
Shelley Hall


1 Shelley Hall
32 years in Department of Defense (retired Nov 2015)
USAF (AFMC and AFSPC)
Held unlimited Contracting Officer's warrant for 23 years
Community Relations and Content Manager for Skyway
Expertise in services and supplies, Federal Supply Schedules, pre- and post-award, simplified acquisition to large-dollar technically complex source selections, Foreign Military Sales, and commercial and non-commercial

2 Skyway Insight© Webinar
Training From Contracting Officers
Topic: Cyber Compliance
Host: Shelley Hall
May

3 Agenda
What Makes IT Different?
FAR Requirements
FAR Clause
DFARS Requirement
DFARS Clauses
Final words

4 What Makes IT Different?

5 What Makes IT Different?
It is constantly changing
It cannot be controlled
It is everywhere
It is vulnerable
It is crucial to the government

6 FAR Requirements

7 FAR 39 – Acquisition of Information Technology
There are a LOT of things to consider:
Security of resources, protection of privacy, national security and emergency preparedness, accommodations for individuals with disabilities, and energy efficiency;
Electronic Product Environmental Assessment Tool (EPEAT®) standards;
Policies to enable power management, double-sided printing, and other energy-efficient or environmentally preferable features on all agency electronic products;
Best management practices for energy-efficient management of servers and Federal data centers.

8 FAR 39 – Acquisition of Information Technology (cont'd)
There are a LOT of things to consider:
When developing an acquisition strategy, COs should consider the rapidly changing nature of information technology through market research and the application of technology refreshment techniques.
Must include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology's website at
When acquiring information technology using Internet Protocol, agencies must include the appropriate Internet Protocol compliance requirements.

9 FAR Requirements – What about Risk?
Agency must analyze risks, benefits, and costs. Reasonable risk taking is appropriate if risks are controlled and mitigated.
Contracting and program office officials are jointly responsible for assessing, monitoring and controlling risk.
Types of risk may include schedule risk, risk of technical obsolescence, cost risk, risk implicit in a particular contract type, technical feasibility, dependencies between a new project and other projects or systems, the number of simultaneous high-risk projects to be monitored, funding availability, and program management risk.
Appropriate techniques to manage and mitigate risk include: prudent project management; use of modular contracting; thorough acquisition planning tied to budget planning by the program, finance and contracting offices; continuous collection and evaluation of risk-based assessment data; prototyping prior to implementation; post-implementation reviews to determine actual project cost, benefits and returns; and focusing on risks and returns using quantifiable measures.

10 What about IT Services?
When acquiring information technology services, solicitations must not describe any minimum experience or educational requirement for proposed contractor personnel unless the CO determines that the needs of the agency—
Cannot be met without that requirement; or
Require the use of other than a performance-based acquisition.

11 FAR Clause

12 FAR Clause 52.239-1 – Privacy or Security Safeguards
As prescribed in , insert a clause substantially the same as the following:
Privacy or Security Safeguards (Aug. 1996)
(a) The Contractor shall not publish or disclose in any manner, without the Contracting Officer's written consent, the details of any safeguards either designed or developed by the Contractor under this contract or otherwise provided by the Government.
(b) To the extent required to carry out a program of inspection to safeguard against threats and hazards to the security, integrity, and confidentiality of Government data, the Contractor shall afford the Government access to the Contractor's facilities, installations, technical capabilities, operations, documentation, records, and databases.
(c) If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.

13 DFARS Requirements

14 DFARS 239 (where it becomes more complicated)
“Information assurance,” means measures that protect and defend information, that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed, and information systems, by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.

15 DFARS 239 (where it becomes more complicated) (cont'd)
Agencies shall ensure that information assurance is provided for information technology in accordance with current policies, procedures, and statutes, to include—
The National Security Act;
The Clinger-Cohen Act;
National Security Telecommunications & Information Systems Security Policy No. 11;
Federal Information Processing Standards;
DoD Directive , Information Assurance;
DoD Instruction , Information Assurance Implementation;
DoD Directive , Cyberspace Workforce Management; and
DoD Manual M, Information Assurance Workforce Improvement Program.

