Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Exclusive

OFPP drafts memo to replace category management circular


It’s been a year since the Office of Federal Procurement Policy released and accepted comments on its draft circular around category management.

With little-to-no activity on the draft circular over the past year, it seems OFPP is taking a less permanent route to further institutionalize this approach to buying.

Federal News Radio has learned OFPP sent a draft memo out for comment across the agencies earlier this summer, focusing on demand management and “best-in-class contracts.”

Several sources confirmed agencies submitted comments and OFPP is reviewing them.

Government sources familiar with the draft memo say OFPP wants agencies to set goals for using “best-in-class contracts,” and implement demand management by analyzing procurement data and making decisions on who to buy from and how to buy from those vendors.

One source said the draft memo would require agencies to negotiate with OFPP a percentage of work that would have to go through some of the currently 29 governmentwide, multiple-award contracts that have been designated “best-in-class.” These include several General Services Administration contracts, such as OASIS for professional services and Alliant for IT services, as well as the governmentwide acquisition contracts run by NASA and the National Institutes of Health.

“Each agency’s goal would be different because it would be based on what you buy and what you think you should be buying,” said the source, who requested anonymity in order to speak about the pre-decisional memo. “OFPP will look at what you bought in the past and determine what percentage should be bought through these contracts. You will then negotiate with OFPP, much the same way we do with small business goals.”

Multiple government sources say they have real concerns about the memo and have expressed them to OFPP.

Another government source familiar with the memo said they are not a fan of the “best-in-class” designation because it’s based too much on labor rates or categories, and not based on whether the vendor can do the work the agency needs.

“To be ‘best-in-class,’ you have to demonstrate that the vendor is best in class,” the source said. “I understand using it for some things, like delivery services, but for anything mission-related or more complicated, I’m not sure you can just look at the basic information and decide a contract is ‘best-in-class.’”

Lesley Field, the acting OFPP administrator — who, by the way, has been acting for more than a year — said at the Professional Services Council’s Vision Forecast Conference on Nov. 2 that agencies use rigorous criteria to determine “best-in-class.”

“We developed the requirements with a lot of government agencies in mind. It’s not just one agency, but there were customers at the table helping with the requirements,” Field said. “We want to take advantage of volume pricing. We want to have benchmarks for what industry is driving toward. We want to make sure is there data-driven demand and we have to validate our savings methodologies.”

But the criteria for “best-in-class,” according to GSA’s website, are much less rigorous than what Field described.

GSA says to be “best-in-class” a contract must:

  • Allow acquisition experts to take advantage of pre-vetted, governmentwide contract solutions;
  • Support a governmentwide migration to solutions that are mature and market-proven;
  • Assist in the optimization of spend, within the governmentwide category management framework;
  • Increase the transactional data available for agency level and governmentwide analysis of buying behavior.

Field said OFPP, GSA and other agencies look at those contracts to make sure they meet all these criteria as well as others, such as ensuring they support contracting with small businesses.

Roger Waldron, president of the Coalition for Government Procurement, said his members and others in the federal community are concerned about the impact the “best-in-class” designation could have on the marketplace.

“To the extent that ‘best-in-class’ contracts are selected, it’s like picking winners and losers. It could lead to less competition and higher prices in the long run,” Waldron said. “Industry also is scratching their collective heads about what criteria should be used, and even if it’s the right idea. Best-in-class predisposes that it’s the right way to go, but what if it’s a platform or new idea instead of just a contract?”

Waldron said the Federal Acquisition Regulations already tell agencies there are priority sources of supply, so if OFPP wants to hold agencies accountable for using these “best-in-class” contracts, what does it mean for the small business community?

“Is best-in-class establishing a different framework for priorities?” he said. “We don’t understand why OFPP isn’t going through a typical rulemaking process. The Obama administration put out the circular and asked for some comment on it. We submitted a series of comments and questions, and to date, we’ve received no response from the executive branch. I’m not sure how OFPP can implement category management and best-in-class without addressing industry questions and concerns. It doesn’t demonstrate a real partnership.”

Industry isn’t the only place where collaboration may be falling short.

The second government source said OFPP has talked — but not to the acquisition community — about category management and the use of “best-in-class” contracts.

“I’ve been told our comments will be addressed,” the source said. “This is a leftover initiative from the last administration and they are just keeping it going without taking a new look at the effort.”

Sources said OFPP should bring the Chief Acquisition Officer’s Council together to discuss category management and what “best-in-class” really means before creating what some may view as a mandate to use these designated contracts.

Government and industry experts say OFPP should reconsider what “best-in-class” really means.

The government source said maybe it’s around acquisition practices and not contracts.

Waldron said maybe OFPP should consider identifying key characteristics of contracts to drive the best value.

“The only thing we have is criteria that were identified in the draft circular that are all process-driven, not outcome-driven,” he said. “Plus, the definition of best-in-class in government seems to be different than best-in-class in the private sector.”

Sources say one problem with the entire category management effort is it’s being driven by GSA and they stand to gain from the effort.

The first government source said OFPP needs to be more flexible in how it requires agencies to use these contracts. The source said they can’t understand how the GSA Schedules are considered “best-in-class,” given how many vendors there are and the fact that the prices aren’t great to start.

“The way GSA negotiates them means you are not getting the best price, because anyone can get on it as long as you are a legitimate company, you don’t have any failed past performance and can offer a decent price,” the source said. “To me, ‘best-in-class’ means you negotiated and are getting a good deal. Best-in-class should minimize my work and Schedule 70 doesn’t do that, and that’s where I get a little nervous because OFPP is going to an extreme. Best-in-class should be contracts that are products or services that are proven, efficient and cost-effective. You are after quality, timely delivery and cost-effective buying. Right now, the criteria is too loosely written.”



How ‘Amazon,’ 5 other acquisition provisions changed in final defense bill

CORRECTION: An earlier version of this story incorrectly stated the changes to the Simplified Acquisition Threshold and the Micro-purchase threshold. The story was updated on Nov. 16.

If you are keeping score at home, chalk one up for industry in the battle to keep Amazon from dominating how agencies buy commercial products. But don’t expect this to be the final score by far.

The Senate convinced the House to modify the so-called “Amazon” amendment in the 2018 National Defense Authorization bill during the conference negotiations. And industry is pleased.

The NDAA includes the provision to set up more than one online marketplace for agencies to buy commercial products using a two-year phased-in approach.

The bill would require the General Services Administration to develop an implementation plan and schedule within 90 days of the act becoming law. Then a year later, GSA and the Office of Management and Budget should recommend changes to laws to ensure the effective implementation of the online marketplaces, as well as what products should be included in the pilot, a review of standard terms and conditions, including small business and other similar requirements, and what security features are needed to protect data.

Finally, two years after the bill becomes law, GSA and OMB will issue guidance to create the marketplace.

This is a much different approach than what the House initially wrote in the NDAA.

Trey Hodgkins, the senior vice president for the IT Alliance for Public Sector, said lawmakers addressed many of the questions about how the use of online commercial marketplaces would work.

“This establishes a thoughtful approach to creating this capability while ensuring that risks for the government and vendors are fully assessed,” Hodgkins said in an email to Federal News Radio. “Though the provision affords ample time to make these assessments and establish a viable contract, we view these deadlines as caps and we will be encouraging the administrator at GSA to put this option in place expeditiously.”

ITAPS recommended to the Senate Armed Services Committee staff members that technology and communications products be exempted from the initial pilot in the online marketplace.

And because the NDAA now calls on GSA to assess what products would make sense for the online marketplace, ITAPS will have time to continue to drive home its concerns.

Roger Waldron, president of the Coalition for Government Procurement, said the thoughtful and phased-in approach to the online marketplace effort makes more sense than launching it immediately.

“It’s important to see how the government can leverage commercial technologies like e-commerce but also understand how it can be effectively leveraged in a balanced way given all the different stakeholders and touch points when you are dealing with the government. Something like this approach was imperative and Congress recognized that,” he said. “The need to balance the government’s requirements with commercial buying desires requires a thoughtful process to figure it out. They also recognized the critical role data plays. The new provision prohibits commercial providers from using the data for any competitive advantage, and it recognizes there could be an inherent conflict of interest between the marketplace provider and the product provider.”

Experts say over the next few years, House lawmakers and/or Amazon will try to change the 2018 NDAA to speed up the timeline or push through wholesale changes to the online marketplace to get it stood up much more quickly.

This is an estimated $5 billion market, so the lobbyists probably already are working the 2019 NDAA process.

Along with the so-called “Amazon” provision, the conference report included several other interesting acquisition provisions:

  • Simplified acquisition threshold and micro-purchase threshold get raises. One provision would increase the SAT to $250,000 from $150,000 for the entire government. Another provision would increase the micro-purchase limit to $10,000 from $3,500 for only civilian agencies. In the NDAA report, the conferees say the increase in the SAT will help small businesses, especially those new and innovative firms, win work at DoD.

  • Unsuccessful bid protests costs going up, for some. The NDAA calls for a three-year pilot program to test out the concept of requiring unsuccessful vendors who protested a contract award to the Government Accountability Office to pay the Defense Department’s costs incurred for processing the protest. The pilot program will be for companies with revenues of more than $250 million. DoD has two years to get the test program implemented. Eric Crusius, a senior counsel with Holland & Knight in Washington, D.C., said the provision leaves more questions than answers about how the pilot would work. Does “costs incurred” refer to the time DoD’s attorneys spend responding to protests, to administrative costs, or to something else? How would the government determine the hourly rate of a government attorney? And how would the government determine the revenues of the company that protested: would it include federal and commercial work, or just federal earnings? All of these questions will have to be answered by DoD in a new acquisition regulation.

  • Post-award debriefings to improve. The Senate won another provision to limit delays because of bid protests. This provision would require DoD to conduct post-award debriefings and provide detailed and comprehensive statements about the agency’s overall award decision — basically all the information that would typically come out during a bid protest trial. The House added language to increase the threshold of mandatory release to all contracts worth more than $100 million instead of the Senate’s plan for $10 million. The House also added an option for small businesses or nontraditional contractors with contracts in excess of $10 million, but less than $100 million, to request such disclosure. Holland & Knight’s Crusius said in some ways, this provision builds on an effort the Air Force already is doing. He said the service has been running a voluntary program with extended debriefings for unsuccessful bidders. “All parties, including the awardee, must consent to the extended debriefing. Following a review of the source selection documents, a bidder’s outside counsel then engages in a question and answer session with the contracting agency,” he said. “It was the Air Force’s belief that an earlier disclosure of source selection information prevented some protests that may have been filed for the primary purpose of understanding the rationale of an award to a different bidder.”

  • Kaspersky Lab prohibition sticks. Sen. Jeanne Shaheen’s (D-N.H.) effort to ban products made by Kaspersky Lab because of cybersecurity threats came to fruition. The NDAA adopts Shaheen’s provision, along with a requirement to “review and report on the procedures for removing suspect products or services from the information technology networks of the federal government.” This is something the Homeland Security Department already is doing. Additionally, the House Science, Space and Technology Committee is holding a hearing Tuesday to see how agencies are doing in removing Kaspersky Lab products from their networks under the DHS Binding Operational Directive from October.

  • DoD chief information officer changes. The Senate’s desire to raise the authority and power of the CIO won out over the House. But the House added language requiring the CIO position to be presidentially-appointed and Senate-confirmed, bringing it back to the pre-2010 time when it was the CIO and assistant secretary of defense for networks and information integration (NII). In May 2010, then-Secretary Robert Gates eliminated the AS(NII) office, thus not requiring Senate confirmation of the DoD CIO. But the 2018 NDAA would elevate the CIO’s role and realign its authorities. “This provision would establish a Chief Information Warfare Officer (CIWO), who would assume responsibility for Defensewide information warfighting functions. The roles and responsibilities of the current CIO concerning business systems and statutory requirements not specified within the CIWO’s purview would fall to the Chief Management Officer (CMO) of the Department of Defense,” the Senate provision stated. Meanwhile, the House added an amendment to “designate additional responsibilities related to budgets and standards and would authorize the CIO to evaluate and certify that Department of Defense budgets are sufficient in meeting departmentwide requirements for the functional areas it oversees.”



With 17 existing working capital funds, some CIOs excited about added flexibilities of MGT Act

The real change the Modernizing Government Technology (MGT) Act will bring agency chief information officers, now that it has cleared one of the final hurdles to becoming law, is not the creation of a working capital fund. Rather, it is the flexibility and the specific requirements for using the money in the working capital fund that may be the MGT Act’s biggest impact.

House and Senate conferees agreed to the 2018 defense authorization bill last week and included the MGT Act provision.

The NDAA says agencies can establish working capital funds for modernizing technology and can reprogram or transfer funds for up to three years to modernize or retire legacy systems.

Joe Klimavicz, the Justice Department CIO, said at a Partnership for Public Service event before Congress finalized the NDAA that the MGT Act would potentially help his agency improve upon its growing modernization effort.

Klimavicz said Justice already saved or avoided spending more than $300 million by consolidating to one email system and optimizing and reducing data centers from 110 to 30.

Justice also is moving to the cloud with two dozen initiatives, and is adding advanced data analytics.

But Klimavicz said Justice’s current working capital fund includes only one-year money, meaning he has to spend it all before the end of the fiscal year.

“If I had a multi-year, like a three-year, which is being considered out there, then I could accumulate enough money to make these modernization or transformation efforts over the hump into a better place and also with some bigger systems,” he said at the PPS event. “They all require modernization, but right now, you have to do everything in a one-year timeframe.”

Klimavicz’s challenges are not unique to Justice.

According to the White House budget request for fiscal 2017, 17 agencies currently have working capital funds. For instance, the Commerce Department has working capital funds at the headquarters level, the Census Bureau and the National Institute of Standards and Technology. Additionally, the Environmental Protection Agency, GSA and the departments of Justice, Treasury, State, Labor, Transportation and Interior are among the agencies with working capital funds.

And the challenge is that none are the same and all have different requirements for one-year money or multi-year money, or how that money is accumulated and even spent.

This widespread use of working capital funds served both as an obstacle and as an opportunity for the MGT Act.

The Interior Department is facing a challenge similar to Klimavicz’s. While the agency funds its CIO’s office through a working capital fund and its no-year funding, the CIO is limited in how they can use the money.

Sylvia Burns, Interior’s CIO, said at the PPS event before the MGT Act passed, the bill would give her office the ability to target funds to the most pressing areas.

“I think the potential change to the working capital fund that we have now, which we have to have much more conversations about, it could offer that capability of taking savings in IT, parking the money in a modernization fund, then we could have some sort of process, potentially similar to the process that OMB outlined in that legislation, about having a board with the proposals coming in and selections, monitoring and putting the resources to make it successful,” she said. “That’s potentially how we could do stuff in the future, but again, much more to talk about inside the department.”

Burns said spending through the current working capital fund is managed by a consortium with representatives from all of the components, bureaus and offices that pay into it. She said there is a charter that outlines roles and responsibilities, how the board will function, and how issues go up to the bureaus and offices for a vote.

Burns added it would be helpful for IT to traverse the different appropriations across the agency.

“This doesn’t exist and I know it’s a contentious issue. I know my agency wouldn’t necessarily support the idea of having a single appropriation for IT, but somehow having more flexibilities, and I hope the MGT Act actually gives that to us, to be able to go through the different bureau appropriations for what is spent on IT and have some more fungibility in that space,” she said.

Burns, Klimavicz and Scott Blackburn, the acting CIO at the Veterans Affairs Department, all agreed that having enough money to modernize and transform IT systems isn’t the problem.

“We don’t spend that money well,” Burns said. “I think it is our responsibility as CIOs and just stewards of taxpayer’s money to find a better way to spend that money. The way I’m trying to do it at Interior is I’ve created a very collaborative environment with me and the associate CIOs at our bureaus. We are just agreeing to work together on stuff, including if we want to invest in something. We haven’t done this yet, so maybe the proof is in the pudding, but maybe we all agree that we will not do that thing we were going to separately, but direct the money to the thing we want to do together. In the next year, we will see how this plays out.”

Blackburn said because transformation efforts need investment, he’d like to see some help come from the White House.

“The only way to attack this problem is to be aggressive, to make the appropriate investments and have a good plan, and to be held accountable,” he said. “One of the things I’d say to the oversight committee or Office of American Innovation is let’s together build that plan. Over a longer period of time, say five-to-10 years, we will retire these systems when we get the new system online, and there will be the cost benefits, the resource benefits and hold the department accountable over that longer period of time to include when we are retiring and when we are getting the cost savings.”

Blackburn said VA cannot continue to spend $4.5 billion a year on IT, especially on so many legacy systems. He said that is why driving down spending is critical, but it will take time, investment and being held accountable.

And the passage of the MGT Act is the first step toward creating that accountability. The Office of Management and Budget has said numerous times over the past year that when the modernizing bill becomes law, it will be ready to start running.



Industry tries to prune ‘Amazon’ amendment before NDAA is finalized

As House and Senate conferees close in on an agreement for the 2018 National Defense Authorization bill, the controversial “Amazon” provision remains in play. But it seems likely the final version will look a lot different than the current one.

If you aren’t familiar with this provision, Section 801 of the House version of the NDAA would require the General Services Administration to create one or more online marketplaces for agencies to buy commercial items, therefore simplifying the process and reducing costs. House Armed Services Committee staff members say the goal of the provision is to make federal procurement less complex and more competitive.

The Senate version of the bill doesn’t include such a provision, meaning it is one of many differences that have to be ironed out in the conference committee.

And because the Senate Armed Services Committee didn’t include or fully understand the “Amazon” provision, staff members did some last-minute cramming before the conference on the bill started.

Why is it called the “Amazon” provision? Well, some in the industry believe the Seattle, Washington giant played a key role in writing the language or in strongly encouraging the House to develop it.

Industry sources confirmed SASC staff members held 90-minute-or-so learning sessions in early October with 30-to-40 industry experts seeking details and insights about the provision.

Sources say about six or seven staff members showed up, asked questions and then requested ideas for a pilot to test out the “Amazon” provision.

“They asked what were the challenges and the advantages of the provision,” said one industry source who was familiar with the briefing. “The tone and tenor of the discussion was that this is a big initiative that has merit, but its impact can’t be understood and implemented if we did the whole thing right away. There is an openness for the impact and some skepticism of what is the best thing to do at this time.”

Another source said the attendees ranged from medical supply, technology and office supplies businesses to industry associations and lobbyists.

The source said attendees expressed concerns about the provision’s language as it’s currently written.

A SASC spokeswoman refused to comment on the meeting or the committee’s feelings toward the provision.

The committee received ideas for the pilots from at least two industry associations.

The IT Alliance for Public Sector and the Coalition for Government Procurement submitted responses.

The CGP made their comments public, while Federal News Radio obtained a copy of ITAPS’ letter to SASC.

The ITAPS letter is interesting because the association, of which Amazon is a member, suggested that information and communications technology (ICT) not be included in any pilot.

“ITAPS has long advocated for the purchase of ICT using commercial terms and conditions to the maximum extent practicable. It is unclear, however, whether the proposed marketplace platform would allow for such purchases,” Trey Hodgkins, the association’s senior vice president, wrote to the committee. “The language bars the government from requiring the direction/flow-down of additional terms and conditions on the platform itself, leaving the government with limited compliance capabilities, notwithstanding the fact that statutory requirements remain in place for the purchase of items. The provision’s current language shifts the compliance burden for many laws from the vendor to the government (while excluding the platform contractor from accountability for that which is being purchased), which has cost and administrative burden implications for the government as it compiles this information for the provider.”

What ITAPS is referring to is the assortment of statutory and policy regulations, including the Truth in Negotiations Act (TINA), the Berry amendment, the Buy American Act and small business rules such as the Rule of Two.

“This burden is especially the case with ICT, as there are a number of requirements regarding cybersecurity to safeguard the supply chain and prevent vulnerabilities from entering any given agency’s IT system,” Hodgkins wrote. “For example, there are strict requirements in place to ensure that counterfeit products do not enter the supply chain, but the provision is silent on how the portal vendor or the [GSA] will monitor compliance for this requirement. Thus, the government customer must still comply with these requirements, and the vendor selling on the portal could potentially be held liable for issues that may arise from their products interacting with counterfeit products.”

An ITAPS spokesman told Federal News Radio that the association had no further comment beyond the letter.

Meanwhile, the Coalition for Government Procurement’s suggestions focused more on the impact on the federal acquisition market.

“As it stands, Section 801 of the FY18 NDAA embodies the most consequential procurement policy changes in a generation,” the CGP wrote. “Considering the requirements of the e-commerce proposal, it is likely that only one or two providers would possess the capability and potential regulatory compliance (e.g., FedRAMP) necessary to participate. Thus, the proposal could result in monopoly or duopoly control over access to the federal market for commercial items. Monopolies and duopolies can, of course, lead to higher prices, limit competition, and create barriers to the federal market to new entrants and innovative technologies.”

The coalition stated the government spends about $52.9 billion a year on products using commercial item acquisition procedures, thus giving the commercial marketplace vendors access to a huge revenue stream.

“Assuming the commercial e-commerce provider charged a 10 percent fee to suppliers, the contract(s) proposed under Section 801 would have an estimated value of between $5.29 billion and $5.88 billion annually, which could make the e-commerce provider(s) one of the top 20 largest contractors in the federal market, without having to have gone through a full and open competition, consistent with the Competition in Contracting Act (CICA),” the coalition stated.

The CGP offered 12 suggestions lawmakers and GSA should consider for launching any pilot. These include identifying long-standing procurement policies that could be waived, identifying metrics to measure the direct and indirect costs in order to determine the total acquisition cost, and defining how all pilot transactions will be handled.

CGP also provided five additional suggestions for how the pilot could work. These range from limiting the amount bought from the commercial marketplaces to $10,000 per transaction, asking GSA’s 18F organization to test in parallel other e-commerce solutions in and out of government and to evaluate multiple online commercial marketplaces on an equal basis.

The industry source said there’s a pretty good chance some sort of pilot will come from the NDAA.

“I expect this issue to be elevated to the big four — the chairman and ranking members of the House and Senate committees — to be solved,” the source said. “There is a reason why the House made it Section 801 of the NDAA, the first section of the acquisition reform efforts.”

It’s also unclear how much support there is from the Trump administration. In the statement of administration policy, the White House doesn’t mention any support for or unhappiness with the provision.

Lesley Field, acting administrator at the Office of Federal Procurement Policy, mentioned it at the Professional Services Council Vision Conference on Nov. 2, saying the administration has an “appetite” for bold ideas, and is “looking for new ways of buying things, whether it’s through an online marketplace or other things that were suggested by Congress. The federal marketplace is changing so quickly.”

That seems to signal the administration would support at least testing the commercial online marketplace concept, leaving GSA and others to get ready for the beginnings of a major acquisition transformation.



Can a new model for cyber come from an existing consumer protection effort?

WILLIAMSBURG, Virginia — As the 27th and final Executive Leadership Conference sponsored by ACT-IAC wound down in Williamsburg, Virginia last week, the industry group announced its plans to revamp the event for 2018. Called ImagineNation 2018, ACT-IAC is rethinking both ELC and its other big conference, the Management of Change, and is asking for industry and government input.

ELC and MOC have been constants in the federal IT and acquisition communities over the last 25-plus years, where you could track down news and gossip, and renew business relationships. While ACT-IAC continually tried to freshen up the conferences, the federal market has become saturated with similar events, so the time is right to breathe some new life into ACT-IAC’s offerings.

But before we move into 2018, ELC delivered some interesting discussions and news tidbits. Here are my top takeaways from the event:

Consumer Product Safety Commission for cyber?

Trevor Rudolph, the former chief of the Office of Management and Budget’s Cyber and National Security Unit, who now is a cyber policy fellow at New America, offered up this fascinating idea.

Why not copy the successful model for food, pharmaceuticals and general consumer products for cybersecurity?

Rudolph said this new agency could be called the Consumer Technology Security Commission (CTSC).

“It could be under the National Institute of Standards and Technology or the Consumer Product Safety Commission, or an entirely new agency in government,” Rudolph said during one of the ELC’s TechTalks. “It would set and enforce standards for cybersecurity of consumer products.”

He said the best example of this approach is the CPSC. The agency works with Congress and industry to develop standards, accredits third-party assessment labs to test and certify products against them, and provides regulatory oversight through recalls of faulty products.

“The market alone will not solve the cyber problem,” Rudolph said. “The consumers do not have the technical knowledge to force vendors to change either. Creating such an agency would help improve the cybersecurity of consumer products.”

The Food and Drug Administration actually launched an effort that could be a building block to this new agency. The Digital Health Software Precertification (PreCert) Program kicked off Aug. 1 with a goal of creating a new evaluation approach for software products, including a precertification program for the assessment of companies that perform high-quality software design and testing.

“This voluntary pilot program is part of FDA’s ongoing efforts to develop pragmatic approaches to balance benefits and risks of digital health products. FDA intends to develop a precertification program that could replace the need for a premarket submission in some cases and allow for decreased submission content and/or faster review of marketing applications for software products in other cases,” FDA said in its July notice in the Federal Register.

Rudolph said the new Consumer Technology Security Commission would focus on coordinating and developing security design standards, creating a certification and accreditation program, and enforcing quality through third-party assessment and recalls.

Would vendors really be keen on another regulatory approach?

Rudolph said if the government uses tax incentives or labor market incentives as carrots and borrows the certification and accreditation process already accepted in other consumer markets, the acceptance curve may not be that steep.

4 priorities for GSA’s acquisition service

Alan Thomas, the commissioner of the Federal Acquisition Service at the General Services Administration, still is getting situated in his new role, but offered some updated ideas of where he wants the service to go over the next few years.

Thomas, who started as FAS commissioner in June, detailed four priorities, starting with improving customer experience.

Thomas said he wants to modernize FAS systems to make finding vendors, getting on the schedules or using governmentwide acquisition contracts (GWACs) easier.

David Zvenyach, the acting assistant commissioner for systems management at FAS, said his goal for the common acquisition platform, which includes the System for Award Management (SAM), is to provide an “excellent buying experience and customer experience.”

“Beta.SAM.gov is going to be the future home of FedBizOpps. I want you to imagine a future that doesn’t involve SAM.gov, FBO.gov, FPDS.gov, CPARS and PPIRS, and instead just having SAM.gov. When you register as a vendor for SAM.gov, you say, ‘Let me tell you who I am,’ and guess what, it tells you what opportunities are relevant to you.”

Zvenyach added that agency customers would be notified when new vendors register in a specific space.

“We are underway,” he said. “We are actually in the midst of release 11 for Beta.SAM.gov, so you should see some new functionality going out there. We will be doing some planning for release 12 in mid-November, so if you have some ideas, go to Beta.SAM.gov and provide some feedback.”

Thomas’ second priority is to continue streamlining and simplifying GSA’s processes, including the FASTLane program for getting on schedules and the Springboard program that helps small, innovative companies enter the government market.

“I would like to do a little more and do it a little more quickly,” he said. “A great example would be around the ‘making it easier’ campaign in terms of getting on-schedule. We have some very good guidance for industry, but it’s still sort of guidance for how to fill out your tax form, or the solicitation in this case, versus a TurboTax-like experience. I’m pushing for that more TurboTax-like experience in that area.”

A third priority is shared services, across areas such as fleet, contact centers and other back-office areas.

“We think those are things we can do more efficiently for agency partners and then essentially give them dollars back that they can put toward their mission,” Thomas said.

The final priority is supply chain security. Thomas said ensuring that purchased products don’t push agencies past their risk thresholds is a governmentwide challenge, and GSA can help improve coordination and be more proactive in how it secures the supply chain.

He said GSA may also hire a senior executive to organize and oversee those efforts.

“We want good systems and we want good people leading the businesses and portfolios we have out there serving the customers,” Thomas said.



5 agencies expected to send data to governmentwide cyber dashboard by end of 2017

The first agency has submitted data to the federal dashboard under the continuous diagnostics and mitigation program, and four others are following closely behind.

Kevin Cox, the CDM program manager for the Homeland Security Department, almost seemed relieved when he announced it at the ACT-IAC Executive Leadership Conference last week.

Cox added that DHS also is working with the non-CFO Act agencies on a shared service dashboard offering. He said DHS is now seeking final approval, through the authority-to-operate process, to move it into production.

“That will get non-CFO Act agencies connected up to that shared dashboard and get visibility to the federal dashboard,” Cox said. “As for the agency dashboards, the uptake is still occurring. We are working with the DHS Federal Network Resilience team to set up training and webinars on how best to use the dashboard. We had our first webinar last week and received good feedback.”

He said a number of agencies already have dashboards in place, so DHS is helping those departments integrate the new dashboard with the current processes.

But the real benefit will come as new vulnerabilities are disclosed: DHS’ National Cybersecurity and Communications Integration Center (NCCIC) will be able to run a report on the federal dashboard, see what products and devices agencies have and which of them might be vulnerable to attack, then work with the affected agency to get the vulnerability patched.

Without a doubt, it has been a long, hard slog to get CDM to the point where the value is clear — and it’s becoming more effective each month.

Both DHS and the General Services Administration, which acts as the procurement arm of the program, recognized the need to make the program more flexible for agencies and vendors alike.

So the fact that the federal dashboard is up and running, and that agencywide dashboards are pulling data from departmental networks, can signal the beginning of the end of the old CDM program.

Cox prefers to say in CDM’s ABCD model, the “step A” is done and “step B” should be completed by the end of 2018.

“Phase one … was very basic activities that take a lot of time to get the capabilities in place. We have been working this for about three years,” he said later in the week at the CDM conference, sponsored by FCW in Washington, D.C. “In terms of successes here and helping agencies understand what’s in their environment, we found underreporting across the agencies at about the 70-percent level. In certain agencies — maybe not intentionally, because they weren’t aware of everything in their environment — the underreporting was up around the 200-percent mark. That in itself was a key win for the program, but what we really want to get to is to give agencies day-after-day visibility into their networks so they can ensure they are patching well, they have overall good cyber hygiene and we can better manage the risk.”

Cox said the “C” and “D” layers will add more value to the agencywide and federal dashboards.

“Under the C layer, agencies will get object-level data, so they can run reports and understand and prioritize what needs attention first,” he said. “Under the D layer, the federal dashboard, as we get into phase 3 of CDM, we can understand where incidents are happening across the government.”

Phase 3 of CDM comes under the DEFEND task orders, where GSA and DHS shift away from the old way of managing the program through a blanket purchase agreement and move to a more agile approach, using GSA’s Alliant governmentwide acquisition contract and the schedules program to add the flexibility agencies and vendors have asked for.

GSA released the first task order for DEFEND under the Alliant governmentwide acquisition contract in August, and an award is expected later this fall.

Cox said GSA will release other task orders under DEFEND over the coming months for each group of agencies. The goal is to make one award for each of the five major agency groups, in which the systems integrator and its team have five to six years to further implement cyber protections.

The phase 3 task orders will be cost-plus-award-fee type contracts focusing on adding cyber protections to areas such as cloud, mobile device, applications and network awareness.

Cox said GSA and DHS will continue to develop the requirements around phase 4 of CDM.

“We are still working to fully scope this out, but we think we want to start with a proof of concept for areas like data loss prevention and data rights management. Our intent is to start with high-value assets,” he said. “We also will look at architecture changes, like micro-segmentation, to shrink environments that adversaries could have access to if they get in. The goal is to stop them from hopping to other networks. We will continue to work with industry and the agencies to develop our phase 4 approach.”



Will GAO’s decision to charge $350 per filing stop frivolous protests?


Call it the “Latvian Connection effect” or blame it on Congress, but either way filing a bid protest with the Government Accountability Office is no longer going to be free starting in 2018.

And if Senate lawmakers get their way, filing a complaint with GAO could cost some large companies tens of thousands of dollars or more.

Ralph White, the managing associate general counsel for procurement law for GAO, said the agency is developing a new electronic protest docket system and will move forward with its plan to charge $350 for each filing to help offset the cost of development, operations and maintenance of the system.

“GAO has completed development of the EPDS application, however, we are in the final stages of completing security enhancements to the system,” White said in an email to Federal News Radio. “Once the enhancements have been implemented, and GAO issues an authority to operate the system, the production environment will be established. GAO will implement the system in two phases. The first phase will be a pilot program. In the pilot phase, GAO will migrate several existing protests to the system and require the parties in those cases to use the system; since the pilot program will be limited to protests already filed, we will maintain redundancy with the existing methods of processing a protest. The pilot program will allow GAO to ensure that the system is functional and properly calibrated, as well as provide GAO and external users the opportunity to become familiar with the system prior to deploying the system in all cases.”

White said GAO will begin collecting the filing fee when the docket system moves into phase two in the March timeframe.

“After successful completion of the pilot program, in the second phase, GAO will fully implement and go live with the system for all new cases,” he said. “At that time, protesters will be required to file all new protests in the system and they will be required to pay the filing fee.”

White said GAO is developing the system and collecting fees to support it after Congress mandated it in the Consolidated Appropriations Act of 2014. GAO first proposed charging $350 per protest in 2016 and asked for comments from industry and other stakeholders.

“GAO received several comments regarding the proposed filing fee. Several commentators expressed support for a filing fee, including suggesting a higher filing fee to discourage or reduce the number of protests,” White said. “On the other hand, several commentators were concerned that the imposition of a filing fee or the amount of the proposed filing fee would discourage small businesses from filing protests. GAO does not intend for the fee to discourage or reduce the number of protests. Rather, the sole purpose of the proposed filing fee will be to cover the costs of establishing and operating EPDS. GAO determined that a uniform fee for all protests that was limited to offsetting the costs of the system was appropriate.”

But some procurement lawyers say the filing fee to pay for the cost of the docket system is a way to hide the real reason — to deter frivolous protests, hence the “Latvian Connection effect.”

If you remember, GAO suspended the company from filing new protests for a year in August 2016. Latvian Connection had filed more than 500 bid protests over the preceding few years, claiming agencies were routinely and knowingly violating the Small Business Act and other small business provisions. In 2016 alone, the company filed 150 bid protests.

Since GAO lifted the suspension in August 2017, Latvian Connection has filed five bid protests, according to the agency’s docket.

“GAO can’t admit their ulterior motive, and here’s why. In 2009, GAO sent a report to Congress saying that imposing penalties on frivolous protesters is a bad idea, which could harm the federal contracting process by causing a chilling effect, and that GAO doesn’t have the capabilities to determine frivolity,” said Christoph Mlinarchik, the owner of Christoph LLC, a federal contracting consultancy. “In 2016, GAO made the unprecedented move of ‘banning’ a serial protester for one year. GAO never used the word ‘frivolous’ to describe the banned protester, instead opting for the nearly synonymous ‘vexatious,’ likely because they tied their own hands from the 2009 report. Similarly, GAO won’t admit this filing fee is to deter frivolous protests and serial protesters because that would contradict their own recommendations from the 2009 report. The dollar amount of the filing fee might be another hint that it’s designed to deter frivolous protests and serial protesters. Heavy hitters like Boeing or Booz Allen Hamilton won’t blink at a $350 fee, nor will the occasional protester. For a small business with a strong case, $350 is a reasonable expenditure. But for a serial protester filing hundreds of protests per year, a $350 fee is a strong deterrent, and that’s the point.”

Steven Schooner, the Nash & Cibinic Professor of Government Procurement Law at the George Washington University in Washington, D.C., and an expert witness in federal procurement cases, said GAO’s decision is harmful to more than just those who file what some say are frivolous protests.

Schooner said the decision to charge a fee will resonate around the world.

“This will have no impact whatsoever on major defense contractors or, for that matter, most firms that compete for government work. But the symbolism is striking, particularly given how hard the government works to create meaningful opportunities for small business participation,” Schooner said in an email to Federal News Radio. “The government is becoming less open, less welcoming of protests — a form of third-party oversight. In other words, the government is disincentivizing, making it more expensive for disappointed offerors to point out to the government when it has made mistakes or mistreated firms. For more than a generation, the GAO bid protest process — warts and all — has been considered a model that developed and developing states around the world have sought to emulate. We’re sacrificing the moral high ground for an insignificant handful of cash.”

The $350 filing fee will generate less than $1 million based on GAO’s bid protest data. In 2016, GAO received 2,789 protests, which would have brought in more than $976,000.

Other procurement experts say the filing fee is minimal and the benefits of the electronic docket system will outweigh the costs by far.

David Yang, a partner with Blank Rome in Washington, D.C., said contractors already spend a lot of time paying attorneys and paralegals to file documents and find information connected to a bid protest, so having all the information related to a complaint in one place would be valuable.

White said the docketing system will “modernize the intake of protests, improve and streamline notification of agencies when a protest is filed, and modernize GAO’s ability to meet records retention requirements.”

Yang added the $350 fee is $100 less than what it costs to file with the Court of Federal Claims.

All of this comes as the Senate included two provisions in the 2018 defense authorization bill to exact more money from contractors filing protests.

The first provision would require unsuccessful bidders who protested to pay the costs for denied protests to the Defense Department. This provision would apply to companies with revenues in excess of $100 million and only when all elements of the protest are denied in an opinion issued by GAO.

A second provision would withhold payments above the incurred costs of incumbents that file protests. This generally provides that an incumbent contractor filing a DoD protest would have “all payments above incurred costs withheld on any bridge contracts or temporary contract extensions” awarded to the contractor, as a result of a delay resulting from the protest.

The House and Senate started the conference to settle the differences in the two versions of the NDAA last week, so it’s unclear whether lawmakers will support these two provisions. But the Senate has been trying for years to address what some say are too many protests.

So no matter what Congress decides, the cost to file a bid protest with GAO is going up.


GSA gets fiscal 2018 rolling with major procurement initiatives


The General Services Administration’s Federal Acquisition Service is kicking off fiscal 2018 with a bang.

FAS released three requests for information and made a major governmentwide acquisition contract (GWAC) award in just the last week, and that is only the first few weeks of the fiscal year; industry expects the fall and winter to remain busy.

Let’s start with the award, because that’s a sure thing.

GSA awarded 70 service-disabled, veteran-owned small businesses a place on the $5 billion Veterans Technology Services (VETS 2) GWAC.

“Building on the success of the first generation solution, GSA has performed an unprecedented amount of market research for VETS 2 and is proud to offer these services from such highly qualified, innovative firms,” Kay Ely, assistant commissioner of GSA’s Office of Information Technology, said in a release.

The potential 10-year indefinite delivery, indefinite quantity contract is for a variety of IT services, including software development, systems design, IT operations and maintenance, new and emerging technologies, information management, and information and communications technology.

The first VETS GWAC was moderately successful, accounting for $2 billion in sales over the last decade.

A protest of VETS 2 is still highly possible. GSA received 187 proposals, so there are 117 unhappy vendors.

In the meantime, FAS issued three RFIs that provide a glimpse into its future thinking.

4 Centers of Excellence

The most interesting of the three is the one in which GSA, collaborating with the White House’s Office of American Innovation, seeks support for “key initiatives and projects under four Centers of Excellence (COEs) for four key technology initiatives.”

The initiatives include:

  • Establishing and growing identity and authentication services for account users that integrate with agency systems and platforms.
  • Providing a portfolio of cloud computing services across multiple cloud service provider (CSP) offerings, and implementing flexible solutions for the delivery of cloud services.
  • Using consolidated contact center services to make it easier and more cost-effective for the public to access federal services.
  • Improving access to data so that government leaders better manage agency missions and transparency for the public is increased.

The vendor will support the program management office to oversee the technology initiatives, including establishing metrics and providing shared resources.

“Industry support will cover a wide range of activities, including project management assistance/guidance, acting as the support catalyst for completing all plans/activities, creating a centralized approach to track progress against metrics, associated Executive-level interactive dashboards, and agile project management/change management support,” GSA stated in the RFI. “Critical to this is ensuring all processes have a positive effect, and that progress reporting is of minimal burden on the teams.”

Responses to the RFI are due by Nov. 1.

GSA anticipates awarding a multiple award contract for three years.

An interesting aside already in the RFI process: In its initial RFI, the agency included the requirement for vendors to sign a non-disclosure agreement that would’ve prohibited them from bidding on implementation work governmentwide. But GSA amended the RFI two days after initial issuance and removed the conflict of interest provision, and instead restricts “any use of inside information learned during the project as procurement sensitive.”

It will be interesting to see how industry reacts to this change, as this seems to benefit several large consultant vendors, but puts others at a potential competitive disadvantage when bidding on the implementation work.

New ways to buy software

The second interesting RFI would revamp Schedule 70 to improve how the government meets the MEGABYTE Act of 2016 and the Office of Management and Budget’s June 2016 software licensing policy, OMB’s third attempt to improve federal management of $6 billion in annual software purchasing.

GSA is proposing to change how agencies buy software from the IT schedule, specifically around term licenses, perpetual licenses, and evolving the concept of software maintenance-as-a-service.

“In order to properly delineate ‘term’ licenses under SIN 132-32 and to keep those licenses distinct from any form of cloud products available under SIN 132-40 (Cloud Computing Services), ‘term software licenses’ have been redefined so that they are only applicable to software that is provisioned and executed from the ‘user’s servers, computing end-points, or other designated computing devices where the user has the right to load or deploy software,’” GSA stated. “Additionally, the requirement to convert term licenses into perpetual licenses has been modified so that it is only required when an offeror offers the same conversions to their commercial customers.”

GSA then is updating the concept of a perpetual license. It says it isn’t changing the definition, but creating two options for vendors to include in their offerings.

“Option 1 contemplates software vendors that will embed software identification tags in their software products that are consistent with the ISO/IEC 19770-2 standard,” the RFI states. “Option 2 contemplates software vendors that will allow incumbent software licensees a right to transfer or move perpetual licenses to a new licensee for a previously negotiated fee. It is intended that these new asset management rights and features are voluntary, meaning that software vendors who wish to offer them may optionally include them on their schedule contract.”
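The software identification (SWID) tags Option 1 refers to are small XML documents that a vendor ships alongside the product; an asset-management tool reads them to learn exactly what is installed, who made it, and what files belong to it. The following is an added example written for this article, not GSA’s code and not any vendor’s actual tag: the product name, entity name, regid and payload file are all constructed. It shows the fields a SWID tag carries and how the payload hashes let an agency check that the files on disk are the ones the tag describes.

```python
"""Parse an ISO/IEC 19770-2 (SWID) tag into an asset-inventory record.

Added example for this article; not GSA's code and not any vendor's tag.
The product, entity name, regid and payload file are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

# Namespaces defined by the 2015 revision of ISO/IEC 19770-2 and by XML-Enc.
SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"


def _q(ns, local):
    """Clark notation ElementTree uses for namespaced elements/attributes."""
    return f"{{{ns}}}{local}"


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed payload file the tag describes, kept in memory so this runs offline.
_FILE_NAME = "acme-ledger.exe"
_FILE_DATA = b"constructed sample binary contents\n"
SAMPLE_FILES = {_FILE_NAME: _FILE_DATA}

# Constructed tag, built here so its payload hash matches SAMPLE_FILES.
SAMPLE_TAG = f"""<SoftwareIdentity xmlns="{SWID_NS}" xmlns:sha256="{SHA256_NS}"
    name="Acme Ledger" tagId="example.com-acme-ledger-4.2.0"
    version="4.2.0" versionScheme="multipartnumeric" tagVersion="1">
  <Entity name="Acme Software (constructed)" regid="example.com"
          role="tagCreator softwareCreator"/>
  <Payload>
    <File name="{_FILE_NAME}" size="{len(_FILE_DATA)}"
          sha256:hash="{_sha256_hex(_FILE_DATA)}"/>
  </Payload>
</SoftwareIdentity>
"""


def parse_swid(xml_text):
    """Return a flat inventory record from one SWID tag.

    ElementTree does not fetch external entities, but it does expand internal
    ones; tags taken from untrusted media should be parsed with defusedxml.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _q(SWID_NS, "SoftwareIdentity"):
        raise ValueError(f"not a SWID tag: {root.tag}")

    # The softwareCreator entity (identified by its regid) is the stable key
    # for rolling up licenses and maintenance spend per vendor.
    creator = None
    for ent in root.findall(_q(SWID_NS, "Entity")):
        if "softwareCreator" in ent.get("role", "").split():
            creator = {"name": ent.get("name"), "regid": ent.get("regid")}

    files = []
    for f in root.iter(_q(SWID_NS, "File")):
        files.append({
            "name": f.get("name"),
            "size": int(f.get("size", "0")),
            "sha256": f.get(_q(SHA256_NS, "hash")),
        })

    return {
        "tag_id": root.get("tagId"),
        "name": root.get("name"),
        "version": root.get("version"),
        # Patch and supplemental tags describe updates to, not copies of, a product.
        "patch": root.get("patch", "false") == "true",
        "supplemental": root.get("supplemental", "false") == "true",
        "creator": creator,
        "files": files,
    }


def verify_payload(record, present_files):
    """Check each payload file's SHA-256 against the bytes actually present.

    present_files maps file name -> bytes (a real tool would read from disk).
    A missing file or a hash mismatch both report False.
    """
    results = {}
    for f in record["files"]:
        data = present_files.get(f["name"])
        results[f["name"]] = data is not None and _sha256_hex(data) == f["sha256"]
    return results


if __name__ == "__main__":
    rec = parse_swid(SAMPLE_TAG)
    print(rec["creator"]["regid"], rec["name"], rec["version"], rec["tag_id"])
    print(verify_payload(rec, SAMPLE_FILES))
```

The tagId is what makes two installations of the same release comparable across agencies, and the creator regid is what lets spend be attributed to a vendor regardless of how a reseller labels the line item, which is the tracking problem the RFI says the current SIN structure cannot solve.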

Finally, GSA would delete software maintenance-as-a-service and replace it with software maintenance-as-a-product.

“Software maintenance-as-a-product, henceforth, will be the maintenance that software vendors charge for on an annual basis. Because software maintenance-as-a-product has not been previously identified with its own special item number (SIN) and because it is a component of a term license or perpetual license acquisition, it has been difficult to track the federal government’s actual spend on annual software maintenance,” the RFI states. “Under the current software maintenance SIN structures, it is impossible to differentiate a software purchase from an annual software maintenance purchase. Providing software maintenance-as-a-product with its own SIN identifier allows the federal government to better manage software as an asset and appropriately track categories of spend by differentiating between software licenses and software maintenance.”

Responses to this RFI are due by Nov. 24.

The future of GSA and DUNS

The third RFI is actually a follow-on from one in February and may have the biggest impact on every vendor. GSA continues to pursue an alternative to the proprietary business identifier, the DUNS number, currently provided by Dun & Bradstreet.

GSA issued both a new RFI as well as a draft performance work statement for industry to comment on.

“The government is exploring all viable means of continuing to meet its ongoing need for entity identification and validation services after the contract’s expiration,” GSA stated in a release.

GSA said the first RFI from February received “numerous” responses, but didn’t say how it influenced the second RFI.

In the latest RFI, GSA seeks answers to seven questions focused primarily on the draft statement of work.

The draft PWS states GSA is looking to meet both business and technical objectives.

Under the business objectives, GSA highlighted its need to “determine entity uniqueness, which could include the assignment and/or use of a unique entity identifier in perpetuity, validation of certain entity data, and associated services,” to validate data for contracting officers or others in making an award and determination of responsibility; an approach to understand the hierarchy and family tree of an entity; and “a method to determine relevant information about an entity that is being excluded from doing business with the government.”

Under the technical objectives, GSA said it needs the vendor to transmit data in real-time for validation services, to make sure the data is in machine-readable formats and doesn’t require any custom software and to encrypt all data in transit and at-rest.

The RFI and draft statement of work received a lot of attention in industry.

Hudson Hollister, the founder and executive director of the Data Coalition, has been a vocal supporter of GSA moving away from D&B and lauded this second RFI.

“Neither Dun & Bradstreet nor any other company should be permitted to retain a proprietary interest in the identification code that is used within the registration system,” Hollister said in an email to Federal News Radio. “GSA actually specifies in the [draft] PWS that a new identifier must be ‘available for public use at the federal government’s discretion.’ This is encouraging. GSA, therefore, should ensure in their recompete process that whoever runs the registration system for the next five years allow taxpayers and the public to freely download and use federal contract and grant spending information. Last week’s statements suggest open data is winning.”

A Dun & Bradstreet spokesman also welcomed the RFI and draft PWS.

“Dun & Bradstreet is pleased to participate in the General Services Administration’s process to fill the government’s need for entity identification and validation services,” the spokesman said in an email. “The federal government has leveraged the DUNS number for the past 40 years because it provides critical data and insights into the government’s business partners and programs, including beneficial ownership, company hierarchy linkage and historical financial data, as well as other information that the government needs to effectively manage and run its operations. Dun & Bradstreet believes that our government partners will continue to find value in what we deliver to support the federal government across a multitude of missions.”

The government slowly has been preparing for the end of the Dun & Bradstreet contract, which expires in 2018. In 2015, the Federal Acquisition Regulatory Council issued a proposed rule, finalized in September 2016, removing proprietary references to DUNS numbers and D&B from the regulations governing how vendors are identified.

It’s still unclear if D&B will lose its 40-year hold on identifying federal contractors, but the recognition is clear that change is coming.


Agencies complete step one of DHS cyber directive, now comes the hard part

The recent completion of step one of the Homeland Security Department’s Sept. 13 Binding Operational Directive to remove all Kaspersky Lab products from their IT systems in 90 days may have been easier for some agencies than others.

Under the BOD, agencies needed to identify where these products live on their networks or systems within 30 days. For the roughly 20 agencies that have implemented the continuous diagnostics and mitigation (CDM) program dashboard, the data collection was the easy part.

Laura Delaney, the deputy director of Network Security Deployment at DHS and a member of the Information Security and Privacy Advisory Board (ISPAB), said through the dashboards, agencies have, for maybe the first time, a holistic view of their networks.

“Previously for a data call like this, an email goes down through the entire agency and it might hit some agencies past the due date, and sometimes not at all. And those who get the email have to determine if they have the data. Some don’t know and say ‘check the procurement records.’ But if the software was bought through other direct costs (ODCs), then who knows,” Delaney said at the ISPAB meeting on Friday in Washington, D.C. “CDM will ease getting information and improve the validity of the information.”

But identifying Kaspersky products may have been the easy part not just for those 20 agencies, but for all departments.

Over the next 60 days, agencies have to come up with a plan and remove these products from their networks once and for all.

While many cyber experts say removing any software product from a system or network is much more difficult — especially without any additional funding — than it seems, initial data shows Kaspersky products are not as intertwined in federal systems as many might think.

There is good news from step one of the BOD.

Michael Duffy, chief of the Federal Network Resilience Division in DHS, said Oct. 27 that not only have a majority of agencies met the initial 30-day deadline to identify what Kaspersky Lab products they have on their networks, but fewer than half of all agencies say they actually have Kaspersky products on their systems.

Duffy, who spoke at the ISPAB meeting, said DHS and the Office of Management and Budget relied on the definition of a federal information system in Circular A-130 to set the scope of what agencies had to analyze.

Under A-130, OMB defined a federal information system as “an information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.”

Duffy said that means agencies had to analyze systems beyond those on premises, including those in the cloud and anything contractors are operating on behalf of the government.

“We worked with the National Institute of Standards and Technology, the General Services Administration and OMB in partnership to make sure it was clear across all stakeholder groups in the government about what we were asking for and what was expected of them,” Duffy said. “What we’ve tried to do is have agencies determine the risk for themselves versus us trying to micromanage it.”

Agencies now move into stage two where they are developing a plan for how they will remove these software titles. Those strategies are due to DHS by mid-November.

Duffy said DHS may have a better idea of the challenges agencies face in getting rid of Kaspersky Lab software once the plans come back to them next month.

Agencies also are seeing benefits from CDM tools around closing critical vulnerabilities.

Duffy said at the board meeting that DHS found earlier in October that for the first time agencies had no critical vulnerabilities open for more than 30 days.

DHS has been tracking agency critical vulnerabilities since the 2015 cyber sprint, when it found hundreds that had been open for more than 30 days.

“This is an incredible success,” Duffy said. “It shows our ability to measure and motivate. It’s not just a quick turnaround action, but it’s a change in the way the dot-gov culture behaves. It’s part of a downward slope of bad things impacting agencies in the cyber environment across government.”

In a document obtained by Federal News Radio in 2015, agencies said they had more than 50 critical vulnerabilities open for more than 30 days and more than 75 active critical vulnerabilities. Several agencies listed double-digit vulnerabilities open for more than 30 days and/or active problems.

There has been a lot of impatience and doubt about CDM over the past four years, but these two results show the value of the program and why agencies are chomping at the bit to implement it more quickly.


Could updated controls from NIST drive up cloud security costs?


Among the biggest complaints about the cloud security program known as the Federal Risk and Authorization Management Program (FedRAMP) have been the cost to vendors and the time it takes to get approved.

The FedRAMP program management office has tried to address both over the last few years, most recently introducing the Tailored program for low-impact, software-as-a-service offerings last month.

But now the program management office is concerned that many of those advances could be at risk with the updated security controls from the National Institute of Standards and Technology.

In its public comments about NIST Special Publication 800-53, Revision 5, FedRAMP said the move from Revision 4 to Revision 5 could cost millions of dollars across the cloud service providers, third-party certifiers and the federal Joint Authorization Board (JAB) to update the approved cloud services and related standards.

“We wanted to understand the financial impacts of this update for both government and vendors in order to understand what sort of return on investment implementing these changes would provide,” said Matt Goodrich, FedRAMP program manager, in an email to Federal News Radio. “Our cost estimates are based on our experience with the transition from Revision 4 to Revision 5, and were a high-level estimate based on documentation updates alone and not any costs associated with implementing and assessing new security requirements.”

NIST released the draft of Revision 5 in August, and comments were due Sept. 12. NIST says it expects to issue a final draft in October and the final version of 800-53 Revision 5 by December.

But it’s more than just cost — a recent report by Coalfire found the average cloud service provider (CSP) spent between $350,000 and $865,000 to get FedRAMP certified — that worries the program office.

Goodrich detailed in the comments three areas of concern, and made two recommendations to NIST.

A NIST spokeswoman said the agency doesn’t comment on another agency’s comments about a draft publication.

One area is around the priority of the new controls versus updated controls.

“Are all new and updated controls considered to have the same positive impacts on security and should be treated equally? Based on FedRAMP’s review, this is not the case,” the comments stated.

The second area is around what NIST calls “new security concepts.” FedRAMP stated NIST needs to define these new security concepts more clearly and better explain why they are important to Revision 5.

A third concern is around the security objectives for each new or updated control. FedRAMP stated NIST should “clearly articulate the intent of each control so alternate implementations and mitigating controls can be properly analyzed.”

“Without understanding what the objectives are, how are agencies and vendors going to be sure they meet the intent of security controls if not meeting a security control explicitly as stated? Without the objectives, it is difficult to understand if alternate implementations or mitigating security controls are sufficient,” FedRAMP stated in its comments.

NIST also hasn’t discussed the test cases for the new controls, which vendor experts say are key to implementing any revision.

“They put out test cases for 800-53A under Rev 3, but didn’t update them for Rev 4. Since Rev 5 is a big change, I would expect NIST is looking at test cases. And they need to because I think moving to Rev 5 will need a long on-ramp,” said Maria Horton, CEO of EmeSec, a third-party assessment organization (3PAO), in an interview with Federal News Radio. “FedRAMP, 3PAOs, the PMO and the cloud service providers will have to evaluate the test cases to see how they are implemented. There will be some challenges because the changes to Rev 5 reflect the new digital economy.”

Horton said FedRAMP, 3PAOs and CSPs will need to architect, design and adopt the new controls for cloud services.

“I would recommend NIST and FedRAMP give certified CSPs and anyone FedRAMP-ready a year beyond when they settle on the test cases to allow for investment and adaptation to the digital economy, and privacy and security requirements,” she said.

Horton and other executives at 3PAOs say the security and privacy changes in Rev 5 are the most significant updates to the controls.

NIST says among the changes it’s proposing are to:

  • Make the security and privacy controls more outcome-based by changing the structure of the controls;
  • Fully integrate the privacy controls into the security control catalog, creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
  • Separate the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest, including systems engineers, software developers, enterprise architects and mission/business owners.

Doug Barbin, a principal and cybersecurity leader for Schellman and Company, a 3PAO, said in an interview with Federal News Radio that while privacy was always a part of Rev 4 and previous revisions, Rev 5 brings in more of the generally accepted privacy requirements, policies and guidelines for information sharing.

“Every single area of the control set around data or information has privacy controls,” Barbin said. “For cloud providers, it gets interesting and starts going toward the delivery model such as infrastructure- or software-as-a-service, which may be data agnostic so some of those controls may get pushed down to the agency to implement.”

Barbin said for SaaS, both the cloud provider and the agency customer must consider what data is being collected and which users are potentially interacting with that information, especially if it’s personally identifiable information (PII).

“This will take time to roll into FedRAMP because you will have to update all the core templates for authorization,” he said. “We also will have to do control tailoring, and come up with the criteria for testing and analysis that the 3PAOs will perform.”

Abel Sussman, director of the cyber risk advisory group for Coalfire, said the integration of the privacy controls with the rest of the security controls is the biggest change.

Sussman also said he believes about 40 percent of the controls at the moderate level will need to be changed.

“I don’t think any of the new controls will require a major uplift,” he said. “It’s about documenting how things are already implemented with appropriate tweaks.”

Sussman added that for cloud service providers, the Rev 5 changes also mean ensuring the security changes are ingrained in the training, planning and reporting functions.

“As organizations develop good risk compliance programs, they will be able to meet many of these controls,” he said. “One of the things that came up is the wording from JAB. They want security controls that are outcome-based. It means there is more direct language of what is expected. For example, multi-factor authentication for privileged accounts in Rev 5 versus Rev 4 is more direct, and that may be confusing because CSPs may not be sure what outcome-based means. This is where test cases could help.”

There seems to be a lot of uncertainty around what Rev 5 will mean for CSPs, 3PAOs and agencies, and that’s why the test cases will be critical.

“Technology Transformation Services (TTS) has a spirit of transparency, and our FedRAMP team spends a lot of time engaging with our industry partners to better understand their concerns and thoughts on major programmatic updates. The comments note common questions we’ve heard from our stakeholders related to this update,” Goodrich said. “FedRAMP continues to have a thoughtful dialogue with NIST and OMB about the issues raised in our comments and how to best address the concerns noted.”
