Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

What message does GSA’s decision to outsource its HR systems send to rest of government?

The General Services Administration’s decision to award IBM a $149 million contract to modernize its human resources systems and create a private-sector shared services provider is a head scratcher.

It’s not so much that GSA is choosing to upgrade legacy technology, nor is it the size of the deal. What is confounding is the decision to go to the private sector instead of a federal shared services provider, and the message that sends to the rest of government.

First, let’s get some of the basics out of the way. GSA is replacing the Comprehensive Human Resources Integrated System (CHRIS) as well as its time and attendance system and its authorized leave and overtime help application (ALOHA). GSA wrote in its fiscal 2016 business case on the IT Dashboard for its HR systems that “Legacy CHRIS is likely approaching obsolescence due to lack of integration of the various tools, limited hardware scalability, high customization and functionality of applications. Note: additionally CHRIS, PAR, ETAMS, and ALOHA are not integrated causing delays, handoffs, and possible errors.”

Additionally, GSA decided in September 2013 to get out of the HR Line of Business as a shared service provider for other agencies. GSA was one of the original federal providers, at one point offering payroll and other HR services to 40 agencies and about 25,000 employees, of which 12,500 were its own employees.

GSA’s decision to get out of the HR Line of Business makes sense. It told the Office of Management and Budget in its 2016 business case that it’s facing consistent losses, doesn’t have a competitive rate structure to allow for full cost recovery and has a declining customer base.

So this leads us back to the 10-year deal with IBM to outsource its HR systems.

It’s unclear why GSA went with a private sector provider, given all the emphasis on using federal providers, especially for financial management.


Breaking the ‘institutional density’ of industry, government communications

Two mythbusters memos from the Office of Federal Procurement Policy; the reestablishment of the Frontline Forum for contracting officers; a host of Web and in-person educational sessions over the last five years, and still the idea that government and industry can communicate about contracts is hard for many acquisition workers to grasp.

Someone called it a matter of breaking through the “institutional density” of an organization.

The latest attempt to break through that historic blockage is a proposed rule by the Federal Acquisition Regulatory Council in Nov. 29’s Federal Register.

The proposed rule says “government acquisition personnel are permitted and encouraged to engage in responsible and constructive exchanges with industry, so long as those exchanges are consistent with existing laws and regulations, and promote a fair competitive environment.”

The council says they hope this change “will better equip federal acquisition officials with the information needed to issue high-quality solicitations.”

Seems simple enough. No?

But for a variety of reasons, most agencies — and there are few true exceptions — continue to struggle with how frequently, when and why they should talk to contractors.


DHS’ hiring fair is a product of leadership, innovation

The Homeland Security Department’s hiring fair in July was such a success, it’s having another one.

In fact, it’s happening this week — virtually — and focused on interns and recent college graduates under the Pathways program.

Angie Bailey, the DHS chief human capital officer, said the goal is not just to fill cybersecurity positions, as the last one did. DHS now is looking for an assortment of skills, from IT to acquisition to financial management to human resources to readiness and security.

“We are doing it again to bring the power of DHS together,” Bailey said at the recent Human Capital Management Government conference in Alexandria, Virginia. “What we’ve decided … is if we just hire one person then it’s a success. It’s more about the intangible benefits of DHS acting as one agency. Some of the things that were so cool down in the room was we had these set-ups so if a manager from Immigration and Customs Enforcement got a resume and didn’t have a job, they could walk over to Customs and Border Protection, to Transportation Security Administration or to FEMA, and introduce you to the hiring manager because the person would’ve been a really good fit there. That never, ever would’ve happened without these guys being together, sitting side-by-side and seeing the value of helping each other out to place people.”

Bailey, DHS Chief Information Officer Luke McCormack and Deputy Undersecretary for Management Chip Fulghum deserve a lot of credit for making the first hiring event happen and bringing the components together.

So often in many large organizations, good ideas fall victim to a lack of leadership or broad support.


DoD about to revamp its processes for buying business IT systems

If all goes according to plan, the Defense Department is a few weeks away from releasing new guidance on how it buys and builds business IT systems.

