The President released his FY2015 Budget Brief — a more detailed analysis of the President’s FY 2015 budget will be in the Weekly Insider and posted to the website. To see the budget in detail by agency, click here.
LOCK IN OUR INAUGURAL RATES!
For nearly three years, the Government Technology & Services Coalition has been building a community of company CEOs devoted to the homeland and national security missions at the U.S. Departments of Homeland Security, Defense, State, Justice and the Office of the Director of National Intelligence. We have grown to over 140 companies by providing the best value, high-quality programming, information and networking in support of our Federal partners’ mission.
We’re different because we were started by small business CEOs. People who had the vision and mission to create a professional, non-profit organization that would devote itself to the mission of our Federal partners and help companies grow and succeed at every stage of their growth in the Federal market. From the Emerging Small Business Group, to the Lion’s Den of mid-tier companies, to our Mentor leaders, the Coalition represents the continuum of success in the homeland and national security market.
If you’ve been considering joining us — now is the time. Through the end of March, new members can lock in our inaugural rates, avoiding a rate increase starting April 1, 2014.
If you’re interested in checking us out, contact us so we can discuss membership and offer an opportunity to attend one of our upcoming sessions.
Thanks to the support of so many in the community, GTSC is proud to continue our work to represent your interests, provide our government partners with the best possible services and solutions, and build a better, smarter process to assure the safety and security of our country.
Contact us today for more information – we look forward to hearing from you!
Just some of the benefits:
- Community devoted to DHS, DOD, DOS, DOJ and ODNI and the cross pollination of ideas and solutions to serve the homeland and national security mission.
- Intra-community introductions and opportunities for partnership among like-minded companies.
- First class list of Strategic Advisors and Partners to assure you have the best resources available.
- Priced for value — and your ROI.
- Focus on your external AND internal success with meetings that prepare your infrastructure for execution as well as your outreach to government partners.
- Improve the efficiency and effectiveness of your business development — saving you time and money.
- Provide exceptional Federal advocacy on behalf of companies working in the mission.
- Action groups to provide a platform for your leadership and engagement on topics of interest and expertise.
- Opportunities to recognize your leadership and excellence through the GTSC Awards for Mentors, Small and Mid-Sized Companies of the Year among many others.
- Designation of Leadership Excellence to differentiate your company from others in the field.
- Support and assist our government partners in achieving their critical missions.
- Provide an ethical platform for information exchange between the public and private sector on homeland and national security ideas, technologies and innovations.
- Five types of platforms: Insight, Mentoring, CEO to CEO, Capacity Building and Market Solutions.
- Lion’s Den devoted to mid-tier companies and their challenges in the Federal market once they achieve “other than small” status.
- Thought leadership in a visible and vital community.
- Government relations supporting the innovation and quality of products and services provided by GTSC members.
- Giving back to our community by employing veterans and raising funds for charities serving the homeland and national security mission.
- And much more!!
With our fabulous Strategic Advisor, Michelle Mrdeza and her amazing team at Cornerstone Government Affairs, over 40 companies joined GTSC to carry our voice to Capitol Hill to meet with legislators with jurisdiction over the Department of Homeland Security. GTSC met with Chair of the House Homeland Security Appropriations Subcommittee Judge John Carter (R-TX) and discussed the Subcommittee’s priorities for the year. GTSC then met with the Senate Homeland Security and Government Affairs Committee, the Senate Homeland Security Appropriations Subcommittee, the House Homeland Security Committee and finally, Chair of the House Homeland Security Subcommittee on Oversight and Management Efficiency Jeff Duncan (R-SC). Thank you to all the GTSC members who made time to join us on this important day.
Washington, D.C., February 6 – The Government Technology & Services Coalition (GTSC), the premier organization for small and mid-sized companies in homeland and national security, yesterday recognized numerous public and private sector leaders and innovators in homeland and national security at its Annual Awards.
John Morton, former director, U.S. Immigration & Customs Enforcement, and John Fantini Porter, Chief of Staff, Management & Administration, were awarded Federal Small Business Champions of the Year; Chad Sweet, co-founder and CEO of the Chertoff Group, received the Market Maven award; Robert V. Jones, CEO, PreSafe Technologies, for Small Business Member of the Year; Brian Finch, Dickstein Shapiro, for Strategic Partner of the Year; Bill Carroll, Managing Partner, StrikeForce Consulting, for Strategic Advisor of the Year; and TASC Inc. for Mentor of the Year. Read the release.
