Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


Desire for pay demonstration, job training highlight OMB workforce summit

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

When it comes to the Trump administration’s priority to reskill or upskill the federal workforce, the best place to start in understanding the uphill challenge is with the numbers.

A Federal News Radio special report in May found more than 45 percent of the federal workforce is more than 50 years old and 25 percent of them are more than 55 years old. Conversely, just six percent of feds are under 30 years old.

But numbers, as is usually the case, don’t tell the entire story.

Nearly every job in the public and private sectors tries to answer the continuous question of how to evolve as new technology impacts the routine and complex parts of your day.

Basically what this means is agencies — and let me emphasize the private sector as well — have hundreds of thousands of employees who will need new skills or will need to change the way they do work over the next three to five years.

“Our data analysis found that 1.3 billion out of 4.3 billion hours could be freed up in the federal workforce by automating manual tasks. That is a lot of potential hours that could be moved from lower value to higher value activities,” said Bill Eggers, the director of public sector research for Deloitte Service. “A good portion of these higher value activities might require a certain amount of reskilling/upskilling. If you assume about 2,087 hours worked per federal employee annually, then you see a large number of employees (in the hundreds of thousands) could eventually require some updating of their skills as they move to higher value activities and under-resourced jobs like cybersecurity and data science. But that’s no different than nearly every organization, public or private, as we enter this new age of work.”

In the President’s Management Agenda, the administration estimates based on 2016 data that 45 percent of all work could be automated and 5 percent of all occupations could be automated entirely.

Now the reason why this workforce discussion is coming up today is the Office of Management and Budget had another one of their “secret” no press allowed events — well, except for one member of the media who moderated a panel in the morning, but that’s for a different story — where they wanted to discuss potential solutions to this ongoing workforce challenge.

Unlike the no-press-allowed event held a few weeks ago around the Technology Modernization Fund, OMB, to their credit, provided some details and background on the discussion points.

An OMB spokesman said the symposium brought in “leading industry experts from around the country to participate in a day-long working session to share best practices and identify concrete next steps for action. Leveraging representatives from diverse organizations with deep, cross-functional expertise in human resource issues, we hope to gain policy ideas and also identify capabilities to help modernize a Federal Workforce for the 21st Century.”

But I decided to go a bit further and talk to people who actually attended the morning and afternoon sessions. All participants spoke on the condition of anonymity because OMB asked the event be “on background.”

OMB held nonpartisan discussions

Overall, the five people I spoke with all were complimentary and enthusiastic about the sessions. All said the tenor and tone of the conversations were nonpartisan and focused on learning and sharing. The day-long event seemed also to be part of OMB’s preparation to launch the Government Effectiveness Advanced Research (GEAR) Center in 2019.

“Everyone is dealing with [the] same challenges around their workforces. There is a lot of anxiety in the workforce around artificial intelligence and robotics so how do we engage employees in that process so they don’t have a negative reaction to the technology?” said one industry source. “How can we partner with them to better understand how to make work more productive? They want to move up value change and technology can help, but if they are not engaged in the process, there is a risk that they may not adopt and embrace the technology like they should.”

Another industry official added the emerging technologies, employee expectations and cost pressures are driving these changes.

“There is so much the government needs to do especially when you consider the size of federal workforce has remained constant or has been declining over the last few decades while the size of the government in terms of what it does has grown significantly,” said the official. “In order to enable government workers to address their mission imperatives, technology can help in a constrained workforce environment to free up time. That’s where reskilling and upskilling comes up, and that was much more the tenor of discussion.”

OMB brought in speakers from Willis Towers Watson, a global advisory firm focusing on risk management and human resources, the International Brotherhood of Electrical Workers (IBEW), Amazon Web Services and even someone from California Governor Jerry Brown’s office, according to the day’s agenda obtained by Federal News Radio and attendees who spoke to us.

What seemed to be missing, besides the press, were the federal employee unions. We know the relationship between the administration, the American Federation of Government Employees, the National Treasury Employees Union, the National Federation of Federal Employees and others is not good. But these changes will not happen unless the administration works closely with the employee unions. That may have been one part of the day which OMB overlooked.

The morning sessions were mostly one-way discussions with the assorted panelists laying out the challenges and/or describing some ongoing industry efforts to address workforce challenges, participants said.

The afternoon breakout sessions were much more interactive and focused on three main areas: Reskilling the workforce, talent management, and performance and compensation. Participants said OMB expects to issue a report from the event in a few months.

“One good takeaway from the private sector was around the performance appraisal process and the need to separate it from the feedback process,” said another industry source. “Right now, the government does both once or twice a year. But the industry speakers said there is need to separate the feedback and make it an ongoing and regular part of the discussions. By doing the feedback and appraisal at same time, it doesn’t do justice for the organization.”

Federal pay flexibility exists

Another key takeaway was the flexibility agencies have around compensation, the industry source said.

“Once you realize the limitations of the Title V structure, there are more interesting things that you can do, like pay demonstrations,” the source said. “When was last time OPM approved a pay demonstration? It was probably 15 years ago. So promoting more experimentation in that space was discussed. If you have the authority, why not use it?”

Another participant said part of the discussion on reskilling or upskilling employees focused on balancing all the different needs of the workforce, the taxpayer and the administration.

“This is a really important conversation,” the source said. “There is a lot of sensitivities around the perception that this all will lead to a reduction in force (RIFs). This is a good topic to talk about and not one previous administrations gave a lot of attention to. I was impressed by the questions [OMB deputy director for management] Margaret Weichert and [OPM Director] Jeff Pon are asking.”

