Skip to content

Commit

Permalink
Update procurement page. Fixes #38 #39
Browse files Browse the repository at this point in the history
  • Loading branch information
krusynth committed Nov 11, 2024
1 parent 08a2ce6 commit 8eb485e
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 20 deletions.
1 change: 1 addition & 0 deletions content/_info/software-development.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ Building a pilot project is easy, but the long-term costs to sustain a piece of

It's not too late to turn back from this dark path - but if you must proceed, here are a few guideposts.

Since most software development is performed by contractors, also refer to the [procurement page](/policies/procurement/).

## Getting Software Tools

Expand Down
47 changes: 27 additions & 20 deletions content/_policies/procurement.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,23 +11,30 @@ Purchasing _anything_ in government can be especially daunting. There are an ast
**@WARNING This is a massive topic, impossible to cover in a single article. You should consult with your acquisition team well in advance of any potential purchase. For very large contracts, you may need to start a year or more in advance!**
{:.notes}

The @18F team at @GSA maintains [a blog that is an excellent source of information on good procurement practices](https://18f.gsa.gov/blog/).
{:.notes}
## Successful Procurements

There is extensive research on how large government IT investments consistently fail. Notably, the Standish Group's [CHAOS](https://www.standishgroup.com/news/45) and [HAZE](https://www.standishgroup.com/haze) reports give a shocking perspective on waste in IT projects in general, stating that only 13% of large government software projects are successful.

The secret to a successful IT investment is simple: keep the projects small under $2 million, [deliver a working tool in under six months](https://sboots.ca/2022/08/09/shrink-projects-to-fit-leadership-turnover-rates/) and use [incremental (Agile) software development](/info/software-development/#agile). Larger projects should be broken into smaller pieces.

The @GSA [18F De-risking Guide](https://guides.18f.gov/derisking-government-tech/), provides detailed best practices for improving the IT procurement process for agencies. They also maintain [a blog that is an excellent source of information on good procurement practices](https://18f.gsa.gov/blog/).

## Procurement Process

The steps below maybe called different things at different agencies. The following descriptions are using the [CDC's nomenclature](https://www.cdc.gov/contracts/process/index.html).

## Phase 1: Planning and Forecasting
### Phase 1: Planning and Forecasting
{:#planning}

Whether it's a single pair of headphones, or a multi-billion dollar cloud contract, approval must be given by the proper authorities within an agency. Of course, the level of scrutiny increases as the dollar value goes up.

### Micro-Purchases
#### Micro-Purchases

For small items or cheap services, there is a limit known as the [Micro-Purchase Threshold](https://www.acquisition.gov/far/subpart-13.2), below which only minimum reporting is required, and usually there is not much need for official purchase approval. In many cases, the agency will issue credit cards to specific agency officials to allow them to purchase small items, but receipts must still be submitted; these are generally known as **P-cards** or **GPCs** (Government Purchase Cards).

However, any hardware, software, or technology services are **still required** to meet any cybersecurity or enterprise architecture requirements, such as the items being on the [approved software or hardware list](/policies/cybersecurity/#approved-software-list). Due to the very low introductory cost of buying software licenses or cloud services, these have become a large source of "shadow IT" - unapproved and unregulated systems that can cause major security and support issues. It's generally best to go through the official routes - usually by contacting the IT Help desk – for requesting small devices or software.

### Major Investments
#### Major Investments

Above that, agencies divide investments into **Major** and **Non-Major**, and set a dollar threshold for the dividing line. Major investments trigger a series of approval and reporting processes, including reporting to @OMB via the @CPIC process and other means. As agency budgets differ, the threshold amount here will vary from agency to agency. Similarly, the specific pre-approval processes involved will vary, but it usually looks something like this:

Expand All @@ -38,12 +45,11 @@ Above that, agencies divide investments into **Major** and **Non-Major**, and se
There are often additional steps, make sure to consult with your procurement and @CPIC teams!
{:.notes}

### Non-Major Investments
#### Non-Major Investments

Non-Major investments will often feature a subset of reviews from the Major Investment process. Again, this will vary from agency to agency.


