
Your Elevator Pitch Needs Work


… or you wouldn’t be reading this.

Yes, you. The “small, woman-owned company established in 2008, located in Alexandria, VA, that prides itself on excellent customer service and always striving to do best for our clients”. Because if that sounds like you, you just wasted 20 seconds of everybody’s time for no good reason.

A truly great elevator pitch takes planning, practice, and precision. Especially in government contracting, where industry events are comprised of many companies of similar industries, you need to stand out, or you may as well be invisible.  Here’s what I mean:

  1. Planning. Know your audience.  Who is going to be in the room? What is the key takeaway you want them to remember? How will your 30-second opportunity set you apart from everyone else?  The point of the elevator pitch is to spark the listeners’ interest, not to pre-emptively answer all their questions.  Naturally, your elevator pitch will be different in an open forum, in a 1-on-1 with a government agency, a potential teaming partner, or a banker.
  2. Practice. Every time you say “umm” or “you know” or “as I said” – you’re stealing seconds from your allotted time; losing the listeners’ attention; and killing your credibility as an expert.  Know what you will say ahead of time. Run it by a few people – a family member, friend, partner, a PTAP or SBDC counselor.  Be sure to test on people that don’t know the technical specifics of what you do, because if you’re speaking in code (or jargon), your customers may not understand what you’re saying.
  3. Precision. What are the key elements you want to convey that would make your listener want to ask you more questions?  Look at a few templates for constructing the pitch. You can start with this guide or this one. A generic, one-size-fits-all blurb will fit no one. An appeal targeted specifically for the present audience will be more productive.

 

 

Posted in: Uncategorized


Civilian Agency Micro Purchase Threshold Increased to $10,000


The FY2018 NDAA increases the Micro Purchase threshold to $10,000 (from $3,000).  The total Simplified Acquisitions Purchase (SAP) threshold is now $250,000 (from $150,000).

This can be a gamechanger for small businesses trying to get a “foot in the door” with federal agencies; government customers now have a streamlined, simplified mechanism to award contracts.  Micropurchases are small business set-asides by default.

Read the Civilian Agency Acquisition Council memorandum to agencies – Appendix 2 outlines which FAR clauses are affected by the change.

A great summary and explanation by Matthew Moriarty at SmallGovCon Law

Note: the FAR has not been updated yet, so agencies have to use a “class deviation” to avail themselves of the newly adjusted ceilings.

Currently, here’s the summary according to the SBA

 

Posted in: Uncategorized


Are your NIGP Codes valid? (Commonwealth of Virginia Vendors)


Virginia Department of Small Business and Supplier Diversity (SBSD) reviewed the list of certified and pending Small, Women, and/or Minority (SWAM)  companies. They issued a letter to businesses who had an invalid NIGP code (one ending with 000) – the number ending in ‘triple zero’ is a category and not an actual code.  Any invalid code(s)/description(s) will be deleted from your profile by February 23rd.

To locate proper NIGP Codes for your company, click here.

EXISTING SWAM Certified Companies: The letter includes instructions on updating your NIGP Codes.

APPLICATIONS PENDING Companies:  Do NOT change the NIGP codes in the electronic application at this point.  Doing so will reset the submitted date of the application and cause the 60-business-day waiting period to restart.  To correct the codes, fill out the SWAM notice of change form and send it to SBSD, and the agency will update the codes.

Posted in: Uncategorized


Dept. of Navy Rapid Innovation Fund (RIF) program update


***********************************************

January 2018 update on the Dept. of Navy Rapid Innovation Fund (RIF) program:  Good news especially for small, innovative companies who want to perform final development and testing and sell the resulting product to the DOD:  Section 213 of the FY17 NDAA removed the RIF program sunset clause, providing permanent authority for the program.  While the FY18 defense appropriation is still pending, and a RIF plus up is necessary, OSD is gearing up for an FY18 RIF BAA in the Feb/March 2018 timeframe, which will include topics from all the defense services.  Typical service-wide RIF funding available is $200-250M.  The full BAA schedule and latest info is at http://www.defenseinnovationmarketplace.mil/rif.html.

