| |
 ADAM STROUP
| 1 | 6/8/2021 11:21 AM |
[Updated 11 Jun 21] The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry, developed the Cybersecurity Maturity Model Certification (CMMC) framework.
This announcement is to help you start to navigate the complexities of DFARS, NIST 800-171, and now Cybersecurtiy Maturing Model Certification (CMMC). Is industry in compliance? What does all of this mean? - required cybersecurity controls are found in NIST 800-171 Rev 2 ; it does update frequently - DFARS Clauses that may be on your contract o DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting o 252.204-7020 NIST SP 800-171 DoD Assessment Requirements. o 252.204-7021 Cybersecurity Maturity Model Certification Requirements.
- DoD CMMC web sites
What must indutry do? Perhaps acquire Cyber Compliance as a Service.
– Supply Chain Risk Assessments – Business Unit Readiness Assessment – CMMC Readiness Assessments
– Cyber Compliance Remediation Services
Where to report cybersecurity incidents? Rapidly report cyber incidents to DoD at https://dibnet.dod.mil
Send me outher resources and I will share if appropriate.
| ADAM STROUP | 6/11/2021 9:22 AM | | No | | | | | | |
ADAM STROUP
| 0 | 5/4/2021 11:11 AM | In 2018, the Army solicited for the Software and Systems Engineering Services Next Generation (SSES NEXGEN) for Army Data, Architecture, Content/Knowledge Management Solutions (DACMS) effort under the Unrestricted Suite. Requirements included Data Architecture, Army Data Management Program, Strategic Services Architecture Support, Data Centric Solutions, and Content/ Knowledge Management Solution Services. How's SSES doing? Data at a glace for SSES NGen may be found at GOVTRIBE, but please note that you only get 1 free view per month. It's interesting what you can do with data and worth using that free look! Here's the question. Where can I find info on SSES on a Government (Army) web site? Appreciate your help!
| | 5/4/2021 11:11 AM | | No | | | | | | |
ADAM STROUP
| 1 | 10/9/2020 12:11 PM | First, with the Back to Basics (BtB) memo (also available on the Policy Tab here in the community), things are changing. I think more seats will become available for our non-acquisition personnel performing services acquisition functions. Last year we had 81 Priority 9s graduate from an ACQ265 (38) or ACQ265V (43)--slightly more once ACQ 265 went virtual. Currently, for FY21 there are 14 ACQ265Vs in ATRRS and 4 are just about full. NOTE: the schedule only goes out to 2QFY21, so I expect to see more offerings added after the new year. If you are a non-acquisition workforce member, you're a priority 9. What that means is you will be waitlisted for any of these offerings until 1 month out. At one month out, if there's a seat available, it's filled from those Priority 9s that are on the waitlist. It's your seat now--you won't be bumped. The other trick is to contact DAU and attempt to gain a seat from any no-shows on the first day of class. Ask if you can get access to the ACQ265 pre-classroom work so you are ready for class on day 1. On average, I fill one seat per class this way. So if you are proactive and have some flexibility, you have a much better shot at getting into a class. Here's my Second thought: With the BtB and the six functional areas streamlining the required training, more seats are likely to be available when ACQ265 is no longer required (currenly ACQ265 is on a pick list for Logistics and Contracting). This isn't locked yet, but it's my prediction (Stroup, editor, ACE for Services). Hopefully we still see contractiong and logistics professionals in ACQ265 as they find a need to learn about services acquisitions. Third. Rules for use of credentials are to be written. The BtB memo tasks Human Capital Initiatives (HCI) with revising DoDI 5000.66 and a lot of thought needs to go into the policy about use, prioritization, expiration of credentials. My input on the matter is that re-qualifying ought to be something much more engaging then retaking the current exam (that should keep me busy in the future). You'll find the current rules on the DAU Credentials page. I'd be happy to hear your thoughts! And a reminder that there exists great training for services acquisition that has no waitlist because it's entirely on line. ACQ 1650, ACQ 256 (that's the tools course), CLM 006 (soon to be ACQ 0060) (Cost Estimating), all OLTs, had over 2500 Priority 9 grads last FY. Stop by the training tab here on the ACE for Services home page for more info on DAU Learning Assets. Happy new fiscal year! Ad | ADAM STROUP | 2/19/2021 9:48 AM | | No | | | | | | |