## Phase 2: Contract Initiation
### Phase 2: Contract Initiation
{:#contract-initiation}

Once all approvals have been made, the actual purchasing process begins. Although requirements have probably been gathered and documented as part of the budget and planning, these will usually need to be translated by the [Contracting Officer (CO)](#co) into formal contract language. There are several different types of contracts that can be generated, but the @SOO, @SOW, or @PWS are the most commonly-used ones in government.
Expand All @@ -54,8 +60,7 @@ In most cases, agencies should perform [market research](https://www.acquisition
As part of any contract, the government must come up with an initial cost estimate, which is called the **Independent Government Cost Estimate (IGCE)**. For labor contracts, it can be useful to refer to the General Services Administration's published rates ([GSA Pricing Tool](https://buy.gsa.gov/pricing/)).
{:#igce}


## Phase 3: Contract Solicitation
### Phase 3: Contract Solicitation
{:#contract-solicitation}

Once the agency has the proper language for what they want to buy, the request is sent to the vendor community. If the agency knows that they want to buy a specific item or well-defined service - say, software licenses - they will release a **Request for Quotation**, just asking for prices. For other contracts – such as orders for software development or other labor – they will instead issue a **Request for Proposal**, asking for a full recommendation of how the vendor will fulfill the agency's need.
Expand All @@ -64,28 +69,31 @@ These requests are posted for a fixed amount of time, during which companies may

Usually these contracts are posted on [SAM.gov](https://sam.gov/content/home), but there are a number of methods to procure things through standard acquisition processes – see [Acquisition Vehicles](#acquisition-vehicles) and [Shared Services](#shared-services) below.

The solicitation can be published to either the general vendor community, or a subset of vendors. Most agencies are expected to award a percentage of their contracts to [small businesses](https://www.sba.gov/federal-contracting/contracting-guide), for instance most contracts with large cloud companies (such as Amazon or Microsoft) are passed through a **value-added reseller (VAR)**.
The solicitation can be published to either the general vendor community, or a subset of vendors. Most agencies are expected to award a large percentage of their contracts to [small businesses](https://www.sba.gov/federal-contracting/contracting-guide), for instance most contracts with large cloud companies (such as Amazon or Microsoft) are passed through a **value-added reseller (VAR)**.
{:#vendors}

It is possible for an agency to skip the evaluation process entirely and make a [**Direct Award** to a small, minority-owned business](https://www.acquisition.gov/far/subpart-19.8) that has [8(a) status](https://www.sba.gov/federal-contracting/contracting-assistance-programs/8a-business-development-program), but only with @SBA's explicit approval. However, the entire value of the contract [with options](#contract-extension) cannot exceed $4.5 million dollars, making this path only suitable for small contracts.

### Contract Types
#### Contract Types

There are many different types of contracts that can be used particularly for labor & service contracts, depending on _how_ the government wants to buy things. It's best to consult with your Contracting Officer for recommendations. The [FAR has an exhaustive list](https://www.acquisition.gov/far/part-16) but a few common ones used in IT include:

* Firm Fixed Price (FFP) - A type of contract that covers the entire cost of the work being done, regardless of labor hours.
* Time & Materials (T&M) - A type of contract where a vendor is paid based on labor hours.

The government also has the ability to create multi-award contracts, where they award to a pool of vendors, and then add **Task Orders** on the contract as new requirements emerge. These individual task orders are then competed among only the selected pool. These include:

* Indefinite Delivery, Indefinite Quantity (IDIQ) - A type of contract for services that does not have a value limit, only a time limit. Especially useful for agency-wide service contracts that might be used by different programs.
* Blanket Purchasing Agreement (BPA) - A type of _purchasing agreement_ where multiple orders can be made over time for recurring requests, avoiding the need for multiple small contracts. (Sometimes called a Bulk Purchasing Agreement.)

## Phase 4: Contract Evaluation
### Phase 4: Contract Evaluation
{:#contract-evaluation}

Once the submission window for proposals has closed, the agency must compare and evaluate the potential offerings. Again, there are a variety of methods to do this, which much be decided in advance. For instance, an agency may decide to reject offerings that do not meet their explicit requirements, or they may only choose to compare a few of the lowest-price proposals, or both (such as ["lowest price technically acceptable"](https://www.acquisition.gov/far/15.101-2)).

