Government contracts 2022 — Year in review

By Hollie Kapos, Legal Counsel Director, immixGroup

2022 was a busy year, and it was easy to miss some big changes in commercial item government contracting. Below are some key updates from 2022 and what immixGroup is keeping an eye on in 2023 and beyond.

GSA Ascend BPA for Cloud
Ascend is a multiple-award blanket purchase agreement (BPA) under the cloud and professional services Multiple Award Schedule SINs intended to simplify acquisition of secure cloud solutions. Task orders under the BPA will be placed under one or more of three pools: (1) infrastructure- and platform-as-a-service, (2) software-as-a-service, and (3) cloud IT professional services. The BPA will also establish minimum cybersecurity requirements, including cybersecurity supply chain risk management (C-SCRM) and zero trust architecture (ZTA). GSA released a draft performance work statement in May, followed by a market research request for information in July. Using feedback it obtained from industry, GSA plans to release a draft request for quotations in 2Q2023. Suppliers looking to add products to the Ascend BPA should start preparing now; products will need to be on SIN 518210C for eligibility. Read Tara Franzonello’s Washington Technology article for more information.

Updated CDM Requirements for EDR
As part of its implementation of Executive Order 14028, Improving the Nation’s Cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) expanded and revised the technical capability definition for Endpoint Detection and Response (EDR) tools and updated requirements for adding EDR items to the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Program’s Approved Product List (APL). While federal EDR initiatives create great sales opportunities, EDR vendors should be prepared for evolving requirements, such as this change to the CDM APL. For more details, read this blog post from immixGroup’s resident CDM expert, Amanda Mull.

NIST 800-218 Requirements for Software Deliverables
Another step in implementing EO 14028 was OMB’s issuance of memorandum M-22-18, requiring agencies to obtain attestation that software deliverables conform to the NIST Secure Software Development Framework (SSDF), SP 800- 218, and the NIST Software Supply Chain Security Guidance. Self-attestations or conformance statements must come directly from the software producer or an agency-approved, third-party assessor. This requirement applies to software currently in use and for future acquisitions; failure to comply could result in disqualification from contract award or displacement or non-renewal of current software. Agencies must develop a vendor communication process by January 12, 2023, and obtain attestation for critical software by June 11, 2023, and for all other software by September 14, 2023. Read Skyler Handl’s blog for more details.

Software Bill of Materials (SBOM) Requirements
Proposed language in the FY2023 NDAA requiring bills of materials for Department of Homeland Security contracts was removed from the latest version approved by the House. However, OMB’s memorandum M-22-18 also allows agencies to require a Software Bill of Materials (SBOM) in solicitations based on software criticality, “or as determined by the agency.” Such SBOMs must conform to “The Minimum Elements for a Software Bill of Materials (SBOM)” published by the National Telecommunications and Information Administration (NTIA). We expect to see continued regulatory efforts to require SBOMs on a broader scale, as directed by EO 14028.

CMMC 2.0
While there were no updates to the Cybersecurity Maturity Model Certification program in 2022 (latest version is CMMC 2.0, released in November 2021), DoD did announce the expected publication of an interim final rule in March 2023, followed by a 60-day comment period.

CHIPS and Science Act
The “CHIPS” part of the CHIPS and Science Act received a lot of media attention, and for good reason – it allocates $50 billion in incentives to develop domestic semiconductor R&D, manufacturing, and workforce development, and provides for substantial tax credits for investments in semiconductor manufacturing. The lesser covered “Science” part of the Act, formally “Division B: Research and Development, Competition, and Innovation Act,” may create interesting opportunities for software providers. Among other things, Division B directs NIST to establish a program for AI-enabled defense research and provides for various initiatives in government cybersecurity and privacy R&D. We’ll be looking out for solicitations that support these efforts.

Codifying FedRAMP
As of drafting this post, the FY2023 NDAA has been approved by Congress and awaits President Biden’s signature. Included in the bill is the FedRAMP Authorization Act, which codifies FedRAMP into federal law and instructs the General Services Administration (GSA) to standardize and improve the FedRAMP process. To that effect, GSA is directed to: enhance transparency between agencies, automate processes, establish a FedRAMP Board and a Federal Secure Cloud Advisory Committee, and provide annual efficiency metrics to Congress. Further, the Act creates a “presumption of adequacy” that would obviate additional agency assessments of FedRAMP-authorized products and services.

StateRAMP Participation Increased
As we’ve previously reported, SLED agency participation in StateRAMP and similar state-specific frameworks has been steadily increasing. States that joined the StateRAMP program in 2022 include Arkansas, Colorado, Maine, Nebraska, North Dakota, Vermont, and West Virginia. Also, as of January 1, 2022, Texas mandated TX-RAMP compliance for new and renewed cloud offerings. We expect to see further expansion of StateRAMP in 2023, especially given its new strategic partnership with NASPO.

SLED BEAD Program
The Broadband, Equity Access and Deployment (BEAD) grant program, which kicked off earlier this year, is part of the Biden Administration’s “Internet for All” initiative. The program provides $42.45 billion in federal funding to expand high-speed internet access in all 50 states and U.S. territories, with a focus on unserved and underserved locations. There are currently 56 participating states and territories, with over $210 Million awarded to date. For more information on federal funding for SLED procurements, read this blog by Lisa Kilgore.

With the nation’s continued focus on IT modernization, cybersecurity, accessibility, and global competitiveness, we expect to see more significant initiatives and opportunities in 2023 and beyond.

---

Want to keep up with trends in public sector IT? Subscribe to immixGroup’s Government Sales Insider blog now!

Download our SLED 2022 Intelligence Overview to gain deeper insights into the SLED marketplace.