NIST Issues Draft on Security Controls

National Institute of Standards and Technology (NIST) Issues Draft Security Controls for Federal Information Systems

By McKenna Long & Aldridge LLP

As cybersecurity has taken center stage in recent months, with several high profile attacks on commercial and public institutions (including a cybersecurity attack on the Federal Reserve this week), a potentially significant development is in the works regarding the security of Federal information systems, one that could have a substantial effect on government contractors. On February 6, 2013, the National Institute of Standards and Technology (NIST), the agency charged with developing information security standards and guidelines for Federal information systems, announced that it was seeking comments on the final public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP) 800-53, Revision 4. Once finalized, this document, developed by a joint task force of security experts from NIST, the Department of Defense, the Intelligence Community and the Committee on National Security Systems, will provide primary guidance for security safeguards and countermeasures used to protect Federal information systems. NIST notes that the latest draft supports the Federal information strategy of “Build It Right, Then Continuously Monitor.”

A comprehensive analysis of the current draft, which is over 450 pages, is beyond the scope of this alert. However, there are a couple of key points that should be made about the guidelines in their current form. First, as with previous guidelines produced by NIST, these guidelines would apply to all federal information systems, except for those designated as national security systems under 44 U.S.C. § 3542. This means that any system used by an executive agency or the contractor of an executive agency will be subject to the finalized guidelines, unless the system is used for national security purposes, such as intelligence activities, military command and control, or weapons systems. Second, the revised guidelines would provide new security controls and control enhancements addressing a wide range of cybersecurity concerns, including advanced persistent threats, supply chains, insider threats, application security, distributed systems, and mobile and cloud computing. For many government contractors, compliance with these guidelines will require the adoption of extensive new security measures.

Contractors that could be affected by these new guidelines can offer comments on the current draft through March 1, 2013. McKenna will continue to monitor NIST’s efforts to promulgate new guidelines and other cybersecurity-related developments relevant to government contractors.

For additional information, please contact:

Elizabeth “Beth” Ferrell
202.496.7544

Patrick J. Stanton
202.496.7316

McKenna Long & Aldridge LLP (MLA) is an international law firm with more than 575 attorneys and public policy advisors in 13 offices and 11 markets. The firm is uniquely positioned at the intersection of law, business and government, representing clients in the areas of complex litigation, corporate law, energy, environment, finance, government contracts, health care, infrastructure, insurance, intellectual property, private client services, public policy, real estate, and technology. To further explore the firm and its services, go to mckennalong.com.

© 2013 MCKENNA LONG & ALDRIDGE LLP, 303 PEACHTREE STREET NE, ATLANTA, GA, 30308. All Rights Reserved.

*This Advisory is for informational purposes only and does not constitute specific legal advice or opinions. Such advice and opinions are provided by the firm only upon engagement with respect to specific factual situations. This communication is considered Attorney Advertising.

Executive Order on Cyber: What it Means to You

Improving Critical Infrastructure Cybersecurity Executive Order: Impact on Corporate America

By Brian Finch, Partner, Dickstein Shapiro LLP

Released during President Obama’s State of the Union Address, the long-awaited Executive Order (EO) addressing the federal government’s response to the ongoing menace of cyber attacks has made its formal appearance. The EO contains many ideas that had been previewed in previous drafts, as well as some interesting new twists that should have an immediate impact on corporate America and the nation as a whole. More than anything else, the EO represents another step in the U.S. government’s ongoing response to the ever more extensive and expensive threat posed by cyber attacks. Below are seven key takeaways for businesses, followed by an in-depth analysis of the EO which addresses these key points and identifies next steps to be taken by the parties involved.

Key Takeaways: What’s in the EO, What’s Missing, and What’s Next?

1) The EO dramatically expands existing information sharing programs and provides mechanisms for sharing of unclassified threat data. But will the information be useful to many companies, will it be provided in a timely manner, and most importantly will companies have liability protection for sharing information or choosing not to act on information provided to them?

2) How quickly will the National Institute of Standards and Technology (NIST) develop the “Cybersecurity Framework”? And will it be able to adequately tailor a framework that accounts for the great variability among the yet-to-be-defined “critical infrastructure” facilities?

3) What will be deemed “critical infrastructure” and what won’t be? The nation has been through this exercise many times before, and it has yet to go smoothly. And will it be easy to seek a redetermination of whether a facility constitutes critical infrastructure?

4) Will the “voluntary” cybersecurity program actually be voluntary? History has shown that such programs either (a) are dramatically underutilized or (b) are a precursor to mandatory regulations.

