2022 PSC Annual Conference | Thought Leadership Compendium

Thought Leadership Compendium

Table of Contents

03  Growing a Small GovCon Services Business Into a Mid-Size Firm – a Thousand-Day Strategy
09  The One Brief | How Organizations Can Find a Path to Net Zero
15  A Deep Dive Into Due Diligence for Transaction Advisory and Government Accounting
20  CMMC 2.0: Five Key Changes for Government Contractors
26  Understanding Cybersecurity Maturity Model Certification (CMMC) 2.0 Compliance
33  Reimagined Perspectives | Redefining What’s Possible
39  Leidos Helps IRS Incrementally Modernize Electronic Tax Systems
42  Defending Infrastructure by Building Resilience in Aviation and Transportation
46  As the Federal Landscape Evolves, Contractors Need Resource Management Tools That Can Keep Up
51  GovCon Business Systems | A Resource Guide for Contractors
57  Building Businesses One Government Contractor at a Time


Growing a Small GovCon Services Business Into a Mid-Size Firm – a Thousand-Day Strategy

ACT1 Thought Leadership for PSC’s 50th Anniversary Annual Conference

Thanks to the Small Business Administration’s rules requiring the federal government to award a portion of its contracts to businesses meeting certain socio-economic characteristics, the GovCon services market provides unique opportunities for entrepreneurs to launch small-business ventures.

Many GovCon services firms have experienced tremendous success in their first few years, or early in the lifecycle of their companies. Unfortunately, for some emerging firms, success can be short-lived when they outgrow size standards and must compete in the unrestricted market against far more sophisticated, established firms.

The journey to success in the unrestricted market is hard, with many hurdles to jump and potholes to avoid, but not impossible. For example, many established 8(a), SDB, WOSB, SDVOSB, and HUBZone firms have been snatched up in recent M&A transactions by larger primes. When studying the acquired firms’ success stories, most have followed similar approaches that include a few simple building rules.

You may think of building your firm like building a house. What type of house do you want to build? Colonial? Mid-century? Tudor? This is your Vision. Then ask yourself: for what purpose do you want to build the house? Generate equity quickly? Create a multigenerational legacy house? Make a vacation home? This is your Purpose. Then ask yourself how you intend to use your home. To raise a family? Make it your retirement place? Develop a rental property? This would be your Mission.

We’ll carry this analogy through our story as we suggest how business owners can prepare their businesses to operate in the unrestricted GovCon environment as they transition into successful, stable mid-size firms.

Part 1: Building a Successful Firm – Start with a Sound Foundation

To focus your efforts on the most impactful actions to achieve your objectives, you must define a compelling Vision, Purpose and Mission as your foundation. These will help you crystallize how to best leverage your most precious resources, time and money, while attracting and retaining talent. For example, your company Vision could be: “We would like to be the leader in Army Engineering and Logistics.” The type of foundation required by an Engineering and Logistics business that serves the US Army is very different from that of an IT/Data Analytics business that serves the Intel Community. The same applies to your firm’s Purpose and Mission.

A key component to build your firm’s foundation is to develop an effective Culture. Referring to an overused, but accurate, quote from Peter Drucker: "Culture eats Strategy for Breakfast." Culture always determines success regardless of strategy. Success in GovCon is more likely to come from a kind and compassionate firm with a humble, smart, and hungry corporate culture that focuses on what matters most: Growth, Customers and People.

The ability to bid and win new business contracts is the most critical component of your firm’s success. However, depending on your Vision, Purpose and Mission, internal capabilities such as back-office support functions, processes, procedures and controls (e.g., accounting, contracts, IT, finance, HR, procurement, quality, talent acquisition) are critical to transform your small business venture into a GovCon services powerhouse. Tightly integrated processes can be both a major discriminator and a robust value-add in the GovCon arena.

Part 2: The Firm Takes Shape – Add Framework/Structure and Focus on Growth, Customers and People

Growing beyond the first few contracts takes discipline, flexibility, focus, and attention to detail coupled with a unique blend of skillsets and talent. In turn, discipline takes emotional restraint and solid approaches. Success is more likely to come from the right blend of discipline and flexibility. For example, develop your own firm’s version or interpretation of The Shipley Process. Allow yourself and your team to appropriately tailor this process when warranted to save time and effort. Trust yourself and your team to apply judgment, as the best-designed processes will never replace intellect and sound judgment. Fix your team’s focus on the prize. Start and end with your Win Strategy, incorporating time for technical solutioning and ideation throughout the proposal process. Have a sense of your Price-to-Win as early as possible and push your team to produce the highest-quality, 100% compliant and technically compelling proposal possible.

After a contract win, in conjunction with your transition-in approach, develop a Customer Engagement Plan. Nothing sells or builds your business better than great customer referrals and “Exceptional” CPARs. At the start of every engagement, focus on regular, meaningful multi-level interactions between your customer and your firm’s senior leadership, program managers and technical staff. The best winning recipe is to continually deliver high-quality products and services while working alongside your customers. In practice, use monthly program reviews to ascertain your customers’ pain points and introduce new ideas, opportunities, and value. And don’t forget to follow up with detailed notes and minutes to build upon and continue your commitment to customer dialogue. Document your CPAR self-assessment and do not hesitate to advocate for your well-earned “Exceptional” ratings.

Part 3: Focus on Fueling Growth – Shape the Firm’s Infrastructure

After establishing the firm’s foundation and structure, develop your detailed processes to ensure repeatable and predictable growth, stellar customer satisfaction, and a dedicated workforce collaborating as a Team. Repeatable, predictable growth is synonymous with focus and “disciplined-flexibility” in execution, quality control, and diversity in skillsets and thought. Creating a deep, robust pipeline of opportunities that is reviewed and curated weekly is certainly one part, but another is to avoid falling in love with any one opportunity. You can easily get yourself and your team distracted chasing low-probability-of-win opportunities that your firm is not well-suited to win. In addition, the best pipeline in the world can only get you as far as your proposal development team’s throughput. You must balance the volume of your funnel and your proposal team’s capabilities without sacrificing compelling technical discriminators, or the quality and compliance of your proposals. And consider the data collection and analysis that goes into predicting price-to-win, and the pricing drills that ensure you can meet your price-to-win goal without jeopardizing the credibility of your execution model. To sum it up, sometimes focus means less is more!

Finally, always concentrate on your people, starting with human capital functions (talent acquisition, human resources management, and talent management) and your middle managers, especially your PMs. Charge your human capital leadership to identify, attract, retain, grow, and optimize your workforce. Develop your firm so people can’t wait to join you. Offer competitive pay and benefits, and you will be rewarded handsomely. Recognize exceptional performance, provide career mobility, and allow a flexible work environment. And for your PMs and middle managers, hone their leadership skills because they are critical to scaling your business. PMs and middle managers are the key framework of your organization.

At this stage of your firm’s development, the holy grail is to have a functioning management dashboard. This includes real-time data feeds from your processes and procedures to operate and improve your firm’s results and teamwork. Key data and metrics must include your BD funnel and pipeline, your proposal development team’s throughput, your CPARs, your team’s kudos, staff utilization, contract margins, indirect rates, cash collection, recruiting stats, staff headcount, and similar data/KPIs.

Part 4: Create Value Around Growth, Customers, and Your People – Add Finishing Touches for Stakeholders

Like value-added finishing touches on your property and inside your home (e.g., nice landscaping, updated kitchens/bathrooms, paint, and lighting), you need to develop Value-Added Capabilities within your firm. For example, you want the right type of growth: that which adds more profitable contracts and key IDIQ opportunities and increases proposal throughput, quality, and pricing capabilities. Similarly, with your customers you want to expand existing contracts, add more complex and valuable technical work, and add more complex customers with higher-level technical work. This is like updating your home to keep pace with improved technologies and the changing environment. Finally, you might consider an acquisition or two to grow your existing market base, or to expand your firm’s technical domains and/or your functional capabilities. And we can’t forget adding value through your people. Add advanced degrees, more technical certifications, and higher clearance levels, all of which increase stakeholder value. And finally, build a Board of Advisors/Directors and an integrated C-Suite to add more value, just like developing your PMs and middle management teams.

To improve customer satisfaction and achieve customer delight, your processes and procedures (like ISO-9001, CMMI L3, and Financial Audit results) and regular, useful engagements with customers at all levels (PMs, middle managers, executives) must focus on problem solving and innovation to improve results for your customers. Demonstrate how your processes, procedures and controls drive consistent, repeatable, high-quality performance results and customer success. Finally, ensure your processes, procedures and controls support your workforce. Just like your growth and customer satisfaction strategies, you need a human capital/people strategy. Ensure you align your corporate strategy with your human capital/people strategy to include individual goal setting, staff recognition and training programs, especially for those high-profile, high-performing PMs and technical SMEs. Balance internal support programs as well as social, community and philanthropic events within your local communities and governments that mesh with your company values and your staff’s outside interests.

Part 5: You Are Ready to Scale

Now you and your firm are ready to scale. So, grow the firm vertically (like adding a new level to your home) or horizontally (like adding a new wing to your home), or grow through acquisitions (like adding more land). Remember, building a successful mid-size firm is a project, whether it’s a Thousand Days or longer. Success starts with Building a Solid Foundation, followed by Adding Framework and Structure, then Shaping the Infrastructure, and adding the Finishing Touches. To build any successful business one must focus on driving growth, delighting customers, taking care of your people, and creating value for all stakeholders.

ACT I in ACTION Video - ACT I (acti.com)

www.act-i.com



The One Brief | How Organizations Can Find a Path to Net Zero


Overview

As the conversation on climate change advances around the globe, the goal of achieving “net zero” — a state in which the amount of greenhouse gas (GHG) emissions produced and the amount removed from the atmosphere are balanced — has been gaining momentum. And with good reason. Achieving net-zero emissions is critical to managing the destructive potential of climate change [1]. Governments, businesses and investors are increasingly putting net zero at the top of their agendas — as seen in the number of discussions and commitments coming out of November 2021’s COP26 climate summit [2] in Glasgow. But those commitments are just a start and must be followed up with action that is both decisive and measurable, and that focuses on both limiting GHG emissions and adapting to a more volatile climate environment.

“Worldwide, there’s a drive to achieve net zero emissions, and the outcomes of these commitments will have far-reaching impacts across the global economy,” says Natalia Moudrak, managing director and climate resiliency leader, Public Sector Partnership at Aon. “There are important and ambitious targets being set, and the question is what actions, what investments, what behavioral changes and what technological advancements are required to get us there. For climate adaptation, time is no longer a luxury.”

1. “Why Every Business Should Be Thinking about Climate Change Risks.” The One Brief, November 23, 2021. https://theonebrief.com/why-every-business-should-be-thinking-about-climate-change-risks/.
2. “COP26: What Was Agreed at the Glasgow Climate Conference?” BBC News. BBC, November 15, 2021. https://www.bbc.com/news/science-environment-56901261.

