FAQ
ERP Software for GovCon, A/E, and Project Management
Frequently Asked Questions (FAQ)
Unanet provides user-friendly ERP software that helps project-driven organizations turn information into actionable insights and optimize their processes. We’re dedicated to our customers’ success and providing all the information they need to understand and maximize their use of their ERP solution.
Please see below a list of frequently asked questions about our software, government compliance, and architecture and engineering.
Don’t see what you’re looking for? We’re here to help. Please contact us and we will get back to you as soon as possible.
FAQs about Government Contracts (GovCon) and Compliance
NIST stands for the National Institute of Standards and Technology. This is the federal agency that sets standards for technology, measurements and, increasingly, cyber-security. The NIST also works to promote U.S. industrial and economic competitiveness by the advancement of technology and science standards.
NIST controls are guidelines that enhance cybersecurity, information protection, and security standards. Most commercial and private sector companies are encouraged to follow these protocols, but it is not required. Federal agencies and government contractors are required to follow these standards.
As a non-regulatory body, the NIST is responsible for setting standards for security and technology for federal government agencies and American companies. The standards they promulgate and maintain are cited by government agencies in their own regulations. Their standards also work to encourage U.S. competitiveness in the world economy.
All government contractors must be compliant with the NIST standards on cyber-security (NIST 800-171 and NIST 800-53). If your organization is not a government contractor, you may or may not be required to maintain compliance with those standards. To learn more about the standards and whether your company needs to be compliant, visit the NIST website.
NIST 800-171 and NIST 800-53 are standards for requirements that certain systems must follow to access and store controlled unclassified information (CUI). These are a crucial part of the NIST compliance risk management assessment (below).
Examples of CUI would include any personally identifiable information such as legal material or health documents, technical drawings and blueprints, intellectual property, as well as many other types of data. The purpose of the rules around CUI is to make sure that all organizations are handling the information in a secure and uniform way.
To become compliant, you must first create a NIST cyber-security compliance risk management assessment. When doing this, meeting NIST 800-171 and NIST 800-53 requirements (described above) will be of the utmost importance. Once you have started a risk assessment, you need to create NIST compliant access controls for your company and then set out to manage audit documentation. After doing all this, the government will perform an audit of your organization to determine if you have met all requirements and protocols and if you are compliant with the NIST cyber-security standards.
While the Defense Contract Audit Agency (DCAA) and the Defense Contract Management Agency (DCMA) both monitor government contracts and contractors, they have different missions. The DCMA monitors defense contractors for compliance with contract terms during the period of performance of the contract. DCMA also reviews business systems such as Purchasing, Government Property Management and Earned Value Management for compliance with DOD’s business systems requirements. The DCAA audits defense contractors’ financial business systems such as Accounting, Estimating, and Material Management Accounting for adherence with the DOD business systems requirements. DCAA’s primary mission, however, is to audit defense contractors’ accounting practices and contract costs. DCAA also audits contractors on behalf of some civilian agencies on a reimbursable basis.
Defense Contract Audit Agency (DCAA) audits are performed to ensure that government contractors’ cost accounting practices adhere to the cost principles of the Federal Acquisition Regulation (FAR) and, where applicable, the Cost Accounting Standards (CAS).
The DCAA does not certify contractors as “compliant,” but “DCAA compliant” is a widely-used industry term that refers to an organization that adheres to the standards, guidance, and recommendations of the DCAA with respect to their financial business systems and cost accounting practices.
DCAA compliance is when a company’s business systems, in particular the accounting system, has been reviewed or audited and found to be acceptable for use in accounting for government contracts. If you expect a near-term system audit, conducting your own an internal review before DCAA comes in is a really good idea. DCAA’s audit programs for approval of an accounting system are available to the public on its web site.
CPSR stands for Contractor Purchasing System Review. The CPSR is conducted by DCMA to ensure that all purchases made by government contractors comply with all the FAR procurement rules. A company’s Administrative Contracting Officer (ACO) at DCMA will normally “flag” a company for a CPSR when the annual volume of their purchases charged to government cost-type and T&M contracts approaches $50 million.
A CSPR is a very detailed review of the documentation associated with purchases and subcontracts to ensure that they are compliant with all the FAR procurement rules.
To prepare for a CSPR, review your purchasing policies and procedures to ensure they are well documented and, when followed, result in purchases that adhere to all the regulations. Also, pay close attention to the purchasing and subcontract files to ensure that each step of the purchasing process is clearly documented to show that all required actions were taken and that the files are organized and easy to access. Contractors subject to a CPSR should also perform periodic internal file reviews to assure a good result when DCMA comes in. DCMA’s own review checklists are available on its website.