The BDO GovCon Week Ahead - November 2021

November 22, 2021

White House Provides Clarification on Contractor Vaccination Deadline: As many Federal contractors are working to implement policies to comply with the Federal vaccine mandate, the White House issued new guidance to clarify the vaccination requirements. “Covered contractor employees must be fully vaccinated no later than January 18, 2022…” unless they are granted an exemption, said updated guidance from the Biden administration’s Safer Federal Workforce Task Force. “After that date, all covered contractor employees must be fully vaccinated by the first day of the period of performance on a newly awarded covered contract, and by the first day of the period of performance on an exercised option or extended or renewed contract when the clause has been incorporated into the covered contract.”
 
Initially, the deadline to be fully vaccinated was December 8th, which was then pushed back to having received the second dose of either the Pfizer or Moderna vaccine, or the single Johnson & Johnson dose by January 4, 2022 to align with mandates issued by the Occupational Safety and Health Administration (OSHA.) The new guidance provided some clarification on the timing of the deadline, stating “people are considered fully vaccinated for COVID-19 two weeks after they have received the second dose in a two-dose series, or two weeks after they have received a single-dose vaccine.” January 18, 2022 falls two weeks after January 4, 2022, and this date change for contractors means that recipients of the Moderna or Pfizer/BioNTech vaccines must have their first dose by at least January 4, 2022. The new guidance also says there is sample signage that contractors and subcontractors can post in their workplaces about safety protocols for fully vaccinated and not fully vaccinated individuals. It also clarifies that covered contractor employees who work in Federal buildings must also abide by any safety requirements there.
 
We invite you to join us on Dec. 3 for the Government Contractor 2021 COVID-19 Vaccine Mandate webinar at 1 p.m. EST, where the Government Contracting team will take a deeper dive into the EO, the FAR and agency-specific FAR supplement clauses, and their impact on federal contractors and subcontractors.

For more information, please click this link and this link.

Securing Trustworthy Communications Equipment is Critical: Huawei Technologies, ZTE Corp, Hytera Communications, and the list goes on...The Government made a big stir in 2019 surrounding these companies, their affiliates, and their subsidiaries, stating that their products and services were not safe for use within the United States.
 
The National Defense Authorization Act (NDAA) Section 889(a)(1)(A) prohibits agencies from "procuring, obtaining, extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunication equipment or services as a substantial or essential component of any system, or as a critical technology as part of any system", unless an exception applies or a waiver has been granted. These prohibitions went into effect on August 13, 2019, via the publication of the Federal Acquisition Regulation (FAR) Circular 2019-05, which created FAR subpart 4.21 and the corresponding solicitation provision and contract clause at FAR 52.204-24 and FAR 52.204-25.
 
Since August 2019, Federal contractors and their subcontractors, have been required to make representations that they are not using covered telecommunications in their solutions or, if they are, then they must identify such equipment/services and describe its proposed use. There has been an effort via the System for Award Management (SAM) to allow offerors to make a one-time annual representation to bypass the more stringent representation requirements in FAR 52.204-24, which require a new certification in every single offer.
 
President Biden has signed the Secure Equipment Act of 2021, which prohibits the Federal Communications Commission (FCC) from reviewing or issuing licenses to any of the companies mentioned above. This will likely require that any offerors currently relying on exceptions or waivers to use covered equipment or services in their supply chain to rethink their approach. As a best practice, Federal contractors should start phasing out these products and services now and make sure your subcontractors are doing the same.

For more information, please click this link.

Infrastructure Bill Provides More Opportunities for Contractors: On Monday November 15, 2021, President Biden signed into law the roughly $1.2 trillion Infrastructure Investment and Jobs Act. We’ve been following the progress of the bill since it was first announced, and now that it has passed, contractors are going to be looking for opportunities to tap into the additional funding. The bill includes funding for a variety of infrastructure related programs, leading to new opportunities for contractors across multiple industries.
 
The infrastructure bill was a big win for highway contractors, as it includes the Surface Transportation Reauthorization Act, which would spend a record $304 billion over five years for highway, road, and bridge programs. According to the Associated General Contractors of America, this represents a 34 percent increase over the current levels. According to the White House, 173,000 total miles of America’s highways and major roads and 45,000 bridges are in poor condition. The almost $40 billion for bridges is the single largest dedicated bridge investment since the construction of the national highway system, according to the Biden administration.
 
