
DoD’s plan to track contractor-held property is failing, putting 2028 audit goal at risk

The Pentagon’s plan to fix its decades-old material weakness — its inability to reliably track government property in the possession of contractors — is failing, a new inspector general evaluation finds.

The Pentagon IG concluded that the department’s corrective action plan — which calls on DoD components to use a software application called the Government Furnished Property Module within the Procurement Integrated Enterprise Environment — has stalled due to a lack of enforcement from the Office of the Secretary of Defense and slow adoption by the military services.

Auditors warn that if DoD components don’t implement the GFP module, the department risks missing its goal of achieving a clean audit opinion by 2028.

“The implementation of that GFP module is the key to getting this to work,” Mark Thomas, DoD IG’s supervisory auditor, told Federal News Network.

One of the technical challenges, Thomas said, is that each military service uses its own accountable property system of record, or APSR, to track government assets in the hands of contractors. The Office of the Secretary of Defense, however, wants the services to connect their systems to the GFP module.

“That is something that the components have not been able to do yet. They’re still working to implement that. Each of the components has corrective action dates for that that are still into the future,” Thomas said. 

“The goal would be to complete everything by 2028, preferably before 2028 so that the auditors, as they come in to do the work, that control environment has been established and been working before the auditors come in and start to do some of the work. That would be the best way to do it,” he added.

But some of the timelines to remediate this weakness stretch beyond the 2028 deadline. 

“Unless there’s a change in those dates, then they’ll be at risk for missing the deadline,” Thomas said. 

Each military service has its own reasons for lagging in implementing the department-wide solution, but most of those reasons center around the same issue — every component is grappling with its own longstanding material weakness in accounting for government property in the possession of contractors. 

“They have their own systems which differ from component to component. So they have their own technical challenges and how their particular system in the Air Force functions and how it accounts for property versus how the Navy does it. Each group is kind of working on their own technical challenges and how they’re going to report this into their own APSR — they are busy doing that and they’re actively trying to clean that up so that they can all get opinions on their financial statements,” Thomas said. 

But the IG found that this component-level focus has come at the expense of the broader, department-wide effort. 

Thomas said the services have been receptive to adopting the department-wide solution, but each faces a number of technical challenges connecting their systems to the GFP module.

“They understand the importance of it, and they understand what this really would give us if there is a functioning GFP module across the department. This would really give the department a larger bird’s eye view of all of the property that they have in the possession of contractors. And it would provide that enterprise level look and ability to tell we have so much property at contractor x,” Thomas said. 

Meanwhile, DoD leaders have not mandated the use of the GFP module, which is stalling the department’s efforts to remediate this material weakness. The audit found that the OSD could be “more forceful” in recommending and implementing the department-wide solution.

“They need to be more direct in saying that we will use this module, all the components will use this module. That was one of the areas that we thought was weak, that the department could improve their messaging, and they could improve to be more direct and require the use of this module,” Thomas said.

The post DoD’s plan to track contractor-held property is failing, putting 2028 audit goal at risk first appeared on Federal News Network.


In comedy of errors, men accused of wiping gov databases turned to an AI tool

Two sibling contractors convicted a decade ago for hacking into US State Department systems have once again been charged, this time for a comically hamfisted attempt to steal and destroy government records just minutes after being fired from their contractor jobs.

The Department of Justice on Thursday said that Muneeb Akhter and Sohaib Akhter, both 34, of Alexandria, Virginia, deleted databases and documents maintained by and belonging to three government agencies. The brothers were federal contractors working for an undisclosed company in Washington, DC, that provides software and services to 45 US agencies. Prosecutors said the men coordinated the crimes and began carrying them out just minutes after being fired.

Using AI to cover up an alleged crime—what could go wrong?

