ago, a year and a half ago, even a year ago, it still hasn’t come down to where companies had planned for it to be. And so some of these costs are much higher than they had anticipated and planned for.

Tom Temin
Right. There’s a pretty strong labor market in the United States. And that’s where a lot of the inflation you might see in professional services.

Stephanie Kostro
That’s exactly right, Tom, and we have a tight labor market where we’ve got more job openings than job seekers. And so, as we move forward, we’re gonna have to adjust how we think about labor. And I think we are all for paying laborers more, certainly a wage that they deserve, and even thinking through what the long term implications of this higher-than-expected inflation would be.

Tom Temin
And then there’s the pilot project that the NDAA would launch, and that is that the loser pays for protests, legal costs.

Stephanie Kostro
So this is sort of Groundhog Day for us, Tom, this provision, when if a protest lodged with the Government Accountability Office is denied, that the contractor would pay [the Defense Department] for costs incurred to defend the protest. This was the law of the land from the fiscal year 2018 NDAA; it was repealed. Studies have been done that this kind of approach isn’t the most effective. There aren’t a lot of frivolous protests. And a lot of times GAO comes down not with a clean denial of protest, but something in between where the government and the company work something out. And it’s really unclear to us what would count as a cost incurred by the department in defending a protest. And so, PSC, like we did last year when this provision was in the NDAA, stands ready to talk about negative impacts of protests and to figure out a way that we could help in this regard. I just don’t think rehashing old language is the way to go. And we’re looking to be helpful in that.

The post Contractors see new cyber reporting rules everywhere they look first appeared on Federal News Network.

Complaints are coming from contractors on the General Services Administration’s multiple-award schedule. They say contracting officers are trying to re-negotiate finished contracts and making unreasonable demands for information. For more, the Federal Drive with Tom Temin talked with federal sales and marketing consultant Larry Allen.

Interview transcript 

Tom Temin  And you have found that this is mainly happening in the information technology part of the Unified Schedules program.

Larry Allen That’s right. And at the outset, you know, I’ve worked on the GSA Schedules program for well over 30 years. And we certainly have seen things ebb and flow over that time. But recently, the level of industry discussion on problems, particularly with the IT schedule, has been pointing up close to an all-time high. And it’s time to get these issues out in front of people… get a little disinfecting sunshine on them, if you will, so that we have a program that works better not just for contractors, but for government customers.

Tom Temin Well, what is happening? What are contracting officers actually doing, that the contractors are complaining about?

Larry Allen  They’re doing several things. I think one of the most notable things, Tom, is that there seems to be no end to the amount of data that contracting officers feel that they are entitled to. Papering the record, just one more set of transactional data, and you know, all of that data…everything a contractor submits, it has to be accurate, current and complete. And the more you’re asked to submit, the more, you’ve got to keep track of everything and make sure you’re meeting that standard. And if you’re not, then you are setting yourself up for some future potential audit problems, not to mention the paperwork that you’re having to provide in an endless stream of requests that come. One of the other things that’s happening is — and you alluded to it in the setup — and that is (for) contracts that are already in place, GSA has already negotiated it, the contracting officer has found that to be a fair and reasonable price. Six months (or) a year later, a company comes in and asks for a contract modification. And the contracting officer now uses that as an occasion to reopen negotiations on everything and say, ‘Well, wait a minute, that maybe wasn’t a fair and reasonable price.’ And the contractor is left saying, ‘Well, wait a minute, this is how I’ve been selling. I’ve been doing this for the last year, people enjoy doing business with me this way.’ You know, there’s only so much blood in the turnip that you can give. And that’s an issue too. I think one of the things that every contractor ought to be concerned about as well, Tom is contracting officers asking companies who have their contract set up through GSA’s Transactional Data Reporting pilot, for contractor-based sales information. That’s not supposed to happen at all. And it’s a real danger for me, I think, look, when TDR was set up, I put a blackbox warning out on it on exactly this issue. And since then, things have you know, mitigated a little bit where TDR has proven to be a viable pathway for companies who can’t use the traditional method to get on scheduled. But if we’re getting into a situation where there’s no standard for what constitutes enough data, or how much data because there’s not supposed to be any data in the first place, that is a moment that every TDR contractor should wake up and say, ‘Stop. What’s going on here?’

Tom Temin We’re speaking with Larry Allen, president of Allen Federal Business Partners. I mean, there are legal restrictions on what the government can ask for — correct? — in what are basically totally commercial products. This is not cost plus contracts or development contracts, but simply commercial items available widely.

Larry Allen Right. And I think this is one of the disconnects, Tom. First of all, the Paperwork Reduction Act is a rule that even the schedules program has to adhere to, where the government is only supposed to make reasonable data requests. And in fact, GSA has to go out every so often, and renew its authority to collect data from contractors. Usually, that type of request is rubber stamped at the FAR Council. But right now, I don’t think it should be. It seems like if it just sales through the rulemaking process, then the idea is that whatever we’re asking for is fine, and we’re not asking for anything more than we should be. And that’s manifestly not the case. Ironically, we’re talking about this at a time when GSA is trying to be pro-environment, but there are a lot of trees that are losing their lives to provide the paperwork, the contracting officers want. Are you aware that GSA management is aware of this? And maybe we’ll do something to mitigate it… get some word out to their CEOs? Tom, I think they weren’t aware of it before this, but they’re aware of it now. I know that the schedules program management office is aware of these issues. They’ve already indicated that they want to have discussions with the contracting officer management team at the IT part of GSA. I think that’s a good idea. But I do think it’s going to take some senior level intervention here to say, ‘Hey, look, this program worked best when it’s a partnership. When contractors and GSA work together to serve our common federal customer. This is not a program that works well of contractors have a target on their back.’  And just because you’re doing $20 billions a year today through this program, from the IT schedule doesn’t mean that thus now and forevermore, it shall be. One need look no further, Tom, than the Oasis Plus Program and the fact that Oasis overtook the GSA professional services schedule in terms of sales a couple of years ago. So you can actually kill the goose that lays the golden egg.

Tom Temin All right, well, we’ll keep an eye on that one and see what develops. Especially as you say, there’s a lot of G wax around that people can use alternatively to the to the schedules. Also your reporting that whistleblower lawsuits are reaching companies in greater frequency, especially to help enforce the cybersecurity regime.

Larry Allen That’s right, Tom, we’d forecast when all the cybersecurity rules started coming down, that the primary way that they would be enforced would be through whistleblower cases. And we’re just starting now to get some evidence that that’s actually what’s playing out. We had a whistleblower, this time, blowing the whistle against SAIC alleging that on one of their government contracts, they didn’t fulfill all the cybersecurity duties they were supposed to adhere to. We don’t know whether that’s true or not. But what we can say is that once the allegations were made, the contractor in this case acted in a way that is probably not a best practice. You don’t solely isolate the employee, you don’t take away their rights, you don’t fire them for blowing the whistle. There are FAR rules on that type of stuff. And you can actually make the situation worse for yourself. Because now instead of just having to defend against the cybersecurity allegations, you’ve got a retaliation suit that you’re gonna have to settle as well. So it’s just really full employment for your legal staff.

Tom Temin Yeah. So, what’s your best advice for companies then, besides making sure the cyber procedures are in place that are required to start with?

Larry Allen Well, I think at a basic level, if you have whistle — every company has, on paper anyway, whistleblower protections. Those whistleblower protections actually have to be operational. It’s nice to have them on a piece of paper, it’s nice to have them in a policy document, but they actually have to be lived. And don’t fear the people who blow the whistle. Look if, at a minimum, if you’d listened to the whistleblower in this case, you would have an opportunity to know whether or not the allegations were valid or not. Now you’ve got lawyers involved and the Department of Justice, it’s going to cost you a lot of money, it’s probably going to cost at least one person, their job in the company. And you didn’t need to do it. So, my advice is to relax, work through it, follow the rules that you’re supposed to follow. They’re there for a reason. And they can actually save you some time and aggravation.