 

Government TPOCs can talk openly now; communications become restricted upon BAA release.  Historically, about 2/3 of Dept. of Navy RIF awards go to fund projects which derive from the SBIR program.  It’s easy to apply for RIF (three page white paper + quad chart), but the competition is quite fierce (~4% of white papers result in a full proposal invite).  Interested companies may want to review the FY17 BAA-Amendment 2 (Dept. of Navy topics on pages 45-69) now as many of the topics represent persistent Dept. of Navy needs.  This National Defense Magazine article provides sound advice.

***********************************************

Brenda Pickett
Director, Office of Small Business Programs
Office of Naval Research
875 North Randolph St.
ONR Code: 00SB
Attention: Brenda Pickett
Arlington, VA 22203-1995
Tele: 703-696-2607
Email: brenda.pickett@navy.mil

Posted in: Press Releases


Should You Bother with a Capabilities Statement?


Spend enough time at matchmaking events, industry days, networking events and conferences in the #GovCon world, and one could amass quite a collection of Capabilities Statements.  If one were into collecting them.  Which I am:

The capabilities (or capability) statement is your business’s resume; as such, it needs to combine the technical skillset you’re offering with an attractive format that would cause a neutral third party to pick it up and glance at it.  There are plenty of resources (APTAC, HHS, SAP&DC) who will tell you what to put in it.  ISI Federal lays it out in a graphical format. FDIC has a whole slide deck.  I’d like to take you through a slightly different analysis:

“Who [or what] is it for?”

  1. Fitting in. I have seen more than one Small Business professional, representing government and prime contractors, ask for a capabilities statement right at the start of a conversation at a matchmaking event.  If you don’t have that, it looks like the dog ate your homework.  Not the first impression you were going for.
  2. Benefits and Features. A quick glance at a well-constructed capabilities statement will give your reader an understanding of how your services or products will help them solve a problem in their organization. As such, it should highlight the results of your work, defining what you do with enough specificity to enable an informed buyer to be impressed.  If you can’t think of any way to impress or stand out, you probably shouldn’t be competing in the first place.
  3. Category box-checker. All the socio-economic and small business statuses and certifications need to be there for easy reference, as well as your location, contact info, vendor (SAM / CAGE) numbers, NAICS codes, and any contract numbers that your customer may care about.  Sometimes capabilities statements are a component of market research – help your customers make the case for a set-aside (without repeatedly bashing them over the head with your status).
  4. Conversation re-starter. It’s on you to follow up to any great meeting to grow a relationship and turn a spark of interest into a true business lead. As such, a solid capabilities statement could be a good follow-up email attachment, for reference & recollection.  An electronic document, properly labeled and formatted, also makes it easier for your customer to store it and refer to it as necessary.

Is your one-pager ready for prime time?  Make sure you’re not guilty of any egregious “Don’ts”. Keep your customer paramount in your mind when you’re writing and designing: will she want to pick it up? Read it? Share it?  Do you even know who your customer is? If not, do your homework first.

And if you would like some help, contact your local PTAP / PTAC. We’ve got our red pens at the ready.

 

Posted in: Resources


NIST and DFARS and Cyber Compliance! (oh my)


You have doubtless heard and read all about the looming requirement for all Department of Defense government contractors to become compliant with Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards derived from NIST SP 800-171 Rev 1 by Dec 31, 2017, or else risk losing their contracts.  DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, will be a mandatory clause in all contracts except for contracts solely for the acquisition of COTS items.

This requirement applies to any DoD Contractor, subcontractor, and supplier ALL THE WAY DOWN THE SUPPLY CHAIN that processes, stores, or transmits Controlled Unclassified Information (CUI). Not just security contractors. Not just companies that have clearances. Not even just IT contractors.  If you have a landscaping business and you are performing work at a DOD facility, and have access to blueprints that are or may be considered CUI, you’re subject to this requirement.  CUI includes the categories outlined in the NARA CUI Registry, but as you can probably imagine, is not limited to that. Your government customer can identify additional categories and data, and you, as a contractor, should err on the safe side and identify potential CUI so that you can protect and segregate it just in case.