On February 18 at roughly 4:55 pm, the men were fired from the company, according to an indictment unsealed on Thursday. Five minutes later, they allegedly began trying to access their employer’s system and access federal government databases. By then, access to one of the brothers’ accounts had already been terminated. The other brother, however, allegedly accessed a government agency’s database stored on the employer’s server and issued commands to prevent other users from connecting or making changes to the database. Then, prosecutors said, he issued a command to delete 96 databases, many of which contained sensitive investigative files and records related to Freedom of Information Act matters.


From small business roots to mid-tier powerhouse, this firm is using employee ownership and AI to stay ahead in federal contracting

Interview transcript:

Travis Mack: Over the years, you know, growing a small business is kind of an iterative process. You learn a lot of things along the way. And we had done very well in the small business vertical, but when we got to that point where we were trying to make that inflection, that turn to trying to be a large business, there were a couple things that we were considering. Were we going to remain a small business or were we just going to blow right through it? And we decided to kind of blow right through the small business threshold. And with that, we had to do a few things differently. We certainly had to upgrade our talent, which was really important, right? We had to also look at trying to drive additional revenue streams, trying to create additional value for the federal government. And so we decided on, not only were we going to grow organically, we were going to grow inorganically as well, which kind of led to our strategy of mergers and acquisitions and incorporating that into our organic growth.

Terry Gerton: Well as you say, growing past that small business to large business zone can be really, really challenging. But you’ve kept Saalex as an employee-owned company. How did that decision factor in to your growth strategy?

Travis Mack: It factored in because as we were making the transition, we had to figure out how we were going to attract the best and the brightest. And it was actually one of our core strategic decisions on us trying to go and become a large business. It has been the kind of the pillar of us trying to grow. So us becoming and transitioning into an employee-owned organization was really something that I thought of and I said to myself, “if you were going to be asked to work 80, 90 hours a week, what would you want, Travis?” I said I’d probably want equity. And hence, you know, the employee-owned building blocks that we utilize today in order to attract the best and the brightest for Saalex.

Terry Gerton: Is that a strategy that you think is sustainable as you continue to grow the company?

Travis Mack: Absolutely. We’ve seen it demonstrated before. We think it’s an excellent strategy for us to continue to scale and for those who are willing to put in that work, put in that extra effort. We think it’s something that … because it’s not only the top of the spectrum that’s gaining, it’s the entire organization, because everyone at Saalex has equity and we want that community.

Terry Gerton: So you mentioned a little bit about your growth through acquisition strategy. You’re clearly not trying to blend in, you really want to set yourself apart. How do you set yourself apart from the other big primes in the defense and federal space?

Travis Mack: We think it’s part of certainly, you know, being an ESOP, having that equity component. We also think it’s from us being unique. We’ve really embraced automation, we’ve really embraced AI, we’ve really embraced security in order to give ourselves a differentiating feel to the organization. And so we think, at our size, being more agile than maybe some of the larger primes, being more efficient than maybe some of the larger primes, and really just trying to understand what the core problem is and then solving for that, we think that is a differentiating vertical for us, and we’ve leaned into that. So, you know, we’re an AI-first organization building in automation and AI through every single business system, every single component, and then that efficiency, that effectiveness really translates very seamlessly to the federal customer.

Terry Gerton: So that strategy through mergers and acquisitions can really shake up company culture as you’re bringing in different organizations. How have you managed to build an organic Saalex culture and hold on to that through that growth cycle?

Travis Mack: It’s a process. And you know, it takes time. It really does, especially now with all the new changes, with how you implement artificial intelligence efficiently, bringing in different organizations within one culture. We’ve launched an initiative called One Saalex, really just trying to focus everyone on — it’s one infrastructure, which is backed by an AI-first mindset, and bringing everybody in and just trying to demonstrate the efficiencies of the platform and how we are supporting our end customers. So we take it day by day. We try to talk about what the benefits are; and it’s a lot of training, Terry. It is truly a lot of training and a lot of — I kid, every single day, half of my battle is changing hearts and minds. And I’ve got to show up every day changing hearts and minds and showing the innovation and showing how, at the end of the day, it’s actually better.