Tom Temin I guess that’s our theme today. Stay within your guidelines and your lanes of travel, whether you’re government or industry.

Larry Allen I think that’s a good takeaway. These things exist for a reason and they help make sure that we have a good government market. And that’s really what the outline is. We want to be able to have the business of government run smoothly.

The post GSA contracting officers are driving schedule holders crazy first appeared on Federal News Network.

The committee today voted to approve a bill from Rep. Carlos Gimenez (R-Fl.), “Decoupling from Foreign Adversarial Battery Dependence Act.” The bill would block DHS from procuring batteries from six Chinese companies over concerns about human rights abuses, as well as supply chain and cybersecurity concerns.

Under the legislation, the ban would begin on Oct. 1, 2027.

During today’s markup, Gimenez said he had engaged with DHS in developing the legislation over the past two months. “The committee incorporated nearly all of DHS’s inputs,” he said.

Gimenez also said he was expecting a report from DHS within the coming months describing the potential impacts of the proposed ban.

Under the bill, DHS would be able to waive the prohibition if it determines the battery purchases don’t pose a national security risk. DHS would also be able to issue a waiver if there are no viable alternatives.

The latest push targeting major Chinese battery manufacturers comes after the fiscal 2024 defense authorization act included a corresponding ban on the Defense Department buying batteries from the same six companies. The DoD ban will also go into effect on Oct. 1, 2027.

That law, however, gives the Pentagon the ability to waive the limitation for any reason.

TSA commuting legislation

The homeland security committee today also unanimously passed legislation that would explore better compensating Transportation Security Committee employees for the time they spend commuting to the job.

The “TSA Commuting Fairness Act,” introduced by Rep. Tim Kennedy (D-N.Y.), would require TSA to conduct a feasibility study on allowing employees to clock in for work when they arrive at airport parking lots or bus and transit stops. The study would evaluate whether such a program could rely on location data from employees’ phones.

“Doing so would reduce commuting costs and improve quality of life for employees while allowing TSA leadership to manage the workforce appropriately and maintain order and discipline,” Kennedy said during today’s mark-up.

Kennedy referenced how TSA employees typically have to navigate a lengthy secondary commute between airport parking lots and their assigned airport checkpoints. Many have to wait for bus or light rail connections, or they have to walk to the from the lot to the airport. “And if these hardworking Americans are just a few minutes late to clock in, they can face discipline and punishment,” he added.

“This study will help both TSA and Congress gain insight into ways to address these challenges and the potential costs and benefits of pursuing an innovative program along these lines,” Kennedy said.

Digital identity report

The committee also unanimously approved a bill introduced by Rep. Clay Higgins that would require TSA to submit a report on the current state of “digital identity” ecosystems, as well as the value of digital IDs in the transportation sector.

Higgins said he supports TSA’s digital ID initiatives. “It’s also important that we understand the full extent of the risks and benefits of utilizing this technology to advance the agency’s homeland security mission,” he added.

“Using a digital ID is not only more convenient, but also better for ensuring privacy protection as opposed to using conventional physical IDs,” Higgins said. “Digital IDs do not need to be handled by a [transportation security officer].”

TSA has started accepting digital IDs, such as mobile drivers licenses that are stored in a mobile phone’s electronic wallet, at some airport checkpoints. The agency this week announced it would begin accepting New York state-issued mobile drivers licenses at select airports. The announcement brings TSA’s digital ID initiative to nine states and 28 airports so far.

TSA’s work has represented a primary pathfinder in the federal government’s acceptance of digital IDs. Meanwhile, the National Institute of Standards and Technology is considering including mobile drivers licenses and other digital credentials in its revised digital identity guidelines.

The post Lawmakers advance DHS bills to ban Chinese batteries, help TSAers with commute first appeared on Federal News Network.

The Navy isn’t the only military service that struggles with big shipbuilding programs. Two of the Coast Guard’s biggest programs — the Offshore Patrol Cutter and the Polar Security Cutter — are years behind schedule and billions of dollars over budget. The Government Accountability Office (GAO) says those cost and schedule increases are signs of broader management and oversight problems. For more on the Federal Drive with Tom Temin, Federal News Networks Host of On DoD, Jared Serbu talked with Shelby Oakley, GAO’s Director for Contracting and National Security Issues.

Interview Transcript: 

Jared Serbu I think it’s fair to say the Coast Guard has really had major struggles over the years with these major acquisition programs. I know your recent testimony was focused really on just a couple of those, the offshore patrol cutter and the polar security cutter. So what did those programs sort of tell us about the state of play in major shipbuilding programs across the Coast Guard, and how much things have improved or not over the years?

Shelby Oakley Yeah, unfortunately, I think with OPC (Offshore Patrol Cutter) and PSC (Polar Security Cutter), they are kind of indicative of the things that we’ve seen as struggles for Coast Guard shipbuilding, but also Navy shipbuilding over the years. Just major challenges with achieving stable designs to support actually beginning construction, and what that often results in is rework and delays and that kind of thing. And I think, OPC and PSC are delayed four and five years respectively, are now 11 billion and at least $2 billion over budget. So these outcomes are just a bit of a challenge, especially for an organization like Coast Guard with such a small budget for acquisitions.

Jared Serbu Yeah. And you talk about concurrency in the testimony, is that really the main issue here, moving ahead into later phases of the program before you really have a clear picture of what you’re doing?

Shelby Oakley It’s a huge issue. We’ve done a lot of work over the years on commercial shipbuilding. And the outcomes that commercial shipbuilders achieve are nothing like we see in the Coast Guard and the Navy. They are on time and on budget. And it’s not kind of a question. And the common things that we see them do, or what we call leading practices for shipbuilding and ship design, and one of the main parameters is they just don’t move forward until they’re, key elements of their design are matured. This is like structural layouts, where the equipment’s going to go. All sorts of things like that need to be figured out before you move forward and start cutting steel or bending metal, as they say, because any changes at that point really result in reverberating bad effects. And we saw that on PSC. They had designed the height of the deck, for one of the lower decks of the ship incorrectly. And that had reverberating design change impacts throughout the ship. Had they have begun constructing that ship, at this point, we would have been in big trouble. But at least they’re just focused on redesigning those aspects at this point.

Jared Serbu You mentioned the agency size issue earlier, and that’s kind of where my head goes sometimes when I think about the Coast Guard challenges relatively small agency doing incredibly complex engineering and acquisition work. But then I remind myself, well, the Navy has an entire command that’s, I think, bigger than the whole Coast Guard that does this stuff. And they face many of the same issues. So is there just something inherent to naval shipbuilding or is this really all process improvement stuff?

Shelby Oakley Yeah. I think one of the key differences that we see, between like government shipbuilding and commercial shipbuilding is this issue of lack of discipline. And this is sometimes driven by, the industrial base. So with commercial shipbuilding they have a ship lined up right after one another. So they have to keep those ships moving through the shipyards, otherwise there’s severe financial ramifications for those companies. That’s just not what we see in government shipbuilding. And government shipbuilding, they’re allowed to proceed with design, with construction too early. Any challenges that we run into, we end up just throwing more money at these programs. There’s been a lack of incentive in the industrial base because of kind of fits and starts of demand signal from the Navy and the Coast Guard. And so there’s a lack of incentive to do and key investments, in technology or processes that could improve their performance in design and construction. And so there is something about government shipbuilding that’s a little bit different. But if you look at the practices that we outline, there really just kind of common sense, they’re not shocking to anybody. They’re like logical and disciplined approaches that anybody would apply to their own life if you were buying a house or designing a pool.

