2020 Annual Conference Thought Leadership Compendium


VIRTUAL THOUGHT LEADERSHIP COMPENDIUM

CBIZ Government Contracting Practice



TABLE OF CONTENTS

Conducting Public Policy Research During a Pandemic, Abt Associates (page 1)
Focusing on “Guiding Lights” in M&A Due Diligence to Drive Value Creation, Arena Strategic Advisors (page 6)
CMMC: Instilling a Culture of Cybersecurity Awareness Within an Organization, Aronson (page 11)
Advancing Our Customers’ Missions Through Innovative, Agile Technologies, BAE Systems (page 18)
Service Contract Act Health & Welfare Benefits: Contractor Obligations, Options and Best Practices, CBIZ Government Contracting Practice (page 22)
Cybersecurity and OSCAL: Geek Perspective; ‘C Level’ Perspective, CMMC Solutions (page 27)
Increased Efficiency in Government Performance, DLH (page 31)
Six Pragmatic Strategies to Spur Federal IT Modernization, ICF (page 36)
The Best They Can Be: Veterans and Active-Duty Military Mental Health Struggles and How Data Can Help, Leidos (page 41)
Joint All-Domain Operations: Redesigning the Ecosystems of Engagement, Parsons (page 46)
Return to the Workplace, Salesforce (page 52)
GAUGE: Gain Insights into Industry Best Practice, Unanet (page 58)
Tax Policy Outlook - Impact on M&A, Wells Fargo (page 65)


ABT THOUGHT LEADERSHIP PAPER

Conducting Public Policy Research During a Pandemic

Katie Speanburg, Laura Peck, Lauren Olsho, Christopher Spera, and Alvaro Cortes, Abt Associates


Introduction

The World Health Organization’s (WHO) designation of COVID-19 as a pandemic will likely require health, social, and economic researchers to reconsider their study designs for ongoing research. This brief outlines how the COVID-19 pandemic could affect the design phase, data collection, and the analysis approach of health, social, and economic research.

Considerations for the Design Phase

Study teams are still learning about the effect of COVID-19. They should consider modifying their study design to improve the world’s ability to respond to COVID-19 and learn about the pandemic’s potential effects on an array of outcomes. And of course, studies that require in-person interactions should carefully consider the health and well-being of research staff and study participants and determine if another data-collection method is appropriate.

(1) Improving the world’s ability to respond. A few options for consideration include:
• Adding questions to surveys, focus groups, and interviews about people’s attitudes toward social distancing and how people are (or are not) mitigating the spread of the virus
• Adding new data collection activities that shed light on the transmission of the virus and treatment options
• Adjusting the timeline for implementing an intervention if the intervention is designed to enhance the capacity of study participants to successfully enter the healthcare industry. For example, in a study of participants in healthcare sector training—such as becoming Registered Nurses—the training/service providers might accelerate their efforts (rather than shut down) to prepare training participants to join the healthcare workforce quickly and respond to COVID-19 sooner.

(2) Understanding the pandemic’s potential effects on an array of outcomes. While COVID-19’s impact on people’s health is the top concern, we also recognize that COVID-19 has affected a broad array of other important outcomes—e.g., employment, financial stress, educational attainment, substance use disorders, and homelessness (to name just a few). As a result, study teams could consider the effect of COVID-19 and rethink the outcomes of interest in their studies, which, in many cases, can be explored using administrative data. For example, study teams can leverage these administrative data:
• Unemployment Insurance
• National Directory of New Hires
• Social Security disability claims
• Census tracts
• Consumer Financial Protection Bureau data
• Medicaid or Medicare enrollment data and claims
• Local Homeless Management Information System data
• National Center for Education Statistics data.
If there are additional data sets that should be analyzed, then researchers should plan ahead to collect those data within the appropriate timeframe.

(3) Health and wellbeing of research staff and study participants. The pandemic obviously affects research staff and study participants. The design plan should include a clearly defined contingency plan should research staff become unavailable. Study teams must be prepared to make key design decisions in the potential absence of key technical staff.


Operationally, study teams will encounter disruptions during the lifecycle of a study, especially since many organizations have moved to telework. That can cause confusion about review and approval processes and staff availability as staff juggle work and personal responsibilities. Accordingly, it is important to have staff who are cross-trained in many roles and can quickly pivot as needed. And study managers must adopt proven project management approaches to maintain appropriate staffing and deliver high-quality work. Design plans should also include well-conceived protections for human subjects that an Institutional Review Board (IRB) has approved.

Considerations for Data Collection

COVID-19 is likely to affect a study’s data collection activities considerably. For example, organizations may decide to suspend all in-person data collection activities to prevent the spread of the virus. The intended study population also may be temporarily unavailable during the pandemic. Such populations may include:
• Healthcare professionals who focus on treating patients
• Hospital or nursing home patients who can no longer accept visitors
• School-aged children who are not in the classroom
• Homeless populations in shelters
• Individuals who are incarcerated and unavailable to participate in research during this time.

Study teams have several options:

(1) Consider switching modes from in-person to virtual data collection. With many options to reach people virtually, study teams are able to adapt and switch data collection modes. However, the switch may introduce other types of challenges to data quality, integrity, and compliance within the boundaries of applicable Federal regulations. For example, study teams may need to train data collectors on the virtual data collection tool, and once data collection begins, teams must confirm that the correct respondent was reached. Also, study participants may not complete the entire survey or interview due to challenges with internet connectivity. Lastly, virtual data collection complicates the study team’s approach to obtaining consent and complying with the data security provisions of the Health Insurance Portability and Accountability Act (HIPAA).

(2) Consider discontinuing data collection early if the study has sufficient data and statistical power to answer the research questions. In some situations, study teams may be able to suspend their data collection activities if, in conjunction with relevant stakeholders (e.g., federal government contract officer), the study team determines that it has sufficient data to meet the objectives of the study.

(3) Consider pausing data collection until the population becomes available if doing so would not compromise the research. Temporarily suspending data collection is likely to be a common situation, especially when study participants are inaccessible. For example, consider research with children at this time. If children were in a classroom receiving an educational intervention before COVID-19, it is possible that the intervention will be found to be ineffective after COVID-19. However, this conclusion could be misinformed if there was a several-month gap when the school was closed, or if the intervention was conducted in a virtual classroom where it could not be implemented effectively. When data collection is resumed, researchers will need to consider the impact on the quality of the data and bias in responses, post-pandemic. (This is discussed in the section below.)

(4) Consider adding another data collection point to learn more about potential impacts of COVID-19, depending on the purpose and topic of the research. This additional data point could be relevant now and for several years following the end of the pandemic. A cautionary note, however—this should not be a fishing expedition!

Once the study design is finalized, incorporating COVID-19 considerations as appropriate, pause to reflect on the decisions. If those decisions are still relevant given the daily changes in our environment, then proceed with the research plan. Project leadership will need to regularly reassess the study design to ensure it is meeting relevant Federal, state, and local guidance and mandates as well as ethical considerations.

Considerations for Analysis Phase

When conducting analyses for a project that collected data during the pandemic, it will be important to look at the interplay of statistical power and respondent biases. It may be the case that the study gets a higher response rate than anticipated because many people are working from home and are therefore potentially more likely to answer an email or phone call from an unknown entity. Better survey response rates and larger sample sizes will improve the statistical power of the study to detect impacts. Depending on the topic of the research, however, responses are likely to be affected by the pandemic, which could introduce bias into the results. As research and evaluation professionals, we are always taught to maximize internal validity and guard against threats to internal validity, such as history. History is defined as an external event that occurs while the study is in progress that could skew the findings, provide an alternative explanation for the intervention having a null or significant effect other than the intervention itself, and/or muddle the interpretation of findings when ‘pooling’ impact estimates. COVID-19 certainly poses the kind of threat to internal validity that could have wide-ranging impacts on ongoing research.

An example of a history event impacting internal validity in the last 20 years was 9/11 (September 11, 2001). Many studies that were in the middle of data collection showed significant differences pre- and post-9/11. Although an external circumstance like COVID-19 should theoretically affect participants in the treatment and comparison groups equally, studies back then found that additional work was needed when calculating impact estimates related to an intervention before and after 9/11. The degree of bias may depend on the extent to which evaluation sites in treatment and comparison groups are differentially located in COVID-19 hotspots. Those hotspots may be a moving target given the many unknowns about the epidemiological trajectory in different regions of the country. In experimental evaluations, we assume that randomization enables the treatment and control group to account for all differences except the intervention. However, since COVID-19 heavily targets some communities and not others, the impact estimates, and resulting bias, may not be minimized by the nature of the experimental design. In quasi-experimental design studies, the potential biases may be even more acute. In addition, there are important questions about whether the magnitude of the intervention’s effect changes (increases or decreases) pre- and post-COVID-19. To handle these issues, study teams may revise their analysis plans to:

(1) Conduct subgroup analyses. For example, researchers might consider analyzing impacts on early (pre-pandemic) versus late (post-pandemic) study participants. Subgroups based on age or health risk are also relevant because of the greater risk of becoming very ill among the elderly or those who are immune-compromised.

(2) Account for geography-based impact variation. It is possible that participants living in cities or states that are greatly impacted might have different intervention responses from those living in areas with a less restrictive COVID-19 response.

(3) Test for interaction effects. It is possible that COVID-19 directly interacts with the intervention being studied, especially if the intervention is being implemented in a healthcare setting.

(4) Use appropriate weights. Study teams may need to revise statistical analyses to weight or adjust for biases that may exist.

(5) Interpret with caution. When interpreting the data and findings, study teams should take into account this historical context, especially when data are pooled pre- and post-COVID-19.

Summary

These are difficult times. Now more than ever, policymakers and other decision-makers need reliable data and rigorous analyses to help arrest the spread of COVID-19 and complete their important research studies. Until the pandemic subsides, it is imperative to maintain quality, rigor, and scientific integrity in research studies while following—and adjusting to—the ever-changing landscape of the COVID-19 pandemic.

For more information, please contact:
Katie Speanburg, M.A., Institutional Review Board Administrator, Katie_Speanburg@Abtassoc.com, 617.520.2499
Christopher Spera, Ph.D., Division Vice President, Health & Environment Division, Chris_Spera@Abtassoc.com, 301.347.5950
www.abtassociates.com/covid-19-insights

Abt Associates • 6130 Executive Boulevard • Rockville, Maryland 20852

© 2020 Abt Associates



Focusing On “Guiding Lights” In M&A Due Diligence to Drive Value Creation

by Mike Kotarski and the Team at Arena Strategic Advisors

M&A continues to play a critical role in the growth of businesses of all sizes in the government contracting industry, and the vast majority of current executives (and employees) have been involved in M&A in some fashion over the last 25 years. Yet, despite this collective experience, mergers and acquisitions remain filled with pitfalls, and there is, at times, surprisingly little consistency in how companies and investors assess potential M&A targets. For seasoned acquirers, often a false sense of security and/or confirmation bias takes hold. New buyers may not fully appreciate the underlying business complexity and specificity of certain markets and associated competitive dynamics. Coupled with lower cost debt, low tax rates, a large amount of private equity money waiting to be deployed, and investment bankers doing their best to portray companies in the most favorable light, it is easy for executives and investors to fall into the trap of pursuing acquisitions that fail to create meaningful value.

To make matters worse, there are new market dynamics that make today’s M&A a bit more challenging. Though activity has begun to resume after the COVID-induced hiatus that began in the spring, the M&A environment today is far different than in prior years. COVID-related impacts to 2020+ financial performance in many companies add new layers to already complicated financial forecasting. The upcoming presidential election adds meaningful uncertainty around mission and spending priorities. Beyond the politics, future discretionary federal budgets are likely to be impacted by the economic burden of COVID stimulus. In addition, for larger strategics and private equity firms, the reality is there is a decreasing supply of “traditional” M&A candidates with truly differentiated capabilities and limited reliance on Small Business Set-Aside (SBSA) contracts (more on that later).

And yet, despite these challenges, M&A still offers routes to market and growth options that are often impossible to accomplish organically. A rigorous due diligence process can bridge the gap between the risks and benefits of M&A and provide a buyer with an objective and unvarnished truth about a potential target to help inform strategy, financial performance expectations, and valuation. Of course, at times, rigorous due diligence is not congruous with winning a deal, particularly if there is an irrational or uninformed buyer willing to pay far more than a target is worth. The paradox of disciplined investing is that being better informed can sometimes be a disadvantage, but most deal teams we know will assume that risk.

Having worked with both strategic buyers and private equity investors, Arena has supported a wide range of perspectives and experience levels in M&A. Our team has been involved in buy-side due diligence support of more than 300 services and products companies since 1999. It has been an interesting vantage point, to say the least.

From a due diligence perspective, apart from early identification of obvious deal killers such as legal, tax issues, and/or fraud, the most successful acquirers employ a robust due diligence process focused on what we term “guiding lights” or key anchor points, questions, and analysis related to strategy, culture, and financial performance:
❑ Does the acquisition target fit with the buyer’s strategy?
❑ Are the cultural policies and norms of the target compatible with the buyer’s?
❑ Does the financial forecast justify the price?

A rigorous due diligence process provides objective and unvarnished truth about a potential target to inform strategy, financial performance expectations, and valuation.

Fit with Acquisition Strategy

The best acquisitions are focused on customers, capabilities, contract access, and/or the combined ability to pursue upcoming new business opportunities. The due diligence process should carefully assess how well a target company aligns with a buyer’s objectives, answering key questions about strategic fit:
▪ Do the target’s capabilities align with the buyer’s strategy and are those advertised capabilities real and differentiated? It seems nearly every company for sale today is a “cutting-edge, differentiated, Cyber, Cloud, C4ISR, AI, Space powerhouse…” A buyer must establish a detailed understanding of the actual capabilities of the target and go deeper than the latest buzz words.
▪ Assuming general strategic fit, does the target have any true “franchise” positions – i.e. deep domain expertise, technical differentiation, proprietary solutions, sole source positions, and/or significant market share in certain customers or in targeted capability areas?
▪ Does the target have access to the necessary contract vehicles and relationships to achieve growth within its customer base(s)?
▪ Successful acquisition strategies are forward looking; they do not assume past is prologue. Does the target have the recruiting, training, project management processes, certifications, IR&D, or other internal business engines necessary to remain a leader in the capability areas for which it is being acquired? If not, the buyer must understand the necessary investments and how the costs of those investments will impact both near- and long-term revenue growth and profitability.

Evaluating Culture – More Tactical Than You Might Think

For all companies, but especially for government services contractors, employees are the key to success. Company culture plays an important role in retaining the right people. Many executives contend that their companies’ cultures are intangible, unable to be described in detail, but critical to their success. In our experience, culture is less mysterious. It is the manifestation of company values, policies, and norms that have a direct impact on employee job satisfaction and performance for customers. A buyer should assess how its own culture differs from the target’s and how this may impact recruitment, retention, performance, customer and market perceptions, and ultimately long-term success.
▪ At some companies, “values” are just marketing slogans, but at others they are a direct driver of the company’s success. If a company’s values play a key role in its culture and day-to-day performance, the buyer needs to be confident they will be able to maintain those values post acquisition. Legitimate values are not just high-minded ideals, they are specific and visible means by which a company executes work, interacts with customers and the community, and promotes and rewards employee performance. Such values can take years to root and mature but can be quickly eroded or even destroyed by a careless or arrogant acquirer.
▪ Employee benefits are one of the most quantifiable outputs of a company’s culture. Salaries, bonuses, health benefits, and 401K contributions are fundamental to attracting and retaining talent. Importantly, if the target has significantly different compensation policies than the buyer, it may be difficult to integrate both entities without losing key talent. Constructing separate fringe pools or compensation plans is a possible solution but comes with added complexity and can alienate legacy employees. Another key manifestation of culture is employee access to top leadership and how much impact employees feel they have over the direction of the company. Employees who are used to voicing concerns and participating in strategic decisions with the C-Suite in a smaller company often find it impossible to work in an environment where they have no interaction with top corporate leadership or where they feel their direct managers are not sufficiently advocating for their concerns.
▪ The reputation and brand of both the buyer and the target will also impact cultural fit. A buyer should maintain a clear-eyed understanding of its own and the target’s reputations in the marketplace and how the employees and customers of both companies may react to the combination.

Assessment of cultural fit is more important than simply judging if a target’s culture is “good” or “bad.” The focus of due diligence should be to assess the differences between the buyer’s culture and that of the target. Significant differences may make integration difficult and lead to employee retention challenges.
▪ That said, some underpinnings of company culture are inherently more difficult to overcome. Companies with mature and “cult-like” behavior may be harder to integrate than those with less cultural cohesion. Similarly, when target companies are owner-led or have only a handful of key leaders, an acquirer can be exposed to what we call the “Pied Piper” effect, where the departure of an executive can cause a significant number of other employees to follow.

When attempting to understand a target’s culture, a buyer must speak with middle management and the target’s human resources leadership. Relying on a C-suite executive who is trying to sell the business may not be enough to determine how a company’s day-to-day operations and on-the-ground leadership styles have shaped real and perceived cultural norms.

Detailed Revenue & Profit Analysis to Prove the Business Case

With valuations seemingly high, proving the financial case for a deal is critical. Even if strategy and culture are perfectly aligned, if the forecast cannot justify the price, value creation is unlikely. Determining realistic and achievable forecasts in government services businesses requires more than just run-rate sensitivities, Monte Carlo analysis, or similar processes that purport to be in-depth due diligence but fail to capture major risks, upside potential, and, most importantly, the most likely forecast for revenue and profit performance. There are several industry-specific elements to consider when forecasting existing contracts and a new business pipeline. Evaluating them as part of due diligence requires specialized market, customer, program, financial, and operational experience.
▪ A detailed understanding of what is driving the forecast is critical, both in current contracts and for new business pursuits. Anyone with a red pen can reduce forecasts to get to a “Downside Case.” Isolating a most likely or “Base Case” and an achievable “Upside Case,” while creating convictions and defining variables for both, requires a more detailed understanding of market conditions, customer buying behavior, contracts, and often a multivariate approach to forecasting.
▪ Probability of Win (“p-win”) is often the foundation of forecast models for services contractors, but this expected value method often prioritizes simplicity at the expense of precision or even realism. The most basic objective of forecast due diligence is to determine how likely it is for the target to win recompetes and new business pursuits. Effective due diligence tests p-win assumptions from several different angles, assessing competitive position, prime versus subcontractor roles, incumbent performance, changing contracting dynamics, pricing sensitivities, key personnel, customer perceptions, and a host of other factors. Additionally, at times, some opportunities are so large that it makes more sense to view them as a binary win or loss rather than a statistical uncertainty that skews the forecast.
▪ The rubber meets the road in profit forecasts. Do the forecasted increases in Gross Profit and EBITDA margins make sense, particularly when considering the target’s current and future mix of contract types (Cost Plus, Fixed Price or Time and Materials), the buying behaviors of their customers, and future competitive dynamics? Do assumptions about direct labor vs. subcontract labor and other direct costs (ODCs) support the gross profit forecast? Does the financial model accurately depict how wrap rates are applied to each contract? Do the forecasted Overhead and G&A costs reflect the necessary infrastructure and business development resources required to achieve the forecast and scale the business, or is the cost structure hollowed out to present the best possible margin profile as part of the sale?
▪ Wrap rates and the indirect cost structure of a target are often afterthoughts in typical forecast models. Disaggregating Fringe, Overhead and General & Administrative expenses and understanding current and future wrap rate competitiveness are critical to establishing realistic revenue and profit forecasts in a services business. In addition, a buyer must pay careful attention to how the acquisition will impact the wrap rates of the combined entity. Often the cost structure and margin profile of a smaller business appear very attractive but would be uncompetitive or significantly less profitable when burdened with a larger company’s costs.
▪ Smaller firms transitioning away from heavy reliance on small business set-aside contracts are often attractive targets, but the buyer must fully understand the target’s lingering exposure to SBSA awards. Small business contract exposure is not necessarily a deal killer for a larger acquirer, but the details do matter. The ability to retain SBSA work after an acquisition, as well as the ability to continue using SBSA contract vehicles, differs from contract to contract and across customers. Many targets assert their SBSA contracts are likely to be recompeted as unrestricted. This assertion needs to be carefully validated, keeping in mind customer preferences within the program office can often be overruled by other parties (contracting officials, small business officials). Importantly, the shift from SBSA to a full and open competitive environment, as well as the requirements to onboard subcontractors as the prime (at the expense of direct labor), almost always result in profit margin erosion.
▪ Subcontracts to other prime contractors are often a material part of a target’s overall portfolio. Most subcontracts have contract clauses that require the prime contractor be notified in the event of a change of control. If the new buyer is competing directly with some of the prime contractors to which the target company is subcontracting, those primes may decide to end the relationship(s). Moreover, the prime contractor may be receiving small business subcontract credit which may no longer be possible if the target is acquired. It is critical to determine if, and to what extent, the target will be able to maintain roles as a subcontractor to the buyer, both immediately post close and longer-term.
▪ Revenue Synergies are one of the leading justifications for M&A. While 1 plus 1 sometimes does equal 3, the underlying assumptions need to be carefully assessed. Are there specific upcoming opportunities the buyer and seller alone cannot bid, but for which together they would be competitive? Would the combined entity have a higher probability of success on upcoming opportunities in their respective pipelines? Are there real prospects to cross-sell capabilities into each other’s customers or on each other’s contract vehicles? The underlying thesis supporting expected revenue synergies needs to be clearly articulated and supported by specific business development pursuits. It is not enough to be notional or wave hands at the “story.”
▪ Cost Synergies can often bridge the gap between the output of a stand-alone financial forecast and the required price to win the deal. These synergies can be real, but it is important they are built from a bottoms-up analysis, based on expected consolidation of functions and systems and with future combined wrap rates in mind. “Finger in the air” guesses of future cost savings rarely translate into actual value post close.

A Note About Integration

If an acquisition makes it through the due diligence process and the purchase agreement is signed, significant work remains to ensure the acquisition creates value. Careful and detailed integration is vital to manage the inevitable cultural and financial challenges and to achieve desired revenue and cost synergies. Importantly, a rigorous, cross-functional due diligence process should provide a buyer with a strong starting point for understanding a target’s operations, back office functions, employee base, and business systems, enabling more seamless integration planning.

Summary Takeaways

While due diligence is a very broad term that includes Legal, Accounting, Human Resources, Information Technology, and nearly all other business functions as part of the review of a target, from our perspective the true “guiding lights” of due diligence are strategic fit, cultural compatibility and a detailed understanding of the revenue and profit forecast. M&A is often a watershed event in corporate growth, and many of the leading companies in the government services market were built through numerous acquisitions. M&A comes with significant risks and uncertainties, but these can be mitigated by asking the right questions and thoroughly vetting potential acquisition targets.

Arena Strategic Advisors provides strategic planning, corporate development, M&A due diligence, integration, operational improvement, and risk management consulting services to companies and investors in the Defense, Aerospace, and Federal Services markets. Learn more at: https://arena-advisors.us


Cybersecurity Maturity Model Certification (CMMC)

Instilling a culture of cybersecurity awareness within an organization


Instilling a Cybersecurity Culture

Earlier this year the Department of Defense (DOD) announced the final version of the CMMC Model (v1.02). The Cybersecurity Maturity Model Certification (CMMC) consists of distinct security maturity levels (ML) ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”. CMMC is intended for Defense Industrial Base (DIB) contractors, who will be required to be formally certified using the CMMC model as a requirement for future contract awards. CMMC will eventually replace the current self-certification process that is mandated by DFARS 252.204-7012 and implemented via controls specified in NIST 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.

“The U.S. loses an estimated $600 billion per year in intellectual property and data because contractors aren’t following basic cyber hygiene practices.” - Katie Arrington, Chief Information Security Officer, Office of the Assistant Secretary of Defense for Acquisition

In many of the discussions about CMMC, I find one thing lacking: an emphasis on developing a culture of cybersecurity within DIB contractors and how that translates into reality for companies large and small. Achieving certification at any of the 5 CMMC maturity levels isn’t just a one-time or even triennial event (every 3 years) to demonstrate compliance with tens or hundreds of security practices to a certified third-party assessor (C3PAO). Businesses that think this way may be in for a rude awakening as they go through the initial assessments, but even more so as the CMMC model evolves and becomes more complicated over time. In fact, each CMMC maturity level consists of both practices (i.e. security controls) and processes, as characterized in this figure.

Note: All references from CMMC Model V1.02 published March 18, 2020.

For example, CMMC ML 3 “focuses on the protection of CUI and encompasses all of the security requirements specified in NIST 800-171 as well as additional practices from other standards and references to mitigate threats”. It is worth noting that all DOD contractors that process CUI have been required to self-certify compliance with all of the NIST 800-171 requirements since December 31, 2017. So in theory at least, for a DIB contractor that has already attested to meeting the NIST 800-171 standard, the bar to achieving CMMC ML 3 is fairly low.

CYBERSECURITY MATURITY MODEL CERTIFICATION 12


Understanding Compliance “Meeting CMMC is more than just developing and updating policy documents, providing training to end users and/or implementing new security tools.”

A lot of focus understandably has been on addressing the specific practices that are specified within the model in order to “pass” the assessment performed by an assessor. For example, CMMC ML 3 consists of 130 practices. However, CMMC ML 3 also requires processes that are “Managed” which “requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.”

So while it is important to ensure that each practice is being conducted and followed within an organization, it is just as important to have a plan in place to demonstrate how the practice is being managed. We’ll use a relatively straightforward security practice to demonstrate our point. “Perform maintenance on organizational systems” is a required security practice (MA.2.111) at ML 2 and higher. These maintenance tasks range from applying appropriate software patches and updates to endpoints to ensuring a network device runs the most up-to-date secure firmware version. It includes planned and unplanned maintenance, configuration changes, etc., performed on any hardware, firmware, or applications within your organization’s boundary. Most organizations will likely feel this is an easy practice to meet. However, it is not enough to “check the box” and tell an assessor “Yes, we perform system maintenance”. Here are some questions that you should consider:
• Does your organization have a record of the maintenance activities that have been performed over the past month, quarter, or year?
• Do you have a record of the systems that maintenance was performed on, or of what was involved in the last maintenance performed?
• Can you communicate what maintenance activities have been deferred, and have you documented why, or when those maintenance activities will be completed?
This is just one seemingly simple practice. Many practices are significantly more complex, both in demonstrating compliance and in managing the processes related to that practice.
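As an added example (not from the Aronson paper), the Python sketch below shows what keeping such evidence can look like: each of the three questions above becomes a query over retained maintenance records rather than a verbal “yes, we do maintenance”. The record fields, the constructed ledger entries, and the function names are assumptions made for illustration, not part of the CMMC model.

```python
"""Maintenance evidence ledger for CMMC practice MA.2.111.

Added example, not from the Aronson paper: the record fields, ledger entries
and function names are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class MaintenanceRecord:
    record_id: str
    system: str                   # asset inside the organization's boundary
    activity: str                 # patch, firmware update, configuration change, ...
    planned: bool                 # planned vs. unplanned maintenance
    performed_on: Optional[date]  # None while the work is still deferred
    performed_by: str = ""
    deferred_reason: Optional[str] = None
    due_by: Optional[date] = None


# Constructed ledger entries (illustrative system names, not real assets).
LEDGER: List[MaintenanceRecord] = [
    MaintenanceRecord("MR-0001", "fw-edge-01", "firmware update", True,
                      date(2020, 7, 14), performed_by="itops"),
    MaintenanceRecord("MR-0002", "ws-acct-07", "patch", False,
                      date(2020, 8, 3), performed_by="itops"),
    MaintenanceRecord("MR-0003", "app-erp-01", "patch", True, None,
                      deferred_reason="vendor reports the patch breaks the reporting module",
                      due_by=date(2020, 10, 31)),
    MaintenanceRecord("MR-0004", "db-hr-01", "configuration change", True,
                      date(2020, 9, 21), performed_by="itops"),
    # Deferred with neither a reason nor a target date: the gap an assessor asks about.
    MaintenanceRecord("MR-0005", "sw-core-02", "firmware update", True, None),
]


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def records_between(ledger, start, end):
    """Question 1: maintenance actually performed in the period [start, end]."""
    start, end = _as_date(start), _as_date(end)
    return [r for r in ledger
            if r.performed_on is not None and start <= r.performed_on <= end]


def systems_maintained(ledger, start, end):
    """Question 2: which systems received maintenance in the period."""
    return sorted({r.system for r in records_between(ledger, start, end)})


def last_maintenance(ledger, system):
    """Question 2: the most recent completed record for one system, or None."""
    done = [r for r in ledger if r.system == system and r.performed_on is not None]
    return max(done, key=lambda r: r.performed_on) if done else None


def deferred(ledger):
    """Question 3: work that has been deferred (no completion date yet)."""
    return [r for r in ledger if r.performed_on is None]


def undocumented_deferrals(ledger):
    """Deferred work with no recorded reason or target date: nothing to show an assessor."""
    return [r for r in deferred(ledger) if not r.deferred_reason or r.due_by is None]


def overdue_deferrals(ledger, today):
    """Deferred work whose documented target date has already passed."""
    today = _as_date(today)
    return [r for r in deferred(ledger) if r.due_by is not None and r.due_by < today]


def evidence_summary(ledger, start, end, today):
    """The answers to the three questions, packaged for a review or an assessment."""
    return {
        "performed": len(records_between(ledger, start, end)),
        "systems": systems_maintained(ledger, start, end),
        "deferred": [r.record_id for r in deferred(ledger)],
        "undocumented": [r.record_id for r in undocumented_deferrals(ledger)],
        "overdue": [r.record_id for r in overdue_deferrals(ledger, today)],
    }


if __name__ == "__main__":
    print(evidence_summary(LEDGER, "2020-07-01", "2020-09-30", "2020-11-15"))
```

The point of `undocumented_deferrals` is that a deferral is acceptable evidence only when the reason and the target date are recorded; an entry like MR-0005 is exactly what the third question is probing for.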



Cybersecurity and IT Operational Maturity The security practice described previously demonstrates the interdependency between cybersecurity maturity and IT operational maturity. Large firms typically have the luxury of dedicated staff for each separate but distinct function: IT operations (IT Ops) and IT security operations (SecOps). I would argue they are, on average, no more secure than the small to medium business (SMB) that has only IT Ops staff with little to no cybersecurity experience or capability. For example, in the case of the Equifax breach, a known vulnerability had been identified in a piece of software, but the team responsible for addressing the vulnerability didn’t implement the fix for months. The result was that an attacker infiltrated their network and exposed the data of 147 million Americans (see the CSO source article). Performing systems maintenance is typically the purview of the IT Ops function and not the SecOps function. But there are a lot of considerations that go into performing maintenance on a system. For example, the SecOps function will likely want to implement patches to critical systems right away to address existing vulnerabilities and potential security concerns. However, the IT Ops function may be reluctant to do so, as it may cause unknown performance and application issues that will impact stakeholders. Here, both functions need to work in tandem to find the best approach while mitigating the risk appropriately. Similarly, actions taken by the IT Ops function can have a negative impact on the overall security of an organization. A configuration change to a device or system may introduce a vulnerability. Or a change in hardware or software may require a re-assessment of how the organization addresses security practices that were dependent on that system.
As such, the IT Ops function must be critically aware of its responsibilities as they relate to maintaining the security of the organization, and must take cybersecurity considerations into account in its decision making.



Cybersecurity and Operations Maturity The IT Ops function is just one stakeholder group involved in meeting and demonstrating compliance with CMMC standards (along with the SecOps function). However, there are multiple other stakeholder groups within the organization that are also involved in achieving and maintaining compliance with CMMC practices. Here are a few of these groups:
• Human Resources (HR) – The HR function is typically responsible for screening individuals interested in joining an organization (e.g. performing background checks). The organization has to trust that this screening process is consistently followed in order to demonstrate compliance with practices identified within the Personnel Security domain. Similarly, timely notification of personnel events (such as transfers and terminations) must be provided to IT in order to protect organizational systems.
• Facilities/Facility Security Officer (FSO) – The Facilities function or FSO is typically responsible for limiting physical access to a facility. This includes escorting visitors, monitoring visitor activity, and maintaining logs of physical access to the facility. Demonstrating compliance with the practices identified within the Physical Protection domain will rely heavily on this function.
In addition to the above, your subcontract administrators, purchasing teams, and even employees themselves have responsibilities as they relate to maintaining the overall security of an organization.



A Culture of Security Awareness

It is impossible to have a secure and compliant IT environment without buy-in and engagement from the entire organization. Here are some things to consider when evaluating your organization’s readiness to undergo a CMMC assessment:
• Is there buy-in from appropriate levels of management? Tone from the top is crucial when implementing appropriate IT and security practices. If management leads the way in promoting a culture of security and risk awareness, it tends to resonate with employees. Communication, updates, and tangible actions by management supporting the mission and goals of IT Ops (and SecOps) let employees know that management is prioritizing these functions. This in turn leads to the IT Ops and SecOps teams being provided the resources they require to fulfill their missions.
• Do all users receive appropriate education about the IT Ops and SecOps functions and missions? Security awareness training for DIB personnel is nothing new, but having it be its own security domain within NIST/CMMC continues to reinforce its importance. Users need to be aware of the role they play in ensuring their IT environment stays reliable and secure. Educating users about security awareness should not be only a once-a-year exercise. Content and best practices should be communicated continuously to promote a culture of security and risk awareness. And just as we expect a minimum level of education for our general user base, those in charge of managing our IT systems need to also consider what specialized education and training is needed to stay ahead of emerging threats and technologies.
• Do you have the right resources in place? While this certainly includes having the right technology to support your organization’s security posture, it also includes having the right human resources. Having individuals with knowledge of both IT Ops and SecOps helps them work effectively with those who have experience in only one of those areas. Looking solely through a security lens may cause blind spots when looking at the bigger picture. If implementing a security fix causes an application to become nearly unusable, was the cost/benefit properly analyzed? This matters more as technology and systems become increasingly complex through outsourcing, the use of cloud platforms, and other factors.
Having a strong SecOps function in place is critical to ensuring that your organization stays secure and compliant. However, there are also complementary functions needed to implement the required security practices. It is a balancing act to meet organizational and business needs while addressing security and regulatory requirements. Having the right system knowledge, an understanding of the supporting functions, and the necessary support and resources will be essential to achieving and maintaining compliance with CMMC practices at your desired maturity level.


About Aronson LLC Aronson LLC provides a comprehensive platform of assurance, tax, and consulting solutions to today’s most active industry sectors and successful individuals. For more than 55 years, we have purposefully expanded our service offerings and deepened our industry specialties to better serve the needs of our clients, people, and community. From startup to exit, we help our clients maximize opportunity, minimize risk, and unlock their full potential. For more information about Aronson LLC, please visit www.aronsonllc.com or call 240.630.0702.

AZUNNA ANYANWU Director of Information Technology aanyanwu@aronsonllc.com 301.231.6235



Advancing our customers’ missions through innovative, agile technologies baesystems.com

Disclaimer and copyright This document gives only a general description of products and services and except where expressly provided otherwise shall not form part of any contract. From time to time, changes may be made in the products or conditions of supply. © 2020 BAE SYSTEMS. All rights reserved. BAE SYSTEMS is a registered trade mark of BAE Systems plc

BAE Systems, Inc. Intelligence & Security www.baesystems.com No licensable export-controlled data evident. Review # IS-2020-1512

1020-961V3

October 2020



As a leading systems integration, sustainment and engineering company, our priority as a service organization is to ensure our customers have access to breakthrough technologies that solve their toughest problems. This includes capabilities that support the Department of Defense’s (DoD’s) digital engineering vision of “an integrated digital approach that uses authoritative sources of systems’ data and models as a continuum across disciplines to support lifecycle activities from concept through disposal.” We’re at the forefront of the digital transformation age, providing digital engineering solutions to service branches and agencies. Digital transformation and digital engineering are absolute necessities because of the efficiency and decision-informing value they bring to the table.

Advancing Digital Engineering Capabilities As we support our customers’ priorities to preserve and advance our nation’s strategic defense advantage, we continue to expand our systems integration capabilities through state-of-the-art digital engineering technology at BAE Systems. Guided by the DoD’s digital engineering strategy, we are integrating new modeling tools and developing model-driven methods for many services, systems, and products.

We continue to invest in model-based methods and in applying them to solve hard technical problems, or existing problems, in faster and more effective ways. We are doing this through carefully planned pilot projects targeted at real customer needs and problem sets. Examples of these methods include:
• Integrated system architecture based on cross-domain models connected by a digital thread for architecture design trades
• Model-based system test and evaluation method for system functional IV&V automation
• System availability modeling and dynamic data dashboards
• Weapons system operational sequence and behavior modeling for functional verification
• Model-based cybersecurity risk assessment and RMF automation
• DevSecOps for mission-critical software lifecycle support

In our Digital Engineering Lab in Maritime Plaza, Washington D.C., we implemented a high-fidelity VR and AR system. We are developing digital twin techniques in real time, collaborating on engineering design, performing interactive system maintenance, and providing immersive end-user/support training. Our systems engineers at BAE Systems’ Digital Engineering Capability Lab in Utah apply a model-based approach to post-flight test analysis, based on operational flight test data. They use a custom physics-based six-degree-of-freedom model, operating in our customer’s model-based engineering environment, that simulates rocket trajectories to research a flight test anomaly.

We continue to grow technical talent and expertise and to apply digital engineering – and more specifically, model-based systems engineering (MBSE) – to solve hard problems and increase the effectiveness of critical mission systems for our customers. We have started to see huge potential in the value we can add across many areas of the DoD, federal agencies, and the Intelligence Community. As we see an increase in digital engineering opportunities today, we are more than ever committed to the path of digital engineering transformation that we started years ago. Emerging technology trends in MBSE, artificial intelligence, machine learning, and augmented and virtual reality (AR/VR) have influenced our strategy. We are continuing to invest in tools, infrastructure, and in enhancing our employees’ skills to meet the needs of our customers. Digital Engineering (DE) is proving to deliver efficiency and greater capability across the board. We are recruiting for higher-end skills, and we are approaching programs of higher complexity with greater agility and efficiency than ever before. The use of AR/VR environments is allowing a level of collaboration between our engineers and customers that we have never had before. The pace of technology advancement is remarkable, and digital MBSE approaches have allowed us to accomplish in hours activities that used to take weeks. These approaches are also enabling the creation of digital twins for true virtualization of critical “no fail” weapons systems to optimize current system performance, to predict future performance, and to enhance system readiness through predictive maintenance and analytics.

Work with us! If you are a skilled engineer looking for a challenging yet rewarding career in the defense space, and you are ready to join us in the digital transformation of the systems engineering discipline, please visit our Engineering and Technology careers webpage.



Enabling secure cyberspace and information operations missions through Federated Secure Cloud Not only are we innovating in the digital engineering space, bringing breakthrough technologies and solutions to our customers across many different missions and platforms, but we are also innovating with our Federated Secure Cloud (FSC) framework. As more and more agencies are moving to the cloud, it is obvious why: The cloud offers agility, access to platforms and software services, and additional capabilities with decreased hardware costs and expense. Would you rather build a car from scratch or just take a ride-share service to get to the airport? With the cloud, the same concept applies: There are more options, it is more flexible, and you don’t have to start from scratch with millions in CAPEX. However, the most important detail to focus on when it comes to cloud migration is the security of the cloud environment. BAE Systems has designed some of the most secure digital workspaces for DoD and the intelligence community. We have designed and implemented secure clouds ranging in classifications from controlled unclassified information (CUI) and the upcoming Cybersecurity Maturity Model Certification (CMMC) to the highest levels of top secret Government classifications and everything in between. To ensure these levels of security, one must understand the complexities of cloud and how to secure workloads in compliance with all applicable Government guidance and regulations. BAE Systems is beyond just moving to the cloud: We are moving to the cloud in the most secure way. We understand the ever-changing cloud capabilities, compliance with Government regulations and standards, unique mission requirements, and how to design for cost efficiency. In fact, we are a leader in migrating software and solutions to the Commercial Cloud Services (C2S) AWS Top Secret cloud Region for the Intelligence Community. 
For example, BAE Systems achieved Authorization to Operate (ATO) on the most secure on-premises cloud deployment for the intelligence community at the time, and it was authorized under ICD 503 as High, High, Moderate, with Int-C and Privacy overlays. If we can secure systems at the highest security levels for the Federal Government, then we can also design systems to meet a wide range of security needs for any mission requirement. BAE Systems’ FSC is built on the lessons learned from a multitude of BAE Systems Government contracts to meet very stringent security controls and testing activities. While meeting the full set of applicable security controls for the given security classification and mission use, FSC delivers the core set of technical controls, including test suites for each of the controls, necessary to achieve a successful ATO. Security controls, best practices, and extensive ready-to-tailor documentation offer significant schedule and cost savings to an agency seeking to rapidly consolidate data centers and achieve ATO in the minimum timescale possible. BAE Systems currently supports multiple DoD and intelligence customers across multiple security classifications in the areas of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The company migrates, operates, and sustains multiple mission-critical and classified workloads. Our experts have migrated large commercial off-the-shelf and Government applications, built a C2S micro-services layer for a large IC enterprise, and deployed AWS Snowballs globally. FSC operates on a federated cloud platform and meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements, establishing a complete, trusted, and secure cloud under the strict standards set forth by DoD. Not only are agency network administrators more aware and in greater control, the FSC’s embedded network-monitoring capabilities also offer administrators a greater understanding of their users, data, infrastructure, and tools. Instead of managing, monitoring, and securing dozens of networks separately, FSC administrators can instantly assess the performance of the entire cloud’s secure operating environment via specialized, user-friendly dashboards. The FSC platform allows agencies to offer users common access to a customized catalog of services. There are also optional managed services, which include an enterprise help desk, system management functions, and agency-specific application marketplaces, where users can instantly download and access the latest mission applications, software tools, and other pay-as-you-go services.
The flexible cloud framework enables agencies to add additional customer features quickly as mission priorities or needs evolve. We employ industry standards in our managed services line of business and have added to those practices a suite of custom tools and procedures, adaptable to each customer environment. A key to our success is our appropriately cleared, trained, and certified staff. We provide free training to our employees in cloud related skills and incentivize certifications with bonuses for obtaining certain in demand certifications.



AWS Partnership BAE Systems is an AWS Premier Consulting Partner and holds AWS Competencies as a Public Sector Partner, DevOps, and Public Safety & Disaster Response. BAE Systems is a leading contractor for production workloads in the AWS Top Secret Region across 10 distinct programs. We perform services and development around cloud cost optimization, performance enhancement, and data analytics. We’re always looking for new and emerging partnerships. If you’re interested in partnering with us, please contact us today. E. Don DeSanto, Director of Strategic Partnerships ellery.desanto@baesystems.com (571) 477-4129

About BAE Systems BAE Systems is a global defense, aerospace, and security company. BAE Systems enables the U.S. Government to transform data into intelligence and provides systems, hardware and software engineering, integration, and sustainment support for critical military platforms and systems. We provide services and products to the DoD, the intelligence community, and federal/civilian agencies around the world. Our services include innovative, mission-enabling enterprise, engineering and analytic solutions, application development, Tier 2/3 support, Operations and Maintenance, and support services that enable national security and critical infrastructure customers to perform their mission and protect their data and networks.

Contributors:
• Jon Dorn, Vice President of Business Development for BAE Systems Intelligence & Security
• Mark Keeler, Vice President and General Manager of BAE Systems Integrated Defense Solutions
• Kevin McCarthy, Chief Technology Officer for BAE Systems Intelligence Solutions
• Gan Wang, Engineering Authority for BAE Systems Integrated Defense Solutions



Service Contract Act Health & Welfare Benefits Contractor Obligations, Options and Best Practices

by

Bicknell C. Robbins, Esq. President and General Counsel Government Contracting Practice CBIZ Benefits and Insurance Services, Inc.

Gary E. Leavitt | Business Development Director gleavitt@CBIZ.com



Employers who have contracts with the federal government that are subject to the Service Contract Act (SCA) must meet the wage and benefit provisions of the contract’s Wage Determination (WD). The WD specifies the labor classifications, associated minimum hourly wage rate, the minimum hourly Health & Welfare (H&W) fringe rate, and the vacation and holiday benefits covered service employees are entitled to. It is important to understand that the hourly H&W fringe benefit rate listed in each “fixed cost” wage determination is an employer obligation separate from the hourly cash wage the employee receives. The SCA employee is not entitled to receive any portion of this fringe rate in cash, although the employer may choose to discharge its obligation by simply paying the fringe rate to the employee in cash. Nor is the employee entitled to select which benefits the employer will provide. The DOL Field Operations Handbook states that “The types of benefits or cash equivalents to be provided [to employees] is strictly a matter to be decided by the employer.” Some SCA employees misunderstand the law and feel they should be able to direct how the hourly fringe is spent. They view the hourly fringe as “their” money and feel the employer should not be able to force them to take benefits they don’t want. This is simply not the case. As long as the benefit premium is being paid directly out of the hourly fringe rate, the employer can require the employee to participate in that benefit plan. The hourly fringe is considered to be an employer cost. When an employer pays for a benefit out of the hourly fringe, it is considered to be at no cost to the employee, as the employee is not entitled to that fringe in cash or entitled to direct how that fringe should be spent. It is the same as when an employer pays for a benefit for a non‐SCA employee without requiring the employee to pay anything through payroll deduction. 
SCA regulations provide that the employer can meet the hourly H&W requirements by:
• providing benefits to each employee costing the employer a minimum of the hourly H&W fringe;
• providing the employee with a cash payment in lieu of benefits; or
• a combination of the two.

Most employers pay health and welfare premiums in monthly amounts. This presents the challenge of then accounting for those monthly payments for each individual SCA employee to determine if they were sufficient to meet the hourly H&W minimum based on the employee’s hours for that month. This often results in the employer looking for a way of meeting the fringe that eliminates the need for this seemingly complicated accounting.



Providing the H&W hours to the employee in cash seems like a simple solution. The employer simply provides the employee the hourly fringe as cash in lieu of benefits each pay period. The employer could still offer employees the option of purchasing benefits through pre-tax payroll deductions, effectively allowing the employee the choice of taking the fringe in cash or spending some or all of it on benefits. However, if the H&W fringe is managed in this manner, experience tells us most employees will opt to take the cash. This has two negative impacts on the company.
• First, it creates the likelihood of adverse selection in the company’s medical plan, resulting in higher claims experience. If employees are offered cash as an alternative to health benefits, they will generally take the cash unless there is an expected or immediate need for the health coverage. This means that those electing to take medical benefits will be those most needing the coverage, which in turn drives up medical claims and ultimately drives up insurance rates.
• Second, if the H&W is taken in cash, it constitutes a taxable wage and actually increases the employer’s costs. At a minimum the employer incurs the 7.65% FICA tax on H&W dollars paid in cash. But it also likely incurs additional costs in the form of premiums that are cash-wage driven, such as workers’ comp and general liability premiums. This additional cost could be as high as 25%.

In some cases the contractor may provide a benefit package but permit the employee to waive benefits in certain cases. Employees waiving benefits are then provided some or all of the hourly fringe in cash. In addition to the negative impacts listed above, this increases the administrative burden of meeting the hourly H&W requirements. Any cash payments to employees that are intended to meet the hourly H&W requirement must meet the following requirements:
• They must be stated separately from the hourly cash wage the employee is paid.
• More importantly, they must be paid on the same schedule as the cash wage that is being paid for those hours.

In other words, unlike payments to “bona fide” fringe benefit plans, which can be made quarterly, payments to employees of any cash intended to satisfy the fringe have to be made on the regular pay date for those hours. This is typically bi-weekly. Making the necessary calculation as to what additional cash in lieu of fringe the employee is due by the required payroll date is often logistically impossible. Employers may find themselves requiring additional time to make the calculation, which then results in non-compliance with the regulations. Because of these negative impacts, most government contractors are moving away from cash in lieu of benefits as a means of compliance. The following is what we consider to be a “best practices” approach:



• Provide full-time SCA employees with a base Health and Welfare plan consisting of Employee Only Medical, Basic Life and Disability, and some other ancillary benefits such as Dental or Vision. This base plan is paid for entirely out of the employer’s required hourly contribution per the wage determination.
• Allow employees to buy up to additional coverage with a combination of employer H&W dollars and employee pre-tax dollars.
• Allow employees who have proof of other group medical coverage (including Tricare) to waive the Medical coverage. Requiring proof of other coverage mitigates the likelihood of adverse selection. If an employee waives coverage or otherwise doesn’t utilize the entire fringe on health and welfare benefits, the remaining SCA fringe dollars are contributed on a periodic basis to the employer’s qualified retirement plan, usually a 401(k) plan. This is an employer contribution and is accounted for separately by the record keeper from employee deferral contributions. This contribution does not need to be made each pay period but rather can be made on a quarterly basis. The employer or benefit administrator thus has time to make the necessary calculations and make sure they are neither over- nor under-paying the fringe for each employee.

This approach gives some flexibility to the employee in his or her choice of benefits (which improves employee morale), allows employees having coverage elsewhere to waive so they don’t have to have double coverage (also improving morale), and eliminates the cash in lieu option and its attendant negative impact (improving the contractor’s bottom line). The approach does carry with it the need to account for the benefits provided to make sure they meet the hourly minimum for each covered employee. However, there are benefit plans available that have been specifically designed to manage this accounting. In addition, the contractor can outsource the hourly H&W accounting to a Third Party Administrator that specializes in managing SCA fringe benefit compliance.



The information contained herein is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. The information contained herein is provided as general guidance and may be affected by changes in law or regulation. The information contained herein is not intended to replace or substitute for accounting or other professional advice. Attorneys or tax advisors must be consulted for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein. As required by U.S. Treasury rules, we inform you that, unless expressly stated otherwise, any U.S. federal tax advice contained herein is not intended or written to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed by the Internal Revenue Service.



Cybersecurity and OSCAL: Geek perspective; ‘C level’ perspective

“OSCAL is designed to take disparate control definitions from different sources and express them in a standardized way using its control element.”

“The definitions of controls vary greatly from one standard or guideline to another in terms of the level of detail and the types of information the definitions include. A control definition may be as simple as, “The organization has an access control policy and procedures”, but most are considerably more complicated.”

No matter what framework or frameworks you decide your company should follow, Cybersecurity is the security for the modern age. We have always had security. But with the advent of the WWW, the bad guys have found an open market for the taking. The 21st Century has framed WWW security as “Cybersecurity”. A company can now achieve security compliance in multiple arenas with a streamlined approach using OSCAL (the Open Security Controls Assessment Language). Executives, Assessors, Policy Authors, and Security Professionals will appreciate the benefits of OSCAL. OSCAL can bring Executives more statistics for global compliance in their vertical. Executives just need to be armed with the knowledge and understanding of what OSCAL can provide for their company’s compliance. The Assessor will be able to digest the security information that arises from multiple frameworks. Policy Authors can further define, characterize and customize security controls in policy documents. Security Professionals can document the company’s security controls and how they get applied in critical systems. Let’s take a look at some examples in which OSCAL and Cybersecurity frameworks can help advance your company.



The ‘C Level’ Perspective

Let’s first look at the C Level perspective for OSCAL! Since OSCAL analyzes Cybersecurity Frameworks such as NIST 800-53, FISMA, HIPAA, PCI DSS, NIST 800-171/CMMC, COBIT and ISO 27002, C Levels will ask “What is the benefit of the OSCAL Cybersecurity Framework comparison?” Let’s look at a few scenarios:

I was fortunate to attend an OSCAL workshop last year at which a representative from FedRAMP was in attendance as well. The representative stated that they have already started to integrate OSCAL to assist in gaining efficiencies to reduce the time required to be FedRAMP certified. The other attendees were also looking to gain efficiencies. Corporations strive to adapt a Cybersecurity framework into their infrastructure. Corporations may be already ISO certified, but see a need to migrate to the NIST 800-53 framework. OSCAL will allow the company to take existing discoveries of their current infrastructure, in this case ISO, in order to reduce the time to develop a NIST 800-53 framework. The OSCAL mappings will bring the data from ISO to NIST 800-53, not only today, but also in the future. The ISO case (company) continues to be ISO certified and assess their ISO controls, but will be able to import the ISO work to NIST 800-53 on an ongoing basis.

A financial company may use COBIT for their framework. They may be looking for a System Security Plan (SSP), where NIST 800-53 is their preferred methodology. Now, the financial company can use the existing COBIT work to accelerate their SSP development. I have personally been in this situation and believe me, creating an SSP with NIST 800-53 is a full-time job. OSCAL provides an efficient way to cut out double work during the SSP analysis. The financial company now has the option of using the NIST 800-53 SSP (such as the FFIEC) or the OSCAL SSP. Hence, OSCAL streamlines the review and assessment process.

Next, a look at a tech company that already uses NIST 800-53. Tech wants to jump into the CMMC world and bid on government (defense) contracts. Since CMMC readiness is not a low-cost process, Tech looks to utilize OSCAL’s functionality for cost savings. Tech can use their current NIST 800-53 assessment to ‘Check Off’ many of the CMMC practice assessments that reside in the CMMC/NIST 800-171 format.

The end result of these scenarios is a standardized, ongoing process that simplifies creating and maintaining the SSP and eases compiling a new assessment. The OSCAL system security plan model allows data to be analyzed using automated processes while streamlining the review and assessment process. Cybersecurity systems and reports will now be more up to date. Flexible data provides usable information in standard formats for management. Thus, the relationships drawn between policies, processes and procedures with the component definition model assist the company with their control implementation.



The Geek Perspective

So now let’s be the Geek and look at the OSCAL definition: OSCAL is the Open Security Controls Assessment Language. NIST, in collaboration with industry, has developed and continues to mature OSCAL. As a set of formats expressed in XML, JSON, and YAML, OSCAL provides machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. The Geek or tool developer will be able to build tools and utilities with OSCAL. Control-based information expressed using OSCAL formats allows you to:

• Easily access control information from security and privacy control catalogs
• Establish and share machine-readable control baselines
• Maintain and share actionable, up-to-date information about how controls are implemented in your systems
• Automate the monitoring and assessment of your system control implementation effectiveness

The Geek or tool developer will utilize OSCAL’s ‘Layer and Model Reference’. The architecture is made up of a series of Layers, and each Layer provides a set of Models:

• Catalog Layer – structures a collection of controls in a catalog that is represented in a structured, machine-readable format.
• Profile Layer – provides a model that selects a specific set of control requirements from one or more catalogs.
• Implementation Layer – describes how controls are implemented, as in a specific system or a distributed component that is then incorporated into a system.
• Assessment Layer – describes the assessment plan information.
• Assessment Results Layer – captures the assessment’s results and findings.
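As an added illustration of the Catalog, Profile and Implementation layers (example code written for this page, not NIST’s OSCAL tooling and not from the article), the Python below resolves a profile against a catalog and then checks a system security plan’s implemented requirements against the resolved set, the same “check off what is already covered” exercise the C Level scenarios describe. The catalog, profile and SSP documents are constructed and simplified (no uuids, metadata or back-matter), and their control ids and titles are made up.

```python
"""Resolve a simplified OSCAL profile against a catalog and check SSP coverage.

Constructed example, not NIST OSCAL tooling. The three JSON documents below
follow the general shape of OSCAL's catalog, profile and system-security-plan
models (catalog -> groups -> controls; profile -> imports -> include-controls;
ssp -> control-implementation -> implemented-requirements) but are heavily
simplified, and every control id and title is made up for illustration.
"""
import json

# Constructed catalog: two groups, one control with a nested enhancement.
CATALOG_JSON = """
{"catalog": {"groups": [
  {"id": "ac", "title": "Access Control", "controls": [
    {"id": "ac-1", "title": "Policy and Procedures"},
    {"id": "ac-2", "title": "Account Management", "controls": [
      {"id": "ac-2.1", "title": "Automated System Account Management"}]},
    {"id": "ac-17", "title": "Remote Access"}]},
  {"id": "ir", "title": "Incident Response", "controls": [
    {"id": "ir-4", "title": "Incident Handling"}]}]}}
"""

# Constructed profile: selects a baseline of four controls from the catalog.
PROFILE_JSON = """
{"profile": {"imports": [
  {"href": "catalog.json",
   "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "ir-4"]}]}]}}
"""

# Constructed SSP fragment: what the system claims to implement today.
SSP_JSON = """
{"system-security-plan": {"control-implementation": {
  "implemented-requirements": [
    {"control-id": "ac-1", "description": "Policy approved and published."},
    {"control-id": "ac-2", "description": "Accounts reviewed quarterly."},
    {"control-id": "ac-17", "description": "VPN with MFA."}]}}}
"""


def load_documents():
    """Parse the three constructed documents: (catalog, profile, ssp)."""
    return json.loads(CATALOG_JSON), json.loads(PROFILE_JSON), json.loads(SSP_JSON)


def index_controls(catalog):
    """Flatten catalog groups and nested controls into {control-id: title}."""
    found = {}

    def walk(controls):
        for ctl in controls:
            found[ctl["id"]] = ctl.get("title", "")
            walk(ctl.get("controls", []))  # enhancements nest under their parent

    for group in catalog["catalog"].get("groups", []):
        walk(group.get("controls", []))
    walk(catalog["catalog"].get("controls", []))  # controls outside any group
    return found


def resolve_profile(profile, catalogs):
    """Return the control ids a profile selects; catalogs maps href -> catalog.

    Handles the include-all and include-controls/with-ids selectors and raises
    if the profile names a control the referenced catalog does not define.
    """
    selected = []
    for imp in profile["profile"]["imports"]:
        available = index_controls(catalogs[imp["href"]])
        wanted = list(available) if "include-all" in imp else [
            cid for sel in imp.get("include-controls", [])
            for cid in sel.get("with-ids", [])]
        for cid in wanted:
            if cid not in available:
                raise ValueError(f"profile selects unknown control {cid}")
            if cid not in selected:
                selected.append(cid)
    return selected


def ssp_coverage(ssp, required_ids):
    """Compare required profile controls with the SSP's implemented requirements.

    Returns (covered, missing, extra): controls the SSP documents, controls the
    profile needs but the SSP lacks, and documented controls the profile omits.
    """
    impl = ssp["system-security-plan"]["control-implementation"]
    documented = {req["control-id"] for req in impl["implemented-requirements"]}
    required = set(required_ids)
    return (sorted(documented & required),
            sorted(required - documented),
            sorted(documented - required))


def gap_report():
    """Run the whole chain on the constructed documents."""
    catalog, profile, ssp = load_documents()
    required = resolve_profile(profile, {"catalog.json": catalog})
    return ssp_coverage(ssp, required)


if __name__ == "__main__":
    covered, missing, extra = gap_report()
    print("covered:", covered)   # ['ac-1', 'ac-2']
    print("missing:", missing)   # ['ac-2.1', 'ir-4']
    print("extra:  ", extra)     # ['ac-17']
```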



The Cybersecurity End All

We looked at the C Level Executive and the Geek (developer) perspectives. The advantages for both parties help them manage multiple regulatory frameworks. In conclusion, OSCAL simplifies the risk management of many security plans by mapping the different frameworks into a single security plan. Looking to the future use of OSCAL, other efficiency methods can be integrated with it, enabling it to support other company roles and efforts. One such efficiency method that can be integrated with OSCAL for this purpose is RegAudit. As a tool that assists in compliance with regulatory controls, OSCAL eases the pain of handling multiple regulatory controls. RegAudit remaps the regulatory controls for ease of interviewing, and supports the IT functionality relationships where mapping within OSCAL’s Catalog layer occurs for the regulatory controls. This and other processes help to automate Cybersecurity assessments and security plans.

The question is “Can your company take advantage of OSCAL?” Don’t let Cybersecurity Frameworks complicate your intricate IT environment and assessments. Be bold and reach out to simplify your compliance.

Robert Ashcraft, CEO of CMMC Solutions
Robert.Ashcraft@cmmc-solutions.com

Special thanks to NIST for their support to our Cybersecurity frameworks and support of this article. A special welcome to Dr. Michaela Iorga for her support and assistance on our understanding OSCAL. Note that the OSCAL information as referenced in this article was obtained from the NIST – OSCAL website: https://pages.nist.gov/OSCAL/



Increased Efficiency in Government Performance

How advancements in technology, program evaluation, and research are driving improved outcomes

Prepared by

www.DLHCorp.com

(770) 554-3545

Corporate Headquarters: 3565 Piedmont Rd NE, Building 3, Suite 700, Atlanta, GA 30305
National Capital Region Headquarters: 8757 Georgia Ave, Suite 1200, Silver Spring, MD 20910


The rise of the Federal budget in recent decades has been accompanied by increased expectations from legislators, administrators, and taxpayers. An aging population and economic volatility are among the factors that require Federal programs to serve more beneficiaries than ever, and agencies are expected to meet this increased demand without sacrificing service levels. The work is vital. Federal programs secure our nation from attack, provide health care to millions of Americans, serve as incubators for scientific advancement, ensure equal access to quality education, and much more.

Government spending, meanwhile, is subject to intense scrutiny from political leaders, the media, and watchdogs in and out of government. While other entities less susceptible to public pressure might be tempted to reduce services in such daunting circumstances, government organizations and partners must take the utmost care to ensure standards are met and regulations are complied with. Fortunately, trends in technology, performance evaluation, and research enable the Federal government to meet these increased challenges, delivering services at reduced costs while maintaining and improving quality. Below, we use DLH’s experiences across a wide array of government health and human service initiatives to illustrate the opportunities available to government programs that are willing to transform.

The results are stark. Across the board, Federal programs that invest in innovation are more efficient and more effective. That leads to better outcomes, and it leads to better lives for the millions of Americans the Federal government serves on a daily basis.

Technology

When the average American thinks of the Federal government, it’s unlikely that state-of-the-art information technology systems come to mind. Following a run of unfavorable press stories regarding outdated IT infrastructure and cybersecurity lapses, Congress passed legislation in 2017 calling for an overhaul of government IT systems. The Modernizing Government Technology Act requires Federal agencies to improve their cybersecurity systems and leverage the latest innovations in digital, mobile, and cloud technology to increase efficiency and outcomes.

The bill codified an evolution that was already underway. Technology and data analytics have been, and continue to be, an indispensable tool across all levels of government. Federal agencies require massive amounts of qualitative and quantitative data collection and analysis for projects of all scopes and sizes. From study design, to data modeling, provisioning and aggregation, all the way to predictive analysis and impactful real-time dashboard reporting, government now utilizes data analytics to evaluate results, increase efficiency, and drive improved outcomes.

The Federal government’s core driving data management needs have been consistent over recent years, with cornerstones such as accessibility, sharing, privacy and security. But to support these needs in a scalable fashion, allowing continuous integration of the latest tools and technologies, many agencies required investment in system modernization. That increased investment in IT architecture is driving the required digital transformation, which provides two key advantages: flexibility – the ability to adapt to user needs and roll out new system capabilities, and scalability – support for an increasing user base, data volume management, and complexity. Capably providing support and accessibility for large user bases is key for modern government systems. Real-time complex business decisions are predicated on access to large and diverse data sets. Easy data integration, consolidation, and dissemination are vital, and new systems must enable data mashups, dashboards, and data browsing services that support distributed and mobile users with real-time access.

DLH has supported a state health care commission by developing, maintaining, and transforming their medical case database. Its claims and encounter data inform decision-making and improve access in a rapidly changing environment by providing access, cost, and quality data to policymakers, purchasers, providers, and the public. By managing data collection, extraction, auditing, and aggregation from 30+ carriers submitting tens of millions of claim records, the client was able to develop data flows and processing guidelines that have enabled data alignment and facilitated the submission of high-quality data, processed through efficient Extract, Transform, Load (ETL) processes into a multi-dimensional warehouse. Undoubtedly, this is a good example of an organization that has embraced an innovation roadmap. Agencies that are successful in claiming ‘data-driven’ decision making and CQI achieve a true enterprise-wide adoption of their data management framework and tool-enabled automation.

With top-of-the-line enterprise IT architectures in place, government entities can take advantage of the rapid advancements in analytics technology. Analysis has evolved from mere data reporting and user-driven exploration (describing what happened) to diagnostic analysis of why something happened. Current advances offer solutions that can reliably forecast using predictive analytics and optimization based on AI/ML-based automation. Successful AI/ML solution deployments are critically dependent on scalable and reliable data pipelines powered by advanced, secure cloud IT infrastructures. Those agencies which have been willing to dive head first into innovation and transformation are now able to explore the potential of their untapped data.

Performance Evaluation

Increasingly sophisticated data analysis lends itself directly to superior performance evaluation across government. Simply put, government programs with defined measurement and analysis processes perform better. Without analytical reflection, inefficient processes can persist. That hurts outcomes. To make large, systemic progress against any array of social, health, or environmental challenges—substance abuse, natural disaster recovery, healthcare quality improvement, or public health pandemics, to name a few—the Federal government increasingly applies evidence-based processes and tools which reliably represent program activities and outcomes. DLH provides performance evaluation services to a large Federal program that serves children and families. Ensuring that an ecosystem of programs, policies, and services is coordinated and responsive to the needs of the program’s beneficiaries is vital.

Thorough analysis and evaluation has taught agency leadership that building capacity through multi-system collaborations and interagency coordination is the best path forward to ensuring efficiency and effectiveness. Traditionally, public child welfare systems, like many similar systems throughout the Federal government, have operated in silos that allow for very limited interactions and relationships amongst Federal data owners. This approach produces significant obstacles for data sharing, accessibility and real-time decision making. Our analysis shows that when systems are integrated, they improve agency performance, thereby successfully meeting their goals, and creating a long-lasting environment of data sharing and integration that ultimately fuels the data-driven positive outcomes for their beneficiaries.

Monitoring and compliance is a natural outgrowth of any holistic program evaluation. The use of an independent agent in monitoring and compliance provides an objective way to detect the early warning signs of potential areas of risk and ensures business integrity and accountability. Much like an annual physical, monitoring and compliance regularly takes the pulse of what’s going on to make informed decisions on improving program outcomes. The process answers important questions that communicate whether a program is meeting its objectives and goals. Accurately and efficiently capturing those answers provides valuable insights on program performance by serving as indicators of the vital signs of program health. Effective and innovative monitoring and compliance encourages action, enhances any concurrent evaluation activities, and incorporates user-friendly technology to provide valuable insights, saving time, money, and effort. Recent U.S. Government Accountability Office (GAO) recommendations have pointed to disaster recovery, opioid use disorder, and Veterans health as domains that could benefit from monitoring and compliance. GAO’s calls for monitoring and compliance urge program oversight, the establishment of performance measures, and development of effective tracking systems to drive critical program efforts to meet their goals and objectives. Recent years have seen Federal partners adapting monitoring and compliance to incorporate technological advancements and connectivity to optimize program activities and increase transparency and accountability.

A framework for monitoring and compliance can ensure key components are present for a high-performing process and useful outcomes. Such a framework includes four main components: 1) mature processes, evidence based, tailored and scalable data collection; 2) adaptability in using technology, optimized through incremental innovation; 3) expertise in managing complex programs, and 4) access to a strong network of relevant domain subject matter experts. High-performing monitoring and compliance efforts yield consistent and reliable program information that allows program leaders to focus on analysis and action. This framework provides a flexible structure to guide the monitoring and compliance process and functions effectively across Federal programs to address various social, health, and environmental challenges.

Research

Scientific research is another area in which innovation is driving improved government outcomes. DLH has supported government health research agencies for over 40 years as they strive to improve the quality, cost, safety, and utilization of health care services. The breadth of this work illustrates the numerous steps agencies across government are taking to bolster their research capabilities. Database management, analytic file development and documentation, data analysis and dissemination, web-based application development and website maintenance, and technical support are all key components of DLH’s research framework. In one example, the creation of online interactive query systems for Federal-State-Industry partnerships informed researchers, medical professionals, and policymakers on hospital utilization, as well as the cost and quality of health care, and health insurance. In another case, policy analysis assisted Congress in understanding the performance of the U.S. health care system, its strengths, and areas needing improvement. Across government, highly trained specialists, statisticians, communicators, and operations experts delve deep into policy analysis, evaluating public and private solutions to vital challenges. This analysis considers all factors, costs, and benefits, and determines what evidence-based solutions give agencies and organizations the best opportunities to accomplish their goals.

DLH manages data, conducts analyses, and publishes manuscripts and briefs for numerous clients using data from insurance claims, electronic health records, national surveys, population-based studies, and many other sources. Many of these analyses examine trends in disease prevalence and health care costs and utilization, risk factors leading to poor health outcomes, access to care and quality of care. Scientific surveys are a key tool in the research paradigm. Multi-modal instruments provide customers with the flexibility to change questions on a frequent basis, while databases of samples and response data are created and stored for analysis. Vendors work with government customers to understand the survey tools’ intent and ensure the tools’ evaluation and framework are appropriately designed, ensuring the survey is developed with internal and external scientific validity. Government can run studies on the impact of the current modeling and surveys to ensure outcomes are being met. DLH has designed and implemented 80,000 - 100,000 repeated and modified multi-modal, multi-lingual surveys (CAWI, CATI, mobile, paper) per year across numerous projects. Subject areas spanned from environmental studies to health outcomes. These surveys can be used to track customer experience. This is important, as ensuring satisfaction improves outcomes. DLH analysis of a Federal military health program determined that speedy, responsive personal contact with beneficiaries helps yield trust and cooperation. Forward-looking Federal programs are developing new channels of service delivery such as mobile service and social media for proactive two-way communication.

Moving Forward

The Federal government provides services to millions of Americans every day. Taxpayers and political leaders have high expectations, and despite limited resources, Federal agencies carry out their vital missions in health, defense, science, welfare, and more. Innovation drives improved outcomes throughout government. When agencies, organizations, and initiatives are willing to invest now to achieve more efficient operations down the line, output increases and cost savings add up. Technology, performance evaluation, and scientific research are just three of the many areas in which a transformative evolution in thinking and investment has begun to maximize government performance. Beyond numbers on a spreadsheet, that increased productivity has real results for real people. Increased government efficiency provides for better outcomes in health, security, economics, or any of the areas in which Americans look to the Federal government. As Federal partners, it’s on all of us to keep innovation moving forward.



Six Pragmatic Strategies To Spur Federal IT Modernization

About ICF

ICF (NASDAQ:ICFI) is a global consulting and digital services company with over 7,000 full- and part-time employees, but we are not your typical consultants. At ICF, business analysts and policy specialists work together with digital strategists, data scientists and creatives. We combine unmatched industry expertise with cutting-edge engagement capabilities to help organizations solve their most complex challenges. Since 1969, public and private sector clients have worked with ICF to navigate change and shape the future. Learn more at icf.com.

Federal CIOs and senior IT leaders who embrace IT modernization as a pragmatic management approach have the greatest success moving vision to action. Here’s how to do it. For many CIOs, managing modernization efforts is akin to renovating a house while living in it—a gradual yet consistent transformation that does not significantly disrupt the day to day but embeds an experimental mindset driven by increased collaboration across silos. How do you manage the process effectively? After interviewing industry professionals and former Federal subject matter experts in IT modernization, change management, agile delivery, and emerging technologies, we arrived at six pragmatic strategies to help agencies move beyond strategic planning to execution.

1. Identify Problems to Envision Outcomes—Know Where You Want to Go

Technology is effective at fixing problems (increasing productivity, decreasing costs, delivering services) but cannot add meaningful value without measurable outcomes. Advancements in technology mean we can embrace more nuanced evaluation instruments. For example, we can move from monitoring grantee spend rates to measuring results, and this shift necessitates collaboration between IT and program. Consider these recommendations:

• Develop a strong vision for the future grounded in reality. Collaborate with program and policy leaders to clearly articulate the business problems you want to solve together and the outcomes you want to achieve.
• Conduct customer research—quantitative and qualitative—including feedback from customers and employees to understand the current state and refine your vision to address the most pressing needs.
• Define (and continue to define) modernization at your organization. Focus on building capabilities instead of installing software.
• Define quantifiable goals and actionable metrics aligned to mission outcomes and measure progress throughout.
• Tie mission outcomes to work done at the program level. The large mission outcomes are the product of smaller successes achieved in iterations and batches. Use impact maps to help actors align their activities to mission outcomes.



2. Inventory and Assessment—Know What You Have

• Technology: What does a portfolio analysis reveal about the current state of your technology, systems, and architecture? Identify functionality, vulnerabilities, operational costs, and compliance issues.
• Data: Data and analytics are an untapped resource for most agencies. Do you have the capability to unlock insights from your data? Does the organization have the ability to access and analyze structured and unstructured data? Do you have modern data architecture in place to manage the exponential growth of data? Do you have the right amount of governance in place to prevent duplication and silos? Building the capability to collect, analyze, and synthesize your data can illuminate gaps and opportunities.
• Customers: Understanding the needs and motivations of customers—including employees, grantees, and the public—is often an underutilized approach. Do you know who your customers are? What do their journeys and challenges look like? Conducting frequent qualitative research (i.e., talking to your customers) informs which problems to solve for the highest impact.
• Maturity: What is your team’s level of experience with product management, user-centered design, and agile development? What is your level of experience with continual integration and product delivery?
• Culture: Do you have executive backing and trust from key agency stakeholders? Do you have the mechanisms to create change? How engaged are stakeholders? How transparent, open, and collaborative are your internal teams?
• Rationalization: To justify the consolidation of systems or business processes, are your teams able to use analysis methods such as lean process improvement and design thinking to engage stakeholders in the decision making?
• Legacy IT: Which IT investments are underserving the mission (assessing cost, risk, and importance to the mission)? Can you identify what needs to be rearchitected, replatformed, retired, or replaced?
• Surprises: Are there interdependencies in your enterprise systems? Shadow IT?

3. Prioritize and Prepare—Know Where You Want To Start

By following your vision, using supporting data, and considering the broader PMA CAP goals, you can prioritize which problems to solve first. Key considerations:

• Mission value: Services that impact large user communities; opportunities to eliminate waste, fraud, and abuse; opportunities to improve employee experience and support citizen services.
• Cost: The Government prioritizes cost savings; for example, TMF projects are ultimately repaid by agencies’ savings.
• Risk: Vulnerable systems housing sensitive data, or technology with known performance problems require more immediate attention.

icf.com ©Copyright 2019 ICF



4. Manage Lean and Start Small—Make Progress Early and Often

A pragmatic approach borrows from lean startup principles and the agile mindset. Start small to show success early through quick wins and measurable outcomes. Consider the following concepts:

• Build-measure-learn: Develop a minimum viable product through iteration, practice continual deployment, test business hypotheses, and learn from data—including feedback from users through both testing and observation.
• Quick wins: Use scalable prototypes developed in months or weeks that demonstrate early success and generate valuable insights through user testing and feedback.
• Champion the change: CIO and leadership must give people cover to conduct small experiments. Celebrate teams that adopt the behaviors and new capabilities the agency is trying to build—even if the project fails in other ways. Don’t let small failures block the change.
• Measure to manage: Remember that many measures will be lagging and may take years to influence. Pay close attention to analytics to inform business decisions. But also measure signs that new approaches and capabilities are being adopted.
• Tools and technology: Don’t over-engineer solutions, and be cautious of the latest buzzword. Focus on developing mission capabilities, and establish an architecture that allows you to swap out technology as it evolves.

5. Shift Culture by Doing—Make Change Visible

Entrenched cultures can kill the best intentions of leaders. Successful culture change is more likely when initiated in increments that demonstrate near-term value. Empower people to experience (and see) change early; continually reassess and communicate often. Consider these initiatives:

• Put people first: Assess the needs of your workforce. Know what levels of support, training, and direction staff need; identify early adopters and champions; motivate with awards, work opportunities, or titles; and be sensitive to change fatigue.
• Identify resistance: Resistance often sprouts from fear and a lack of understanding or awareness. Identify the drivers of opposition and actively address them.
• Spread the message: Clear and consistent messaging is key to buy-in. Different levels of leadership need to be on the same page with the same message. Invest in internal marketing and communications. Marketing campaigns let people know what is changing and what is in it for them; internal communications create an ongoing conversation (e.g., the same ideas are repeated).
• Form integrated teams: Establish small integrated, multi-discipline teams. A business analyst, a user experience (UX) expert, a scrum master, and developers together can work with a product owner to solve small problems (slices of a larger problem); encourage collaboration

(e.g., product owners should continually invite input from key stakeholders and users). Pair teams with experienced people either from industry or government to guide them.
• Document the evolution of change: Produce video diaries and testimonials that resonate—visual, real-life examples of how the change improved how people work, the way they feel about their job, and the way the agency delivers services to stakeholders and citizens.

• Support cultural rituals: Model and reward rituals that reflect the culture your agency is trying to reflect. For example, retrospectives at the program, project, or even sprint level will provide judgment-free opportunities to reflect on progress and acknowledge successes and failures.
• Develop the workforce of the future: Define your workforce goals, and assess the needs and current gaps to build a roadmap to the future. Use change management techniques, training, brown bag sessions, and more to address skills gaps or redeploy workers.

6. Draw on Experience—Move as One Team

Shifting from rigid silos to an open, transparent culture takes time. It is a continual effort of improvement that is easily stalled or even derailed. Starting your modernization journey with experienced professionals who understand your agency operations, security requirements, budget, and procurement process is critical to building a foundation that goes the distance. Seek to build:

• Domain expertise: Onsite experience—such as former agency subject matter experts or industry professionals with Federal modernization experience—ensures that teams understand and work within your agency’s unique constraints and limitations.
• Flexibility and adaptability: Work with experts who easily adapt to your unique environment and level of maturity, and provide the support to match it—from simply advising to embedding within your teams as needed.
• An integrated approach: From business processes to change management to automation, agile development, UX, security, analytics, and more, consultants need to combine capabilities to deliver business functionalities that bolster the mission.
• A high degree of trust: Create trusting environments where consultants and staff work side by side, share information, contribute ideas, and accomplish goals as one team.
• A problem-solving mentality: Build teams around solving problems rather than individual capabilities (e.g., “I only do ‘x’ on this project”). Leverage different skills, levels of experience, and perspectives so consultants can become trusted advisors.



The Golden Age of Federal IT Modernization

For more information, please contact: Mark Youman, Mark.Youman@icf.com, +1.703.934.3658

Or visit: icf.com/landingpage

Modernization is as much a commitment to the agency’s future as it is a response to the present. The PMA is a galvanizing force for change within the Federal Government. By placing technology at the center of management priorities, the administration makes a clear case for agencies to get serious about modernization—and fast. IT modernization requires a widespread culture shift—which is a serious challenge for large, siloed, bureaucratic agencies. Rushing into massive change efforts comes with risks, costs, and setbacks. A pragmatic approach allows agencies to begin to add value right away and address PMA CAP goals with quick wins and small, scalable proofs of concept. The benefits of modernizing at a smaller scale significantly minimize risk and allow agencies to visibly and continually change their technology, data, and workforce while maintaining what works. The golden age of Federal IT modernization is here. Now is the time to embrace it.



The best they can be

Veterans and active-duty military still struggle with mental health, but data and analytics can help.

By WP BrandStudio AUGUST 19, 2020

Civil War soldiers knew it as “soldier’s heart.” For those in World War I, the condition was called “shell shock.” It’s even mentioned in Shakespeare’s Henry IV. Throughout history and literature, post-traumatic stress disorder has been the de facto poster child of mental health issues in the military. But it’s not the whole story. With time and insight, we’ve learned the mental challenges military members face are both more complex and more common than once thought. In 2018, the suicide rate of active-duty soldiers was 24.8 per 100,000, up from 21.9 in 2017. Veterans are 1.5 times more likely to die by suicide than non-veterans, after adjusting for differences in age and sex. These troubling statistics have compelled many in and outside the government to take action. In the last decade, the U.S. Departments of Defense and Veterans Affairs have received increased financial and political support for mental health and suicide prevention. The U.S. Senate earlier this year approved landmark bipartisan legislation that increases rural access to VA counselors and telehealth services, offers alternative therapy options like yoga and acupuncture, and bolsters the VA’s mental health workforce.


Businesses are stepping up as well. Leidos, a science and technology solutions leader, is one of the largest health IT service providers to the VA, continuing the company’s long-standing commitment to military members and their families. From operating counseling programs to optimizing electronic health record systems, Leidos’s work ensures service members get the help they need more efficiently than ever.

Bridging a gap

Despite these efforts, a persistent gap remains in mental health care. Many active-duty military members don’t take advantage of the programming available to them, and about half of surveyed veterans don’t receive the counseling they need. Why the divide? One reason is a simple lack of awareness. Many service members don’t know about the VA’s mental health resources, where to go, how to apply—or even that they need help to begin with. Another is fear of the stigma attached to seeking counseling. While the larger society has made great strides in these areas, encouraging active-duty military members to report psychological health issues is still a problem, especially since it can have career consequences, such as loss of security clearance. From their research and experience, the behavioral health experts and clinicians at Leidos have found that early prevention and normalization are two keys to overcoming these barriers. Many of the programs they develop and manage embrace an outreach model, such as the landmark Adolescent Support and Counseling Service (ASACS), which was started in 1987 to provide counseling for military dependents suffering from substance abuse. In the program’s first 30 years, Leidos has served 20,000 adolescents—statistically one of the most at-risk populations—without a single suicide. By introducing programs like ASACS aimed at adolescents, counselors can help the young people who make up much of the active-duty military force (most new recruits are under the age of 25) before mental health issues manifest. And if such problems emerge later in their military careers, whether it’s PTSD or other common disorders such as anxiety or depression, service members are better equipped to seek support.



“It [mental health] is not just a question of exposure to traumatic situations,” said Louis Valente, a Leidos clinical supervisor who served two tours of duty in the Vietnam War with the U.S. Army’s Special Forces. “So much of what a service member brings into the military is from their family of origin. Many come from poverty, domestic violence, and substance abuse. Those issues don’t go away by virtue of putting on a uniform. I think we’d come a long way if we follow young inductees through their service in a less invasive capacity.” Valente also credits the overwhelming success of ASACS with providing his team access to the broader military—another important step in erasing the stigma of mental health care. “It bought us an entry into working with command, which is important when talking about normalization of mental health,” he said. “We had the opportunity to brief local commanders on developments and risk factors in their specific community. We need to bring that more within the military culture.”

The intersection of data and holistic mental health

Data and analytics offer another strategic insight into how we can lower suicide risk and provide the military with the best possible mental health care. By parsing through vast databases of patient information, linking datasets like medical records, personal data and service information, and applying complex modeling and statistical measures, analysts can determine patients most at risk for mental illness, as well as the best and most effective treatment. Thanks to a 50-year relationship with the federal government and 40 years serving the VA, Leidos has become a leader in this space with an unprecedented level of research and data across the continuum of military service, from recruitment to retirement. “As scientists progress and we receive better data, we can actually come up with signature programs at scale,” said Michael D. Lumpkin, head of human performance, who is a former Navy officer and was Assistant Secretary of Defense for Special Operations and Low Intensity Conflict during the Obama administration. “We have to take the individual and make them the best possible individual they can be.”



The Human Performance and Behavioral Health division at Leidos takes it one step further, conducting human subject and data-based research on physical and psychological health in multiple test environments, including virtual reality. Their work, which focuses on the entire deployment cycle, has led to notable discoveries such as how the use of morphine in-theatre to treat significant bodily injury can minimize long-term psychological health issues like PTSD. That finding may have implications for other disorders such as suicide and insomnia. The division currently is running a study on the effectiveness of surf therapy as an intervention for PTSD and depression. “We’re looking at the whole continuum—from working with the data in our electronic health record business to the research that our group does to then providing information to clinical decision-makers and providers that can translate to patients,” said Kevin Kaiser, vice president and division manager of Biobehavioral Research at Leidos. Leidos also recently launched Military Health System Genesis, the new electronic health record system for the DOD, a tool that is poised to bring in a new era of more informed choices and early detection of suicide risk. With even more data at their fingertips, analysts hope to seamlessly connect the dots between studies and the real world.

But integrating years of longitudinal data into clinical workflows and sharing that information among organizations also presents challenges. To bridge this knowledge-sharing gap, the DOD and the VA in April implemented a new capability for sharing electronic health records with community partners. “We have great data on our active-duty military,” Kaiser said. “But once people leave active duty, it’s sometimes very difficult to see what type of things they’re getting treated for and their longer-term health care.” Linking the active-duty and VA datasets offers the power of creating a holistic picture from start to finish. “There are almost 1.5 million people on active duty right now, and not one of those 1.5 million people are the same,” Lumpkin said. “But if we have enough data, we can create programs at scale to support everybody as an individual to optimize their performance, have readiness on the battlefield, and provide them with good lives and a good future. I think it’s a noble goal we need to strive for.”


This content is paid for by an advertiser and published by WP BrandStudio. The Washington Post newsroom was not involved in the creation of this content.

SOURCES: U.S. Department of Veterans Affairs; Leidos; The Washington Post; Smithsonian Magazine; The National Academies of Sciences, Engineering and Medicine; Department of Defense.


Joint All-Domain Operations (JADO): Redesigning the Ecosystems of Engagement


Transitioning to a New JADC2 Operations Model

During the last PSC Leadership forum, Parsons provided a broad overview thought piece on Multi-Domain Command and Control (MDC2) and Multi-Domain Operations (MDO). In the 18 months following, there have not been significant tactile changes to allow modified Warfighter practices; however, recognition and acceptance of the need to change from legacy ways of conducting development, procurement, and execution of operations in this highly dynamic environment has spread across the Department of Defense (DoD) and within the militaries of our allies. This is especially true regarding how software development, procurement, delivery, and execution connect all actions across the battlespace. Specifically, all operations from the Seabed to Space require coordination, integration, and synchronization to execute Joint All-Domain Operations (JADO). JADO reaches across the spectrum of operations from humanitarian efforts and Gray Zone actions to peer-on-peer conflict; however, the concepts and capabilities are not just for military applications but could apply to finance, transportation, energy, or other segments.

Engagement Loop

It has become apparent that the only way to execute JADO effectively and efficiently is to ensure a robust, flexible, and scalable Command and Control (C2) system. The new Joint All-Domain Command and Control (JADC2) concept must radically depart from the legacy C2 construct of today, which is based around hardware (e.g., planes, ships, vehicles, radios) rather than a seamlessly integrated and synchronized System-of-Systems (SoS) akin to the body’s neural network. This neural network vision is widely accepted, but as acceptance grows, so does the realization of the complexity. At Parsons, we acknowledge the intricacy and depth of this problem set and have emerged as a thought leader in this domain. We began by breaking the highly integrated single system-of-systems, with unfathomable connection points, into five smaller ecosystems as identified in Figure 1. In this construct, it is crucial to maintain the overarching vision of the interconnectedness between all five areas while also maintaining the connection points found within each individual ecosystem.

[Figure 1: Engagement Loop Breakout for Joint All-Domain Command and Control (JADC2). The figure shows five ecosystems: Sensor Grid (Terrestrial (Air, Land, Maritime, EW); Space; Cyber; Non-Traditional; Conductivity); Data Transfer, Fusion, Dissemination (Terrestrial (Air, Land, Maritime, EW); Space; Cyber; Infuse AI/ML & Automation; Tactical Edge Ingestion & Distribution); System Integration (Legacy Systems; Emerging Capabilities; Cyber; Data Province; Security); Effects Delivery (Kinetic (Direct, Standoff); Non-Kinetic (Cyber, Space); Direct Actions (SOF); Non-Traditional (Financial, Energy); Defensive Integration/Deconfliction/Synergies); Command and Control (Strategy; Force Management; COA Development (Levels of War); Tasking; Execution Monitoring).]

Figure 1 does not directly call out software development and data flow, but they are the second-level enabler for success in all these areas, since this is the path toward creating a C2 neural network appropriate for Joint and Coalition operations. It’s the only way to ensure that commanders across the spectrum of conflict have the right information and the ability to access the variety of options available to them, both kinetic and non-kinetic.

As Dr. Will Roper has noted, an integrated, synchronized data capability is paramount: it moves decision-making far left in the decision cycle, enabling rapid decisions and potentially avoiding conflicts based on actionable intelligence available across domains. Given the length of this piece, we’ve provided five areas for consideration and thought.

Joint All-Domain Operations (JADO) | Parsons



New Developmental Processes

Containerization has opened a whole new approach to software development, deployment, and maintenance, which now allows for more scalable, flexible, and robust systems. Specifically, it allows for the development of cloud-native microservices architecture and rapid deployment as part of any hosted or on-premise cloud-based SoS, on physical network hardware, or in a hybrid configuration. The features and driving factors for using a microservices architecture are analogous to a SoS, which shares a common approach and the need to break capabilities or applications out into separate, non-monolithic pieces. The microservices architecture is designed and implemented to support flexible distribution, evolving software development, operational and managerial independence, and emergent behavior. These attributes enable the rapid integration of disparate capabilities that can be tailored to the situation quickly and efficiently.

Along with containerization, container hardening should be implemented in a Continuous Integration/Continuous Deployment (CI/CD) pipeline (e.g., a GitLab CI runner) and be source controlled and standardized across all container build processes. CI/CD pipelines can provide automated notifications of everything from security scan results to build failures, significantly reducing development time as issues are identified and resolved early and often. These are more than just general approaches: Parsons is proving these concepts working hand in hand with government organizations such as PM Mission Command (PM MC), the Information and Intelligence Warfare Directorate (I2WD), the Air Force Research Lab (AFRL), and others to reduce the time it takes to deliver meaningful software updates to the field quickly enough to be operationally relevant. Containers have enabled us to quickly accept software solutions from across industry and bring them together with both our own capabilities and government solutions, and deploy them as seamlessly integrated solutions.

DevSecOps

The General Services Administration (GSA) website describes DevSecOps as follows: “DevSecOps improves the lead time and frequency of delivery outcomes through enhanced engineering practices; promoting a more cohesive collaboration between Development, Security, and Operations teams as they work towards continuous integration and delivery” (https://tech.gsa.gov/guides/understanding_differences_agile_devsecops/). The acceptance and promotion of both agile and DevSecOps across the DoD has been a sea-change event for the development, modernization, and implementation of software capabilities. One of the leading programs is the Air Force’s PlatformONE. The development of the PlatformONE DevSecOps pipeline has been foundational in the creation of the DevSecOps culture that defines the rapid development and delivery of secure software. It includes a container hardening factory that supplies secure containers to the downstream software factories. It also contains the PlatformONE factory, which supplies a push-button pipeline enabling a Continuous Authority to Operate (C-ATO) process for software product teams (and factories). The platform’s deployment process accepts accredited mission applications and automates the process of delivering capabilities to the end user at multiple security levels. These are concepts and processes that must be implemented industry-wide.

Figure 2 depicts the DevSecOps lifecycle phases with proposed technologies and associated processes. The tools and strategies described above apply to all phases of the lifecycle below. Our approach emphasizes the SecOps portion of the CI/CD flow. The platform will be deployed in hardened containers on a K8s cluster to enable a push-button, secure factory pipeline. The platform gives developers, vendors, and users the opportunity to monitor and influence the integration of novel solutions as they are introduced. This includes build requirements in the core architecture, where new containers are first defined using technologies such as Helm Charts, which not only help to on-board the new solution into the containerized cluster properly, but force the documentation of the container and its requirements, which are necessary for Risk Management Framework (RMF) documentation and accreditation. Additionally, the security phase encompasses several stages to include static code analysis, dynamic code analysis, dependency checking and container security verification.

Figure 2 – Software Product DevSecOps Pipeline
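The pipeline shape described above (a GitLab CI runner, a standardized container build, and a security phase of static analysis, dependency checking and container verification, with Helm charts documenting what lands on the K8s cluster), as an added example that is not Parsons' or PlatformONE's configuration. The tool choices (semgrep, OWASP dependency-check, hadolint, trivy, helm), the registry variables and the chart path are assumptions; each security stage is a gate that fails the job, which is what drives the automated notifications the text mentions.

```yaml
# Added example, not from the original page: a GitLab CI pipeline implementing
# the stages named in the text. Tool choices, the chart path (./chart) and the
# image name are assumptions; CI_* variables are GitLab's predefined ones.

stages:
  - static-analysis
  - dependency-check
  - build
  - container-verify
  - chart-lint
  - deploy

variables:
  IMAGE: "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHORT_SHA"

# Static code analysis. --error makes semgrep exit non-zero on any finding,
# so the job fails and GitLab notifies the author of the merge request.
sast:
  stage: static-analysis
  image: returntocorp/semgrep
  script:
    - semgrep --config auto --error .

# Dependency checking: fail when any dependency carries a CVE scored >= 7.0.
# The script path inside the image is an assumption; the report is kept as an
# artifact even on failure so reviewers can read the findings.
dependency-check:
  stage: dependency-check
  image: owasp/dependency-check
  script:
    - /usr/share/dependency-check/bin/dependency-check.sh --scan . --failOnCVSS 7 --format JSON --out dc-report
  artifacts:
    when: always
    paths: [dc-report/]

# Standardized, source-controlled container build: lint the Dockerfile first,
# then build from the pinned hardened base image declared in that Dockerfile.
build:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - docker run --rm -i hadolint/hadolint < Dockerfile
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build --pull -t "$IMAGE" .
    - docker push "$IMAGE"

# Container security verification of the image that was actually pushed:
# HIGH/CRITICAL findings with an available fix block promotion.
container-scan:
  stage: container-verify
  image: aquasec/trivy
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMAGE"

# Chart lint: the Helm chart is the onboarding record (ports, volumes, values)
# that accreditation documentation draws on, so a malformed chart fails here.
chart-lint:
  stage: chart-lint
  image: alpine/helm
  script:
    - helm lint ./chart

# Push-button deploy: only from the protected main branch, only on request,
# and only after every gate above has passed.
deploy:
  stage: deploy
  image: alpine/helm
  script:
    - helm upgrade --install app ./chart --set image="$IMAGE"
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: manual
```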


Data Rights

Data Rights continue to be a point of contention, but if we are to truly provide the nation with an effective, scalable, and flexible C2 construct, all technology exclusively funded and developed under government efforts should be transferrable with unlimited data rights. For technology that has been developed previously but augmented under government funding, government purpose rights would be appropriate. Technology that has been created and funded privately should carry with it limited rights but may be subject to negotiation. Finally, for COTS products, licenses will be transferrable to the government (if not already purchased by or licensed to the government).

Integration with Existing Systems

Finally, it is critical to address the integration of existing systems into a modern agile construct. The ability to upgrade highly complex systems built with legacy capabilities is a significant undertaking, especially when linked with the need to maintain functionality through the implementation of or integration into a new system. Gaps between currently fielded capabilities and future systems to meet new enemy Tactics, Techniques, and Procedures (TTPs) are an ever-evolving dynamic, especially as we encounter threats from near-peer aggressors. New sensors have protocols that can’t be ingested by intel systems, intel can’t talk to new mission planning or firing platforms, and so on.

Sensor Integration and Data Access

Integration of sensor data from all domains requires a centralized, scalable solution capable of ingesting, normalizing, analyzing and persisting real-time sensor feeds. This system needs to be aligned with a microservices architecture that allows for the dynamic ingestion of new sensor protocols as more advanced sensors are deployed to the field. Most importantly, once the data is in the system, the DoD needs truly multi-modal data analytics and fusion algorithms capable of making sense of the massive amount of sensor data constantly flowing through our networks. Currently, the amount of raw multi-domain data presented to users can quickly trigger cognitive overload in analysts, causing them to miss critical information hidden within the torrent of repetitive or unrelated data scrolling across their screens. Parsons has been working with the government for years in pursuit of this, developing modular, government-owned frameworks capable of quickly ingesting new types of sensor data as they are introduced into the field. Providing the government tools to bring together and analyze disparate types of data is the foundation for an effective JADC2 solution. Both the raw data and the products created by analytics have become an important commodity, potentially the most important commodity available, and there needs to be an understanding that data will be freely shared between the government and industry partners, and vice versa. Tools which sequester data or limit its unencumbered transferability need to be approached very cautiously, and with the understanding that the lack of transparency could have significant impacts on future capability, cost, and data reconciliation. Data analytics technologies and techniques are widely used to enable organizations to make more-informed decisions and are critical for successful implementation of Artificial Intelligence and Machine Learning (AI/ML).

The data–AI/ML relationship is the most significant capability needed to allow JADO decision-making to operate at the speeds necessary to maintain or gain advantage against adversaries. This is an area in which Parsons has extensive experience; however, for this piece we’ve focused on the other foundational aspects which allow for solid data, processes, and capabilities that ultimately facilitate the data–AI/ML relationship.

Parsons’ capabilities reside at the intersection between all of these systems and allow them to communicate and normalize messages into standards that systems upstream can understand, which enables the government to limit costly changes to programs of record as new technology is deployed to the field. As an example, over the last two years, we have been modernizing our C2Core Air capability which is based on our Master Air Attack Planning Tool Kit (MAAPTK) application used in every Air Operations Center (AOC). The application has a diverse and distributed customer base that allows us to realize efficiencies and share sustainment and modernization costs. Through each of these efforts, we developed application enhancements with the larger community of users in mind, while ensuring all users could take advantage of the upgraded capabilities. Parsons modernized the code by migrating legacy capabilities into a web-based modular microservices architecture while soliciting Warfighter feedback through interim releases. We developed a hybrid approach for modernizing the software that enables the legacy desktop application and web-based UIs to share and act on the same data allowing for incremental delivery of web enhancements without losing functionality in the mission-proven desktop application. This approach reduces operational risk and costs while delivering capabilities to the Warfighter faster than the “green field” approach to modernization and modularization. Our modernization effort is yielding a deliverable with low technical debt, as shown by the recent positive Silverthread analysis of the current source code.



Parsons selected Silverthread, an independent third-party software assessment firm, to provide cumulative technical debt analysis of developed code, specifically addressing architecture degradation and code implementation deficiencies of our new microservices architecture in comparison to the legacy builds. After completing the analysis, Silverthread reported the current code was in the top 10% when compared to peer system benchmarks and had substantially improved compared to the original legacy codebase. Their report stated: 1) the current codebase contained no critical cores, indicating a significant improvement from a code-level view; and 2) it had no areas that needed to be addressed immediately to mitigate or avoid the proliferation of complex design problems. Their report also indicated the new codebase had much lower development costs in addition to higher code quality than the previous legacy codebase and a high majority of competitor capabilities.

This use case provided us with a process and greater understanding of how to deliver a more scalable, flexible, and sustainable software capability without losing functionality of the legacy systems during transition. This knowledge, linked with our DevSecOps environment and agile process, provides an outstanding model and proven path for moving legacy systems into a new, more interconnected world.

Conclusion

Given the vast range of challenges the DoD is forced to face in combating adversaries in JADO, it’s difficult for any single vendor to come in and solve every challenge alone. Therefore, the United States Government, Allies, and Industry partners must continue to work together to push forward the vision of JADO and JADC2. Acquisition processes must continue to be refined to meet this seismic shift in technological capabilities and must also allow for close partnerships and transparency between government and industry as opposed to the legacy client-supplier mentality. Parsons stands ready as a teammate across government and industry to ensure Commanders and Warfighters have the tools available to defend our nation and save lives.



Contact us

JAY LENNON / Vice President, Multi-Domain Solutions (MDS)
Direct: +1 719.452.7297
jay.lennon@parsons.com

5875 Trinity Parkway, Suite 140, Centreville, Virginia 20120
Direct: +1 703.988.8500
parsons.com

© Copyright 2020 Parsons Corporation. All Rights Reserved. / Approved for public release. / EXIM 1021


Return to the Workplace For Government Contractors



Introduction

In a moment of the COVID-19 global pandemic, it is difficult to think beyond the next hour, the next day, or the next week. This is a very human crisis, and many important decisions have to be taken quickly. For most company leaders, this is therefore a pivotal time. There is enormous pressure on business and government leaders to provide the structure, guidance, and clear communication that people are looking for to get back to their places of work. For this to be possible, access to information is more critical than ever before. Work needs to happen faster and responses scaled more effectively. As companies across the globe continue to deal with the current effects of COVID-19, they also face the upcoming task of returning their employees safely to the workplace. Once the spread of coronavirus has been contained, government policies and health strategies will need to transition away from stay-at-home orders and move towards bringing businesses back online and gently restoring the economy, with social distancing measures potentially extending into the foreseeable future.

In the US, the federal government developed a three-phased approach providing guidance to state and local officials on gating criteria for disease containment before reopening the economy. While states, provinces, and local governments decide on what policies to enact for companies to re-open, companies need guidance on what areas need to be considered as they plan to return employees to work. Large companies that work with suppliers, resident non-employees, and contractors will need to add guidelines to reduce risk beyond employees as well. Each facility location will need consideration, evaluation, and a plan to safely bring all who attend into a safe working environment. How do government contractors respond to the variety of challenges faced when approaching the return to the workplace? How can technology assist with giving company leaders the information they need to make data-based decisions and responsibly bring their employees back to a workplace with the right precautions in place?

“If you work in a critical infrastructure industry, as designated by the Department of Homeland Security, you have a special responsibility to maintain your normal work schedule. We need your support and dedication in these trying times to ensure the security of this Nation. I understand that this national emergency presents a challenge, and we are dedicated to working closely with you to ensure the safety of the workforce and accomplishment of the national security mission.” — Ellen Lord, Undersecretary of Defense for Acquisition and Sustainment

“What will a return to the workplace look like? That is the question weighing heavily on the minds of government leaders and public health officials, employers and their employees, and American families striving for the delicate balance of staying safe and making ends meet. It is a question that begs more questions. But this much is increasingly certain: returning to work will be gradual, phased-in, and will vary by factors such as location, sector, business type or size, and the health status of workers.” — Suzanne Clark, President, U.S. Chamber of Commerce

Return to the Workplace | Salesforce


Benefits Overview

Many companies across the globe have already deployed Salesforce-based solutions for early phase mitigation of COVID-19. For returning to the workplace, capabilities like Contact Tracing are relevant in addition to new applications for managing shifts, assessing employee health, and evaluating facility readiness.

• Employee support including Assessments, Scheduling and Tracking
• Contact Tracing and Isolation Management from travel or exposure
• Response to employee needs and maintaining business continuity during crisis
• Business Reopening Preparedness, operational impact, and resource mobilization
• Analytics for operational intelligence and internal communications
• Employee Outreach and communications
• Facility management tools such as visitor tracking and shift management

Each of the solution areas presented below can be implemented individually or in any combination to deliver comprehensive capabilities. Salesforce can partner with companies to quickly identify areas of pressing need and rapidly deploy solutions in government accredited cloud environments that meet the specialized compliance needs of the companies that help deliver on the government mission.

Proposed Solution Areas:
1. Employee Wellness
2. Travel Management & Isolation
3. Employee Self-Service Assessment
4. Contact Tracing
5. Employee & Customer Outreach
6. Visitor Tracking
7. Shift Management
8. Resource Mobilization
9. Workplace Readiness Certification
10. Feedback & Inspections
11. Return to the Workplace Performance Metrics

Return to the Workplace

Salesforce

|

54


Employee Wellness

Corporate operating practices have changed. Routines are no longer the same, and we’re figuring out where to focus and how to pivot based on changing data and operational considerations. As companies begin to bring their own staff back to the workplace, they must manage this process with a focus on employee health and safety. Salesforce provides a centralized “command center” to help support known impacted employees (e.g. an employee who is sick or displaced) and also review the readiness status of locations/services/operations (e.g. closure of or damage to an office). Automating with Salesforce workflows ensures timely follow-up with employees and efficient responses to concerns and questions. Office closures, cleaning schedules, and repairs can also be tracked and scheduled from a single integrated application. By quickly deploying a crisis-centric employee portal using Salesforce Community Cloud, agencies can create a central hub for their employees to access the most up-to-date information on building status and revised capacity plans. Additionally, employees can use the portal to update their availability and status, as well as submit requests for assistance.

Shift Management

As guidance emerges at the state/province and local levels allowing business to re-open, companies may need to alter the way employees show up to facility locations. For example, companies may need to stagger which employees are in an office/facility location to an every-other-business-day schedule, reducing the number of employees in a given space and thereby reducing risk. Providing a plan will help maintain operational efficiency and provide peace of mind to employees, so they understand when they can attend an office/facility location.

Salesforce can help visualize and manage shifts by allowing teams to:

• Understand what shifts are covered and which are available for employees
• Categorize shifts into types of work to make sure the right employees will be in attendance
• Add and manage shifts to provide a comprehensive view at a given facility or project
• Create flexible work shifts for periods that don’t require a rigid structure

Visualizing Shifts across work groups at a given time

Feedback & Inspections

As companies start to re-open their doors to employees, the public must have a way to report concerns of potential violations such as overcrowding or other unsafe conditions. Salesforce Service Cloud can manage the intake of reported feedback regarding physical distancing measures such as capacity limits that may require follow-up and inspection. This feedback can be received in Salesforce from virtually any channel, including phone, web, email, SMS and social media. Once a feedback case is created and reviewed, Salesforce can also help automate the assignment of inspection staff to a particular business location. Using the native Salesforce Mobile application, inspectors can receive notification of their inspection assignments, plan their routes and capture the necessary information to substantiate or close the inspection case.



Return to the Workplace Performance Metrics

Utilizing data visualizations that highlight employee and facility trends will help an agency differentiate between decisions that are likely to be safe, timely and effective, and those that aren’t. By operationalizing processes in Salesforce, executive leadership will have a view of the readiness status of all locations and operations (e.g. from employee health to closure of, or damage to, an office). This gives leaders the ability to determine how quickly and safely employees, contractors, partners and visitors can return to your facilities. From embedding interactive dashboards on websites or Salesforce Community portals to making data sets available on the intranet so employees can ask their own questions, transparency drives collaboration and change. Reducing information silos improves results for everyone. Tableau makes it easy to quickly create charts, graphs, maps and calculations using both publicly available data and your own data sources. The Tableau COVID-19 Data Hub (https://www.tableau.com/covid-19-coronavirus-data-resources) contains resources to help you visualize and analyze the most recent data on the coronavirus outbreak. On the hub, you’ll find a jumpstart workbook, pre-loaded with COVID-19 case data, available to download and use immediately. Get clear visualizations that turn the most complex data into easily digestible snapshots. Organize the metrics you want to access frequently into simple, customizable dashboards. With Tableau’s analytic visualizations that are easy to use and understand, you’ll have crucial case trends, business activity and health system readiness insights gleaned from a range of data sources at your fingertips.

Provide up-to-the-minute information for better decision making


Summary

Staying connected and responsive to employees, and your customers is always important, but absolutely vital right now when COVID-19 details are changing by the hour. Reopening your company’s facilities will require the coordination of all business divisions and operational teams. This balance of confronting current conditions today with what lies in the future is more than stressful. Being informed with real-time information can help increase safety and wellness, as well as reduce uncertainty during these uncertain times. The Salesforce Platform is designed to provide the capabilities needed to quickly address and respond to the various aspects of emergency management while also allowing companies to slowly reopen businesses and reestablish their economies. A single, unified platform can deliver integrated capabilities no matter where your company is in the back-to-the-workplace management lifecycle (before, during, or after). Through a comprehensive response, you can ensure that leaders have the information and the structure they need to confidently explore all of their options and deliver solutions with transparency, authenticity and optimism.

Immediate Next Steps

Salesforce looks forward to assisting you with next steps in your company’s response. Get in touch with Salesforce, call 1-844-807-8829, or contact your Account Executive to learn more about these robust capabilities.

About Salesforce

Salesforce transforms government agencies and their industry partners into highly connected, efficient, and productive organizations. The Salesforce Platform accelerates transformation to deploy solutions with a multi-tenant cloud infrastructure that meets security and compliance requirements. To learn more, visit www.salesforce.com/government or call (844) 807-8829 to speak to a government expert.

Document Disclaimer

The information provided in this whitepaper is strictly for the convenience of our customers and is for general informational purposes only. Publication by Salesforce does not constitute an endorsement. Salesforce does not warrant the accuracy or completeness of any information, text, graphics, links or other items contained within this whitepaper. Salesforce does not guarantee you will achieve any specific results if you follow any advice in the whitepaper. It may be advisable for you to consult with a professional such as a lawyer, accountant, architect, business advisor or professional engineer to get specific advice that applies to your specific situation. © 2020 Salesforce, Inc. All rights reserved. Salesforce, Salesforce1, Sales Cloud, Service Cloud, Marketing Cloud, Chatter and others are trademarks of Salesforce, Inc. The Salesforce Cloud logo and other creative assets are owned and protected under copyright and/or trademark law. For more information, please visit www.salesforce.com.



2020 EXECUTIVE SUMMARY



FROM THE EDITORS

The fourth annual GAUGE is a tool for the government contracting community to gain insights into industry best practices and performance metrics. It can be particularly valuable to contractors striving for constant improvement by learning from others who face similar challenges and opportunities. In the following pages, we share results from our survey to help you address current challenges, identify key performance indicators, and benchmark your organization against your competitors. This year’s GAUGE comes at a time of unprecedented change. Nearly overnight in mid-March, the COVID-19 pandemic turned the world into a different place, drove widespread fear and cost-cutting for some industries, and forever changed the way we work. Government contractors—essential and non-essential—suddenly had to contend with managing the ranks of newly remote workers, subcontractors, vendors, and customers. 2020 continues to be a year of reckoning as government contractors are either reaping the rewards of having laid a sound business and technology foundation, or paying the price of playing catch-up. In spite of the disruption, optimism remains high among 74% of our respondents, although 3 of 10 contractors noted cost of compliance as a concern to their business. 80% boasted growing workforces, 2% confessed they were shrinking, and 18% said they were holding steady. Study the following pages for other interesting and helpful strategic highlights. Keep an eye out for our new feature, “Voice of the Experts,” in every section, which shares a nugget of practical wisdom from our interviews with subject matter experts. Bottom line, the federal government remains a stable industry. Government contractors have the chance to prove yet again how nimble and resilient they are. Our hope is that the insights offered through the GAUGE can serve as a useful guide to navigating the challenges ahead.

© CohnReznick & Unanet

Kim Koster, VP of GovCon Strategy, Unanet

Christine Williamson, Partner, CohnReznick

GAUGE 2020

59


REPORT HIGHLIGHTS

The Impact of Covid-19

Nothing we’ve seen in recent history has had such deep, course-altering impact on all industries, including government contracting, as the novel COVID-19 pandemic. The government is spending and could be considered over-spending to keep the economy afloat, including keeping government contractors at a “ready state.” Government contractors that are doing well are leaning in and embracing the change by empowering teams to be productive in any setting and adapting quickly to new ways of operating—and technology plays a big part in their success. Our survey timing perfectly straddled the highly disruptive pandemic shutdown. It is likely that some responses were impacted by the disruption, for instance, “What is your biggest business development challenge?” We did contemplate in our analysis the impact of a protracted quarantine.

How would you characterize the current business environment for government contracting?

                         Pre-March 13   Post-March 13
Very Optimistic                  18%             14%
Cautiously Optimistic          65.5%             54%
Neutral                          11%             21%
Somewhat Pessimistic            5.5%              9%
Very Pessimistic                  0%              2%

[Chart: What issues are of the most concern to your GovCon organization today? Categories: Lack of Qualified Talent; Budget and Funding Constraints; Cost of Compliance; Lack of Integrated Project Management/Accounting Tools. Series: 2019 vs. 2020, y-axis 0% to 40%. Bar values were not recoverable from the extraction.]


Optimism dropped from 84% prior to the COVID-19 shutdown (pre-March 13) to 68% following (post-March 13), settling at 74% overall. Post-shutdown, responses clearly show consistent downward shifts toward neutral, with 2% of respondents very pessimistic on the business environment. With the stock market volatility and COVID-19 infection rates on the rise, this was not surprising. Major contractors of >$50M looked slightly more favorable because of cash reserves and the variety of contracts held. In mid 2020, with the aid of the CARES Act funding and new awards on the rise, many government contractors are reaping the benefits of expenses dropping in some categories, such as travel, lunches, supplies, and other costs associated with having an onsite workforce. All the while, costs for cleaning, technology, and compliance are on the rise. Cost of compliance doubled in our survey over the past three years, from 15% in 2018 to 30% in 2020.


Survey Respondents

Our 2020 GAUGE survey captured responses from 1,468 contributors between January and May of 2020. The diversity of responses spans a broad array of company sizes, titles, and roles, as well as industries and company types.

Respondents by Job Title
CFO                        30%
President/CEO              31%
Contracts Manager           6%
Controller                  7%
Operations Manager          4%
Other C-Suite Position      8%
Other                      14%

Respondents by Annual Revenue
$0-10M         17%
$10-25M        22%
$25+-50M       13%
>$50M          48%

Respondents by Set-Aside Designations
Small Business                          45%
Veteran-Owned                           14%
SDVOSB                                  13%
Woman-Owned                             12%
Mentor/Mentee Program Participation      8%
8A                                       5%
HUBZone                                  3%


Leveraging Technology to Optimize Your Business

Technology is the theme of this year’s GAUGE, and in this season of remote work and operational disruption, technology finally gets its day in the spotlight. By this point, most government contractors use technology to help run their businesses. However, only some are using it to run their businesses better. What is the difference? One automates a work step, the other improves efficiencies. Winning firms are doing more of the latter, leveraging technology solutions to elevate their businesses. The 2020 GAUGE responses indicate there is still work left to do for many government contractors in the area of technology. Excel remains the technology of choice for what many consider to be the four key functions (outside of Accounting): Purchasing, Resource Management, Estimating, and Pipeline (PREP). Excel is inexpensive, and is universally understood and available. However, as workers are forced to work remotely for an extended period of time, and as the pressure mounts to squeeze every ounce of efficiency out of their operations, companies may soon collide with the limitations of trying to push Excel to replicate what project-based software can deliver.

Voice of the Experts

Leading companies have stopped asking, “Do I need this technology?” Instead, they are inspecting every challenge and obstacle throughout their operations and asking, “How can technology help me address this?” Technology adoption and optimization will be a defining factor for leaders and laggards in the coming age.

[Chart: What technology do you use in the areas we call PREP? Series: Excel; Project-Based ERP; Others. Categories: P Purchasing; R Resource Management; E Estimating; P Pipeline. Y-axis 0% to 100%. Bar values were not recoverable from the extraction.]


With increased technology adoption comes elevated concerns about security. CIOs will be pushed to embrace key NIST security controls, and today over two-thirds report success here. Government contractors will also be asked to meet DOD’s Cybersecurity Maturity Model Certification (CMMC), a framework that verifies contractors have adequate cybersecurity safeguards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In some cases, a required CMMC level will be specified in RFP sections L & M and will drive a “go/no-go decision” for a contractor to propose. Compliance with CMMC will be challenging for some contractors. Nearly one-third of companies in this year’s survey rate themselves CMMC Level 3, an indicator of good cyber hygiene and the baseline for DOD contractors. Going forward, as more defense contractors recognize the competitive advantage a higher CMMC rating provides, we expect to see contractors continue to invest to climb the maturity scale.

In this report, we dive into how government contracting leaders need to leverage technology to best position their companies for the next five years. Within each of our report findings, technology is a game-changer, and we highlight what the winners are doing to offer insights into their own digital process transformation. For those feeling behind the curve, it’s not too late. Many companies are telling the story of quickly evolving from spreadsheets and pen-and-paper processes into high-performing, technology-driven engines. We are here to shed light on what’s possible through the intelligent use of technology in contractors today.

Has your organization implemented security controls using NIST 800-171/171B or NIST 800-53?
Yes         69%
No          17%
Not sure    14%

What CMMC level would you assign to your company?
Level 1           12%
Level 2           14%
Level 3           30%
Level 4            5%
Does Not Apply    20%
Not Sure          19%


2020 REPORT

Want to know more? The complete GAUGE 2020 contains an expansive range of valuable insights about how government contractors are utilizing technology to optimize business in the face of remarkable new pressures. Plus, this year’s GAUGE also features:

• “Voice of the Experts” callouts identifying key takeaways and predictions
• Survival Guide for continued COVID-19 impacts
• Industry Insights from KippsDeSanto & Co.
• Access to our new Benchmarking Tool, launching in September

Download your free copy now. www.unanet.com/gauge



Tax Policy Outlook – Impact on M&A September 2020

Confidential – For Discussion & General Information Purposes Only



Near-Term Corporate Support in CARES Act – Outlook For Extension is Unclear

Massive government stimulus may amount to $10T of fiscal & monetary spending for a $20T economy

Overview of Select Corporate-Focused Provisions Within the CARES Act (Total Cost Estimate: $1.7T (1))

Bonus Depreciation for QIP
• Retroactively corrects technical error in TCJA to allow for immediate deduction for qualified improvement property
Estimated Cost: Part of $24B ‘Other Tax Provisions’

Employee Retention Tax Credit
• Up to $5,000 tax credit for wages paid from 3/13/20 to 12/31/20, applied against social security taxes; potential expansion to make more companies eligible
Estimated Cost: $55B in 2020-21

Payroll Tax Deferral
• Deferral of social security taxes arising from 3/27/20 to 12/31/20; half due at the end of ‘21 and ’22, respectively
Estimated Cost: $351B in 2020-21

NOL Carryback
• Permits losses generated 2018-20 to be carried back up to five years for tax refund; extremely unpopular among Democrats
Estimated Cost: $80B in 2020

Interest Expense Deduction
• For 2019-20, interest expense deduction limit increases from 30% to 50% of 2019 or 2020 EBITDA
Estimated Cost: Part of $24B ‘Other Tax Provisions’

Federal Reserve 13(3) Programs
• Backstop for Federal Reserve purchases of investment grade and fallen angel corporate bonds; CBO noted a high probability that programs will be profitable
Estimated Cost: Up to $454B

Source: Congressional Budget Office and the staff of the Joint Committee on Taxation (JCT) filed 4/27/2020, KPMG, Wells Fargo Securities, LLC
1. On a preliminary basis, CBO and JCT estimate that the CARES Act will increase federal deficits by about $1.7 trillion over the 2020-2030 period


Biden Tax Proposals Released Before Primaries Provide High Level Outline of Increased Corporate Taxes

In December 2019, Biden released a tax proposal perhaps better characterized as a set of aspirations rather than a detailed plan

Overview of Select Proposals Within Biden Tax Plan (Total Revenue Est.: $3.7T (1))

Corporate Income Tax
• Higher corporate tax rates at 28% may be challenging to pass if the economic backdrop is depressed
Estimated Cost: $1,300B

Payroll Tax
• Modifies the current cap on Social Security taxes, effectively increasing personnel costs ~4.9% for every dollar the cap is raised
Estimated Cost: $808B

Capital Gains Tax
• Proposal would tax capital gains as ordinary income for individuals with incomes above $1 million
Estimated Cost: $503B

Global Minimum Tax
• May reduce the deduction for how much CFC income is taxable in the U.S., effectively doubling the minimum tax, while switching from aggregate CFC income to country-by-country analysis
Estimated Cost: $309B

Alternative Minimum Tax
• Initially proposed at 15% (rather than the previous 20%); AMT is generally despised among tax practitioners as it requires duplicative calculations
Estimated Cost: $166B

Passage of Biden’s tax proposals would likely require Democratic control of the White House and Congress – recent polling data indicates this outcome may be increasingly likely

Source: Tax Policy Center Urban Institute & Brookings Institution, “An Analysis of Former Vice President Biden’s Tax Proposals,” March 5, 2020, including proposals as of February 23, 2020
1. Estimated cost details over a 10-year period based on conventional method are adapted from “Details and Analysis of Former Vice President Biden’s Tax Proposals,” April 29, 2020


Illustrative Implications of Higher Capital Gains Tax Rates

Owners may Drive Business Success but Generate Less Sale Now

($ in Millions)

                                  Sale Now   Sale in 5 Years   Commentary
EBITDA                                $100              $161   Annual EBITDA growth of 10%
Exit Multiple                        12.0x             12.0x
Proceeds from Sale                  $1,200            $1,933
Capital Gains Tax Rate               23.8%             39.6%   Capital Gains Rate = Personal Income Rate
Taxes Paid                             286               765
Net Proceeds                          $914            $1,167
Present Value                         $914              $725   10% discount rate for time value of money
Value Gain / (Loss) of Holding              ($190)             Difference of future sale and sale now
% upside / (downside)                        (21%)

% Upside / (Downside) Sensitivity of Holding

Annual EBITDA Growth (rows) vs. Tax Rates (columns)
                 20.0%    25.0%    30.0%    35.0%    40.0%
  5.0%           (17%)    (22%)    (27%)    (32%)    (38%)
 10.0%            +5%      (2%)     (8%)    (15%)    (21%)
 15.0%           +31%     +23%     +15%      +7%      (2%)
 20.0%           +62%     +52%     +42%     +32%     +22%

Discount Rate (rows) vs. Tax Rates (columns)
                 20.0%    25.0%    30.0%    35.0%    40.0%
  6.0%           +26%     +18%     +11%      +3%      (5%)
  8.0%           +15%      +8%      +1%      (7%)    (14%)
 10.0%            +5%      (2%)     (8%)    (15%)    (21%)
 12.0%            (4%)    (10%)    (16%)    (22%)    (28%)

Given likelihood of tax increases many businesses are actively exploring ways to return capital to shareholders in 2020 (and 2021 assuming tax changes are not retroactive)

Source: Wells Fargo Securities, LLC
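The hold-versus-sell comparison and the two sensitivity grids on this slide follow from a handful of arithmetic steps, and the slide shows only one base case worked through. The Python below is an added worked example written for this page, not Wells Fargo's own model. It assumes (as labelled in the code) that EBITDA compounds at a flat annual growth rate, the exit multiple is constant, capital gains tax applies to the whole sale proceeds, and the future net proceeds are discounted to today at a flat annual rate; those assumptions are enough to reproduce every figure on the slide, with all dollar amounts in $ millions, and to generalize the grid to any growth, discount and tax-rate combination.

```python
"""Hold-vs-sell-now comparison under a higher future capital gains rate.

Added worked example for the tax slide above; it is not Wells Fargo's own
model. Assumptions (constructed for this example): proceeds = EBITDA x exit
multiple; taxes = proceeds x capital gains rate; EBITDA compounds at a flat
annual growth rate; the future sale's net proceeds are discounted to today at
a flat annual discount rate. All dollar figures are in $ millions, as on the
slide.
"""

TAX_COLUMNS = [0.20, 0.25, 0.30, 0.35, 0.40]   # future capital gains rates (grid columns)
GROWTH_ROWS = [0.05, 0.10, 0.15, 0.20]         # annual EBITDA growth (first grid's rows)
DISCOUNT_ROWS = [0.06, 0.08, 0.10, 0.12]       # discount rate (second grid's rows)


def future_ebitda(ebitda_now, growth, years):
    """EBITDA after `years` of compounding at `growth`."""
    return ebitda_now * (1.0 + growth) ** years


def net_proceeds(ebitda, multiple, tax_rate):
    """Sale proceeds (EBITDA x multiple) less capital gains tax on the whole amount."""
    proceeds = ebitda * multiple
    return proceeds - proceeds * tax_rate


def present_value(amount, discount_rate, years):
    """Discount a future amount back to today."""
    return amount / (1.0 + discount_rate) ** years


def holding_upside(ebitda_now=100.0, multiple=12.0, years=5, growth=0.10,
                   tax_now=0.238, tax_future=0.396, discount_rate=0.10):
    """Compare selling today with holding for `years` and selling later.

    Returns (net_now, pv_hold, gain, pct): after-tax proceeds of a sale today,
    present value of the future sale's after-tax proceeds, their difference,
    and that difference as a fraction of net_now. The defaults are the
    slide's base case ($100M EBITDA, 12.0x, 23.8% now vs 39.6% later,
    10% growth, 10% discount rate).
    """
    net_now = net_proceeds(ebitda_now, multiple, tax_now)
    net_future = net_proceeds(future_ebitda(ebitda_now, growth, years),
                              multiple, tax_future)
    pv_hold = present_value(net_future, discount_rate, years)
    gain = pv_hold - net_now
    return net_now, pv_hold, gain, gain / net_now


def sensitivity(row_values, col_values, row_key, **fixed):
    """Grid {(row, col): fractional upside of holding}.

    `row_key` names the holding_upside keyword varied down the rows
    ('growth' or 'discount_rate'); columns vary `tax_future`; any extra
    keyword arguments are held fixed across the whole grid.
    """
    grid = {}
    for r in row_values:
        for c in col_values:
            kwargs = dict(fixed, tax_future=c)
            kwargs[row_key] = r
            grid[(r, c)] = holding_upside(**kwargs)[3]
    return grid


def format_pct(x):
    """Slide-style percentage: +5% for upside, (21%) for downside."""
    v = round(x * 100)
    return f"+{v}%" if v >= 0 else f"({-v}%)"


if __name__ == "__main__":
    net_now, pv_hold, gain, pct = holding_upside()
    print(f"Sell now net: ${net_now:,.0f}M   Hold 5y PV: ${pv_hold:,.0f}M   "
          f"Gain/(Loss) of holding: ${gain:,.0f}M   {format_pct(pct)}")
    for label, rows, key in (("EBITDA growth", GROWTH_ROWS, "growth"),
                             ("Discount rate", DISCOUNT_ROWS, "discount_rate")):
        grid = sensitivity(rows, TAX_COLUMNS, key)
        print(f"\n{label:<14s}" + "".join(f"{c:>8.0%}" for c in TAX_COLUMNS))
        for r in rows:
            print(f"{r:<14.1%}" + "".join(f"{format_pct(grid[(r, c)]):>8s}"
                                          for c in TAX_COLUMNS))
```

Running the module prints the base case ($914M now versus a $725M present value for holding, a $190M or 21% loss) and both grids exactly as they appear on the slide; changing the defaults of `holding_upside` or the row and column lists re-runs the same arithmetic for a different company or a different set of proposed rates.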


Potential Ways to Get Ahead of the Tax Man

While timelines are tight for a 2020 execution, we are working with various family and management-owned businesses as they explore ways to return capital to shareholders before the end of the year:

• Change of control sale transaction, either LBO with meaningful shareholder rollover or complete sale to a strategic
• Accessing the capital markets, e.g., term loan B or HY issuance, to fund a dividend
• Structured minority equity/mezzanine debt raise to fund a dividend
• OpCo/PropCo structure that includes 3rd party investment in PropCo and significant distribution to shareholders

Source: Wells Fargo Securities, LLC


Disclaimer

This document and any other materials accompanying this document (collectively, the “Materials”) are provided for general informational purposes. By accepting any Materials, the recipient thereof acknowledges and agrees to the matters set forth below in this notice. Wells Fargo Securities makes no representation or warranty (express or implied) regarding the adequacy, accuracy or completeness of any information in the Materials. Information in the Materials is preliminary and is not intended to be complete, and such information is qualified in its entirety. Any opinions or estimates contained in the Materials represent the judgment of Wells Fargo Securities at this time, and are subject to change without notice. Interested parties are advised to contact Wells Fargo Securities for more information. The Materials are not an offer to sell, or a solicitation of an offer to buy, the securities or instruments named or described herein. The Materials are not intended to provide, and must not be relied on for, accounting, legal, regulatory, tax, business, financial or related advice or investment recommendations. No person providing any Materials is acting as fiduciary or advisor with respect to the Materials. You must consult with your own advisors as to the legal, regulatory, tax, business, financial, investment and other aspects of the Materials. Wells Fargo Securities is the trade name for the capital markets and investment banking services of Wells Fargo & Company and its subsidiaries, including but not limited to Wells Fargo Securities, LLC, a member of NYSE, FINRA, NFA and SIPC, Wells Fargo Prime Services, LLC, a member of FINRA, NFA and SIPC, and Wells Fargo Bank, N.A. Wells Fargo Securities, LLC and Wells Fargo Prime Services, LLC are distinct entities from affiliated banks and thrifts. Notwithstanding anything to the contrary contained in the Materials, all persons may disclose to any and all persons, without limitations of any kind, the U.S. federal, state or local tax treatment or tax structure of any transaction, any fact that may be relevant to understanding the U.S. federal, state or local tax treatment or tax structure of any transaction, and all materials of any kind (including opinions or other tax analyses) relating to such U.S. federal, state or local tax treatment or tax structure, other than the name of the parties or any other person named herein, or information that would permit identification of the parties or such other persons, and any pricing terms or nonpublic business or financial information that is unrelated to the U.S. federal, state or local tax treatment or tax structure of the transaction to the taxpayer and is not relevant to understanding the U.S. federal, state or local tax treatment or tax structure of the transaction to the taxpayer. All information provided in this presentation represents the views of Wells Fargo Securities’ Investment Banking and Equity Capital Markets team, and not the independent views of our Research Analysts. Wells Fargo Securities has adopted policies and procedures designed to preserve the independence of our Research Analysts, whose views may differ from those presented herein. IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any tax advice contained in the Materials is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax penalties or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. ©2020 Wells Fargo Securities. All rights reserved.


4401 Wilson Blvd. Suite 1110 Arlington, VA 22203 www.pscouncil.org

