Interview transcript:

 

Eric White So compliance issues are the main target here for the government when they are trying to get defense contractors to submit to some cybersecurity compliance measures. There’s also a thing out there about pricing data, so to speak. What is front and center of your attention right now?

Stephanie Kostro We are facing a maelstrom, really, of activity in this area. We all have been tracking Department of Defense’s Cybersecurity Maturity Model Certification Program, expecting rules to come out at any given time as it begins to undertake its phased-in approach here on October 1. What is really eye-catching for us within the services and solutions industry is the fact that the Department of Justice is undertaking a real push towards litigating cybersecurity compliance vulnerabilities and also weaknesses. I say that because we have lots of companies out there that are trying their very best to be cybersecure and in line with the requirements of the government. Previous cases that would have been taken back to the negotiators or simple contract claims are now being prosecuted in court as a False Claims Act element. And so I just wanted to highlight that for you and your listeners that this is a change in approach.

Eric White This change in approach caught me by surprise as somebody who covers this and actually reads those DOJ memoirs. Let’s talk on this approach. I don’t want you to have to speculate or anything, but this is a new way to try and get some movement in the cybersecurity compliance area. Did the administration express that they’re just not happy with where industry currently stands and are thinking that folks aren’t taking it serious enough, or what was the reason behind this that you heard?

Stephanie Kostro It was the previous administration, under President Biden, where the Department of Justice declared its intent to use the False Claims Act for cyber compliance. This was back in October of 2021. That’s when Department of Justice launched its civil cyber fraud initiative. That said, the activity has really stepped up since inauguration in January of this year. And so I believe it is President Trump and his team saying, you know, we want to take this a lot more seriously. We need to put teeth into this to make sure that our contractors, and to be honest as well as the folks in the government, that they’re all taking cybersecurity very seriously. It is a difference in approach that we are seeing lots of settlements come out of the courts regarding FCA or False Claims Act cases. But this is a really, really interesting time to be bringing down the hammer, so to speak, in this area. Because we are seeing that Cybersecurity Maturity Model Certification program start really with phase one, as I mentioned here on October 1st. CMMC has been in the works for years. We’ve all been tracking it. We’ve all submitted lots of comments about how it should be rolled out. I’ve talked to folks at the Department of Defense; if we don’t see the final rule come out, we do expect a class deviation to come out. And we will see this incorporated into contracts as early as October 1st.

Eric White Let’s talk on the contracting side, the now Truthful Cost or Pricing Data statute, formerly known as the Truth in Negotiations Act … it requires contractors to be upfront about their pricing data and back up their work for the reason why they’re charging the government for a particular service. That seems pretty straightforward, but now there seems to be a step up in enforcement on that level. What is different there?

Stephanie Kostro So as we look at what the Truthful Cost or Pricing Act will entail, we are seeing lots of activity, including on the Hill, regarding how to get out the real cost to contractors of the work that they’re performing on behalf of the government. I think we are changing a little bit of what the compliance requirements will be. I think we have a lot of contractors who are trying to get very smart on this very quickly. And I think as we move forward they are happy to share their data as much as it makes sense. The one question that we do have is, what is the requirement for folks to share subcontractor pricing and cost information? And that has always been a very difficult nut to crack. I’ll give you this example, Eric. If you have a large defense contractor who has 300 subcontractors or, you know, sub-tier contractors not directly reporting to them but a subcontractor reporting to a subcontractor reporting to a subcontractor reporting to the contractor, there is no way that prime knows the cost and pricing data of those tertiary and beyond subcontractors. And so as we roll up what it actually costs to deliver work for the federal government, it’s really going to be difficult to comply.

Eric White We’re speaking with Stephanie Kostro, president of the Professional Services Council. So it’s not just the administration that seems to be trying to get the biggest bang for its buck on the contracting side. The House Armed Services Committee is now moving to overhaul how it assesses whether or not a defense contractor actually fulfilled its end of a deal. What is happening on that front? And is this a legislative measure that may go somewhere? Or is it just one of those nice ideas, but we’ll-talk-about-it-later kind of deal?