Around performance management, the source said several previous administrations unsuccessfully tried to address this issue.

“One of the more interesting inputs from the commercial sector was instead of using the typical federal employee rating structure where you are too focused on the rating of 1-to-5, maybe a better way would be to use pass/fail. Then, you can discuss things the employee is doing well or things they need to improve on,” said the source. “You also can communicate early in a person’s career if people are on a leadership track, what it looks like and what performance characteristics they should strive for. There were a lot of questions around the grading system and what are the pros and cons of it.”

Another participant said during the breakout session, the group recognized agencies don’t have credible performance management data, which makes it harder to address workforce issues because performance management is linked directly to having a talent management and not a compensation strategy.

“It was a healthy conversation especially since all sectors are going through this at the same time,” the participant said. “The government doesn’t know some of that basic workforce information so jumping to reskill hundreds of thousands of people comes back to what skills are needed. You have to understand the plans and strategies for how to make progress on objectives and goals before you can decide what you are changing.”


10 BILLION DOLLARS and other reasons why contractors feel so much angst around DoD’s JEDI program

Larry Prior, the former CEO of CSRA, recently described the excitement around the Defense Department’s Joint Enterprise Defense Infrastructure (JEDI) contract as like watching a “battle of the titans” square off, one that is leading to “high drama” across the federal market.

But what Prior didn’t answer—maybe on purpose—is why do so many contractors care about the $10 billion cloud contract?

Which led me to ask several other industry experts a similar question: Why is there so much angst over JEDI?

Now I know, it’s worth $10 billion. But really it’s ONLY a ceiling of $10 billion over 10 years so at most DoD will spend $1 billion a year. How many contract vehicles actually reach or come near the estimated ceiling? Few, if any.

Add to that the fact Deputy Secretary of Defense Pat Shanahan said JEDI would account for only 15-to-20 percent of all DoD cloud spending. That means 75-to-80 percent still is up for grabs. You can follow the bouncing cloud RFP ball to the Defense Information Systems Agency’s $8.8 billion Defense Enterprise Operations Solutions (DEOS) contract, to the Air Force’s Enterprise-as-a-service plans, to the Navy’s Next Generation Enterprise Network (NGEN) and so on. Bloomberg Government found recently that DoD will spend about $2 billion on cloud services in fiscal 2018 and that figure only will grow in 2019 and beyond.

Taking all of this together, the military will spend billions of dollars on cloud services over the next decade and there will be plenty to go around. Right? That seems to be the pragmatic and logical conclusion?

Well, not so fast, say several industry experts.

“Any time you have a contract that is potentially that large in such a competitive market where the perception is ‘winner take all,’ that causes angst to begin with. And most contracts like JEDI are multiple award so anything that could be market limiting would cause angst,” said Stan Soloway, a former Defense acquisition executive, and now president of Celero Strategies. “The perception is that JEDI is the tip of the cloud iceberg. I believe based on conversations I’ve had, JEDI represents the first step toward an alternative DoD cloud policy where they want to ride the commercial cloud.”

Soloway said companies are nervous if DoD is riding a commercial cloud wave and it doesn’t include them.

Contractors marking their territory

Ok, so change is hard for contractors?

Well, not exactly, said Ray Bjorklund, the president of Birchgrove Consulting and a former DoD acquisition official.

Bjorklund, who worked on and sees similarities with the Defense Information Systems Network (DISN) procurement in the late 1990s, said for many vendors it’s a matter of VHS vs. Betamax or Westinghouse vs. Edison Electric where the fight was over alternating current or direct current.

“Cloud is much like a utility with the expectation of instant on, immediate connectivity and certainly in case of JEDI when you look at military operations that are dispersed around the globe, accessibility of information is most valuable,” he said. “DoD is looking for a way to further connect all platforms and applications, and now platforms and apps don’t necessarily talk to each other, but having this one pool of data where all of it can be exchanged, that is a really good notion.”

Bjorklund said even though DoD expects there will be other cloud solutions in the future, JEDI is the initial big one.

“If it’s a single award and it gets traction with users who get comfortable, that single award may lead to increasing proprietary technology and make it more difficult for other cloud vendors to integrate with this cloud and also with the platforms and apps,” he said. “DoD already is establishing some degree of interoperability based on technical specifications for solutions. But to have this uneasiness about long term where there will be increasingly levels of proprietary technology that will be difficult to break without a lot of breakage.”

So, it’s all about being first one in and marking your territory?

Well, DoD already has cloud instances from Microsoft, Google, Salesforce, IBM and so many others, so that can’t be the cause of the angst.

Not so fast, says one former DoD official, who requested anonymity because their company still does business with the Pentagon.

The former official said the way the Pentagon and its leadership, including Ellen Lord, the Undersecretary of Defense for acquisition and sustainment, and Chris Lynch, the director of the Defense Digital Service, have talked about their desire to move to a single cloud creates angst. The fact that many in industry consider the procurement “wired” to Amazon Web Services is why JEDI is tormenting industry.

“Comments that a single cloud was needed or DoD couldn’t get interoperability, data, machine intelligence caused everyone in industry to be suspicious of this effort from the start,” the former official said. “Many were convinced from the start that the goal from technologists of JEDI has been to get a contract with AWS and get access to their secret region that was funded by intelligence community.”

The former official said the angst continued to increase when certain specific requirements in the RFP and performance work statement seemed to be AWS-centric.

