Blog

Archive for Uncategorized

Effective Oct. 26, you must be registered in SAM before you submit a federal bid, proposal or quote

It’s official: If you intend to pursue a federal contract, your business must be registered in the System for Award Management (SAM) before you submit a bid, proposal, or quotation. The new rule that makes this clear goes into effect on October 26, 2018.

Any wiggle room that may have existed in the past has been eliminated. SAM registration is now imperative if you are interested in federal contracting.

It used to be that SAM registration was required before a contract could be awarded. The Federal Acquisition Regulation (FAR) at Subpart 4.1102(a) made that clear. But that requirement was always a bit ambiguous since another provision of the FAR (Subpart 52.204-8(d)) said that bidders and proponents had to complete the representations and certifications in SAM as a condition of making their offer. As a matter of practical interpretation, most federal contracting officers simply made sure that an offeror’s SAM registration was complete before awarding the offeror a contract.

That latitude goes away on October 26, 2018. On that date, FAR Subpart 4.1102 is officially amended to require all entities (i.e., vendors, including joint ventures) to be registered in SAM at the time they submit an offer (a bid or proposal) or submit a quotation to a federal agency. In essence, vendors who are not registered in SAM are ineligible to submit offers or quotes – effective October 26, 2018.

Keep in mind that the SAM registration process can take time to complete. If you’re planning to compete for a federal contract in the future, you should complete your SAM registration as far in advance as possible. And, if you are already registered in SAM, remember that your SAM registration must be renewed at least annually – and renewed whenever any part of your registration needs to be updated.

If you need help with your company’s SAM registration, feel free to request counseling with the Virginia Procurement Technical Assistance Program (Virginia PTAP). If you are an existing client and aren’t sure which counselor to reach out to, contact your local office for scheduling: https://virginiaptap.org/contact/.

If you are located outside of the state of Virginia, you can find the procurement technical assistance center (PTAC) nearest you at: http://www.aptac-us.org/contracting-assistance

Remember: There is never a fee to register in SAM as a government contractor. PTACs are available with no-cost help to get you through the process.

SAM is located at: https://sam.gov. But before beginning the SAM registration process, you must first take care of the following:

  1. Obtain a DUNS Number by registering your Legal Business Name and Physical Address with Dun & Bradstreet (D&B). If you don’t already have a DUNS Number, you can request a DUNS Number for FREE from D&B at: http://fedgov.dnb.com/webform
  2. Make sure you have a Taxpayer Identification Number (TIN) associated with the Legal Business Name registered with D&B. To obtain information from the IRS on how to obtain a TIN, visit: https://www.irs.gov/individuals/international-taxpayers/taxpayer-identification-numbers-tin
  3. Have your bank’s routing number handy, including your bank account number and your bank account type (i.e., checking or savings). You’ll need this information to set up Electronic Funds Transfer (EFT) in SAM. The federal government makes virtually all contract payments via EFT.
  4. The first time you log in to SAM.gov, you’ll be asked to create a login.gov user account (if you don’t already have one). Going forward, you will use your login.gov username and password every time you log in to SAM.gov. Existing SAM.gov usernames and passwords no longer work.

Article adapted courtesy of the Georgia Tech Procurement Assistance Center

Department of Defense’s SBIR/STTR online training calendar – free 2018 webinars

The Department of Defense’s SBIR/STTR Program Office has put together an on-line training program catalogue for small businesses for the year. Upcoming SBIR/STTR webinar topics are listed below, along with dates. More information on each title is found on the registration site. All are offered free of charge.
  • How to Use the DOD SBIR/STTR Submission Site / Important Proposal Considerations / Using SITIS – May 24, 2018
  • Managing Intellectual Property – Important Business Considerations for Commercialization – June 5, 2018
  • Understanding the Evaluation Process/What to Do with a Debrief – June 26, 2018
  • Working with Prime Contractors – July 17, 2018
  • The DOD Acquisition Process / Contracting – August 1, 2018
  • Commercialization Assistance Programs and Beyond Phase II Considerations – Sept. 4, 2018
  • Manufacturing / Working with MIBP – September 18, 2018
  • Testing and Evaluation – October 9, 2018
  • Phase III Process – How to Identify Non-SBIR – October 30, 2018