Terry Gerton: And you’re bringing in folks with some really amazing technical talent, clearance capability, high-tech roles. How are you finding the job market, and then how do you find the integration once you get them on board?

Travis Mack: The job market right now is something that we focus a lot on, right? I mean, the lifeblood of what we do is with individuals, with people. And true enough, we’re trying to scale that with AI and things of that nature. But really it’s about us being out there in the community. It’s about us being active. It’s about us defining and identifying roles that, you know, we can fit individuals into very, very seamlessly. I think we’ve been certainly very forward-leaning with the mechanisms by which we hire. Traditional ways of hiring isn’t necessarily something that is at the top of the mind these days. So we try to be flexible, we try to be nimble, we try to be innovative, we try to do all those things that we think will entice individuals to come and work with Saalex.

Terry Gerton: And one of those things, as you already mentioned, is being an AI-first company. So how do you deploy that kind of fast-moving technology, both in Saalex and then for your customers to keep them on the cutting edge?

Travis Mack: Well, we’re not going out building large language models for the federal government. That’s not what we’re doing. We’re going to let them handle that. You know, ours had to be from a services perspective, right? And so we had to figure out, how do we engage and utilize AI from a services perspective? First we thought about, hey, okay, what does that look like? Our journey with AI actually started about two years ago and we really started to focus on AI functionality within all of our business systems. We took that and then we put in the digital connectors with RPA, with robotic process automation, you’ve got to have that digital connection, and then at the end of the day, trying to deploy that from a federal perspective and integrating that with the customers and the uses and creating digital workforce agents and the whole nine yards. And so we’ve tried to be innovative. We think that utilizing AI gives us an agile advantage, you know, than some of the larger competitors that we have. We’re able to move a little bit quicker as a mid-market federal contractor, and so we’re excited about, what are those new use cases, what are those new concepts that we’re delivering? We’re thinking about the work differently, Terry, every single day, and that requires a total mind shift.

Terry Gerton: Well speaking about thinking about the work differently, we’ve talked about your growth strategy, we’ve talked about your workforce culture and training, we’ve talked about your tech approach. But the world of federal contracting and defense contracting is changing very, very rapidly. So as you look forward, say five years, what do you see for Saalex, and how are you positioning them to take advantage of the opportunities you see?

Travis Mack: I’m going to try to pull out my magic ball here, put my Nostradamus hat on. Difficult question because of how fast things are changing. And what we’re trying to do is just be iterative. What we don’t want to be, Terry, is late. That is the thing. And we know we’re going to have some false starts. We know we’re going to not get it right as we implement automation and AI and efficiency throughout the organization. Government agencies right now want speed, they want agility, they want efficiency, they want security, the whole nine yards, as they are trying to change how they do the work as well. Five years out, we really think that it is about the iterative process, it is about changing how we do the work, it’s about identifying where we can drive efficiencies, and it’s about how we can, in my thoughts, do more with less, honestly. Because that’s where we’re headed to. So we’re excited about building an infrastructure, building a capability that the federal government and government agencies can utilize with some of our technical services, right? We’re supplying software development, we’re doing test range management, a whole bunch of technical stuff with the Department of War. So we’re excited about, how do we deliver those services differently? And what does that look like? Because I think that’s what everyone is struggling with. What does that look like? We’re trying to help get some visibility and we know it’s iterative. We know it’s going to innovate, we know it’s going to continue to expand, but we just didn’t want to be late.

The post From small business roots to mid-tier powerhouse, this firm is using employee ownership and AI to stay ahead in federal contracting first appeared on Federal News Network.


This federal contractor is reinventing itself by shifting from services to solutions

Interview transcript:

Terry Gerton: ERT works on, I guess, some of the most complex space and earth science missions. Tell us about maybe one breakthrough that’s really changed the game for how you support your defense clients.