5) What incentives will be recommended for participation in the voluntary cybersecurity program? Will the government promote only those incentives and discourage the use of incentives that are not tied to the voluntary program (for example, Terrorism Reinsurance Act (TRIA) coverage or the SAFETY Act)?

6) The portion of the EO that is the most immediate and has the greatest impact is also the simplest to implement: procurement reform. One can easily anticipate that government contractors will soon face much stricter cybersecurity requirements as a result of the EO. What will this look like? Will it mirror the Defense Department’s new breach notification requirements? Will it cover only contractors working on classified or sensitive programs, or will it touch on almost every procurement?

7) The EO sets in motion a formal review of existing cybersecurity authorities to see what additional legislation is needed. This is yet another signal that cybersecurity legislation will be a top priority for the President and the Congress over the next two years.

“Critical Infrastructure”

The eight-page EO contains some themes that are familiar to cyber watchers. First, the EO is in large part limited to “critical infrastructure.” As defined in Section 2 of the EO, that means “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” Not surprisingly, many of those terms (“vital,” “debilitating,” “national economic security”) are undefined, meaning that much of the spade work on identifying “critical infrastructure” (or, in some cases, arguing that a system or asset is NOT critical infrastructure) is yet to be done. The debate over what is defined as “critical infrastructure” is certain to be significant, and based on past experience with efforts to define “critical infrastructure,” it is likely to be a lengthy process rife with errors and confusion.

Cyber Information-Sharing Program Expanded

Section 4 sets forth an expanded cyber information-sharing program. The goal of Section 4 is to set up a framework that allows for the “timely production” of unclassified reports of cyber threats to an entity that has been specifically targeted. In addition, Section 4 gives the Secretary of Homeland Security, the Attorney General, and the Director of National Intelligence the ability to share classified information in certain circumstances. Perhaps most striking is that Section 4 of the EO directs the Secretary of Defense to establish a process by which its Enhanced Cybersecurity Services program (an existing cyber threat information sharing program) can be dramatically enhanced to allow any entity in “critical infrastructure sectors” to join that program. This represents a dramatic expansion of a program that heretofore was limited to specific companies in the so-called “Defense Industrial Base.”

The question remains, however, whether the information shared as part of this program will actually be useful and timely. Such information often is transmitted weeks after malware is discovered and the harm has been done, creating a situation akin to reading in the newspaper that your house is on fire. The EO also leaves unanswered whether liability protection will be available to participants in the information-sharing program. Liability protections are critical because, without them, many companies will not participate in information-sharing programs for fear of exposing themselves to liability.

Impact on Corporate America

Sections 7 and 8 of the EO may give many in the private sector pause, as they direct portions of the U.S. government to establish baselines to reduce cyber risks and create voluntary critical infrastructure protection programs. These sections could be worrisome, as some will argue that they will lead to regulation at a later date.

I. New Cybersecurity Framework

Section 7 gives the Secretary of Commerce, through the Director of the National Institute of Standards and Technology, approximately one year to develop a framework to reduce cyber risks (the so-called “Cybersecurity Framework”). That Framework is to include a set of standards, methodologies, procedures, and processes designed to address cyber risks. The Cybersecurity Framework is supposed to incorporate voluntary consensus standards and industry best practices “to the fullest extent possible.” The goal is to create a framework that is “prioritized, flexible, repeatable, performance-based, and cost-effective” and that will help owners and operators of critical infrastructure identify, assess, and manage cyber risk. Areas for improvement are to be identified, the framework is supposed to be “technology neutral,” and it is supposed to include guidance for measuring performance in implementing the framework. All of this is also to be done using an open public review along with operational feedback from actual owners and operators of critical infrastructure. It remains to be seen whether NIST can meet those timelines, and whether the framework established will be flexible enough to address the varied cybersecurity needs of the vastly different “critical infrastructure” sectors.

II. Voluntary Support Program

In conjunction with the Cybersecurity Framework, the Secretary of Homeland Security is directed in Section 8 of the EO to establish a “voluntary program” to support the adoption of the framework by critical infrastructure owners and operators and, interestingly, “any other interested entities.” The U.S. Department of Homeland Security (DHS) will work with other federal agencies to review the framework and, “if necessary,” develop implementation guidance and supplemental materials to address sector-specific risks and operating environments. The various federal agencies are also required to report to the President annually on the extent to which specific critical infrastructure owners and operators are participating in the “voluntary” program. Just how “voluntary” this program is remains to be determined. These “voluntary” programs often become de facto mandatory programs as companies feel compelled to participate lest they open themselves to litigation for not taking identified security measures. This has led to many voluntary infrastructure programs either being severely delayed in their deployment or being dramatically underutilized by the private sector.

