In 2016, the Small Business Administration (SBA) established a new government-wide mentor-protégé program for small businesses called the All Small Mentor-Protégé Program (ASMPP). The purpose of the program was for established government contractors to serve as mentors to protégé small businesses by providing business development assistance and improving the protégé’s ability to successfully compete for federal contracts.

This relationship between the two companies is intended to be mutually beneficial. For protégés, the program creates a framework under which firms obtain valuable technical, management, financial, and contracting assistance from established government contractors. For mentors, one of the benefits was the ability to form a joint venture with their protégé to pursue small business set-aside contracts without the two companies being considered affiliated for purposes of SBA’s small business size standards.

Three Findings from SBA’s OIG Review of ASMPP

The SBA’s Office of Inspector General (OIG) reviewed the ASMPP with the objectives of determining whether SBA implemented effective controls to ensure that it conducted initial application reviews and annual evaluations in accordance with the program regulations, and whether the SBA successfully measured program success.



A major shift in cybersecurity requirements for Department of Defense (DoD) contractors is about to come into effect. Earlier this month, the DoD released for public comment the long-anticipated Version 0.4 of the draft Cybersecurity Maturity Model Certification (CMMC). This new framework for safeguarding controlled unclassified information (CUI), which includes a certification requirement by a third-party auditor, presents both significant opportunities and challenges for DoD contractors.

In an overview briefing on the new model, DoD emphasized that the new framework will impose a unified cybersecurity standard for all DoD acquisitions and, in so doing, “reduce exfiltration of [CUI] from the Defense Industrial base.” To achieve this goal, the new model significantly bolsters the existing compliance regime around cybersecurity—which currently, for the most part, requires compliance with the security standards set forth in NIST SP 800-171 through DFARS 252.204-7012.



I am looking forward to presenting at ETEBA’s 2019 Business Opportunities & Technical Conference (BOTC) which takes place at the Knoxville Convention Center on October 8-10, 2019. More than 400 participants will gather at the 20th annual BOTC to learn about upcoming opportunities with prime contractors and government procurement officials in the energy, environmental and

A recent decision in Sotera Defense Solutions, Inc. v. Department of Agriculture, CBCA 6029, 6030, by the United States Civilian Board of Contract Appeals (CBCA), upheld a contract provision that imposed greater obligations on the government than required by the Service Contract Act (SCA). The validity of this contract provision ultimately proved dispositive in the outcome of the case with the CBCA holding the government liable for costs.

In 2012, the National Institutes of Health (NIH) awarded Sotera a contract for the provision of information technology (IT) services. The contract stated that the positions in the contract were exempt from the SCA but advised that a contracting officer would have to determine whether the SCA applied to any positions requested within the task order. The Department of Agriculture (USDA) issued three task orders against the NIH contract to Sotera in which the USDA sought IT operations and maintenance support for offices located throughout the United States.



In an article published by Law360, we examined a report issued by the U.S. Department of Defense (DoD) Inspector General on July 23, which summarizes the findings of an audit into the protection of controlled unclassified information (CUI) on contractor networks.

The DoD reviewed nine contractors’ information systems and found some deficiencies that fall short of the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171. The deficiencies include not mitigating vulnerabilities on their networks and systems, not scanning their networks for vulnerabilities, not mitigating high vulnerabilities identified in the contractor’s management programs, and more.



The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth review into nine contractors, the audit uncovered some common practices that fall short of meeting the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.

Shortcomings Discovered in DoD Audit

These common lapses include the following, among others:

  • Inconsistent tracking of cybersecurity threats
  • Failure to consistently mitigate network vulnerabilities
  • Uneven use of strong passwords
  • Inconsistent use of multifactor identification



Bass, Berry & Sims attorneys Todd Overman and Sylvia Yi will be presenting on key government contracting issues for small businesses.

We are excited to be presenting on key government contracting issues for small businesses on July 17, 2019 at The Tower at Peabody Place in Memphis, Tennessee. The presentation, titled, “Government Contracting Law Overview,” will discuss the pros and cons of business entity types, requirements of the SBA’s All Small Mentor Protégé Program, protecting partnerships

In an article published on April 9, 2019 in CO—, a new digital platform by the U.S. Chamber of Commerce, I provided insight on the process of securing federal contracts for small businesses.

Once a business has searched for contracting opportunities and has completed all the necessary registration requirements, it can begin bidding on contracts. Before bidding, though, it is important that the company can handle the job the contract requires and that it can meet all of the regulatory requirements – otherwise the contract could ultimately be terminated. “Don’t overpromise in your technical proposal, that becomes part of your contract and you’re going to have to deliver to those technical specs,” I explained.

Additionally, the proposal should include pricing information and, according to Todd, the company will want to be realistic and not overcharge, while also keeping in mind that the government sometimes chooses the best value over the lowest price.