In Depth

“We know that if we don’t do this — and we’re seeing it already — the frequency and severity of natural disasters will continue to increase,” says Moudrak. According to Aon’s new 2021 Weather, Climate and Catastrophe Insight report [3], weather- and climate-related events caused $329 billion in economic losses in 2021, the third highest total on record. More than 130 countries have set or are considering net-zero targets, as have 21 percent of the world’s 2,000 largest companies [4]. The COP26 gathering also saw the formation of the Glasgow Financial Alliance for Net Zero [5], a group of 450 financial firms from around the world that have committed $130 trillion in assets toward the effort to achieve net zero.

The Importance of Investors

Beyond the government and business commitments to net zero, it’s important to consider the commitments investors are willing to make, says Meredith Jones, partner and global Environmental, Social and Governance (ESG) solutions lead at Aon. Using investment as a tool to push businesses toward net zero must be done appropriately, however, according to Jones.

“While many people associate GHG emissions and climate change with a handful of sectors, such as fossil fuels, the fact is that carbon and carbon-equivalent emissions are created throughout the economy,” says Jones. “So investors shouldn’t have a tunnel vision approach when it comes to de-carbonization, zeroing in only on fossil fuel divestment. As proof, if you look at the weighted average carbon intensity (WACI) of the MSCI All Country World Index (ACWI) ex fossil fuels, it registers as 117.1 tons of CO2e per million dollars of sales. If you look instead at the MSCI ACWI ESG Leaders or Low Carbon Leaders, you’ll find the carbon intensity is roughly 20 percent to 40 percent lower still. So the net-zero approach really should cut across all industries, all sectors and all parts of the global value chain to maximize carbon reductions.”

However, investors must also recognize that the transition will take time and that change is required on multiple fronts. “Let’s say everyone decided to divest from fossil fuel industries at the same time tomorrow, what’s going to happen?” asks Moudrak. “We simply don’t have the right infrastructure in place to support this switch overnight. It will take time to transition the global economy in a way that is not too abrupt or disruptive, and that also doesn’t leave individuals or countries behind.”

The United Nations Environment Programme (UNEP) has estimated that meeting the Paris Climate Accords’ goal of limiting global warming to 1.5 degrees Celsius above pre-industrial levels would require reducing global emissions by 7.6 percent yearly between now and 2030.

De-Carbonization Technologies Aren’t Here Yet

Taking the energy sector as an example, most of the emission reductions through 2030 come from technologies that are already on the market today. But by 2050, almost half of emission reductions will need to come from technologies that are still in development. “On one hand we have enormous momentum and trillions of dollars committed to achieving net zero. On the other, there is an appreciation that the low-carbon transition risk landscape is complex and dynamic, requiring bold bets and innovative thinking,” says Moudrak. “So the question is how can we create better links between risk, capital and innovation to increase the flow of public and private finance towards de-carbonization solutions?”

3. “2021 Weather, Climate and Catastrophe Insight: Aon.” Better Decisions - Commercial Risk - Health - Reinsurance - Wealth. Accessed March 31, 2022. https://www.aon.com/weather-climate-catastrophe/index.aspx?_ga=2.241494279.48494092.1648756653-2028548450.1648577363.
4. Shetty, Disha. “A Fifth of World’s Largest Companies Committed to Net Zero Target.” Forbes. Forbes Magazine, December 10, 2021. https://www.forbes.com/sites/dishashetty/2021/03/24/a-fifth-of-worlds-largest-companies-committed-to-net-zero-target/?sh=16c241b2662f.
5. Baker, Jill. “Mark Carney’s Ambitious $130 Trillion Glasgow Financial Alliance for Net-Zero.” Forbes. Forbes Magazine, November 9, 2021. https://www.forbes.com/sites/jillbaker/2021/11/08/mark-carneys-ambitious-130-trillion-glasgow-financial-alliance-for-net-zero/?sh=5a92cfd03a31.

Weighing the Social Impact

It’s also necessary to consider the number of people employed in or dependent on fossil fuels around the world, as well as the economic activity they represent. At the same time, however, it’s necessary to recognize that many of those that will be most affected by climate change are the world’s most vulnerable people, Jones says.

“Achieving net zero will be a balancing act because you can’t consider the E without the S,” says Jones. “You have to look at the collateral implications of the environmental actions that you’re taking, or not taking, because there are going to be social implications.”

Thinking Through the Move to Net Zero

The move to net zero will be challenging, but it’s critical to limiting climate change. Yet, as businesses commit to moving to net zero, they must do so thoughtfully. “Don’t just say, ‘We’re going to be net zero by 2050,’ and think you’re done,” says Jones. “You have to set interim targets for de-carbonization. You have to put a governance structure around de-carbonization. And you also must report on your efforts in a public and transparent way.”

Opportunities in the Move to Net Zero

In addition to the impact from a climate perspective, there is an economic case to be made for the net-zero actions governments and businesses would have to take. “We don’t want to lose sight of the technological advances, the up-skilling, the re-skilling, the possibility of bringing developing economies along in a faster way than they’ve been brought along before,” says Jones.

Recent research into energy sector transition [6] estimates that the transformation required for this sector to meet the Paris Agreement goals could actually increase net jobs by about 8 million by 2050, primarily due to gains in the solar and wind industries.

“And of course, while limiting global temperature increases to 1.5 degrees C from pre-industrial levels is critical for long-term habitats, given the effects we’re already seeing, we must continue to prioritize climate adaptation action,” adds Moudrak. “As the most recent report from the Intergovernmental Panel on Climate Change [7] emphasizes, climate change is happening faster than expected, and investing in resilience and disaster risk reduction, alongside low-carbon solutions, is prudent to limit damage and loss of life, especially to protect the most vulnerable populations.”

6. “Hitting Global Climate Target Could Create 8M Energy Jobs, Study Says.” The Guardian. Guardian News and Media, July 23, 2021. https://www.theguardian.com/environment/2021/jul/23/hitting-global-climate-target-could-create-8m-energy-jobs-study-says.
7. “New IPCC Report: Over 3BN People Face Rising Climate-Change Threat.” The Economist. The Economist Newspaper. Accessed March 31, 2022. https://www.economist.com/science-and-technology/2022/02/28/new-ipcc-report-over-3bn-people-face-rising-climate-change-threat/21807939.



Contact Us

Natalia Moudrak, Climate Resiliency Leader
natalia.moudrak@aon.ca
aon.com

About Aon

Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Our colleagues provide our clients in over 120 countries with advice and solutions that give them the clarity and confidence to make better decisions to protect and grow their business. ©2021 Aon plc. All rights reserved.


A Deep Dive Into Due Diligence for Transaction Advisory and Government Accounting

Written by Barry Rieger, with Government Accounting inputs from Clint Woofter


More than half of transactions that make it to a letter of intent fall apart during due diligence. Many more involve price reductions or drawn-out timeframes that can slow down transaction momentum and draw leadership’s attention away from strategic opportunities. The next stage in your company’s strategic growth could involve additional capital in the form of a larger investment, growth equity, or an exit; but no matter the direction, due diligence will be more rigorous with each successive round of financing.

Over the years, we’ve seen transactions delayed or canceled for preventable reasons tied to an investor’s confidence in the company’s technology, IP, legal liability, accounting treatment, or tax matters. An investor’s confidence can significantly impact the pricing and timing of the deal. By preparing and strategically planning in advance for the diligence process, you can reduce the probability of wasted due diligence and transaction failure.

We have seen many companies with best-in-class business solutions become pummeled by professional investors. Such investors require documentation of every component of financial and operational performance during the pre-investment due diligence. The more rigorously you prepare these documents, the more you increase your likelihood of transaction success.

In addition, it is important from a Government Accounting Compliance perspective to ensure your regulatory house is in order. Although professional investors may not be savvy when reviewing this side of the operation, they will rely on experts in the field. It is important to be aware of unresolved items that can become a future liability. Are open risks properly assessed and reserved on the balance sheet?

The following types of documentation should be retained and organized to prepare for the diligence process:

• Financial Records – Income statements, balance sheets, tax returns, budgets/financial projections, and financing agreements.

• Government Accounting Records – Government (DCAA) audit reports for unresolved rate years, Business System(s) Approval Letters from the Contracting Officer, Approved Provisional and Final Billing Rates, Unaudited Incurred Cost Submissions, Settled Incurred Cost Submissions and timely contract closeouts, and Cost Accounting Standards Disclosure Statement(s), whether compliant or required.

• Contracts – Proposals, monthly/quarterly internal performance reporting, executed versions of contracts, amendments/change orders, documentation/correspondence regarding contract performance, quarterly pipeline reports, referrals, leases, material purchase orders, service agreements, and informal or off-the-books arrangements.

• Employees – Resumes, applications, employment agreements, background checks, clearances, education, annual reviews, changes in compensation, and organizational charts.

• HR – Employee handbooks, internal policies and procedures, employment issues, accusations, threatened litigation, or tips from the hotline.

• Legal – Pending, ongoing, or completed litigation (customers, vendors, shareholders, employees, government investigations, or any other legal issues that may come up during the diligence process).

• Intellectual Property – Documentation of patents, trademarks, and agreements with third parties to utilize intellectual property that is not owned internally. You may also be required to include an exhaustive list of the third-party components that are a part of your software, including free and open source components.

• Technology – Description of technology, architectural charts, scalability and performance indicators, product design documents, architectural descriptions, security vulnerability scans, and penetration tests.

There are resources like Microsoft SharePoint or other online data sites that can assist in the organization and maintenance of documentation. If you don’t have the internal resources or bandwidth to organize and retain documentation, set up an arrangement with a professional custodian – accountants or attorneys – where you send documents contemporaneously and they maintain a repository either in an online data room or on secured servers. Start the due diligence process by reviewing the financial and operational documentation. The response to the request for this information will impact the investor’s confidence and ultimately, your company’s value. The capital raise may be several years away, but if you could talk to your future self, the advice you would likely heed is to start early and get organized.



About Aronson

As a nationally ranked top 100 accounting firm, Aronson provides comprehensive assurance, tax, and consulting solutions to today’s most active industry sectors and individuals. For more than 60 years, we have purposefully expanded our service offerings and deepened our industry specialties to better serve the needs of our clients, people, and community. From startup to exit, we help our clients maximize opportunity, minimize risk, and unlock their full potential.

Contact Us

BARRY RIEGER, CPA | Director, Transaction Advisory Services
Barry Rieger, CPA, is an accomplished transaction advisory professional with nearly 20 years of professional experience across a wide variety of middle market industries. He specializes in buy-side and sell-side financial due diligence for complex M&A initiatives. Email Barry at BRieger@aronsonllc.com.