Section 8 also directs the Secretary of Homeland Security to coordinate the establishment of “incentives” designed to promote participation in the voluntary program. A report on these incentives is due within 120 days of the issuance of the EO, and the Secretaries of Commerce and Treasury are required to submit their own reports on incentives. The report is to identify the relative benefits of the identified incentives and whether additional legislation is needed to implement them. What these incentives will look like is unknown. Possible incentives could include greater use of the SAFETY Act (which offers liability protection), an expansion of the TRIA, or other novel ideas.

Another requirement of Section 8 of the EO is that within 120 days of its signature, the Secretary of Defense and the Administrator of the General Services Administration are to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” In other words, a comprehensive review of existing procurement regulations will be conducted to see if cybersecurity requirements can be embedded therein.

This portion of the EO may indeed have the most immediate impact on cybersecurity. One can easily anticipate that government contractors will soon face much stricter cybersecurity requirements as a result of the EO. These requirements could take any number of forms, including minimum security standards and data breach notification requirements. It also remains to be seen whether these requirements will cover only contractors working on classified or sensitive programs, or whether they will touch almost every government vendor. It is certain that government contractors should be prepared for increased cybersecurity requirements and should be proactive in discussing what requirements are realistic.

Critical Infrastructure Identification

Interestingly, Section 9 takes the identification of “critical infrastructure” a step further by directing that within 150 days “critical infrastructure” must be identified by the Secretary of Homeland Security using a “risk-based” approach. This list is supposed to be developed using a “consultative process” and is to use “consistent, objective” criteria. The list is to be reviewed and updated annually and (somewhat unusually) is to include a process by which identified “critical infrastructure” entities may request reconsideration of such a determination. The ease or difficulty of successfully appealing a “critical infrastructure” designation remains to be seen.

Cybersecurity Framework Final Approval

Section 10 is the catch-all of the EO, stating that once the Cybersecurity Framework has been preliminarily finalized, the Secretary of Homeland Security in consultation with the Office of Management and Budget and the National Security Staff shall review it to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. Those entities are then directed to submit a report to the President stating whether clear authority to establish requirements based on the Cybersecurity Framework exists and any additional authority required.

Summary and Conclusion

So what does all of this mean? In its simplest form, the EO is a data collection exercise and a blueprint for legislative and regulatory cybersecurity mandates. As has been done in the past, the federal government will now go about identifying what it considers to be “critical infrastructure” and then will prepare for those entities (and others) “voluntary” measures it believes will help increase security. Moreover, the EO explicitly directs the U.S. government to begin planning for the determination that a voluntary program is insufficient, and thus that existing regulatory authority plus new statutory authority will be used to implement mandatory cybersecurity measures. Of course, that is all aspirational and assumes that Congress will grant the Executive Branch the authority to carry out such mandatory programs, which is far from certain.

It seems that the portion of the EO with the greatest impact is the one section that is easy to overlook: the section requiring incorporation of security standards into federal procurements. Considering the volume of business conducted by the federal government, it is easy to foresee that mandatory cybersecurity requirements for entities contracting with the federal government will be quickly implemented, causing a radical shift in the cybersecurity posture of large portions of the U.S. economy.

It is quite clear from the EO that legislation is still a vital part of this process. Many of the aspirational elements of the EO cannot happen without congressional action, and specific issues such as liability protection were left relatively unaddressed by the EO. Therefore, Congress will continue to play a critical role in how exactly the nation addresses cybersecurity going forward.

Overall, the Cybersecurity EO is the starting signal for a long race involving multiple administrative processes, any of which could result in genuine improvement in the nation’s cybersecurity posture, or in something akin to a large game of cybersecurity theater, where seemingly powerful directives and plans result in little actual benefit. It is another critical milestone in the ongoing and increasingly complex effort to combat cyber threats. We will continue to monitor the progress of this initiative and provide key updates and analysis of its impacts on the business sector as developments occur.

Brian Finch is a partner at Dickstein Shapiro LLP, where he heads the firm’s Global Security Practice. He can be reached at [email protected] or 202-420-4823.

Feb. 7: The View from Appropriations: Timeline for Sequester with Charles Kieffer (Senate Appropriations) & Ben Nicholson (House Appropriations)

Charles Kieffer
Staff Director
Homeland Security Appropriations Subcommittee
U.S. Senate

Ben Nicholson
Majority Clerk
House Appropriations Committee
Subcommittee on Homeland Security
U.S. House of Representatives

Join us for a bi-partisan, bi-cameral discussion of the timeline and budget appropriations for the U.S. Department of Homeland Security including the upcoming sequester, Continuing Resolution (CR) and a detailed outlook for FY 2014.
PARKING IS DIFFICULT. METRO AT UNION STATION OR PARK AT UNION STATION. SOME STREET PARKING. ALLOW MORE TIME FOR PARKING. WE WILL START PROMPTLY AT 1:30 PM.

