2019 Federal Acquisition Conference Thought Leadership Compendium


THOUGHT LEADERSHIP COMPENDIUM

What Does the Future Hold for Government Acquisition - Opportunity or Challenge?


Five Reasons Mid-Tier Companies Make Great Partners for Small Business


Securing the Supply Chain for Government Contractors Through Integrated Risk Management: How to Compete in the Deliver Uncompromised Environment


Government Contracting Industry Study


Navigating Cybersecurity Requirements to Win Contracts and Avoid False Claims Act Allegations



What Does the Future Hold for Government Acquisition – Opportunity or Challenge?

What the market holds for acquisition is yet to be seen, but from my perspective small businesses have numerous challenges they face over the next few years. One of the biggest challenges will be ongoing merger and acquisition activity, which leads to consolidation and the reduction of bid opportunities for small businesses. This all depends on the political impact and resiliency of the government services community.

In the late 1990s hardware and software manufacturers were “encouraged” to consolidate the overcrowded defense market. Smaller companies found themselves being bought by the “Big Four” - Lockheed Martin, Raytheon, Boeing, and Northrop Grumman. Today we face a similar situation within the services community. Companies such as Leidos, ASRC, SAIC, CACI, Parsons and Mantech are all trying to take the lead in providing services in a very intense and fast-growing high technology market, where the contractor has developed or procured capabilities through mergers or acquisitions. What was once a niche company-based skill or capability has now become the next acquisition for many of these larger companies. Leidos jumped to the top of the market by buying Lockheed’s Information Services business. Now other companies are following the same path: for example, GDIT buying CSRA, SAIC buying Engility and Parsons buying Polaris Alpha. Each is growing or maintaining the capabilities necessary to perform in the market as much as it is trying to keep up with the competition. The result could be that small businesses will be left behind, either to fend for themselves in this GSA-based competitive environment or be acquired as a niche player that adds capability to get a leg up.

With the budget expected to shrink over the next two years (FY20-FY21), it is the small company who will be working harder to find opportunities to grow or make themselves attractive to these growth-based companies, whichever satisfies their goals. On the other hand, they might consider ways to consolidate with other small businesses and maintain or grow their workshare, while also providing the capabilities the government is demanding. We can only watch to see if the consolidation of the service companies will continue or eventually find the same result that the Big Four of the 1990s found themselves – in a market consolidation process that led to fewer procurements and being less competitive. The environment shifted from the use of fixed-price contracts to cost-plus contracts. Unfortunately, this is already happening.

This leads to the area for opportunity in the GovCon services community and a way to improve the services business capability. Today, acquisition reform is different than we have experienced since the Goldwater-Nichols Act of 1986. Specifically, I am referring to Section 804 of the FY16 National Defense Authorization Act (NDAA) and its FY17 modification, which changes how programs are being developed, acquired, managed, executed and deployed. Those programs which follow the Section 804 requirements and implement them will not be subject to the Joint Capabilities Integration Development System (JCIDS) and DOD Directive 5000.01 “Defense Acquisition Systems”. What is being accomplished is a Mid-Tier acquisition pathway, separate from the traditional acquisition system, for rapid prototyping intended to be completed in a period of two to five years as well as rapid fielding to acquire new or improved capabilities. This was driven by the need to identify, develop, acquire and field programs in a manner which maintains or improves US superiority in weapon system delivery. On its surface, you might ask why is this important and how can this be an opportunity for the services community?

Since Section 804 bypasses the requirements for the program to meet the JCIDS process and the 5000 series requirements for managing and reporting programs within DoD, the assumption is that the need for understanding program/project progress or milestone achievement is not as important as it once was. Under the current system, government analysts and the service contractors perform these requirements. They evaluate the cost of companies performing these requirements and how they are meeting the expectations for delivery. This assumes the hardware and software manufacturers are measuring whether the system can meet the specification compliance which proves it can accomplish its mission. To do this, it is necessary to achieve the desired end state performance (capability) by understanding what the system cannot do. How can this be accomplished without monitoring progress or implementing performance measurement techniques? We must use modeling and simulation techniques, tech order development, and acquisition strategy to make a top-down assessment of the system and what it cannot do in a multi-domain environment. We need to collect data to understand the dollars spent and available to ensure the government fields a system that meets all the capabilities necessary to perform its mission.