Utility contractors will also see increased opportunities for programs related to broadband, electric grid modernization, and clean water initiatives. For example, the legislation’s $65 billion for broadband access would aim to improve internet services for rural areas, low-income families and tribal communities. To protect against the power outages that have become more frequent in recent years, the bill would spend $65 billion to improve the reliability and resiliency of the power grid, and also boost carbon capture technologies and more environmentally friendly electricity sources like clean hydrogen. For clean water initiatives, the legislation would spend $55 billion on water and wastewater infrastructure, and set aside $15 billion to replace lead pipes and $10 billion to address water contamination from polyfluoroalkyl substances — chemicals that were used in the production of Teflon and have also been used in firefighting foam, water-repellent clothing and many other items.
 
The opportunities above represent only a fraction of the programs and industries that stand to gain from the bill. Interested contractors should keep an eye out for announcements of future awards under the new legislation.

For more information, please click this link and this link.

---

November 15, 2021

New CMMC Model 2.0 Released: Major Changes Ahead: When the original Cybersecurity Maturity Model Certification (CMMC) program was unveiled, there were five measured maturity levels, labeled (ML) 1, 2, 3, 4 and 5. The only certifiable levels in the original program were 1, 3, and 5, leading to some confusion about what purpose levels 2 and 4 served. CMMC didn’t re-invent the wheel, but rather stuck to the original cyber framework inherited from Department of Defense (DoD) Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 – the 110 controlled unclassified information (CUI)-based National Institute of Standards and Technology (NIST) 800-171 controls and added an additional 20 controls on top of CMMC ML3 (totaling 130 controls.) To reach Maturity Level 5, CMMC added NIST 800-172 (providing additional protections for Advanced Persistent Threats) on top of the NIST 800-171 controls. 
 
The DoD started a comprehensive review of the CMMC program in March 2021, and this analysis led to a radically different approach by the DoD in the release of CMMC Model 2.0. The DoD is approaching implementation of all changes through the rulemaking process, via the following Code of Federal Regulations (CFR):  1) title 32, to establish the CMMC 2.0 program and 2) title 48, to implement any needed changes to the CMMC program content in 48 CFR.
 
The new changes proposed are as follows:

• The complete elimination of ML 2 and 4

• Removing CMMC-unique practices (the delta 20 controls on top of NIST 800-171)

• Removing all maturity practices from the CMMC Model (leaving only the processes)

• Allowing annual self-assessments with an annual affirmation by Defense Industrial Base (DIB) company leadership for CMMC ML 1 (read – no certification required for ML 1)

• Splitting CMMC Level 3 (now level 2) requirements between two types of DIB contractors:

  • CMMC Formal Certification: Identify prioritized acquisitions that would require independent assessment (via CMMC C3PAO formal assessment/certification and post to Enterprise Mission Assurance Support Service (eMASS); re-certify every three years)

  • Self-Attest Only: Identify non-prioritized acquisitions that would require annual self-assessment and annual company affirmation (post score to SPRS every year)

• CMMC Level 5 (now level 3) requirements are still under development

• Development of a time-bound and enforceable Plan of Action and Milestone (POAM) process (this is interesting because POAM items were previous disallowed, but now are accepted for package approval, as long as the POAM items are rectified within a set time frame)

• Development of a selective, time-bound waiver process, if needed and approved

Please note that the original requirements of NIST 800-171, as specified by DFARS 252.204-7012, have not changed. In fact, the streamlining of this program to provide three paths for validating a contractor’s compliance to the NIST framework are being solidified. The requirement for the safeguarding of CUI within an approved environment has also not changed and must be fully compliant with the security controls as prescribed in NIST 800-171.
 
While limited information has been released as of the date of publication, BDO anticipates that much more information is to come in the next few days. So, stay tuned.

For more information, please click this link.

Federal Task Force Urges Contractors to make a “Good Faith” Effort: The federal vaccine mandate has been challenging for many government contractors to navigate and, to ease the burden, the government has issued new guidance, urging contractors to make a good faith effort to comply. To clarify its requirements, a spokesperson for the Office of Management and Budget (OMB) reassured contractors they will not face contract termination if some employees are still not fully vaccinated by the compliance deadline, if the contractor has a vaccine requirement in effect. This gives contractors and their employees a little more flexibility, and time to get vaccinated/file for exemption, leading up to the Jan. 4, 2022 deadline.  In hopes of further clarifying the regulations surrounding the vaccine mandate for contractors, the Safer Federal Workforce Task Force released an updated version of its FAQs regarding the vaccine mandate and compliance. As part of these FAQs, the task force is urging contractors to make a “good faith” effort to comply with the federal vaccine mandate. If a good faith effort is not made, significant actions, including termination of the contract may be taken, as outlined in the new FAQs.
 