CLINT WOOFTER | Director, Consulting Services
With over 20 years of leadership experience, Clint provides a wide range of financial compliance advisory services for Federal Government Contractors. He serves as a corporate subject matter expert, bringing his extensive knowledge on all activities involving CAS, FAR, GAAP, and more. Email Clint at CWoofter@aronsonllc.com.

FOR MORE INFORMATION, VISIT ARONSONLLC.COM OR CALL 202.869.0995.


CMMC 2.0: Five Key Changes for Government Contractors

Understand the key changes from Cybersecurity Maturity Model Certification (CMMC) 1.0 to CMMC 2.0, how they impact your organization, and the questions that still need to be answered.

After conducting an internal review, the Department of Defense (DoD) announced a major change to the Cybersecurity Maturity Model Certification (CMMC) program. According to the DoD, the updated framework, now called CMMC 2.0, will:

1. Simplify the CMMC standard and provide additional clarity on cybersecurity regulatory, policy and contracting requirements
2. Focus the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs
3. Increase DoD oversight of professional and ethical standards in the assessment ecosystem

CMMC 1.0 vs. CMMC 2.0 comparison Organizations are now asking - what is changing with CMMC requirements and what stays the same? Review the below charts for detailed changes from CMMC 1.0 to CMMC 2.0.

CMMC Model 1.0

• Level 5 Advanced (CUI, critical programs) – Model: 171 practices, 5 processes. Assessment: Third-party.
• Level 4 Proactive (Transition level) – Model: 156 practices, 4 processes. Assessment: Third-party.
• Level 3 Good (CUI) – Model: 130 practices, 3 processes. Assessment: Third-party.
• Level 2 Intermediate (Transition level) – Model: 72 practices, 2 maturity processes. Assessment: Third-party.
• Level 1 Basic – Model: 17 practices, no processes. Assessment: Third-party.

CMMC Model 2.0

• Level 3 Expert – Model: 110+ practices based on NIST SP 800-172. Assessment: Triannual government-led assessments.
• Level 2 Advanced – Model: 110 practices aligned with NIST SP 800-171. Assessment: Triannual third-party assessments for critical national security information; annual self-assessment for select programs.
• Level 1 Foundational – Model: 17 practices. Assessment: Annual self-assessment.


What do government contractors need to know? Much of CMMC remains the same; however, many contractors need to evaluate these five key changes:

1

PREPARATION AND TIMELINE According to current guidance from the DoD, CMMC 2.0 will require 9-24 months of rulemaking. Organizations should use this time and their resources wisely by implementing NIST 800-171 (which is already present in contracts as DFARS 252.2047012). Implementing NIST 800-171 will improve the self-assessment score you post to the DoD’s Supplier Performance Risk System (SPRS), for which the DoD indicates there may be incentives for improved scores and/or early adoption of CMMC 2.0.

2

ANNUAL AFFIRMATION CMMC 2.0 calls for an annual affirmation from a senior company official. This requirement is reminiscent of Sarbanes-Oxley (SOX) 302. Additionally, the Department of Justice (DOJ) announced an intent to hold entities or individuals accountable that knowingly misrepresent their cybersecurity practices. Organizations should begin evaluating their process for completing this affirmation, determine who will sign the affirmation and what basis is required to be comfortable signing.

3

PLAN OF ACTION AND MILESTONES (POA&M) AND WAIVERS Only a small number of waivers will be granted, benefiting a limited number of contractors. POA&Ms will only apply to the minor requirements after an organization achieves a higher level of compliance.

4

POLICIES AND PROCEDURES

5

SELF ASSESSMENTS

While it is true that CMMC 2.0 eliminates the process requirements, NIST 800-171 requires 49 of the 110 items to be “defined,” which is typically in the form of a policy or procedure. Further, if you make claims about your organization’s cybersecurity environment annually to the DoD, it is beneficial to have rigor and structure to ensure those statements remain accurate.

While organizations pursuing CMMC Level 1 will benefit from self-assessments, most contractors who have concerns about CMMC were targeting the prior Level 3 (new Level 2) and above. Originally under CMMC 2.0, contractors that handle controlled unclassified information (CUI) will require a third-party assessment or DoD-led assessment if the associated programs “involve information critical to national security.” The DoD has since announced that all Level 2 assessments will be conducted by third parties. The DoD estimates that approximately 80,000 contractors fall into this category. However, a trend appears to be forming among primes - to require all subcontractors to be certified at Level 2. From the prime’s point of view, this would mean reduced risk of sharing CUI with a subcontractor that is not certified to handle it because all of their subcontractors are certified. So while the number who require third-party certification is reduced, there is still a large population that will require it.


@BakerTillyUS

Baker Tilly US

bakertilly.com


How will CMMC 2.0 impact your organization? (decision flowchart)

Decision questions:
Do you sell commercial items?
Will your customers expect you to comply with NIST 800-171 or CMMC 2.0?
Do you handle CUI?
Do you handle CUI on programs that are critical to national security?
Does the DoD require a CMMC Level 3?
Will your customers expect C3PAO certification?

Outcomes:

NO IMPACT. Like CMMC 1.0, CMMC 2.0 will have no impact. You may receive questions from your DoD prime customers. Be prepared to explain why you are not subject to CMMC 2.0. Ensure that CUI handling contract clauses (i.e., DFARS 252.204-7012 or 7019-7021) are not included in your contracts.

SIGNIFICANTLY DECREASED IMPACT. You are only required to comply with CMMC 2.0 Level 1. Under the changed approach, you no longer need to engage a Certified Third-Party Assessor Organization (C3PAO) and instead will be able to provide a self-assessment score and affirmation unless you are eligible for a waiver.

CONFUSION BUT ULTIMATELY SIMILAR IMPACT. You are required to comply with CMMC 2.0 Level 2. Originally, under the changed approach you no longer needed to engage a C3PAO and instead would be able to provide a self-assessment score and affirmation. However, a February 2022 update from the DoD indicated that Level 2 assessments would require a third-party assessment.

SIMILAR IMPACT. You are only required to comply with CMMC 2.0 Level 2. Under the changed approach you still need to engage a C3PAO. You still need to implement 110 items of NIST 800-171 unless a waiver or POA&Ms apply.

LARGE IMPACT WITH SIGNIFICANT QUESTIONS. You are required to comply with CMMC 2.0 Level 3. Under the changed approach you engage a C3PAO to obtain Level 2 before being eligible for Level 3. The government will lead the Level 3 assessment. How that will be requested, and the timing or the assessment team, are unknown at this time. You will still need to implement all 110 items of NIST 800-171 and some items from NIST 800-172. Those details are not yet provided. It is also unclear if waivers or POA&Ms apply. Presumably waivers are highly unlikely for contractors in this area, and because Level 2 is a prerequisite, POA&Ms are not likely for Level 2 items, but it remains unknown if POA&Ms are valid for Level 3 items.

Note A – While the DoD may not require CMMC 2.0, some prime contractors (primes) are pushing their supply chain to comply. Doing so makes it easier for the prime. If all preferred providers are CMMC 2.0 Level 2 or higher, they have less to worry about when sharing CUI. This behavior can drive more organizations to require CMMC 2.0 certifications.

Note B – Similar to Note A, if primes require C3PAO assessments and not self-assessments, that may drive organizations to seek certification who otherwise would not. This again would make it easier for the prime because they would not need to make the distinctions or fulfill/address requirements in contracts to understand when a self-assessment is permitted.

Note C – Waivers appear to be very rare. If you have multiple contracts or plan to have multiple contracts in the future, it is unlikely that all would be eligible for a waiver.

Note D – POA&Ms will only apply to minor items. While this might save you from a failure if you do not have one item in place, it does not mean you can be certified without addressing some of the larger, more costly aspects of NIST 800-171.

To better understand CMMC 2.0 and the impacts to your organization, or to discuss other opportunities or issues related to contracting with the federal government, please connect with one of Baker Tilly’s specialists, Matt Gilbert or Noah Leiden, or visit our website.



Questions?
Matt Gilbert, CISA, CRISC, CMMC Leader, Principal, matt.gilbert@bakertilly.com
Noah Leiden, CPA, Partner, noah.leiden@bakertilly.com


The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly US, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2022 Baker Tilly US, LLP


Understanding Cybersecurity Maturity Model Certification (CMMC) 2.0 Compliance



GUIDE

Understanding Cybersecurity Maturity Model Certification (CMMC) 2.0 Compliance
A Government Contractor’s Guide to Preparation and Assessment Basics

TABLE OF CONTENTS
2 The History of CMMC
3 The New Maturity Level Guidelines
4 Key CMMC Players
5 Day-to-Day Impact for Government Contractors
6 Preparing for CMMC 2.0


The History of CMMC
The Cybersecurity Maturity Model Certification (CMMC) was created to safeguard sensitive unclassified information across the Defense Industrial Base (DIB) by addressing the gaps in prior regulatory requirements. The Department of Defense (DoD) found that private sector organizations doing business with the federal government were not satisfying the requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The requirements included implementation of National Institute of Standards and Technology (NIST) SP 800-171 for systems processing Covered Defense Information, but did not include official certification or compliance reporting mechanisms. This resulted in organizations not fully implementing controls to a consistent maturity level, ultimately putting the government supply chain at risk. Since an official certification or compliance reporting mechanism did not exist, many companies fell short of their security control obligations, putting the government supply chain at risk.

DFARS 252.204-7021, published Sept 29, 2020, introduces CMMC, which was intended to introduce a tiered standard based on data sensitivity as well as a certification component, validated by external auditors, to assess organizations’ controls against a variety of compliance standards.

Driven by feedback across the industry, CMMC has since been reworked into a hybrid certification model. This new version, referred to as CMMC 2.0, was announced on November 4, 2021. The changes are intended to reduce barriers to compliance for small and mid-sized firms while maintaining the goal of protecting the Defense Industrial Base from cyber attacks. CMMC 2.0 focuses on the most critical requirements and streamlines the model from 5 to 3 compliance levels.

As stated by the Office of the Under Secretary of Defense for Acquisition & Sustainment, CMMC 2.0 requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for information flow down to subcontractors.

CMMC addresses requirements for the protection of FCI and CUI data:

Federal Contract Information (FCI) – Information not intended for public release. It is provided by or generated for the government under a contract to develop or deliver a product or service to the government. FCI does not include information provided by the government to the public.

Controlled Unclassified Information (CUI) – Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls.



The New Maturity Level Guidelines
CMMC 2.0 streamlines the maturity model from 5 to 3 compliance levels:

• Maturity Level 1 – Foundational, which allows organizations to conduct self-assessments against FAR 52.204-21.

