What is CMMC?

By Jeff Ellinport, Division Counsel

Although CMMC has been around for more than a year, it never hurts to review what it is and why those who sell into DOD and the rest of the federal government should care.

CMMC stands for Cybersecurity Maturity Model Certification and is a new certification process to measure a company’s ability to protect sensitive government data. It is a unified standard for implementing cybersecurity across the defense industrial base. CMMC is a way for DOD — and soon after, probably civilian agencies as well — to address intellectual property theft, cybercrime and national security threats of the type evidenced by the recent SolarWinds attack.

Once fully implemented, CMMC will be an acquisition foundation, required for almost every contractor transacting business with the U.S. government.

CMMC Maturity Levels

CMMC has five maturity levels, with basic cybersecurity hygiene at a Level 1 to very robust requirements at a Level 5. These certification levels reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels build upon each other’s technical requirements such that each level requires compliance with the lower-level requirements and then implementation and documentation of additional processes employing more rigorous cybersecurity practices.

Read more of this post

2020: A Year of Continued Government Contract Growth for immixGroup

By Adam Hyman, Director, Government Programs

2020 will certainly be a memorable year for the obvious reasons. It was also a busy year for government contractors with a host of new government regulations, initiatives and opportunities for new contract vehicles. At immixGroup, we kept very busy throughout the year acquiring new vehicles – both federal and SLED – to support our suppliers’ and partners’ go-to-market strategies and to enable their efficient revenue growth.

Protecting Our Base

During this past year, immixGroup first ensured that we maintained the contracts we currently hold, which are critical to our suppliers’ and partners’ success. On the federal side, immixGroup finalized an extension to one of its largest contracts, NASA SEWP V, for an additional, and final, 5-year period.

Additionally, immixGroup executed extensions to its Army ITES-SW contract to avoid lapse in coverage while the Army finalized awards for its follow-on contract. immixGroup also executed extensions to some of its various DoD ESI Agreements and several SLED contracts, including Pennsylvania COSTARS, State of Oklahoma, and one of its CMAS contracts.

Read more of this post

GSA Unpriced Schedules – A Welcome Change Is Coming

By Jeff Ellinport, Division Counsel

The General Services Administration (GSA) might soon make a shift in federal procurement from contract-level pricing to order-level competition. That’s good for vendors because it could reduce the time it takes to get products on contract.

The Advanced Notice of Proposed Rulemaking for Section 876 of the 2019 National Defense Authorization Act (Pub. L. 115-232) was issued by GSA on August 19. It allows GSA to implement “unpriced schedules.” On Oct. 20, GSA kicked off the first of several industry “listening sessions” on how to best implement this authority.

Currently, before a GSA Schedule contract is awarded or new items added to an existing one, GSA contracting officers determine fair and reasonable prices of supplies or services (fixed price or hourly). Negotiation follows after offerors submit various data, information and documentation to support their pricing.

Read more of this post

2020 Federal Contracts: A Busy Year for New Regulations and Initiatives

By Hollie Kapos, Corporate Counsel

With all that happened in 2020, it was easy to miss some of the new regulations and initiatives impacting government contractors. This blog summarizes the key updates immixGroup has been tracking that are particularly relevant to commercial item contracting.

January-Current

GSA MAS Consolidation. Twenty-four former GSA Schedules, each for different supplies and services, were consolidated into a single schedule. We started the year in Phase II of the GSA MAS Consolidation, which was the process of updating terms and conditions to reflect the new solicitation. Phase II was completed in July, with 99% of contractors signing the mass modification. Under Phase III, which began in August, multiple vendor contracts will be consolidated into single contracts. Read more of this post

CMMC Interim Rule Includes New Compliance Requirements

By Hollie Kapos, Corporate Counsel

You never know what surprises will pop up in the last few days of the government’s fiscal year, and this year there was a big one with the Interim Rule implementing DOD’s Cybersecurity Maturity Model Certification (CMMC).

The Interim Rule (“IR”), published on September 29, 2020 and effective as of November 30, 2020, adds the widely anticipated new DFARS clause for inclusion in DOD contracts implementing CMMC: 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement). No surprise there.