Jared Serbu One of the things in in your testimony that was striking to me, as you talk about these very long periods between milestone events, which are, I guess, the triggers that are designed to get senior leaders to really review a program in depth and make course corrections if they need to. They’re like 4 or 5 years apart on these programs, like how big a role does that play in letting these things kind of spin out of control?

Shelby Oakley Well, it’s the early warning signal. If you don’t have a milestone for several years, you’re not tracking anything. You’re not tracking delays to that. So it doesn’t trigger this oversight review from Coast Guard officials or even DHS officials to be able to say, hey, wait, we’re heading in the wrong direction or things aren’t going so great, maybe we need to figure it out. And so we’ve made a number of recommendations over the years for the Coast Guard to add milestones to their acquisition baselines, so that there can be closer tracking of that progress to give a sense of how well the program is doing.

Jared Serbu These two programs that we were talking about, specifically the OPC and the PSC. They’re pretty far down the line at this point. On those programs specifically, to what extent is the diet kind of cast by past decisions that have been made? And how much can they specifically do to improve on these two?

Shelby Oakley Yeah. So I think there’s two separate answers there. So OPC as you know, has two stages. OPC stage one with just the first four ships are already underway and construction. OPC stage two is planning to start construction in September. And so we would suggest that the Coast Guard has an opportunity to make sure that the design of OPC stage two is matured sufficiently to be able to justify moving forward with that construction decision. And so if they do that, that could put them on a better path for OPC stage two. After those first 15 ships, the Coast Guard’s intending to buy 25 ships total. We think for that next ten, there’s an opportunity to really rethink how we’re going about building these ships and driving more of these commercial practices into their approaches for that. So we think that there will be an opportunity in the long run for this program to make some changes. With regard to PSC, they plan to start construction by the end of the year. And we made a recommendation that they ensure that their design is mature and they understand how everything’s working before they move forward with that. They concurred. But we have yet to have, confidence that they will actually ensure that the design is mature before they move forward. If they don’t, it’s going to lead to a lot of risky decisions and a lot of risky, risky outcomes that hopefully the Coast Guard at that point would more closely manage and ensure that we’re executing that program to the best extent possible, given the risk that we’ve accepted by moving forward.

Jared Serbu As you mentioned, these leading practices have been down on paper since 2009. Still not much evidence of them showing up in programs. Is this something Congress should consider getting involved in?

Shelby Oakley Yeah. So, we did our first tranche of work in 2009. And Congress has taken some action, specifically with regard to Navy programs, in requiring certain aspects of those leading practices. We have some matters for congressional consideration out there for Coast Guard programs that we’re hoping that the Congress takes a good look at, especially in light of our most recent report that we updated those practices, this spring. There are a lot of similarities, but some new nuances given ten years, ten plus years of advancements in technology that these commercial shipbuilders all around the world are really employing to a great extent and to great success.

Jared Serbu I did want to ask you one more question about the comparison between commercial and military. It seems like it wouldn’t be that easy for government work to just get plugged into one of these commercial shipyards that doesn’t already do much government work. That’s one of the issues here, you sort of do need people with government experience?

Shelby Oakley Yeah. I think we’ve seen on the, OPC and PSC that the shipbuilders have a lack of experience in government contracting. And that has led to some of the problems. They don’t have the systems or capacities available that a lot of these major shipbuilders have that are consistently in this kind of government space. And so with the commercial practices, we’re not necessarily saying go to commercial yards and have those ships built there. What we’re saying is these builders that work for the government, that’s their primary business, need to begin thinking about those practices that commercial builders use and how they could apply them in the government space to achieve better outcomes. And the DoD and the Coast Guard play a role in incentivizing them to do that, and requiring them to do that.

The post Coast Guard still struggling with major acquisition programs first appeared on Federal News Network.

When it comes to software development, the Army is going to stop worrying about the color of money.

That’s because as part of its new approach to software modernization, the Army is rethinking what sustainment means.

Margaret Boatner is the deputy assistant secretary of the Army for strategy and acquisition reform, said one of the main tenets of the policy signed by Army Secretary Christine Wormuth in March is to reform several legacy processes that is keeping the service from adopting modern software development approaches.

“We are targeting a couple of really key processes like our test and evaluation processes, and importantly, our cybersecurity processes. We really are trying to modernize and streamline those as well as changing the way we think about sustainment because software is really never done. We really have to retrain ourselves to think about and to acknowledge the fact that software really needs to stay in development all the time,” Boatner said in an exclusive interview with Federal News Network. “Right now, our systems and our acquisition programs, once they’re done being developed, they go through a process that we call transition to sustainment, meaning they’ve been fully developed and are now going to live in our inventory for 10, 20, 30 years. We’re going to sustain them for a long period of time. When a system makes that transition, the financial management regulations dictate that they use a certain color of money, operations and maintenance dollars. With that color of money, we can really only do minor patches, fixes and bug updates. So that’s an example of a legacy process that, when you’re talking about a software system, really tied our arms behind our back. It really prevented us from doing true development over the long term with the software solutions.”

Boatner said under the new policy, software will no longer make the transition to sustainment. Instead, the program office will keep operating under research, development, test and evaluation (RDT&E) funding.

“It’s recognizing that a continuous integration/continuous delivery (CI/CD) model software is never done. That way, our program managers can plan to use the appropriate color of money, which in many cases might be RDT&E, which is the color money you need to do true development,” she said. “So, that will give our program managers a lot more flexibility to determine the appropriate color money based on what they want to do, such that our software systems can really continue to be developed over time.”

The Army has been on this path to software modernization path for several years, with it culminating with the March memo.

With the lessons from the 11 software pathways to testing out a new approach to a continuous authority to operate to the broad adoption of the Adaptive Acquisition Framework, Boatner and Leo Garciga, the Army’s chief information officer, are clearing obstacles, modernizing policies and attempting to change the culture of how the Army buys, builds and manages software.

Army updating ATO policy

Garciga said by keeping programs under the RDT&E bucket, the Army is recognizing the other changes it needs to complete to make these efforts more successful.

“We need to relook at processes like interoperability. Historically, that was not a parallel process, but definitely a series process. How do we change the way we look at that to bring it into this model where we’re developing at speed and scale all the time?” he said. “I think we’re starting to see the beginnings of the second- and third-order effects of some of these decisions. The software directive really encapsulated some big rocks that need to move. We’re finding things in our processes that we’re going to have to quickly change to get to the end state we’re looking for.”

Since taking over the CIO role in July, Garciga has been on a mission to modernize IT policies that are standing in the way. The latest one is around a continuous ATO (C-ATO).

He said the new policy could be out later this summer.

“We’ve told folks to do DevSecOps and to bring agile into how they deliver software, so how do we accredit that? How do we certify that? What does that model look like? We’re hyper-focused on building out a framework that we can push out to the entire Army,” Garciga said. “Whether you’re at a program of record, or you’re sitting at an Army command, who has an enterprise capability, we will give some guidelines on how we do that, or at least an initial operational framework that says these are the basic steps you need to be certified to do DevSecOps, which really gets to the end state that we’re shooting for.”

He added the current approach to obtaining an ATO is too compliance focused and not risk based.

Pilot demonstrated what is possible

Garciga highlighted a recent example of the barriers to getting C-ATO.