“The requirement to have three copies of your infrastructure is an approach AWS has taken from the beginning. The requirement to have three-way replication so your data is not lost is an AWS feature,” said the former official. “The other one around tactical requirements and the description of capability sounds a lot like Amazon’s snowball capability that it created to move data around and now turned it into a deployable cloud of sorts. I’m not sure how it can be used to build forward deployed cloud so it has not solved DoD’s problem, but it’s where DoD wants to go.”

Value of JEDI is so high

So then the angst is about not having a level playing field where all vendors can compete equally?

If you read Oracle’s initial pre-solicitation bid protest, one of its major complaints is the anti-competitive nature of the RFP.

But wait one more time. Another industry official, who is following JEDI closely and requested anonymity because their company does business with DoD, said the angst comes down, in part, to the contract being worth $10 billion.

“There is a school of thought that this is $10 billion and everyone wants to be part of it. It’s a lot of money. We know today that it’s hard to switch clouds so it’s not like you are in AWS one day and move to Google the next day. The reality of that happening is not strong and you’ve got to have a compelling reason. It’s not easy to switch like cell phones are, and then you have to train people in the new cloud too, which will hinder people from switching,” the expert said. “The fact is DoD is being vocal about not wanting a multi-cloud approach is bad. If you look at all experts, multi cloud is the future. There are tools to help manage multi cloud.”

The industry source said it would be hard for Microsoft, Google, Amazon, IBM or any vendor to tell their board of directors they lost out on a $10 billion contract with DoD.

“It’s not a great conversation to have,” the expert said. “And if it is like the CIA Amazon Web Services C2S cloud and everyone else is locked out, that is a bad situation, and why people are nervous.”

So given all of these reasons, industry has pretty good reason for being up in arms over JEDI.

Part of this is DoD’s own fault due to its inability to communicate its real goals for cloud. And part of this is industry’s own idiosyncrasies when it comes to large contracts and needing to be part of every one of them.

The former DoD official said they remember similar angst among contractors during the bidding of the Navy-Marine Corps Intranet, which ended up being more than a $10 billion contract.

“JEDI seems unique. There is so much investment by companies, both spiritual and financial,” the source said. “There is much more of a pre-award information campaign that started last year. Companies believe if they do not get a piece of this, they may be concerned about losing their jobs or leaving the DoD market entirely.”

The official said based on their experience what is most likely to happen is JEDI will end up being more for development purposes and less for legacy systems, and then the other programs like DEOS will begin to address the older applications.

DoD has pushed back the due date for the award and the Oracle protest continues to hang over JEDI so industry will continue to watch this battle of the titans for a few more months and we can watch their angst continue to grow.

Census CISO to retire; DHS, State name new cyber leaders


The federal cybersecurity landscape is seeing several shifts in terms of the people who manage, oversee and secure federal networks, systems and applications.

First, Tim Ruland, the chief information security officer at the Census Bureau, is retiring on Sept. 27.

Ruland, who has been working part-time at Census over the last few months, will leave after more than 40 years of federal service, including being in charge of the decennial count’s cybersecurity since 1998.

He said he plans to relax and travel during retirement, but may decide to work part time or contribute to the federal community in another way.

Ruland leaves the Census at a critical time as the bureau prepares for the 2020 count. The Government Accountability Office found that Census, as of June, had reported 3,100 security weaknesses “that need to be addressed in the coming months.”

Census and the Commerce Department, more generally, recognize their cyber challenges. Commerce Chief Information Officer Rod Turk wrote in an Aug. 31 blog post, shortly after the GAO report came out, that the “Census Bureau engages in a multi-stakeholder approach across the Federal government, intelligence community, and industry to implement the best tools to secure their data. The security of the 2020 Decennial Census is strengthened by this cybersecurity partnership and network.”


Ruland also spent 13 years on active duty in the Army where he worked for the Army Security Agency and the Intelligence and Security Command as a linguist and analyst.

“Now for some new adventures with my wife traveling the U.S. on our Harleys and by car, learning how to be a better cook and just enjoying life,” Ruland wrote on a LinkedIn post. “To all I have worked with I enjoyed the opportunities, for those I have met professionally I appreciate your work and have learned something from each and every one of you. So to all, farewell and keep us safe going forward.”

While Ruland joins an ever-growing number of senior executives leaving government, five others found new permanent positions.

Mark Kneidinger, the director of Cybersecurity and Communications Federal Network Resilience Division (FNR) in the Homeland Security Department, will join the new National Risk Management Center as the deputy director. DHS named Bob Kolasky to lead the new center in early August.

In an internal newsletter obtained by Federal News Radio, Emily Early, the National Protection and Programs Directorate’s chief of staff, wrote Matt Hartman will serve as acting director of CS&C while Mike Duffy will serve as acting deputy director for FNR.

Kneidinger led FNR since 2015 and has been with the office since 2013.

Before that, he worked for private sector companies including CSC and CACI, and was the CIO for state offices in New York and Virginia.

Hartman has been with DHS since 2010, having spent four years working as acting program manager and deputy program manager of the continuous diagnostics and mitigation (CDM) program.

At the State Department, Lonnie Price gets to finally remove the “acting” title from his business cards and is the permanent deputy assistant secretary and assistant director for the Cyber and Technology Security Directorate, which falls within the Diplomatic Security Service.

State created the new directorate in August 2017 to provide “advanced cyber threat analysis, incident detection and response, cyber investigative support and emerging technology solutions.”

The agency named Price as the new organization’s interim director a year ago. He has been with State since 1987, serving as a security engineer, director of the Countermeasures Division and most recently director of the Office of Security Technology, according to his LinkedIn profile.


The Government Publishing Office and the National Credit Union Administration named new CIOs as well.

