Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Banned serial protester chose wrong forum to change small business policies

The Government Accountability Office’s decision to ban Latvian Connection, a service-disabled veteran owned small business, from submitting any new bid protests for a year was both surprising and, at least to some, well deserved.

In case you aren’t familiar with the story, Latvian Connection has filed more than 500 bid protests over the last few years, claiming agencies are routinely and knowingly violating the Small Business Act and other small business provisions. In 2016 alone, the company filed 150 bid protests.

GAO decided on Aug. 18 that enough was enough, and said it would no longer entertain any new bid protests from Latvian Connection for one year.

“Of the 131 protests closed to date this fiscal year, one was denied on the merits. The remaining protests were dismissed, the most common reason being that Latvian Connection was not an interested party,” GAO said in its decision on yet another protest, this one of a Defense Information Systems Agency task order worth $1.3 million and therefore below the legal protest threshold. “[B]ecause of these abusive litigation practices, and to protect the integrity of our bid protest forum and provide for the orderly and expedited resolution of protests, we are suspending Latvian Connection from protesting to our office for a period of one year as of the date of this decision. We are taking this action to conserve limited government resources that would otherwise be expended to respond to meritless protests filed by an entity with no direct economic interest in the outcome (as required by our statute and regulations). We are also taking this action because we have seen no evidence that Latvian Connection is prepared to engage constructively on the issues raised by the protests it files.”

Keven Barnes, the CEO of Latvian and an Air Force veteran, said in 18 separate emails to Federal News Radio that he is fighting the government’s intentional and illegal actions.


An existing solution to the government’s cyber problems

The cyber situation “is not getting demonstrably better over time and will have a debilitating long-term effect on both the economic and national security interests of the United States.”

Ron Ross, NIST

“Every (indeed every) technical approach to the cybersecurity crisis, to date, has come up short due to the failure to understand” the concept of security must be baked in, not bolted on.

Bob Bigman, former CIA CISO

Stunning and depressing words from two cybersecurity leaders in the federal community, both of whom presented Aug. 23 to the Commission on Enhancing National Cybersecurity.

Ron Ross, a fellow at the National Institute of Standards and Technology, and Bob Bigman, a retired CIA chief information security officer and now president of 2BSecure, a consulting firm, dropped these warnings on the 12 individuals expected to deliver recommendations to President Barack Obama, Congress and the next President later this fall.

The President named these experts in April and the commission is part of the Cybersecurity National Action Plan (CNAP). The White House issued the CNAP along with its request for a $19 billion increase in cyber spending in fiscal 2017.

The fact that Ross and Bigman went before the commission and offered such striking and honest assessments of public and private sector cyber efforts surely is a sign of frustration.


$11.5B HR training contract creeps toward freedom from protests

Slowly but surely, the General Services Administration and the Office of Personnel Management are getting closer to unleashing the Human Capital and Training Solutions (HCaTS) contract.

After awarding the $11.5 billion HCaTS contract to 109 large and small firms in May, 26 unsuccessful vendors protested to the Government Accountability Office and put the awards on hold for the summer.

But over the last three months, the number of remaining protesters dwindled to 14 from 26 as GAO has dismissed five and denied one.

GAO has two more weeks to decide six of the final eight vendors’ complaints. Two vendors submitted protests in July, which puts GAO on schedule to decide their complaints in mid-October.

It’s not clear what happened to the remaining 12 vendors who protested back in May. They likely voluntarily withdrew their protests, but GAO doesn’t provide details on its bid-protest docket.

So far, GAO has dismissed protests from Censeo Consulting, Fors Marsh Group, Human Resource Research Organization and Cherokee National Technology Solutions all on June 3, and then from NTT DATA Federal Services Inc., on July 13.

GAO doesn’t make public why it dismissed the five vendors’ complaints.

Then on Aug. 24, GAO dismissed a protest from Sevatec.



NASA’s ‘act of desperation’ demonstrates continued cyber deficiencies

One of NASA’s main networks, used by almost every employee and contractor and managed by Hewlett Packard Enterprise, is in such bad shape that the agency’s chief information officer could no longer accept the risk and let the cybersecurity authorization expire.

Renee Wynn, NASA’s new CIO, didn’t sign off on the authority to operate (ATO) for systems and tools under the $2.5 billion Agency Consolidated End-user Services (ACES) contract, which HPE won in 2010. Under the 10-year contract, HPE provides and manages most of NASA’s personal computing hardware, agency-standard software, mobile information technology services, peripherals and accessories, associated end-user services and supporting infrastructure.

A NASA spokeswoman confirmed the ATO expired on July 24. She said Wynn signed a “conditional” ATO for the systems under ACES, but internal NASA sources said the authorization is just for the management tools and not for the desktops, laptops and other end user devices.

“NASA continues to work with HPE to remediate vulnerabilities,” the spokeswoman said. “As required by NASA policy, system owners must accomplish this remediation within a specified period of time. For those vulnerabilities that cannot be fully remediated within the established time frame, a Plan of Actions and Milestones (POAM) must be developed, approved, and tracked to closure.”

Letting an ATO expire on a major agency network is unheard of in government.

Multiple federal cyber experts said agencies know at least a year in advance when an authorization and accreditation needs to be renewed.


GSA’s 4th quarter buying event turns category management talk into action

Over the last few years, there has been a lot of talk about the goals of the Obama administration’s category management initiative, particularly around getting agencies to buy as one entity.