To ensure this is done properly, the government services community can use a big data strategy and measure performance to end state desires. The services community is best able to accomplish this since they have supported the federal government for over three decades. The government is increasingly asking for contractor support as well as federal worker support to provide the necessary labor. Even when requirements are reduced to meet rapid development and fielding requirements, the change appears to negatively impact the use of service contractors. However, the result of their efforts will provide the opportunity to stand out using innovation, solving the problems with technical expertise and how this can provide a pathway to adapt and deliver capabilities faster and better. This will only be accomplished by addressing the analyses necessary to ensure the systems procured and deployed are competent and meet the mission environment within dollars planned and accounted for.

Written by: Neil F. Albert, President Advanced and Technologies International, LLC (ACT I)


Five Reasons Mid-Tier Companies Make Great Partners for Small Businesses

by: Timothy W. Cooke, Ph.D. | President and CEO | ASI Government, LLC
email: tcooke@asigovt.com | mobile: 703-969-9037 | www.asigovt.com

Government contracting continues to shift its focus to small business. These businesses are seeking partners to help them win and deliver outstanding performance. In acquisition and program management, the size standards are small and the work is demanding, requiring the right kinds of teams to be successful. As a leading mid-tier provider of these services, ASI Government LLC regularly partners with small businesses seeking to add our capabilities to theirs to win bids and bolster capacity to deliver on government requirements.

ASI was also a small business at one time. Through our own journey and collaborating with many small company partners, we have developed a set of considerations we now recommend to all prospective teammates. While small businesses certainly should focus on the same primary concerns as all companies bidding for government work (capabilities, contracts and customer intimacy), some special considerations can make the difference in winning and delivering. By examining themselves and potential teammates early in the “dating” process, small businesses can build stronger competitive positions in a changing market.

1. Be an ethical, reliable and committed partner yourself, whether prime contractor or subcontractor. In government contracting, the reputation of your firm is your most precious asset. Always act with integrity and follow through on your agreements with partners and customers. Sometimes this may be painful and costly in money and in relationships with companies less committed to honesty and service. Sometimes holding to your values can cost you a win when you wisely decide not to team with a sure-winner who has a conflict of interest. Find partners with solid, long-term reputations for values-based behavior and outstanding performance.

2. Recognize the extra value that a proven mid-tier performer can bring to your proposal and delivery. When you pursue business that offers opportunities for mid-tier niche providers, you will get the full attention of the company and its leadership. You also will gain from mid-tiers’ ability to move fast and be nimble. Their empowered leaders bring competitive offerings and have the authority to make fast decisions that will enable you to deliver unexpected value to your clients. You will be a priority for a mid-tier partner, not an afterthought.

3. Team with partners who have shown they can deliver mission outcomes at the speed of relevance. Managing acquisition programs is complex, requiring experience and expertise to be successful. Niche mid-tier companies offer some of the best capabilities in industry and have truly outstanding past performance, whether as prime contractors or subcontractors. Outcome-orientation is essential to the ultimate success of all government missions. So when you team, choose partners who understand your prospective clients’ missions and what it takes to succeed. Perform market research on mid-tier companies to find those attributes. Realize that velocity is critical as well, since great outcomes can be useless if delivered too late. The expertise and methods needed to cut time from the acquisition cycle are rare but critical, so make the necessary effort to ensure your partners have them.

4. Select partners that can mitigate your potential Organizational Conflict of Interest concerns. Service providers often are faced with a choice: Provide services directly or support program functions, thereby gaining access to information that government contracting officers view as creating a conflict of interest and an unfair advantage over other providers of the service. Choosing the right partners with the right business models can help avoid or mitigate perceived conflicts.

5. Finally, if you are pursuing work in the complex world of acquisition program management, find a partner who knows federal contracting cold, one that can help you shape a totally compliant, but also innovative bidding strategy and shave time and cost from the procurement process for you and for the agency client.