• Maturity Level 2 – Advanced, which includes 110 practices from NIST SP 800-171 and allows for self-assessment for Controlled Unclassified Information (CUI), but requires a Certified Third Party Assessment Organization (C3PAO) to conduct assessments when working with sensitive controlled information.

• Maturity Level 3 – Expert, which requires CMMC 2.0 L2 C3PAO certification, adds NIST SP 800-172, and requires an assessment from the DoD when working with the most sensitive controlled information.

*The New CMMC 2.0 Maturity Levels Map Directly to NIST 800-171 Controls.

The Maturity Level certification requirements will be driven by the type of data being stored to support a contract with the DoD. In general, FCI and basic CUI such as government-provided PII and financial data will require Maturity Level 1 certification. More sensitive covered defense information (CDI) such as purchase orders, parts lists, and inventory may require Maturity Level 2, and technical documentation such as a blueprint for the F18 program may require Maturity Level 3. Contracts will be required to specify the CMMC Maturity Level needed to work with any government information provided or created as part of a contract.

The DoD has adjusted and streamlined the CMMC accreditation program with CMMC 2.0. This new version will focus on the most advanced cybersecurity standards while minimizing barriers to compliance. This new approach will require additional accountability for organizations to implement critical cybersecurity standards to meet the challenges of evolving threats and take the necessary steps to protect national security information.



Key CMMC Players

Assessors: Individuals who have successfully completed the background, training, and examination requirements as outlined by the CMMC Accreditation Body (AB), and to whom a license has been issued. Assessors are not employed by the CMMC-AB and may or may not be employed by the Certified Third Party Assessment Organization (C3PAO).

Certified Third Party Assessment Organization (C3PAO): An entity with which at least two assessors are associated and to which a license has been issued to engage with organizations seeking certification (OSC) to complete their associated CMMC assessment.

CMMC Accreditation Body (AB): The accreditation body that establishes and oversees a qualified, trained, and high-fidelity community of assessors that can deliver consistent and informative assessments to participating organizations against a defined set of controls/best practices within the CMMC program.

Organizations Seeking Certification (OSC): The organization that is going through the CMMC assessment process to receive a level of certification for a given environment.

Cloud Service Providers (CSP): A third-party company offering a cloud-based platform, infrastructure, application, or storage services. CSPs may be storing sensitive unclassified information that is subject to CMMC certification.



Day-to-Day Impact for Government Contractors
Most organizations fulfilling government contracts for the DoD will need to address CMMC requirements in requests for information (RFIs) and requests for proposal (RFPs) bids for DoD acquisitions, with the potential exception of commercial items. The various cybersecurity standards and best practices upon which the CMMC is based are largely self-certified. The CMMC represents a major change to that by introducing the C3PAO requirement to review systems and processes for certification. To standardize this process, the DoD established the non-profit, independent organization, CMMC-AB, to define the assessment and administration needed for certification. Currently, the CMMC-AB is in the process of licensing assessors and the firms that will serve as C3PAOs.

Government contractors will initially see DoD requirements to satisfy Maturity Levels 1 and 2 for anyone handling FCI or CUI. The majority of contractors will need to certify first at Maturity Level 1 and then Maturity Level 2. Maturity Level 3 will be required for organizations working with the most sensitive CUI or confidential data; however, organizations will be required to first certify at Maturity Level 1 and Maturity Level 2 before Maturity Level 3. Maturity Level requirements will be specified in contracts and are expected to flow down only to subs that are working with the controlled information. Therefore, it is important to know what type of data you are storing. Once an organization is CMMC certified, the certification is expected to be valid for three years.



Preparing for CMMC 2.0
To ready their organizations, government contractors should ensure they cover the following steps.

Step 1 – Identify and classify the type of data you store to support existing or new contract awards.

Step 2 – Understand the Maturity Level your firm will likely need to satisfy based on the type of data you store and identify the gaps that could prevent achieving certification.

Step 3 – If you are unsure and work with CUI, start with Maturity Level 2, based on the 110 controls from NIST 800-171.

Step 4 – Make sure you have the documentation of formalized processes and controls.

Step 5 – Be familiar with all of the major definitions and compliance standards that make up CMMC 2.0.

Questions? Contact us today

Better software means better projects. Deltek is the leading global provider of enterprise software and information solutions for project-based businesses. More than 23,000 organizations and millions of users in over 80 countries around the world rely on Deltek for superior levels of project intelligence, management and collaboration. Our industry-focused expertise powers project success by helping firms achieve performance that maximizes productivity and revenue. www.deltek.com

US & Canada 800.456.2009 UK +44 (0) 20 7518 5010

EMEA + 45 70 20 33 18

APAC/AUNZ +61 2 9911 7740

© Deltek, Inc. All rights reserved. All referenced trademarks are the property of their respective owners. REV-040422 - 17890



Reimagined Perspectives | Redefining What’s Possible



Issue 2 | 2021

REIMAGINED PERSPECTIVES Redefining What’s Possible

In this issue: Global Energy Transition; Low Carbon Computing

Climate Response Reimagined Perspectives Issue 2 | 2021


David Stader, Global Market Director, Energy Transition, Denver, Colorado, United States

Its critical role in a decarbonized future.

Tackling the Global Energy Transition
Decarbonizing our energy systems and sources is the critical pathway to achieving net zero, and getting there will require a monumental global effort.

Scientists are about knowing and engineers are about solving. I read that recently, and it’s apropos of the approach we need to take to advance climate action solutions. We need the knowledge of scientists, who have long been telling us climate change will have devastating impacts on communities and society. And we need solutions from engineers, who are developing ways to mitigate and address the damages from these impacts.

As an engineer I’m naturally drawn to figuring out problems, and one large and complex challenge we need to solve is getting every part of our global economy to eliminate greenhouse gas (GHG) emissions by 2050 and limit global warming. The scope and scale of this challenge is truly monumental – fossil fuel literally drives the global economy, and carbon-based energy is the source of approximately three-quarters of today’s GHG emissions.

Where do we start?
Transitioning to clean, zero carbon energy will have the single, biggest impact, and prioritization is a smart place to start. The first area to decarbonize is electricity generation, which is leading the global transition with more low-cost renewables coming online every day, such as wind and solar. Hydropower, geothermal and bioenergy technologies are established renewable energy sources also in use today. Additionally, low-carbon hydrogen and hydrogen-based fuels are key and require massive advances that are being developed, as well as retrofitting existing gas‐fired capacity to co‐fire with hydrogen or ammonia. Nuclear power also has an important role with small modular reactors moving toward full‐scale demonstration, as well as nuclear fusion, which has a longer time horizon. And we need major investment in energy transmission, distribution and storage to provide secure and reliable power for everyone. The second area involves the three biggest end-use sectors: transport, buildings and industry. Electrification is the smartest way to reduce emissions from road and rail, and although we’re seeing progress in these sectors, we need to make significant advances to decarbonize aviation and shipping.

The race is on to develop synthetic, hydrogen‐based fuels and biofuels for long-haul flights, and biofuels, hydrogen and ammonia are sustainable options in shipping, with some global shippers committing to using green ammonia as a sustainable fuel source in the near future. Energy efficiency and electrification are the two main decarbonization drivers in the buildings industry, which require transitioning to zero-carbon energy building codes worldwide and retrofitting (heat pumps, direct electric heaters, appliances, lighting) buildings and homes — a massive shift given the number of buildings and houses in the world today, with a forecasted 75% increase in floor area in the next 30 years*. Lastly, chemicals, steel and cement — essential to our way of life — account for nearly 60% of industrial energy consumption and around 70% of industry sector emissions. Recycling and circular economy principles are important here, along with hydrogen and carbon capture, utilization and storage applications.

We can do this
Viewed holistically, the global energy transition seems daunting with its unprecedented pace and scale. But it also holds great promise and opportunity. Given the commitment of governments and businesses around the world and the acceleration of investments and innovations, there is great hope. Although scientists and engineers play an important role in helping to secure our planet’s future, it’s going to take all of us.

We need a concerted effort from everyone on the planet – from national and local governments right down to me and you – to achieve this moonshot goal. So, let’s begin.

Creating a Clean, Reliable and Uninterruptible Power Supply

Demystifying the Drive to Net Zero
In this episode of Jacobs’ If/When Podcast, we demystify the terminology surrounding decarbonization and discuss some of the major challenges and opportunities facing the world today.

By delivering a new underground cable connection, SuedLink will help to better integrate renewable sources, such as wind and solar power, into Germany’s electricity grid, and also link with interconnectors to provide cross-border energy resilience.

More Resources
*Net Zero by 2050 - A Roadmap for the Global Energy Sector, International Energy Agency, May 2021 (report)
Jacobs Power and Offshore Wind Solutions
Strategy for Long-Term Energy Storage in the UK (strategy paper)
Toward a Zero Carbon Future (thought leadership paper)
Leveraging Cross-Sector Knowledge to Inform Australia’s Pursuit of a Large-Scale Hydrogen Economy (white paper)
Talking with Jacobs Global Market Director, Energy Transition, David Stader (article)
Nuclear Lifecycle (article)
Talking with Jacobs Global Director for Power, Pete Adams (article)
Small Modular Reactors (article)
Hydrogen Hurdles: Breaking Down Commercial Barriers to a Decarbonized Future (If/When podcast)
Nuclear Fusion: The Power of the Future (If/When podcast)
Integrating renewable sources into Germany’s electricity grid (article)



Jed Van Dyke, VP, Innovation & Strategy, Columbia, Maryland, United States

Harnessing digital modernization for the U.S. military’s computing future.

Pathways to Lower-carbon Computing
The U.S. military has historically and necessarily been focused on the threat posed by human adversaries. However, climate change may be a more immediate and insistent threat. Climate change represents a destabilizing force — through extreme weather patterns, water stress and scarcity, food insecurity, rising sea levels and mass population migrations — with profound implications on geopolitical dynamics and global security. The U.S. military has the resources, the opportunity and the will to take meaningful climate action, while concurrently reducing climate-induced threats to global stability and security, by starting with its own resource consumption and “boot-print.”

Available data suggests global Information and Communications Technologies (ICT) activities are responsible for 4% of global electricity consumption and 1.4% of global carbon emissions. As an organization that operates one of the world’s largest ICT infrastructures, the U.S. Department of Defense’s (DoD) digital boot-print has meaningful environmental consequences. However, technology also can represent part of the solution as we consider pathways toward a lower-carbon future. While the primary motivation of our DoD customers is, and unequivocally will remain, mission performance, Jacobs is partnering with DoD to reduce the energy consumed by its vast, enabling ICT infrastructure. Through digital modernization — modernizing both the underlying enterprise information technology infrastructure and optimizing how that infrastructure is used — Jacobs is leading our DoD partners toward a lower-carbon future while also enhancing mission capability.