Note: civilian contractors are not subject to this requirement (there are only 15 security controls outlined in FAR part 52.204-21 compared to 109 in the DFARS clause), but that may be changing to synthesize the compliance requirements to the more complete set that the DOD/DFARS adopted.

Ultimately, it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information).  Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.

The protections required to protect government information are dependent on the information DoD is protecting and the kind of system on which the information is processed or stored.

There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements.  For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution.

Some resources and tools to help you determine whether you’re subject to the requirement, and what you can do next:

  1. DOD Office of Small Business Cyber resources and news – especially the 49-minute video and the presentation slides
  2. DOD Procurement Toolbox – Cyber security section (including how to approach evaluating each requirement)
  3. Georgia Tech PTAC 20-min Instructional Video
  4. A handy presentation [from a law firm] that translates the major requirements into easy-to-understand terms
  5. The Safeguarding Covered Defense Information one-pager to ease you into the basics.
  6. The Cybersecurity Evaluation Tool (CSET) that provides a systematic approach for evaluating an organization’s security posture through a step-by-step process to evaluate their control system and information technology network security practices.  The tool will allow you to select a standard (e.g. NIST SP 800-171) – and CSET will generate specific questions to those requirements and present you with assessment results.
  7. A  Self-assessment guide when you’re ready for the deep dive
  8. OSD Memorandum: DPAP Guidance for DoD Acquisition Personnel that instructs DOD buyers how to implement and evaluate vendor cyber compliance (and since it’s going to be an evaluation factor in source selection, you need to know what your customers expect).
  9. For subcontractor and supplier reference – Lockheed Martin’s notice to its supply chain that you may find informative and applicable regardless of who your prime is.
  10. And if you heard the rumors of possible delay and were wondering if they have merit — sadly, no.

PTAP counselors can help you walk through these steps. While we’re not technical experts on network security, we could help you walk through the self-assessment and determine what steps you need to take to bring your business up to compliance.

Update (submitted by David Dempsey, Dempsey Fontana, PLLC): This past Tuesday (April 24th 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012.  Attached are pdf copies of the Federal Register notice plus the two documents referenced in the notice.

PTAP has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated.  The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement.  For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NIST 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”).  DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.

More importantly, and as highlighted during the presentations sponsored by PTAP, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems.  Specifically, the draft guidance states that RFPs must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.

Update (submitted by David Dempsey, Dempsey Fontana, PLLC): Earlier this morning (June 7th, 2018), NIST’s Computer Security Resource Center (“CSRC”) distributed its fourth revision of NIST SP 800-171 (second one for 2018). See https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final. As of today, the proper reference to “NIST-171” is NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, rev. 1 (December 2016) (updated June 7, 2018) or “NIST SP 800-171, r1 (updated through June 7, 2018).” According to the “errata sheet” the CSRC has made approximately 72 “substantive” changes to NIST-171.  Presumably, DOD will revise the link currently set forth in DFARS 252.202-7012 and bring the DFARS clause up to date.

The CSRC also published today three supplemental documents to NIST-171 (available at the above link):

All previous attendees should also be made aware of DOD’s proposed priorities for NIST-171 implementation (see 83 Fed. Reg. 17807 (April 24, 2018) and follow instructions on p. 17808) and the NIST requirements (identified by ¶ number in an Attachment to the slides presented at those seminars).  Moreover, DOD’s updated FAQs on NIST-171 implementation (dated April 2, 2018) should be reviewed in the context of today’s revised NIST-171 – see FAQs updated April 2, 2018.

Also included with today’s CSRC announcement regarding NIST-171 is the second draft of NIST SP 800-171A entitled “Assessing Security Requirements for Controlled Unclassified Information” (Final Draft) (February 2018).  (This document is also available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.) The introduction to CSRC’s “assessment” document states that it “is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Posted in: Uncategorized


Department of Defense Waiving SAM registration requirements for emergency response vendors


Due to the emergency situation caused by the hurricanes, contracting offices are using authority to waive the requirement for SAM registration in purchases that directly support the emergency response.  If you’re helping a vendor who is not yet registered in SAM but needs a CAGE code, the expedited process instructions are below. 