CVE Special Alert – VIP Enhancement and 30-Day Suspension Notice

Adapted from the announcement sent by CVE to PTAC counselors and of special interest to any CVE applicants or renewals now through late June 2018: VIP Enhancement and 30-Day Suspension Notice

1. On May 14, 2018, the U.S. Department of Veterans Affairs (VA), Office of Small and Disadvantaged Business Utilization (OSDBU), Center for Verification and Evaluation (CVE) began the rollout of the new Vendor Information Pages (VIP) to support the Vets First Verification Program. OSDBU and CVE are committed to improving customer service and the overall Verification experience. The enhanced VIP will enable OSDBU to manage all aspects of the Vets First Verification Program more effectively, and improve the online experience of Veterans.

2. On May 21, 2018, CVE will suspend incoming case applications to facilitate the transition to the new case VIP interface. The suspension of incoming cases will last for approximately thirty (30) days and include both new applications and reverifications. CVE will continue processing previously submitted applications during the suspension period. As such, any applicants (Veteran businesses) that desire to have their applications begin the verification process before the suspension start date should strongly consider submitting their applications to VIP prior to May 21, 2018.

3. Major VIP enhancements include:

  • Single Sign-On login process – You must have a DS Logon (Veterans) or create an ID.me Account (Non-Veterans and Representatives) to access the re-designed VIP
    o Enrollment in the Defense Enrollment Eligibility Reporting System (DEERS) is required to obtain a DS Logon
    o DS Logon and ID.me account access instructions are attached: DS Logon and ID.me Account Instructions
  • System for Award Management (SAM) registration and Data Universal Numbering System (DUNS) validation:
    o Automatic when the user inputs the DUNS
    o Elimination of Veteran frustration when submitting applications with incorrect DUNS or incomplete SAM registration
  • New user specific dashboard capabilities and Veteran process enhancements:
    o Easier to upload individual and business tax returns
    o Ability to upload or create resume
    o Easier to sign VA Form 0877
    o Ability to designate a representative to serve as proxy for only specific designated owners
    o Ability to track all verification application information in one unified location/view
    o Ability to submit and track the status of Help Tickets
    o New calendar capability to view appointments with Case Analysts
    o Ability to automatically request/receive ten-day extensions for most document requests (not including risk, status protest or cancellation related requests)
    o Application audit submission feature identifying outstanding tasks requiring completion prior to submission

Recent development in the DOD cybersecurity regulations

An update to our December post on implementation of a NIST SP 800-171r: This past Tuesday (April 24th 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012.  Attached are pdf copies of the Federal Register notice plus the two documents referenced in the notice.

PTAP has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated. The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement. For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NIST 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”). DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.

More importantly, and as highlighted during the presentations sponsored by PTAP, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems. Specifically, the draft guidance states that RFPs must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.

Thanks to David B. Dempsey of Dempsey Fontana, PLC for making us aware of these recent developments!

Your Elevator Pitch Needs Work

… or you wouldn’t be reading this.

Yes, you. The “small, woman-owned company established in 2008, located in Alexandria, VA, that prides itself on excellent customer service and always striving to do best for our clients”. Because if that sounds like you, you just wasted 20 seconds of everybody’s time for no good reason.

A truly great elevator pitch takes planning, practice, and precision. Especially in government contracting, where industry events are comprised of many companies of similar industries, you need to stand out, or you may as well be invisible.  Here’s what I mean:

