
Friday, December 3, 2021

Small Business Wins in the House's FY2022 National Defense Authorization Act Amendments

On September 23, the House passed H.R. 4350, the FY2022 National Defense Authorization Act (NDAA). Accompanying the 1,362 pages of legislation were 476 amendments offered by lawmakers. Included in the amendments were several wins for MSGI clients: HUBZone Contractors National Council, GovEvolve, and Montgomery County Chamber of Commerce (MCCC). These amendments are a huge win for the small business community and are the result of months of advocacy.

  • Floor #352 – Transfers decisions for HUBZones to OHA.
  • Floor #314 – Clarifies that the HUBZone price preference applies to task orders.
  • Floor #365 – Raises sole source thresholds for all socioeconomic programs from $4/$7.5 to $8/$10 million (does not eliminate option years; this is the total over the life of the contract).
  • Floor #26 – Raises small business contracting goals.
  • Floor #186 – Creates category management exemptions for tier 0 contracts.
  • Floor #412 – Requires a company to update its small business status in SAM/notify KOs if status changes within 2 days.
  • Floor #149 – Adds cyber counseling capability to SBDCs.
  • Floor #337 – Requires DoD to report impact of CMMC on small businesses.

Considering the ongoing hardships resulting from the COVID-19 pandemic, adoption of these changes would assist small businesses seeking to succeed in the federal marketplace. In October, MSGI pushed for these amendments to be included in the Senate’s version of the FY2022 NDAA by writing a letter to Senate Small Business Committee Chair Ben Cardin of Maryland and Ranking Member Rand Paul of Kentucky. The letter was supported by the MSGI clients listed above, as well as the Women Veterans Business Coalition (WVBC), the Small and Emerging Contractors Advisory Forum (SECAF), the Women Construction Owners and Executives (WCOE), and hundreds of independent small businesses across the country.

Read the Small Business Amendments Support Letter here

Access a detailed list of small business amendments in the House FY2022 NDAA here


HUBZone Contractors National Council - Cyber Maturity Model Certification (CMMC)

Madison Services Group, on behalf of the HUBZone Contractors National Council, is pleased to announce a huge win for small business contractors, the result of months of advocacy. The Department of Defense (DoD) has released the “Cybersecurity Maturity Model Certification (CMMC) 2.0” – the updated version of the Department’s effort to enhance cybersecurity practices of its federal contractors. Many of the changes made by the DoD come as a result of the Council’s efforts over the past two years to highlight challenges/propose solutions to increase compliance and affordability for small contractors.

Michael Dunbar, President of Ryzhka International, testified on behalf of the Council in a June hearing on CMMC implementation and what it means for small businesses. He highlighted the need for cost transparency, streamlined standards and establishing clear communication on CMMC efforts, amongst others. In response to the hearing, the Small Business Committee Members introduced a bipartisan amendment that was included in the House-passed FY2022 National Defense Authorization Act (NDAA) that exempts contracts awarded to small businesses classified as tier 0 from category management or successor strategies for contract consolidation.

  • Floor #337 – Requires DoD to report impact of CMMC on small businesses. Requires DoD to submit a report on the impact of the Cybersecurity Maturity Model Certification (CMMC) on small businesses within 120 days. The report must include the estimated cost burden for each CMMC level, the anticipated decrease in the number of small businesses as a result of CMMC and how the DoD plans to mitigate the negative effects to small businesses resulting from CMMC. [Reps. Phillips (D-MN), Van Duyne (R-TX)]

Our efforts in elevating the voice of the defense industrial base resulted in changes in CMMC 2.0, specifically laid out by DoD to “reduce the burden for small businesses by: streamlining requirements at all levels, eliminating CMMC-unique practices and maturity processes; allowing companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs that do not involve information critical to national security to perform self-assessments rather than third-party assessments; and providing additional flexibility through the allowance of plan of actions and milestones (POA&Ms) and a waiver process.”

Thank you to all of our members and strategic partners that have added their voice to our efforts, and we look forward to continuing this important policy work through our new Secure Supply Chain Consortium.