The task force is also trying to help contractors with these new guidelines by outlining potential suggestions for how to handle employee noncompliance, including a three-step process of educating, suspending and terminating violating employees. Additionally, if contractors continue to put forth the effort to comply with the mandate and keep experiencing challenges, the Task Force has stated that the agency contracting officer will work with the contractor to address the challenges. Through these new outlines and FAQs, it is clear that the government is trying to help the contractors that do make a good faith effort by allowing more flexibility and by stepping in to assist where needed.
 
We invite you to join us on Dec. 3 for the Government Contractor 2021 COVID-19 Vaccine Mandate webinar at 1 p.m. EST, where the Government Contracting team will take a deeper dive into the EO, the FAR and agency-specific FAR supplement clauses, and their impact on federal contractors and subcontractors.

For more information, please click this link, this link, and this link.

The Future of Passwords in a Remote World: Your password must be at least 18 characters long, contain both upper- and lower-case letters with at least one special character, and may not be anything that you will ever be able to memorize or find convenient. Oh, and you’ll need you to change it to something completely different every 30 days. We have all been victim to the growing complexities of proving our own identities and, as more functions of our day-to-day lives move to virtual spaces, the problem is compounding. However, these requirements may not be uncalled for. Malicious forces have recognized the opportunities this shift in environment presents for phishing, identity theft and much more.
 
The government has recognized this rising threat and has been working to combat it for years. Further, there has been a move away from complex passwords and using any personal information (Social Security number, address, etc.) to verify your identity, lately. Why? Well, passwords we can’t remember get written down, placed on our desks, put into a password manager, or we are constantly requesting they be reset when we forget them, and personal information is now so heavily compromised that it should not be used as a means for establishing identity virtually.
 
So, how does the government know if it is doing business with a real person on the other side of the screen if we can’t use such identifiers? It has tried to address this in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63-3, Digital Identity Guidelines. This guidance is moving industry toward multifactor authentication (MFA) and identity proofing (IDP). MFA requires you use two or more factors to gain access to an account, and it must be a mix of one of three types of information: (1) things you know (password/PIN); (2) things you have (badge/phone); and (3) things you are (fingerprint/facial or voice recognition). MFA combats fraud because even if someone guesses a password, they should not also have access to something you have on your own person and/or match with any of your own biometric identifiers. IDP is a process where personal information is gathered securely, on a one-time occurrence, and then tied to a hard token which is used from that point forward in place of that more compromising data.
 
While these requirements are currently only mandated in certain instances, as defined in NIST SP 800-63, MFA and IDP requirements are starting to come up more frequently. This may be foreshadowing the death of the complex password and the move toward biometric/possession type verifications. A recent example of this requirement creeping outside of current guidance is the General Services Administration announcing that entities in the System for Award Management appoint a real person as their representative, by the end of the government’s fiscal year 2022. This change may seem more burdensome up front but, in the end, they seem to be prudent efforts to protect our own information and ensure the integrity of others while conducting business in a remote world.

For more information, please click this link and this link.

---

November 8, 2021

From DFARS 7012 to a New Cyber FAR Clause:  Federal Cyber Protections for CUI: The federal government continues to mandate protections for Controlled Unclassified Information (CUI) and other sensitive, but unclassified, information along with cybersecurity best practices down to Department of Defense (DoD) contractors. Many contractors are aware of the DoD Federal Acquisition Regulation Supplement (DFARS) CUI Rule, DFARS 252.204-7012, which was introduced in 2017 and requires the defense industrial base to implement cybersecurity standards on its network, National Institute of Standards and Technology (NIST) SP 800-171, to safeguard CUI.
 
The adoption for CUI protections is becoming more widespread than just DoD contractors. Now, there’s a new regulation being implemented which expands the scope of CUI protection requirements to other federal contractors, including those with contracts awarded by the General Services Administration, the National Aeronautics and Space Administration and many other federal organizations. The release of this new Federal Acquisition Regulation (FAR) CUI Rule has been long anticipated and was initially supposed to go to public comment on Nov. 1, 2021, but the actual date for public comment has yet to be announced. This new FAR clause extends the requirement for contractors to safeguard CUI on their systems to applicable federal contracts.
 
It is unclear what requirements will be suggested in the FAR CUI rule, but it is anticipated that the DFARS 7012 requirements, like the Federal Risk and Authorization Management Program moderate baseline and reporting, will be included in the FAR CUI Rule. It is not yet known if this clause will mean the extension of the NIST SP 800-171 prescribed security controls that we see in DFARS 252.204-7012, but stay tuned for more information as this regulation drops.

For more information, please click this link.