The views expressed in this article are solely those of the author and do not reflect the opinion of the General Services Administration or the Department of Defense.
I always start out any discussion of cybersecurity by emphasizing the context of the problem. In our increasingly hyper-connected world, cyber risks affect us all – governments, private sector organizations, and individuals. Cybersecurity events have become commonplace, almost daily occurrences, and with the advent of the “internet of things,” they are only going to increase in frequency and magnitude. It is a shared problem. And it demands a shared solution. We have an obligation to take actions in our personal and professional lives to help provide for our personal, national and economic security. Changing how the federal government buys things using our tax dollars is an important part of the solution.
Last week DoD and GSA released a report that provides six strategic acquisition reforms to improve cybersecurity. I’m pleased that the recommendations have been well received by the federal acquisition community. In my opinion, the report has been well received because it is a community product. The recommendations reflect the views and expertise of a diverse set of stakeholders from sole proprietors and individual citizens to multinational corporations and government agencies. The report does a decent job of articulating what needs to be done; now the hard work of figuring out how it gets done is in front of us.
As a threshold matter, it’s important to know that the order of the recommendations in the report is not indicative of their relative importance or the sequence of implementation. The most important recommendation is actually number four. Why is number four most important? Because the other recommendations can’t be fully implemented until number four is. For example, recommendation number one suggests including new “cybersecurity hygiene” requirements for appropriate contracts. However, we won’t know which contracts are appropriate until the risk management strategy of number four is at least partially developed. I’ll explain below.
Recommendation number four is titled: “Institute a Federal Acquisition Cyber Risk Management Strategy.”
The goal of this recommendation is to develop a repeatable, scalable process for addressing cyber risk in federal acquisitions based on (1) the risk inherent to the product or service being purchased, and (2) the risk tolerance of the end user.
The first step is to develop a consistent method to measure cyber risk in the things the government buys. Once we specifically identify which types of acquisitions present cyber risk, we can decide which types are “appropriate.” From National Security Systems to paper clips – a primary question here is, which types of buying do or don’t present cyber risk?
Because we can’t possibly address all the types of acquisition at once, the next step is to prioritize the types of federal acquisition by risk so we can identify the right starting point. The prioritization should probably consider cyber risk, mission-criticality of the function supported by the type of acquisition, and the amount of money spent on the type of acquisition annually, among other things. Which other things should this prioritization consider?
After the prioritization is complete, starting with the highest risk type of buying, develop acquisition-cybersecurity “overlays” applicable to all buys of that type. The overlays will include both procurement and information security practices – two very different and arcane disciplines. Which security controls from NIST SP 800-53 revision 4 should apply to a type of acquisition? Which acquisition practices should apply? When should the government not use lowest-price-technically-acceptable source selection?
The DoD-GSA report gives us a good strategy, and it provides a solid frame of reference, but as the old saying goes – the devil is in the details. Nothing could be truer about the next steps here.
The government has committed to continuing the collaborative process used to develop the recommendations as it develops the implementation plan. In the next few weeks, the agencies will publish a request for comment on a draft plan for implementing the recommendations. The draft plan will propose specific actions to accomplish the recommendations, starting with the cyber risk management strategy.
So, stay engaged. And when the request for comment is published, do your part to help solve one of the most pressing issues of our time by submitting your suggestions.
By Contributing Author: Emile Monette
Emile Monette is a recognized authority in the legal and operational aspects of public procurement, cybersecurity supply chain risk, and supply chain sustainability. His background includes domestic, international, and U.S. military experience investigating, negotiating, and managing multimillion-dollar contracts. Emile is a fifteen-year veteran of procurement law and policy development, and he has served in various positions in the legislative and executive branches of the federal government.
Government Contracting Weekly television today announced that Kristina Tanasichuk, Founder & CEO of the Government Technology & Services Coalition has joined the program as its first Contributing Editor of Homeland & National Security. Tanasichuk will work with GCW to cover challenges and opportunities in the Federal market. Read the entire release here.
On January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development.
The final report is perhaps most notable as another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.
Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.
On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”
On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.