Thursday, June 24, 2021

MSGI Congressional Hearing Recap - House Small Business Committee Hearing "CMMC Implementation: What It Means for Small Businesses"

 MSGI Congressional Hearing Recap

Committee: House Small Business Committee, Subcommittee on Oversight, Investigations, and Regulations

Hearing Title: CMMC Implementation: What It Means for Small Businesses

Subcommittee Chair: Representative Dean Phillips (D-MN)

Ranking Member: Representative Beth Van Duyne (R-TX)

Date: June 24, 2021

Witnesses

Mr. Jonathan T. Williams
Partner
PilieroMazza PLLC
Testimony

Mr. Scott Singer
President
CyberNINES
Testimony 

Ms. Tina Wilson
Chief Executive Officer
T47 International, Inc.
Testimony 

Mr. Michael Dunbar
President
Ryzhka International LLC
*Testifying on behalf of the HUBZone Contractors National Council
Testimony 

Main Issues Discussed

Cost of CMMC Implementation

  • Chair Phillips (D-MN) Questions:
    • Mr. Williams, the cost of CMMC can be burdensome, how can we strike a balance with cost and protecting cybersecurity?
      • Response: Keep as many small businesses as possible at Level 1. The businesses will have adequate protections but will avoid the costs of Level 3. We need a controlled approach where small businesses don’t have to take on Level 3 information.
    • Are there funding streams to help small businesses?
      • Response: I am not aware of any, but it is a great idea. Smaller firms cannot afford the investment up front. Existing mentor protégé programs work very well, mentors can help with CMMC.  
    • Ms. Wilson, what is your experience with CMMC?
      • Response: I learned about it when attending an industry day, I understand how it works in a broader perspective. T-47, my business, must secure a specialist because CMMC is very complex.  

Overlapping Requirements

  • Ranking Member Van Duyne (R-TX) Question:
    • Mr. Dunbar, do you believe the CMMC duplicates any standards that are already present?
      • Response: Yes, it is built on an existing standard. The reason behind CMMC is there was no third-party assessment. Why create an existing standard? Why not add on the third-party assessment to an existing standard?
  • Rep. Evans (D-PA) Question:
    • Ms. Wilson, can you mention just a few other certifications you have to comply with?
      • Response: We have invested in the ISO certifications, SBA’s annual 8(a) certification, WOSB certification, defense counterintelligence security certification. The CMMC process has been the most challenging because there is no transparency.

Lack of Transparent Information on CMMC

  • Ranking Member Van Duyne (R-TX) Questions:
    • Mr. Dunbar, where do you get the information on CMMC? How can we make it easier?
      • Response: We get the information from LinkedIn. There is no consistent message or method coming from the Department of Defense (DOD). Even the CMMC FAQ page is not streamlined. 
    • Is there a role for the SBA?
      • Response: There should be a role for the SBA. I think the DOD has sidelined them in the same way that small businesses have been ignored.
    • Mr. Singer, what is the penalty if a business doesn’t comply?
      • Response: You are out of business with the DOD.
    • Can you point to one or two things that would make understanding this easier for small businesses?
      • Response from Mr. Singer: The prime contractors need to step up and play a bigger role, they have the resources and the teams to do so. There needs to be more support for the whole supply chain.
      • Response from Ms. Wilson: To ensure that everyone has the same information there needs to be a concerted effort across all industries. 
      • Response from Mr. Williams: Regarding the flow down of information, the prime contractor has a lot of power. The challenge is that the questions are not being answered on the main issues. 
      • Response from Mr. Dunbar: A lot of small businesses work from home now. Small businesses will be subject to home inspections, the risk of this is incalculable. Small businesses need the ability to protect themselves. 
  • Rep. Evans (D-PA) Question: 
    • Mr. Dunbar, what is your recommendation to businesses just learning about CMMC?
      • Response: I don’t have an answer. We are trying to find the information, which has not been clear.
      • Response from Mr. Singer: It is important for companies to find reputable partners to help them through the process. I think Level 3 businesses, such as small manufacturers, are just now starting to understand this. Businesses that qualify as Level 1's may not understand that CMMC will affect them yet.