16 DFARS 239 (where it becomes more complicated) (cont'd)
For all acquisitions, the requiring activity is responsible for providing to the contracting officer—
Statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection;
Inspection and acceptance contract requirements; and
A determination as to whether the information technology requires protection against compromising emanations.

17 DFARS 239 (where it becomes more complicated) (cont'd)
For acquisitions requiring information assurance against compromising emanations, the requiring activity is responsible for providing to the contracting officer—
The required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority;
The required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused);
Inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards; and
A date through which the accreditation is considered current for purposes of the proposed contract.

18 Information assurance contractor training and certification
For acquisitions that include information assurance functional services for DoD information systems, or that require any appropriately cleared contractor personnel to access a DoD information system to perform contract duties, the requiring activity is responsible for providing to the contracting officer—
A list of information assurance functional responsibilities for DoD information systems by category (e.g., technical or management) and level (e.g., computing environment, network environment, or enclave); and
The information assurance training, certification, certification maintenance, and continuing education or sustainment training required for the information assurance functional responsibilities.

19 Information assurance contractor training and certification (cont'd)
After contract award, the requiring activity is responsible for ensuring that the certifications and certification status of all contractor personnel performing information assurance functions as described in DoD M, Information Assurance Workforce Improvement Program, are in compliance with the manual and are identified, documented, and tracked.
The responsibilities specified apply to all DoD information assurance duties supported by a contractor, whether performed full-time or part-time as additional or embedded duties, and when using a DoD contract, or a contract or agreement administered by another agency (e.g., under an interagency agreement).
See PGI for guidance on documenting and tracking certification status of contractor personnel, and for additional information regarding the requirements of DoD M.

20 DFARS Clauses

21 DFARS Clauses
252.239-7000 Protection Against Compromising Emanations.
Information Assurance Contractor Training and Certification.
Access.
Reserved.
Orders for Facilities and Services.
Rates, Charges, and Services.
Tariff Information.
Cancellation or Termination of Orders.
Reuse Arrangements.
Representation of Use of Cloud Computing.

22 DFARS Clauses (cont'd)
Cloud Computing Services.
Special Construction and Equipment Charges.
Title to Telecommunication Facilities and Equipment.
Obligation of the Government.
Term of Agreement.
Continuation of Communication Service Authorizations.
Telecommunications Security Equipment, Devices, Techniques, and Services.
Notice of Supply Chain Risk.
Supply Chain Risk.

23 Cloud Computing
"Cloud computing" means a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This includes other commercial terms, such as on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. It also includes commercial offerings for software-as-a-service, infrastructure-as-a-service, and platform-as-a-service.

24 Cloud Computing (cont’d)
DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and an agency’s needs. Some examples of commercial terms and conditions are license agreements, End User License Agreements (EULAs), Terms of Service (TOS), or other similar legal instruments or agreements. Contracting officers shall incorporate any applicable service provider terms and conditions into the contract by attachment or other appropriate mechanism. Contracting officers shall carefully review commercial terms and conditions and consult counsel to ensure these are consistent with Federal law, regulation, and the agency’s needs.

25 Cloud Computing (cont’d)
Required storage of data within the United States or outlying areas. Cloud computing service providers are required to maintain within the 50 states, the District of Columbia, or outlying areas of the United States, all Government data that is not physically located on DoD premises, unless otherwise authorized by the authorizing official. The contracting officer shall provide written notification to the contractor when the contractor is permitted to maintain Government data at a location outside the 50 States, the District of Columbia, and outlying areas of the United States.

26 Recent Updates

27 Recent Updates
Opportunities for Improving Acquisitions and Operations (GAO Report released April 17, 2017)
Recommendation included: Strengthen the Federal Information Technology Acquisition Reform Act (FITARA)
Improving CIO authorities
Budget formulation
Governance
Workforce
Operations
Transition planning

28 Final Words

29 Final Words
The Federal Government does not like things it can't control – like IT
Expect more and more emphasis on regulations that further restrict IT products and services
IT products and services are NORMALLY purchased using mandatory source IDIQs, GWACs, MACs, GSA (is this the best way to purchase them?)
Fight the good fight. If you are providing IT products or services, protest procurements that unfairly restrict true competition (you may not win, but your voice will be heard).

30 Skyway Acquisition Solutions, LLC
Shelley Hall

