2023 FAS Industry Partner Symposium - Policy Landscape

2023 FAS Industry Partner Symposium - Policy Landscape

Show Video

- Thank you so much. Welcome to our third webinar for Policy Landscape. I'm very happy to have the opportunity to share information with you about policy landscape. Next slide. Next one.

Next one. Today, we are gonna be talking multiple, we are gonna have multiple topics, but the idea is to have a conversation with you about what is happening in the policy landscape, what are the different things that are happening? Our presentation will have multiple speakers talking about different topics of interest. Next one.

Protecting The Industrial Base Through Policy. Just wanted to give you a little background about what is happening, and what is the reason why we have seen such a dynamic policy environment lately. As you know, there are multiple industrial-based threats and we have seen them recently in situations like the pandemic and other areas, like budget swings, cyber intrusion, natural disasters, et cetera.

So as a response to all these different threats, there are a lot of different policies and regulations that are in development to help us mitigate those threats in areas such as cybersecurity, climate, and sustainability. Next one. But our objective is to be able to balance the public policy objectives with our customer needs. We in GSA are committed to support our industrial base, sustain a healthy and industrial base, at the same time that we are compliant with new regulations and policies.

So we assure that we can help our customers and provide them what they need when they need it. Next one. This is the third of a series of webinars that our office, the Office of Policy and Compliance, is providing just to share information and provide resources that industry can use to be aware of new policies, new requirements, but also to support all the activities related to the implementation of those requirements. The previous webinars included multiple information about current policies, and you can find them if you look at the GSA Interact, and search for Policy Landscape Webinars, but we also have today a booth as part of the symposium. It's called the Policy Landscape, where you can go and look at previous presentations that we have, and look at the recordings of those presentations. The idea is to keep you informed about the policy landscape and work together to implement those anticipated changes in the future.

Next slide. Before we start the conversation about each of the topics for today, we want to let you know that this presentation is just informational. What this means is that there are no actions required from industry after this information is provided. We are not directing vendors to make any decisions based on the information discussed today. We believe each vendor should make their own decisions regarding the participation in these policy initiatives, and while the data is provided in good faith, we cannot assume responsibility for the usefulness of this information.

Next slide. Our objectives for today, we are going to learn about the 8(a) program partnership between GSA and the Small Business Administration. We will receive updated information about cyber security, and the software attestation initiative. We will be familiar with the processes for policy and how to provide public comments. And we are also going to learn more about the memorandum of understanding between GSA and DoD for Sustainability Technology Evaluation and Development Program. And now I'm gonna introduce Mr. Steven Hutchinson,

who is our next speaker today. Thank you. - [Steven] GSA and SBA signed a revised partnership agreement in 2022. The new partnership agreement reflects on the growth of the 8a program since GSA and SBA's original partnership agreement signed in 2012.

Some of the notable changes this new and improved partnership agreement bring include GSA Schedule specific changes. These will allow for 8(a) set aside, sole source or competitive under scheduled contracts. I'll discuss this in later slides as well. Competition at any threshold, GSA may set aside procurements for competitive 8(a)'s at any dollar value without SBA approval for certain contract vehicles, example schedules in the 8(a) STARS program.

Notification procedures, new requirements and follow-ons using a different 8(a) contract vehicle must provide notification only to SBA. The partnership agreement outlines the documentation required to be provided. Informal escalation process. Informal escalation procedures established prior to the formal process outline in FAR 19.810. Standard review times. The partnership agreement contains SBA standard review times and assumed approvals if no responses are included for most scenarios, including offer and acceptance letters.

Next slide please. Now let's talk more about the benefits of the GSA-SBA Partnership Agreement and GSA Schedules. Implementation of this agreement on GSA Schedules will help small disadvantaged businesses, SDBs, participating in the SBA's 8(a) Business Development Program, gain access to more federal contracts in GSA's Multiple Award Schedule Program, and advance President Biden's goal to increase contracts to SDBs. This agreement will establish a pool of 8(a) firms to make it easier for procurement officials to locate and contract with small disadvantaged businesses across industries.