An infrastructure makeover
Modernizing DoD’s infrastructure means moving from its traditional on-premise computing models to the cloud. While the performance and cost efficiencies of the cloud are well-established, the cloud also delivers environmental benefits. We’re helping DoD take advantage of:

1. Operating efficiencies. Through a combination of facility, power and technology engineering, today’s cloud data centers have become hyper-efficient in delivering computing power relative to energy consumed.

2. Alternative energy sources. By moving to centralized cloud computing models, DoD gains the ability to co-locate and tie its computing infrastructure to sources of renewable and redundant energy.

3. Capacity flexibility. By exploiting the flexibility and scalability of cloud models to reduce the unused capacity “overhead,” DoD enterprise computing demand can be satisfied with a smaller infrastructure and energy footprint.

Podcast: Cloud Condos: Co-location for Hyperscale Our data center subject matter experts discuss their new design concept for Cloud Condos, which brings together the best of both hyperscale and co-location data center design, offering both flexibility and scalability.


Maximizing performance
Modernizing the infrastructure is only one part of the equation. Perhaps more important is maximizing the potential of those newly modernized systems by optimizing 1) the data moving through the infrastructure, and 2) how services are delivered to the user. Optimizing data and service models can enhance performance, maximize system efficiency and further reduce computing and corresponding energy requirements.

• Data management. We’re helping our DoD customers use the computational and analytic power of its newly modernized cloud and edge-enabled infrastructures to rearchitect and better manage data, dramatically reducing security vulnerabilities and the computational energy required to collect, move, store, analyze and process that data.

• Service optimization. By bringing together our domain experience with the right enabling digital technologies, we’re developing and delivering services to DoD users that optimize both the capability of their modernized infrastructure and the mission and operational outcomes that rely on it.

Building sustainable, reliable data center solutions
We understand the need for a global network of expertise and knowledge to design for scalability, adapt for market demand and innovate to remain several steps ahead.

As a significant consumer of energy resources and a material contributor to humanity’s carbon impact, DoD recognizes the global threat posed by climate change and our modernization work is accelerating DoD’s ability to reduce and mitigate the climate impact of its digital operations.



Leidos Helps IRS Incrementally Modernize Electronic Tax Systems



Leidos Helps IRS Incrementally Modernize Electronic Tax Systems
When the Internal Revenue Service (IRS) asked Leidos to overhaul a critical part of its electronic tax filing systems, we knew the importance of getting it right. Leidos collaborated with IRS developers to migrate three aging software applications to a new, streamlined platform that lowered costs and raised functionality for the IRS and its users. As the needs of tax practitioners grew, the IRS needed to improve the performance of web-based systems that allow companies to retrieve a range of tax documents electronically. The agency challenged Leidos to modernize three significant systems that serve tax practitioners and other third parties. These mission critical systems handle tax transactions and queries electronically. In the nine years from 2009 to 2017, Leidos and IRS methodically transformed these systems to provide better, faster data at lower cost.

The Imperative to Modernize

There were three software systems the tax practitioners interacted with: the eFile application, Transcript Delivery System (TDS), and Taxpayer Identification Number (TIN) Matching.

• eFile registers individuals working for tax-filing organizations (such as tax preparation and accounting companies), and authorizes them to file taxes electronically.

• The Transcript Delivery System (TDS) enables banks and other companies to retrieve tax details.

• The Taxpayer Identification Number (TIN) Matching program, which references a person's name against their tax number, is an important fraud fighting technique applied to incoming tax returns and other data.

These systems were all originally built on a PeopleSoft Customer Relationship Management (CRM) module that had been heavily customized to fit the job. The first eServices application began public use in 2003. Over the ensuing decade workloads increased and the programs were struggling to perform, while costs were escalating to maintain this highly tailored PeopleSoft platform.

Re-engineering the Platform

When Leidos first won the contract in 2008, we understood the IRS had two important goals. The short-term goal involved managing the operation of the existing suite of systems. The longer-term aim was to completely re-engineer the underlying platform for the eFile application, TDS, and TIN Matching systems. This would bring it more in line with the newly evolving technology stack at the IRS, which relied on the Java programming language and J2EE application servers.

After planning, the redesign and modernization started in 2009 when IRS and Leidos began a co-development project to optimize this key platform for accountants, tax preparers, banks and financial services companies. TDS was the first system for conversion from PeopleSoft's PeopleCode into Java because its reliability was less than required. It was suffering from multiple outages each week, which not only incurred a substantial engineering overhead but also affected citizens' everyday lives. If TDS was down, banks couldn't pull tax returns. If they couldn't pull those returns, people couldn't get loans.



Better Systems, More Functionality

The existing strain on TDS was growing by the month. When Leidos started its work in late 2009, the system was handling approximately 80,000 transactions each day. By the time the team finished the rewrite of TDS 18 months later, it was fielding 125,000. Today it is running over 500,000 transactions a day.

These reengineering projects reduced cost and complexity in several key areas. They eliminated PeopleSoft licensing fees along with support contracts for the older operating systems on which the platform relied. The new software runs on a shared hardware infrastructure while offering more capacity. Since the TDS migration, the system's workload has increased fourfold to reach 500,000 transactions a day.

The development team’s familiarity with the IRS development strategy contributed to the project's success. The Leidos team worked closely with IRS developers in following this methodology to create a new system that ran on Oracle databases and J2EE app servers.

The migration brought new levels of functionality too. Individuals can now access their own transcripts via TDS with Get Transcripts. And in 2019 Leidos collaborated with the IRS to launch a series of Application Program Interfaces (APIs) that enable other software to interact directly with these systems. That's a relief for organizations that needed to retrieve tax transcripts so frequently that they previously had to create their own programs to automate interactions with the TDS web application.

With TDS improved and reliable, the joint IRS-Leidos team turned its attention to the TIN Matching application in 2012. It migrated and modernized this functionality from a monolithic PeopleCode-based application running on a mainframe to a component-based system. The third migration focused on the eFile application component, which the IRS renamed the External Services Authorization Management (ESAM) module. This system, which today has more than 875,000 registered user accounts, humbly began in 2014 as an application designed to authorize the submission of information returns for the Affordable Care Act (ACA).

Now that ESAM is completed the IRS is able to integrate more systems to provide expanded functionality to its user community. For instance, ESAM is now interacting with a key component owned by the FBI, a service called RapBack, which automatically updates ESAM should any tax preparer participate in criminal conduct that would make them unsafe and unsuitable to prepare taxes for taxpayers.

The combined IRS-Leidos team completed the ACA information returns authorization module in 18 months, and then began re-engineering the eFile application. The eFile application contained four distinct modules providing authorization of third parties to access eFile, TDS, TIN Match, and the Income Verification Express Service (IVES). Each module was reengineered separately and added to the ESAM product baseline. The team began with the TIN Match module, adding it to the ESAM framework. Building upon the ESAM framework, the team in succession completed TDS, IVES, and eFile. In 2017, ESAM was completed. Since then, the team has added two more application modules with several more in the works. ESAM’s elegant architecture provides for faster changes and organizes all third party roles in one place, improving access security while reducing the cost of these services.

Leidos and the IRS have come a long way together, and the relationship will continue to flourish as the IRS focuses increasingly on enhancing the customer experience and digitizing data. ESAM is an important incremental modernization of the IRS IT environment that helps serve the public. The synergy between the two organizations provides a solid platform for further modernization that will enhance, protect and streamline one of America's most crucial IT environments.

FOR MORE INFORMATION leidos.com | leidos.com/contact ©2021 Leidos. All Rights Reserved. The information in this document is proprietary to Leidos. It may not be used, reproduced, disclosed, or exported without the written approval of Leidos. Export control #21-Leidos-0414-22615 | 21-237401



Defending Infrastructure by Building Resilience in Aviation and Transportation



In late 2021, Congress passed the new Infrastructure Bill and kickstarted the most significant investment in America's infrastructure since President Eisenhower created the interstate highway system in the 1950s. The $1 trillion Infrastructure Investment and Jobs Act paved the way for long-overdue upgrades of the nation's roads, railways, airports, water systems, and much more. At the same time, continuing advances in technology keep raising the need to protect the assets we create, build, and maintain throughout the nation.

For most of us, our world is one of connections. Because of the ongoing pandemic, those connections have primarily been virtual, through Facebook, Zoom, Teams, Skype, email and text. As we start to emerge from pandemic-era work and virtual realities, two critical infrastructure sectors take center stage: aviation and transportation. Both are woven into our everyday lives in terms of how we get to where we need to go, and that connection is made possible these days by technology. As technology advances, so does the risk of cyberattacks on critical infrastructure, with attackers waiting for the opportunity to strike.

Both the aviation and transportation industries are a significant concern: they are targeted by cybercriminals in attacks that are both widespread and precisely aimed. Any successful attack has serious consequences for public and national security, and the global fallout can devastate many economies. According to a 2018 report by the International Civil Aviation Organization (ICAO), "4.3 billion passengers [were] transported in 2018 [and that number is] expected to grow to around 10 billion by 2040" (ICAO, para 1).

ICAO's aim is for the aviation industry to become more resilient to cyberattacks, although barriers continually thwart those efforts. As gateways to other countries, cities and rural, remote areas, airports are critical connectors of people and communities. And airports and airlines, just like people, rely on connections made possible by technology to control security, keep passengers comfortable, refuel planes, and make sure baggage gets where it needs to go (most of the time!). The aviation industry's infrastructure is complex and interconnected. It relies heavily on automated supporting systems that make airlines and airports work effectively. There is significant interdependency among maintenance services, the networks that make planes fly, the systems that operate check-in counters, fuel systems, and more. When one of these systems is breached, the effect cascades like dominoes, and the consequences are severe.



In early 2020, the COVID-19 pandemic hit in full force and significantly impacted the aviation industry. Travel restrictions and limited air travel set the industry back in funding and investment. As a result, budgets were cut and restructured to maintain operations with skeleton crews, and resources were redistributed to keep the doors open and the airlines and airports running. Consequently, the aviation industry has had to stretch its priorities and strike a balance between cybersecurity risk and operations, so that it achieves both growth and resilience against cyberattacks.

Like the aviation industry, rail and transit infrastructure has traditionally relied on automation and network connectivity, which makes it a target for cyberattacks. In April 2021, one of the most noteworthy cyberattacks struck New York City's Metropolitan Transportation Authority (MTA). Attackers were able to breach three of the eighteen systems used by the MTA. The breach exposed many concerns and vulnerabilities, and in a place as busy as the MTA, the next cyberattack could prove more costly, and deadlier, if we do not take measures to improve cybersecurity.