  1. Planning. Know your audience. Who is going to be in the room? What is the key takeaway you want them to remember? How will your 30-second opportunity set you apart from everyone else? The point of the elevator pitch is to spark the listeners’ interest, not to pre-emptively answer all their questions. Naturally, your elevator pitch will be different in an open forum, in a 1-on-1 with a government agency, a potential teaming partner, or a banker.
  2. Practice. Every time you say “umm” or “you know” or “as I said”, you’re stealing seconds from your allotted time, losing the listeners’ attention, and killing your credibility as an expert. Know what you will say ahead of time. Run it by a few people – a family member, friend, partner, a PTAP or SBDC counselor. Be sure to test on people who don’t know the technical specifics of what you do, because if you’re speaking in code (or jargon), your customers may not understand what you’re saying.
  3. Precision. What are the key elements you want to convey that would make your listener want to ask you more questions? Look at a few templates for constructing the pitch. You can start with this guide or this one. A generic, one-size-fits-all blurb will fit no one. An appeal targeted specifically at the present audience will be more productive.

Civilian Agency Micro Purchase Threshold Increased to $10,000

The FY2018 NDAA increases the Micro Purchase threshold to $10,000 (from $3,000). The total Simplified Acquisitions Purchase (SAP) threshold is now $250,000 (from $150,000).

This can be a game changer for small businesses trying to get a “foot in the door” with federal agencies; government customers now have a streamlined, simplified mechanism for awarding contracts. Micropurchases are small business set-asides by default.

Read the Civilian Agency Acquisition Council memorandum to agencies – Appendix 2 outlines which FAR clauses are affected by the change.

A great summary and explanation by Matthew Moriarty at SmallGovCon Law

Note: the FAR has not been updated yet, so agencies have to use a “class deviation” to avail themselves of the newly adjusted ceilings.

Currently, here’s the summary according to the SBA

 

Are your NIGP Codes valid? (Commonwealth of Virginia Vendors)

Virginia Department of Small Business and Supplier Diversity (SBSD) reviewed the list of certified and pending Small, Women, and/or Minority (SWAM)  companies. They issued a letter to businesses who had an invalid NIGP code (one ending with 000) – the number ending in ‘triple zero’ is a category and not an actual code.  Any invalid code(s)/description(s) will be deleted from your profile by February 23rd.

To locate proper NIGP Codes for your company, click here.

EXISTING SWAM Certified Companies: The letter includes instructions on updating your NIGP Codes.

APPLICATIONS PENDING Companies: Do NOT change the NIGP codes in the electronic application at this point. Doing so will reset the submitted date of your application and cause the 60-business-day waiting period to restart. To correct the codes, fill out the SWAM notice of change form and send it to SBSD, and the agency will update the codes.

NIST and DFARS and Cyber Compliance! (oh my)

You have doubtless heard and read all about the looming requirement for all Department of Defense government contractors to become compliant with Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards derived from NIST SP 800-171 Rev 1 by Dec 31, 2017, or else risk losing their contracts. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, will be a mandatory clause in all contracts except for contracts solely for the acquisition of COTS items.

This requirement applies to any DoD contractor, subcontractor, and supplier ALL THE WAY DOWN THE SUPPLY CHAIN that processes, stores, or transmits Controlled Unclassified Information (CUI). Not just security contractors. Not just companies that have clearances. Not even just IT contractors. If you have a landscaping business and you are performing work at a DOD facility, and have access to blueprints that are or may be considered CUI, you’re subject to this requirement. CUI includes the categories outlined in the NARA CUI Registry, but as you can probably imagine, is not limited to that. Your government customer can identify additional categories and data, and you, as a contractor, should err on the safe side and identify potential CUI so that you can protect and segregate it just in case.

Note: civilian contractors are not subject to this requirement (there are only 15 security controls outlined in FAR part 52.204-21 compared to 109 in the DFARS clause), but that may be changing to synthesize the compliance requirements to the more complete set that the DOD/DFARS adopted.

Ultimately, it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information). Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.

The protections required to protect government information are dependent on the information DoD is protecting and the kind of system on which the information is processed or stored.

There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess their own compliance with those requirements.  For companies new to the requirements, a reasonable first step may be for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine if it may require a change to company policy or processes, a configuration change for existing company information technology (IT), or if it requires an additional software or hardware solution.