Those systems — think logistics, pay and personnel, and medical IT — often have costs ranging into the billions of dollars, have been a frequent target of criticism from Capitol Hill and are on the Government Accountability Office’s current list of high-risk federal programs. In last year’s Defense authorization bill, lawmakers told the Defense secretary to prioritize off-the-shelf software, reduce the use of customized code and streamline the department’s own business processes before it makes new IT investments.

Guidance to that effect is now headed toward Undersecretary of Defense for Acquisition, Technology and Logistics Frank Kendall’s desk after a study group spent nearly a year drawing up the recommended practices, said Jane Rathbun, Kendall’s deputy director for Defense business systems.

“What I’ve discovered since taking this position in January is that the department has a long history in weapons system acquisition, but we haven’t focused on IT acquisition with the same fervor,” she told the Federal IT Acquisition Summit in Washington last week.

The draft plan of attack will include an insistence that the Defense communities who develop requirements for business systems and the acquisition professionals in charge of buying them work much more closely together, Rathbun said.


Who are the CIOs that soon will need new jobs?

Ten federal chief information officers are working on their resignation letters. Sometime over the next 70 days, CIOs from the departments of Veterans Affairs to Commerce to Homeland Security to the federal CIO will notify the incoming Trump administration of their plans to leave their posts.

These 10 are politically appointed CIOs, and unlike most of their colleagues, they are out of a job after Jan. 20 — unless President Donald Trump asks them to stay on.

There isn’t anything surprising here. These 10 executives knew their fate when they took the job. But the question we come back to every four years is whether the CIO position should be politically appointed and/or Senate confirmed.

If you ask a CIO who was politically appointed, they likely will tell you having that title is a difference-maker in many regards. Roger Baker, the former VA CIO, has said over the years that being a CIO is less about technology and more about running a large company, so being a political appointee has its benefits.

Others will tell you it’s not about the title, but the person in the position.

“If I was in charge, I’d ask those CIOs to stay on who accomplished the most results because there is very little about the IT domain in government that is truly political, therefore there should be little differentiation who a Republican and Democrat President would appoint,” said Tim Young, a former deputy federal CIO under the administration of President George W. Bush and now a principal with Deloitte Consulting. “Agnostic of whether or not the CIO is politically appointed or Senate confirmed or a career civil servant, in order for them to be successful as a federal CIO, they have to be able to build authentic alliances with individuals across political affiliations, agency boundaries and ideologies to include career civil servants, the Office of Management and Budget, Congress, industry and media.”

House lawmakers under early versions of the Federal IT Acquisition Reform Act (FITARA) tried to make all CIOs political appointees but that didn’t make it in the final bill.

But with a new President and a Congress spending more time on technology and cyber issues, the question is sure to come up again.

Under the Obama administration, the number of these positions ebbed and flowed, but overall grew to the 10 today.


OMB tries again to define a major cyber incident

What is a major cyber incident? Seems like a simple enough question to answer. But the Office of Management and Budget has been refining the definition for the better part of a decade.

It first defined a cyber incident in a 2007 memo, describing a category 1 event as one in which a hacker gains access to systems or data, or physical security controls are breached.

In 2015, OMB honed the definition as part of the Federal Information Security Management Act (FISMA) guidance to agencies, meeting the requirement Congress laid out in the 2014 FISMA updates law.

But for whatever reason, that year-old definition just wasn’t quite perfect enough. So now the administration took another swing at the definition of a major cyber incident on Nov. 8 in the 2017 FISMA guidance to agencies.

OMB says a major cyber incident “is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

The definition is pulled from the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) Cyber Incident Severity Schema, and corresponds to level 3 (orange) or higher on that schema.

OMB also says a major incident would include an attack in which the personal information of 100,000 people or more is taken, modified, deleted or otherwise harmed, or in which the personal data affected would impact national security, public safety, public health or civil liberties.


GSA, DHS make $102M cyber award to kick off busy 2017

One of the biggest holes in cybersecurity has been understanding the who — as in, who is on the network and what data and information are they allowed to see, change and share.

This is commonly referred to as identity and access management, and it’s one of the most important pieces of any cyber program trying to keep up with ever-growing threats and an expanding attack surface.

That is why the General Services Administration and the Homeland Security Department’s award to CGI Federal for the Credentials and Authentication Management (CRED) task order under phase 2 of the Continuous Diagnostics and Mitigation (CDM) program is so important.