GPO announced Sept. 10 it has selected Sam Musa as its new CIO, replacing Tracee Boxley, who left the agency in January. Layton Clay has been the acting CIO since Boxley left.

Musa comes to GPO after serving as the chief of IT services for the Equal Employment Opportunity Commission (EEOC) for the last 10 years, where he oversaw the help desk, desktop security, training, audio visual/video teleconferencing services, mobile devices and security audits.

Prior to EEOC, Musa served as an information systems security manager at the National Weather Service (NWS) and as an information systems program manager at the FBI.

He also teaches network/cybersecurity courses at the University of Maryland University College. Musa received a Doctorate degree in business administration from the National Graduate School, holds a Master’s Degree in public service from Fort Hays State University and a Master’s Degree in telecommunications from George Mason University.

It took Rob Foster just about a year to become the CIO at NCUA after joining the organization as deputy CIO in August 2017.

NCUA Board Chairman J. Mark McWatters announced Foster’s promotion on Sept. 4.

Foster joined NCUA last year after spending the previous two years as the Department of Navy CIO and also served as the deputy CIO at the Department of Health and Human Services.

Finally, Pamela Wise-Martinez joined the Energy Department’s Energy Information Administration on Sept. 4 as its chief architect. She comes to EIA after spending the last three years being the chief cloud and enterprise architect at the Pension Benefit Guaranty Corporation (PBGC).

This is Wise-Martinez’s second time at Energy. She was NNSA’s chief architect from 2010 to 2013 before moving to the Office of the Director of National Intelligence. She also worked at DHS, the Interior Department and the Securities and Exchange Commission.


How GSA’s customers are driving schedule modernization efforts

The General Services Administration wants its agency and industry customers to know they are listening when it comes to the schedules contracting program.

Not only is the Federal Acquisition Service in the final stages of updating the schedule contracts to make it easier for agencies to buy products and services at the same time, but FAS is planning other major changes for 2019.

Alan Thomas, the commissioner of GSA’s Federal Acquisition Service, said in an exclusive interview, agency customers and industry partners are, in many ways, driving the schedules modernization strategy.

“The schedules program is still a flagship program at GSA. It’s one of the crown jewels in the franchise at the Federal Acquisition Service. We take the health of the schedules program seriously and we are actively promoting it,” he said. “We do a customer satisfaction survey every year. We got more than 13,000 responses this year and they tend to be heavily focused in the general supplies and services portfolio in terms of the users that respond to it. Overall, the results of the survey were pretty heartening. We heard from customers that the value they perceive GSA providing is up year-over-year. One of my favorite measures is when asked if GSA has their best interests, that is up as well, which I think is a good sign.”

Thomas said he’s been to all the regions once and about half a second time to meet with GSA and federal agency customers since he took over as commissioner 14 months ago.

“I got a lot of individual data points with the customers and it’s really gratifying to hear them talk about GSA’s people. That’s the thing they compliment the most,” he said. “I get some feedback in terms of room for improvement on processes and systems so things like minimum order quantities and the usability of GSA Advantage are things we bring back and work on across the organization.”

One of those things GSA has been working toward is the change in the schedules program to let agencies combine products and services under one buy. Commonly known as order level materials (OLMs) or other direct costs (ODCs), this modification has been a long time in coming, and has been particularly frustrating for vendors who sell both products and services. Thomas said the impact of this major change will be felt in fiscal 2019. But, Thomas quickly pointed out that vendors and agency buyers can take advantage of the change today.

“There is a contract modification and special item number that vendors will have to get added to their contracts,” he said. “There is training and awareness. We have to make industry aware of it. We have to make our workforce aware of it, and then make the broader acquisition workforce aware of it. This is new and different so we want to make sure we get the guidance and training out.”

GSA to change minimum order requirement?

Another major change is around eliminating minimum purchase thresholds. Thomas said that was another request from agency customers because sometimes you just need to buy one of something and not 10.

“We consistently hear from customers that minimum order quantities often times will lead them to cancel orders,” Thomas said. “We are working with vendors on schedule to try and reduce or in some cases remove those minimum order quantities. Customers may be willing to pay a little more for that unit.”

Overall, Thomas said the health of the schedules is strong. He said GSA expects the schedules program to break even before they reinvest in the business, but will be in the black after investments.

“We are on a trajectory to be at break even at the level when we include our investments hopefully in two years. That’s a goal I’ve set for the organization,” he said. “Schedules spending is pretty steady over the last several years. Some of the volume has moved to governmentwide acquisition contracts and governmentwide multiple award contracts. But from my perspective, I take a portfolio approach and we want to make sure we capture all the spend that’s appropriate and having it placed on the right vehicle. But I’d say schedule spend is steady and from a cost recovery perspective, the program is healthy.”

Thomas said 2019 also is shaping up to bring major changes to the schedules program.

He said FAS is considering consolidating schedules down to one or a smaller set of schedule contracts.

“We have an internal team that is looking at that made up of a cross section of folks from FAS and they eventually will come to a set of options, they will brief up to me and we eventually will take them to [GSA Administrator] Emily [Murphy],” Thomas said. “The impetus behind schedules reform is to make sure the program continues to be healthy and meets the needs of our customers and industry partners. If you are a customer and you are looking to buy through the schedules, from our perspective sometimes it’s a little challenging to think about what schedule should they be buying it off of? Take contact centers, is that an IT purchase off of Schedule 70 or is that a professional services purchase off of 00CORP? I don’t know. I can make an argument for either.”