(information on selling to disaster response agencies)

Subject: Obtaining CAGE codes for vendors responding to the Hurricanes

Hello everyone – obviously we expect that there will be many offices responding to the hurricanes with emergency purchases where SAM registration is waived per FAR 4.1102(a)(3)(iii) and part 18.102.  We want to get the below instructions out for how you can still help your vendors obtain CAGE codes (if they don’t already have one) that are required per FAR 4.1804 for other than micro-purchase actions:

1 – Go to https://cage.dla.mil

2 – Choose ‘Request or Update a CAGE Code’ and hit Begin on the next page

The user will then be taken through a series of pages where they provide the data necessary to set up a CAGE code, but before they get to those elements, they have to answer a few more questions.  In order for the CAGE website not to just direct them to go register in SAM, the users need to answer exactly as follows:

  1. Question – Do you have a registration for this same entity in process at System for Award Management (SAM)?  Answer – No
  2. Question – Do you plan to receive contract payments or grants from the U.S. Government?  Answer – No
  3. Question – Are you a NON-U.S. entity (government or commercial)?  Answer – No (note – if the entity really is foreign, answer Yes, but realize that the user will be directed to contact his/her home country codification bureau)
  4. Question – Are you requesting a new CAGE Code?  Answer – Yes
  5. Question – Do you have a previous business?  Answer – No
  6. Question – Please choose your Entity Type   Answer either – (1) U.S Commercial Company/Firm, Organization or Government Entity (non-federal) OR (2) Sole Proprietor Business
  7. Question – Please choose a Primary Purpose for this CAGE   Answer – Other
  8. Question – Please describe the primary purpose for this CAGE  Answer – Provide Urgent Hurricane Irma Support (or Harvey or Jose as appropriate)

From here on, the user is just providing their name, address, etc. information.  Should be simple from here.

Be aware – when a user requests a CAGE code be established via this method (instead of through registering in SAM), it goes into manual processing at DLA in Battle Creek.  It’s very important that the user enter ‘hurricane’ in the purpose field after they choose other.  The CAGE team is going to search for that term in each request that comes in and move those to the top to be worked.

For non-GPC actions, it’s important that the vendor get a CAGE code assigned and it be included in the contract when it’s distributed to ensure that their eventual payment is streamlined and not held up for manual action.  Note also that without a valid CAGE code, an action will fail Procurement Data Standard (PDS) validations.

If these are going to be on-going contracts (such as reconstruction), it would behoove the vendors to eventually actually get registered in SAM (they can use the CAGE code that will be assigned in this process when they do so) even if they’re not technically required to do so because the contract was initially exempted due to the emergency.  Being registered in SAM will just make the whole invoicing and payment processes run a bit smoother if the contract lasts for a while.

Lisa Romney, Defense Procurement and Acquisition Policy Office of Acquisition Technology and Logistics

 

Posted in: Resources


Why Am I Here? (At this conference)


I am lucky to attend many a procurement conference.  The piles of business cards, and the expansive collection of branded grocery shopping bags in my car will attest to that.

I go to learn the content, sometimes to speak, and to meet people (and depending on the content of the conference, not necessarily in that order). In fact, defining the business goals for attending – including sponsoring or exhibiting – is essential if you want to avoid wasting your time and money at events that aren’t right for your business. The process goes something like this:

  • Will my customers be there?

There’s nothing more frustrating than going to an event marketed as “Special event for government contractors” and finding 2 government contracting businesses in the room.  Look at past events, peruse the sponsor information, if published. Talk to the organizers. Ask your industry contacts if they think this is a good event.

  • Will my industry influencers be there?

Sometimes you have to see and be seen. If a preeminent industry event is happening and all your competitors are showing up and your absence would loudly proclaim that you’re not paying attention — then you better put on that suit and register before it’s all sold out.  If a customer tells you that they’re putting on an event and expending effort to bring you a program, get their folks to agree to speak, those should all be good signs that your absence won’t go unnoticed.

  • Will my resources /vendors be there?