Determining Levels for Small Businesses 

  • Rep. Evans (D-PA) Question:
    • Ms. Wilson, what would be the ideal way for small businesses to be taken care of?
      • Response: Offer up costs to pay for Level 1 and Level 2 certifications. This way, DOD has some level of comfort. The other businesses can go out and secure other levels if needed. 
  • Rep. Meuser (R-PA) Questions: 
    • Mr. Dunbar, what is the DOD’s feedback on if Level 1 is satisfactory? What do they say about you, and suppliers like you, regarding Level 1?
      • Response: Part of the problem is that we aren’t hearing a lot. We don’t know if we will need to keep chasing technology as we go along.
    • What is the cost difference from Level 1 to Level 3?
      • Response: 10 to 20-fold cost difference.
    • How much more secure is Level 1 to Level 3?
      • Response: From where I am currently, I am secure. 
  • Rep. Hagedorn (R-MN) Question:
    • Mr. Dunbar, wouldn’t it make more sense if the government imposed reasonable standards?
      • Response: I agree, the key word is the definition of reasonable, DOD believes that these numbers are reasonable. My company has 6 people, this is not reasonable. 
  • Chair Phillips (D-MN) Question:
    • Mr. Singer, how likely is full CMMC implementation by 2026 when there is such a lack of assessors?
      • Response: It will be very difficult to get there with the current progress of 100 provisional assessors and 2 C3PAOs. The timeline is very stretched, we need more than 8,000 assessment team members to make this happen. There needs to be flexibility for the third-party assessors. Not everyone needs to be at Level 3. There needs to be an understanding of risk to the supply chain. 
    • Mr. Williams, how concerned are you that the CMMC initiative will be adopted by civilian agencies and become a baseline?
      • Response: It is certainly a possibility. I would view what is happening at DOD as a trial.  


Wednesday, July 22, 2020

Amidst the continuing pandemic one thing remains the same for all federal contractors – Section 889 implementation.

By Elizabeth Sullivan

Disclaimer: This is longer than our usual blog posts – the rule was 86 pages, so bear with me through this one.

Section 889 – a name that does not mean much to the average person, but carries a lot of weight for contractors. This is a section in the FY2019 National Defense Authorization Act (NDAA) that seeks to eradicate Chinese telecom from the entire U.S. government supply chain. Why write about it now? The part that impacts federal contractors of all sizes (Part B) goes into effect in less than a month.

Earlier this year, the Department of Defense (DoD) held a public meeting to hear from industry. Of the salient points made, one resounding theme was that definitions will mean everything for implementation. However, industry hasn’t been able to share any definitional clarity because of the rule release delay. The FAR Council published their interim rule last week – Part B goes into effect before the comment period is over, which means contractors will have to comply with the rule starting on August 13, 2020. Public comments can be submitted until September 14.

Here are the five key components for small/midsize business contractors to pay attention to.

You’ll have a new box to check in SAM. Contractors will need to annually check a box in SAM verifying that they do not use any covered telecommunications equipment or services. A contractor can choose to say yes, they do use some of these banned equipment/services, which would require an offer-by-offer representation for contracts and task/delivery orders under IDIQs. It is important to know this ban applies to any equipment, system, or service that uses the covered equipment or services as a substantial or essential component of any system, or as critical technology as part of any of a contractor’s systems. Think this rule does not apply to you? Think again – acquisitions of commercial items (including COTS) and contracts at or below the simplified acquisition threshold (SAT) must also adhere to this prohibition.

Definitions are key. Definitions are critical to the implementation of this rule, which defines words such as “backhaul” and “roaming,” but leaves contractors with uncertainty over what constitutes a covered technology. FAR 4.2101 covers some of these definitions; however, there was no further clarity in the rule regarding who is considered “any subsidiary or affiliate of such entities” of the five listed companies (Huawei, ZTE, Hytera, Hikvision and Dahua). It seems problematic that a small business contractor is expected to research all of the subsidiaries and affiliates of these companies to make sure they are not utilizing any prohibited components. Note to government: why not just provide a list?