About the Senate Homeland Security Appropriations Committee

The Senate Appropriations Committee is the largest committee in the U.S. Senate, consisting of 30 members in the 111th Congress. Its role is defined by the U.S. Constitution, which requires “appropriations made by law” prior to the expenditure of any money from the Federal Treasury. The Committee, chaired by Barbara Mikulski (D-MD), writes the legislation that allocates federal funds to the numerous government agencies, departments and organizations on an annual basis. Appropriations are limited to the levels set by a Budget Resolution, drafted by the Senate Budget Committee. Twelve subcommittees are tasked with drafting legislation to allocate funds to government agencies within their jurisdictions. These subcommittees are responsible for reviewing the President’s budget request, hearing testimony from government officials, and drafting the spending plans for the coming fiscal year. Their work is passed on to the full Senate Appropriations Committee, which may review and modify the bills and forward them to the full Senate for consideration.

The Committee is also responsible for supplemental spending bills, which are sometimes needed in the middle of a fiscal year to compensate for emergency expenses.

The Homeland Security Subcommittee’s jurisdiction includes:
Agricultural Quarantine Inspection (USDA)
Chief Medical Officer (DHS)
Customs and Border Protection (DHS)
Disaster Relief (DHS)
Disaster Assistance Direct Loan Program (DHS)
Domestic Nuclear Detection Office (DHS)
Emergency Food and Shelter (DHS)
Federal Emergency Management Agency
Federal Law Enforcement Training Center (DHS)
Flood Map Modernization Fund (DHS)
Homeland Security, Department of (DHS)
Immigration and Customs Enforcement (DHS)
Infrastructure Protection and Information Security (DHS)
Intelligence and Analysis (DHS)
National Capital Region Coordination Office
National Flood Insurance Fund (DHS)
Office of Grants and Training
Pre-disaster Mitigation Fund
Preparedness Directorate
Science and Technology (DHS)
Strategic Border Initiative (DHS)
Transportation Security Administration (DHS)
U.S. Citizenship and Immigration Services (DHS)
U.S. Coast Guard (DHS)
U.S. Fire Administration
U.S. Secret Service (DHS)
US VISIT (DHS)
About the House Appropriations Committee, Subcommittee on Homeland Security

On March 2, 1865, the House of Representatives separated the appropriating and banking and currency duties from the Committee on Ways and Means, which was first established in 1789, and assigned them to two new committees: the Committee on Appropriations and the Committee on Banking and Currency. Until 1865, all “general” appropriations bills had been controlled in the House by the Committee on Ways and Means, which was also in charge of revenue measures and some other classes of substantive legislation.

Membership of the Committee

The new Committee on Appropriations, six Republicans and three Democrats, was appointed on December 11, 1865, in the 1st session of the 39th Congress, and first reported the general appropriations bills for the fiscal year 1867. By 1920, the number of members had grown to 21. It was changed that year to 35 and gradually increased to 50 by 1951. Until recently, the Committee numbered 66 members, but has since reduced its ranks to 50 members.

The Subcommittee on Homeland Security’s jurisdiction is the U.S. Department of Homeland Security.

Feb. 25: Capacity Building Workshop

SUCCESS INSIDE & OUT: ALIGNING YOUR INTERNAL RESOURCES TO REFLECT THE SUCCESSES OF YOUR COMPANY

Sequestration, budget cuts and the Continuing Resolution (CR) have frozen contract awards and new work. GTSC invites you to take this opportunity to prepare for the fall, when the allocations will flow again, and you’ll need to be primed and ready!

Through the GTSC’s work with all the companies and officials involved in the Federal homeland and national security market, we’ve learned a number of lessons and best practices to mitigate some of the traditional “thorns” in a small business’ side. When implemented, these practices assure your success with your Federal clients, large business primes and other partners. Join GTSC to shore up your resolutions to focus on your strategic plan, your marketing strategy and your legal, human resources and insurance needs. In Part I of this two-part series about building your internal capacity, the sessions will give you an in-depth look at strategic planning, marketing, talent acquisition, legal issues and ethics to expand your company’s reach in the Federal homeland and national security sector. Part II on Tuesday, March 12 will focus on every stage of the proposal process — from the RFI to your response to an RFP. Register today!