Stephanie Kostro I’m a former House Armed Services Committee staffer myself, and I always like unpacking the HASC-passed National Defense Authorization Act. And it was really interesting on this front this year, Eric, because they do talk about contractor performance reports. They talk about how to evaluate contractor performance. And what they’re doing here is really interesting. What the proposal does is it directs the Department of Defense to amend — I’m going to get so wonky here, Eric, for you — the DFARS, the Defense Federal Acquisition Regulation Supplement, to create what they’re calling an objective or fact-based simplified system for contractor performance. Really, it would eliminate, they say, subjective ratings and limit reviews to only negative performance events. We do have some concerns about this, because if you’re evaluating a contractor based only on negative reports and not necessarily the goodness that they bring to the table, it is still one-sided. I appreciate the effort to be less subjective and more objective based on unquantifiable cost and timeliness of delivery. That said, I do think you run the risk of throwing out the baby with the bathwater here. I am hoping that as they go through the conference process with the Senate, that we can have some conversations about what “right” looks like from a contractor perspective. But that’s not all that they’re doing. They are talking a little bit about standardizing scoring mechanisms, etc., and looking at CAS compliance, which is that cost accounting standards piece that everybody loves — I’m being facetious there. And I think as we move forward, there’s a lot of room to help the Hill understand the contractors’ perspectives.

Eric White Yeah, from a punitive standpoint, it seems as if you do the job right, you get a thumbs up, you do the job bad, and all of a sudden you get to a landslide of consequences coming your way. Is that sort of what you all are worried about happening on that end?

Stephanie Kostro It is a concern, Eric, that again, you’re going to lose the goodness that somebody’s bringing to the table if you just focus on the bad.

Eric White All right. And you have been keeping busy, as you mentioned, and another agency that has been keeping busy itself is the General Services Administration. As somebody who covers this stuff, I’ve been struggling to keep up with all of the changes that they are making to their institutions on that side. What are the ones that you all are most highlighting when you speak to members?

Stephanie Kostro We are talking quite a bit with GSA about their OneGov aspect of what they’re doing here to make sure that there’s a one-stop shop for IT and IT modernization. As you know, there was an executive order that consolidated vehicles at GSA, for IT in particular. As we see that move closer to fruition, I think we’ll have lots and lots of questions. Another tool that they just rolled out earlier this month is focused on artificial intelligence. And this is called the USAI. This is really to give access to federal government employees to a test bed of how they can play around with using AI tools in procurement and in the fulfillment of their missions. And so this is a really interesting way for GSA to put themselves in the mix. They’re vetting some of these AI tools and then saying, hey, here are some tools that you, federal agency A or federal agency B, might want to consider. It’s a safe space for them to work. And so I think it’s a really interesting effort. Contractors in particular are involved; some of them are offering their AI tools. I think we have other contractors who would like to offer their AI tools to GSA for consideration as part of this effort. And we are very supportive of the ethical and correct use of AI in this space, but we’re going to see what devils are in the details here.

Eric White Over the past three years, it’s gone across all industries pretty much. We’ve had to all get a crash course in generative AI. Where does the govcon community stand, in your mind, on the actual implementation of AI, whether it is for procurement, or, you know, just trying to create some new products that the government may be interested in?

Stephanie Kostro The government contracting community has been very actively involved with what the administration has been doing. Earlier this year, the White House rolled out their AI action plan, and it was open to the public for comment. And so we, at the Professional Services Council, we gathered our member inputs and provided lots of input into that AI action plan, which is being run by the National Science Foundation on behalf of the Office of Science and Technology Policy at the White House. And so they’re really looking at frontier language models, they’re looking at AI, and our govcon community is very excited. If I can give you an example, Eric, a GSA official was present and participated in our PSC annual conference back in April and actually asked us to help organize a reverse industry day. And we all know what industry days are, right? The government brings in all the contractors and answers lots of questions. A reverse industry is exactly the opposite. The government put forward a question to industry. And industry helps determine how to answer that question. GSA asked us to help them unpack AI. And we are working on that event as we speak.

The post Federal contractors feel the push to comply on new cybersecurity requirements first appeared on Federal News Network.