Thomas said he wants to reduce any potential or real confusion for agency customers as well as lessen the burden on vendors having to manage multiple schedules.

He said the working group should have some recommendations on potential schedule consolidations by the end of 2018 with implementation coming in late 2019 or 2020.

Schedule transparency pilot to launch

Additionally, Thomas said FAS is looking at whether it needs to reduce the number of contractors on the schedules, particularly those who haven’t done any sales in two or more years.

Thomas said many of these changes will need to be vetted and discussed with agency and industry partners before any implementation, which also is part of how FAS is trying to be more customer focused.

Two other major changes coming to the schedules are around transparency and fee adjustments.

Transparency has long been a problem for non-schedule holders. If you can’t see what agencies are buying through request for quotes or task orders, then how can a vendor determine whether or not to get a schedule contract — which can cost tens of thousands of dollars in time and money?

Murphy said in May that FAS would launch an e-Buy pilot in 2019 to provide more transparency into the schedules program.

Thomas said FAS Region 7 and Office of Administrative Services, which handles all the internal procurements for GSA, will take part in the pilot by making the full statement of work available on after the award is made.

Around the fees of the schedules program, it’s been 15 years since GSA reduced the industrial funding fee to 0.75 percent from 1 percent.

GSA and the Office of Personnel Management in August cut the fee to use the Human Capital and Training Solutions (HCATS) GWAC contract by 60 percent to 0.75 percent from 2 percent.

“We have a group that is looking at pricing [fee structure] across all of our GWACs and schedules. We want clarity and consistency for customers. We don’t want customers making choices for which vehicle to use based on the contract access fee. We want them thinking about what does the statement of work say and what is the appropriate scope of the contract? Then, making the decision based on that. In some sense, harmonizing fees or bringing them more in line with each other and making them more clear and consistent is a good move.”

GSA, VA to collaborate

A final area where GSA is trying to reduce confusion of agency customers and industry partners is around medical supplies.

The Veterans Affairs Department long has run its own medical supplies and services contracts, commonly referred to as schedules, despite GSA also running a similar program for the rest of government.

Thomas said GSA and VA are discussing how the two agencies could improve collaboration across the similar contracts.

He said VA is looking at how it could use some of the technology that GSA uses to manage its schedule program as well as how VA could use GSA’s global supply program to gain more control, visibility and more efficiencies in its micro-purchase spending.

“We are much further down the path [with the global supply program], joint teams have been stood up and project plans have been put in place. We think in fiscal 2019 you will see some significant spend flow through that requisition channel from VA,” Thomas said.

Early returns on GSA’s EIS contract, IT modernization is not in play

The idea of iterative or agile development hasn’t quite come to the Enterprise Infrastructure Solutions (EIS) contract.

If the initial handful of fair opportunity solicitations are any indication of what’s to come, the pressure on agencies to transition to the new $50 billion telecommunications contract run by the General Services Administration by May 2020 is pushing them to take a “winner take all” approach.

And industry experts say that approach likely means the Trump administration’s goal of using EIS to jumpstart IT modernization efforts will be overlooked.

Diana Gowen, general manager and senior vice president for MetTel’s federal program, said based on what she’s seen from the three solicitations so far, agencies are mostly taking a “like-for-like approach and asking vendors to tell them how they would modernize in order to get going. It’s not unlike Networx. So despite OMB pushing and all that stuff, it looks like same old same old, which is unfortunate.”

Denny Groh, executive director for corporate relations for Accelera Solutions, an IT services firm, and a former GSA executive who managed the FTS 2000 and FTS 2001 long distance contracts before retiring in 2003, said while agencies may be motivated to transform through EIS, he estimates less than one-third will actually do anything different.

“A lot of agencies don’t necessarily have all the buy-in of their sub entities and that makes it tough to get a unified front to figure out what they have and what they will do,” he said. “Many will do like-for-like, or they are going to transform in some moderate way.”

Both Groh and Gowen pointed to the three fair opportunity solicitations that are out today as an initial small sample size of the direction EIS may be heading.

The departments of Labor and Justice are among the first out of the gate and both solicitations are taking the “winner take all” approach for voice, video and data.

Justice is taking an interesting approach, Gowen said. The agency issued one solicitation, but it has three sections: one for the FBI’s voice and data where the vendor needs a top secret facility clearance, one for just the Bureau of Prisons telecommunications needs and finally one for the rest of DoJ. Vendors can bid on all three or any combination of the three.

The Social Security Administration, which was the first agency to release its request for proposal, wasn’t much better, looking for a vendor to provide data and voice services, which accounts for a majority of the agency’s needs.

The fact that these agencies seemingly are not transforming or modernizing through EIS doesn’t bode well for GSA’s situation that is getting tougher by the month. The Networx contract ends in May 2020 and GSA has said many times it doesn’t want to extend the contract so agencies have to get their transitions done.

Kay Ely, GSA’s assistant commissioner for the Office of Information Technology Category (ITC) in the Federal Acquisition Service, opened the door slightly to an extension saying in July that if agencies can show they are transforming more than transitioning to EIS, then an extension may be possible.

“If an agency says all I can do between now and May 2020 is like-for-like, then extensions are off the table,” Ely said at an AFFIRM event on July 26. “But if they are doing a hybrid or partial transformation and there is only so much work that can be done, we know in the back of our minds an extension is still out there. But agencies need to put all their efforts into transformation.”

But Groh, Gowen and others say an extension is all but assured.

As of Aug. 8, GSA reported four of nine EIS vendors have completed the business support systems testing, and all nine contractors will not be done until early November at the soonest.