Part I Agenda:

8:00AM: Networking/Coffee Hour

8:30AM: Welcome & Opening Comments with Kristina Tanasichuk, President & CEO, Government Technology & Services Coalition

8:40-9:10 AM: KEYNOTE MENTOR SESSION

There are several unique attributes that make certain small businesses repeat partners for large primes. Ms. Petera will provide a “Top 5” list based on her experience as both an appointed official and as the client lead for one of the most prestigious IT companies in the country, Harris IT Services.

Anne Petera, former Assistant Secretary for Intergovernmental Affairs, U.S. Department of Homeland Security and DHS Client Executive, Harris IT Services

9:15 AM – 10:30 AM: Session #1

WORKING WITH THE BIG GUYS: HOW TO MANAGE YOUR RESOURCES FOR BOTH STRATEGIC AND TACTICAL PLANNING

Large Federal contractors want — and need — to partner with small businesses to be successful in today’s Federal market. This session will show you how your strategic plan — or lack thereof — can impact how potential partners and clients view you. Are you a good partner? Is your organization able to deliver on its promises from beginning to end? How do your partners see and assess you, your company and your capabilities? Learn how to integrate your strategy and strategic plan into your thinking to improve your capabilities in all of your business relationships.

Mary-Claire Burick, CEO, MC Strategy and Strategic Advisor, GTSC

Chris Lawrence, Vice President, Engility and Mentor, GTSC

Josh Kussman, Sr. Vice President, The Sentinel HS Group

10:30 AM – 11:45 AM: Session #2

MARKETING: YOU’VE GOT THE PLAN, HOW DOES THAT TRANSLATE TO YOUR FEDERAL CLIENTS?

How do you sell yourself in the market? Are you showcasing your core capabilities in the best ways possible? Keep your company’s “name on the brain” of larger Federal contractors with these marketing tips. It is simpler than you think to maximize your relationships with them. Don’t forget to maintain an updated profile on the GTSC website – a large company’s database resource for finding subcontractors.

Mary Ann Stoops, Principal, Savvy Marketing Partners LLC

Victoria Laing, Senior Account Manager, Gotham Government Solutions

Earl Holland, President, Growth Strategy Consultants and Strategic Advisor, GTSC

11:45 AM – 1:00 PM: LUNCH KEYNOTE PANEL: WHY DOES THIS MATTER?

Join us for this discussion by several of GTSC’s mentor companies on how and why a lack of strategic planning can impact your success with both your Federal clients and your other partners, how they view and evaluate potential partners, and what attributes draw them to repeat partnerships.

Wayne Pizer, Vice President Small Business Programs, L3 STRATIS

Andrea Marsh, Senior Market Manager and DHS Lead, Battelle

Mike Kelly, Senior Director, Infrastructure Protection & Security, TASC

1:00 PM – 2:15 PM: Session #3

GOT TALENT? HUMAN RESOURCES FOR SMALL BUSINESSES

Carrying out a contract is contingent on having the right talent for the project. How does a small to medium-sized company market itself to potential talent? How can you find the right people and staff your project with high quality individuals?

Kathleen Smith, Chief Marketing Officer, ClearedJobs.Net

Jen Fritz, Director, Federal Government Solutions, CareerBuilder

Rob Edmonds, Director, Sales and Marketing, Uniplus and Chair, GTSC Small Business Collaboration Group (SBCG)

2:15 PM – 3:30 PM: Session #4

YOUR LEGAL, INSURANCE AND ETHICAL RESPONSIBILITIES: AN UPDATE

The landscape of legal, insurance and ethical requirements is constantly changing. Each “mistake” made by contractors or by government officials results in a slew of new requirements that can impact your responsibilities. Join us for a look at the latest changes in these areas from some of the foremost experts in their fields.

Richard Conway, Partner, Dickstein Shapiro

P. Allen Haney, CEO, P. Allen Haney Company

Amy Hutchens, General Counsel, Vice President Compliance & Ethics Services, Watermark Risk Management International, LLC.

Register now

 

January 30: Charles Armstrong, CIO, CBP

Charles Armstrong,
Assistant Commissioner & Chief Information Officer
CBP

This roundtable with CBP’s Charlie Armstrong will focus on how CBP’s priorities are unfolding given the fiscal cliff and lack of clarity on sequestration. We will discuss his assessment of future opportunities, current initiatives and his thoughts on progress toward the integration of applied technology and acquisition efforts to complement CBP’s mission and support their frontline personnel.

REGISTER*

*This event is for GTSC members and FIRST TIME guests to GTSC only. Thank you for your understanding.

