Despite significant delays to two large, single-award contracts, the Defense Department plans to bid out the next major multibillion IT contract next month.
According to procurement documents, the Defense Enclave Services contract will be a single-award contract valued at up to $11.7 billion over 10 years, with a four-year base period and three two-year options. Through it, the Defense Information Systems Agency, the Defense Department’s IT arm, seeks to acquire “common use IT systems,” including infrastructure, network operations and cybersecurity support services while it integrates and consolidates the Pentagon’s “fourth estate” agencies.
“As threats within the cyberspace domain become increasingly sophisticated, DoD is looking for solutions to eliminate unnecessary complexity within the IT space,” according to slides shared with vendors last month during a virtual industry day.
The Defense Department plans to award the contract in late 2021. While multibillion contracts aren’t uncommon for the Pentagon, DES raised eyebrows among contracting experts due to its single-award nature. Two previous multibillion-dollar single-award IT efforts, the Defense Enterprise Office Solutions and Joint Enterprise Defense Infrastructure contracts, are years behind schedule their original procurement schedules and still have not been awarded. JEDI, which industry criticized early on for its single-award approach, has been fought over in federal court for more than 18 months.
“I’m not sure I understand the logic of doing another single award $10+ billion contract when the last one has been sitting in federal court for the last year and a half,” Bloomberg Government analyst Chris Cornillie told Nextgov.
Cornillie also raised questions regarding the DES requirement that vendors comply with the Cybersecurity Maturity Model Certification—a program that will require contractors get assessed by third parties to ensure they meet certain cybersecurity criteria. Though the department is still hammering out the details of CMMC, the current DES gate criteria guidelines say a vendor’s proposed bid must meet CMMC requirements.
“How is DISA going to be able to ensure that every potential offer is going to get a shot at an assessment?” Cornille said.
Wesley Hallman, senior vice president of strategy and policy for the National Defense Industrial Association, said DES is the first solicitation he’s seen that emphasizes CMMC compliance.
Hallman said the accreditation process to verify vendors’ solutions will be important, and industry awaits a Defense Department rule regarding CMMC implementation. Hallman said the solicitation appears to indicate DISA would assess CMMC capabilities as opposed to vetting by third-party accreditors, perhaps because no initial third-party accreditors have completed training programs yet.
“There are not certified certifiers out there yet to do their thing,” Hallman said. “There is still a lot of dynamism in how this thing is being rolled out, how they’re adjusting and implementations. We’d really like to see a rule and be able to do standard public comments so we know what … implementation looks like. It’s very critical we’re all following the same guidelines.”