“We started looking at some initial programs with a smart team and we found some interesting things. There was some things that were holding us back like a program that was ready to do CI/CD and actually could do releases every day, but because of interoperability testing and the nature of how we were implementing that in the Army, it was causing them to only release two times a year, which is insane,” he said. “We very quickly got together and rewickered the entire approach for how we were going to do interoperability testing inside the Army. We’re hoping that leads to the department also taking a look at that as we look at the joint force and joint interoperability and maybe they follow our lead, so we can break down some of those barriers.”

Additionally, the Army undertook a pilot to test out this new C-ATO approach.

Garciga said the test case proved a program could receive at least an initial C-ATO in less than 90 days by bringing in red and purple teams to review the code.

“I’d say about three months ago, we actually slimmed down the administrative portion and focused on what were the things that would allow us to protect our data, protect access to a system and make a system survivable. We really condensed down the entire risk management framework (RMF) process to six critical controls,” he said. “On top of that, we added a red team and a purple team to actually do penetration testing in real time against that system as it was deployed in production. What that did is it took our entire time from no ATO to having at least an ATO with conditions down to about less than 90 days. That was really our first pilot to see if we can we actually do this, and what are our challenges in doing that.”

Garciga said one of the big challenges that emerged was the need to train employees to take a more threat-based approach to ATOs. Another challenge that emerged was the Army applied its on-premise ATO approach to the cloud, which Garciga said didn’t make a lot of sense.

“We put some new policy out to really focus on what it means to accredit cloud services and to make that process a lot easier. One of our pilots, as we looked at how do we speed up the process and get someone to a viable CI/CD pipeline, we found things that were really in the way like interoperability testing and how do we get that out of the way and streamline that process,” he said. “In our pilots, the one part that we did find very interesting was this transition of our security control assessors from folks that have historically looked at some very specific paperwork to actually now getting on a system and looking at code, looking at triggers that have happened inside some of our CI/CD tools and making very difficult threshold decisions based on risk and risk that an authorizing official would take to make those decisions. We’re still very much working on what our training plan would be around that piece. That’ll be a big portion of how we’re going to certify CI/CD work and DevSecOps pipelines in the Army moving forward.”

The post Army changing the color of money used to modernize software first appeared on Federal News Network.

It’s been four years since the Defense Department created six new acquisition pathways — including one specifically intended to speed up software acquisition. But as often happens with policy reforms, implementation is off to a slow start, so officials are building a cadre of software experts at the Pentagon to help speed up adoption.

DoD created the software acquisition pathway as part of a broader overhaul to make its acquisition system more “adaptive” to the particular products or services the department buys. The software pathway in particular came out of a recognition that most of DoD’s traditional approaches were geared toward large weapons systems. It’s designed to encourage rapid development and close coordination with users, and also eliminates some steps of the traditional acquisition process that don’t make sense for software.

Cara Abercrombie, the assistant secretary of Defense for acquisition, said she has heard positive feedback from program managers throughout the military services, but they don’t always feel empowered to use the new pathway.

“They love it. They want to use it more expansively,” she said Thursday at the Naval Postgraduate School’s annual acquisition research symposium in Monterey, California. “But my sense is there’s a little bit of risk aversion in the system, a little bit of worry, because it moves fast, it doesn’t have to check all the same boxes as the other acquisition pathways. And I do think there can often be reluctance to use it.”

Only about 50 programs using software acquisition pathway so far

According to the Government Accountability Office, there are only about 50 programs across DoD using the software pathway. In a report last summer, GAO also found that software-intensive programs that aren’t using the software pathway don’t tend to use modern, agile development methodologies.

But Abercrombie said DoD is looking to drive wider adoption, and is establishing a specialized cadre of software experts within her office.

“It will be a team of experts who know how to use the software pathway, who know how to do agile acquisition strategies,” she said. “We’re going to make sure they are more or less a SWAT team, if you will, that can parachute into program offices to provide deskside support, to help walk program office teams through how to get the software pathway going effectively. We also need to do some forensics as to understanding why there hasn’t been wider adoption, but I suspect some of it is that it’s so different from what we’ve done before.”

Congress mandated the standup of that new software cadre in the 2022 Defense authorization bill. Lawmakers also ordered DoD to create a dedicated software specialist career path to help develop that group of experts, and to develop military members with technical skills into software experts.

Military services also pursuing changes

Meanwhile, the military services are doing work of their own to get more out of the software pathway. In March, the Army, for example, issued policies that told the acquisition workforce to “maximize” their use of the software pathway and move to industry best practices for software development.

In an April interview with Federal News Network, Margaret Boatner, the deputy assistant secretary of the Army for strategy and acquisition reform, said the service has only used the pathway for 11 programs so far, but officials have seen clear benefits.

“There’s a lot less documentation and review requirements to start a program on the software pathway. But even more importantly, it actually requires us to use modern software practices. It’s not an option; we have to use agile, lean DevSecOps, continuous integration and continuous delivery, those types of things,” she said. “Traditionally when you look at our software systems, we released capability drops every three to four years. We have programs now that are operating on the software pathway that are delivering every 12 months, every nine months, and striving to deliver capability every six months. Sure, that’s not quite as quickly as industry, but it’s absolutely progress.”

A separate challenge: funding software

But even if the pathway helps solve some of DoD’s acquisition process problems, it doesn’t do much to fix the way Congress and the department fund software development.

As of now, program managers have to run through complex legal hurdles to determine whether specific aspects of their programs need to be funded from procurement, R&D or operations and maintenance accounts. Congress has authorized a pilot program that lets officials fund software with just a single color of money — and program managers love that approach too — but lawmakers have only authorized six programs for the pilot so far.

In its final report in March, the congressional commission on Planning, Programming, Budgeting and Execution Reform said Congress needs to expand the single color of money idea to all DoD software programs.

“I’ve had to be on reprogramming actions where you’re changing money between appropriations just because of the way [an aspect of a software program] has been defined,” Elizabeth Bieri, the commission’s director of research and a former DoD financial management official, told the NPS symposium Thursday. “Well, it’s really not that different. I think back to the years when you had to use procurement to buy all your IT equipment, and now it’s just regular O&M money. This would be just kind of the continuation of how people work things today, and the continuation of the evolution of software. If I’m changing code because of a bug fix, how is that any different than incorporating something for new interoperability features? I think if you combine all of these things, you’ll have the ability to make the changes that are required when needed without an arbitrary seam.”

The post DoD stands up ‘SWAT team’ to help speed software acquisition first appeared on Federal News Network.

Now that it have been 10 years since issuing them, the White House has updated what is known as Uniform Guidance on grants and federal assistance. One reason for the update: reducing regulatory burden on both agencies and grantees. For some highlights, the Federal Drive with Tom Temin spoke with Haynes Boone procurement attorney Dan Ramish.

Interview Transcript: 

Tom Temin Dan, the uniform guidance is a little bit outside of FAR and contracting concerns. But yet, something you felt is important to highlight here.

Dan Ramish Yes, Tom. So the federal government spends more than $1 trillion a year in grants and other federal financial assistance. So it’s a really important tool, and it’s important to taxpayers. And government contractors will sometimes participate in the federal grant space, either as contractors or as recipients or sub recipients. So there’s a lot of money. And increasingly, the federal grant in assistance space is becoming subject to more requirements that start to look like government contracts. But this latest change in the uniform guidance is really intended to make things easier on awarding agencies and recipients and sub recipients.

Tom Temin So what are some of the big changes people can expect? I mean, this has been like a rulemaking, even though it’s not a rule per se, but there has been commentary and drafts and final versions. Fair to say?