About Mr. Armstrong

Mr. Charles R. Armstrong is the Assistant Commissioner and CIO for the Office of Information and Technology, U.S. Customs and Border Protection, Department of Homeland Security. Functional responsibilities include software development, infrastructure services and support, tactical communications, the laboratory system and research and development functions, and IT modernization initiatives supporting CBP’s core business processes. Additionally, as the Department of Homeland Security (DHS) Steward for network services, Mr. Armstrong is accountable for supporting the agency’s requirements for secure, reliable communications.

Mr. Armstrong served as the DHS Deputy CIO where he was a champion of the Department’s IT initiatives for improving the agency’s secure information sharing capabilities through the consolidation of infrastructure and strengthened security. Mr. Armstrong brings with him over 26 years of leadership and technology experience in the operations and management of IT. After starting his career with the Navy Department, he worked for the legacy U.S. Customs Service and CBP in various capacities. He also served as the CIO for the DHS Border and Transportation Security prior to assuming the position of DHS Deputy CIO in October 2005. Mr. Armstrong graduated from Old Dominion University with a Bachelor of Science in Information Systems and obtained a Master’s Certificate in Management from National Louis University. He is a Harvard Senior Executive Fellow, and was recognized by Federal Computer Week’s Federal 100 as one of the top executives from government, industry, and academia who had the greatest impact on the government information systems community in 2001.

NDAA Authorizes Mentor-Protege Programs for all Small Businesses and more…

By McKenna Long & Aldridge LLP

The Fiscal Year 2013 National Defense Authorization Act (“NDAA”), signed by President Obama on January 2, 2013, makes numerous significant changes in the federal government’s small business contracting programs. Most importantly, the NDAA authorizes the Small Business Administration (“SBA”) to establish a mentor-protégé program for all small business concerns. Among other changes, the NDAA revises the rules for limits on subcontracting for small business set-asides, eliminates the dollar limitations for set-aside contracts for women-owned small businesses, and creates a small business Ombudsman to serve at DCAA.

By authorizing the use of the mentor-protégé program for all small business concerns, NDAA section 1641 effectively alters the SBA’s affiliation rules, at least for SBA-approved mentors. According to the NDAA, this new mentor-protégé program generally should be identical to the 8(a) mentor-protégé program. Under the current 8(a) program, a mentor and protégé can form multiple joint ventures that are allowed to submit proposals as a small business. In a joint venture, the mentor can have a larger role in supporting the protégé and performing the contract without concern about the application of the SBA’s ostensible subcontractor rule. A mentor also may own up to 40 percent of the protégé. Finally, a company may have up to three protégés, allowing a large business to have a much larger role in the performance of small business set-aside contracts.

Previously, the Small Business Jobs Act of 2010 authorized the SBA to establish a mentor-protégé program for Service Disabled, Veteran Owned small business concerns, Women-Owned small business concerns and HUBZone small business concerns. However, the SBA did not issue regulations to establish these programs. Apparently to avoid a repeat of this problem, NDAA section 1641 requires the SBA to issue regulations to establish the mentor-protégé program for all small business concerns within 270 days.

NDAA section 1651 changes the rule for calculating the limits on subcontracting by a small business prime contractor that apply to contracts awarded via small business set-asides. Previously, to ensure that the small business prime contractor was actually performing a substantial share of each set-aside contract, the small business prime contractor was required to incur at least 50 percent of the labor costs for service or supply contracts and 25 or 15 percent of the labor costs for general or specialty construction contracts, respectively. It was difficult for agencies to enforce this subcontracting limitation during the evaluation of proposals, because for most competitive contracts, the offerors were not required to provide such cost information as part of their proposals or bids.

NDAA section 1651 seeks to address this problem by requiring the comparison of the prime contract price and the subcontract prices, rather than the amounts of labor costs. For service contracts, the small business prime contractor may not expend more than 50 percent of the prime contract price on subcontractors. Similarly, for supply contracts, the small business prime contractor may not expend more than 50 percent of the prime contract price, less the cost of materials, on subcontractors. Regarding the subcontracting limit for construction contracts, the SBA is tasked to determine the subcontracting limits by obtaining public comments during formal rulemaking.

NDAA Section 1697 removes the dollar limitations for set-asides for Women-Owned small business concerns. Under previous law, agencies were only allowed to set-aside acquisitions for Women-Owned small business concerns if the expected value of the contract did not exceed $6.5 million for manufacturing contracts and $4 million for all other types of contracts. Section 1697 allows agencies to set-aside procurements of any dollar amount for Women-Owned small business concerns.