Once participants are accepted into the newly established 8(a) MAS pool, they will receive a designation that indicates to agency buyers that a business is eligible for 8(a) sole source awards, and, or a competitive set asides. Federal agencies will be able to leverage the size and scale of the mass marketplace to achieve their SDB contracting goals while they make smart purchasing decisions. Next slide, please. How can industry participate in this great opportunity? Keep up to date on GSA Interact.

Go to the MAS page, that is the best location for the latest news on the implementation. As of now, we are aiming to launch with Refresh #17, hopefully very soon, so please be on the lookout. If you are an existing 8(a) vendor on MAS, GSA intends to issue modifications to existing 8(a) approved firms who have received offer and acceptance, and who are active 8(a) participants to enter into the MAS 8(a) pool.

If you are an SBA approved 8(a) firm, but not a scheduled contract holder, we encourage you to consider joining the GSA Schedule program. For information on how to become a GSA Schedule holder, please go to gsa.gov/schedules for more information. Next slide. How does the partnership agreement benefit industry? We believe that by joining together, GSA and SBA can leverage the strengths of the SBA's 8(a) Business Development Program by matching it with the strengths of the GSA Schedule program. For example, many federal buyers are familiar with the GSA Schedule program, and are trained to access opportunities through its diverse supplier base.

These federal buyers are used to accessing these opportunities through GSA E-tools. By joining these two programs together, we expect more usage for MAS 8(a)'s by the GSA schedule customer base. In addition, once these 8(a)'s have graduated from the 8(a) program, they'll hopefully become more successful MAS contractors, and be ready to compete and succeed on GSA Schedules outside of the 8(a) program.

Next slide. Here on this slide are the GSA E-tools I just mentioned. Thank you again for your continued interest and support of the GSA Schedules program.

And now I will turn over to our next presenter to discuss cyber security. Thank you again and have a great day. - Good morning. My name is Kelley Artz. The next slide, please. I'll be here to talk about several cybersecurity initiatives.

As Lirio mentioned, this is our third webinar for the policy landscape. In the previous webinars I described the EO, which is lovingly referred to as a Cybersecurity EO. You may know it as 14028. So as a result of that major executive order for cybersecurity, several other supporting regulations and guidance have come out. The two that I'll be focused on most today are M-22-18 and M-23-16, which is an update, and clarification of M-22-18, as well as two other FAR cases, FAR cases that relate to cybersecurity.

Next slide please. First, the CISA's, what we call the Common Attestation Form, which was called out in the cybersecurity executive order. CISA's come up with a form that's out for public comment. They refer liberally to NIST 802-18, which lays out the Secure Software Development Framework. It has a specific software security practice, and it maps that to the Cybersecurity EO, so that it shows that when CEOs, who are called CEOs from software producers are required to sign these Common Attestation Forms, and make those available to the government prior to purchase of that software product.

The CEO will sign these forms to attest that that product follows those best practices for the Secure Software Development Framework outlined by NIST. So right now the form is out for public comment. We invite you to go to the link that's at the back in the reference, and make any comments as you desire. This form, when it's finalized, the government has three months to make sure that they have this form for every piece of software that the government uses internal to its infrastructure. So it's a major muscle movement for us to work with you, our vendor partners and the software producers, to make sure that this guidance is being followed.

M-23-16 extended the deadline. The government needed more time to work out what's on the Common Form, and then as you'll see later in the presentation, OMB is also working to follow the guidelines for the Paperwork Reduction Act. Next slide please. So following the issuance of the MMO from the White House, GSA Senior Procurement Executive, together with our CIO, issued additional guidance for GSA, and this slide works to show you the way the guidance has come to the Federal Acquisition Service, and to those who are purchasing software on behalf of GSA for use in GSA's internal infrastructure.

So on the column to my left, this is what is happening according to the CIO's guidance, they have an IT security policy for buying IT and software that's for use in GSA's internal infrastructure. That's a process that's been in place for a while. What, GSA IT is doing is working to update that process, so that anyone buying software for GSA use has to follow that updated guidance.