After the BSS functional testing, all vendors’ systems must go through the final security approval process.

“GSA is now beginning to be concerned about how to get everyone through that authority to operate (ATO) hurdle. They are thinking about how do they expedite this ATO process,” Gowen said. “One of the things that has been suggested is for those awardees who want to work on sprint can nominate themselves to get to the FISMA moderate accreditation faster. We certainly would raise our hands.”

Gowen said given the timeline of vendors not getting ATOs until the spring, GSA likely will have little choice but to extend Networx.

“As we are working with agencies we suggest, as they craft proposals, that they factor in whether all of their modernization goals are achievable within the targeted transition timelines. Timeframes are going to be aggressive,” said a Verizon spokeswoman by email. “When agencies are making their decisions, they should consider past performance to determine if the vendor they are selecting is capable of executing on an aggressive transition. Agencies must balance the urgency of transition with the necessity of modernization.”

The Interior Department may be one of the IT modernization outliers under EIS.

Tim Quinn, Interior’s chief of enterprises infrastructure, said at the Network Modernization Forum in June, sponsored by ACT-IAC, that the agency started discussing what transformation would look like under EIS more than a year ago.

“Go big means citizen delivery,” Quinn said. “If we have better, more complete big data driven, high performance computing heavy model driven interoperability between what USGS does with ground water and surface water with what NOAA does with its weather models, we can get much better predictions of things like [the flooding] in Ellicott City, Maryland. So when I talk about going big with EIS, in order to do those things I have to be prepared to deliver 100,000 sensors over the next few years. So going big is putting your business first.”

Quinn said Interior is looking for technology that industry may not be ready for today but since EIS is a 15-year contract there are a lot of possibilities on the horizon.

“We have tremendous change capacity built into the contract. I can write and award a new fair opportunity a year later,” he said. “We continue to write fair opportunities under Networx. We made changes along the way. One we did was a broadband fair opportunity through Networx and brought in a technology we didn’t even think about when we started Networx. I think it’s been a good thing for both Interior and government.”

Quinn said that approach is the future of EIS as well where agencies can bring on new technologies as they are ready.

“We want to get off Networx as fast as humanly possible, but we also want to change as fast as possible,” he said. “I have customers who view me as a dinosaur. We are behind and we need to be innovative so we need to partner with everybody to help each other get there faster.”

Gary Hall, the director of strategy, planning and operations at Cisco, said transformation for many agencies doesn’t have to mean a full scale revolution, but more of an evolution.

“They should transform themselves from a perspective of providing operations and maintenance of on-premise gear to brokering the services they need, however they need whether on-premise or in the cloud,” Hall said.

OMB putting a twist on applied research to solve federal management challenges

The Office of Management and Budget’s idea to create a public-private applied research center to focus on federal challenges is not necessarily new. Over the last half century, there are dozens of examples of partnerships between the government and the private sector around challenges such as transportation, parks and recreation, and high-speed Internet access.

But what is different about OMB’s plan to create the Government Effectiveness Advanced Research (GEAR) Center is the focus on internal federal challenges such as workforce modernization and the use of data.

“When I arrived here in government, I was actually surprised to find there was a lot of cross-cutting applied research that brought that academic rigor to the problems of management in the public sector. The challenges we have around procurement, HR and IT are all intersecting challenges that I believe interdisciplinary skillsets of the private sector and the academic world will help us solve,” said Margaret Weichert, the deputy director for management at OMB, during a webinar on the GEAR effort on Aug. 23. “At its heart, what we are hoping to achieve in the GEAR Center, is to get your innovative ideas from the marketplace of ideas that you all live in and how we might tackle those challenges.”


Much of that applied research Weichert was referring to is done by places like the Partnership for Public Service, the National Academy of Public Administration and the Performance Institute and industry, which pays for the reports and studies.

While there is a level of objectivity in those efforts, the vendors aren’t paying tens of thousands of dollars for a study that doesn’t benefit their business line. For example, if vendor X provides management consulting services, they don’t want a report that finds agencies have plenty of skills to manage programs and projects.

The question then comes back to whether this GEAR Center can be any different? Can it be sustainable?

Those are among the questions OMB is asking for feedback by Sept. 14 on an RFI issued earlier this month.

Weichert said the vision of the GEAR Center is one that has an “independence of thought” and isn’t hamstrung by federal procurement rules and requirements.

“We know there are a number of universities who have centers of academic research. We know across government there are experts at Defense Advanced Research Projects Agency, Defense Innovation Unit in the Defense Department, the National Science Foundation involved in working with the academic community and many good government organizations have many good ideas. My personal favorite, state and local governments have great ideas about how they are partnering in their communities to transform old-style jobs into the jobs of the 21st century,” she said. “We didn’t want to confine our thinking to our initial hypotheses. We wanted actually to go to the experts, the people who are experts in data science, experts in continuous learning and reskilling and ask you what would be the things you would focus on and how might we structure this? How do we fund test and learn activities?”

At the end of the day, Weichert said the GEAR Center is about innovation and the ability to test theories that may lead to the need to change policies or laws.

“Part of the goal of the center is to help unlock money for infrastructure, innovation through test and learn activities that would benefit not only the government, but the private sector providers of those solutions,” she said. “This would be a message to the private sector folks…think about all the things you find difficult when trying to pitch new ideas or new economic models to government, how a center like this might help us ingest that innovation and how we might use this to create an on-ramp to pay-for-performance type solutions or better alignment to pay-as-you-go models. Those are all the kinds of things I could see happen here.”