Some resources and tools to help you determine whether you’re subject to the requirement, and what you can do next:

  1. DOD Office of Small Business Cyber resources and news – especially the 49-minute video and the presentation slides
  2. DOD Procurement Toolbox – Cyber security section (including how to approach evaluating each requirement)
  3. Georgia Tech PTAC 20-min Instructional Video
  4. A handy presentation [from a law firm] that translates the major requirements into easy-to-understand terms
  5. The Safeguarding Covered Defense Information one-pager to ease you into the basics.
  6. The Cybersecurity Evaluation Tool (CSET) that provides a systematic approach for evaluating an organization’s security posture through a step-by-step process to evaluate their control system and information technology network security practices.  The tool will allow you to select a standard (e.g. NIST SP 800-171) – and CSET will generate specific questions to those requirements and present you with assessment results.
  7. A  Self-assessment guide when you’re ready for the deep dive
  8. OSD Memorandum: DPAP Guidance for DoD Acquisition Personnel that instructs DOD buyers how to implement and evaluate vendor cyber compliance (and since it’s going to be an evaluation factor in source selection, you need to know what your customers expect).
  9. For subcontractor and supplier reference – Lockheed Martin’s notice to its supply chain that you may find informative and applicable regardless of who your prime is.
  10. And if you heard the rumors of possible delay and were wondering if they have merit — sadly, no.

PTAP counselors can help you walk through these steps. While we’re not technical experts on network security, we could help you walk through the self-assessment and determine what steps you need to take to bring your business up to compliance.

Update (submitted by David Dempsey, Dempsey Fontana, PLLC): This past Tuesday (April 24th 2018), DOD issued draft regulations on its cybersecurity clause DFARS 252.204-7012.  Attached are pdf copies of the Federal Register notice plus the two documents referenced in the notice.

PTAP has been advised that DOD has implicitly acknowledged that contractor implementation of a NIST SP 800-171r cybersecurity plan is not going as anticipated. The draft guidance explains three levels of priority within an implemented System Security Plan (“SSP”). The utility of the priority levels is that DOD has identified the priorities on an item-by-item basis per the NIST security requirement. For example, multifactor authentication (NIST 171, 3.5.3) is a priority 1 (“P1”) while monitoring security controls (NIST 171, 3.12.3) on an ongoing basis is a priority 3 (“P3”). DOD is again focusing on the development of SSP as supplemented by a Plan of Action that includes an implementation schedule.

More importantly, and as highlighted during the presentations sponsored by PTAP, DOD has emphasized that SSPs (with or without an accompanying Plan of Action) will be an evaluation factor used to discriminate among offers as a means to evaluate the government’s overall risk of providing “covered Defense information” to contractors who then use or store CDI on their IT systems. Specifically, the draft guidance states that RFPs must require delivery of NIST SP 800-171 Security Requirement 3.12.4 – System Security Plan (or specified elements of) and [NIST-171] Security Requirement 3.12.2 – Plans of Action with the contractor’s technical proposal.

Update (submitted by David Dempsey, Dempsey Fontana, PLLC): Earlier this morning (June 7th, 2018), NIST’s Computer Security Resource Center (“CSRC”) distributed its fourth revision of NIST SP 800-171 (second one for 2018). See https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final. As of today, the proper reference to “NIST-171” is NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, rev. 1 (December 2016) (updated June 7, 2018) or “NIST SP 800-171, r1 (updated through June 7, 2018).” According to the “errata sheet” the CSRC has made approximately 72 “substantive” changes to NIST-171. Presumably, DOD will revise the link currently set forth in DFARS 252.202-7012 and bring the DFARS clause up to date.

The CSRC also published today three supplemental documents to NIST-171 (available at the above link):

All previous attendees should also be made aware of DOD’s proposed priorities for NIST-171 implementation (see 83 Fed. Reg. 17807 (April 24, 2018) and follow instructions on p. 17808) and the NIST requirements (identified by ¶ number in an Attachment to the slides presented at those seminars). Moreover, DOD’s updated FAQs on NIST-171 implementation (dated April 2, 2018) should be reviewed in the context of today’s revised NIST-171 – see FAQs updated April 2, 2018.

Also included with today’s CSRC announcement regarding NIST-171 is the second draft of NIST SP 800-171A entitled “Assessing Security Requirements for Controlled Unclassified Information” (Final Draft) (February 2018). (This document is also available at https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.) The introduction to CSRC’s “assessment” document states that it “is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

Passing along a message from FEMA

Greetings,

Thank you for contacting the Federal Emergency Management Agency (FEMA) regarding your interest in doing business with FEMA. If you are contacting FEMA seeking to do business in support of a disaster recovery effort, please be aware that in accordance with the Robert T. Stafford Act, FEMA’s goal is to seek local companies within the disaster area for services related to a specific disaster when practical and feasible. The ILP establishes strategic relationships with suppliers and stakeholders; serves as an information provider for suppliers seeking to do business with FEMA; and connects suppliers with program offices in support of FEMA’s mission. The ILP encourages your business to review the information referenced below.

  1. Register with the System for Award Management (SAM)

Official Federal Government registration is processed within SAM (www.sam.gov). Direct all questions regarding the SAM registration process to the Federal Service Desk at 1-866-606-8220.

To get started with your SAM registration, you must have the following:

  1. Voluntary submission of the Vendor Profile Form

The Vendor Profile Form can serve as supplemental market research for the agency.  Information supplied should not be proprietary or sensitive in nature. Please be specific about how your products and/or services can support FEMA’s mission. Submission of the Vendor Profile Form does not imply a guaranteed meeting or contract award. 

*Please click on the following link to access the vendor profile form: Industry Liaison Program Vendor Profile Form <https://www.fema.gov/media-library/assets/documents/29748> and submit the form to FEMA-Industry@fema.dhs.gov

*NOTE: FEMA does not charge any company a basic registration fee.  There are companies that replicate services of Federal Government entities and there are typically fees associated with their services.  Most Federal Government services, if not all, are free of charge.  Always make it a practice to reach out to the appropriate Federal agency first to inquire about the validity of the service, specifically if a fee is associated with it.

All meeting requests are at the discretion and availability of the FEMA Contracting Officer, Program Office, and FEMA representatives.  If the agency identifies the need to meet to further discuss your company and its capabilities you will be contacted. 

Types of Meetings Currently Offered:
  • Face-to-Face Meetings
  • Conference Calls
  • Topical Educational Sessions (TES) – These sessions will be periodically offered virtually to provide mission specific information relative to various FEMA programs
  • Industry Days – Will be posted on FBO.gov as applicable to program requirements
Learn More About:
  • Donation and Volunteering – Please visit FEMA’s Volunteer & Donate Responsibly page: https://www.fema.gov/volunteer-donate-responsibly
  • Debris Removal – Become a member of the Corps of Engineers Contractor Registry if you are interested in performing disaster response and recovery work; e.g. debris removal. Follow this link to access their website: www.usace.army.mil/Missions.aspx
  • FEMA Industry Liaison Program – http://www.fema.gov/about-industry-liaison-program
  • FEMA – https://fema.gov
  • FEMA Small Business Program – All Small Business inquiries should be directed to FEMA-SB@fema.dhs.gov
  • Department of Homeland Security Vendor Outreach Session – www.dhsvoms.moriassociates.com
  • Contracting Opportunities – You are encouraged to visit the following websites to identify such opportunities:
  • Federal Business Opportunities – Free web-based portal which allows vendors to review Federal Procurement Opportunities: www.fbo.gov
  • DHS Advance Acquisition Planning System: Monitor the forecast of DHS contract opportunities at DHS Advance Acquisition Planning System: http://www.dhs.gov/xopnbiz/opportunities/gc_1300288340710.shtm

We trust that this information will prove helpful.  If we may be of further assistance, please contact us at the email address or phone number listed below.

Regards,

Industry Liaison Program
Business Relations Branch
Acquisition Program and Policy Division
Office of the Chief Procurement Officer
Email:    FEMA-Industry@fema.dhs.gov
Phone:    (202) 646-1895
Website: http://www.fema.gov/about-industry-liaison-program