Section 1612 of the NDAA creates the position of Small Business Ombudsman for the defense audit agencies. The Ombudsman will: (1) advise the DCAA Director on policy issues related to small business concerns; (2) serve as the DCAA’s primary point of contact and source of information for small business concerns; and (3) collect and monitor relevant data concerning the timeliness of DCAA’s audit closeouts for small business concerns and responsiveness to small business issues. However, the Ombudsman role is significantly limited, because the NDAA provides that the Ombudsman shall be segregated from ongoing audits in the field and shall not engage in activities regarding particular audits that could compromise the independence of the DCAA.

These NDAA revisions to the Small Business Act will significantly affect small business contracting. We will keep you informed as the SBA issues proposed regulations and regulations to implement these changes.

For additional information, please contact:

Richard B. Oliver
213.243.6169

John W. Heath
202.496.7224

J. Matthew Carter
213.243.6137

McKenna Long & Aldridge LLP (MLA) is an international law firm with more than 575 attorneys and public policy advisors in 13 offices and 11 markets. The firm is uniquely positioned at the intersection of law, business and government, representing clients in the areas of complex litigation, corporate law, energy, environment, finance, government contracts, health care, infrastructure, insurance, intellectual property, private client services, public policy, real estate, and technology. To further explore the firm and its services, go to mckennalong.com.

© 2013 MCKENNA LONG & ALDRIDGE LLP, 303 PEACHTREE STREET NE, ATLANTA, GA, 30308. All Rights Reserved.

*This Advisory is for informational purposes only and does not constitute specific legal advice or opinions. Such advice and opinions are provided by the firm only upon engagement with respect to specific factual situations. This communication is considered Attorney Advertising.

CYBER SBIR Opportunity

The National Strategy for Trusted Identities in Cyberspace (NSTIC) National Program Office (NPO) recently funded three pilots that will be testing privacy-enhancing cryptography in different use cases and settings as well as two pilots that use alternative non-cryptographic based privacy features. In addition, the NPO has been involved in the development of a project to pilot a Federal Cloud Credential Exchange (FCCX) which also will leverage privacy-enhancing cryptography. A key unmet need is an independent and objective assessment of these pilots that compares and contrasts the usability and privacy performance of the different approaches taken in each pilot, as well as the successes and difficulties each pilot faced in its tests in the marketplace.

The NIST Small Business Innovation Research (SBIR) program is offering small businesses the opportunity to apply for a contract to perform this assessment of the NSTIC pilots and of the FCCX. The goals of this activity are to:

· Perform an independent analysis and comparison of each of the pilots, looking at the usability and privacy performance of the different approaches taken in each pilot;
· Perform an independent analysis and comparison of each of the pilots, looking at the successes and difficulties each pilot faced in its tests in the marketplace;
· Design and, if feasible, conduct usability and performance tests for privacy technologies and features for selected pilots;
· Perform a gap analysis of existing standards and research, in order to help identify requirements for identity management efforts (e.g., standards and research work in security, interoperability, usability, etc.).

This assessment will help maximize the lessons learned by the pilots on usable security and privacy in the Identity Ecosystem and provide valuable data to the Identity Ecosystem Steering Group (IDESG) as it engages in developing the Identity Ecosystem Framework, including components related to usability. Additionally, the assessment can help guide the NSTIC NPO in evaluating the usability of project proposals for potential additional pilot grant funding in 2013.

For information on the NSTIC SBIR opportunity, how to apply, and for contact information, click here. The NSTIC opportunity on “Comparison of Privacy-enhancing Technologies and Features” may be found on pages 40-43 of the solicitation document. All questions about the solicitation and subtopics should be directed to the Q&A function on the NIST SBIR website (www.nist.gov/sbir).

Background on the SBIR Program

The SBIR program (http://www.sbir.gov/) was originally established in 1982 by the Small Business Innovation Development Act (P.L. 97-219). Subsequent legislation has extended the program until September 30, 2017. Eleven federal agencies set aside a portion of their extramural research and development budget each year to fund research proposals from small science and technology-based firms.

The SBIR Program goals are:

· To increase private sector commercialization of innovations derived from federal R&D;
· To use small business to meet federal research and development (R&D) needs;
· To stimulate small business innovation in technology; and
· To foster and encourage participation by minority and disadvantaged persons in technological innovation.

DHS’ Under Secretary Borras & Dr. Nayak Win Federal Small Business Champions of the Year

At GTSC’s holiday awards celebration, we thanked and honored some of the heroes of 2012.