The bipartisan Infrastructure Investment and Jobs Act (IIJA) provides over $165 billion to aviation and transportation infrastructure services nationwide. The goal is to expand services like the MTA and Amtrak to more cities and make much-needed improvements with an eye toward safety and security. Because of the Infrastructure Bill, it becomes crucial that our critical infrastructure receive the security assessments needed to determine where operators lack protections in the systems they run. In addition, cybersecurity hygiene principles and best practices are paramount in developing these new infrastructure projects. Finally, incorporating resilience and security as part of a build-back-better strategy is critical to protecting critical infrastructure assets.

The government has not mandated cyber measures within critical infrastructure in the past. Still, with more attackers targeting infrastructure, many agencies, including the Transportation Security Administration (TSA), are introducing new cybersecurity mandates to improve the security of connected systems in the transportation industry.

What do agencies need to consider as they work to prevent incidents while being prepared if they happen, and maintain compliance with TSA and other mandates? With combined decades of experience anticipating and neutralizing cyber threats, cyber experts at Parsons Corporation offer the following advice on where to start:

▪ The National Institute of Standards and Technology (NIST) offers an excellent starting point with its Cybersecurity Framework. Designed to help organizations better understand their risks and improve their security, the framework is organized around five core functions: Identify (risks, assets, and environment); Protect (data, access control, employee training, and equipment maintenance); Detect (anomalies and events, through continuous security monitoring); Respond (communications, analysis, mitigation, and improvements); and Recover (learn from the incident and improve systems going forward).

▪ Do you know if there is a cybersecurity person at your company? If there is, do you know who? When's the last time you sat down for a chat?

▪ Are cyber ops integrated into your emergency management plans? If you don't have an incident response plan (IRP) yet, that's a good place to start.



▪ Who manages your Information Technology (IT) and Operational Technology (OT) systems and networks?

▪ What security technologies do you have in place to monitor and report cybersecurity incidents?

Beyond these essential investments in critical infrastructure and the need to expand services, the need to be vigilant against cyber activity remains. Thanks to the interconnection of technology, cybercriminals now target the OT systems common within critical infrastructure. While infiltrating IT has severe consequences, attacks on OT systems cause devastating effects, from considerable loss of revenue to safety concerns: targeting OT can disrupt rail lines and operations, airline functions and control towers, runway operations, gas, oil and electric supplies, and even cause explosions at targeted power plants. Attacks will continue to happen more frequently because operational technology, such as smart devices, relies on embedded operating systems and software that is reachable over the Internet but, for the most part, lacks even the most basic security. OT that used to be walled off from other networks has become the new target for cyberattacks.

Here at Parsons, we do all we can to leave a lasting imprint on driving innovation for the future. Our goal is to deliver new technologies for critical infrastructure that help its advancement and security. We specialize in technology that makes our projects resilient in aviation and transportation. Our holistic cyber IT and OT programs take a phased approach: baseline cybersecurity and functionality goals and standards, assess current networks, identify potential vulnerabilities, and design and implement mitigations to improve a network's security posture continuously and programmatically. Parsons' proven cybersecurity experts deliver information and operational technology security for the US government and the intelligence community. We marry technology and infrastructure to ensure cybercriminals don't have the opportunity to defeat our defenses.

In addition, we design and deliver rapid, interoperable, scalable cyber capabilities to protect infrastructure and its operational technology systems from cyberattacks. Because of these dependencies on technology, much of our infrastructure, in every industry, is now vulnerable to cyberattacks. When a cyberattack occurs it is costly: operations come to a halt, and employee positions, not to mention employee retention, are affected. It also creates enormous liability for the information that is collected and, in the worst cases, costs human lives. Cybersecurity history has shown that it is unlikely that all attacks can be avoided. Therefore, if attacked, Parsons is well positioned to apply best practices: quickly identify the attack, immediately respond by applying a carefully crafted incident response plan, recover to full operation as soon as practical, and adjust normal operations to add mitigations for the type of attack experienced. We understand that many of our customers effectively operate 24 hours a day, 365 days a year, but to operate in this fashion, our customers must also be resilient. Parsons' risk-based approach helps establish the organization, policies, procedures, tools, and techniques to succeed in cybersecurity operations. Our expertise and agility help protect against the most demanding challenges, whether on the ground or high in the sky.

Do you need help managing cybersecurity at your airport or agency? Our team has transportation and cyber experts at the ready to help you understand your needs and design a system unique to your airport. Contact us to learn more.



As the Federal Landscape Evolves, Contractors Need Resource Management Tools That Can Keep Up



Managing resources and staff for government contracts is no simple task. Resource management begins even before a contract is awarded, lasts for its duration, and involves managing staff and applicants, requesting resources, engaging with stakeholders, tracking deliverables, staying on budget and more. And it becomes even more challenging at scale. To add to the complexity, the federal acquisition landscape is evolving, and as regulations and compliance standards rise, the supply chain around human capital is becoming even more difficult to manage.

To manage these changing circumstances and ensure contracts deliver on time and on mission, agencies and contractors need better visibility into internal expertise and external resources, a system that can bring together disparate data sources to drive insights, and a platform stack that can streamline resourcing and collaboration. Ultimately, they need a comprehensive resource strategy.

"It's very important to have a great resourcing strategy if you want to be really successful, especially in the coming years of how contracts are evolving," says Raj Shankar, Vice President of Digital Transformation and Go-to-Market for Aerospace, Defense and Government Contractors at Salesforce.

RESOURCE MANAGEMENT



Today's Resource Management Challenges

Resource management is a critical component of government contracting, from the bids and Requests for Proposal through the contract's lifecycle. When contractors are responding to RFPs, they must supply a list of key resources and relevant resumes with the needed characteristics. All of this is supplied during the bidding process, and when a contract is awarded, it remains a critical activity throughout the entirety of the contract.

"And then, a lot of your program margins and your commitment to [Service Level Agreements] and so forth depend a lot on resources," says Shankar. "Resourcing is a very central part of any government contract."

Traditional modes of federal acquisition offer enough lead time for contractors to partner with other companies and devise the plan they need to respond to a contract. However, a recent rise in Other Transaction Authority contract vehicles requires a faster response time, about a fifth of the traditional six months for a Request for Quotation (RFQ).

"What that means is that even though the response might not be as big as a typical RFQ, however, you still have to do all the things that are required as part of a traditional response," Shankar says.

Contractors need better data and visibility around their resourcing needs to be able to respond fast and accurately, and quicker partnering capabilities to prepare to meet these accelerated cycle times.

"The increasing pressure on response stems from the changing modes of government acquisition is going to put a real challenge to contractors," Shankar says. "And frankly, the ones that are good at this will do really well. It's an opportunity for them. The ones that are not will struggle."

The availability and retention of skilled resources are also challenging. Onboarding, offboarding and the employee experience while part of a contract are critical, and they are made even more difficult by the executive order requiring COVID-19 vaccination for federal employees and contractors, and by Cybersecurity Maturity Model Certification requirements.

"That is certainly putting a lot of pressure on all the contracting organizations, because they have to comply with those same regulations," Shankar says. "They have to invest in technology to manage the attestation process and such, and actually understand that is a big challenge."



Improving Visibility and Insights

To overcome these hurdles, Shankar says contractors must first ensure they have the right processes in place to meet the audit criteria and parameters of regulatory requirements. Then, they must invest in the right technologies. "Technologies will be an enabler in this space," he says.

Investing in the right platforms will go a long way in maintaining compliance, improving employee experience, having data available for decision-making, managing the contract lifecycle and more.

Salesforce, complemented by MuleSoft, Tableau and Slack, can manage the entire contracting lifecycle. Its platform stack provides applicant tracking, hire-to-retire and human resources management capabilities for the government.

"Salesforce is uniquely positioned right from the bid standpoint, as well as to program execution," Shankar says.

Program execution is the mechanics of managing programs, in terms of resourcing, program margins, forecasting, proper workflows and collaboration. Collaboration is key, considering the various partners and entities involved within a single contract.

Across Salesforce's portfolio of products, users can integrate disparate data sources by tapping into HR systems and enterprise resource planning systems with MuleSoft. Tableau drives the insights on dashboards to provide dynamic views of resource staffing and various program aspects while maintaining workflows in the core Salesforce platform, and Slack offers a faster, better organized and more secure collaboration opportunity across all contractors and customers involved.

Salesforce's purpose-built products for Government provide full employee lifecycle management from recruitment to onboarding and maintaining employee engagement. Managers and employers are able to initiate and track personnel actions, and complete onboarding activities. A recruiting dashboard provides analytics, data drill-downs and mapping so teams can meet targets, while open API capabilities integrate data from internal and external sources.

"Systems like ours or platforms like ours play a big role because we can really tie together different aspects across the organization," Shankar says.



Streamlining Resource Management Data for Program Success

The primary advantage of investing in a good platform stack is having all the levers, or the right data and insights, to make the right decisions. Contracts fundamentally depend on good supply chain strategies, meaning the right people are in the right places executing on the right work. And having the right data insights can help contractors allocate resources effectively.

For instance, prior to responding to a bid, contractors must first know they have the resources, partners and capabilities to execute. In order to know that, they must have access to past performance data and partners' data on available resources, skill sets and competencies.

"I think the platform stacks are going to be super important because . . . it's almost like a decision assist system. It's pulling all these factors together and helping you make those decisions," Shankar says. This is particularly beneficial when it comes to making quick decisions in today's acquisition landscape.

Another challenge program managers face is ensuring the right resources are doing the right activities on the contract, and that employees are staying on board. To execute properly and ensure the contract is not negatively impacted, program managers must understand the current risk profile and risk mitigation. This is also where data comes in.

Program managers managing large contracts focus on people and customer management daily. Data can help them understand key aspects like employee and customer satisfaction, productivity, proper resource allocation and task completion to mitigate any unforeseen risks.

"That is where the employee experience piece comes through, because that's where you've got to keep people happy," Shankar says. "You've got to have access to the information that they require."

This is why solutions like Salesforce's resource management platform stack play a significant role in tying together all parts of the contract across the organization. By integrating HR systems and ERP systems with collaboration tools like Slack, all the pieces of a contract lifecycle and those involved come together.

"We call it enabling the digital thread across the enterprise," Shankar says. "I think that's equally applicable across a program, of tying all these different pieces together so that you can actually mitigate the risk and keep the program profitable."

Learn more about how Salesforce can help government contractors win more business and efficiently manage resources.



GovCon Business Systems | A Resource Guide for Contractors



In July 2021, the U.S. Small Business Administration announced that the federal government awarded $145.7 billion in federal contract dollars to small businesses, a $13 billion increase from the previous fiscal year. In fact, about 95% of federal contracts are awarded to small- and medium-sized business vendors. Clearly, there are a great many contracting opportunities with the federal government. With those opportunities, however, come government requirements regarding accounting systems.