It will include the Common Attestation Form when that is finalized. So any vendor that's among us today that is selling software to GSA, this will impact you. So please make yourself familiar with the Common Form that CISA has put out for public comment that will have to be in place before GSA is allowed to continue to use your software product in our internal network. The Common Form itself and the MMO associated requires that not only is the form filled out by the CEO of the software producer initially, but it also has to be maintained, so that at any time there's a major update, and there's clarity in the MMO itself, the Attestation Form, again, needs to be made available. For FAS, the Federal Acquisition Service, because we make products available to our customer agencies on our government-wide vehicles, this guidance to FAS requires that FAS make available your vendor attestation, so that you are allowed to give us your attestation, and we make that available for view by customers or potential customers, but you can't put a POAM or any kind of SBOM with it. It's only the Attestation Form itself, and we anticipate that there will be a FAR rule that will make it more codified, and you'll be allowed to participate in the comment period of that upcoming FAR rule.

Next slide, please. So after 22-18 was issued, we received 23-16, which provides further clarification on the scope, and this memo speaks specifically to attestations of that, sorry, I should say what is not included. So what's not required is government produced software, where it's out of scope, and then any items that are freely obtained, like publicly available that is not, we're not required to get attestations from those two sources. However, for software producers, you're required, at the end product level, you're required to do a complete attestation that includes all the components that you have in your software package that's made available for government consideration for purchase. The memo also goes into POA&Ms. POA&Ms will be allowed at the discretion of the buying agency, and at the approval of OMB.

Now, the POA&M, for those of you that aren't familiar, a Plan of Action and Milestone. That'll be when the CEOs reviewing that Common Attestation Form, and sees the best practice for the Secure Software Development Framework. If he identifies that somewhere in his build environment, he's not able to fully attest that all the product produced is in that secure software build and development environment, then he could work to create POA&M to give to the buying agency, in this case, GSA, and allow GSA to consider whether that POA&M is sufficient.

If GSA approved, they can also work with OMB to get that approved. That will require not just the formal approval, but also a a specific period when the waiver, the exception is in place. So we'd have to track that POAM along with our vendor partners to make sure that we can continue to use that software. Next slide, please.

This table is designed to show you the different timelines that agencies are required to follow. The PRA is the Paperwork Reduction Act. So once the Common Form is cleared through OMB and the Paperwork Reduction Act, the government has three months to have attestations of critical software. And critical software is defined by NIST. You can find it referenced in a previous MMO, 21-30, and critical software, there's specific characteristics that fall in this definition.

It's elevated privilege, or software that has the ability to manage privileges. It performs a function critical to trust, and it has direct or privilege access to data or operational technology. Now, that's a big point for our vendor partners to understand when we think about the scope of what this critical software is for the three months on the timeline, that's operational technology, so that speaks to critical infrastructure as well. Then we have the, as a government agency, we have six months to get the rest of the software attested and fully attested. So there on this slide, you'll see the definition for the rest of the software. Next slide, please.

I also wanna take a minute to explain an upcoming FAR case that's associated with the Federal Acquisition Security Council. Some of you who've participated in our previous webinars might be familiar with the Federal Acquisition Security Council. It was created by an order we call the Secure Technology Act in 2018. This upcoming FAR case, which is expected to come out as an interim rule, will codify the authority of the three, what we call, issuing officials. There are three secretaries that are called out in the Secure Technology Act. It's the Secretary of the Department of Homeland Security, who has responsibility over civilian information systems, the Secretary of Defense, which is national security systems, and then the National Director, the Director of National Intelligence, which is SEI systems for the intelligence community.

Those three issuing issuing officials have authority to decide exclusion and removal orders for certain banned items, or products, or sources. So the FASC, the Federal Acquisition Security Council, makes the recommendation to the three issuing officials, and then three issuing officials have authority to make exclusion or removal orders for their respective domains. So what you'll see in this next interim rule is further classification of the authority of the issuing officials, it'll provide guidance to the acquisition workforce, all the contractor's offers, all the contract officers across government, as well as guidance for you or vendor partners as to where to go to find these lists that the issuing officials will create, and orders that they issue. Next slide, please. The final FAR regulatory case that I I'd like to discuss is referred to as our TikTok ban.