Another definitional bone I have to pick is the meaning of “reasonable inquiry.” The rule says that a company is compliant if a “reasonable inquiry” by the company does not show any use of the prohibited equipment or services. So, what exactly does that mean? According to the rule, a reasonable inquiry is something that is designed to uncover any use of these covered telecommunications equipment or services and does not need to be an internal or third-party audit. While I am not a lawyer, I can imagine that every procurement attorney would advise contractors to have some type of legitimate audit of systems in case compliance risks arise.

The waiver process is laborious. Although a waiver sounds reasonable and gives contractors added time to comply (until August 13, 2022), it doesn’t seem designed for small or midsize contractors. In order to get a one-time waiver, the head of an agency has to grant it. Before this happens, a senior agency official for supply chain risk management has to discuss the waiver with the Federal Acquisition Security Council (FASC). And consult with the Office of the Director of National Intelligence (ODNI) to make sure conditions are met. And provide notice to the ODNI and FASC 15 days before granting the waiver. And notify appropriate Congressional committees within 30 days. The FAR Council does acknowledge that this process could take a few weeks and advises to enter at your own risk because “agencies may reasonably choose not to initiate one and to move forward and make award to an offeror that does not require a waiver.” A quick data point: there are 387,967 companies registered in SAM, 74% of which are small. That would mean if every small company decided to submit an offer for a federal award and sought a waiver, that would be 287,096 waivers.

Six contractor actions are necessary for compliance. A chunk of the rule outlines contractor compliance recommendations. After reading and re-reading these six actions in the rule, I’m left with the same feeling: small contractors need something more detailed than just general guidelines. Generalities like “read and understand the rule and necessary actions for compliance” and “corporate enterprise tracking” sound great, but what exactly does that entail? During more normal times – let alone a pandemic – building out a compliance program can be complicated, not to mention costly. It is important contractors have the detailed information to get it right.

Finally, I see dollar signs. The rule completely underestimates the time it will take contractors to implement and remain compliant with this rule. A whole section is dedicated to this analysis – and quite a few estimates left me scratching my head (you can find these in Section III, Part D). Companies aware of the rule have been spending months trying to prepare and continue to evaluate the components in their government offerings. An important part of complying with the rule to highlight is that a company cannot use any of these prohibited systems/equipment, even if they are not used in its federal contracts. That means no split networks or having one system for U.S. federal business and a different one for commercial or contracts with other countries. I see more dollar signs.

The FAR Council is seeking public comment on the rule – and federal contractors should respond. In Section IV of the rule you can find a list of questions the Council wants industry to answer, and it is worth taking a look at them. One that is also found in the beginning of the rule is whether an expansion of the prohibition should be made to include all company subsidiaries and affiliates. Feedback is also requested on subjects like challenges, costs and insight into existing systems.

One thing all contractors, regardless of size, have in common – they want to be compliant so they can compete. Given the uphill battle small and midsize contractors face when it comes to compliance with Section 889 and many other contracting requirements, advocacy on this issue is critical.

Wednesday, March 4, 2020

Hey Defense Contractors: DoD’s CMMC is Moving Full Steam Ahead With or Without You

WIPP Works in Washington, March 2020
By Elizabeth Sullivan, WIPP's Advocacy Team

If you need a quick refresher on CMMC before reading this, you can find it here and here.

The final model for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) came out earlier this year. So, what’s next for businesses? 

Let’s talk certification. Now that version 1.0 of CMMC – the final version – has been released, DoD is moving full steam ahead. The “accreditation body” has been formed, which is an independent, non-profit group that is responsible for developing the training and assessment standards for the certification. The next step in the certification journey for DoD is forming a Memorandum of Understanding (MOU) with the accreditation body, which will outline the roles and responsibilities of each of the parties. Finally, “accreditors” – of which there are none currently – will be responsible for evaluating businesses and assigning them a CMMC certification level. If all of this third-party stuff leaves you scratching your head, just know that DoD is outsourcing the accreditation of over 300,000 contractors with plans for substantial oversight.