But, the IR unexpectedly came with two additional clauses, DFARS 252.204-7019 (Notice of NIST SP 800-171 DOD Assessment Requirements) and DFARS 252.204-7020 (NIST SP 800-171 DOD Assessment Requirements), which require the immediate attention of federal contractors and their subs.  Read more of this post

GSA’s VPP: Why You Should Care

By Tara Franzonello, GSA Programs Consultant

GSA is beginning Phase I of its Verified Products Portal (VPP), targeting OEMs and wholesalers, with a goal to have the portal up and running in 2021. Why should OEMs, distributors or resellers care? Simple: If you don’t do VPP right, you could cause problems both for you and your supply chain.

The VPP is intended to host authoritative product content — standardized manufacturer names and part numbers, for example – to improve GSA’s supply chain risk management, as well as the customer experience. This information ideally would be provided directly by OEMs, although resellers and distributors can also create VPP profiles.

Besides product specifications, the VPP will accommodate other information such as photos and pricing data. OEMs will be able to use the portal to authorize and deauthorize products and resellers in real-time, which could eliminate the need for resellers to provide letters of supply.  Read more of this post

CMMC – Will the COTS Exception Apply to Me?

By Jeff Ellinport, Division Counsel

CMMC, DOD’s Capability Maturity Model Certification, will require almost all government contractors doing business with the Department of Defense to be independently certified by a third party as meeting one of five cyber security standards. This requirement will apply to every link in the government’s supply chain – including OEMs, distributors and resellers.

To the relief of many contractors, DOD updated its CMMC FAQs a few months ago to provide this exception (the only one so far): CMMC certification will not be required for companies that only provide commercial off-the-shelf (COTS) items. 

Under NIST SP 800-161, COTS is defined as “Software and hardware that already exists and is available from commercial sources.” Under FAR 2.101, COTS means any item of supply, other than real property, that is: Read more of this post

Getting Started With OTAs (Part 2 of 2)

By Troy Fortune, VP and General Manager

In my previous blog I talked about how OTAs can offer real advantages to both government agencies and suppliers. This blog provides more information about the types of OTAs and when they should be used. We also provide tips on how to assist your potential customers in the process.

There are three categories of OTAs and it’s important for you to know how and when they’re used.

  1. Research OTAs (also known as “original” or science and technology OTAs) are for basic, applied and advanced research projects. These OTs are intended to spur dual-use research and development. Companies can take advantage of economies of scale without the burden of government regulatory overhead.
  2. Prototype OTAs are authorized for acquiring prototype capabilities and allowing those prototypes to transition into Production OTAs. Both dual-use and defense-specific projects are encouraged. Successful Prototype OTAs streamline the transition into follow-on production without competition. They also reduce the possibility of a future protest.
  3. Production OTAs are authorized as noncompetitive, follow-on OTAs to a Prototype OT agreement that was competitively awarded and successfully completed. Under this statute, advanced consideration is required, and notice is to be made of the potential for a project to go into production.

Read more of this post

Getting Started With OTAs (Part 1 of 2)

By Troy Fortune, VP and General Manager

An OTA (Other Transaction Authority) can be a powerful alternative to a traditional contract vehicle. OTAs have been in use for years but they have become more popular since Congress relaxed rules and restrictions. In fact, Bloomberg reports that government spending on OTAs increased almost eight-fold from FY15-FY19, from $1B to $7.8B. This includes all OTAs, not just for information technology solutions.

OTAs can provide a rapid way to deliver solutions the government needs. This can be an especially valuable tool for government to acquire technology from companies that may offer cutting edge or emerging technologies but are not set up to do business with the government.

The speed with which OTAs can be executed is a real benefit. On its website, DOD cited  the example of how the Air Mobility Command was able to “take a requirement and turn it into a product in just 95 days, when the process might normally take more than a year to complete.”

Many of our suppliers have asked for our help in understanding how OTAs work and how to navigate the process. Here is some basic information to get you thinking about whether or not this might be something your company should pursue. Read more of this post

DOD ESI BPAs: What CETA Is and Why It Is Important

By Derek Giarratana, Supplier Manager

Many of you are familiar with DOD ESI BPAs, but you’re probably not as familiar with the CETA designation and what it means.

Only one vendor has received the CETA designation thus far. Recently, the Navy PEO-EIS designated the Tanium DOD ESI BPA, held by immixGroup, as the first DOD Core Enterprise Technology Agreement (CETA). The CETA designation means that this purchasing vehicle is mandatory for all DOD customers who want to procure Tanium products and services.

DOD Enterprise Software Initiative

Before we dive into CETA and what it means for DOD procurement, let’s briefly talk about the DOD ESI program, managed by the PMW 290 Project Office. Read more of this post

%d bloggers like this: