2024 has already seen some big government contracting policy updates
Cybersecurity Maturity Model Certification (CMMC) Program
With a new target set for compliance in 2025, things are heating up for CMMC. Once the rules are finalized (as I expect them to be in late 2024 or early 2025), there is a three-year period for compliance achievement to be phased in. The aggressive implementation timeline underscores the Department of Defense’s (DOD) impatience with the delayed execution of the CMMC program.
Everyone we’ve discussed the timeline with recognizes the fact that there are approximately 80,000 entities requiring certification assessments from either a CMMC Third Party Assessment Organization (C3PAO) or a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
As of February 2024, only 242 authorized C3PAOs exist, implying that each C3PAO must conduct around 300 assessments. Estimating each C3PAO’s capacity to conduct 50 assessments annually results in a six-year timeframe to complete all mandatory assessments. So, we’ve got a little bit of a mismatch to figure out.
- The DOD wants to reduce costs for companies by allowing them to conduct self-assessments for level 1 and some level 2 with qualifications.
- The standards align with NIST 800-171 and 800-172 cybersecurity requirements, which are available and achievable now.
The National Defense Industrial Strategy
The 2023 National Defense Industrial Strategy (NDIS) was designed to modernize and strengthen the defense industrial ecosystem in line with national security objectives. It seeks to counter challenges posed by underutilization of multi-use technologies, inadequate workforce and domestic production, non-competitive practices, and limited visibility into international ally requirements.
- Resilient supply chains. Ensuring production of critical products and technologies at speed, scale, and cost through resilient and secure supply chains.
- Workforce readiness. Preparing a skilled workforce for future technological innovations and defense production demand.
- Flexible acquisition. Enhancing acquisition processes to balance customization, efficiency, and maintainability in defense platforms.
- Economic deterrence. Strengthening economic security through international agreements, interoperability standards, alliances, and policy enforcement against cyber threats.
This strategy signifies a departure from 20th-century policies and builds an industrial ecosystem encompassing traditional defense contractors, non-traditional companies, academia, research labs, and diversified funding streams. It underlines the criticality of collaboration between government, private industry, and global allies.
The NDIS is the first strategy of its kind from the DOD, prioritizing modernization, inclusive collaboration, and effective resilience against adversarial threats. There's a reorientation toward advanced manufacturing technologies and readiness for crises. It also emphasizes strengthened economic security agreements and enforcement against adversarial ownership and cyber threats.
In the FY2024 President's Budget, a new contract and financing strategy called Large Lot Procurement (LLP) was introduced with a budget of approximately $15.1 billion. This is designed to address munitions requirements and implement acquisition reforms. The NDIS also includes various initiatives and programs to strengthen the defense ecosystem and enhance national security.
Executive memorandum for chief acquisition officers
The Office of Management and Budget (OMB) released a memorandum on January 24 titled “Increasing Small Business Participation on Multiple-Award Contracts.” The memo has a few interesting directives that directly impact GovCons, especially smaller companies. It’s not a long read, so it’s probably worth it to scan it yourself – but here are the highlights:
- Engage small business offices earlier in the planning if multiple award contracts (MACs) are not proposed to have set-aside funds for small businesses or if the percentage is expected to be less than 30% - this represents a lot of them.
- Allow for on-ramps for small and medium-sized businesses (SMB), especially in contracts over 5 years in duration.
- Promote resilience by allowing SMBs to stay on contract vehicles after their protected status expires.
- Apply the “rule of two” to task orders – meaning that agencies should set aside some orders for SMBs whenever two or more of them meet the qualifications.
- Maximize orders to SMBs under the simplified acquisition threshold as much as possible.
Overall, it was a pretty exciting month! We are interested to see how this plays out for you all, so please reach out and let us know if you have any questions or if you see something different happening out there.