Mark Lee: It’s actually a variety of defense and civilian clients. But a lot of what we have been focused on is this pivot to more focused on solutions. And a lot of the business that we work in, services has been sort of the name of the game. And that’s sort of, at this point, has connotations of just people in seats, just sort of staff augmentation. And there’s been a shift that’s happening in the industry, really shifting to more of a solution focus. And that’s really driven how we’re thinking about driving innovation, even reworking a lot of the processes in the company to be around a solution orientation, so making sure that when we’re thinking about what tools make sense to bring to a problem, everybody’s talking about AI and machine learning and all these things, those are extremely valuable tools and still sort of maturing and coming into their own. We’re really starting with the customer’s needs first because I think there’s a risk of so the tail wagging the dog, you see this set of tools and you want to apply it everywhere you can and we really want to come out the other way, like what are our clients’ problems? What tools are the most appropriate to those problems? And that’s really led us into addition to thinking about artificial intelligence, a lot around digital engineering, because in the areas that we work in, there’s all these applications, and by applying some of those principles, you can accelerate how quickly things can be done. You don’t have to wait. In the old days, they would build like two copies of a satellite so they could use one to test and one to launch. But you can now do that within a computer and that extends to the whole IT system to support the satellites and all that. So that’s really a place that we’ve been leaning in a much bigger way. And I think it really flowed directly from this focus on really our client’s problems and focus on what solutions to those problems will be most appropriate.

Terry Gerton: As you think about and build out that solutions approach, is there a particular move that’s helped you achieve scale without losing your technical edge or your mission focus?

Mark Lee: Coming into a company, when I joined ERT, they had been around for around 30 years, founder-owned, founder-led, and we had investment from Macquarie Capital, and that was when they brought me in. And we had a great team already at ERT, but I also had the opportunity to bring in a few leaders and, to me, building for scale is all about having the right people in the right seats and making sure that the new people understood the role. The existing people sort of knew where we were wanting to head and then building out processes. I’ve been in a much larger company and have kind of seen how they operate. Well, all right, well, what can I do to get ERT ready for that kind of scale? So it’s building in new business development processes, new operational processes, those types of things. That’s really been what we’ve been doing to sort of build so that you kind of want to build the infrastructure for where you want to be because if you get there and you don’t have it, then that’s when delivery can suffer and you put a lot of pressure on your staff to sort of make the impossible happen and there’s so many times you can go back to that well.

Terry Gerton: You talked about having the right people in the right seats. Your work requires some seriously specialized talent and often those folks need security clearances. What’s your strategy for finding and keeping those right people?

Mark Lee: I think some of it is my leadership style is a certain type of person that I want to have and it’s really finding the right people for the organization. I am not a command and control leader, which it sounds great, all that. But there’s actually different implications of that where if there are folks that are expecting to be told, ‘All right, here are the next five things exactly as you need to do,’ that’s not the way it’s going to happen. I will more lay out, ‘OK, what’s the output? What’s the result that we need?’ And you’re a professional, you sort of figure out how we’ll get that done. So making sure that’s clearly communicated and you’re hiring the people that are going to want to do that. Now, the people that like that kind of management style are really drawn to that and I really try to be super approachable. And I think when that all that drives the culture. And I, for example, we have these town halls that we do once a quarter. And I want staff to ask anything. I said, ‘No, don’t give me any questions ahead of time. No prepared remarks.’ And the harder the question, the better. And I’ve learned over time that type of approach, when you’re willing to be vulnerable and actually sometimes be, ‘Well, I’m not really sure,’ and being able to say that you might not have the answer or it may be a question that is a little bit sensitive. Watching me navigate that, I have found the staff trust you more and you build a culture that really, they’re telling their friends, ‘Hey, look, you should look at this opening.’ And certainly, where we always want to start is referrals. But you also have to be doing really cool work. And if you’re seen as a commoditized player, then the top-down are a little less excited. So I think some of it also is about the work that we pursue. You want to pursue the type of work that will attract the staff that you really want to have.