COVID-19 Government Contractor Vaccine Mandate: The White House issued Executive Order (EO) 14042, “Ensuring Adequate COVID Safety Protocols for Federal Contractors” on Sept. 9, 2021. On Sept. 24, 2021, the Safer Federal Workforce Task Force issued guidelines and FAQs for federal contractors and subcontractors on safety protocols that are intended to decrease worker absences, reduce labor costs and improve efficiency at sites where they are performing work for the federal government.
 
Federal contractors and subcontractors with contracts and contract-like agreements, including Cooperative Research and Development Agreements (CRADAs) and Other Transaction Authority (OTA) agreements for services in excess of $250,000, will need to ensure that employees performing work directly covered by the federal agreement and those who indirectly support performance of the agreement, including Accounting, Legal, Project / Program Management, IT, etc., are fully vaccinated by Dec. 8, 2021 for agreements awarded on or after Nov. 14, 2021. The requirements for fully vaccinated employees will also apply to new solicitations issued and options exercised on or after Oct. 15, 2021, and the compliance requirements will take effect the date that the agreement is signed.
 
The Federal Acquisition Regulatory Council (FARC) issued its class deviation, dated Sept. 30, 2021, which is effective immediately and remains in effect until the Federal Acquisition Regulation (FAR) is amended, or the class deviation is cancelled. FAR 52.223-99 and/or similar agency-specific FAR supplement clauses will likely be added to existing agreements when an option is exercised or an extension is granted, and requires the contractors to:

• Review a copy of the vaccination record for each employee discussed above, including remote employees and those who previously contracted COVID-19.

• Flow down the FAR and/or agency-specific FAR supplement clauses to every tier of the agreement, with the exception of “subcontracts solely for the provision of products” and lower tier agreements below $250,000.

• Determine if accommodations for employees based on disability or closely held religious beliefs will be granted.

• Implement / continue social distancing and face masks at work sites.

• Assign or designate an individual to coordinate implementation of the safety protocols for each work site.

Employees’ homes are not generally considered to be work sites and social distancing and masks won’t be required at home, but this does not exempt remote employees from the requirement to be fully vaccinated, unless there is a requirement to provide accommodations.
 
Federal contractors and subcontractors should also be prepared to implement the following actions:

• Develop policies and procedures to implement the EO and associated guidance and monitor the guidance as it evolves.

• Establish a standardized form or method for employees to communicate or request for an exception to the mandate and formalize a consistent manner to evaluate the requests and to assess the potential impact for employees legally entitled to an accommodation.

• Consider identifying and tracking expenses associated with the cost of complying with these requirements for potential future Requests for Equitable Adjustment.

Our readers should reach out to their friendly BDO point of contact or Aaron Raddock, Partner & National Co-Leader, Government Contracting, at [email protected],for more information. Additionally, we invite you to join us on Dec. 3, 2021 for the "Government Contractor 2021 COVID-19 Vaccine Mandate" webinar at 1 p.m. EST, where our professionals will take a deeper dive into the EO, the FAR and agency-specific FAR supplement clauses, and their impact on federal contractors and subcontractors.

For more information, please click this link, this link, and this link.

Intelligence Community Continues Cloud Journey: Following the multibillion-dollar Commercial Cloud Enterprise (C2E) contract awarded in late 2020, the Intelligence Community (IC) is now set to issue a solicitation for another cloud contract, in order to best integrate its newly purchased cloud-based services.  Acting IC Chief Information Officer Mike Waschull, said the Central Intelligence Agency “is approaching the release of the request for proposals” for its Cloud Investment Multi-Cloud Management (CIMM) effort. The selected systems integrator will work with the IC to determine which commercial cloud solutions, under the C2E contract, best meet each intelligence agency’s needs. It’s “a revolutionary approach to making the best possible decisions from a technical perspective and business perspective, on which attributes of which cloud will meet the intelligence community’s needs most effectively.”
 
From a contract perspective, CIMM is structured under a cost-plus incentive fee or award fee approach, and the winning awardee will be prohibited from participating as a subcontractor in any work undertaken by the five C2E providers. Waschull said that the approach incentivizes “deep creativity and collaboration, which is one of our core values here… When you're dealing with five formerly pure competitors that viewed each other as essentially jockeying for market share, if you will, in an environment of cost-plus fixed fee, it doesn't lend itself to building collaboration.” You have a built-in motivator” that “promotes the kind of thinking that will allow these former competitors to work together as a team.”
 
Interested contractors should continue to follow the status of the solicitation, here in the GovCon Week Ahead, as well as on SAM.gov.

For more information, please click this link.