Dan Ramish Yes. So the uniform guidance forms the basis for agency grant and federal financial assistance regulations. So even though it’s not a regulation itself, different agencies adopt it with a little bit of their own flavor. So the big things in this rulemaking, it was mostly changes in the margins. And there are some changes that are intended to improve access and the ability of recipients and some recipients to participate. So one of those changes is there’s a new template for the standard solicitation and notice of funding opportunity. And that’s in Appendix One of the Uniform Guidance. And there are some new guidelines contained in that appendix that tell federal awarding agencies to pull out their Strunk and White. They’re supposed to reduce word count and use plain language, leave out provisions that aren’t strictly necessary, and even include an executive summary 500 words that tells applicants the goals and objectives of the program, the target audience, and eligibility requirements.

Tom Temin Sure, and there are also some updated thresholds for what gets audited, what gets investigated by the government, and also for some of the provisions for equipment and ancillary costs associated with a grant. What are some of the top ones there? Let’s talk about maybe the threshold for what gets audited.

Dan Ramish Yes. So the Single Audit Act requires audits for state and local governments and nonprofit organizations under federal grants and assistance. And that threshold hasn’t been increased in many years. And now the updated guidance will raise that from $750,000 to $1 million in total expenditures of federal funds for a single fiscal year. So that’s directly intended to make it easier for recipients that aren’t receiving that higher volume of awards to not have to be subject to an audit.

Tom Temin So for an agency that’s giving awards, then if it gives a lot of them that are under a million, then its own burden is relieved if it doesn’t have to audit every one of them.

Dan Ramish That’s right. The auditing agency may be different from the awarding agency, but it’s certainly the burden on the auditors could also be reduced. And focusing on where the risk is,  and certainly the order of magnitude is part of that risk analysis.

Tom Temin Sure. Another big one is the de minimis rate adjustment. Tell us about that.

Dan Ramish Sure. So the de minimis rate is a default indirect cost rate that the uniform guidance allows for recipients to use instead of negotiating at an indirect cost rate. And the benefit to recipients there is that there’s no documentation requirement to justify the rate. And that rate also hasn’t been adjusted for many years, and it’s a pretty low indirect rate of 10%. And the updated guidance will increase that rate to 15%. And it also makes a related increase. So there’s a limit on the amount of sub award funds that count as part of the modified total direct cost. So the de minimis rate is applied against a base that is the modified total direct cost of the award. And one of the adjustments is sub awards over a certain value are excluded. And the result there is, of course, the recipients aren’t receiving as much of their indirect cost recovery as they otherwise would. And so that rate is also increasing from $25,000 to $50,000. So it will help recipients that use the de minimis rate to recover more of their actual indirect costs.

Tom Temin We’re speaking with Haynes Boone procurement attorney Dan Ramish. So that’s the equivalent, well, the analog of when you look at a charity and what percent of the money actually goes to the charities and what percent is overhead. That’s kind of what the de minimis is all about.

Dan Ramish Yeah, it’s covering administrative and general expenses that aren’t directly tied to the award. But those are real costs that the recipients have to bear, and it’s fair for them to get compensated for them. And particularly for newer recipients or sub recipients, it’s more burdensome to have to go through the indirect rate negotiations with an agency. So this is a good option for many of them.

Tom Temin A couple of the provisions I wanted to make sure we covered. There are new whistleblower protections and new requirements for reasonable cybersecurity internal controls that seems to be like maple syrup covering everything the government is eating these days. But let’s talk about whistleblower protections in the context of grants.

Dan Ramish Well, so whistleblower protections have been a focus across the government, including, of course, in government contracts. And this is directly related to concerns about controls over waste, fraud and abuse, and ensuring that there are mechanisms to prevent that and to promote enforcement. And so there’s now a specific whistleblower protection that prevents recipients or sub recipients from reprisals against whistleblowers that report waste, fraud and abuse, and also requires them to notify employees of the whistleblower rights and protections.

Tom Temin All right. And that’s kind of making it a little bit more uniform with how whistleblowers are, in theory, protected elsewhere in other types of activities.

Dan Ramish Yes, I would say that’s one of the ways in which they’re aligning things with government contracts.

Tom Temin And then new requirements for reasonable cyber security, internal controls also kind of in alignment with what they’re asking contractors for in various ways across the government.

Dan Ramish That’s right. Clearly cybersecurity has been a big priority for the administration. And I would say, though, that this requirement is pretty generic. They opted against imposing some of the more detailed rules that the Department of Defense has applied to government contracts. But it’s a movement in that direction and reflects kind of the priority for the government in this area.

Tom Temin And one more I wanted to ask you about, and that is the equipment threshold, because sometimes grants might be for laboratory work or for developing some kind of a new technology test and so forth. So there’s a hardware, if you will piece to the grant and not just brainpower.

Dan Ramish Yes. So there’s a threshold for what constitutes equipment under the uniform guidance as well. And that is another threshold that is increasing to reduce the burden from 5,000 to $10,000. And the reason that’s important is that there are special requirements for managing equipment. And so if an item that is purchased under an award doesn’t constitute equipment that reduces the burden.

Tom Temin All right. Anything else we need to know. And so agencies need to, I guess get this into their grant making apparatus and inculcate these guidance.

Dan Ramish Yes. So there will be relief in a number of ways, as we said, with the thresholds, with efforts to make notices of funding opportunity, more plain language and easily understood by prospective recipients. So the effectiveness date is established as Oct. 1, 2024. Agencies also have the discretion to implement the new guidance earlier, but it has to be no earlier than June 21, 2024, and so agencies will be coming up with their own plans in the coming weeks to roll out their implementation of the final guidance. So recipients and sub recipients should be tracking that. May 15 is the date for the new guidance, so we’ll see how this plays out.

 

The post What new White House guidance on grants means for agencies that hand them out first appeared on Federal News Network.

Agencies, once again, set new records almost across the board for contracting with small businesses in fiscal 2023. New data from the Small Business Administration shows agencies awarded an all-time high of 28.4% of all eligible federal contract dollars to small businesses.

At the same time, SBA’s new small business scorecard data shows agencies met or surpassed governmentwide goals in three of five socio-economic category, including service disabled veteran-owned small businesses.

In all, agencies awarded $178.6 billion to small businesses last year, which is an increase of $15.7 billion from 2022.  The governmentwide small business contracting goal is 23%.  House Small Business Committee lawmakers recently passed a bill to increase that goal to 25%.

FY23 Prime Contracting by Dollars and Percentages for All Categories*:

• In accordance with federal law, SBA provided double credit for prime contract awards in disaster areas that were awarded as a local area set aside. SBA also included in the calculation of government-wide achievements Department of Energy first-tier subcontracts required to be included by section 318 of the Consolidated Appropriations Act of 2014 (“CAA”), Public Law 113-76.

Overall, SBA says 10 agencies received “A+” grades and two others received “A” grades on the scorecard, including the SBA, the departments of Agriculture Housing and Urban Development, Interior, Homeland Security and Commerce as well as the National Science Foundation, the General Services Administration, the Nuclear Regulatory Commission and the Office of Personnel Management.

The White House and SBA recognized the small business contracting accomplishments during a roundtable today as well as during National Small Business Week, which kicked off yesterday.

As part of the 2023 scorecard, SBA also released contract data broken down by business owner race and ethnicity, which shows that businesses owned by historically underrepresented groups earned more through federal contracts across every category. Agencies awarded $76.2 billion to small disadvantaged businesses, the most ever, surpassing the Biden administration’s goal of 12%. The White House set a 15% goal for 2025.

“This represents the third consecutive year of record-breaking awards to SDBs under President Biden, and puts the administration on track to reach the President’s goal of increasing federal contracting dollars to SDBs by 50% by 2025,” the White House said in a fact sheet released today.