Working Group Recommendations
The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:
(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;
(2) address cybersecurity in relevant training;
(3) develop common cybersecurity definitions for federal acquisitions;
(4) institute a federal acquisition cyber risk management strategy;
(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and
(6) increase government accountability for cyber risk management.
For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which if adopted would dramatically advance anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.
Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.
First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.
Other critical points for government contractors to consider as the final report’s recommendations are implemented include:
- What cybersecurity terms will be defined, and what will those definitions look like? Considering that the definitions will be used government-wide, it is imperative that contractors provide feedback lest a definition be issued that is contrary to their interests, much less defies common sense;
- What topics will be covered in the cyber education program for the procurement work force? If procurement officials are not properly educated on a variety of threats, then they may fail to incorporate standards and requirements that are necessary for information protection;
- How will the federal risk management strategy be developed? And will it be flexible enough to account for the rapidly evolving threat environment?;
- Are contractors prepared to fight back against cybersecurity requirements in federal acquisition programs that are being used to exclude otherwise acceptable vendors and technologies?; and
- How deep will these requirements reach into federal contractors’ business? In other words, will the cybersecurity obligations be limited just to public-contracting programs, or will they effectively become company-wide requirements regardless of the buyer?
The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.
Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at firstname.lastname@example.org (202)420-4823.
Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.
Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements.
If you are a GTSC member serving federal customers through the GSA Multiple Award Schedules (MAS) program, you may already be feeling the effects of pricing policies adopted by the agency last year. For other vendors, these changes could disrupt your offerings and impede agencies from receiving the best available solutions.
While well-intentioned and possibly in response to pressure from fiscal conservatives on Capitol Hill, an emerging procurement trend is the GSA placing new emphasis on lowest price as the primary basis of award over historical best value in awards. SIA members, particularly integrators, have certainly felt the effect of GSA policy changes for justifying pricing.
The new policy follows a MAS contract amendment allowing the GSA to consider pricing on competitor contracts and pricing in “other venues” to make a fair and reasonable price determination in accepting/rejecting offers or requiring price reductions. However, the price comparison used is so wide that it includes prices from unverified and/or unqualified sources likely to be outdated or invalid, making the tool inaccurate. Simply put, this new GSA pricing guidance encourages contracting officers to conduct “apples-to-oranges” price comparisons through sources ranging from GSA Advantage to public Internet sites listing the products of vendors not subject to GSA requirements.
As federal contractors, GTSC members know that a business obtains a GSA Schedule Contract after negotiating fair and reasonable pricing with GSA based on its commercial practices and its most favorable customer(s). These Schedule Contract holders are audited, and pricing is re-negotiated when negotiating each five-year evergreen period afterward. If a vendor has already negotiated a best price determination for the basis of the contract award, why should there be further comparison of this vendor to another vendor to verify the pricing? If GSA negotiations are successful, government customers are getting pricing better than or equal to that of a GSA supplier’s best customer. Right? Why then would such a supplier be required to change its pricing based on comparisons to vendors of different scale and/or vendors not subject to the same GSA requirements? These are some of the questions on the minds of many GSA contractors seeking to provide best value to their government customers.
For suppliers within the security industry, the revised GSA pricing policy could have the following effects:
• Bogus or outdated internet prices could be used to disqualify legitimate offers.
• Security integrators could be forced to supply parts at comparison prices that do not include the service/maintenance component.
• Security integrators could be forced to remove key parts of a security system as pricing updates on components are often rejected, splintering the ability to offer a complete security system under the Schedule Program.
• Erroneous comparisons could be made among prices offered by dealers or distributors versus security integrators. Sales of individual items should have different pricing consideration than security integrators offering a total solution with trained and certified staff.
• Small businesses are put at a disadvantage when lowest price consideration overrides all others.
• Loss of participation in the MAS program could result due to unreasonably low prices.
The Security Industry Association strongly supports the MAS Program and sincerely respects the work of GSA contracting officers. Our members are optimistic that industry and GSA can work together to modify this price comparison policy and prevent businesses from concluding that the cost to maintain a GSA contract exceeds the intended benefit.
Contributing Author: Donald Erickson
Donald Erickson is CEO of GTSC’s Strategic Partner, the Security Industry Association (SIA). He has served on the GSA Multiple Award Schedules Advisory Committee and worked for Senator Rod Grams (R-MN) on telecommunications and technology policy.