Information Technology Contracting

Last month, we discussed Information Technology (IT) Schedule 70, one of the largest contract vehicles administered by the U.S. General Services Administration (GSA). GSA now is evaluating whether Schedule 70 should be made more accessible to certain small contractors, new IT providers, and other, similarly situated firms.
Continue Reading GSA Seeks Input on Eliminating IT Schedule 70’s Two-Year Experience Requirement

Earlier this month, the U.S. General Services Administration (GSA) issued a Request for Information (RFI) soliciting feedback from industry on ways to improve the sale of Cybersecurity and Information Assurance (CyberIA) products and services through GSA’s multi-billion dollar Information Technology (IT) Schedule 70. IT Schedule 70 currently features more than a dozen special item numbers (SINs) for cybersecurity products and services.[1] In this RFI, GSA seeks information from vendors and federal agencies as to whether it should consolidate those SINs into one major CyberIA grouping, with a number of categories and subcategories.

The RFI, which was issued just weeks before the Office of Management and Budget (OMB) and the Department of Defense (DoD) announced their own major cybersecurity initiatives, is yet another sign that the federal government is leveraging its substantial buying power to harden government and contractor networks against cyber intrusions. As explained below, GSA’s appeal to industry offers a tremendous opportunity for the private sector to help shape the way commercial CyberIA products and services are bought by and sold to the government.
Continue Reading GSA Seeks Industry Input on Cybersecurity Schedule Offerings

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in the making, this interim rule

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”

Although the OMB memorandum is a laudable attempt to create uniformity across the federal government, the Guidance leaves many questions unanswered, and the details of its implementation by federal agencies remain to be seen. As described below, even with this Guidance, contractors will continue to encounter inconsistent requirements for what constitutes a “cyber incident,” how quickly a cyber incident must be reported to the government, and what security controls are considered “adequate” for safeguarding CUI.
Continue Reading OMB Issues New Draft Cyber Guidance for Contractors

On July 24, 2015, the Defense Information Security Agency (“DISA”) issued three draft documents (available here for download) concerning the adoption of secure cloud computing systems by the Department of Defense (“DoD”).  DISA is tasked with developing DoD’s security requirements guides for cybersecurity policies, standards, architectures, security controls, and validation procedures.  Here, the just-released, draft documents are: (1) a Security Requirements Guide; (2) a Cloud Access Point Functional Requirements Document; and (3) a Concept of Operations for Cloud Computer Network Defense.  Any comments on these draft documents must be submitted to DISA by August 22, 2015.

Additional information regarding each of these three documents is provided below.
Continue Reading DoD Issues Three Cloud Computing and Security Documents for Public Comment

The private sector is likely to produce critical cyber innovations—at least, that is what the U.S. Defense Advanced Research Projects Agency (“DARPA”) and the U.K. Centre for Defence Enterprise (“CDE”) would like to see.

In the United States, although the internet may have been invented at DARPA, DARPA is turning to a private sector competition

As federal agencies are slated to spend almost $80 billion on federal information technology (“IT”) acquisitions this fiscal year and the OMB prepares to issue its final guidance on the Federal Information Technology Acquisition Reform Act (“FITARA”), GAO has released two reports this month that discuss ongoing efforts to improve IT procurement.  Combined with GAO’s recent addition of IT acquisitions and operations to its list of high-risk programs (which we previously discussed), these new reports underscore GAO’s ongoing emphasis on reforming IT acquisitions to reduce redundancy and increase efficiency.

In the first report, GAO added federal software licenses to its list of twenty-four areas in which it discovered evidence of fragmentation, overlap, or duplication in federal government programs.  Citing its May 2014 report on federal agencies’ management of software licenses, GAO explained that a vast majority of agencies do not have sufficient policies to manage their software licenses.  According to GAO, this mismanagement results in over-purchasing licenses, which leads to unnecessary spending, and under-purchasing licenses, which leads to fees for violating licensing agreements.  Therefore, GAO reemphasized that agencies should implement software license management policies that, among other things, provide for centralized management of software licenses and ensure that a software license inventory is created and maintained.
Continue Reading GAO Reports Highlight Ongoing Struggles in Reforming IT Acquisitions and Operations

March has been a busy month for the GSA in its efforts to implement what it has touted as a “new vision for Federal purchasing.” On March 5, 2014, GSA announced a proposed rule to reform pricing practices and contractor reporting requirements under multiple award schedule contracts. In its latest move, on March 20, 2015, the GSA issued a proposal to streamline the negotiation of Commercial Supplier Agreements, which are commonly used in acquisitions of software and other information technology. Such agreements typically contain standard contract terms that GSA regards as inappropriate in the context of a sale to the government. As a result, protracted negotiations with GSA are often necessary to reach agreement on acceptable terms before software and other items can be offered for sale on the Federal Supply Schedule.  
Continue Reading Another Proposal from GSA: a Class Deviation for Commercial Agreements

Late last week the House Foreign Affairs Committee approved H.R. 400, which would require the Department of State and the United States Agency for International Development (USAID) to propose a definition of recruitment fees within 180 days of the statute’s enactment.  H.R. 400 explains that “contractors sometimes employ foreign workers who are citizens neither of the United States nor of the host country and are recruited from developing countries where low wages and recruitment methods often make them vulnerable to a variety of trafficking-related abuses,” including the charging of certain fees during recruitment.  Highlighting the potential for harm associated with such fees, H.R. 400 discusses a  report of the Office of the Inspector General for the Department of State, which found that 77 percent of foreign workers reported paying fees to recruiters and that a majority of these fees resulted in “debt bondage at their destinations.”
Continue Reading Efforts to Define Recruitment Fees Move Forward as Newly-Revised Human Trafficking Rule Goes into Effect

GAO has added IT Acquisitions and Operations to its list of programs it identifies as posing a high risk for fraud, waste, abuse, and mismanagement.  This biennial list contains GAO’s analysis of newly- and previously-added high-risk programs and recommendations for improving their economy, efficiency, and effectiveness.

In adding IT Acquisitions and Operations to this list, GAO observed that “federal IT investments too frequently fail to be completed or incur cost overruns and schedule slippages while contributing little to mission-related outcomes.”  The GAO noted that “the federal government has spent billions of dollars on failed and poorly performing IT investments, which often suffered from ineffective management, such as project planning, requirements definition, and program oversight and governance.”  As a result, improving IT acquisition requires “[p]erseverance by the executive branch in implementing GAO’s recommended solutions and continued oversight and action by Congress.”
Continue Reading IT Acquisitions and Operations Added to GAO’s List of High-Risk Programs