Securing the Supply Chain for Government Contractors through Integrated Risk Management: How to compete in the Deliver Uncompromised Environment

“Deliver Uncompromised” aims to protect critical technology from cradle-to-grave by establishing Security as a fourth pillar in acquisition, on par with Cost, Schedule, and Performance, and to embrace security, not as a "cost center" but as a key differentiator. – Defense Security Services (DSS)

At last month’s Spring Joint NDIA / AIA Industrial Security Conference, there were some indications as to how DSS plans to execute on Deliver Uncompromised. A few key mentions were the passage of Public Law No: 115-390 (the SECURE Technology Act), NIST 800-171, and the establishment of a Cybersecurity Maturity Model Certification (CMMC), where a required CMMC Level (potentially 1 through 5) will be contained within RFP sections L&M and will serve as a gate of entry to bid on a contract. All these requirements are targeted at lowering supply chain risk.

One approach for the Defense Industrial Base (DIB) to consider, as it will have to compete within a Deliver Uncompromised environment (and perhaps one that will require certification by 3rd party assessors for compliance with CMMC), is Continuous Adaptive Risk and Trust Assessment (CARTA). CARTA was coined by Gartner in 2018 and they’ve provided seven imperatives to assist in its implementation:


Imperative No. 1 Replace One-Time Security Gates with Context-Aware, Adaptive and Programmable Security Platforms

Imperative No. 2 Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively

Imperative No. 3 Perform Risk and Trust Assessments Early in Digital Business Initiatives

Imperative No. 4 Instrument Infrastructure for Comprehensive, Full Stack Risk Visibility, Including Sensitive Data Handling

Imperative No. 5 Use Analytics, AI, Automation and Orchestration to Speed the Time to Detect and Respond, and to Scale Limited Resources

Imperative No. 6 Architect Security as an Integrated, Adaptive Programmable System, Not in Silos

Imperative No. 7 Put Continuous Data-Driven Risk Decision Making and Risk Ownership Into Business Units and Product Owners


Additionally, the ACT-IAC Zero Trust project recently published a cybersecurity trends paper defining trust as a foundational element of Zero Trust implementations. Dynamic, context-aware trust elements are necessary in such projects. Many vendors are answering this call to action by providing risk or trust scoring as part of their next generation firewalls or endpoint services. Continuous Adaptive Trust (CAT) is an arbiter or orchestrator of that trust, providing context beyond cyber data streams and looking beyond basic User and Entity Behavioral Analytics.

Deploying solutions supporting a combined person-centric and device-centric architecture provides a way to further close the supply chain security gap between the person, their personnel / industrial security profile, and their exposure to the entire supply chain – from subcontractors to prime contractor to classified contracts and associated secure facilities, and the acquiring Government Agency. In short, this architecture continuously updates a person’s Trust Score via Continuous Vetting from multiple sources, which determines accessibility to networked resources. CAT serves as a failsafe for the Zero Trust environment, providing continuous authorization and attribute-based access control.

Use of these types of systems and their integration capabilities can provide a much lower capital and operational cost to the DIB by allowing them to maintain a single system of record, collapse networks, access tokens and help link the need for access with personnel security systems. Additionally, this approach ensures that the user is still the same user who was authenticated, and the system deemed trustworthy. As the DIB prepares to compete in a Deliver Uncompromised environment, they should take a closer look at CAT and trust engines for solving complex supply chain security challenges and uncertainty while remaining innovative, competitive, compliant and profitable.

© COPYRIGHT 2019, CANDA SOLUTIONS, LLC. ALL RIGHTS RESERVED.

info@CANDASolutions.com www.freshhaystack.com

www.unisys.com/stealth




Government Contracting Industry Study Executive Summary



Deltek Clarity | Government Contracting Industry Study

EXECUTIVE SUMMARY

The 10th Annual Deltek Clarity Government Contracting Industry Study depicts a healthy market characterized by steady levels of government spending, continued growth and increased competition. Deltek has been able to identify the most important trends, challenges and benchmarks in the government contracting sector. The trends and data points in this survey are designed to provide actionable insights into the sector as a whole while also capturing forecasts into the next year.