First, let’s talk about the basics of CRED. GSA, which acts as the procurement arm for the DHS program, awarded CGI a $102 million contract on Nov. 1.

“Under this agreement, CGI will provide the participating agencies with tools, sensors, and services to implement certain aspects of credential management, a key activity of the CDM Phase 2 Program that will strengthen policies and practices for all authorized users at participating agencies,” said a CGI spokeswoman. “CGI will also help federal agencies working to comply with the White House’s Cybersecurity Strategy and Implementation Plan (CSIP), which requires strong authentication for network accounts of unprivileged users. We are proud to provide this vital support to the Department of Homeland Security and provide our identity management solutions for all federal agencies involved in the task order.”

To add a finer point to what CGI will do under the task order, DHS wrote in a webinar presentation earlier this year that “CRED binds a type of credential or authentication mechanism to an identity established in TRUST with a level of assurance and is used to grant access (physical and logical).”

DHS offered further discussion in a recent presentation to CDM prime contract holders, saying CRED “addresses regular users, and ensures that they have the appropriate suitability, clearance, security training to access only the information they need to accomplish their duties and no more.”


A reorg every agency should know about

Agency reorganizations tend not to make a lot of news. They tend to impact only that agency or bureau or office, but rarely do the changes matter to a wide audience. But the General Services Administration’s Federal Acquisition Service (FAS) turns both of these conventional thoughts on their head.

For one, every agency uses FAS to spend more than $35 billion through GSA’s schedules, governmentwide acquisition contracts and assisted acquisition services programs. Second, FAS’ shuffle is directly related to the Obama administration’s category management initiative, which it’s codifying in a new circular — comments on the draft are due Nov. 7.

Both of these reasons make it important for federal employees and contractors to take notice.

While GSA still is working out all the specific details, here is what we do know. There are four “orders” that are mainly focused on improving FAS’ key business processes.

GSA says the overall changes to the FAS structure are minimal, with the majority of FAS organizational units remaining unchanged and employees will not be moving duty stations or changing functions. GSA says the majority of current FAS organizational units will remain as they are, and those that are moving are primarily “lifts and shifts,” with the teams remaining intact.


DoD climbs the cyber reciprocity hill

Reciprocity has been a hill the government has tried to climb for decades. From security clearances to cybersecurity to financial management systems, the “review once and use many” mantra has been as popular as a bear at a picnic — everyone runs in different directions, yelling and screaming.

The Federal Risk and Authorization Management Program (FedRAMP) cloud cybersecurity program has probably come the closest to successfully taking on this issue of “trust but verify” across the government. But even FedRAMP hasn’t climbed the Mount Everest of federal culture change.

So the Defense Department is taking a different approach specifically around cybersecurity.

Terry Halvorsen, the DoD chief information officer, signed a memo on Oct. 18 mandating reciprocity of all authorization and accreditations of systems in use across the military.

“Components will maximize reuse of assessment and authorization evidence developed by prior system authorization and deployments within sister DoD components,” the memo stated. “Any such cybersecurity assessment, authorization and testing conducted by another component shall be evaluated before additional assessment or testing is undertaken. Assessments, authorizations and tests by another DoD component shall be presumed to have been correctly completed, and that assessment, authorization and testing, and the resultant test evidence, will be accepted by all DoD components as a basis for assessment and authorization.”

In a nutshell, Halvorsen is strongly encouraging trust and speed over doubt and protracted reviews.


FedRAMP’s plans in 2017 continue evolution of cloud cyber program

It’s easy to poke holes in the cloud security effort known as the Federal Risk and Authorization Management Program (FedRAMP). Few, if any, governmentwide programs avoid growing pains, including learning how to meet the needs of their customers.

FedRAMP is no different. No one would argue that it was perfect from the start. But many agency chief information officers and vendors will tell you Matt Goodrich, the director of the FedRAMP program management office, and his team are making real progress.

And FedRAMP’s 2016 accomplishments and 2017 goals are more evidence of the office’s efforts to listen, learn and evolve.

Federal News Radio got a sneak peek at FedRAMP’s 2017 plans, and they are focused on three main areas:

  • Bringing on more cloud service providers for agencies to choose from
  • Continuing to transform the security authorization process
  • Maintaining and improving communications with industry and government partners
