The govmates Holiday Bash

Picture this… It is the end of November and December is literally knocking at your door. You’ve just returned from a long holiday weekend and a month of business-focused events stares you in the face. Your first assignment is a 5PM call at a local law firm. Great, law firms. “This is going to be typical,” you think. But as you arrive at the 15th floor of the building you walk into a gorgeous space hosted by Womble Bond Dickinson and discover that this networking event is anything but typical. You’re at a govmates event.

If you’ve never attended a govmates event, they stand apart for a variety of reasons. At this, our inaugural Holiday Bash in Tysons Corner, we hosted almost 200 government-contract-focused individuals from a variety of verticals across the industry. That’s right, other than our event sponsors, the only attendees in the room are government contractors. We love our service provider friends, but they go to enough events; we want to make sure our attendees are connecting with potential teaming partners. That means other govcons. We had delicious food from La Casa in Alexandria (if swimming in tzatziki were allowed we’d encourage it), an open bar, and a holiday-themed featured drink. This year it was warm (optionally spiked) apple cider.

The room was packed, and we mean packed, from 5pm until we had to gently remind everyone that “you don’t have to go home, but you can’t stay here.” We even heard that there was an impromptu after party to continue many of the conversations started at the event. Though we had to close the bar, our event went well beyond the 5-7:30 timeframe: we continued to make needle-moving connections throughout the days following the event. We received several requests for 8(a) and SDVOSB companies with specific capabilities, technology solutions/IT providers, and more.

In short, it pays to join govmates, for free. You get access to matchmaking events, inclusion in teaming searches from agencies and primes, and first dibs on tickets to our networking events. In fact, if you missed out on this event, our next event “For the Love of GovCon” is February 8th in Tysons Corner and you can find tickets here.


A final big THANK YOU to our event sponsors who helped make this event an absolute success: Womble Bond Dickinson (your space is amazing), The asbc, BOOST, Fulton Bank, and GovConPay.


Happy Holidays from govmates, and we’ll see you in February!  

National Technology Alliance: Bridging Innovation

By Hannah Altman

In an era defined by rapid technological advancements, collaboration is key to driving innovation and progress. The new National Technology Alliance (NTA) may well be a vital player in this landscape, fostering connections and offering a wealth of opportunities for those passionate about technology. The Alliance serves as a nexus for tech enthusiasts, professionals, and organizations, providing a plethora of resources, networking opportunities, and advocacy channels to propel the tech industry forward.  

Use Cases for NTA 

Technology Transfer and Commercialization: Research institutions and universities can collaborate with industry partners through NTA to bring cutting-edge technologies to market, creating a win-win scenario for innovators and businesses. 

Start-up Incubation: NTA’s support for start-ups is invaluable. By offering mentorship, access to funding opportunities, and a network of experienced entrepreneurs and investors, NTA can help nurture and grow the next generation of tech innovators. 

Policy Advocacy: NTA’s commitment to advocating for technology-friendly policies can have a significant impact. It can work with government agencies and policymakers to shape regulations that support tech advancement, promote innovation, and protect intellectual property rights. 

Collaborative Research: Through NTA’s collaborative projects and partnerships, research institutions can work alongside industry leaders on projects with real-world applications. This accelerates the development of groundbreaking technologies and fosters innovation. 

Education and Workforce Development: NTA can play a crucial role in bridging the gap between educational institutions and the tech industry. It can provide resources and support to educational programs that align with industry needs, ensuring a well-prepared workforce for the future. 

Global Networking: With TechConnect’s global reach, NTA opens doors for international collaboration. Tech innovators from different parts of the world can come together through NTA to share ideas, collaborate on research, and explore market opportunities on a global scale. 

Conclusion 

The National Technology Alliance, in partnership with ATI and TechConnect, represents a powerhouse of innovation, collaboration, and progress in the tech industry. As the digital age continues to reshape our world, organizations like NTA are pivotal in driving positive change. Learn more and join for free at nta.org 

Using and Protecting Your Intellectual Property

On September 27th, govmates facilitated a webinar with ATI presented by Cy Alba of PilieroMazza PLLC. (The full webinar replay can be found here.) The result was an hour of content packed with relevant and helpful information about Intellectual Property rights including:  

  1. The difference between rights and ownership; 
  2. The types of rights the government can hold and when they apply; 
  3. When and how you can limit the government’s rights in your IP; and 
  4. The biggest mistakes federal contractors make when developing IP. 

Here we’ll highlight a few of the key takeaways from yesterday’s discussion.  

Copyrights vs. Patents 

As a general rule, the Government cannot own a copyright outright, but it CAN own one through assignment. Copyrights do apply to original works of authorship. While a really awesome bit of contract prose might not qualify for copyright, an original webinar could. Clear as mud, right? This is to say that there are circumstances and loopholes all around the landscape for IP and Data Rights, which makes the case for having a lawyer who knows the ins and outs.

When it comes to Patents, there are a few things to remember. Federal agencies CAN hold patents. There are certain clauses that are typically included in contracts that involve R&D. These generally will include one or more of the following clauses: 

  • FAR 52.227-11, Patent Rights – Ownership by the Contractor 
  • FAR 52.227-13, Patent Rights – Ownership by the Government 
  • DFARS 252.227-7038, Patent Rights – Ownership by the Contractor (Large Business) 
  • DFARS 252.227-7039, Patents – Reporting of Subject Inventions 

Baked into these clauses is the understanding that the Government does get license rights if the invention was created during the time of the contract. At the onset of an invention/creation, you must declare and follow through on your decision to retain the title and ownership of a patentable product/service/etc. If you do not follow through within the established guidelines for ownership, you could inadvertently transfer absolute ownership of your product/service to the government without successful recourse for getting it back. Something to note here is that if you are creating new things under an SBIR project, the SBIR does have certain protections for your work, BUT if you choose to patent that work, you may lose SBIR protections as you have now made the information available to the public, thus negating the clauses within the SBIR agreements as they pertain to protection. This is the true meaning of a double-edged sword, so you will need to tread lightly.

Data Rights 

Data rights have many caveats to ownership. The determination of ownership when it comes to technical data or computer software depends on the following:

  • When the item/product was developed – that timing typically depends on when it was made to work or created in a way that pushed the product from a work-in-progress to something that was fully able to be utilized
  • The source of funding – was it privately funded? Did the creator receive government funds to push the project toward viability? Is there a mix of the two options listed previously? 

Legends 

We talked at length about utilizing legends in your noncommercial work to identify protected IP. When identifying pieces of protected intellectual property, it would seem that more is more when it comes to selecting the portions that need to be kept protected. In the FAR or DFARS, if a section ends with .227 you can bet it probably has something to do with Intellectual Property Protection. This is also where you will find the required legends to include in your documentation based upon the type of product or service you’re providing to your customer. Cy suggested creating a box of legends within your deliverables to specifically and clearly identify your protected IP. For example, if you are writing protected code, place your legend above the specific code and then again after it to create a “legend box” (non-technical term) that will clearly identify the pieces that cannot be used outside of the contract license rights.

Protection Strategies 

While it may seem that everyone is out to get a piece of your uniquely created pie, there are ways that you can protect your creations. The very first and least expensive way is to keep careful track of your data (what was created, when it was created, how it was funded, etc.). The second is to negotiate your license rights before bidding and award, as trying to fix them later is often difficult and sometimes unsuccessful. Try to utilize a “work made for hire” provision to help clear the waters for potential license and ownership discrepancies down the line. Finally, know that if you are the limited/restricted license rights holder, you are not beholden to the Prime. You CAN go directly to the government, but that may be at the risk of your Prime-Subcontractor relationship. You’ll want to discuss all of these pieces with your Prime as early as possible to keep your relationship in good standing and protect your interests.

Conclusion 

This webinar was, as mentioned, jam-packed with information regarding the highlights we shared above. We highly recommend throwing it on in the background or while on a walk to glean all of the truly important nuggets of information shared by Cy and the PilieroMazza team. When in doubt, get in touch with your law partners to demystify your IP opportunities. If you have questions regarding Intellectual Property rights in the Federal space, please don’t hesitate to reach out.  

Are You Listening? – govmates Next Gen

We’re quickly approaching the fiscal year end which also means we’re approaching the start of a brand NEW fiscal year. That typically has those of us in the GovCon space pressed for time. Luckily, you don’t have to forgo your love of learning, listening, and interacting with your govmates team.

We are pleased to announce the kickoff of Season Three of the govmates podcast, Next Gen!

This season kicks off with a discussion on readiness ahead of the new fiscal year. We then roll directly into episode two: Tales from a Contracting Officer with TSA CO Aubrey G (releasing Monday, September 25th) who gives us a unique perspective combining knowledge of industry and government opinions. Join us for the start of season three AND catch up on the past two seasons on your favorite podcast player including Stitcher, Spotify, Amazon Music, and Apple Podcasts.

If you have episode guest suggestions or discussion topics you’d like us to cover, email meg@govmates.com.

We’ll see you in the land of audio!

Key Employment Issues for the C-Suite, What Really Affects Your Bottom Line?

On July 19th govmates and ATI co-hosted a webinar presented by PilieroMazza PLLC on the topic of Key Employment Issues for the C-Suite and taking a good hard look at the things that really affect your budget as business owners. Here are a few of the golden nuggets we mined from the discussion. (You can find the full webinar replay here.)

Classifications 

One of the biggest and most costly mistakes that companies make is classifying employees incorrectly. An important thing to note is that classifications are no easy feat and there’s a bit of risk involved. There are well-defined boundaries, sure, but the gray area is vast. When we say “classify” we’re talking about exempt and non-exempt employees. To break it down in the most simple terms, salaried employees are typically exempt, and hourly employees are typically non-exempt (but of course this isn’t always the case, and that’s why we have good employment lawyer friends). The zinger here is that if you get it wrong, you may have to pay overtime, benefits, other H&W costs, as well as the pieces that go into the correct wage determinations. Oof, sounds like a lot. Luckily, this is where your team comes into play. If you include your HR team, your managers on the ground (their assignment of duties can change exempt/non-exempt status) as well as your pricing team, you’ll have a better chance of getting it right AND having the documentation to back up your determination should you be subjected to an audit. The DOL has well-defined determinations when it comes to W2s vs 1099s as well, and to make your life easier – know that your employees don’t get to decide their status. Just because they “want” to be non-exempt doesn’t mean that they “are” non-exempt. If you follow the letter of the regulations, that should help you avoid the “but my employee asked to be…” conversations. That’s a risk you do NOT need to take.

While we were talking about 1099s a bit, our first theme of the discussion emerged: differences by state. While GovCons need to follow Federal Regulations when it comes to employment, they also need to comply with specific and often differing state regulations. To spin your head just a little more, within some states (say NYC and NY State) cities have even MORE differences. So, you’ll need to know exactly where your employees work and the regulations to which you’ll be subjected. As an example, in Maryland to be considered a 1099 the individual must have an incorporated business of some sort, a working website, be actively advertising, have a business card, have the ability to engage other clients, and more, just to name a few things. If those stipulations are not met, you may well have a full-blown employee on your hands… surprise!

Also, do you have Unionized Workforce Questions? Great! That’s a definite “phone a friend” situation, and if you need that type of friend, given the experience from this webinar, we’d definitely recommend the team at PilieroMazza.

Employee Agreements 

Employee agreements are not a “one size fits all” type of document. They will change based upon the type of employee, their duties, as well as where the work is being done (oh hey, theme, welcome back!). Currently, all states apart from Montana are at-will states. (This differs from “right to work” regulations and should be noted that way.) You CAN have an employment agreement for an executive and probably should. These can include incentive/bonus plans, IP protections, and any post-employment restrictions (such as non-competes or non-solicits). A big nugget here was on the topic of offer letters versus employment agreements. Do not, and we repeat, do not make your offer letter read like a contract. That can come back to bite you in the rear, in a big way. While the employment agreement should be tailored to your employee, the offer letter should be more standard. This is one place you can and probably should have more of a plug-and-play situation. It should also include contingencies, just in case they end up being a train wreck on day two. If you need something that reads like a contract, create one; don’t try to knock out two birds with an ill-placed stone.

Handbooks 

Let’s get a little into the weeds on handbooks. HR teams love them, and our presenters were big fans of the 30-50 page handbook instead of a handbook with hundreds of pages that people definitely won’t read. Talk about overkill. Handbooks get a bad rap, but they’re actually a great tool when used correctly. If you haven’t revisited yours in the last 15 years, it may be time. Again, our theme emerges here: you may need to include different statutes and requirements based on the states in which your employees reside. Things to include are your sick leave and vacation requirements, EEO policies and procedures, required trainings and certifications, drug testing requirements, etc. To get around having a different handbook for each state, our presenters recommended adding addendums to the end of the handbook for the states necessary.

The Incumbent Rinse and Repeat Risk 

Let’s say you’ve recently won new work that had a previous prime/incumbent. Congratulations! It should be a breeze just to continue what they were doing to remain in compliance, right? W-R-O-N-G. You can’t assume that the incumbent was following everything appropriately nor that their requirements match your new contract. You’ll need to identify working conditions, contract terms, classifications, responsibilities, even going so far as to E-Verify citizenship. It may be a bit of a lift, but it is one that can save you time and penalty money later. Own your contract and your employee management to help ensure compliance and that you followed policy should you be subjected to an audit in later months/years.  


We’re lucky to know some really smart people in the GovCon space. Thank you again to Sarah and Nichole for sharing their time and expertise with us. If you have additional questions for the govmates team or our presenters, please email matchmaker@govmates.com. 

Office of Strategic Capital: Funding Critical Technologies

-As shared by Katie Bilek

At the recent R&D Capital Summit during TechConnect World, I had the pleasure of hosting a discussion with Jared Evans, Director of the Transition Acceleration Program (TAP) at DoD’s Office of Strategic Capital (OSC). As a cofounder and former partner at AFVentures, Jared brings an incredible perspective on scaling technology ventures to support the federal mission.

Most important to our conversation was the “why” behind the Office of Strategic Capital.  The office was established in December 2022 with the mission “to develop, integrate, and implement proven partnered capital strategies to shape and scale investment in critical technologies.”   The growing dichotomy between the Defense and commercial R&D markets over the last few decades comes as no surprise – and part of OSC’s driving force is to foster private capital investment like we saw in the era just succeeding WWII.

OSC is taking a methodical approach to sourcing and funding these mission-critical technologies.

First, they work internally with the various military services, combatant commands, stakeholders, program offices and end-users to identify critical technologies in need of investment. 14 critical technology areas have been designated via OUSD R&D under Heidi Shyu’s directive in verticals including advanced materials, microelectronics, directed energy, hypersonics, quantum science, integrated sensing and more. You can read more about the critical technology areas here.

Next, they fund. The primary vehicle they will leverage is the SBIC model – one currently in place at SBA, being replicated and modified for DoD’s deployment in the SBIC Critical Technologies (SBICCT) Initiative. (At the time of this discussion, we’re still awaiting expansion of the existing SBIC program with new proposed SBA regulations. Until that happens, existing SBIC funds may be deployed for these initiatives that qualify in support of national security).

Launched at SXSW in Austin earlier this year, the SBICCT Initiative will utilize a new financial product, the Accrual Debenture. Designed to span a longer duration, it lets interest accumulate and come due once the loan reaches its term. This will address the “patient capital” gaps seen in sectors that require significant up-front investment.

One of the great case studies for SBICs dates back to 1975 in Cray Research – an organization that received private sector funding to develop a technology – the first supercomputer – that the Department of Defense utilized during the Cold War. With Cray on the verge of bankruptcy, its SBIC investment served as the bridge across the Valley of Death to sustain their development of a mission-critical technology.

As OSC prepares to deploy capital, I applaud their willingness to embrace debt as a source of liquidity. So often in the innovation ecosystem, when we talk about capital, the term “equity” is thrown around loosely as a seemingly all-encompassing solution to financial problems.  While equity capital is an option, it’s not the only one.  Equity can be expensive, dilutive and often introduces a new ownership dynamic to a business that can exhaust the human element. Debt, with the right financial partner, can be more affordable, non-dilutive and patient.

The coupling of private investment with federal funding is needed to fully realize a robust R&D development pipeline that is vital to our nation’s security.  The Office of Strategic Capital is building out the financial toolset that so many innovators need – I’m looking forward to the continued collaboration between the federal and financial communities, and the ultimate success of the program.

Out-of-Office, GovCon Style

As shared by Meg O’Hara.

Managing your small business while still finding time for summer activities with your family can be challenging. The summer season is often slower for many businesses, GovCon included. However, with careful planning and effective management strategies, you can maintain and even encourage growth during this period. Today, we will explore some essential tips to help you strike a balance between work and family, ensuring that you make the most of both.

  1. Plan Ahead and Set Clear Priorities:

Effective time management starts with planning. Before the summer season begins, assess your workload and identify any potential gaps or slowdowns. Use this time to plan strategically for the coming months and set clear priorities. Determine which projects or tasks require immediate attention and focus your energy on completing them efficiently. By having a well-structured plan, you can optimize your productivity while creating space for family activities.

  2. Delegate and Outsource:

One of the keys to managing your small business effectively is learning to delegate tasks that can be handled by others. Identify non-critical activities that can be outsourced to freelancers, virtual assistants, or subcontractors. Delegating such tasks not only frees up your time but also allows you to concentrate on core business activities that require your expertise. By sharing the workload, you can ensure that your business remains operational while you enjoy quality time with your family. If you need outsourcing recommendations, don’t hesitate to ask *matchmaker@govmates.com*, we know people.

  3. Embrace Technology:

Leveraging technology can significantly enhance your productivity and efficiency as a government contractor. Invest in project management tools (we use HeyOrca for social planning), time-tracking software, and collaboration platforms that streamline your workflow. These digital solutions enable you to monitor project progress, communicate with your team, and manage tasks remotely. By embracing technology, you can remain connected to your business while enjoying the flexibility to participate in summer activities with your loved ones.

  4. Nurture Relationships with Existing Clients:

During slower periods, focus on nurturing your relationships with existing clients. Check in with them, provide updates on ongoing projects, and explore opportunities for future collaboration. By maintaining regular communication, you demonstrate your commitment to their success and foster loyalty. Additionally, satisfied clients are more likely to recommend your services to others, expanding your network and potential business opportunities. We’d also recommend checking out local summer industry and networking events. Attending the ones you can will help to keep you top of mind with industry partners, as well as current and potential clients. Shameless plug here: if you’re a government contractor we’d love to have you at our June 14th Prime Another Day Networking Event in Virginia. You can find the details to register here.

  5. Diversify Your Services or Seek New Contracts:

Summer can present an opportunity to diversify your service offerings or explore new contracts. Analyze current market trends and identify areas where your expertise can be leveraged beyond your current projects. Research government agencies or sectors that are in high demand during the summer months and align your business accordingly. By expanding your services or exploring new contracts, you can minimize the impact of the slower season and stimulate growth.

  6. Invest in Professional Development:

Use the relatively slower period to invest in your professional development for you and your team. Attend industry conferences, workshops, or training programs that can enhance your skills and knowledge. By staying up-to-date with the latest developments in your field, you position yourself as an expert and open doors to new business opportunities. Additionally, ongoing learning can provide fresh perspectives and innovative ideas that contribute to the growth and success of your small business.

  7. Take Time for Yourself and Your Family:

Remember that a healthy work-life balance is crucial for your overall well-being and the success of your small business. Schedule regular time for yourself and your family to relax and recharge. Unplug (no really, mute Teams and your email) from work and engage in activities that bring you joy and strengthen your personal relationships. By prioritizing quality time with your loved ones, you not only create cherished memories but also return to your business with renewed energy and focus.


Managing a small business as a government contractor while enjoying summer activities with your family requires effective planning, delegation, and embracing technology. By setting clear priorities, nurturing client relationships, diversifying services, and investing in professional development, you can maintain and encourage growth even during slower business seasons. Remember to find a healthy balance between work and family, as taking time for yourself and your loved ones is essential for long-term success and happiness.

CEOs You Should Know

-As shared by M&T Bank on iHeart Radio


What is CUI: Controlled Unclassified Information

-As shared by Derek White, Chief Product Officer, Cuick Trac

Controlled Unclassified Information (CUI) is information that requires special handling, protection and dissemination controls even though it isn’t classified information.

These security controls protect the data’s integrity and privacy, and are essential practices for contractors handling this type of information.

Possible consequences of failing to protect CUI include fines, losing the opportunity to win new Department of Defense (DoD) contracts and loss of current contracts.

These penalties can occur when a contractor fails to show proof of compliance during independent third-party audits from the likes of customers, the Defense Contract Management Agency (DCMA) DIBCAC team and eventually a Cybersecurity Maturity Model Certification (CMMC) assessment from CMMC Third-Party Assessment Organizations (C3PAOs), whose requirements continue to evolve.

Contractors who say they are compliant, but haven’t fully implemented NIST SP 800-171 requirements may not be in compliance with DFARS 252.204-7012, which regulates the treatment of CUI by contractors.

Schedule a free consultation with our cybersecurity experts if you need to be DFARS 252.204-7012, 7019 and 7020 compliant.

Avoid fines or the loss of contract by implementing all the NIST 800-171 controls.

A brief history of Controlled Unclassified Information (CUI)


The DoD released DoD Instruction (DoDI) 5200.48 on March 6, 2020, which includes the requirements for DoD contractors for CUI in section 5.3. This section describes the following activities with respect to CUI:

  • Identification
  • Protection
  • Monitoring
  • Review
  • Disposition

The DoD must identify whether the information it provides to contractors is CUI through the contracting vehicle.

It must also mark these documents, media or other material in accordance with DoD Instruction 5200.48.

Any contract, grant or other legal agreement between the DoD and a non-DoD entity must specify the dissemination controls and other measures needed to protect CUI related to the contract.

This requirement applies to CUI that the DoD provides to the contractor and CUI that the contractor generates to meet the terms of the contract.

DoD contractors must monitor their aggregation and compilation of CUI based on its potential for generating classified information. This requirement is pursuant to existing security guidance on the accumulation of unclassified information.

DoD contracts must require contractors to report the potential classification of the CUI they handle to a DoD representative.

DoD personnel and contractors must un-classify information for review and approval prior to release according to required contract provisions.

These reviews must be in accordance with DoDI 5230.09 and standard DoD component processes.

The disposition of CUI must be in accordance with the appropriate disposition authority.

This requirement applies whether the DoD provides the CUI to the contractor or the contractor generates it, as specified by Sections 1220 to 1236 of Title 36, CFR, and Section 3301a of Title 44, U.S.C.

What is CUI/CDI/CTI?


CUI is an umbrella term that includes both Covered Defense Information (CDI) and Controlled Technical Information (CTI).

These markings all apply to unclassified information that requires specific protection in and out of a government information system.

Previous markings used to identify this type of information include For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive but Unclassified (SBU) and Unclassified Controlled Technical Information (UCTI). The CUI marking now encompasses all of these terms.

The CUI program was originally developed for agencies within the executive branch of the US federal government.

Each of these agencies initially used their own set of rules, markings and classifications to manage and control this information before the current CUI program was implemented, which greatly simplified this process.

CTI is technical information with a military or space application, and must be marked with a distribution statement in accordance with DoDI 5230.24 (Distribution Statements on Technical Documents). This information requires the same level of protection as any other CUI content, although it does have specific requirements for marking and tracking.

The controlling DoD office is generally responsible for determining when information is CTI and appropriately marking it before allowing contractors access to it.

In a case where the contractor develops unclassified CTI during the course of working on the contract, the contractor must work with its contracting officer to complete the steps required for properly protecting this information.

These steps include completing appropriate forms such as distribution and work statements for each piece of content.

Hundreds of laws and regulations specify the required procedures for controlling CUI. DoD contractors should begin their education on this topic by reviewing the government’s marking guidance to ensure they properly identify CUI.

The best way to determine the requirements for a specific type of CUI is to search the CUI Registry, which lists every CUI category.

At the time of writing, the Registry grouped 24 categories and 83 subcategories, each designated as either CUI Basic or CUI Specified. The Registry is updated, so check it rather than a static copy.

CUI Basic is the baseline set of controls for handling and disseminating CUI. It is described in the CUI Final Rule (32 CFR Part 2002), which the National Archives and Records Administration (NARA) issued in September 2016 and which took effect on November 14, 2016.

Under the Federal Information Security Modernization Act (FISMA) framework, CUI Basic must be protected at no less than the moderate confidentiality impact level.

CUI Basic may be marked simply as CUI or CONTROLLED. Agencies may raise the impact level for CUI Basic above moderate only internally or by agreement with another agency or with a contractor operating an information system on their behalf; they cannot impose higher controls on CUI Basic they disseminate outside the agency without such an agreement.

CUI Specified is the subset of CUI for which the underlying law, regulation or policy prescribes handling or dissemination controls that differ from, and are usually more restrictive than, CUI Basic.

The underlying authority defines the handling controls for CUI Specified content, but only the designating agency may apply limited dissemination controls to any CUI. The Registry groups the CUI Specified categories under headings including the following:

  • Agriculture
  • Critical Infrastructure
  • Emergency Management
  • Export Control
  • Financial
  • Geodetic Product Information
  • Immigration
  • Information Systems Vulnerability Information
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO Controlled
  • Nuclear
  • Patent
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • SAFETY Act Information
  • Statistical
  • Tax
  • Transportation

CUI agreements take a variety of forms, including contracts, grants, information-sharing agreements, licenses and memoranda of agreement.

Before entering any agreement to perform work for the government, contractors need to understand the data they will create or receive and what its handling implies.

In particular, they need to know the requirements for protecting the data they will create and handle, and what meeting those requirements will cost.

Why am I required to protect CUI/CDI/CTI as a defense contractor?

Contractors new to DoD work often ask who is responsible for CUI and why they are required to protect it.

The short answer is that nation states, competitors and individuals all have incentives to obtain this information, and its loss can harm national security.

Corporate and state espionage incidents make headlines regularly, and routine intrusions also result in the compromise of sensitive information.

CUI does not exist only on government systems; it is spread across IT infrastructures throughout the Defense Industrial Base (DIB).

Many of those infrastructures are not up to the task of protecting the CUI the government has entrusted to them, and government investigations have identified weak security as a primary factor in many breaches.

The CUI program and the DFARS 7012 clause were therefore established to standardize security controls across the DIB and so improve the protection of this information on both government and commercial infrastructures.

Contractors need to identify and classify the data already on their systems before they bid on a government contract.

Doing so lets them price in the cost of implementing the controls their information systems will need in order to protect CUI to the required standard, rather than discovering that cost after award.

The DFARS Interim Rule (clauses 252.204-7019 and 252.204-7020) adds a NIST SP 800-171 DoD Assessment whose result is a numerical score, posted to the Supplier Performance Risk System (SPRS), that indicates how completely the contractor has implemented the NIST SP 800-171 requirements. The Basic score starts at 110 and subtracts weighted points for each requirement not yet implemented.

That score is visible to contracting officers and helps determine whether the contractor can win new DoD contracts. (Learn more about the DFARS Interim Rule & Supplier Performance Risk System (SPRS) Score here).

Do I have CUI/CDI/CTI data in my IT System?

Because the requirements for protecting CUI are demanding, contractors need to know whether they have CUI on their information systems. The DoD routinely includes the DFARS 7012 clause in its contracts; its presence signals that the contractor may be handling CUI and must meet the clause's cybersecurity requirements in order to do so.

Even when no CUI is explicitly identified, the contractor may hold CUI because of its broad definition, which covers information the contractor stores, processes or transmits on behalf of the government in performing the contract.

In practice, every DoD contractor with DFARS 252.204-7012 in its contract should expect to have some CUI in its infrastructure.

Common types of CUI include information about vulnerabilities in information systems. Personally Identifiable Information (PII) is another type of CUI when the government owns the data.

For example, if the contract is to process benefits for government customers and requires the contractor to maintain PII on those customers, that PII qualifies as CUI.

CUI also includes technical information: research data, engineering drawings, specifications, standards, process sheets and technical reports. Information on specific parts or materials, such as technical orders, catalog-item identifications, data sets and analyses, is also CTI.

CTI further includes executable and source code for software. Any technical work that creates or transmits information with a military or space application may therefore produce CTI.
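As an added example (not code from the original post or from Cuick Trac), the following Python scanner flags the markings this post describes: CUI banner lines, the legacy FOUO/LES/SBU/UCTI markings, and DoDI 5230.24 distribution statements. It then triages each document. The regexes and the sample documents are constructed for illustration; the banner grammar (control marking, then "//" category markings where an "SP-" prefix denotes a CUI Specified category, then "//" limited dissemination controls) is this example's approximation of the CUI Marking Handbook format and should be tuned to the markings actually found in your environment.

```python
"""Scan text for CUI banner markings, legacy markings and distribution statements."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns are this example's own approximations. Banner lines are matched only
# when they stand alone on a line in upper case, so prose such as "CUI is an
# umbrella term" is not mistaken for a marking.
CUI_BANNER = re.compile(r"^[ \t]*(?:CUI|CONTROLLED)(?:[ \t]*//[^\n]*)?[ \t]*$", re.MULTILINE)
LEGACY = re.compile(
    r"\b(?:FOUO|FOR OFFICIAL USE ONLY|LES|LAW ENFORCEMENT SENSITIVE|SBU|"
    r"SENSITIVE BUT UNCLASSIFIED|UCTI|UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION)\b"
)
# DoDI 5230.24 defines distribution statements A through F; A is public release.
DIST_STMT = re.compile(r"\bDISTRIBUTION STATEMENT (?P<letter>[A-F])\b")

VERDICT_CUI = "marked CUI: protect under DFARS 7012 / NIST SP 800-171"
VERDICT_CTI = "restricted distribution statement: likely CTI, confirm with the controlling DoD office"
VERDICT_PUBLIC = "distribution statement A only: approved for public release"
VERDICT_LEGACY = "legacy marking: re-mark as CUI and protect"
VERDICT_NONE = "no marking found: absence of a marking is not absence of CUI, review content"


@dataclass
class Finding:
    kind: str   # "cui_banner", "legacy_marking" or "distribution_statement"
    text: str   # the matched marking
    line: int   # 1-based line number in the document


def find_markings(text: str) -> list[Finding]:
    """Return every marking in the text, ordered by line number."""
    findings: list[Finding] = []
    for pattern, kind in ((CUI_BANNER, "cui_banner"),
                          (LEGACY, "legacy_marking"),
                          (DIST_STMT, "distribution_statement")):
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, m.group(0).strip(), line))
    findings.sort(key=lambda f: f.line)
    return findings


def parse_banner(banner: str) -> dict:
    """Split a banner such as 'CUI//SP-CTI/PRVCY//NOFORN' into its parts."""
    parts = [p.strip() for p in banner.split("//")]
    categories = [c.strip() for c in parts[1].split("/")] if len(parts) > 1 and parts[1] else []
    ldc = [c.strip() for c in parts[2].split("/")] if len(parts) > 2 and parts[2] else []
    return {
        "control": parts[0],
        "categories": categories,
        "specified": [c for c in categories if c.startswith("SP-")],  # CUI Specified
        "ldc": ldc,                                                    # limited dissemination controls
    }


def triage(text: str) -> str:
    """Decide how a document should be handled based on the markings it carries."""
    findings = find_markings(text)
    kinds = {f.kind for f in findings}
    if "cui_banner" in kinds:
        return VERDICT_CUI
    if "distribution_statement" in kinds:
        letters = {f.text[-1] for f in findings if f.kind == "distribution_statement"}
        return VERDICT_CTI if letters - {"A"} else VERDICT_PUBLIC
    if "legacy_marking" in kinds:
        return VERDICT_LEGACY
    return VERDICT_NONE


# Constructed sample documents, not real government records.
SAMPLE_DOCS = {
    "drawing.txt": (
        "CUI//SP-CTI//NOFORN\n"
        "Bracket assembly, rev C\n"
        "DISTRIBUTION STATEMENT D. Distribution authorized to DoD and U.S. DoD contractors only.\n"
        "CUI//SP-CTI//NOFORN\n"
    ),
    "old_memo.txt": "FOR OFFICIAL USE ONLY\nStatus update for the benefits processing task.\nFOUO\n",
    "press_release.txt": "DISTRIBUTION STATEMENT A. Approved for public release.\nCompany wins contract.\n",
    "notes.txt": "Meeting notes. Nothing sensitive discussed.\n",
}


def scan_documents(docs: dict[str, str]) -> dict[str, str]:
    """Triage a mapping of file name to file contents."""
    return {name: triage(body) for name, body in docs.items()}


if __name__ == "__main__":
    for name, verdict in scan_documents(SAMPLE_DOCS).items():
        print(f"{name}: {verdict}")
```

In practice you would feed `triage` the extracted text of each file on a share or mailbox and treat the `VERDICT_NONE` results as a review queue rather than a clean bill: the scan finds markings, not content, so an unmarked drawing or an unmarked PII export is still CUI.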

How do I protect CUI/CDI/CTI data?

DFARS 252.204-7012 provides the lane markers for the kinds of controls needed to protect CUI/CDI.

The contractor may meet them with an on-premises data center for its internal IT systems.

A cloud service provider (CSP) can also host CDI, provided it meets the clause's requirement of security equivalent to the FedRAMP Moderate baseline and the contractor can show that the controls it inherits from the CSP are actually in place.

A hybrid or private cloud solution that combines on-premises and CSP components can also fulfill the requirements of DFARS 252.204-7012.

All of these options require the contractor to implement the 110 security requirements of NIST SP 800-171 and to be able to show that the assessment objectives in NIST SP 800-171A are met, including the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that requirements 3.12.4 and 3.12.2 call for.

Contractors serving the DIB have historically used local data centers to manage their data, since a local data center was considered more physically secure than a remote one.

That physical proximity can give a false sense of security: modern infrastructure needs multiple layers of physical and logical security, and it places the burden of maintaining firewalls and software patches on the contractor's own administrators.

Larger enterprises typically have the staff and training needed to keep an on-premises data center secure enough to meet government requirements for controlling data.

Smaller contractors, however, are often unable to afford the capital expenditure needed to replace hardware that cannot support the controls CUI requires.

Contractors should also review the operational expenses of maintaining a data center that meets the increasing needs of CUI for each new contract.

Outsourced enclaves are an option for organizations of all sizes, since they shift responsibility for administering and physically securing the infrastructure that stores and processes CUI onto the provider.

Compliance may also be more affordable with an enclave or a managed security service provider (MSSP), since it removes the need for capital investment in hardware and in physical security for the system containing CUI.

Regardless of the infrastructure a contractor chooses, any external cloud service used to store, process or transmit CDI must meet FedRAMP Moderate or equivalent requirements, and the contractor's own environment must implement the 110 security requirements in NIST SP 800-171.

The decision to protect CUI with an on-premises data center, an outsourced enclave or an MSSP should be part of a contractor's overall strategy when proposing on a DoD contract, whether as a prime or a subcontractor.

Planning for compliance with DFARS 7012 and NIST SP 800-171 up front ensures the contractor understands both the short-term capital investment and the long-term operational expense of its chosen approach to securing CUI.

The Cuick Trac secure virtual environment was purpose-built to align with and build upon your business's compliance strategy.

Whether DoD contracts are 100% of your business revenues or 5%, Cuick Trac is the practical solution for your business.

Make Cuick Trac part of your strategy for protecting CUI.

Schedule your free consultation today to learn more about how you can become DFARS 252.204-7012, 7019 and 7020 compliant.

You can reach Cuick Trac at 612-428-3008 or by filling out a contact form online.

Sources:

https://www.archives.gov/cui/registry/category-list

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

https://csrc.nist.gov/publications/detail/sp/800-171a/final

Sea, Air, Space | Conference Matchmaking Report

It’s a bird, it’s a plane, it’s a govmates matchmaking in DC! The Sea Air Space 2023 matchmaking event brought together 23 large systems integrators, defense primes, and government agencies and 84 small businesses, non-traditional defense contractors, and academia to discuss their capabilities and explore potential partnerships. The event was held over two hours and featured 152 meetings between companies specializing in a wide range of areas, including artificial intelligence, MBSE, advanced manufacturing, precision machining, enterprise IT, simulation, hardware components, and more. 

The matchmaking event was a great success, with many organizations finding opportunities to collaborate to pursue federal contracts. The participating defense primes were particularly interested in the advanced manufacturing capabilities of the small businesses, with many exploring ways to incorporate precision machining and hardware components into their production processes. 

Artificial intelligence and MBSE were also hot topics, with many buyers looking for innovative ways to incorporate these technologies into their existing systems. The sellers were able to showcase their expertise in these areas and provide valuable insights into how their solutions could be integrated into the buyers’ operations. We love to see collaborative discussions.  

Overall, the Sea Air Space 2023 matchmaking event gave organizations a valuable platform to connect and explore potential partnerships. The high number of meetings and the diverse range of capabilities on display demonstrated the strong interest in these areas, and we look forward to seeing the partnerships and innovations that emerge from these connections.