Terry Gerton: So let’s follow up on that because you’re in a space where you have a lot of competition. So beyond your culture and your people and the type of work that you do, what really makes ERT stand out to your clients?

Mark Lee: Our competition tends to fall into two big buckets. I kind of see there’s the much larger, multi-billion dollar firms that we go up against and then there’s companies that are more our size or even smaller. I think we try to do the sort of the best of both worlds approach. I think relative to the bigger companies, we offer more customer intimacy, we can offer more flexibility and a little bit more ability to adapt quickly because we don’t have this big, huge infrastructure that has to adapt with the customer. So I think that gives us some advantages. I think relative to companies that are our size or maybe smaller, we’ve got a lot of executives that have been at big places and been successful at big places and we’ve the backing of a really good private equity firm, we got a great banking group led by JPMorgan so that we can be much more able to respond to big challenges, ‘Oh they’ve got this huge project that they want to launch.’ I think we should have a little more faith that we can pull it off, given kind of the leadership we have and the kind of backing that we have. And I think you’re trying to find that balance, like I’ll come back to solutions, that really plays a key role. If you can be flexible and you have the client intimacy, but then you also have the heft behind it, you can really drive some outstanding results. And I think given where we are, that’s really where the team is really aimed at.

Terry Gerton: So those are three really important topics: the relationship, your own team and then the solutions-based approach. So tell us more about how you bring those three threads together to really deliver modernization of technology or the solutions that matter for your clients and you still help them stay compliant and secure.

Mark Lee: Yeah, I see technology as a key to making those things happen. I think some people think about all this technology modernization, all this great risk. Well, the risk is trying to keep doing things the way you’ve always done it. So part of what we’ve tried to do is to build teams that are encouraged and actually incentivized to constantly push the envelope. We’ve got an innovation team where their whole job is figure out what are the newest tools that are out there, how can they be applied to our clients’ problems and then what are the implications of applying them or are there other risks? Does it create cyber concerns? Does it address cyber concerns? How scalable is it? Is it going to lock us in or lock our client into a single vendor? So we’ve really had, and those folks are not sort of bogged down the day-to-day client, so they can sort of be a little bit more creative and focused, but at the same time, and we joke about it all the time, is that we don’t do science fair experiments here. So they know that whatever they’re working on has to be practical, has to be applicable and has to be really client-driven. And we’ve worked really hard to build a really close connection between that solutions team and our business development team so that all the things that they’re doing are being informed by what we’re seeing in the market, what things we’re chasing so that then we’re arming our business development team with really great solutions that just put them in a much more competitive position to win the work.

Terry Gerton: And as you look ahead, say, five years, how do you see your competition space changing, and how are you preparing ERT to meet those challenges?

Mark Lee: Well, I think there’s two different sides. I think on the overall federal landscape, I think you’re already seeing it happen, that this shift from people talking about services to talking about solutions. We’re not the only ones thinking that way. And with the government talking about rewriting the FAR, I think that there will be some incentives in that in terms of less of the cost-based pricing and more of fixed price, things like that, which provide the contractors an incentive to drive innovation. So I think you’ll see that happening. Within the space market, we couldn’t be more excited about all that’s happening there. I think it will be much larger. You’ll continue to have the big folks that have been there a long time. I think they’re sort of almost an extension of the government in a lot of ways. They’re critical to how things happen. But I think there’s going to be some non-traditional players that are going to come in. Within civilian space, you’re seeing a big push to commercialization, using more commercial services. And I think that opens the door to new entrants. We’re looking at those as really good teaming partners. And I think part of what makes ERT special as well is that we’re all about the best solution for our customer. Sometimes we can do that all ourselves, but sometimes there’s somebody that does a part of that better than us. And we’re not going to undermine our customer by trying to do the things that we are not great at. We’re going to go bring in the best in breed and being able to bring in some of these non-traditionals puts us in a much more competitive position, but it also is really fun because they’re doing some really interesting stuff. And I think you’ll see more of that over the next five years.