BASIC FAR REQUIREMENTS

The requirement to have an adequate accounting system starts with Part 16 of the Federal Acquisition Regulation. FAR 16.301-3 requires the Contracting Officer to confirm that "the Contractor's accounting system is adequate for determining costs applicable to the contract or order." This must be done before award of any procurement instrument that calls for reimbursement of actual costs (a cost-type contract). Often, the Contracting Officer can rely on experience with previous contracts to make that determination. But if the proposed contract is the first for that contractor on a cost-reimbursable basis, a Pre-Award Survey is required. The process for that review is laid out in a FAR Standard Form, SF 1408, which asks 10 questions. The entire review can be performed from documents.

The adequate accounting system is a gate contractors must pass through if they want to do business with the government on a cost-reimbursable basis.

OTHER TYPES OF CONTRACTS

A contractor may do business with the government on other types of contracts, including time-and-materials or fixed-price and all their variants, without ever being reviewed. Yet when a contractor reaches a certain size, the Administrative Contracting Officer (ACO) may decide that a review of its purchasing system is warranted. Contractors without approved purchasing systems can still purchase goods and services while performing government contracts, but each award requires that a "consent to subcontract" be obtained from the ACO prior to award. Conversely, contractors with approved purchasing systems do not have to obtain consent prior to the subcontract award. In the past, some contractors have routinely ignored the requirement to obtain consent. As a result, over the last few years the Defense Contract Audit Agency (DCAA) has been checking for documentation of consent prior to award for contractors without approved purchasing systems, and questioning the entire subcontract cost where those documents could not be produced.

In addition to accounting and purchasing, DCAA has in the past reviewed or audited estimating systems, material management systems for manufacturers, government property systems, and Earned Value Management Systems (EVMS). Between 2009 and 2011, DOD effectively removed all authority to "approve" systems from DCAA and restored that power to the ACOs at the Defense Contract Management Agency (DCMA).

CRITERIA FOR SIX BUSINESS SYSTEMS

DCAA also sought to define specific acceptability criteria for all six business systems, as outlined in the Defense FAR Supplement (DFARS) at 252.242-7005, Contractor Business Systems. Only the ACO at DCMA can make a determination of "adequacy" regarding the accounting system, estimating system, material management and accounting system (MMAS), and government property management system. The ACO is also the only entity with the power to approve purchasing systems or issue a "letter of acceptance" for EVMS. Determinations are made as follows:

Accounting, estimating and MMAS:
• Determinations are made based on DCAA's audit report. DCAA is only responsible for reporting findings; it does not make any recommendations to help solve potential issues.
• This leaves ACOs to interpret the findings for themselves.

Purchasing, government property and EVMS:
• Determinations are based on reports and recommendations from reviews performed by DCMA's own industrial specialists.
• The industrial specialists are not auditors. Since DCMA is not an audit agency, those reviews are not referred to as audits.

In 2012, DOD codified all the changes to business system criteria in the DFARS, including detailed acceptability criteria for all six business systems. The criteria are intended to be outcome-based, not directive, and thus do not tell contractors what to do or how to do it. Instead, they specify the required outcome.

ENTER THE GAO AND FEDERAL COURTS

When Contracting Officers defined solicitation requirements to include demonstrated adequacy for accounting and/or estimating, an approved purchasing or government property system, or an accepted EVMS, they quickly realized they received fewer proposals on each solicitation. Workload for the acquisition workforce dropped from impossible to merely crushing, and the occurrence of such requirements in solicitations increased dramatically.

Contractors filed protest after protest with the Government Accountability Office (GAO) and even the federal courts over what they viewed as unduly restrictive requirements and unfair restraint of competition, but to no avail. GAO steadfastly refuses "to disturb the judgment of the agencies in the determination of their own requirements." The courts did the same. Today, hardly a single solicitation for a Multiple Award Contract (MAC) or Government Wide Acquisition Contract (GWAC) is issued without at least a requirement to demonstrate an adequate accounting system. Many solicitations also require an approved purchasing system. Where it is not a requirement, some solicitations offer extra points in the evaluation criteria for an approved system. Others offer extra points for an accepted EVMS, even in the small business portion of the competition. Of course, the actual requirement for some of these systems may be slightly suspect, but thus far GAO and the courts will not intervene when it is couched as a requirement of the agency. That could change, of course. One recent GWAC solicitation already has dozens of protests, and it hasn't even closed, much less made any source selections.

Small businesses find it very difficult to achieve an approved purchasing system or an accepted EVMS, but so long as they are competing only with each other, the "level playing field" protest argument won't fly either. It's important to note that it's not an advantage for the larger firms or a disadvantage to the smaller ones with respect to their buying power for these systems. None of these systems can be purchased as compliant systems "out of the box." In fact, some of the systems have hardly any software component to them at all, as they are file or record systems. While the status quo is not likely to change any time soon, it's important to understand why the government cares about each of these systems and what a contractor can do to achieve an adequate, approved, or accepted status.

ACCOUNTING SYSTEMS

Of the six business systems for which the Defense FAR Supplement provides acceptability criteria, the accounting system is the only one used by all government contractors and the one most often examined by the government. The main reason for this is the provision in FAR 16.301-3, Limitations (on the use of cost-reimbursement contracts), which states:

• The Contracting Officer must confirm that "the Contractor's accounting system is adequate for determining costs applicable to the contract or order."
• For a contractor with previous cost-type contracts or subject to audit by DCAA, that confirmation is often a simple "check off" on a form.
• If the firm has never been awarded a cost-type contract before, a review of its system (or proposed system) might be required.

The Standard Form 1408 (SF1408) outlines the process and is unique in that authorities can complete the system review and issue an opinion purely based on documents. An SF1408-based accounting system review (called a Pre-Award Survey) can be conducted using just a firm's policies, procedures and the manual for the software it uses or intends to use. An SF1408 review can be conducted on an accounting system not yet implemented.

Click here to see the audit program for the Pre-Award Survey at the DCAA web site.

Click here to review the Pre-Award Survey Checklist (also at the DCAA web site), which contractors must complete and submit before DCAA comes in to do the review.

Every other business system requires examination of actual practices in effect, not just policies and plans. Of course, the opinion expressed as a result of an SF1408 review is supposed to be limited and applicable only to the contract for which the review was requested, but many Administrative Contracting Officers (ACOs) will issue an adequacy letter based on a prior SF1408 review.

WHEN A FULL ACCOUNTING SYSTEM AUDIT IS REQUIRED

If an ACO requires more than just a 1408 review to make an adequacy determination, DCAA will perform a full Accounting System Audit. A 1408 review can be conducted in a day and rarely takes more than a week start to finish, including time to write and distribute the report. The full Accounting System Audit, on the other hand, can take 90 days or more of field work, involves fairly extensive transaction testing in a live system and can require interviews with most, if not all, of the accounting staff. From start to finish, the full audit can take six to nine months.

Click here to see the audit program for the full Accounting System Audit at the DCAA web site.

Whether an SF1408 review or a full audit, the "system" the government is reviewing or auditing is not simply the software. The system consists of the firm's policies, documented procedures, actual practices, and the tools (software) used. Since the government does not approve specific accounting software, no software vendor can claim to be "certified" as compliant.

ESTIMATING SYSTEMS

The estimating system is very similar to the accounting system. The government does not "approve" a contractor's estimating system. Instead, it will express an opinion that the system is or is not adequate for use on government contracts. To aid in this process, you may engage a CPA firm to perform an audit or review of your estimating system and give you an opinion on its adequacy. Most, but not all, agencies will accept that opinion as fulfillment of a contractual or solicitation requirement.

Within the government, almost all estimating system reviews are performed by DCAA. While DCAA will express an opinion on the system, the adequacy determination is actually made by the ACO. For DOD contracts, the ACO represents DCMA. For civilian agencies, this role comes from whatever organization performs the contract administration function, often the PCO who made the original award. There is little or no software component to an estimating system review. And, as with all the business systems, the government does not express an opinion on software or other tools. The estimating system consists primarily of the policies, procedures and practices that guide the estimating process, including the estimating of labor and material requirements, calculation of out-year indirect and labor rates, as well as pricing in general.

rare. In the civilian agencies, it's very common for the same person, or at least the same organization, to perform the duties of both the PCO and ACO.

ESTIMATING DEFINED

Budgeting and forecasting are not estimating. Most ERP systems capture and cost out a budget. Some can also develop quite sophisticated cost and revenue data based on that budget. Purpose-built GovCon project-based accounting systems do both extraordinarily well. Budgets and forecasts both arise out of estimates; they are both measures of what the estimate will cost. The estimate itself is a measure of what resources will be required to get the job done: how many hours will be required, when, and what materials are needed. Costs are certainly important, but only after the requirements have been estimated and time-phased. In short, estimates are about quantifying resources. Budgets and forecasts are about how much it will cost to consume those resources.

While most contractors already have the indirect rates part of the system implemented in their accounting system, they need to document their policies and processes and get them reviewed. Estimating has no FAR-specified review process like the SF-1408 process for accounting. DCAA and third-party reviewers use the DFARS Business Systems Rule adequacy criteria (DFARS 252.215-7002) and the DCAA Estimating System audit program for the review. An opinion letter from a CPA firm is usually, but not always, accepted by the government as evidence of an adequate estimating system.

Click here for the full text of the DFARS Estimating Systems requirements.

Click here for the DCMA Instruction to ACOs on the Estimating System Review.

Click here for the full text of the DCAA audit program for an estimating system review.

TIP: While reviewing an estimating system is not as time consuming as a Contractor Purchasing System Review (CPSR), it still takes time to convince a Contracting Officer to request one or to engage a CPA firm to review your system. Don't wait until the solicitation is on the street to get your system reviewed.

PURCHASING SYSTEMS

While the government does not "approve" other business systems, the purchasing system is an exception. FAR actually contains provisions for your ACO to approve your purchasing system. The best you can hope for with the other systems (accounting, material management and accounting, estimating, government property management and EVMS) is a determination that the system is "adequate" for use on government contracts. Purchasing is unique in that it is subject to government approval, and only the ACO can approve it. With accounting and estimating, other organizations (such as commercial CPA firms) can opine on your system's adequacy. While the government is under no obligation to accept their opinions, it usually will. With purchasing, only the government can approve it.

Purchasing is also never the subject of an audit. DCMA calls its CPSR a "file review" because its reviewers look at your documentation of purchases made and charged direct to contracts to evaluate your purchasing system. Software plays little or no role in that evaluation. DCMA considers the purchasing functionality of an ERP to be accounting and not purchasing.