It is important to make sure there are no [conflicts of interest](https://www.acquisition.gov/far/subpart-9.5) among the staff evaluating any proposals. The evaluation process must also be documented, in case there are any questions later - particularly to prepare for any potential [Protests](#protests).

## Phase 5: Contract Award
### Phase 5: Contract Award
{:#contract-award}

After a vendor is selected, the award is announced and contracts are finalized. If the new contract is to replace an old one with a new vendor, there is typically a transition period of overlap across both contracts, usually at least a month for labor contracts but often much longer. During this time, it is typical for the old contract to "ramp down" and reduce staff while the other contract gets employees onboarded.
Expand All @@ -94,27 +102,26 @@ It's important to note that most small business vendors do not keep a large grou

Also note that all government IT contracts, whether labor or licenses, will have agency-specific cybersecurity language.

### Protests
#### Protests

Vendors are legally allowed to protest awards for any number of reasons. If they can provide evidence that things were handled improperly, or that conflicts of interest exist. In these circumstances, @GAO is responsible for [adjudicating the protest](https://www.gao.gov/legal/bid-protests).

There have been several high-visibility protests in recent years, including @DOD's massive cloud contract, the Joint Enterprise Defense Infrastructure [(JEDI)](https://federalnewsnetwork.com/reporters-notebook-jason-miller/2018/09/10b-and-other-reasons-why-there-is-so-much-angst-around-dods-jedi-program/)

## Phase 6: Administration
### Phase 6: Administration
{:#administration}

After the contract has been awarded, the administration phase begins. It is the responsibility of the @COR to evaluate the performance of the vendor, and ensure that they meet any requirements in the contract. The @CO may also assist with any disputes.

Their performance is also reported officially and publicly. As "previous performance" is often a criteria element for contract evaluation in the acquisition process, vendors sometimes protest the evaluation they've been given.

## Extending the Contract
### Extending the Contract
{:#contract-extension}

Since the [Antideficiency Act](/laws/antideficiency-act/) generally only allows agencies to spend money for the current fiscal year, contracts typically span only a single year. However, the procurement process is so labor-intensive and time-consuming, so it's not cost-effective to go through this process on every contract every year.

As a result, most contracts include **Option Periods**, allowing for agencies to _optionally_ extend the contract. For larger contracts, these usually are a series of extra years, which individually can be activated. For smaller contracts - or to get through a transition that is not going well - option periods of months are also common.


## Federal Acquisition Regulations (FAR)
{:#far}

Expand Down Expand Up @@ -169,8 +176,8 @@ As one would expect, GSA provides many shared technology services across the gov
* [cloud.gov](https://cloud.gov/) (GSA) - a fully-managed Amazon AWS platform.
* [login.gov](https://login.gov/) (GSA) - a government-run identity verification service used by many agencies
* [eRegulations](https://eregs.github.io/) (GSA) - a public platform for hosting regulations and rulemaking as part of the oversight process
* [CDM](https://www.cisa.gov/cdm) (@CISA) - a monitoring tool for government networks (**required**)
* [webTA](https://www.doi.gov/ibc/services/human-resources) (@DOI) - personnel time tracking used by most HR departments
* [CDM](https://www.cisa.gov/cdm) (@CISA) - a monitoring tool for government networks. Federally mandated, but some agencies opt-out by using other tools that feed data back to CISA
* [Quicktime](https://www.doi.gov/ibc/services/human-resources/quicktime) (@DOI) - personnel time tracking used by most HR departments
* [SOC-as-a-Service](https://www.justice.gov/jmd/cybersecurity-services) (@DOJ) - a managed Security Operations Center solution.

@SOAPBOX Technically, the Intergovernmental Cooperation Act also allows these providers, once designated by OMB, to provide services to state, tribal, and local governments as well. However, there has been much reluctance to do so for political reasons. Specifically there has been lots of enthusiasm recently for GSA allowing cities and states to use Login.gov, but as of today they will only do so if the requesting department is funded by federal grant money, a provision not explicitly included in this law.
Expand Down

0 comments on commit 8eb485e

Please sign in to comment.