Terry Gerton: Lots of opportunities ahead then.

Mark Lee: Absolutely.

The post This federal contractor is reinventing itself by shifting from services to solutions first appeared on Federal News Network.


New CMMC rules take effect Monday, with contractors facing uncertainties

Interview transcript:

Jared Serbu: Dan, we now have a final rule, actually multiple final rules, telling us where the Defense Department is headed with CMMC. It’s been a long time coming. As we sit here in the fall of 2025, I mean, generally, how would you assess the level of clarity that folks have about how this is going to play out once we start really moving into the implementation stage here?

Dan Ramish: Well, Jared, I would say there are some questions about how the rollout will take place and the final rule included in Title 48 actually created some new questions. So one of the big questions, there are two central pieces of the CMMC program, really. One of them is that over time, these verification requirements will be implemented and that’ll include for most contractors that have contracts involving CUI, a certified third-party assessment, but the other piece of CMMC is that contractors are actually going to have to have a passing score that they are implementing cybersecurity requirements whereas currently, they only need to do an assessment and report the summary scores of that assessment without reference to having a particular passing score, having implemented a certain number of the security requirements. So this is going to be a big deal starting November 10th. Some contracts will require contractors to have a certain level of cybersecurity implementation with regard to the 110 cybersecurity requirements in NIST 800-171. The question is which contracts will have the CMMC clause and which won’t. And it’s going to matter so much because again it’s going to be an issue of eligibility for award. So you could lose out on a contract if you don’t have sufficient cybersecurity compliance. And the uncertainty here stems from the fact that there is language in the Title 32 rule and the Title 48 rule that is different. So the Title 32 rule suggests that DoD, as of Phase 1, which begins on November 10th, 2025, intended to include the CMMC statuses in clauses in all contracts and solicitations. Whereas the Title 48 rule, that came out in September, says that during the first three years the CMMC requirement will be included in only certain contracts. So it’s unclear which contracts will or won’t have it, or whether all contracts will have the CMMC clause or not.

Jared Serbu: But I think part of the take-home message there is you as a potential bidder or potential offeror on any of these contracts have no control over what DoD ends up doing on any particular contract and whether the clauses are going to be included or not. So that probably means it’s time to be ready no matter what.

Dan Ramish: That’s right. Contractors shouldn’t be rolling the dice and potentially losing out on an important contract opportunity that may include the CMMC clause.

Jared Serbu: And so what do we know about, as you just did a great job of taking us through, there’s a lot of murkiness about which contracts are going to include this or not. But what do we know about sort of the process DoD is going to use to decide whether those clauses are going to end up going into those contracts, at least during this first phase where they’re leaving themselves quite a bit of discretion?

Dan Ramish: So the Title 48 rule basically says that it’ll be up to the requiring activity to make the determination of CMMC that the CMMC program office will direct the component program offices as to inclusion of the requirement. The other issue, besides whether the clause will be in the contract at all, is whether self-assessment will be included or whether some contracts may include certification assessment for CMMC Level 2 and there’s discretion in that as well. There is a little bit more guidance as to that piece of it, when the decision might be made to include a certification assessment requirement. DoD’s frequently asked questions says that PMs should only make use of the discretion to include C3PAO assessment during Phase 1 when, informed by adequate market research, there’s reason to believe there are enough qualified offerors, including their subcontractors, to provide adequate competition. So if there are enough contractors that have a certification assessment for a particular requirement, then there’s a greater chance that DoD might decide to include a certification assessment and you could lose out even if you have self-assessed and are compliant, either conditionally or fully compliant.

Jared Serbu: Yeah and one of the things that comes to mind here is it may be an incentive against over-classification in some cases here, of course, a problem that has been existent in the government for a long time. If you run into a situation now where whether you’re designating things as CUI or not could determine whether or not you need to have CMMC in a contract, that could be a fairly powerful force on the government side to at least make you take a second look at the requirements in your contract and say, ‘Hey, is this really CUI or not?’

