Interview transcript:
Terry Gerton Last week, there was a lot of news in your space, so let’s try to take a couple of them one by one. Let’s talk about the CMMC memo. It finally came out after many years of back and forth. We talked a little bit about it with some other guests focusing on the government’s perspective, but I want to hear from you about the contractor perspective. What are you seeing in here that’s new or surprising or challenging?
Stephanie Kostro First off, Terry, I want to say industry breathed a sigh of relief in a way because we have been waiting five years for this final rule. What this final rule does is it includes contract language that will be incorporated, and so as we all know, the devil is in the details. And so when contractors are looking for guidance on the Cybersecurity Maturity Model Certification Program, CMMC, what they were looking for is, what are their requirements going to be? And so again, although we sometimes chafe under requirements, particularly reporting requirements, some of the compliance requirements about when you report a cyber incident, et cetera. But this actually was long anticipated and very much welcome. We now have some certainty to the program. We know when it will start. We know what contract language will be included in contracts. And so now that we know the details that the devils are in, we can proceed. And so that was one of the major pieces of relief that came across recently.
Terry Gerton Well, even after five years of development, are there pieces in here that you and the contract community feel might need some more discussion?
Stephanie Kostro I think that’s a great question, Terry, because there are areas where the government offered much needed clarification, and then there are some areas where clarification is still needed. We are grateful that it lifted burdens on commercial off-the-shelf providers. There is now something called conditional certification. So for higher CMMC levels, there are three levels, three being the highest, contractors can receive a conditional certification for up to 180 days as they complete remediation tasks. So all of that was very welcome. However, there are still very high compliance costs, particularly for small businesses. We’re talking about a level two certification, which is that mid range there, can cost over $100,000, which has been difficult for small businesses to swallow. And there is a shortage of assessors, in terms of the CMMC third party assessor organizations, or as we call them, C3PAOs, not to be confused with any Star Wars references of C3PO, of which we hear a lot. And then finally, where the language in the final rule could have been clearer is on defining controlled unclassified information boundaries, what’s covered under the rule, what’s not covered under the rule. There is still a lot of gray area when it comes to the CUI, this controlled unclassified information. And this creates uncertainty over what information and systems are covered and what’s not. And it could lead to over-implementation, over-spending on getting certifications, et cetera. And so we are going to be working with the government on those issues.
Terry Gerton Will some of that get clarified as the DFARS rules that will come along with this come out?
Stephanie Kostro So we’re hoping that some clarity will come, not just from further rulemaking, but also in the implementation guidance, in terms of, all right, so now that the program’s starting, when the rubber meets the road, we know we’ll see memos, et cetera, about here’s the right way to do it, here’s a wrong way to do it. Or maybe not, memos on here’s wrong way to do it, but certainly course corrections, and I think that’s to be expected. CMMC, for its full implementation, is going to take three years. We’re just kicking off the one-year phase one here in November of 2025. That will last a year and then we’ll go to phase two. So there’s lots of time for course correction.
Terry Gerton And what guidance are you sharing with the contracting community right now as you move into this first phase of implementation?
Stephanie Kostro Again, a great question, Terry. There are several things we’re suggesting that contractors do. We don’t offer legal or accounting advice, but there are certain common sense steps that contractors can take that we’re recommending. The first is to assess your readiness if you haven’t already done so, and look at a gap analysis to identify any deficiencies in your cybersecurity posture, to look at your documentation, what is required now by this new final rule, including a system security plan and something we all call a PAAM, but that actually stands for a plan about action and milestones. So they are very concrete steps. And then finally, really to work with your assessors, these C3PAOs that I mentioned, to make sure that you can get the certification necessary, and then for some companies who have subcontractors, this will also impact subcontractors. So they do need to manage their subs in a way that makes sense under the CMMC program. So this is sort of the ecosystem we’re working with, Terry.
Terry Gerton I’m speaking with Stephanie Kostro. She’s the president of the Professional Services Council. Well, there’s going to be a lot to watch there and a lot of lessons learned as that all rolls out. Let’s talk about another space where there’s lessons learned, GSA Contract Consolidation Workforce Development, this also came out last week. Tell us about what PSC sees here and what you might be concerned about.