Growth and competition increase for most businesses. The overall market for government contractors remains healthy as government spending has continued to increase. Businesses are seeking to make the most of the bullish spending environment by pursuing growth and profit-maximizing strategies. Competition is up as contractors are expanding into new government agencies and looking to grow their customer base.

Diversification into new agencies and pursuing new customers are increasingly successful strategies. Diversification is increasingly important to all businesses. As firms are looking to increase revenue and mitigate risks associated with agency-specific budget cuts, firms are expanding into new markets. Diversification has challenged firms by exposing them to unfamiliar contracting vehicles, making opportunities more difficult to identify early and increasing the importance of selecting the right teaming partners.

Attracting qualified talent and retaining top performers continues to be a major factor for success—and a high priority among the most successful companies. High-performing talent is increasingly hard to find, hire, and retain in this economy. Firms are challenged by the ability to both match qualified candidates to open positions and retain top performers. Accordingly, employee retention has emerged as a competitive response. Businesses are now increasingly focused on improving the entire employee experience with new HCM technology, continuous performance management and robust career development programs.



IT departments are prioritizing security, compliance, and cloud-based applications for the second year in a row. Cybersecurity concerns continue to challenge contractors, especially as they transfer an expanding number of business functions to the cloud. About half of businesses reported that the number of cybersecurity incidents had stayed the same compared to last year, whereas 37% reported an increase. Accordingly, 48% of firms cited IT/data security as one of their top concerns. Strong interest in cloud-based applications continued for this year, with 46% of firms reporting that they have more than 50% of their business applications in the cloud. The expansion into the cloud has also introduced companies to new compliance standards, increasing costs, and regulatory burdens.

Cost of compliance for Contracting Purchasing System Review (CPSR) audits is on the rise. CPSR audits were indicated as a significant cost for firms in 2018, with 83% of respondents indicating it as a “moderately” or “more costly” compliance to meet. This is a relatively significant increase of 17 points from respondents last year.




Better software means better projects. Deltek is the leading global provider of enterprise software and information solutions for project-based businesses. More than 23,000 organizations and millions of users in over 80 countries around the world rely on Deltek for superior levels of project intelligence, management and collaboration. Our industry-focused expertise powers project success by helping firms achieve performance that maximizes productivity and revenue.

© Deltek, Inc. All rights reserved. All referenced trademarks are the property of their respective owners. www.deltek.com

info@deltek.com

+800.456.2009


CLIENT ALERT

Navigating Cybersecurity Requirements to Win Contracts and Avoid False Claims Act Allegations

By John S. Pachter, Armani Vadiee, and Todd M. Garland

Companies doing business with the U.S. government are familiar with unnecessary regulatory burdens imposed by the federal procurement system. The process has become more difficult with the federal government’s recent focus on cybersecurity. Contracts with executive agencies typically include FAR 52.204-21—Basic Safeguarding of Covered Contractor Systems (June 2016). If non-public contract information resides in a contractor’s system, the clause requires the contractor to provide 15 safeguards to protect contractor information systems. The safeguards require a contractor to limit access to its systems, control information on publicly accessible systems, and monitor visitor activity.

The Department of Defense cybersecurity requirements are more stringent. Since January 1, 2018, DOD contracts that involve storing, processing, or transmitting covered defense information are subject to DFARS 252.204-7012. Under the clause, contractors must implement the standards imposed by National Institute of Standards and Technology (“NIST”) 800-171. Prime contractors must also ensure lower-tier subcontractors meet the DFARS cybersecurity requirements.

Companies that cannot meet cybersecurity demands risk relinquishing the opportunity to obtain new awards. But if a company exaggerates its compliance with cybersecurity regulations—or fails to fully disclose noncompliance—it could face allegations that it fraudulently induced the government to award the contract.