This is a case that's come out as an interim role in June, and we've been required to update all the contracts in GSA to add language that's about a page long, and the language basically prevents TikTok or any of the ByteDance subsequent products from being used on government devices or in contracts that support the government. So you'll see this, hopefully you've already seen this from your contract officer. We'll be completing the modifications at the end of this month and we appreciate your partnership as we get those all signed and completed in time for us to report up compliance. If you have any questions, I'll be glad to take them in the chat. The next slide is a list of references that gives you lots of homework material to read and understand more detail than I've presented here.

Next, I'd like to welcome Julie Green who'll continue our webinar. Thank you. - Hi, and thank you, Kelley. Good morning, I'm Julie Green from the Office of Policy and Compliance Acquisition Policy Division. Today I'm going to take you through the rulemaking process and how to provide public comments.

Next slide, please. Next slide. Laws often don't include all the details needed to explain how an individual business or others might follow the laws. So in order to make laws work on a day-to-day level, Congress authorizes certain government agencies to create regulations through rulemaking. For example, the Small Business Administration interprets small business statutes, Department of Labor interprets labor statutes, then updates to the FAR or agency regulations such as the GSAR are pursued. The Federal Acquisition Regulatory Council is comprised of OFPP, GSA, NASA, and DoD, and they're responsible for issuing and maintaining the FAR.

GSA is also authorized to implement regulations for GSA through the General Services Acquisition Regulation or GSAR, and it also has responsibility for the Federal Management Regulation, and Federal Travel Regulation. Next slide, please. When agencies issue regulations to make change or delete a rule, they'll generally first publish the rule in the Federal Register. Next, agencies will seek public comments. They do this so the public is informed of proposed rules before they take effect, and the public can comment on proposed rules and provide additional data to the agency.

The comment period is generally 60 days. Finally, agencies will consider the public's comment, it may change the rule if necessary. Then the agency publishes the final version in the Federal Register, along with a description of comments received, the agency's response to those comments, and the date the rules go into effect. The rulemaking process could span several months to years.

Next slide, please. There are three types of rules. Under a proposed rule, the public gets to weigh in on the rule.

Most rules are published as proposed rules, and these are issued for complex cases that require subjective judgment to implement. This is also your best opportunity to shape a rule. Under an interim rule, the rule takes effect upon publication in the Federal Register, and the public can comment following the interim rule.

Agencies use this type when there's an urgent and compelling circumstance that requires immediate implementation, or in response to a statute, EO, or court decision that mandates an effective date. A final rule typically doesn't have a comment period, and takes effect after publication in the Federal Register. Next slide, please. Public comments are encouraged to strengthen the rulemaking process. It's best to read the rule completely, and understand why the agency is carrying out an action in order to inform your public comment.

Many regulatory actions are required by law or other executive action, like an executive order. Comments should identify the issue, explain why it's problematic, and preferably offer a solution. You should use real world examples when possible and support your claims with sound reasoning. Comments on the economic effects that include quantitative and qualitative data are especially helpful. Next slide, please.

You can view rules in the Federal Register. The easiest way is to type the rule or case number in the search box. Next slide, please. To make comments, follow the instructions in the rule. Comments are made at regulations.gov, and you can access this through a link in the Federal Register by clicking the green button that reads, "Submit A Formal Comment," as shown on the slide, and this will take you to regulations.gov.

Directly underneath the Submit button, you can also read public comments that are submitted by others. Next slide, please. Comments submitted are publicly available, so don't include confidential, sensitive or proprietary information. You can submit comments as an individual, an organization, or anonymously. You can enter comments directly in the text box, or attach supporting documentation for your comments, and comments generally appear two or three days after submission. So check regulations.gov

to verify that your comments were posted. Next slide, please. To make comments directly through regulations.gov, simply type in the FAR or GSAR case number to search the docket that's associated with the rule. Once in the docket, you can click on the blue comment button in the upper left as shown on this slide. Next slide, please.