Substantial questions remain for contractors. One of the biggest is the timing of the certification rollout. The Department has said that they will issue 10 “pathfinder” solicitations that require various CMMC levels, including a few that will require level 4 or 5 certifications. Since these will be substantial contracts, if you are a small business tapped to subcontract on one of these – when will you get certified? Will there be some type of queue, where the biggest companies go first? Or will it be ranked by the amount of anticipated work? This remains to be determined.

Let’s talk levels. While the CMMC levels have been refined throughout the DoD’s drafting process, it is important to know that there are five levels. Any contractor, regardless of the type of work they do, that wants to do business with DoD will need at least a level one. Level one is the most basic cyber hygiene, which has some noteworthy differences from NIST 800-171. The Defense Department has said that most small businesses only need a level one. But I wouldn’t take that assessment at face value. It is important for small/midsize companies to determine the appropriate level they want to prepare for based on the work they do, or plan to do, for the DoD. For example, if your company handles any Controlled Unclassified Information (CUI) you will need at least a level three. By the way, these levels will also apply to subcontracts. Which brings me into the next section of this article – unknowns.

Let's talk unknowns. I was recently on a panel at the Women Leaders in Defense & Aerospace Law & Compliance Conference, where I shared the stage with the other two sides of the CMMC equation – a lawyer and prime. One of the things that I learned is that concerns span all business sizes—small businesses aren’t the only ones with questions. First and foremost is how the DoD will handle CMMC certification levels for subcontracted work. There has been a lot of conflicting information about this component flying around, but the latest and greatest (as of the time this is published) is that the program managers for both the DoD and prime contractor will work together to determine the appropriate CMMC levels for the components of subcontracted work.

Another unknown is how a company can dispute an assigned level by an accreditor. While the accreditation body will have some sort of mechanism to address this, DoD’s involvement in this process is unclear. This is an important question because certification levels will be assigned for a three-year period. Finally – and this is a big one – the total cost for contractors remains to be seen. DoD has not yet provided any specific information on the cost of obtaining the certification. Some good news: one thing that is known (and has been for a while) is that DoD will not seek levels retroactively – meaning that no current contracts will be modified to require a certain certification level. All of this is to say, stay tuned.

Moral of the story is – as a federal contractor, it is time to pay attention if you aren’t already. WIPP recently offered a webinar on this issue, and we intend to continue to provide the most updated education on this certification roll-out. Although CMMC is only for the DoD supply chain, in the future it could impact civilian agencies as well. So, get ready – it’s moving full steam ahead, with or without you. 

Wednesday, January 15, 2020

New Year’s Resolutions from WIPP’s Advocacy Team

By Elizabeth Sullivan

It has been two weeks since New Year's Day and you’re not alone if you have broken most or all of your New Year's resolutions. While we put our personal resolutions aside, when it comes to advocacy, our team has made some we are committed to keeping.

1. Untangle the web of new federal cybersecurity requirements for WOSBs.

2020 is shaping up to be the year of securing the federal supply chain. This may sound dry or mundane, but recent changes truly impact every federal contractor of every size. While we did a deeper dive last year, let me provide some context. Our work does not stop when a bill becomes a law. In fact, the devil is in the details, so providing input during the regulatory process is just as important as the passage of the law (a refresher on the regulatory process can be found here). In addition, remember that a proposed or new regulation is called a “rule.” Major agency actions – all regulatory – require our attention. 

  • Cybersecurity Maturity Model Certification (CMMC) – The final version of this requirement should be published later this month. The CMMC is expected to designate maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced.” While contractors will be required to be certified by an accrediting body, that body has not yet been determined. This body is expected to enter into an MOU with the DoD sometime this month. The government has indicated that contractors will be reimbursed for the certification fee through their pricing on contracts to the federal government. However, the current cost remains unclear. CMMC will eventually be required for anyone doing business with DoD – the certification levels will begin to be included in RFIs starting in June and RFPs sometime in the fall. One important point made by Katie Arrington, DoD’s Chief Information Security Officer for Acquisition and Sustainment, was to never post your CMMC level certification on your website, as hackers will then know the types of security you are employing and target accordingly. Although there are still some factors to be determined, this certification is moving full steam ahead – and compliance strategies will be an important exercise for every federal contractor in 2020.