The Federal Government’s Increased Emphasis on Evaluating Cybersecurity Compliance

Effective cybersecurity compliance is increasingly important to the ability to win awards and to protect successful proposals from challenges by competitors. Recent events—such as the 2014 Office of Personnel Management (“OPM”) data breach exposing personnel files for 4.2 million government employees and 21.5 million security clearance files—mean contractors should expect that their ability to meet cybersecurity requirements will be subject to increased scrutiny. Contractors with inadequate cybersecurity systems may find themselves eliminated from the competition. See Syneren Techs. Corp., B-415058, Nov. 16, 2017, 2017 CPD ¶ 363.

Even if a contractor is not required to meet stringent cybersecurity requirements, agency solicitations often use a contractor’s cybersecurity system as a technical evaluation factor. Agencies can assign strengths for a proposed cybersecurity framework if the system helps manage cybersecurity risk and leads to improved efficiencies. See IPKeys Techs., LLC, B-414890, Oct. 4, 2017, 2017 CPD ¶ 311. In IPKeys Technologies, the contractor’s award was based, in part, on its agreement to voluntarily exceed cybersecurity requirements in the RFP.

In another case, the agency assessed deficiencies against three contractors that failed to address cybersecurity requirements in their proposals. Jardon & Howard Techs., Inc., B-415330.3, May 24, 2018, 2018 CPD ¶ 195. Similar to IPKeys Technologies, the awardee’s proposal included information regarding its cybersecurity system that went beyond the solicitation requirements. These decisions establish the potential benefits for contractors demonstrating they can exceed an agency’s minimum cybersecurity requirements.


Exaggerating or Misrepresenting Cybersecurity Compliance May Lead to an FCA Claim

Contractors misrepresenting compliance with cybersecurity requirements could also face allegations under the False Claims Act (“FCA”), 31 U.S.C. § 3729 et seq. Last month, a federal court permitted a contractor’s former senior director of Cyber Security, Compliance, and Controls to proceed with a qui tam action alleging the company entered into government contracts while knowing it could not meet requirements to guard information from cybersecurity threats. U.S. ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., 2019 WL 2024595 (E.D. Cal. May 8, 2019). The case is still in the pleading stage, so the court assumes the allegations are true. And the Department of Justice, after investigating the allegations, declined to intervene—meaning the claims may lack merit. Still, the case illustrates the need to ensure compliance with cybersecurity requirements.

Contractors must also ensure their representations regarding the ability to meet cybersecurity requirements are complete and accurate. In Aerojet, the contractor disclosed its noncompliance with certain cybersecurity regulations. The relator argued the contractor disclosed some of its noncompliance, but, according to the relator, the contractor had not disclosed the full extent of its inability to meet cybersecurity regulations, including the ability to meet security controls and establish firewalls. Failing to disclose non-compliance with cybersecurity requirements might be a “misleading half-truth,” and, under the FCA, “representations that state the truth only so far as it goes, while omitting critical qualifying information, can be actionable misrepresentations.” Univ. Health Servs., Inc. v. United States, 136 S. Ct. 1989, 2000 (2016). Failing to fully disclose the inability to meet cybersecurity obligations could be considered “misleading in context,” thus serving as the basis for an FCA claim. See id.

Conclusion

The recent imposition of contract clauses mandating that contractors safeguard information from cyberthreats has made contracting with the federal government more difficult. Despite these challenges, contractors must ensure compliance with cybersecurity regulations and that their disclosure of any noncompliance is complete and accurate. Cybersecurity system defects may lead to adverse evaluations and rejection of your proposal. At the same time, attempting to hide defects—or failing to disclose the full extent of noncompliance—could result in a qui tam action alleging you fraudulently induced the government to award the contract.

John S. Pachter jpachter@smithpachter.com

Armani Vadiee avadiee@smithpachter.com

Todd M. Garland tgarland@smithpachter.com

Smith Pachter McWhorter PLC 8000 Towers Crescent Drive, Suite 900 | Tysons Corner, VA 22182 | 703.847.6300 | www.smithpachter.com



4401 Wilson Blvd. Suite 1110 Arlington, VA 22203 www.pscouncil.org

