Shelley Hall

Presentation transcript:

Shelley Hall
32 years in Department of Defense (retired Nov 2015)
USAF (AFMC and AFSPC)
Held unlimited Contracting Officer’s warrant for 23 years
Community Relations and Content Manager for Skyway
Expertise in services and supplies, Federal Supply Schedules, pre- and post-award, simplified acquisition to large-dollar technically complex source selections, Foreign Military Sales, and commercial and non-commercial

Skyway Insight© Webinar
Training From Contracting Officers
Topic: Cyber Compliance
Host: Shelley Hall
May 11, 2017

Agenda
What Makes IT Different?
FAR Requirements
FAR Clause
DFARS Requirements
DFARS Clauses
Final Words

What Makes IT Different?

What Makes IT Different?
It is constantly changing
It cannot be controlled
It is everywhere
It is vulnerable
It is crucial to the government

FAR Requirements

FAR 39 – Acquisition of Information Technology
There are a LOT of things to consider:
Security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency;
Electronic Product Environmental Assessment Tool (EPEAT®) standards;
Policies to enable power management, double-sided printing, and other energy-efficient or environmentally preferable features on all agency electronic products;
Best management practices for energy-efficient management of servers and Federal data centers.

FAR 39 – Acquisition of Information Technology (cont’d)
There are a LOT of things to consider:
When developing an acquisition strategy, COs should consider the rapidly changing nature of information technology through market research and the application of technology refreshment techniques.
Must include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s website at http://checklists.nist.gov.
When acquiring information technology using Internet Protocol, agencies must include the appropriate Internet Protocol compliance requirements.

FAR Requirements - What about Risk?
Agency must analyze risks, benefits, and costs. Reasonable risk taking is appropriate if risks are controlled and mitigated.
Contracting and program office officials are jointly responsible for assessing, monitoring and controlling risk.
Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk implicit in a particular contract type, technical feasibility, dependencies between a new project and other projects or systems, the number of simultaneous high-risk projects to be monitored, funding availability, and program management risk.
Appropriate techniques to manage and mitigate risk include: prudent project management; use of modular contracting; thorough acquisition planning tied to budget planning by the program, finance and contracting offices; continuous collection and evaluation of risk-based assessment data; prototyping prior to implementation; post-implementation reviews to determine actual project cost, benefits and returns; and focusing on risks and returns using quantifiable measures.

What about IT Services?
When acquiring information technology services, solicitations must not describe any minimum experience or educational requirement for proposed contractor personnel unless the CO determines that the needs of the agency—
Cannot be met without that requirement; or
Require the use of other than a performance-based acquisition.

FAR Clause

FAR Clause 52.239-1 -- Privacy or Security Safeguards.
As prescribed in 39.106, insert a clause substantially the same as the following:
Privacy or Security Safeguards (Aug. 1996)
(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer’s written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor’s facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

DFARS Requirements

DFARS 239 (where it becomes more complicated)
“Information assurance,” means measures that protect and defend information, that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed, and information systems, by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

DFARS 239 (where it becomes more complicated) (cont’d)
Agencies shall ensure that information assurance is provided for information technology in accordance with current policies, procedures, and statutes, to include—
The National Security Act;
The Clinger-Cohen Act;
National Security Telecommunications & Information Systems Security Policy No. 11;
Federal Information Processing Standards;
DoD Directive 8500.1, Information Assurance;
DoD Instruction 8500.2, Information Assurance Implementation;
DoD Directive 8140.01, Cyberspace Workforce Management; and
DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program.

DFARS 239 (where it becomes more complicated) (cont’d)
For all acquisitions, the requiring activity is responsible for providing to the contracting officer—
Statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection;
Inspection and acceptance contract requirements; and
A determination as to whether the information technology requires protection against compromising emanations.

DFARS 239 (where it becomes more complicated) (cont’d)
For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer—
The required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority;
The required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused);
Inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards; and
A date through which the accreditation is considered current for purposes of the proposed contract.