  • Section 889: Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment – Commonly referred to as “Section 889,” this rule seems like it would have nothing to do with small businesses or most contractors; however, it does. It broadly prohibits federal agencies from using telecommunications or surveillance equipment or services from six Chinese companies or their subsidiaries. Ann took a closer look at the rule here. In step two of implementation, a rule is expected to go into effect sometime this year that prohibits any government contractor from using any components or services from these companies. If you are renewing your SAM profile, you will notice a new question asking if you provide covered telecommunications equipment or services in the performance of any contract or subcontract. This action impacts the entire supply chain, covering all contracts.

Additionally, WIPP members have aired their frustrations for years on the government’s security clearance processes, both in civilian agencies and at DoD. This “chicken and egg” issue continues to hamper WOSBs and other small contractors from reaching their full potential. We hear you and are working to create policy solutions on these issues.

2. Urge the Senate to pass the SBA Reauthorization bill.

WIPP has been working closely with the Senate Committee on Small Business and Entrepreneurship to make necessary changes to programs benefitting entrepreneurs through the Small Business Administration (SBA). The Chairman’s draft contains fifteen changes that, if passed, will be game-changers for women business owners. This includes positive sole source changes for federal contractors and increasing the ability for WOSBs to access capital. Unfortunately, the Committee postponed action on a comprehensive reauthorization bill after failing to agree on proposed regulatory changes contained in the draft legislation. Despite this setback, you should still contact your Senators, urging action. We even have a letter you can easily download and send here. This bill has enormous implications for small and midsize businesses around the country – we’ll be keeping up the drumbeat. One detail to know about this effort is that while it is a new year, it is not a new Congress. The 116th Congress is in its second session, which means that bills introduced in 2019 are still active in 2020. 

3. Celebrate and build upon our FY2020 NDAA wins.

The National Defense Authorization Act (NDAA) is a must-pass bill by Congress – authorizing all of the DoD programs on an annual basis. The 2020 NDAA, passed in December 2019, contained three WIPP supported provisions that positively impact WOSBs. The first is the prompt payment for small business prime contractors and subsequently their subcontractors. WIPP has supported permanently establishing an accelerated payment date since the Office of Management and Budget (OMB) directive expired in 2017, and this provision establishes a goal of 15 days after proper invoice. The second is uncovering small business participation on multiple award contracts that are designated as best-in-class vehicles. As the spend through these vehicles increases, it is critical to have data on WOSB participation. Therefore, the provision requires the SBA to report the dollar amount of contracts awarded to small businesses. WIPP’s third win was to strengthen accountability for subcontractors. The provision implements a new dispute process allowing small subcontractors to bring nonpayment issues to the agency’s Office of Small and Disadvantaged Business Utilization (OSDBU), as well as strengthen the agency’s ability to collect and review data regarding prime contractors' achievement of their subcontracting plans.

4. Support Congressional women

As we all know, it is a Presidential election year. However, the entire House of Representatives and a third of the seats in the Senate are also up for grabs. Electing women to Congress is important, no matter your party affiliation. Currently, 127 women serve in the U.S. Congress – 26 in the Senate and 101 in the House. The women in the Senate have long been a model for avoiding legislative gridlock. They are often the negotiators who are willing to reach across the aisle to find common ground on major pieces of legislation. Women Members are also the cosponsors on legislation important to women entrepreneurs. For example, our bill to increase investment in women-owned federal contractors, The Women and Minority Equity Investment Act of 2019, is championed in the Senate by Senator Maria Cantwell (D-WA) with Chair Marco Rubio (R-FL) and in the House by Representative Robin Kelly (D-IL).

It is also important to note that the Senate just confirmed a new Administrator to the Small Business Administration, current U.S. Treasurer Jovita Carranza. We are thrilled to work with her again, as she was formerly an SBA Deputy Administrator and championed issues important to women-owned businesses during her tenure. No doubt, other policy priorities will arise as the year moves forward. Although there are many political pressures that threaten to derail our efforts, we remain committed to the bipartisan mission of empowering women entrepreneurs. From the policy team for Women Impacting Public Policy, Happy New Year. Let’s get to work.