With accounting and estimating, other auditing organizations can opine on your system adequacy. With purchasing, only the government can approve it. PCO VS. ACO If you do business primarily with civilian agencies, you may not hear the term ACO often. In DOD, the duties of the PCO (purchasing) and the ACO (administration) are separate, and all the ACOs work in DCMA. While a PCO in DOD may occasionally retain administration of a particular contract, it is 55

For clarification, an integrated ERP can help keep records of certain procurement actions such as requisition approvals, receipt of goods and services, and charges to and payments from government contracts. However, DCMA does not usually review those. Instead, they concentrate on your policies, procedures and documentation of actions taken. This documentation may include anything from market surveys to competition among suppliers to compliance with the Buy American Act. For most contactors, the CPSR is done by DCMA. A few civilian agencies do their own or contract the CPSR out, but the government does not recognize and will not approve a system based on a non-governmental entity’s CPSR unless they were specifically contracted for the review. When the government makes an approved purchasing system a contractual requirement or includes it in evaluation criteria, the question that arises is, “How do I get DCMA or some other agency to review and approve my system in time to claim credit on this solicitation?” Unfortunately, if that solicitation is already “on the street,” it’s probably not possible. DCMA has a one- to two-year backlog of CPSR actions already scheduled. What’s more, a Contracting Officer must request the review, or the contractor must demonstrate $50 million or more in revenue from cost-type contracts in the next 12 months. The revenue criteria may get your firm on ACO’s radar eventually, while getting a Contracting Officer to request a CPSR on your system is a sure thing. But, at the same time, you still have to get on DCMA’s schedule and go through the full CPSR process. EARNED VALUE MANAGEMENT SYSTEMS (EVMS) Like all the business systems, a Contractor’s EVMS consists primarily of the policies, procedures, and practices that govern how the discipline is implemented at a specific contractor. Unlike the other systems, the EVMS discipline has a specific name for that documentation—System Description. 
The System Description is a single integrated set of processes, practices, and applications that state how


the firm will implement the discipline of EVM in compliance with EIA 748.

As with the other business systems, the government does not certify or validate software for EVM compliance, nor does it “approve” systems. The government will, however, issue a “letter of acceptance” for a specific contractor’s system following a successful assessment or validation. Only the government can issue such an acceptance, but some firms have had success claiming “points credit” in solicitation evaluation schemes using an opinion letter from a third-party EVMS consulting firm. While acceptance is not assured, that approach may be preferable to waiting years for DCMA to perform a system review or validation.

Purpose-built GovCon project-based accounting systems can significantly improve EVM process maturity and can help create a project management culture by adopting EVM as a best practice, including calculating key EVM metrics and producing relevant reports. If a firm has contract-specific EVM needs—including a solicitation or evaluation requirement—a separate EV calculation and reporting engine will be required to meet the stringent requirements of EIA 748. It’s recommended that you consider a third-party EVM software tool such as forProject™ Technology for the calculation and reporting processes, as well as expert EVM consultants to help you implement the discipline. For more information about government acceptance of EVMS, check out this guide from the National Defense Industrial Association (NDIA).

Click here for a discussion of the EVM project accounting reports native to purpose-built GovCon project-based accounting systems.

Click here for a Step-By-Step Guide to EVM from the Unanet Knowledge Center.

TIP: If you need an opinion on your EVMS or assistance with developing a System Description, don’t wait until the solicitation is on the street or the contract negotiations have begun.

WHY UNANET

Unanet is the only purpose-built, project-based accounting system for GovCon professionals. In fact, Unanet is the only native integrated Cloud ERP solution built from the ground up to serve this unique market. DCAA compliance and audit confidence are foundational, not simply a goal to achieve—Unanet features DCAA requirements at each stage, employing one database and one connected set of applications.

Learn More About Unanet ERP for Government Contractors here.


Building Businesses One Government Contractor at a Time



US Federal Contractor Registration

BUILDING BUSINESSES ONE GOVERNMENT CONTRACTOR AT A TIME SIMPLIFYING GOVERNMENT CONTRACTING SINCE 2010

ERIC KNELLINGER, FOUNDER OF USFCR

Eric Knellinger, founder and president of US Federal Contractor Registration (USFCR), comes from a diverse entrepreneurial background. He attended college at the University of West Florida on a four-year athletic golf scholarship. After college, he started several companies focusing on overseas purchasing, product development, and international trade. Advertising and business development, though, is where he felt his true calling. After seven years working overseas, Knellinger began working in advertising for Verizon and AT&T, and quickly excelled in the art of business relations. In 2007, while at the peak of his career at Verizon and AT&T, Knellinger's life and his family's were turned upside down. His wife, Linda, was diagnosed with brain cancer. With two children to take care of, ages 8 and 18, Knellinger became Linda’s caregiver, and all attention turned to her and her fight. For two years, work became an afterthought.


Beginning of US Federal Contractor Registration

Around that time, Knellinger was approached by a friend, Stan Lusczynski, who was a purchasing officer at MacDill Air Force Base in Tampa, Florida. Lusczynski urged Knellinger to start a company focusing on helping businesses get registered to work with the federal government. Lusczynski said, “I’m having to buy products for the base from all over the country when I could have simply bought products and services from local merchants.”

Knellinger initially viewed Lusczynski’s idea as crazy, but with the urgings of his wife and his friend, and just $5,000 to his name, he proceeded to start the business.

Knellinger started US Federal Contractor Registration in a tiny 600 sq. ft. one-room office, with three desks, three borrowed phones, and two computers. He and two other employees, whom he promised to pay after they made their first sale, would all squeeze into this tiny office together.

In Knellinger’s own words, “I was selling companies the dream of being registered to work with the federal government.” Shortly after launching USFCR’s website, a friend gave Knellinger a $100 Google Ads gift card. Knellinger recalls redeeming the gift card in the morning; “That afternoon I had to leave the office at two thirty because I had to be home at three to give Linda her chemo. When I got home, [one of my employees] called and said, ‘Hey, we got one. Somebody ordered on our website!’”

During this discussion, Linda, in her weakened state, bedridden, only able to move with the use of a wheelchair, walked into the kitchen and leaned carefully against the doorway. Knellinger still clearly remembers what she told him that day: “You can't save me, but you can save our family.”

Collectively surprised, yet ecstatic… “About 30 minutes went by and my employee called me back and says, ‘We got two more’,” Knellinger recollects. It was at that moment Knellinger said, “We’re onto something here.”

After that, the company’s growth was explosive.



Selling the Dream of Working with the Government

GROWING SERVICES

“Through the course of all this, Linda made it to our first Christmas party and then passed shortly thereafter. If it wasn't for her pushing me to do this, we wouldn't be here today. A little bit of Linda's spirit exists in everything we do,” Knellinger states.

Focused solely on basic registrations, Knellinger realized after a year and a half that they weren't doing enough for their clients. That's when Knellinger put on his advertising hat and brainstormed different ways to stimulate success in the federal government. From that, the Verified Vendor seal was born. The seal signifies to contracting officers and other agencies that the vendor’s registration is complete and compliant with federal regulations. The seal would be prominently displayed on vendors' websites.

Continuing with their accelerated growth, Knellinger and his team created the Simplified Acquisition Program (SAP), a program that not only helps businesses get registered in SAM properly but also creates an avenue to showcase the businesses’ capabilities and market themselves to the federal government.

“Soon after, we realized that our customers wanted more. We had to train our clients. Train them on what? On everything.” That’s how the company shaped Bid Training and the Advanced Procurement Portal (APP).

"Federal systems were hard to navigate. The systems were just too difficult to use," Knellinger says, referring to the systems in place to find government opportunities. APP is a web-based contracting search and management platform that simplifies researching and bidding on government contract opportunities. All the information you need on government contracting opportunities and available teaming opportunities – you can find it in APP.

ERIC'S OWN FIGHT

“Our company was growing quickly. We were moving in the right direction. And in 2017 I was diagnosed with a tumor on the kidney.”

Knellinger immediately reached out to an old friend who happened to be one of the top urologic surgeons in the world, Dr. Cary (CJ) Stimson, MD, JD.

“I sent him my medical information at four in the afternoon. He called me and he said, ‘Can you come up? Can you be in my office tomorrow at eight in the morning?’” Knellinger, who was still in the hospital after being diagnosed, immediately packed his bags and flew to Baltimore.


Familiar Battles

Knellinger was the first one in CJ’s office that morning. He recalls, “[CJ] was turning on the lights when I arrived. He walked right over to me and gave me a big hug. And he says, ‘I got you, buddy.’”

Surgery was performed right away, and that’s when they found that the cancer had started to metastasize throughout his body, into Stage IV.

At this point, Knellinger asked his friend, “Is there anything you can do? He said, ‘Eric, I can't save you. But there’s one place in the world. If anyone has a shot, it’s Dr. Toni Choueiri in Boston at Dana-Farber Cancer Institute.’” Dr. Stimson quickly got in touch with Dr. Toni Choueiri, MD, and set up a meeting. After reviewing Knellinger’s scans, Choueiri said to Knellinger, “You have two choices. I can put you on standard of care and you'll pass quietly, [or you can fight].”

With tears in his eyes, Knellinger recalls, “I’ll never forget that day. I told Toni, I'm not dying, I can't! [My son] has already lost his mom, he’s not going to lose me. It's not going to happen.”

Dr. Choueiri then replied, “Well, then let's start today.” They immediately proceeded to remove half of Knellinger’s right lung, as the cancer had spread there, and put him on a very aggressive cancer trial.

Knellinger recollects that during this time he struggled even to get out of bed, as his hands and feet would start bleeding if he applied any pressure to them. Knellinger wouldn’t let this slow him down. Even with bloody hands and feet, he would wrap them up with gauze and go into the office, drawing wide-eyed but caring looks from the employees.

After that initial run of chemo, Dana-Farber Cancer Institute developed an immune therapy treatment that helped Knellinger’s body fight the cancer without all the horrible side effects of normal chemotherapy.

Knellinger calls the immune therapy “a gift.” He would go up to Boston once a month and have an infusion treatment instead of taking chemo every day. “And every time I went up, you know, I had some setbacks, but for the most part, things were looking better and better.” The cancer was seemingly losing, and Knellinger was feeling better every day. The treatment was working.


Knellinger states, “This place (referring to USFCR), believe it or not, it helped me heal from Linda. But now my work was helping me heal from my own battle with cancer.”

After his battle, Knellinger resumed his duties at USFCR and took the company down the road it is on now. While always focusing on registrations, USFCR has expanded its services to include training, consulting, vendor management, a new and improved Advanced Procurement Portal (APP), and so much more. USFCR’s workforce has swelled to 60+ employees, with the team growing nearly every week since inception. USFCR has helped complete over 180,000 compliant SAM registrations for businesses and nonprofits and helped its clients obtain hundreds of billions in government contracts. Knellinger's battles have shaped both him and the company. Even with the massive growth, he will never forget how the company started: “I look at this place as the company that Linda helped build. I didn't build this. She built it. She built it from her love and from passion.”

Eric Knellinger is a fighter for himself, for his family, and for your business.


www.pscouncil.org