Now turning to GSA Regulations. Rulemaking at GSA often begins with a policy issued through the Senior Procurement Executive. That includes acquisition letters and class deviations. The GSAR contains agency acquisition regulations, policies and practices, contract clauses, solicitation provisions that control the relationship between the GSA and contractors and prospective contractors.

The GSAR also follows the rulemaking process, and its rules are published in the Federal Register. The General Services Acquisition Manual incorporates the GSAR as well as Internal Agency Acquisition Policy on how to acquire goods and services. Shading distinguishes regulatory from non-regulatory material that applies internally to GSA. GSAR material is shaded and non shaded material is non-regulatory. You can learn more about cases affecting GSA procurements at the Open GSAM and GSAR case report. Next slide, please.

The best way to share your perspectives on policymaking is to participate in engagement activities. There are ways to engage early in the process by working with Congress on draft legislation. You can also follow the work of federal advisory committees, such as GSA's Acquisition Policy, Federal Advisory Committee known as the GAP FAC, which was established under FACA rules. A few months ago, GSA announced a series of web-based meetings for three subcommittees through the GAP FAC. Now, once agencies enter the rulemaking phase, industry can engage in the rulemaking process by submitting comments, and for certain high impact rules, agencies may conduct public meetings, and other agency industry engagement activities, such as industry days and reverse industry days that are specific to rulemaking.

The Unified Agenda is another way that the public can track rulemaking activities as they move through the process. The Unified Agenda was developed by the Office of Management and Budget, and they published two agendas annually, one in the spring and one in the fall. They identified rulemaking policies for an agency as well as an estimated timeline for publication of each rule. You can view the Unified Agenda at reginfo.gov. Next slide, please. And I wanted to highlight an interim rule that you heard Kelley talk about just a few moments ago.

This is open for public comments currently, it's FAR case 2023-010 that implements the prohibition on TikTok. And this interim rule is currently accepting comments through August 1st. Next slide, please. And lastly, I provided a list of policy resources that you may find helpful. Thank you, and now I'll turn it over to John Barnicle.

- Thank you, Julie. Congratulations folks, you've made it to the home stretch of these presentations. I know we've squeezed a lot of information into a short time period, but we appreciate your interest and your patience.

This slide lists a couple of the key points that we'll cover in the brief presentation here. Next slide, please. I represent the General Supplies and Services portfolio, that portion of the Federal Acquisition Service that through a variety of channels offers commonly used products to federal agencies, office products, furniture, tools, et cetera. And my counterparts are from DoD's STED Program, a Sustainable Technology Evaluation and Demonstration program. And we formalized our partnership earlier this spring with a signed MOU effective March 20th of this year.

And what it boils down to is our shared interest on behalf of our own agencies and the entire federal government in streamlining the process for agencies to acquire sustainable products and technology to meet their green goals. Next slide, please. Very briefly, this MOU leverages what we both do independently and what we both do best.

On the GSA side, as you've heard in this presentation already, and know already, we manage a wide spectrum of multiple award schedule contracts. We wanna make it easy for vendors to get on board and for agencies to take advantage of those products and services. Where the demand is sufficiently high, we will take an additional step of assigning a national stock number, and adding an item or series of items to our GSA Global Supply Wholesale program that delivers products to military and civilian customers across the country and around the world. In the context of this STED partnership, we work with our colleagues at DoD and the manufacturers they represent to identify green products, sustainable products, and add them to our Schedules program, add them to our Global Supply program, in the most efficient and effective way. We coordinate with those folks. We had a test pilot, or test project, so to speak, last fall with a new absorbent material, and that has worked extremely well.

We're now working on a wider array of products. I wanna mention at the outset that we do not represent the entire spectrum of product availability. Our counterparts instead work closely with the Defense Logistics Agency on items that are military specific. So with that, let me summarize very briefly the STED approach.