Stephanie Kostro So first, Terry, I would like to take you all the way back to March, which seems like a lifetime ago, but on March 20th, the President signed out an executive order. It’s number 14240. It is quote unquote, Eliminating Waste and Saving Taxpayer Dollars by Consolidating Procurement. That’s the title of the EO. And in it, it offered, well, it didn’t offer, it directed GSA to start taking over some of the contracting for domestic procurement of common goods and services. It also directed GSA to consider on a case-by-case basis taking over the government-wide acquisition contract vehicles for IT. Now, what all that means is that GSA got a lot more work six months ago, or nearly six months ago, and so as we move forward, we were looking from a contracting community as, all right, so who are we going to be able to talk to in the government? Who’s going to be at GSA to answer the call or the email about concerns or issues, et cetera? And so we very much welcome this reorganization at GSA and also this workforce initiative. I’ll give you one example of a major agency, a major department that is probably sending its GWAC for IT, its government-wide acquisition contract vehicle, over to GSA. And I was talking to one of the officials at that agency and they have lost two thirds of their contracting officers. Now that is a big deal, but if they can shift their GWAC over to GSA, they don’t need the contracting officers that go along with that contract vehicle. So the question remains, who’s there? In the pitching and catching scenario, who is there at GSA to catch that GWAC? And so I’m very excited to see that GSA is taking deliberate steps to increase their workforce.
Terry Gerton How are contractors in general responding to this initiative?
Stephanie Kostro So the initiative, the workforce initiative, it remains to be seen since it is just so recently announced, but they are hopeful that there will be somebody to answer their calls and questions. I will say on the overall initiative to consolidate contracts, there are some concerns that we are conveying to GSA and the broader government as well. For example, when you consolidate contracts at GSA, agencies may lose some unique flexibilities that they had in their own contract vehicles. Contractors may not be able to get onto a vehicle in a timely manner. It may, if there are more people on the larger contracts, it may dilute an individual contractor’s ability to win a task order. And again, the GSA workforce issue is always there. And finally, I would be remiss if I didn’t mention, contract consolidation oftentimes leaves small businesses a little bit in the dust, in particular, organic small businesses that don’t partner in a joint venture, so we are watching that space very closely as well.
Terry Gerton Well, that might lead us right into the next topic, which is on FAR Part 8, as the FAR council has been rolling out its revolutionary FAR overhaul. PSC has some industry concerns about what’s going on with the Part 8.
Stephanie Kostro Yeah, thank you so much, Terry, for mentioning this. The Revolutionary FAR Overhaul is a huge undertaking by the General Services Administration and the FAR Council writ large. And so as we talk to GSA, OMB, the rest of the alphabet soup of agencies about what’s going on, FAR Part 8 has recently come up with several concerns coming from industry. This is the FAR part that talks about required sources of supplies and services. And so, it looks like some of the changes in the Revolutionary FAR Overhaul affecting FAR Part 8 would drive companies to need to be on a best in class contract, a BIC contract, or another so far undefined, a separate category of contracts that are called preferred use contracts. And we’ll probably hear more from GSA about what that means going forward, but that’s a separate category. But on the BIC piece, lots of concerns about this if you’re not on a best-in-class contract. What happens vis-a-vis competition? Can you actually get on there? What happens to your market share? Is there an emphasis on larger vehicles? Like GWACs, I mentioned, are also multiple award schedules from GSA, but we are expecting to see streamlined ordering procedures. And so I think that is sort of the other side of the coin of, all right, if we’re simplifying and streamlining, what is the benefit we’re getting, and that is faster award times. And then for those on best in class, they’re going to start having to compete quite a bit more. And potential market consolidation, we may see some M&A activity as well.
Terry Gerton So it sounds like the acquisition industry, the government contractor space, has been pleased with many of the acquisition reforms that are coming out from this administration, but they may need to be attuned for some unintended consequences.
Stephanie Kostro So I mentioned the Revolutionary FAR Overhaul. It is a two-step process. Right now, we’re looking at all these class deviations, but the next step is to go into the formal rulemaking process. And that is where it’s imperative for the government to give contractors at least 60 days to comment on each of these major rule changes, because it’s going to reshape the marketplace in which these contractors function. We have a vested interest in commenting on everything that’s relevant to companies and making sure that it’s not just business as usual, we rush through a process and we start changing rules, that there is a deliberate comment period and the government takes those comments seriously.
The post Contractors need to stay focused and flexible in this fast-changing federal acquisition space first appeared on Federal News Network.