Dan Ramish: Yes. Well, and the backdrop to that is that a significant portion of the defense industrial base isn’t at the full passing score as yet for CMMC Level 2. And there have been a number of studies, one of them fairly recently from a company called CyberSheath, that suggested that the median SPRS score based on 300 survey respondents was 60, whereas the full compliance score is 110. So a lot of contractors have work to do and DoD requiring activities, of course, want to get their products and services from the contractors. And so on the one hand, the cybersecurity concerns are real, the national security implications of cybersecurity are real. But on the other hand, the Department of Defense needs to get their stuff. And so this has always been the tension all along. And I hope that you’re right that as the stakes increase with the CMMC clause that the government will take a more serious look at what really needs to be marked as CUI and be more discerning in that. But part of the challenge is that there isn’t at this stage a standardized method for indicating, identifying what CUI will be involved in the given contract. That’s something that’s addressed in the FAR CUI proposed rule. But that is kind of on hold with the whole Revolutionary FAR Overhaul that’s taking place. So there’s still going to be some challenge and some need for informal communication between prime contractors and the government or between subcontractors and prime contractors to figure out even what is going to be CUI under a contract.

Jared Serbu: Yeah, I want to make sure I’ve got my head around that last piece. So you as a vendor, when you see an RFP, you may not necessarily know just based on those solicitation documents whether or not there’s going to be CUI involved in performance of the work. And you may not know at the outset whether or at what level you need to be compliant with CMMC. Is that the upshot of all that?

Dan Ramish: Well, so there will be a designation of what CMMC level is required. The clause will designate which CMMC level is required, but just because CMMC Level 2 is designated for a given solicitation or contract, doesn’t mean that all information that is provided by the government or that’s generated in performance is going to be controlled unclassified information and it’s important to know what specific information is subject to handling and dissemination controls because contractors need to take appropriate precautions and they may have CUI on some information systems and not on others. And so ensuring that they are properly directing the flow of materials that are actually CUI is critical for compliance with the cybersecurity requirements. And so if they don’t have that information, if that’s not clearly indicated in the contract because there is no standardized form for that to happen, as yet, that creates a challenge.

Jared Serbu: Yeah, and you mentioned earlier that this is not the time to roll the dice anymore. But are there some areas or windows where, depending on the type of work you do, you can get away with completely avoiding CMMC altogether? Are there places where contractors really can still play and not worry about anything that we’ve been talking about the last 10 minutes?

Dan Ramish: So this is a big point of debate because, so CMMC Level 1 is actually going to apply to the largest portion of the Defense Industrial Base. And CMMC Level 1 corresponds to the basic safeguarding requirements that are currently in the FAR and those requirements are intended to be less onerous, but they are government-unique requirements. And to get out of even CMMC Level 1, there are really two ways around it. One of them is, there is an exception for COTS items. So if a contract is solely for COTS, commercially available off the shelf, that’s one exception. There’s going to maybe be greater need to drill down on what specifically is COTS. Of course, we live in an age where if you’re buying something off the shelf, there may be different options, and if the same options are available to the government as are available in the commercial marketplace, does that still make it COTS? There are questions like that where there could be gray areas. The other piece is federal contract information. If there’s no federal contract information, then CMMC Level 1 isn’t going to be required, assuming there also is CUI. Federal contract information is just non-public government information that’s involved in the contract. And the way that is interpreted by the government is going to be important because, of course, a lot of the information that is involved in contract performance is going to be accessible through the Freedom of Information Act. But the Department of Defense declined to say that anything that’s FOIA-able is not FCI. So it may be challenging to demonstrate that you don’t have any non-public federal information. There are going to be some exceptions if the government makes the information publicly available like on a public website or certain financial payment information isn’t going to be FCI. But short of that, I think it will be interesting to see whether there are questions about getting out of CMMC altogether based on the lack of FCI.

The post New CMMC rules take effect Monday, with contractors facing uncertainties first appeared on Federal News Network.