Some of the events may not be all about you making a sale. Sometimes, you may want to learn about trends in the industry or resources that you can use in your business.  Looking for a legal pro? An event featuring attorney speakers on a particular subject matter may be a quick way to get a question answered – and perhaps a lead on a good attorney you can retain.  Same thing goes for any resource you need: the people putting on events, appearing as subject matter experts tend to be well connected, and may be great resources for your business.

  • Will I learn something useful for my business?

You’re there to learn – so engage, participate, ask questions, take the opportunity to have a word with a speaker (or at least get their card).  You can also make a good impression from the audience if you post / tweet about the event in progress; linking to the speakers’ and organizers’ Twitter handles can get you a few “likes” and “retweets” – building your name recognition and notoriety even as you’re in the audience.

  • Will I do “better” by exhibiting / sponsoring?

If your customers and partners are walking around and you want to get noticed, having an exhibit table is a quick way for them to find you. If you have something that catches their eye and gets them to your table – all the better.  At many conferences, sponsors get advanced marketing, such as social media, print, and website recognition. Bigger events even pre-print giveaways with all the sponsor logos.  Word of caution: if you do decide to exhibit or sponsor an event – make sure you’re ready. Do you have something to give away? (even a capabilities statement and some candy). Do you have a professional-looking presence? Logo, tablecloth, banner…. You don’t want to be over- or under- dressed for the occasion. If you’ve gone to an event before, you know what all the other exhibitors will have. You don’t want to look like you didn’t prepare.  If you’re a first-time attendee to a particular conference, it’s perfectly fine to just attend and make a decision if it’s worth exhibiting the following year.

 

  • Here’s what NOT to do:

  1. Look at your phone the whole time.  You’re there to meet people, right?
  2. Leave your business cards at home.  [I keep a stash in my car for emergencies.]
  3. Leave early.  I know you want to beat the traffic, but I can honestly tell you that government agencies put a lot of work into the industry days and conferences – and find it disappointing when contractors who claim to want to work with them dissipate from the room. I know everyone has multiple commitments; if this event / customer is a priority, commit to it.
  4. Forget to follow up.
  5. Follow up as a mass email to everyone – the best I can assume is that you weren’t paying attention when we spoke. The worst I’m going to assume is that you don’t care that much.
  6. Have unrealistic expectations.  Read the information about the event, the speakers, the sponsors.  Understand their roles and responsibilities with respect to the subject matter, and what kind of information you can learn through the agenda topics, as well as conversations you can engage in.
  7. Fail to read instructions and prepare. Read the registration page carefully. Review driving directions & traffic. Add the event to your calendar. If payment is required, take care of it.
  8. No-show. If you can’t make it, let the organizers know. They would like to have an accurate count for food orders, room capacity, and possibly waitlisted folks.
  9. Take it out on the registration desk.  If there’s a problem, ask to speak to an organizer. The folks at the desk doing check-in probably weren’t at fault for mis-printing your name. Yelling at them is not going to get you the answer you want – but being nice to them can get you what you need.
  • What SHOULD you do?

  1. Participate – strike up conversations, invest in an exhibit opportunity if it makes sense, ask questions in the sessions, if you see a staff person struggling with a heavy object, lend a hand.  There are a myriad ways to make a good impression.
  2. Show up on time.  Early-birds: that means you, too.  There are no gold stars for folks that want to register while the organizers are trying to set up. They’re even more anxious to get started than you are, promise.
  3. Dress professionally for the tone of the conference.  Logo shirts are usually a good idea — but you may want to check to see if attire is “business” – that is, suits required.
  4. If you have special needs, let the organizer know in advance so that we can accommodate you to the fullest extent possible.
  5. Share the love on social media. Post to LinkedIn, Twitter, Facebook any insights or photos. Not only will it give you content, but it will be picked up and shared by organizers and speakers, and you may get a few more followers in the process.
  6. Follow up with folks you want to start building relationships.  Invite them to connect on LinkedIn, invite them out for coffee, ask them a follow-up question about the topic you discussed, bring up a tidbit from a conversation that shows you were genuinely interested in what they had to say.

What have you done at events you attended that made a difference in your business?

Posted in: Resources
