“Inside the Reporter’s Notebook” is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and the like.
This is not a column nor commentary — it’s news tidbits, strongly sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.
As always, I encourage you to submit ideas, suggestions and, of course, news to me at firstname.lastname@example.org.
GSA takes 18F on a magical mystery tour
The mystery of what really is 18F is solved.
The General Services Administration hosted a “meet up” or was it a “poolza” of sorts Friday to introduce agencies, the media and vendors to its mysterious new startup.
“18F is all about the way we transform how we deliver services, and the way we work with agencies and vendors,” said GSA Administrator Dan Tangherlini. “Mobile devices and other things like cloud have transformed the way services are delivered and we must recognize it’s happening. We need to look inward and see how we can deal with these disruptions through creative ways.”
“The technology disruption we’ve seen is a factor, but it’s also we need to show that technology programs need to be done in a reasonable timeframe,” said Dave McClure, the associate administrator in the Office of Citizen Services and Innovative Technologies, who is retiring as of May 30. “They still take too long. There still are too many failures. 18F is a different approach to get faster results and gain confidence in the government.”
GSA detailed eight projects on everything from usability testing of application programming interfaces (APIs) to business process reengineering of software development and the hiring process to a new way to track vendor progress in becoming a government contractor like you order a pizza from Dominos.
With several of the programs, such as FBOpen, it reminded me of an updated attempt at what the Quicksilver e-government initiatives tried to do — consolidate websites and data. In fact, Mark Forman’s mantra quickly ran through my head: Say it with me: “Three clicks to service … don’t pave the cow paths … don’t put lipstick on a pig” and so on and so forth.
FBOpen is trying to make it easier for small businesses to find potential contract opportunities. It takes all the data that’s already out there and using a “thin API” searches, indexes and filters the information and puts it on a public website.
These technologies didn’t exist in the early aughts, but the concept is the same. So is what’s missing? Finding data is great, but if you can’t bid or apply, then what’s the point, especially in light of the fact that we already have Google, Bing and Yahoo!, which are all a lot better than anything the government can build.
In fact, most of the time when I’m looking for a specific procurement, one of these search engines is my go to, and if I’m just searching on FedBizOpps.gov- which by the way is one of the worst websites in government, hint, hint to the 18F folks-its search engine is more than passable.
To be fair, FBOpen is all of about a month old so there are more capabilities coming and once the APIs are out there developers can improve upon the initial site.
One of the more impressive projects 18F is sponsoring is called MIDAS. It’s an internal crowdsourcing program currently run by the State Department and the Department of Health and Human Services to connect employees across their respective agencies to help on projects.
Matt Chessen, a foreign service officer, said many junior foreign service officers begin their careers processing visas at consulates around the world, but have requirements and desires to do more creative and innovative work.
He said through MIDAS, they can find micro-projects to work on a few hours a week or a total of a few days a month.
Chessen said MIDAS is about to launch into a four-week pilot in a yet to be determined country, and then if all goes well, expand it to other parts of State.
GSA plans on holding this type of event every three months to educate and update agencies on their progress and plans.
Now even with the mystery of 18F solved, industry remains concerned about the organization and what its impact will be on contracting.
The Coalition for Government Procurement wrote a letter to McClure on May 5 asking for assurance that 18F will promote an open and competitive procurement process.
“Finally at the commencement of an acquisition of a system or capability, the government should understand the existence of any fees, costs or charges attendant to that acquisition in order to protect the government’s financial interests and to avoid violations of appropriations laws,” writes Roger Waldron, president of the coalition. “The government should assess costs of a technology or system over time, rather than focus solely on upfront acquisition costs (price alone). The time and resources to maintain technology or a system substantially may exceed the upfront acquisition costs.”
Waldron is a bit cryptic on what CGP’s concerns are. But industry, generally speaking, is worried that 18F will offer competing, less costly development services that will be unfair competition.
Now 18F must work as a cost recovery center so as not to violate the Economy Act of 1932, but how much it will charge customer agencies for its services is unclear right now.
And one government official associated with 18F said industry’s long list of failures are part of the reason why GSA decided to go in this direction, but at the same time they shouldn’t be too concerned either as the office is focused on iterative, low cost proofs of concepts
PTO’s sequestration recovery time is 18 months
One of the best examples of the impact of sequestration on the government comes from the Patent and Trademark Office.
Despite the fact PTO is funded almost solely from user fees, the Office of Management and Budget decided it had to cut PTO’s budget by $148 million last year.
Tony Scardino, the PTO chief financial officer, said executives had six months to figure it out and wouldn’t and couldn’t cut anything that brought in money such as overtime hours for patent and trademark reviewers.
Well, that didn’t leave much for PTO to cut, so it started with back office and administrative projects, such as technology.
Scardino, who spoke at the Government Performance Summit in Washington Wednesday, said they cut travel and training and froze hiring, but that was piddly compared to technology programs.
Scardino said PTO cut $80 million from its IT projects, and let go of about 500 vendor employees from contracts, including 300 from the patent end-to-end program. You remember that one, it was called out by President Barack Obama in his 2011 State of the Union address.
PTO kept a skeleton crew of about 10 contractors and, during the sequestration and shutdown, four of those 10 left to take new, more stable jobs.
Scardino said in the six months it took to cut the $80 million, it will take 18 months for PTO to fully staff back up and get back on track.