They work with a variety of manufacturers on new products that are sustainable. They test those products at a wide variety of military installations across multiple services in various parts of the country to gather feedback on multiple aspects. One, is the product functioning the way it's intended to? Are the instructions where they're needed clear and relevant? Is it packaged in the most effective way? Is it something that should be sold individually or in a case of 12, or in a pallet stack of 40 cases, et cetera? As they gather all that information and hear from users on the front line or the flight line, they consolidate all that information, and share it with us. When a product is deemed to be ready for the market, GSA steps in to streamline that contracting process and quickly bring those products to the market. With that, let me hand the ball over to my colleague at DoD, Reginald Mack, to tell you a little bit more specifically about what the STED program is and does. Thank you.

- Okay. All right. Good morning, my name is Reginald Mack, I'm with the office of the Deputy Assistant Secretary of Defense for Environment Energy Resilience. A little bit about the STED program. Thank you, John, great introduction and background in the STED program.

So the STED program was established in our office with the support of Congress and the White House to demonstrate sustainable technologies and products in DoD operations. We work directly with the services, commands and installations. We identify need areas and candidates for sustainable alternatives. We demonstrate sustainable alternatives to government requirements with end users at DoD installations, we validate performance with war fighters, and civilian workforce, and we verify our cost effectiveness. The program increases awareness, and the use of sustainable alternatives across the federal government. We have federal partners as well, and assists with the transition and availability in the federal procurement system, such as what John had covered.

A few additional notes. Congress has funded and now made STED program of record. Of course, we demonstrate sustainable technology effectiveness, A DoD program that includes federal agencies I just mentioned. We validate sustainable technology performance in operational environments.

In other words, you know, we kick the tires, we put it out there in the field with our men and women in uniform, and see how well the product comes up. And in most cases, it does very well, even better than what they're currently using. The program provides military and civilian users with hands-on access to sustainable technologies for use in their daily operations, provides validated return on investment information, increases awareness of DoD and federal agency staff on sustainable procurement opportunities, increases awareness in the performance and availability of sustainable technologies, and assists in meeting federal procurement mandates, and finally reduces redundant efforts at installations and federal agencies. Just real quick, that picture on the top right, that's at a US Army Sniper School, we demonstrated a bio-based CLP, Cleaning Lubricant Preservative. So it's put on weapons, and also that bio-based universal pad that you see under that weapon as well prevents, it absorbs the CLP that drips off, and of course prevents the little screws from falling off the table and so forth.

The bottom picture there is a training exercise we've done at Joint Base Lewis-McChord is a airdrop of pallet with a LED chemlight attached to validate the performance against conventional single-use chemlights. I know some of you're probably familiar with the old style chemlights. Unlike conventional single-use chemlights, L E D chem lights can be turned off if airdrop aborted and can be reused hundreds of times on original batteries, reducing the logistics footprint and waste stream on single-use chemlights. Next slide, please. Oh, expos, okay, the expos conducted with these, do these twice a year.

It creates awareness of availability and performance of the currently available sustainable technologies and identify additional sustainable technology needs areas, provides an opportunity for sustainable technology manufacturers, meaning you all, to showcase your technologies at DoD installations to the end users. They see it in action. When you all come to the installations, they see your product in action.

And also the procurement and leadership at those installations. Interact with installation personnel and discuss need areas and challenges to the implementation of additional sustainable technologies. The picture on the side there, just an example of where we did one in the Mojave Desert Region Sustainability Expo at Barstow. And my boss there on the right, can hardly see him in the background there. He's given a briefing there at that installation.

Some additional notes for this slide is we work installation leadership to schedule host expos, installation wide invite to all tenants and surrounding federal agencies. Typically, one half day is like from 10 to 14:00, and provide opportunity for share of sustainable technology information with leadership and end users to discuss current need areas, future sustainable technology demonstrations. So it's all over to you all to join these expos. Turn it back over to Lirio at this time. I appreciate your time.

(uptempo cheery music)

2023-08-25 04:29

Show Video

Other news