ADAM STROUP
| 1 | 2/1/2021 10:15 AM | An insightful article by Nash published February 2021 on Westlaw, a Thomson Reuters website [requires a subscription] details the trials and tribulations of using a performance work statement for services acquisition. The title of the article is "11. PERFORMANCE WORK STATEMENTS: The Policymakers' Monster—Where Is Our Theseus?" and as this title suggests, historically the definitions of a PWS, what constitutes a service and a result of a service, and even what does measurable imply is tracked historically from today back to US Air Force regulations a few decades ago. Are these terms archaic? On ACQuipedia you will find a performance work statement (PWS) defined as a statement of work for performance-based acquisitions (PBAs) that describes the required results in clear, specific and objective terms with measurable outcomes. We need to tell the offerors what those measurable outcomes are and those are standards, possibly accompanied by Acceptable Quality Levels (AQLs) which are deviations to those standards that the Government can tolerate. But who hasn't seen contracts with task statements to the contractor that lack AQLs let alone standards? [for more info on Standards and AQLs, see Sample Performance Standards on SAM] Nash highlights a few glaring examples. For a knowledge based service, it's very difficult for a task where we ask for a contractor's analysis to then apply a standard to get at how good an analysis was done. I rely on insight into the contractor's staffing and management and even their Quality Controls before selecting them to (hopefully) get that good analysis. (This will be a key feature in Relational Contracting--see below) Now, that analysis ought to be in a document and there I can apply standards and AQLs to a written document such as free of errors (Standard) with less than 1 error per 100 words (AQL). Sometimes we do have a standard for an analysis task and let me compare that to the peer review process before your solicitation leaves your office. [Do you get good comments back? If not, you need better reviewers!] We could implement peer review as a standard. Something like the Government will review [all, random sample] analyses and any faults found will be corrected by the contractor at no cost to the Goverment. The problem is I don't have reviewers standing by nor do I have a definition of a fault that's likely to survive first contact with corporate legal.
The summary of Nash's article proposes we (Government) do away with the PWS and performance based acquisitions. Nash has been of this opinion (with good reasoning) for over a decade now (see: A Proposal for a New Approach to Performance‐Based Services Acquisition, Def. Acquisition Rev. J. 353 (Sept. 2007). In the 2007 article, the authors state "the main reason that PBSA has not been more successful is that it is not a practical approach to buying long-term and complex services." The why behind that statement is that it's "... unrealistic to ask agencies to specify services at the time of contract award in clear, specific, objective, and measurable terms when future needs are not fully known or understood, requirements and priorities are expected to change during performance, and the circumstances and conditions of performance are not reliably foreseeable." The authors propose Relational Contracting or Relational PBSA and outline key features and conditions for use. It is worth a read of the ARJ article and perhaps a discussion here! | RICHARD FOWLER | 2/2/2021 4:24 PM | | No | | | | | | |
ADAM STROUP
| 0 | 1/11/2021 8:16 AM | The Government Accountability Office (GAO) recently released an important new report entitled “GAO-21-171 Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” This is particularly timely given the December 2020 discovery of a breach of SolarWinds Worldwide LLC’s network-management software Orion, which is widely used by U.S. agencies and companies.
This blog by Bill Kobren will connect you to the report and provides additional blogs on Supply Chain Management Risks. To go directly to the GAO report select GAO-21-171. [NOTE: you may have to click on the title of this article to access the two links.]
| | 1/11/2021 8:16 AM | | No | | | | |
|