Friday, November 1, 2019

Regulatory Rigmarole: Advocacy Comes in All Forms


By: Ann Sullivan 

As a member of WIPP, you already know more than the average person about regulations that impact small business owners – regardless of whether they are proposed, interim-final, or final rules. But, you probably don’t know exactly what that means or how they get to those stages in the first place.

The first thing to know is that proposed regulations are known as “rules” and the rulemaking process is lengthier than you might expect. When Congress passes a law, the agency then gets to work to implement it. The final product is a new regulation. To get from passage of a law to a new regulation involves a number of steps by the agencies. 

An agency’s first step is to develop a draft regulation known as a proposed rule. Then, the agency sends the draft to the Office of Information and Regulatory Affairs (OIRA) for review. OIRA is tasked with circulating this regulation among other government agencies and taking their feedback into account. OIRA is a Federal office that was created by Congress in 1980. In 1991, an Executive Order directed that the office would formally review all draft proposed and final rules before they were published in the Federal Register.

OIRA makes suggested changes and sends the proposed rule back to the agency. The agency then issues a proposed rule which it publishes on www.regulations.gov for public comment. The comment period is usually open for 60 days, although some only accept comments for 30 days. Comments are not limited to organizations like WIPP – anyone or any entity can provide comments on a proposed rule.

The agency reviews the public input to revise a final product, which typically takes another 60–90 days, then summarizes its findings and issues a final rule. Done, right? Not quite. The final rule once again goes to OIRA for review – only when this approval process is complete can the new regulation be published as a final rule.

Given this process, you now know why WIPP is very active in the regulatory space. By commenting on proposed rules, we have the ability to shape the outcome of the regulation. The devil is in the details, so this stage of advocacy is, in many cases, as important as passage of the law. WIPP has commented on a number of important proposed rules on a variety of issues. In 2019, WIPP submitted comments to SBA on a number of small business contracting rules ranging from the proposed WOSB/EDWOSB certification rule, to the rule implementing the Small Business Runway Extension Act. WIPP also submitted comments to the Department of Defense (DoD) on its proposed Cybersecurity Maturity Model Certification—a far-reaching cyber certification which will affect every federal contractor and subcontractor.

The Federal Acquisition Regulation (FAR) Council recently proposed an interim final rule that will amend the FAR to prohibit the federal government from procuring or obtaining, or extending or renewing a contract to procure or obtain, “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system” in order to combat the national security and intellectual property threats that face the United States. “Covered telecommunications equipment or services” is defined as components from: Huawei, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company.

The rule prohibits contractors from providing covered telecommunications equipment or services unless the agency confirms that an exception applies or a waiver is granted; requires every offeror for a contract or order to represent whether or not it will provide covered telecommunications equipment or services as part of its offer and, if so, to furnish additional detail about the covered equipment or services; and mandates that contractors report any covered equipment or services if discovered during the course of contract performance. 

It is important to note that the interim rule impacts ALL contractors — not just those that offer information and communication technology. Each contractor is responsible for determining whether telecommunications equipment and services will be provided under both new and existing contracts and orders. WIPP recognized the wide-reaching importance of this rule and jointly submitted comments in response.

On another note, Lowest Price Technically Acceptable (LPTA) has been a long-hated acquisition pricing policy in the small business community. LPTA is seen as a “race to the bottom,” and the FAR Council has issued a proposed rule to avoid using LPTA source selection criteria in circumstances that would deny the government the benefits of cost and technical tradeoffs in the source selection process. This rule also states specifically that LPTA source selection criteria should be avoided for procurements for IT services, cyber security, systems engineering services, and others. One part of the regulatory process to note: when the FAR Council issues a proposed rule, it is listed with a “FAR Case” number instead of a “Regulatory Identification Number” (RIN).

Advocacy comes in all forms. While our team focuses much of our attention on Congressional action, our work with agencies, especially SBA, is every bit as important. Staying vigilant on all fronts is critical to all businesses, large and small. It’s tough to keep up with everything as a small business – I know – I am one. That’s why membership in WIPP is critical to your bottom line – we follow and initiate the actions important to women-owned businesses. Your job is to get active.