OMB to come up with initial funding

Mark Bussow, a program manager in OMB’s Office of Performance and Personnel Management (OPPM), said the GEAR Center is expected to launch in 2019.

He said a lot of the responses to the RFI will help influence what the center will eventually look like. Weichert added that OMB will have some seed funding of a couple million dollars to get the center going.

She said the GEAR Center likely will be similar to centers at academic institutions that take on corporate funding to work on projects that have a commercial benefit in the future and can create long-term sustainable funding models that way.

“We at the government can provide a seat at the table, clarity around the vision and the agenda. We’d anticipate in whatever form that this center takes shape that the governance model would include probably two seats on whatever governing body there would be for this center for the government. One would probably be the DDM position and then we would probably have more of an institutional director at GSA also have a seat. Whether that’s the administrator or someone else is yet to be determined,” Weichert said. “The goal in having those two seats at the table is to help create that on-ramp back into the government. Ultimately the vision would be that the funding model would be self-sustaining outside of government.”

Weichert said the real measure of success is more than creating a test-and-learn environment and a self-sustaining funding model. It is taking the applied research and transforming the government.

“I’ve been asked to identify how many federal workers I can retrain in the next two years toward the jobs of the 21st century, particularly around IT and cybersecurity jobs. I haven’t settled on the final number that I can make a commitment to, but if GEAR Center were an effective place I could turn to and say, could I train 200,000 workers in the next 18 months in the skills they would need to migrate from a paper-based process oriented type of jobs to a cybersecurity job or a data center job, what might that look like? What tools could I access on demand to help make that transition?” she said. “If this center would enable us to provide examples of that, that we could actually deploy, that would be an incredibly successful start.”

Weichert said the biggest difference in the GEAR Center approach and the other previous ideas is the lens by which the initiative is looking for solutions. She said GEAR is taking an operator lens versus a legal or policy lens.

“Both are critical to any question that has to do with government, but starting with the question of how do we act differently and how do we implement differently is a question that is normally in government only gets asked around mission,” she said. “DoD asks this question all the time in the field. FEMA asks this question all the time in the field. But it hasn’t been a priority to invest in these types of questions around disciplines that are just not that talked about in Washington. All the things I’m passionate about on the management agenda, finance, accounting, procurement, IT, information security, personnel policy, digital customer experience are not common priorities.”

She said the GEAR Center would help find those communities outside of government to help agencies better understand how technology can improve services to citizens.

“Government is in the services business, at least 50 percent of our services are delivered electronically, but we don’t invest that way,” she said. “That is the biggest difference to shift from the inside out to an outside in and look at what industry is doing around these same questions.”

Does innovation exist in federal procurement? OFPP is on the lookout

Innovation has become one of those words that has lost its meaning, particularly in the federal market.

Think about what is considered “innovative” these days. Reverse industry days? Vendors and agencies are supposed to talk.

Other transaction authority? The Defense Department, NASA and other agencies have had access to OTAs for 25-plus years.

Cloud computing? Ever heard of managed services or alternative service providers (ASP)? These were the cloud before “the cloud.”

So does that mean innovation in the federal sector is unattainable? Is it just, in the words of Mark Forman, the former administrator of e-government and IT at the Office of Management and Budget in the George W. Bush administration, “putting lipstick on the pig?”

“There is more discussion around innovation both inside and outside of the government, but there is not as many solid use cases and stories that break things down in practical sense that will help people,” said one federal procurement expert, who requested anonymity because they didn’t get permission to talk to the press. “The biggest challenge that I see is with innovation in general is people are throwing out the word and do not know how to apply it, how to problem solve. They are just saying, ‘We are doing something innovative,’ but it may not be innovative.”

This question of what innovation is and how to measure it is at the center of a new effort by the Office of Federal Procurement Policy (OFPP). It has asked the industry association ACT-IAC’s Institute for Innovation for help in identifying and detailing federal acquisition innovation across government.

Tim Cooke, CEO of ASIGovernment and a member of the institute, said a team of 40-to-50 volunteers is starting to work on a project to figure out what’s working in government and develop a series of use cases for others to follow.

“I’ve heard from lawmakers that they feel like they’ve got to find a way to reduce the burden and get some of the red tape out of the acquisition process for agencies,” Cooke said. “A lot of the concerns are real because there is a perception that there is a lot of red tape and a lot of barriers to entry to the federal market.”

Cooke said OFPP asked the ACT-IAC working group to focus on four specific areas:

  • Problem focused – What is the problem such as getting email to the cloud, and how to get late adopters to look at what early adopters have done? This area is focused on the President’s Management Agenda, specifically around the IT modernization goal.
  • Process focused – This is focused on the work of places like the Homeland Security Department’s Procurement Innovation Lab. Who is looking at the acquisition process and innovating, testing and expanding it? “They’ve gone to FAR Part 1 and set the stage by doing what makes sense for government. They are using business judgement and making the rules do what they need them to do,” Cooke said.
  • Build a catalog of learning by innovative organizations – What have agencies learned over the last 3-to-5 years about how to use “new” authorities such as OTAs, commercial solutions opening (CSO) or challenges? GSA launched a pilot program around CSOs in early August. “GSA’s CSO procedure offers fast-track vendor selection timelines, simplified contract terms, and a preference for allowing the vendor to retain core intellectual property, when appropriate. CSO is designed to attract start-up companies and those new to the federal market and should benefit both government and taxpayers with reduced costs and improved performance,” writes Chris Hamm, the director of FEDSIM in a 8 blog post.
  • Identify innovative organizations that don’t get a lot of attention – Cooke said there are more than 3,000 buying organizations across the government, and while places like GSA’s FEDSIM or the National Institutes of Health are well known, what are the other organizations that have successes they can share with the rest of government and industry?

