CDM Updates to Product Listing Requirements

By Amanda Mull, contract specialist

The federal Continuous Diagnostics and Mitigation (CDM) program includes cybersecurity tools and sensors that are reviewed by the program for conformance with Section 508, federal license users and CDM technical requirements. Manufacturers are encouraged to update, refresh and add new and innovative tools to the CDM Approved Products List (APL).

To maintain currency with federal requirements and the constant evolution of the cyber/IT landscape, the CDM APL product submission requirements have been revised several times in FY2021.

The most recent updates reflect heightened security policies and protocols required for a more mobile workforce. Others support the full realization of the federal CDM Dashboard expected by year-end. The CDM Dashboard is intended to gauge agency cybersecurity posture. It also monitors the achievement of directives meant to raise the overall level of security and privacy in cyber/IT tools and technology across the federal government.

There have been several recent updates to CDM Common Requirements for Approved Product Listings (APL):


CDM IPv6 compliance plans due July 6: Why the technology matters

By Amanda Mull, contract specialist

As I mentioned in my previous blog, there have been some changes to CDM. The Cybersecurity and Infrastructure Security Administration (CISA) announced recently that the common requirements for the Continuous Diagnostics and Mitigation (CDM) Program had been updated to align with the extended compliance schedule published in the Office of Management and Budget (OMB) Memorandum 21-07 (M-21-07).

By FY2023, all federal information systems must be Internet Protocol version 6 (IPv6) enabled. This is an important policy move for acquiring information technology (IT) products and services contained in Federal Acquisition Regulation (FAR) 11.002.

On June 4, CISA directed suppliers with CDM-approved products suspected of not being natively IPv6 compliant to provide proof of capability or a plan for becoming compliant by July 6, 2021. CISA will conditionally approve products that are not fully IPv6 compliant, provided applicants submit an acceptable plan detailing how their products will become fully operational in an IPv6-only network by the end of FY2023. CISA intends to perform periodic progress checks on accepted plans.


CDM: More relevant than ever

By Amanda Mull, contract specialist

With the recent incidents involving ransomware and other serious data breaches, security remains a top priority in federal IT.

It’s been some time since we published our last blog on CDM, so to keep our channel partners and suppliers up to date on recent changes, in the coming weeks we will be publishing a series of CDM-related blogs.

In this, our first blog, we provide some basic information and discuss a recent leadership change. Future blogs will cover the federal CDM Dashboard, IPv6 compliance, updates to common requirements and the future of the CDM SIN.

Here are some of the basics about the program:

Continuous Diagnostics and Mitigation Program

The CDM Program was developed in 2012 to support government-wide and agency-specific efforts to provide risk-based, consistent, and cost-effective cybersecurity solutions to protect federal civilian networks across all organizational tiers.


What is CMMC?

By Jeff Ellinport, Division Counsel

Although CMMC has been around for more than a year, it never hurts to review what it is and why those who sell into DOD and the rest of the federal government should care.

CMMC stands for Cybersecurity Maturity Model Certification and is a new certification process to measure a company’s ability to protect sensitive government data. It is a unified standard for implementing cybersecurity across the defense industrial base. CMMC is a way for DOD — and soon after, probably civilian agencies as well — to address intellectual property theft, cybercrime and national security threats of the type evidenced by the recent SolarWinds attack.

Once fully implemented, CMMC will be an acquisition foundation, required for almost every contractor transacting business with the U.S. government.

CMMC Maturity Levels

CMMC has five maturity levels, ranging from basic cybersecurity hygiene at Level 1 to very robust requirements at Level 5. These certification levels reflect the maturity and reliability of a company’s cybersecurity infrastructure in safeguarding sensitive government information on contractors’ information systems. The five levels build upon each other’s technical requirements: each level requires compliance with the lower-level requirements, plus implementation and documentation of additional processes employing more rigorous cybersecurity practices.


2020: A Year of Continued Government Contract Growth for immixGroup

By Adam Hyman, Director, Government Programs

2020 will certainly be a memorable year for the obvious reasons. It was also a busy year for government contractors with a host of new government regulations, initiatives and opportunities for new contract vehicles. At immixGroup, we kept very busy throughout the year acquiring new vehicles – both federal and SLED – to support our suppliers’ and partners’ go-to-market strategies and to enable their efficient revenue growth.