For example, African-American owned businesses received $10.2 billion in federal contracts in 2023, $800 million more than in 2022. Meanwhile, Hispanic-owned businesses saw their overall contract dollars increase by $943 million to $10.9 billion last year.

FY23 Federal Contracting Dollars to Minority-Owned Small Businesses:

In addition to beating the SDB goal, the SBA says agencies also exceeded the service-disabled veteran-owned small business goal of 3%. Agencies awarded $31.9 billion, or 5.07% of all contracts to these firms.

This also is first time agencies came close to meeting the goal for women-owned small business awards in several years, missing out by less than 1%, while still awarding $30.9 billion to these companies.

Along with prime contracts, agencies exceeded their goals in making sure small businesses received subcontracts. SBA says 33.34% of all subcontract dollars went to small companies, more than 2% above the goal for a total of $86.4 billion.

Unlike with prime contracts, agencies missed all socioeconomic goals under subcontracting except for women-owned small businesses. The women-owned small business goal was 5% and agencies achieved 5.65%, while missing out on the SDB, HUBZone and service-disabled veteran-owned small business goals.

This latest scorecard comes when House and Senate lawmakers are pushing SBA to hold agencies more accountable for small business contracting. Sen. Joni Ernst (R-Iowa), ranking member of the Small Business and Entrepreneurship Committee, introduced the Accountability and Clarity in Contracts to Engage Small Suppliers and Small Businesses (ACCESS) Act last September to revamp the goaling structure.

House Small Business Committee lawmakers also passed several bills earlier this month to address long-standing concerns like making sure agencies use plain language when writing contracts and bring more transparency to decisions when agencies cancel small business contracts.

The post Agencies set records for small business contracting in 2023 first appeared on Federal News Network.

That new White House guidance on agency use of artificial intelligence: It embodies guardrails, but also a few opt-out scenarios that give agencies plenty of discretion. One analyst thinks it gives them too much discretion. For more on the Federal Drive with Tom Temin, Federal News Network’s Eric White spoke to the senior counsel at the Brennan Center for Justice, Amos Toh.

Interview Transcript: 

Amos Toh I think that the OMB memo does provide one of the most robust frameworks for regulating how governments, how federal agencies should regulate their use of AI. But the problem is that this robust framework has major loopholes that government agencies may invoke to avoid the very strong and sensible safeguards that the OMB has outlined. So let’s start with the good, for AI that impacts rights and safety. The OMB memo requires agencies to conduct an impact assessment before they deploy the system. During the impact assessment phase they have to consider whether the expected benefits of the system will actually outweigh the costs, including its risks to civil liberties and rights. They also have to assess whether an AI system is better suited to accomplishing the tasks that the agency wishes to accomplish compared to a non AI strategies. So all of these criteria and mechanisms are really in place to compel agencies to think very carefully about deploying AI and whether it’s suitable for that function and that task. There’s also ongoing risk monitoring that the federal agency must do once they’ve deployed the system. There are requirements for human training and oversight and transparency and providing notice to people the fact that, by the system, as well as requiring agencies to provide options to opt out of an AI system, and providing AI alternatives to people directly affected by these systems. So there’s a lot of good in there. But, there are ways that agencies can exempt themselves from these safeguards. And there are two main ways. One is obtaining a waiver when they determine that the system that complying with these safeguards will somehow impact. So safety or would be an impediment to critical agency operations. And they can also define their AI systems in such a way where they are exempt from the guidance.

Eric White So yeah, those are the two critical loopholes that you think. Is your beef with them that they give agency leaders almost a little too much leeway? Because, yeah, I’ve read that same part of the rules. And yeah, I got a little bit of sense of the implied powers clause from the Constitution there. Just saying kind of describing how leaders can make the decision if they feel the need to almost.

Amos Toh Right. So the OMB memo, grants, chief artificial intelligence officers at agencies, which are essentially the agency appointed leads on overseeing the AI systems for that particular agency. It essentially grants CAIO’s discretion to apply waivers to the systems, and also to define whether an AI system is a principle or basis for a given agency, decision or action. If it is, then it would be covered by the OMB memo, and the minimum practices would apply if it does not qualify as a principal basis according to the CIO and according to the agency, then it would be exempt from these practices. So that’s really kind of the two ways, in which agencies can exempt themselves from the minimum practices. And I think the criteria is highly subjective and potentially also overbroad. Particularly in the law enforcement context, we have great concern that agencies will seek to waive minimum practices in the name of critical law enforcement imperatives. When we’ve seen time and time again, when agencies don’t follow safeguards, that leads to significant impact on civil rights and civil liberties.

Eric White So this is all new territory for everybody. I think I get a sense that you’re not saying that the waivers aren’t unnecessary. There does need to be some sort of escape clause for agencies if they feel the need. But what you’re saying is that should those waivers should be under more scrutiny.

Amos Toh Well, I do think that there are certain minimum practices. And in the OMB memo, that should never be waived. I do think, for example, that the duty to conduct an impact assessment is before you deploy an AI system is something that should be applied regardless of whether there are emergency circumstances or not. AI can be a very powerful tool that can have a lot of harm in rolling it out without even an assessment of its potential impact on people and rights and safety can really need to mask violations of people’s rights and may actually be damaging to safety at scale. So you can imagine an agency, if they need to roll something out quickly, because it’s a critical agency operation. And that’s happening, and in a limited time frame. They could opt to do a shorter impact assessment and do a more deliberate one later on when there is less time pressure. But to waive that requirement entirely is something that actually can lead to the opposite of what the agency intends, which is that it might not, it may be even counterproductive to the operation that the agency is trying to undertake. So I do think that there are certain requirements that shouldn’t be waived. For requirements that arguably waivable, such as certain transparency requirements and kind of public disclosure requirements. I do think that needs to be really combined to instances where the AI system, for example, aspects of the AI system may actually be sensitive, law enforcement or national security information that can be genuinely classified as such. So we’ve seen a glut of over classification of information in the government. And so there’s not a lot of confidence that agencies, will apply classification markings that actually adhere to both the letter and the spirit of classification directives. And I think to OMB’s credit, you’ve said in some of their guidelines that even if some aspects of an AI system may not be disclosed to the public, the agency should make kind of best efforts to disclose the rest of the system that can be and should be disclosed to the public.

The post Is the AI leash on federal agencies too long? first appeared on Federal News Network.

The General Services Administration is putting the final touches on its solicitation for the Alliant 3 IT services contract.

But one of the sections that GSA is already finished with is a new approach to attracting small businesses with new or emerging technology capabilities.

Large businesses can get started today on meeting the requirements of GSA’s small business emerging technology solutions engagement requirements under Alliant 3 contract.

Paul Bowen, the director of the center for GWAC programs at GSA, said this evaluation factor is among the first of its kind.

“There’s an opportunity for an ‘other than small business’ offeror to engage with small businesses that have eligible emerging technology solutions in any of these 11 areas. So if I’m an other than small business company, I have the opportunity to go out and interact with up to five small businesses that have emerging technology solutions, meet with them, have them sign a form that shows that we met, we had an engagement and that we spoke,” Bowen said at an event sponsored by ACT-IAC on Friday. “The small business has to provide the proof that they have the eligible product, and then when the other than small business submits it to GSA. The other than small business would receive 200 points for each of the five engagements up to a total maximum of 1,000 points.”

As part of the draft solicitation for Alliant 3 issued last December, GSA detailed this new approach to hold large businesses accountable for learning about small businesses in specific emerging technology areas. The 11 areas included such as big data, cloud, cyber, AI, zero trust and quantum computing.

GSA highlights 11 emerging tech areas

What the small business emerging technology solutions engagement requires is for large businesses to meet with at least five small businesses who work in one of these 11 areas. The 11 emerging tech areas came from work GSA’s IT Category office has been and continues to do.

Bowen said GSA isn’t being prescriptive about how the engagements work or what may or may not come from them.

“GSA does not dictate how these meetings are set up, how long they last, the terms of them. It’s entirely for you to all figure out how you want to do it and to come to terms with each other, whether it’s a phone call, whether it’s a meeting, whether it’s a demonstration, however you work it out, you work it out,” he said. “There’s no expectation that you will have done business in the past. Nor is does it create an obligation in GSA’s eyes that you’ll do business together in the future. It’s a way to match make.”

GSA, however, put some parameters on the size of the emerging small businesses. The firm has to have done at least $100,000 worth of business or being a part of the Small Business Innovation Research or Small Business Technology Transfer (SBIR/STTR) programs.

Under the terms of the program, the large business may only get credit for meeting with a different small business for all five engagements and can’t meet with small businesses in any of the 11 categories like cyber or AI more than twice. Bowen said that means if large company X meets with two different AI companies, then they have to pick three other emerging technology areas like cloud or health IT for their other meetings.

Matchmaking made easier

Small firms bidding on Alliant 3 do not have to participate in this part of the evaluation. GSA says they would receive the 1,000 points automatically.

Bowen said GSA’s decision to take this approach made sense for several reasons.

First, it just made sense to make small business matchmaking part of the evaluation factor just made sense.

“We know that small businesses have really been leaders in emerging technology, which is such a focus for everyone, including the government. For us to have an evaluated factor where other than small business offers on Alliant 3 have a scored element where they can go out and meet with small businesses with emerging technology solutions is a win-win for everyone,” Bowen said. “It’s a win-win for the small businesses with the emerging technology because they have the ability to go meet with these companies where previously may have been difficult to get in the door. It’s a win for the other than small business offers because they get to learn about these technologies. They demonstrate to the government that they have the ability to go out and find small businesses with emerging technology because so much of the emerging technology is being done to almost the garage level and above at this point.”

Bowen said this approach also gives the small businesses some leverage with the large firms in terms of getting meetings and explaining their technologies and value.

In addition to this 1,000 point evaluation factor, Bowen said GSA also will hold vendors accountable for meeting their subcontracting goals as part of the contract.

GSA expects to issue the final solicitation for Alliant 3 toward the end of May or early June.

One big change to the Alliant 3 is the number of awards GSA is expecting to make. Bowen said GSA is targeting about 76 awards, which is up from the 60 awards it made under Alliant 2 back in 2018.

One reason GSA is looking to make a larger number of awards is the number of contractors who ended up leaving Alliant 2. GSA started with 60 awards and has lost 22 over the last six years. Of those 22, 11 were lost to mergers and acquisitions and another 11 to the companies “volunteered” to leave the contract as they were not meeting specific bidding and winning requirements.

There now are 38 vendors under Alliant 2 and GSA expects the larger number of awardees to provide better and more competition.

Alliant 2 remains a popular contract among agencies, adding a lot of focus and excitement on Alliant 3.

GSA data shows agencies obligated more than $8.6 billion across 117 task orders in 2022. Since GSA awarded Alliant 2 in 2018, agencies have obligated more than $26 billion.

The popularity of Alliant 2 caused GSA in August 2022 to increase the ceiling of Alliant 2 to $75 billion from $50 billion because it saw the increasing spending trends.

Over the last four or so years, Alliant 2 has been a go-to contract for many of the major and high dollar programs agencies have pursued. The average task order under Alliant 2 is around $120 million.

Industry and GSA expects Alliant 3 will be just as popular with spending continuing to increase.

The post GSA’s new approach to small business matchmaking first appeared on Federal News Network.

The command was initially granted limited acquisition authority in fiscal 2016, with 10 billets and $75 million in buying authority over five years. Congress has since lifted the command’s spending limitations and restrictions.

Courtney Maggiulli, the program executive officer for cyber, J9 acquisition and technology at CYBERCOM, said her PEO is aiming to add 50 billets this year.

“So we are staffing up for a right sized and ready workforce, and it’s a pretty exciting place,” Maggiulli said at the CYBERCOM legal conference last week.

Earlier this year, the command was also designated as a federal laboratory. The designation gives CYBERCOM more authorities to work with industry and academia on technology research. Additionally, it also has “enhanced budgetary control,” meaning it has a greater say in how DoD makes decisions about cyber programs and investments.

“So we’re expanding our ability to acquire cyber goods, cyber services for the DoD in an integrated and holistic way,” Maggiulli said.

And CYBERCOM is also building out a program office to oversee and integrate the “Joint Cyber Warfighting Architecture,” a collective term for the cyber products and services used across the military services by the 133-team Cyber Mission Force.

“Integration is crucial, because things are changing every day,” Maggiulli said. “And we have to be unified. We bring together the best in breed of all the different tool capabilities. And most importantly, it’s the talent of the people across the services as well.”

But as it builds out its acquisition program, Maggiulli said CYBERCOM is acutely aware it can’t rely on the traditional DoD acquisition system to buy and integrate new cyber capabilities.

“The cyber domain is different,” she said. “It’s fast, it’s rapid. So we don’t have the ability to take the time that you would normally put into building a tank or a fighter jet or putting up a satellite in 10 years. We don’t have 10 years to wait.”

She pointed to the command’s early collaboration with the Defense Innovation Unit to procure “Hunt Forward” cyber mission kits using DIU’s prototyping process. DIU typically uses Other Transaction Agreements that aren’t governed by the Federal Acquisition Regulation.

“We are committed through what our lab is doing and through our teams of professionals and then through our partnerships with folks like DIU to growing that innovation at the command,” Maggiulli said.

CYBERCOM is also leaning on DoD’s Adaptive Acquisition Framework to tailor its procurement strategies for the cyber domain.

Maggiulli referenced both the software acquisition pathway and the middle tier of acquisition pathway as “allowable ways to pursue acquisition that have strategies that are more responsive and tailored to the types of acquisitions we’re doing.” The software pathway uses agile development and DevSecOps practices, while the middle-tier authority is used to quickly prototype and field new capabilities.

“We’re being given flexibilities and tools by Congress that allow us to be faster and more responsive for the type of acquisition we’re doing with cyber,” Maggiulli said.

A key aspect of CYBERCOM’s acquisition ambitions will be training and empowering its growing acquisition workforce, she added. The command is using training programs through Defense Acquisition University to build an education and culture around what Maggiulli hopes is a creative acquisition program.

“It’s not a stodgy and antiquated and outdated acquisition model that we want people to come in with,” she said. “We really want to leverage these tools that we’ve been given with a workforce that knows how to use them strategically and effectively.”

The post CYBERCOM embraces the non-traditional as acquisition program grows first appeared on Federal News Network.

The Army has seen enough from its testing of the Adaptive Acquisition Framework to know what its future looks like.

And that future is around six pathways that moves the services away from a one-size-fits all approach to buying and managing technology.

Margaret Boatner, the deputy assistant secretary of the Army for strategy and acquisition reform, said these six pathways outlined in the Defense Department’s released in 2020 have shown enough promise to force the service to change its approach to how it buys and develops software.

“I think two really key things about the software pathway. One, it eliminates a lot of bureaucracy and process that is typical of the traditional acquisition process. For example, we can operate totally outside of the traditional requirements process. There’s a lot less documentation and review requirements to start a program on the software pathway,” Boatner said on Ask the CIO. “But even more importantly, what it does do is it actually requires us to use modern software practices. It’s not an option. We have to use agile, DevSecOps, continuous integration, continuous delivery (CI/CD) and those types of things. We have to deliver capabilities within one year and annually thereafter. So really it’s forcing faster cycle times then what we employ traditionally when you look at our software systems.”