WASHINGTON, Dec. 20, 2012 /PRNewswire/ — The Government Technology & Services Coalition (GTSC), the premier organization for small and mid-sized companies in the Federal homeland and national security market, honored Under Secretary Rafael Borras and Dr. Nick Nayak, Chief Procurement Officer, U.S. Department of Homeland Security, with the Federal Small Business Champions of the Year award. They were awarded yesterday for their work to assure that the innovation, creativity and effectiveness of small businesses is brought to the homeland security mission.

“We believe that Under Secretary Borras and Dr. Nayak have clearly demonstrated their commitment to assuring that the innovation of small companies is constantly applied to the homeland security mission,” said CEO of the GTSC, Kristina Tanasichuk. “We believe that the leadership of DHS has recognized that we must have a mechanism to infuse our current system with new ideas, cutting edge technologies and actual solutions — and small businesses are the source of that.”

The Federal Small Business Champion of the Year award is presented annually to the Federal official(s) who show a distinct commitment and tangible results toward improving the environment and success for small businesses in the Federal market. “We are proud of what DHS has collaboratively accomplished with small businesses and are committed to continuing our support to the small companies that are so vital to our nation’s economy and our department’s missions,” said Rafael Borras, Under Secretary for Management at the Department of Homeland Security.

The GTSC also awarded its Member of the Year Award to Hassett Willis and Company. “After working at the Department of Homeland Security and forming my own woman-owned small business to continue to affect positive change at DHS, Hassett Willis and Company is committed to improving the small business market environment,” said Managing Partner Julie Hassett. “It is critical that leading small businesses work on behalf of our community to improve the contracting process, encourage and nurture small companies and assure the homeland security market’s success.” The award is presented annually to the GTSC Member that exemplifies exceptional quality and ethics for the Federal government, a commitment to GTSC’s small business members and advocacy on behalf of our community.

L3 STRATIS won the award for Mentor of the Year. “We recognized immediately the value of GTSC as a place where big, mid- and small-sized companies collaborate to solve challenges and move the market forward,” said Les Rose, president of L-3 National Security Solutions, of which STRATIS is a part. “We are all committed to the mission of homeland and national security and want to continue to mentor and contribute to an environment that brings the best of the market to DHS and our other Federal partners.” Mentor of the Year is awarded annually to the GTSC Mentor who has worked to increase members’ understanding of the homeland and national security market, has increased business opportunities for small companies through formal and informal mentoring, and engages with GTSC to promote an innovative, robust, fair market for all.

The four were honored at the GTSC’s annual holiday award reception at the U.S. Navy League in Arlington, VA. For more information on these awardees and the Government & Technology Coalition, please visit www.GTSCoalition.com.

DHS SBIR Pre-Solicitation — Ask now!!

The Department of Homeland Security (DHS) has issued the FY13.1 Pre-Solicitation pursuant to the Small Business Innovation Development Act of 1982 (Public Law 97-219), the Small Business Research and Development Act of 1992 (Public Law 102-564), and the SBIR/STTR Reauthorization Act of 2011 (Public Law 112-81). The purpose of this letter is to invite small business concerns, especially women- and minority-owned concerns, to submit Phase I proposals to the DHS Science and Technology (S&T) Directorate’s Small Business Innovation Research (SBIR) Program. Small businesses must have the capability to conduct research or research and development (R/R&D) in any of the homeland security-related topic areas included in the solicitation.

The FY13.1 solicitation includes the following five topics for which Phase I proposals are sought at this time.
· Radio Frequency (RF) Sensing of Personnel in Wooded Areas
· Hybrid Analysis Mapping (HAM)
· Burn-Saver Device
· GPS Disruption Detection and Localization
· Quick Disconnect Cables for Utility Power Distribution Systems

During the period December 4 through December 19, 2012, proposers have an opportunity to have direct contact (by telephone or email) with the technical points of contact listed for each topic to ask technical questions about specific technical topics contained in the solicitation. No further direct contact between proposers and the technical points of contact shall occur from December 20, 2012 through January 23, 2013 for reasons of competitive fairness. Proposals may be submitted from December 20, 2012 through January 23, 2013 at 2:00 p.m., Eastern Time.

The solicitation is available on the Federal Business Opportunities website (https://www.fbo.gov); use the quick search with “HSHQDC-13-R-00009”. Each concern submitting a proposal must qualify as a small business in accordance with SBA’s regulations (13 CFR 121.701 through 121.705). Interested parties that do not already have an established account will need to register at https://sbir2.st.dhs.gov/portal/public/Menu.action?page=sbir_submission_login prior to submitting their proposal. We recommend that this be done in advance of the proposal submission.

If you have any questions, or would like to learn more about the DHS S&T Directorate’s SBIR Program, please feel free to contact me at 202-254-6966 or via email at [email protected].