Protecting Our Base

During this past year, immixGroup first ensured that we maintained the contracts we currently hold, which are critical to our suppliers’ and partners’ success. On the federal side, immixGroup finalized an extension to one of its largest contracts, NASA SEWP V, for an additional, and final, 5-year period.

Additionally, immixGroup executed extensions to its Army ITES-SW contract to avoid lapse in coverage while the Army finalized awards for its follow-on contract. immixGroup also executed extensions to some of its various DoD ESI Agreements and several SLED contracts, including Pennsylvania COSTARS, State of Oklahoma, and one of its CMAS contracts.


GSA Unpriced Schedules – A Welcome Change Is Coming

By Jeff Ellinport, Division Counsel

The General Services Administration (GSA) might soon make a shift in federal procurement from contract-level pricing to order-level competition. That’s good for vendors because it could reduce the time it takes to get products on contract.

The Advance Notice of Proposed Rulemaking for Section 876 of the 2019 National Defense Authorization Act (Pub. L. 115-232) was issued by GSA on August 19. It allows GSA to implement “unpriced schedules.” On Oct. 20, GSA kicked off the first of several industry “listening sessions” on how best to implement this authority.

Currently, before a GSA Schedule contract is awarded or new items added to an existing one, GSA contracting officers determine fair and reasonable prices of supplies or services (fixed price or hourly). Negotiation follows after offerors submit various data, information and documentation to support their pricing.


2020 Federal Contracts: A Busy Year for New Regulations and Initiatives

By Hollie Kapos, Corporate Counsel

With all that happened in 2020, it was easy to miss some of the new regulations and initiatives impacting government contractors. This blog summarizes the key updates immixGroup has been tracking that are particularly relevant to commercial item contracting.

January-Current

GSA MAS Consolidation. Twenty-four former GSA Schedules, each for different supplies and services, were consolidated into a single schedule. We started the year in Phase II of the GSA MAS Consolidation, which was the process of updating terms and conditions to reflect the new solicitation. Phase II was completed in July, with 99% of contractors signing the mass modification. Under Phase III, which began in August, multiple vendor contracts will be consolidated into single contracts.

CMMC Interim Rule Includes New Compliance Requirements

By Hollie Kapos, Corporate Counsel

You never know what surprises will pop up in the last few days of the government’s fiscal year, and this year there was a big one with the Interim Rule implementing DOD’s Cybersecurity Maturity Model Certification (CMMC).

The Interim Rule (“IR”), published on September 29, 2020 and effective as of November 30, 2020, adds the widely anticipated new DFARS clause for inclusion in DOD contracts implementing CMMC: 252.204-7021 (Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement). No surprise there.

But the IR unexpectedly came with two additional clauses, DFARS 252.204-7019 (Notice of NIST SP 800-171 DOD Assessment Requirements) and DFARS 252.204-7020 (NIST SP 800-171 DOD Assessment Requirements), which require the immediate attention of federal contractors and their subs.

GSA’s VPP: Why You Should Care

By Tara Franzonello, GSA Programs Consultant

GSA is beginning Phase I of its Verified Products Portal (VPP), targeting OEMs and wholesalers, with a goal to have the portal up and running in 2021. Why should OEMs, distributors or resellers care? Simple: If you don’t do VPP right, you could cause problems both for you and your supply chain.

The VPP is intended to host authoritative product content — standardized manufacturer names and part numbers, for example – to improve GSA’s supply chain risk management, as well as the customer experience. This information ideally would be provided directly by OEMs, although resellers and distributors can also create VPP profiles.

Besides product specifications, the VPP will accommodate other information such as photos and pricing data. OEMs will be able to use the portal to authorize and deauthorize products and resellers in real time, which could eliminate the need for resellers to provide letters of supply.

CMMC – Will the COTS Exception Apply to Me?

By Jeff Ellinport, Division Counsel

CMMC, DOD’s Cybersecurity Maturity Model Certification, will require almost all government contractors doing business with the Department of Defense to be independently certified by a third party as meeting one of five cybersecurity standards. This requirement will apply to every link in the government’s supply chain – including OEMs, distributors and resellers.

To the relief of many contractors, DOD updated its CMMC FAQs a few months ago to provide this exception (the only one so far): CMMC certification will not be required for companies that only provide commercial off-the-shelf (COTS) items.

Under NIST SP 800-161, COTS is defined as “Software and hardware that already exists and is available from commercial sources.” Under FAR 2.101, COTS means any item of supply, other than real property, that is:
