Cyber Defense eMagazine December Edition for 2021

More documents

Recommendations

Info

Understanding OCIs Contracting officers are required to determine whether a potential or actual OCI will arise as early in an acquisition as possible. 3 If the award to a particular offeror would result in an actual or potential OCI, and the OCI cannot be mitigated or avoided, the offeror will likely be deemed ineligible for the award. There are three types of OCIs: • Unequal Access to Information: This type of OCI arises in situations in which a contractor has access to non-public information as part of its performance of one government contract and that information may provide the firm with a competitive advantage in a later competition for another government contract. • Biased Ground Rules: This type of OCI issue arises in situations when a contractor, as part of its performance of a government contract, has, in some sense, set the ground rules for government procurement, for example, by preparing the statement of work or the specifications. The concern with a biased ground rules OCI is that the contractor may have skewed the procurement in the contractor’s favor – even if unintentionally. • Impaired Objectivity: This type of OCI issue arises in cases when a contractor’s work under one government contract could entail it evaluating itself, an affiliate, or a competitor, either through an assessment of performance under another contract or an evaluation of proposals as part of another contract. This type of OCI occurs when the contractor may not be able to provide the government with impartial advice or assessments. It is important to recognize that a single contract may give rise to more than one type of OCI. For example, if a contractor was performing a contract that involved independent verification and validation (IV&V) tasks related to IT systems used by an agency, the contractor could have both an equal access to information OCI and an impaired objectivity OCI. The unequal access to information OCI would result from the contractor having access to nonpublic information about the IT systems provided to the agency by other contractors. And, an impaired objectivity OCI could arise because the IV&V tasks would likely require the contractor to assess the services or products provided by other contractors. OCI Risks for Cybersecurity and IT Services The type of tasks common to contracts involving cybersecurity or IT services can increase the risk of an OCI. Namely, providing these types of services to the government often puts a contractor in a position where it has access to nonpublic government or competitor information – an unequal access to information OCI – or requires the contractor to assess the services or products provided by competitors or affiliates – an impaired objectivity OCI. 3 48 C.F.R. 9.504(a)(1). Cyber Defense eMagazine – December 2021 Edition 88 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
The U.S. Government Accountability Office’s (GAO) bid protest decision in Steel Point Solutions, LLC 4 , provides an instructive example of how an impaired objectivity OCI can come about while providing IT services to the government. The protest involved a solicitation to design, build, and operate a corporate automation implementation center for the National Geospatial-Intelligence Agency (NGA). The scope of work included recommending, designing, deploying, monitoring, and maintaining robotic process automation solutions for the NGA. Deloitte Consulting, LLP (Deloitte) was selected for the award, and a protester challenged the award, arguing Deloitte had task orders with the NGA that created an impaired objectivity OCI. Under one of the task orders, Deloitte supported the NGA in determining what products to purchase to maintain NGA’s IT portfolio. At the same time, under the protested contract, Deloitte would be deploying and maintaining IT systems if the contract award was upheld. Stated differently, under the task order, Deloitte would be making recommendations to the NGA about what products to purchase to maintain the IT systems under the protested contract – which could include Deloitte’s own offerings. GAO characterized the situation as a “textbook example” of an impaired objectivity OCI because Deloitte would be “in a position to make judgments or recommendations that would have the effect of directly influencing its own well-being.” GAO also found a separated Deloitte task order presented an impaired objectivity OCI. Under the second task order, Deloitte facilitates the review and approval of all NGA information systems. In its proposal for the protested contract, Deloitte recognized there was a potential OCI because its work under the task order could require Deloitte to determine whether to approve systems to be used under other contracts, and Deloitte attempted to address the potential OCI using the template mitigation plan that was provided with the solicitation. GAO found the mitigation plan was vague and nonspecific, and the separate mitigation plan Deloitte submitted for the task order was ultimately of no help because the plan depended on Deloitte not pursuing work that would give rise to an OCI – which clearly did not work because of Deloitte’s decision to compete for the protested contract. GAO sustained the protest and recommended that the NGA reconsider its OCI analysis. One can easily imagine how the task order discussed above could give rise to an unequal access to information OCI. For example, advising an agency about the types of IT services and products to procure could provide a contractor with information about the agency’s budget forecasts, future requirements, and acquisition plans – all competitively useful nonpublic information. Likewise, facilitating the review and approval of an agency’s information systems would provide a contractor with information about competitors’ systems and the agency’s requirements – also competitively useful nonpublic information. At this point, the significance of OCIs for contractors working in the IT and cybersecurity sectors should be clear. OCIs Caused by Subcontractors Contractors should also be mindful of the fact that a subcontractor can introduce an OCI into a procurement. If a subcontractor would have an OCI as a prime contractor for a given opportunity, performing as a subcontractor does not remove the OCI. 4 Steel Point Solutions, LLC, B- 419709, B-419709.2, July 7, 2021, 2021 CPD 254. Cyber Defense eMagazine – December 2021 Edition 89 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2:
9 Ways Social Media Sabotages Your
Page 3 and 4:
How Do You Secure the Modern Supply
Page 5 and 6:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 7 and 8:
Cyber Defense eMagazine - December
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28:
Page 29 and 30:
Page 31 and 32:
Page 33 and 34:
Page 35 and 36:
Page 37 and 38: Cyber Defense eMagazine - December
Page 39 and 40: With over 4 billion users, social m
Page 41 and 42: Unsecure Mobile Networks When using
Page 43 and 44: However, as concerning as these pra
Page 45 and 46: Danny Lopez, CEO, Glasswall “Duri
Page 47 and 48: estoring data. Modern organizations
Page 49 and 50: When Diplomacy, Finance and Tech Co
Page 51 and 52: Another way leaders can take initia
Page 53 and 54: How Covid-19 Changed Advertising Fo
Page 55 and 56: However, this shift might not be su
Page 57 and 58: Why MFA Alone Isn’t Enough for Tr
Page 59 and 60: just highlights how vulnerable most
Page 61 and 62: on channels like email. This starts
Page 63 and 64: 3 Best Practices to Avoid Inevitabl
Page 65 and 66: For example, an employee may become
Page 67 and 68: and outcomes is essential for proje
Page 69 and 70: Electric Vehicle Charging: The Next
Page 71 and 72: Going forward, EV dealers, charging
Page 73 and 74: How does this relate to MFA? Well,
Page 75 and 76: constant exposure of countries to a
Page 77 and 78: Why do you need a malware sandbox?
Page 79 and 80: Multi-Cloud Security and Compliance
Page 81 and 82: If security controls are not consol
Page 83 and 84: How Do You Secure the Modern Supply
Page 85 and 86: The case for isolation Supply chain
Page 87: Don’t Take Yourself Out of The Ga
Page 91 and 92: assessment criteria for the tasks f
Page 93 and 94: the file. This was a great techniqu
Page 95 and 96: the wake of the pandemic where the
Page 97 and 98: Certain communications are protecte
Page 99 and 100: At Salt Communications we work with
Page 101 and 102: And it’s only getting worse. If y
Page 103 and 104: The benefits are great When HDOs ha
Page 105 and 106: 4 Pillars of Privacy-Preserving AI
Page 107 and 108: concern and a desire to be cautious
Page 109 and 110: and stay safe online. That’s why
Page 111 and 112: 2. Enabling over-the-horizon threat
Page 113 and 114: Techniques Used by Hackers to Bypas
Page 115 and 116: Phishing scams avoid email security
Page 117 and 118: ATO Detection Account takeover bene
Page 119 and 120: How To Protect Your Digital Legacy
Page 121 and 122: I worked with cybersecurity experts
Page 123 and 124: Sextortion Email Scams What to Do a
Page 125 and 126: Sextortion attacks are a type of cy
Page 127 and 128: How to respond to a sextortion emai
Page 129 and 130: Example 2:'You've been hacked' emai
Page 131 and 132: How can this strategy be implemente
Page 133 and 134: Surviving The New Era of Terabit-Cl
Page 135 and 136: accompanying shift toward more digi
Page 137 and 138: Survey results show businesses are
Page 139 and 140:
Enterprises Cannot Achieve Zero Tru
Page 141 and 142:
Capital One breach back in 2019. Ad
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
CyberDefense.TV now has 200 hotseat
Page 163 and 164:
Books by our Publisher: https://www
Page 165 and 166:
Page 167 and 168:
show all

Cyber Defense eMagazine December Edition for 2021

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?