The first real demonstration of that concept happened earlier this month when the General Services Administration conducted a reverse auction to set up three blanket purchase agreements for five agencies to potentially buy more than 45,000 laptops and desktops. The customers for this fourth quarter buying event were GSA’s Chief Information Office, the Department of Veterans Affairs, the Defense Health Agency, the U.S. Holocaust Memorial Museum and the Defense Logistics Agency.

“The discounts offered by industry from the GSA schedule price list was an average up to 18.97 percent from the initial eBuy submission,” said a GSA spokeswoman. “Participating agencies provided estimates of future purchases for the fourth quarter buying event. The breakdown of how many laptops versus desktops were purchased will be available once participating agencies place their actual orders against the BPAs that are awarded.”

GSA finalized two of three BPAs on Aug. 17 and is expected to complete the third one later this week.

Impress Technologies Solutions Inc. will provide Dell computers under one contract, and ABM Federal Sales will provide Hewlett-Packard PCs and laptops on another BPA. GSA’s spokeswoman said the agency will publish all final prices on GSA Advantage later this week as well.


VA doesn’t waste time in implementing Supreme Court decision

The Veterans Affairs Department acted unusually quickly to comply with the U.S. Supreme Court’s “rule of two” decision in the Kingdomware case.

So much so that it both surprised observers and had them wondering if VA was acting too hastily.

VA issued new acquisition regulations July 25, just more than a month after the decision, which found VA’s interpretation of a law requiring the agency to set aside all procurements if at least two veteran-owned small businesses are qualified was flawed. The nation’s highest court reversed the lower court’s decision on June 16 by an 8-0 vote, finding VA must use the “rule of two” for supply schedule contracts even if it has met its statutory contracting goals.

“We expect to set aside a greater volume of VA contracts to service disabled veteran-owned small business and veteran-owned small business suppliers,” said a VA spokesman in response to questions from Federal News Radio. “VA senior officials will be developing market research principles during a two-day integrated process team meeting Aug. 10-11. These principles will be transformed into a comprehensive policy, which will be used by all VA requirements personnel in the conduct of market research. In addition, a training course is currently being developed by the VA Acquisition Academy, and training will be conducted for required VA personnel during August 2016. The Office of Small Disadvantaged Business Utilization (OSDBU) is improving its existing market research platform to provide more robust research and analysis capability.”

Additionally, it said it completed training of its acquisition workforce by Aug. 5 through its VA Acquisition Academy.


A-130 finally gives identity management a much needed policy boost

Of all the changes Circular A-130 brought forth, maybe the most significant is catching federal policy up with reality.

The fact the Office of Management and Budget hadn’t done a full update of A-130 in 16 years gave some agencies the ability to slow-roll unfunded mandates, because they said those requirements weren’t in the overarching policy document.

Identity management is a great example of where this happened.

Judy Spencer, the policy management authority chairwoman of the CertiPath bridge and a former General Services Administration official who oversaw many of the identity management initiatives across government, said the A-130 update creates that one place for leaders to point to and move government and industry toward a more complete use of identity management. CertiPath is a trusted authority for interoperable identities for collaboration in the aerospace and defense industry.


HHS IT executives finding new homes

Dave Nelson and Frank Baitman are taking what they learned at the Department of Health and Human Services and applying it to other organizations.

Nelson, the former chief information officer and the director of the Office of Enterprise Information at the Centers for Medicare and Medicaid Services, took a new job as the Nuclear Regulatory Commission’s CIO. His first day will be Aug. 22.

Baitman, the former HHS CIO who left the agency Nov. 30, is working as a part-time advisory fellow with Cisco.

“I’ll be working with Alan Balutis, senior director at Cisco, along with Martha Dorris, who has also joined the Cisco team as a fellow,” Baitman told me via email.

Nelson replaces Darren Ash, who left NRC in February to be the CIO of the Agriculture Department’s Farm Service Bureau.


Agile contracting craze is taking government by storm

The Homeland Security Department and its components have jumped fully on the agile or DevOps bandwagon. You could possibly blame Mark Schwartz, the chief information officer at U.S. Citizenship and Immigration Services, for his success in using this approach for both contracting and project management.

Or you could blame the Office of Management and Budget for its push to change the culture of government and stop the struggles of IT projects.

And, of course, it would be easy to blame industry for its recognition of the “next great IT advancement” for pushing DHS and almost every other agency toward the concept of iterative development. Let’s say together the common refrain heard at so many conferences: “If it’s good enough for Netflix, Uber and every other startup, then why not the federal government?”

So no matter who you blame, questions arise:

Has DHS, and really almost all of government, gone overboard with agile? Is the government heading down the same contracting rat hole it did with IT services where every agency and their brother and sister had an IT services contract, which cost agencies and vendors hundreds of millions of dollars to bid, protest and run?


Cyber checklist is dead, long live the new A-130

One of the last vestiges of the old way of thinking about cybersecurity is dead.

The requirement to reevaluate the security of IT systems every three years has been flushed from the governmentwide policy that for so long stood in the way of agencies and inspectors general moving toward a continuous monitoring approach.

On July 28, the Office of Management and Budget issued the update to Circular A-130.

“The revised circular consolidates in one guidance document a wide range of policy updates in information governance, acquisitions, records management, open data, workforce, security, and privacy. In particular, the revisions highlight requirements from the Federal Information Technology Acquisition Reform Act (FITARA) to improve the acquisition and management of information resources,” OMB said in a fact sheet about A-130. “The revised circular also emphasizes and clarifies the role of both privacy and security in the federal information lifecycle. Importantly, the revised circular represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program.”

OMB last updated A-130 in 2000 so it was due for a refresh. The White House released the draft update in October and received 67 comments from companies, industry organizations and several others.