Information assurance contractor training and certification
For acquisitions that include information assurance functional services for DoD information systems, or that require any appropriately cleared contractor personnel to access a DoD information system to perform contract duties, the requiring activity is responsible for providing to the contracting officer—
A list of information assurance functional responsibilities for DoD information systems by category (e.g., technical or management) and level (e.g., computing environment, network environment, or enclave); and
The information assurance training, certification, certification maintenance, and continuing education or sustainment training required for the information assurance functional responsibilities.

Information assurance contractor training and certification (cont’d)
After contract award, the requiring activity is responsible for ensuring that the certifications and certification status of all contractor personnel performing information assurance functions as described in DoD 8570.01-M, Information Assurance Workforce Improvement Program, are in compliance with the manual and are identified, documented, and tracked.
The responsibilities specified apply to all DoD information assurance duties supported by a contractor, whether performed full-time or part-time as additional or embedded duties, and when using a DoD contract, or a contract or agreement administered by another agency (e.g., under an interagency agreement).
See PGI 239.7102-3 for guidance on documenting and tracking certification status of contractor personnel, and for additional information regarding the requirements of DoD 8570.01-M.

DFARS Clauses

DFARS Clauses
252.239-7000 Protection Against Compromising Emanations.
252.239-7001 Information Assurance Contractor Training and Certification.
252.239-7002 Access.
252.239-7003 Reserved.
252.239-7004 Orders for Facilities and Services.
252.239-7005 Rates, Charges, and Services.
252.239-7006 Tariff Information.
252.239-7007 Cancellation or Termination of Orders.
252.239-7008 Reuse Arrangements.
252.239-7009 Representation of Use of Cloud Computing.

DFARS Clauses (cont’d)
252.239-7010 Cloud Computing Services.
252.239-7011 Special Construction and Equipment Charges.
252.239-7012 Title to Telecommunication Facilities and Equipment.
252.239-7013 Obligation of the Government.
252.239-7014 Term of Agreement.
252.239-7015 Continuation of Communication Service Authorizations.
252.239-7016 Telecommunications Security Equipment, Devices, Techniques, and Services.
252.239-7017 Notice of Supply Chain Risk.
252.239-7018 Supply Chain Risk.

Cloud Computing
“Cloud computing” means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.

Cloud Computing (cont’d)
DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and an agency’s needs. Some examples of commercial terms and conditions are license agreements, End User License Agreements (EULAs), Terms of Service (TOS), or other similar legal instruments or agreements.
Contracting officers shall incorporate any applicable service provider terms and conditions into the contract by attachment or other appropriate mechanism.
Contracting officers shall carefully review commercial terms and conditions and consult counsel to ensure these are consistent with Federal law, regulation, and the agency’s needs.

Cloud Computing (cont’d)
Required storage of data within the United States or outlying areas.
Cloud computing service providers are required to maintain within the 50 states, the District of Columbia, or outlying areas of the United States, all Government data that is not physically located on DoD premises, unless otherwise authorized by the authorizing official.
The contracting officer shall provide written notification to the contractor when the contractor is permitted to maintain Government data at a location outside the 50 States, the District of Columbia, and outlying areas of the United States.

Recent Updates

Recent Updates
Opportunities for Improving Acquisitions and Operations (GAO Report released April 17, 2017)
Recommendations included:
Strengthen the Federal Information Technology Acquisition Reform Act (FITARA)
Improving CIO authorities
Budget formulation
Governance
Workforce
Operations
Transition planning

Final Words

Final Words
The Federal Government does not like things it can’t control – like IT
Expect more and more emphasis on regulations that further restrict IT products and services
IT products and services are NORMALLY purchased using mandatory source IDIQs, GWACs, MACs, GSA (is this the best way to purchase them?)
Fight the good fight. If you are providing IT products or services, protest procurements that unfairly restrict true competition (you may not win, but your voice will be heard).

Skyway Acquisition Solutions, LLC
Shelley Hall
Email: shelley.hall@skywayacquisition.com
www.skywayacq.com