She added the Army typically released new features or capabilities every three to four years in traditional waterfall based programs. But now with the software pathway, it’s accelerated the release of new services to every 9-to-12 months, at the very most with a goal of releasing every six months or sooner.

While the Army is far from industry standards of releasing new capabilities every few weeks or even more quickly, she said these initial changes show real progress in changing the culture and outcomes.

“I do think it’s a sign that we have adapted and are adapting to more of these agile processes that are required by the software pathway. The Army has 14 programs on the pathway now, but we are actively in the process of transitioning more over including more of our traditional defense business systems because those are now allowed to transition and pivot over to the software pathway as well,” she said. “For any of our software intensive capabilities, we want to get on the software pathway because of all of these unique flexibilities and the fact that it forces us to align to some of these industry best practices.”

DoD’s Adaptive Acquisition Framework splits the acquisition approaches into six pathways:

• Major capability acquisition (the pathway that will handle most of the military’s traditional hardware procurements).
• Urgent capabilities.
• Software (including, in some cases, software that will be part of major weapons systems).
• Business systems.
• Services.
• Middle-tier acquisitions that use the recently-enacted “Section 804” authority for rapid fielding and rapid prototyping.

Under AAF, the objective is to flip the script: Start with a baseline of rules that only really matter for the pathway that best fits their program, and “tailor-in” whichever additional requirements and acquisition best practices fit the actual product or service they’re buying or building.

Reducing documentation requirements

Boatner said the AAF is changing the Army’s mindset in two main ways.

“First, it really allows us to tailor acquisition approaches. So moving away from the one size fits all approach, we now have the ability to choose between six different and distinct pathways based on the characteristics of our program,” she said. “We could choose one or we could choose multiple pathways depending on the needs of our program. It also emphasizes tailoring-in versus tailoring-out of other requirements. So instead of having to comply with 35 documentation and review requirements for everything we get to say, ‘hey, this document in this review requirement is appropriate based on the program.’ The second thing that it does really is empower our program managers. We can delegate decisions down as much as possible, including the choice of the pathway, including what documents review requirements. It’s really pushing down a lot of that decision making which helps to streamline the process.”

The expanded use of the AAF also is part of a broader effort across the Army to change the way it manages and buys software.

Secretary Christine Wormuth issued a new agile software policy detailing five changes to reform what she called the institutional processes of the Army.

Leo Garciga, the Army’s chief information officer, said recently the policy changes will help the service streamline its ability to build contracts based on agile and DevSecOps methodologies.

Boatner said these changes will not happen overnight, recognizing the Army has built up these habits and processes over the course of decades.

“We’ll do a full communication blitz, where we go to all of the program executive office shops and all of the contracting shops to make sure they understand the direction that we are moving in. We’re also trying to centralize expertise in a couple of places. Contracting, for example, is one way that we’re trying to centralize this expertise, such that contracts will flow through the same group of people who really can become very, very savvy in this, who are more skilled in in writing and executing contracts or agreements for software development efforts,” she said. “We’re trying to pool another group of experts that are going to help folks from the headquarters level as they do their software development efforts, more from the technical software development side. It’s really making sure we have the right expertise in the right place to actually execute a lot of these things, in addition to all of the communication and the roadshows that we, of course, plan to do.”

She added her office also will work with the larger cybersecurity and test and evaluation communities to ensure they understand how the AAF works and what it means for their specific areas.

The post Army has burned the software development bridges behind them first appeared on Federal News Network.

GSA is expanding the number of providers from three to eight, including six new ones.

Along with current platform providers Amazon Business and Fisher Scientific, GSA awarded spots on the next generation Commercial Platform Initiative (CPI) contract to:

• e-Procurement Services
• Grainger
• Noble Supply & Logistics
• Pacific Ink
• Social Glass
• Staples

Four of the awardees, ePS, Noble Supply, Pacific Ink and Social Glass, are small businesses, opening the door for agencies to obtain small business credit for these small dollar buys.

“This is about meeting our customers where they are with a modernized user experience and streamlined process for government purchase cardholders,” said Tom Howder, the acting Federal Acquisition Service commissioner, in a release.

GSA created the CPI program under a proof-of-concept moniker with awards to Amazon, Fischer and Overstock Government in 2020 under direction from Congress with a goal of capturing data on and managing products under the micro purchase threshold of $10,000. Initially, GSA thought the market was about $6 billion, but came down in the last few years to the potential market being about $500 million.

Overstock Government decided not to bid on the next generation platform, sources say.

Lawmakers detailed its desire for GSA to pilot online commercial platforms in Section 846 of the 2018 Defense Authorization bill. The House Armed Services Committee’s initial goal was to make federal procurement less complex and more competitive through the use of commercial platforms.

“GSA’s announcement of eight contracts awards for the commercial platform initiative represents the passing of a significant milepost on its journey to bring enhanced electronic commerce to agencies,” said Roger Waldron, president of the Coalition for Government Procurement, in an email to Federal News Network. “Collectively, these contracts represent a streamlined channel through which agencies can acquire commercial off the shelf products quickly. They also put competitive pressure on the Schedules program to improve its administrative efficiency, which is a positive result that will help buyers and sellers in the market.”

The awards come at more and more agencies are using the initial three platforms, though data shows Amazon Business received the vast majority of the orders, accounting for 96% of all orders in fiscal 2022, according to an August 2023 report from the Government Accountability Office.

GSA says for 2023, 34 agencies spent $80 million, which is double the amount of money spent in 2022.

GSA also says total orders also increased to 305,000 from 105,000 in 2022, and 52% of all users were repeat buyers and agencies spent on average between $250-$350.

“This is a pivotal turning point in the Commercial Platforms Program as we expand the number of platforms available, including a number of small business awardees,” said Keil Todd, the Commercial Platforms program manager, in the release. “We’re excited to move out on the next-generation of this program to further our commitment to agencies in helping them get the products they need to support their missions.”

With the additional companies GSA is adding, agencies have access to buy from well-known diverse companies like Amazon Business, Fischer Scientific, Staples and Grainger that provide a large variety of products, but from the four small companies.

Noble Supply, for instance, provides the Defense Department with access to products from 13,000 companies.  Pacific Ink offers office supplies and Social Glass provides access to small purchases across 50,000 products. And ePS  filed a protest of the solicitation in December only to gain corrective action and win an award.  ePS is a platform providing access to small business suppliers.

“We are looking forward to assisting GSA in meeting the goals of the Commercial Platform program. This award allows us to bring other federal agencies the benefits that federal buyers are currently experiencing within the e-Procurement Services (ePS)  Army and Air Force eMarketplace programs,” said David Saroli, CEO of e-Procurement Services (ePS), in an email to Federal News Network. “Being part of the Commercial Platform program will also help increase the growth our small business suppliers are currently experiencing through the Army and Air Force ePS e-marketplaces.”

The journey to this award, and it’s unclear if GSA has crossed the finish line given several unknown factors like how many bidders there were and if any that were unsuccessful would file a protest, was not an easy one. GSA took heat for initially overlooking, or ignoring, the requirement to comply with the Javits-Wagner-O’Day (JWOD) Act. The 1938 law mandates the AbilityOne Commission publish a procurement list that identifies commodities and services that the commission has determined are suitable to be furnished to the government by companies who employ people with disabilities. Agencies must buy these specific products and services unless there are specific circumstances that require exceptions.

GSA ended up fixing the solicitation to satisfy the protestors’ concerns.

The post GSA’s commercial platforms program to grow by five providers first appeared on Federal News Network.