“We need to rehire the vendors. We had to look at new contracts or current vendors had to find new employees, because they were moved to a new project or left the company,” he said. “There’s also a huge learning curve to get us back to full force.”
Scardino’s description of sequestration’s impact likely isn’t unusual, but it’s interesting he talked so openly about it and it’s one of the few concrete examples we’ve heard of over the last few months.
HSPD-12 turns 10, agency progress a 6.7
August will be the 10-year anniversary of Homeland Security Presidential Directive-12. At the time of the policy issuance, it wasn’t one of those seminal moments in federal IT history. But over the years, the smart identity card program has come to resemble all that is good and bad with government.
First the good: HSPD-12 was ahead of its time. OMB recognized both the threats agency networks face and the potential physical security benefits of having a single, standardized identity card that uses — at the time — cutting edge technology.
Now the bad: A decade later, only 67 percent of the agencies have deployed the logical access capability to secure their computer networks. This is more than just disappointing, but borderline dereliction of duties given the Defense Department’s proof that smart identity cards reduce cyber risks and attacks by more than 50 percent.
OMB rolled out the latest progress report on HSPD-12 and a host of other cybersecurity initiatives as part of its annual Federal Information Security Management Act (FISMA) report to Congress.
Agencies are making progress against the HSPD-12 mandate, which OMB reset for a third time in 2011. Agencies had until the beginning of fiscal 2012 to make all logical and physical systems HSPD-12 compatible. As this latest report shows, most agencies haven’t achieved the mandate.
“In FY 2013, mandatory PIV use increased to 13 agencies reporting 6 percent or better, three agencies reporting 30 percent, and five agencies reporting 66 percent or better,” OMB stated in the report. “Of the remaining 11 agencies, two reported between 1 percent and 4 percent of employees were required to use their PIV cards to authenticate to the agency network, and nine reported 0 percent.”
GSA has made the most progress with 94 percent of employees required to use their smart cards for logical access while with the Social Security Administration at 85 percent and DoD at 89 percent are in good shape.
But the list of agencies not using their cards for what really matters the most, computer network access, is too long. The departments of Housing and Urban Development, Interior and Labor and the Small Business Administration, the Office of Personnel Management, the Environmental Protection Agency, the Nuclear Regulatory Commission, the Agency for International Development and the National Science Foundation have made little to no real progress after almost a decade.
There is plenty of blame to go around. OMB hasn’t used the power of its purse to require investments in the identity management technology. Agency leadership, including CIOs, either don’t understand or accept the benefits of logical network access because if they did, given DoD’s experience, it would be done by now and we would be talking about the next generation of HSPD-12 requirements.
Two other major cyber priorities are showing better progress.
The Trusted Internet Connection, which has a goal of consolidating Internet access points and implementing software tools to monitor the health of those connections, is further along than ever before.
“The consolidation of external network traffic increased from 81 percent in FY 2012 to 86 percent in FY 2013 for the 24 CFO agencies (excluding DOD),” OMB stated, adding DoD is exempt from TIC because it implemented an equivalent initiative. “The implementation of TIC Reference Architecture Version 2.0 critical security capabilities also increased from 84 percent in FY 2012 to 87 percent in FY 2013.”
Agencies also saw an uptick with its implementation of continuous diagnostics and mitigation of their network and software going to 83 percent from 81 percent.
OMB reported most of the increase came in the area of configuration management, while asset and vulnerability management saw overall declines mainly because agencies reported more than a million additional assets last year and only three- quarters of them are under automated asset inventory or vulnerability management.
Finally, the Einstein 3 Accelerated program is on tap to have a break out 2014.
Phyllis Schneck, the DHS deputy undersecretary for Cybersecurity and Communications at DHS, told the House Appropriations Committee in late April that DHS would like $378 million in fiscal 2015 to get E3A up to full operational capability by 2016.
Schneck told lawmakers that only one agency, through the only Internet Service Provider (ISP) approved to offer E3A services, is taking advantage of the intrusion prevention capabilities. As of February 2014, seven departments and agencies are using the Domain Name System and/or email protection services under Einstein 3.
“The initial deployment of E3A is focused on countermeasures that will address 85 percent of the cybersecurity threats affecting the Executive Branch civilian networks,” OMB stated in its report. “For FY 2014, the DHS Office of Cybersecurity and Communications will continue with the rollout of E3A and securing memorandums of agreement with all departments and agencies.”
All of this data and effort comes as agencies face an increasing number of cyber attacks. In 2013, departments reported a total of 218,886 incidents reported to DHS U.S. Computer Emergency Readiness Team-a 26 percent increase over 2012.
“Phishing, a type of social engineering attack, continues to be the most widely reported incident type across total incidents reported. [P]hishing accounted for 71.9 percent of total incidents reported, followed by non-cyber incidents at 6.9 percent and policy violations at 5.4 percent,” OMB stated. “It should be noted that federal agencies are not required to report attempted phishing incidents and primarily report incidents that involve the actual compromise of IT assets and/or spillage of sensitive information.”
IT Job of the Week: One of the hardest and most cutting edge CIO jobs is open. The Indian Health Service in HHS is looking for a director of IT. This Senior Executive Service position will oversee the typical CIO duties of managing the acquisition, development, enhancement, deployment, support and training of technology. The person also will have to know the ins and outs of electronic health records (EHR), clinical decision support, health information exchange, and related technologies to IHS customers. Here’s the most recent interview we did with acting CIO Howard Hays back in October 2012. Act quickly, the job closes May 16.