Shining a Spotlight on the Importance of Supply Chain Cybersecurity

Today Fortress Information Security and govmates, a technology scouting platform, launched a partnership to improve supply chain cybersecurity for companies providing products and services to the federal government.  

Pairing Fortress’ ability to identify, flag, and help remediate supply chain vulnerabilities with govmates’ approach to collaboration and rapid identification of innovative technologies, the partnership will help small and emerging businesses safely and profitably compete in the national security industrial space.

“We merge the best practices of technology and the human element to promote non-traditional defense contractors within the federal community. Given the cyber threats facing contractors and the national security workforce, as well as the speed of regulatory activity to combat these threats, it is critical that we help connect our members and government partners with the best technology available to address and stay ahead of both – Fortress’ Integrated Supply Chain Risk Management Solution does just that.”

— Stephanie Alexander, govmates 


“New requirements and regulations can be time-consuming and costly without partners that understand both the threat and regulatory environment. By partnering together, we are helping to proactively address pain points that govmates member companies face in navigating this complex landscape. Our partnership will help us quickly and thoughtfully reach federal contractors of all sizes to assist in their security and compliance needs.” 

— Peter Kassabov, Executive Chairman and Co-founder at Fortress Information Security. 


The Challenge:  

Presently, the federal government, large integrators, and traditional defense primes rely more and more on partners and subcontractors for critical products and services. Information, communications, and operational technology (ICT/OT) users rely on interconnected systems to provide solutions to business and government challenges alike. The result is increased vulnerability to network intrusions, hacks, and more sophisticated cyber-attacks. When a supply chain is compromised, its security can no longer be trusted. This has become one of the most significant challenges facing government and business leaders in the current market.


The Solution: 

govmates manages an ecosystem of over 4,000 non-traditional defense contractors, industry partners, academic institutions, and government stakeholders. Their members represent multiple technology verticals and capabilities in both the federal and commercial sectors. The govmates matchmaking technology enables the federal government and industry primes to rapidly identify desired technologies and solutions. Utilizing algorithms and relevance scoring, govmates takes a formulaic and methodical approach to facilitating teaming partnerships in the federal contracting community.


Fortress Information Security is at the leading edge of ensuring that the technology businesses and federal agencies use won’t be used against them by adversaries or cybercriminals. Fortress uses its proprietary AI technology to allow companies to quickly assess their digital and physical supply chain for potential vulnerabilities. Traditional security programs consistently operate according to priorities and paradigms from past eras, resulting in antiquated and inadequate security systems. The Fortress Platform addresses the most current supply chain risks by integrating and conducting multidimensional risk analysis and remediation of supply chain, manufacturing, IT, InfoSec, corporate governance, and contract risks. The result is a fact-based picture of where vulnerabilities exist and how they can be fixed before they become a contract disqualifier or a threat to national security.

Subcontracting Compliance

As we previously wrote, the Federal Acquisition Regulation (FAR) limitations on subcontracting (LOS) rule was recently revised to more closely mirror the U.S. Small Business Administration’s (SBA) LOS regulation. However, because the changes to the FAR do not account for more recent revisions to SBA’s LOS rule, inconsistencies between the two sets of regulations remain. Recognizing this disconnect, the Civilian Agency Acquisition Council has released a memorandum authorizing civilian agencies to issue FAR class deviations to better align the FAR’s and SBA’s LOS. In a welcome step towards regulatory conformity, the Department of Defense (DOD) has also acted to bridge the divide between these regulations. On September 10, 2021, DOD issued a class deviation (Deviation), effective immediately, that recognizes certain exclusions from the LOS for small businesses that are outlined in SBA’s regulations but have not yet been added to the FAR. This Deviation should provide greater clarity for small businesses when measuring compliance with the LOS under DOD set-aside contracts.

SBA’s LOS rule provides that, for service contracts (except construction), prime contractors may not pay more than 50% of the amount paid to them by the government to firms that are not similarly situated. Critically, the SBA rule provides that the following services may be excluded from the 50% limitation: (1) other direct costs (to the extent they are not the principal purpose of the acquisition and small business concerns do not provide the service), such as airline travel, work performed by a transportation or disposal entity under a contract assigned the environmental remediation North American Industry Classification System code (562910), cloud computing services, or mass media purchases; and (2) work performed overseas on awards made pursuant to the Foreign Assistance Act of 1961 or work required to be performed by a local contractor. These exclusions are not in the FAR.

However, as explained in the Deviation, DOD is now requiring that all contracting officers use a revised version of the FAR’s LOS clause that expressly recognizes the foregoing exclusions from the 50% limitation for services contracts. The Deviation will remain in effect until incorporated into the FAR or until otherwise rescinded.

If you have any questions regarding the Deviation or the LOS, please contact Sam Finnerty, the author of this blog, or a member of PilieroMazza’s Government Contracts Group.

Federal Contractors and the COVID-19 Vaccination Mandate

In an effort to curb the spread of COVID-19, on September 9, 2021, President Biden announced an Executive Order (Order), Ensuring Adequate COVID Safety Protocols for Federal Contractors, mandating that federal contractors’ employees receive a COVID-19 vaccination as a condition of employment. This builds on the President’s announcement back in July, under which these employees only had to attest to their vaccination status or face restrictions. The President has charged the Safer Federal Workers Taskforce (the Task Force) with ironing out the mandate’s specifics by September 24, 2021. Hopefully, they will answer many outstanding questions.

For now, what we do know is that the Order is effective immediately; however, it expressly states that it applies to a contract or contract-like instrument that is entered into, extended, renewed, or has an option exercised on or after October 15, 2021. A “contract-like instrument” will have the meaning set forth in the Department of Labor’s proposed rule, “Increasing the Minimum Wage for Federal Contractors.”

Applicable contracts are:

  • Services, construction, or leasehold interest in real property;
  • Services covered by the Service Contract Act;
  • Concessions; and
  • Work in connection with federal property or lands and related to offering services for federal employees, their dependents, or the general public.


There are some explicitly exempt contracts. Specifically, the Order does not apply to federal grants, contracts with Indian Tribes, contractors working outside of the United States, contracts equal to or less than the simplified acquisition threshold, and subcontractors solely for the provision of products.

We also know the mandate will apply to “any workplace location as specified by the Taskforce where a worker is working on or in connection with a federal government contract or contract-like instrument.” With this said, it could be interpreted as requiring both remote workers and employees working at the contractor’s facility to get the vaccine. We hope this will be one of the items the Task Force addresses in greater detail.

Finally, written in the Order are specifics the Task Force must address:

  • Definitions of relevant terms for contractors and subcontractors,
  • Explanations of the protocol required of contractors and subcontractors to comply with workplace safety guidance, and
  • Any exceptions to the Task Force guidance that apply to contractor and subcontractor workplace locations and individuals in those locations working on or in connection with a Federal Government contract or contract-like instrument.

Again, these items will have to be spelled out by September 24. However, this date could be extended.

Some action items to consider:

  • Determine if you are a federal contractor or subcontractor
  • Determine your contract applicability
  • Determine which form of proof of vaccination you will accept
  • Create a COVID-19 Vaccination Requirement Procedure policy


Federal Contractors and Companies Requiring Vaccinations

Recently, the Biden administration announced new measures to encourage vaccinations among Americans. Focusing primarily on increasing vaccinations at the federal level, President Biden stated that all federal government employees and on-site federal contractors are required to attest to their vaccination status. This order only applies to on-site contractors.

At this time, federal or contractor employees can refuse to attest to their vaccination status and still work if they are not yet vaccinated. However, there are implications to this choice. First, all unvaccinated/non-attesting employees and contractors will be required to wear masks while working on location, physically distance themselves while working, and test for COVID one to two times a week. Additionally, unvaccinated federal employees and contractors will be restricted from traveling for work.

As of now, federal contractors only need to attest to their vaccination status. President Biden has not ordered that on-site contractor employees receive the COVID vaccine. However, the stagnant vaccine rate, increasing infection numbers, and the severity of the Delta variant may lead this position to change.

If you are a federal contractor, it is important to ensure that all your workers are vaccinated or strictly follow CDC guidelines. These actions will not only protect your workforce, but they will allow you and your employees to avoid these additional burdens placed on unvaccinated employees. Further, there could be real contractual implications if a contractor employee violates CDC guidelines and causes a COVID outbreak.

Vaccination Trends: More Companies Are Considering Mandating (or Have Already Mandated) Vaccines as Delta Variant Spreads

Recently, employers have been showing more interest in required vaccinations. Despite initial ambiguity over the legality of an employer-imposed COVID-19 vaccine mandate in 2020, 2021 has brought a series of decisions and opinions from federal authorities and the judiciary clarifying that an employer vaccine mandate is legal as a condition of employment.

These court decisions and opinions could result in a potential increase of vaccine mandates enacted by private businesses in the wake of the new state and federal government regulations. As the coronavirus pandemic has tightened its grip on the U.S. yet again this summer, more employers are getting onboard with a workplace vaccine mandate.

In the private sector, companies including Morgan Stanley, Saks, Delta Air Lines, The Washington Post, United Airlines, and Facebook have all announced their own vaccine requirements for employees in recent weeks. Recently, Google announced it was delaying its return-to-office plans until October, and that employees must be vaccinated to go back in-person.

In terms of what’s legally allowed, employers do have the right to set the terms and conditions of employment. Employers can require employees to be vaccinated against COVID-19, or to submit to mandatory COVID-19 screenings. With that said, employers creating a vaccine requirement must be open to requests for reasonable accommodations as required by law, such as for workers who refuse for religious or medical reasons, including pregnancy. All such requests must be assessed individually, and employers have the right to ask for supporting documentation.

Vaccination Inquiries: Who Needs to Know?

Vaccination information is confidential medical information and can be disclosed only on a need-to-know basis. Considerations include:

  • Company Policy determines who needs to know. For example, if fully vaccinated employees do not have to wear masks in the office, their direct supervisors might have a need-to-know vaccine status in order to enforce that policy.
  • If an employer has mandated vaccinations and someone is not vaccinated because of an accommodation, that person’s supervisor would need to know this information so that the accommodations (which likely would involve social distancing and some wearing of masks in common areas) would be recognized and enforced.

Mask Guidance & Mandates by State

When it comes to requiring masking or not, it is apparent that things are very much in a state of flux. The Delta variant, CDC guidance, and ever-evolving state and local requirements will have significant impacts on all employers, including those that had recently dropped mask mandates for vaccinated individuals and those planning to reopen their worksites in the fall.

The Centers for Disease Control and Prevention’s (CDC) most recent guidance recommends that fully vaccinated persons in areas with substantial or high rates of COVID-19 transmission resume wearing masks in public indoor settings. The guidance also encourages all fully vaccinated persons who have a known exposure to COVID-19 to take a COVID-19 test three to five days after exposure, and to wear masks in public indoor settings for 14 days or until receiving a negative COVID-19 test.

Possible ‘Next Steps to Consider’ for Employers

At this time, employers may consider varying options to find the best way to implement appropriate safety measures for their businesses. As the CDC continues to advise that the risks of transmission are significantly increased among unvaccinated individuals, employers may want to consider implementing a vaccine mandate for employees working at their establishment, restricting entry to fully vaccinated individuals only, requiring the use of masks, and staying current on changing mask mandates for private employers, which vary by state. All these approaches have different pros and cons, and there is no one-size-fits-all approach that will work for every employer. Considering current trends, we expect even more changes at state and local levels, and we encourage businesses to monitor these developments closely.

Key Solutions Inc

How to Get the Most Value From SMEs to Write a Winning Proposal

Subject matter experts (SMEs) are necessary to almost every proposal. They are the ones who design and build the product (or provide the service).

They most likely work on contract for your customer, so they know what to do, how to do it, when and where to do it, and who is responsible for it. They can provide lessons learned to improve your methodology, identify reasonable quality metrics and measurements, and make recommendations for continuous process improvements. SMEs often know the real decision-makers and have insight into their preferences.

What SMEs likely can’t do though, is write effectively for your proposal. There are two reasons for that:

1. Because of their deep product knowledge, SMEs “know too much.”

They know there is no simple answer; everything depends on the customer environment, system configurations, SLAs, other vendors involved, and so on. They often struggle to respond only to what the RFP requires.

2. SMEs may not actually write frequently, but if they do, it’s probably in a style very different from what proposals require.

For example, user manuals are dry, short, and to the point, providing precise, logically organized instructions. Technical specifications are heavy on jargon and metrics with little prose. Conversely, scientific and research papers provide heavily detailed theories, methodologies, rationales, and results leading up to conclusions.

These experts are ill-prepared to work within a stringent compliance-driven proposal outline, which makes a hash of any lengthy technical discussion and imposes ridiculous page limits. Closely related material may defy logical order and be split into multiple sections, with seemingly unrelated material stuck in the middle. Asking your SME to learn to write in this fashion will be frustrating at best, and is not the best use of their time or expertise.


Still, there is another, even more germane reason not to task SMEs with writing proposal responses: a proposal is not a technical document. It is a customer-oriented response to specific requirements. SOWs and SLAs and technical volumes notwithstanding, a proposal must above all persuade the evaluator that your solution is the best combination of not only technical, but also management, security, customer support, cost, and other relevant factors.

Precisely because SMEs are experts on product design, features and benefits, they write from that perspective. They often “push their product across the table,” trying to sell what they already have. Proposals, meanwhile, are all about solving the customer’s problem. The product is merely part of the solution, and may need substantial modifications to meet requirements. A well written proposal inspires the customer to “pull the solution to their side of the table.”

So how do you get the most value from your SMEs?

Bring in a seasoned proposal writer to turn your SME’s data into “proposalese.” Proposal writers start with the RFP requirements to understand what the proposal must provide. They absorb or even help develop win themes, discriminators, and value propositions. Then they work with the SMEs through interviews, Q&A sessions, and read/review/edit cycles, to craft a compliant, compelling response to the convoluted RFP requirements.

So what is “proposal style” writing, and why does it require dedicated proposal writers?

Essentially, it’s very much like what I learned a lifetime ago in Journalism 101. In that class the basic assumptions were:

  • Few people read past the headlines
  • Even fewer people read past the third paragraph
  • Only diehards ever read to the end

To satisfy a newspaper audience then, a journalist must put the most important points up front. Backup data comes later. Think of a triangle, point down, or a funnel: at the top, the broadest point, is where your conclusion goes – the most important material that you want the reader to remember. After that come the proof points or substantiation for those who continue reading. Additional details and background information follow, to satisfy the diehards who want the whole story.

This is pretty much exactly what you need to do in proposals: assume the audience (evaluator) will spend very little time with your proposal, so put all the most important information right up front so the evaluator can find it with little effort.

Proof points, like references to similar successful efforts, should follow, as validation for your approach. Extensive details can bolster your argument, especially when summarized effectively with a features/benefits table or similar device to reinforce your solution.

This article was originally published in June 2013 and updated in August 2021.


This article was originally created and published for the Key Solutions blog. Key Solutions, Inc. (KSI) is a full-service bid and proposal consulting firm that helps companies win government contracts.

General Data Protection Regulation: The 10 Key Developments You Should Know

#1: GDPR: It’s here to stay, and it’s never going to go away!

There’s been some debate around the need to reform the GDPR. However, this reform is unlikely to happen in the short term, given that the European Commission noted in its 2020 evaluation report of the GDPR that it considers the GDPR to have met its objectives. In the European Commission’s view, the GDPR has given stronger rights to individuals, while businesses are developing a compliance culture and using data protection as a competitive advantage, among other benefits.

#2: Playtime seems to be over (both for companies and DPAs)

Looking at the past three years of enforcement by the national data protection authorities, we have seen a clear evolution in the enforcement area:

  • From June to the end of 2018: National authorities were setting up and reorganizing their teams to align their internal structure and resources with their new roles under the GDPR. This resulted in very few enforcements
  • Year 2019: The enforcement increased in 2019, but it consisted mainly of small fines and small companies being targeted
  • Year 2020: National data protection authorities started imposing very high monetary penalties, but many of these were appealed
  • Year 2021: This year, we have started to see more mature and sophisticated enforcement decisions

#3: GDPR: the global ripple effect

GDPR has been a great inspiration around the globe. Some countries have started to implement new data protection frameworks that are aligned with the GDPR, such as the United States with the California Consumer Privacy Act and Brazil with the General Law for the Protection of Personal Data (LGPD). India is following closely, and a law is expected to be finalized at the end of this year.

#4: Data transfers have become a key challenge

Data transfers have become a key challenge for global organizations. Following the European Court of Justice Schrems II case, companies need to complete a Data Transfer Impact Assessment before transferring any data outside of the EEA, assessing the law and practice of the country of the data importer.

Although the European Court of Justice didn’t invalidate the standard contractual clauses (SCCs), companies now also have to supplement them with additional contractual and technical measures, following the European Data Protection Board guidance.

#5: Brexit has added an additional level of complexity

Following Brexit, we now have two GDPRs – a UK one and an EU one. Although currently both frameworks are basically identical, we may expect that there will be some deviations in the future. Brexit has also brought some duplications in relation to appointments of DPOs, representatives and BCRs.

#6: EU countries make use of the possibility to fine-tune by national laws

The GDPR has brought a fair amount of harmonization into the EU data protection framework; however, it’s important to note that EU Member States still have the possibility to fine-tune the GDPR locally by imposing additional requirements in areas such as the appointment of DPOs, processing activities that require a Data Protection Impact Assessment, or the age under which parental consent is needed to provide online services to children.

#7: To consent or not to consent, that’s the question

GDPR raises the bar for consent: pre-ticked boxes are not valid, and companies must be able to demonstrate that individuals were totally free when they gave consent. Also, consent can be withdrawn at any time. All of this makes consent a difficult legal basis to rely on.

#8: Regulator guidance: creating clarity or more confusion? (Thankfully it’s black and white… No grey areas to cause confusion)

The EDPB and the national data protection authorities have issued a lot of guidance since 2018 on multiple matters such as virtual voice assistants, data breach notifications, international data transfers and the concepts of controller and processor. In most cases the guidance is more restrictive than the GDPR.

The European Court of Justice has also had an active role in defining the GDPR through cases such as Fashion ID, Orange and Schrems II.

#9: Much more sophisticated and balanced data processing/sharing agreements

The relationship between data processors and controllers has become more mature and sophisticated. All steps of the relationship – from the onboarding phase, following with the contract execution and during the whole contractual relationship – have been impacted by the GDPR.

#10: And more is yet to come: what about 2022?

The EU Commission is quite active on data protection. There’s new legislation on the horizon mirroring GDPR, such as the Artificial Intelligence Regulation. Another area where we expect changes is e-privacy.

From the United States’ perspective, there is a lot of activity and, as mentioned earlier, the GDPR has inspired it. Apart from the CCPA, in 2018 Alabama enacted a data breach notification law, and other states such as Washington, Virginia and New York have begun to introduce baseline privacy legislation.

How To Mitigate Risk In Buying A Distressed Gov’t Contractor

The COVID-19 pandemic is creating challenges for many contractors, and for those already struggling with legal and/or financial issues before the pandemic, the risk of crisis is even more real today.

The pandemic, however, is also creating acquisition opportunities. Buying a government contractor in financial or legal distress can be lucrative if appropriate due diligence is conducted and the buyer proceeds with a clear understanding of the target company’s liabilities and potential exposure.

Through our collaborative work together as government contracts counsel, we periodically learn of sophisticated companies acquiring government contractors without appropriate due diligence only later to be surprised with a formal notice of proposed debarment, notice of suspension or show cause letter stemming from the alleged past misconduct of the target, or its former management or owners.

Now that promising acquisition has turned into a crisis that requires the immediate attention of leadership, a diversion of resources, and a significant investment of capital to address. Upon receipt of that debarment notice, company leadership and its board of directors immediately find themselves asking whether they could have done more diligence to avoid this situation.

In most of these cases, that debarment notice was avoidable had the buyer conducted more rigorous due diligence to better understand the risks involved and thereafter taken appropriate risk-mitigation measures to reduce, if not eliminate, the risk of debarment.

Let’s pretend you have not yet acquired that government contractor and there is still time to mitigate the risk of debarment. Imagine a scenario where you are evaluating the acquisition of a government contractor in financial or legal distress.

You are interested because that contractor offers some incredible synergies to your existing business and contract portfolio. You are also interested in several of the target’s significant government contracts and see opportunities for growth and expansion.

However, during the due diligence phase, you are informed that one or more of the company’s former management personnel are under criminal investigation by the U.S. Department of Justice for alleged misconduct relating to their prior roles in performing government contracts for the company. That information is quickly followed by the representation that this should not be a concern because the government has declined to pursue the company criminally.

Upon hearing this news, some may conclude that the matter is resolved, and the company is free and clear of any financial or legal exposure.

While it is certainly favorable news that the company is not being pursued criminally, the company is not necessarily free and clear from the other remedies in the government’s arsenal.

Indeed, the company could still face contractual remedies, civil False Claims Act exposure, including treble damages and penalties, and, as addressed herein, the risk of suspension and debarment under Federal Acquisition Regulation, or FAR, Subpart 9.4 looms large.

For buyers desiring to eliminate the risk of debarment for the alleged past misconduct, there’s some hope. This is truly one of those situations where an ounce of prevention is worth a pound of cure.

Prior to acquiring the target or its assets, we want to ensure that the target has conducted an appropriate investigation and prepared an investigative report laying out the factual findings.

Without such a baseline level of knowledge, you are truly taking a gamble, much like walking into a casino and laying your entire investment on a hand of blackjack. Do you feel lucky? Do you know the dealer’s hand? Do you know how those ahead of you in the dealing line are going to play their hands? Unless you are clairvoyant, you are gambling. The risk is total loss.

Buying a distressed contractor can cost you far more than your investment, including the debarment of the target company, treble damages and penalties under the FCA, the risk that the government imputes the target company’s debarment to the buyer and other affiliates as defined in FAR 9.403, reputational harm to the target company and buyer, and, of course, substantial legal fees and costs, among others.

With a clear accounting of what happened, you can negotiate terms for the acquisition or asset purchase that protect you financially from exposure, including provisions providing for representations and warranties, indemnification, advancement of legal fees and holdbacks, among other protections.

These facts will enable you to evaluate whether appropriate corrective actions and remedial measures have been implemented to significantly mitigate the risk of recurrence. For example, assume the misconduct involved kickbacks. Here are a few questions that come to mind:

  • Does the target have a values-based ethics and compliance program satisfying FAR 52.203-13, Contractor Code of Business Ethics & Conduct?
  • Does the target have a code of business ethics and conduct?
  • Does the target have an anti-kickback compliance policy?
  • Does the target have a gift policy and a conflict-of-interest policy?
  • Does the target provide live compliance training to personnel addressing these subjects?
  • How does the target evaluate the responsibility and ethics of its vendors and suppliers?
  • Does the target maintain financial controls requiring employees to document and memorialize any gifts they have provided or accepted involving customers, vendors, and suppliers? Same for business development expenditures?
  • What type of financial controls are in place?

These are just some of the questions that should be asked in evaluating the state of the target’s response to the events and its overall ethics and compliance program.

Once you understand what happened and how the company responded, if at all, to mitigate recurrence, you can begin assessing how the company, if acquired by you, would fare under a present responsibility assessment using the mitigating factors and remedial measures set forth at FAR 9.406-1. Explore the types of targeted remedial measures that you would need to undertake to show the government that you have done all you can to mitigate recurrence.

Additionally, you will want to be in a position to demonstrate that the company’s ethics and compliance program satisfies FAR 52.203-13 and includes the following components: core values; an ethics and compliance officer to manage the day-to-day operations of the program; an ethics helpline allowing for anonymous reporting; an investigations policy; compliance policies and procedures; effective training programs and testing of such programs to gauge effectiveness; a disciplinary program; and a disclosure policy.

Once you have completed your due diligence on the target and assuming you decide to proceed with the acquisition, consider requiring as a condition to closing that you have the opportunity to proactively engage with and disclose the facts to the lead agency suspension and debarment official, or SDO, and ideally to receive comfort from the SDO’s office that they are satisfied with the company’s response to the events and do not intend to take administrative action (i.e., debarment) against the entity.

In some instances, the SDO’s office may desire a long-term compliance agreement, referred to as an “administrative agreement,” which has significant cost considerations and compliance obligations, including possible independent monitoring by a third party, quarterly reporting and enhancements to the existing compliance program, among other terms.

Administrative agreements are manageable, however, and often strengthen the company and make it even more valuable, but they do come at a cost that needs to be factored into the acquisition. If time does not exist before the closing of the transaction to eliminate the risk of debarment, make sure the acquisition agreement offers you appropriate financial protections to guard against a significant investment in remediation, an administrative agreement, independent monitoring, or debarment and loss of revenues for a period of time.

By engaging with the lead agency SDO’s office proactively, you are walking into the proverbial lion’s den, so it is important to be prepared.

In our experience, typically SDOs welcome proactive engagement by contractors and view such as an indication that the contractor is responsible and can be trusted. Moreover, if done prior to the acquisition, the SDO’s office is likely to be impressed with the buyer’s preacquisition due diligence.

Conversely, SDOs look less favorably upon buyers who proceed with an acquisition without appropriate due diligence. And, in most instances, the benefit of engaging with the SDO’s office proactively, whether before or after closing, is that you eliminate the risk of a surprise debarment notice at the most inopportune time and typically can resolve the SDO’s concerns.

By proactively engaging with the lead agency SDO’s office, you are investing in the future, mitigating the risk of debarment and gaining peace of mind. Otherwise, each day in front of you could bring an unfortunate surprise and one that will be far more costly to address in a crisis. Buying a distressed government contractor can be lucrative as long as you take appropriate measures to ensure you understand the risks and are protected.

What is an OTA?

Stephanie Alexander and Katie Bilek explain what an Other Transaction Authority (OTA) is and how it helps government agencies find and attract innovative contractors.


Deltek Clarity Report

Each year, Deltek surveys how government contracting firms of all sizes conduct business – address day-to-day business needs and functions, measure performance, identify tools and resources, overcome challenges and compliance hurdles – to formulate a baseline for the Clarity Government Contracting Study. The resulting report is a unique and trusted resource that helps performance-minded businesses identify areas to improve operational efficiency and effectiveness, help set business goals, inform business development strategy, and better understand how they compare to their competition.

The survey collects information on the functional areas of:

  • Business Development
  • Finance and Financial Compliance
  • Project and Risk Management
  • Human Capital Management (HCM)
  • Contract Management and Procurement
  • Information Technology (IT) and Cybersecurity.

2020 Was an Eye-Opening Year

Like so many other markets and industries, those in government contracting had to reevaluate their businesses to adapt to the needs of a country dealing with the COVID-19 global pandemic. A record amount of discretionary appropriations were released in 2020, and of this overall increase in federal spending, 53% was due to the U.S.’s COVID response.

Though some companies found themselves directly benefiting from the spending increase with fast revenue growth during this time, others found themselves in deemphasized areas, which put a premium on strong pre-existing customer relationships to keep operations solvent. New strategies for networking and diversifying products, services and markets were crucial to keep afloat, as were investments in operational capabilities and information security to support a fully remote workforce.

All in all, contractors reported only a slight dip in confidence that they can grow their public sector sales over the next 12 months, as seen in the Government Contractor Confidence Index illustrated within this year’s Study. Also highlighted are the more specific ways the pandemic impacted the day-to-day and long-term function of businesses.

Data Governance & the CMMC Framework

Data governance is the process of managing the availability, usability, integrity, and security of the data in enterprise systems, based on internal data standards and policies that also control data usage. Effective data governance ensures data is consistent, trustworthy, and doesn’t get misused. Before we explore its role in CMMC, let’s explore the basics.


Data governance is a set of principles and practices that ensure high quality through the complete lifecycle of your data. According to the Data Governance Institute (DGI), it is a practical and actionable framework to help a variety of data stakeholders across any organization identify and meet their information needs.

How important is data governance for your company?

Data governance is a set of processes ensuring important data assets are formally managed throughout the enterprise. It also ensures that trusted information is used for critical business processes, decision making, and accounting.

What are some core principles of data governance?

There are certain core principles which drive a successful data governance implementation:

Recognizing data as an asset – In any organization, data is the most important asset.

Data classification – The process of organizing data into categories, making it easy to retrieve, sort, and store for future use. A well-planned data classification system makes essential data easy to find and retrieve. This can be of particular importance for risk management, legal discovery, and compliance.

Data ownership and accountability – In a successful data governance process, ownership and accountability of data must be clearly defined.

Data retention – Data retention is an important step in helping protect an organization’s data and avoid financial, civil, and criminal penalties that increasingly accompany poor data management practices.

What are the business drivers for data governance?

Regulatory compliance – This is affecting all organizations. And, at the lowest denominator, all organizations need to comply with their own country’s financial regulations. Then there are region-specific data privacy regulations, some stricter than others, but noncompliance with those can also end up costing the organization large sums of money, as well as bad publicity. This tends to score high in the list of data governance drivers because of the high risks and costs associated with noncompliance.

Data driven decision making – This is an umbrella for a few drivers, so sometimes you might see this stated simply as “implementing a Business Intelligence (BI) program.” Other times you hear about “starting data analytics” or “big data adoption;” even improving overall efficiency and customer satisfaction. You should consider all of these under one driver because they all fall into the idea of knowing the best decisions to make based on your company’s data.

The quality of your data – It all boils down to data quality (the reason why a lot of organizations point to this as the main driver). Even those who want to start a BI program, ensure regulatory compliance, become more efficient, increase customer satisfaction, and so on, need to ensure the data is clean and accurate, as well as in agreement with the data quality dimensions that matter to the business. If you don’t have good data quality, then you won’t accurately know that the right customer unsubscribed from your newsletters and you’re still continuing to send to them. You might overcharge someone, send inaccurate financials to the IRS, mislabel ingredients on a product, incorrectly categorize those medical lab tests, or draw inaccurate conclusions from revenue projections. The state of quality of your data can make or break everything, and for this you need good data governance.


The concept of Data Governance is a focal point in the CMMC world. Identifying information as FCI, CUI, or CTI is crucial in knowing how to handle the information at hand and to be able to classify and label it accordingly.

Knowing how to classify your data is key in managing Access Control (AC); as an example, AC.2.16, a level 2 practice, talks explicitly about controlling the flow of CUI in accordance with approved authorizations. Knowing how to classify your data is key in knowing who in your organization is authorized to access CUI to manage their access accordingly.

Example 1: When it comes to Data Classification, companies should know in advance whether a Team or SharePoint site will contain CUI data when it is provisioned. The Community Service Team should be open to all personnel and data about the unit’s volunteer opportunities should be free to be widely shared. However, the unit’s readiness report is probably sensitive information. As such, it needs to be labeled “CUI” and live in a Team site that is clearly marked as such. In other words, the Community Service Team can be labeled “public” while the Readiness Team should be labeled “Readiness – Restricted – CUI.”

Example 2: When it comes to Lifecycle Management, a good Data Governance policy includes a Lifecycle Management plan. Periodic reviews or certain events (for example, the end of a contract) should initiate an archiving process that may even include the deletion of the workspace. This eliminates sprawl and can reduce clutter, which in turn also reduces the attack surface of the environment.
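The two examples above, as one added illustration (not code from govmates or any CMMC tooling): a review over a constructed workspace inventory that flags members of a CUI-labeled site who hold no CUI authorization (the AC.2.16 flow-control idea from Example 1) and flags workspaces whose contract has ended and that are still not archived (the lifecycle rule from Example 2). The labels, user names, and contract dates are assumptions made up for the sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Classification labels as used in Example 1 of the text.
PUBLIC = "public"
CUI = "Readiness – Restricted – CUI"


@dataclass
class Workspace:
    name: str
    label: str                           # label applied when the site was provisioned
    members: Set[str]
    contract_end: Optional[date] = None  # hypothetical lifecycle trigger (Example 2)
    archived: bool = False


def flow_violations(ws: Workspace, cui_authorized: Set[str]) -> Set[str]:
    """Members of a CUI-labeled workspace who are not on the CUI authorization list."""
    if ws.label != CUI:
        return set()
    return ws.members - cui_authorized


def archive_due(ws: Workspace, today: date) -> bool:
    """A workspace whose contract has ended and that is not yet archived should be archived."""
    return ws.contract_end is not None and ws.contract_end < today and not ws.archived


def review(workspaces: List[Workspace], cui_authorized: Set[str], today: date) -> List[Tuple[str, str, str]]:
    """Return (workspace, finding, detail) tuples for a governance review."""
    findings = []
    for ws in workspaces:
        for user in sorted(flow_violations(ws, cui_authorized)):
            findings.append((ws.name, "unauthorized CUI access", user))
        if archive_due(ws, today):
            findings.append((ws.name, "archive due", str(ws.contract_end)))
    return findings


# Constructed sample inventory; nothing here is real data.
AUTHORIZED_FOR_CUI = {"alice", "bob"}
SAMPLE = [
    Workspace("Community Service Team", PUBLIC, {"alice", "bob", "carol", "dave"}),
    Workspace("Readiness Team", CUI, {"alice", "bob", "carol"}),
    Workspace("Contract 2019 Deliverables", CUI, {"alice"}, contract_end=date(2020, 12, 31)),
]

if __name__ == "__main__":
    for finding in review(SAMPLE, AUTHORIZED_FOR_CUI, date(2021, 6, 1)):
        print(*finding)
```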

Data is a critical asset for every business, and it is a powerful asset when well-governed. Remember, ad-hoc approaches to how to handle your business data are likely to come back to haunt you. Data governance has to become systematic, as big data multiplies in type and volume and people seek to answer more complex business questions. That means setting up standards and processes for acquiring and handling data, as well as procedures to make sure those processes are being followed. That said, achieving enterprise-wide Data Governance is not a trivial task. It makes sense to break that initiative down into more manageable steps.

Some things you should consider:

  • Identifying current and desired data governance levels
  • Focusing on strategic quick wins to build support
  • Building toward the facets of a sound data governance framework/program

Most organizations do not have the people, nor do they have the expertise, to tackle such an important program. Involving a third party is often critical for success: an organization with the expertise to help you map out a Data Governance framework specific to your business and industry, and to let you decide how mature you would like that program to be over time.