Cooke said ACT-IAC hopes to deliver initial findings at the Executive Leadership Conference (ELC) in October.

Survey says agencies desire innovation

And it looks like the sharing of information can’t come fast enough. In their recent 9th annual biennial survey of federal acquisition leaders, the Professional Services Council and Grant Thornton found that the use of innovative practices is a major priority over the next 2-to-3 years.

The survey found 82 percent of the respondents expect the use of innovative practices to increase by 2021, while more than half rated the use of and access to innovation a 2 on a scale of 1-to-4.

“This was an area I was a little disappointed in. It was clear that the term innovation is being talked about a lot in government, but it’s not well understood. I don’t think senior leaders are defining the issue well and I don’t think the acquisition community understands what is expected of them in terms of innovation,” said Alan Chvotkin, senior vice president and counsel at PSC. “The acquisition respondents we talked to really didn’t believe they were doing a good job in either using innovative acquisition techniques or gaining access to innovative capabilities in industry.”

Chvotkin said there clearly are pockets of innovation; the labs and the rise in the use of OTAs are two examples of where change is happening.

But he said agencies should refine where they really need innovation: in the acquisition process, in the technology and services they buy, or both.

The federal procurement expert said the results of the survey were not surprising.

The expert said too often agencies are satisfied to continue with the status quo because being innovative requires more work and more risk.

“The larger piece to all of this is you can’t turn the Titanic easily, and the government is not set up whether around acquisition or finance or human resources or IT to ‘innovate’ quickly,” the expert said. “The resources just aren’t there. If you had a project and wanted to pitch your executive with options, folks may want to do it, but to actually do it right, you will have to devote resources that aren’t there. Other offices will not give up their resources for something that is potentially experimental. They are more willing to go the traditional way of doing the work.”

But experts say hope is far from lost. DHS’ Procurement Innovation Lab (PIL), GSA’s Federal Acquisition Service, the Department of Health and Human Services’ Buyer’s Club and several other examples prove that the combination of leadership and desire can create the right environment for change.

Now whether it’s innovation or just bringing existing tools to the front and center, well that’s a different discussion.

GSA to close down reverse auction platform after 5 years

Look back over the last, say, 25 years and see if you can remember the last time an agency publicly admitted defeat with a program or project and decided to move on. Don’t think about a contract that failed or even an act of Congress ending a specific program, but focus on a service offering that just couldn’t make it.

It’s hard to find one. Right?

This is why the General Services Administration’s decision to shut down its reverse auction tool on Dec. 31 is significant.

GSA is pulling the plug after just over five years.

“GSA has made the difficult decision to decommission our Reverse Auctions (RA) platform. Unfortunately, the platform did not prove to be financially viable,” Erv Koehler, the acting deputy commissioner of the Federal Acquisition Service, wrote in a note to GSA agency customers and industry partners on Aug. 7. “Our focus now is to ensure the platform is shut down in an orderly way. As such system operations will conclude at the end of Fiscal Year 2018, which means the RA platform will not be available for either the creation or management of auctions after Sept. 30, 2018. Auctions with end dates after Oct. 1, will be allowed to conclude as scheduled. GSA will maintain RA system access for users through Dec. 31, allowing for the retrieval of auction-related documents.”

What’s even more surprising is the fact that Koehler wrote the note to announce the decision. Koehler, who when not acting deputy commissioner is the regional FAS commissioner in Atlanta, spearheaded the reverse auction platform, so he both launched it and shut it down.

A GSA spokeswoman added: “Decommissioning GSA’s Reverse Auctions will allow GSA to refocus resources and personnel to support other critical growth areas in the Federal Acquisition Service. Our customer service directors are working with current RA vendors and customers to find the GSA tools, platforms and programs that best meet their specific acquisition needs.”

That last sentence from the spokeswoman really is at the heart of why the reverse auction platform ultimately failed. Experts say GSA’s tool never did enough to meet customers’ specific acquisition needs.

Reid Jackson, the CEO of Compusearch, which runs the FedBid reverse auction platform after buying the company in 2017, said GSA’s decision caught him by surprise but customer agencies clearly wanted more from the platform.

“We ran into competition from GSA’s account managers at agencies who had competitively awarded contracts with FedBid and it seemed to us GSA was actively competing,” Jackson said in an interview. “There are different models for reverse auctions. GSA was running more of a self-service portal where agencies posted things like they do on eBuy. FedBid is more of a full-service portal where we help buyers recruit sellers and drive competition to the marketplace. This statement by GSA is perhaps evidence that what buyers are looking for is more full service offering to drive competition, save time and actually reduce procurement action lead time. We think buyers want a more comprehensive service offering than a self-service portal.”

GSA’s platform didn’t pick up steam

Comparative data between FedBid and GSA is hard to come by. A July Government Accountability Office report on reverse auctions found in 2017 agencies conducted about 19,000 reverse auctions valued at about $1.5 billion, but didn’t break down how many went through GSA, how many went through FedBid and how many went through some of the other lesser known tools such as the Army’s CHESS IT e-mart auctions.

GSA says on its reverse auction website that it has awarded $249 million through the platform across 31 agencies.

Tim DiNapoli, GAO’s director of Contracting and National Security Acquisitions, said only a very small percentage of the reverse auctions in the federal marketplace went through GSA’s platform.

“It is worth mentioning that GSA started the initiative some five years ago. It seems to me that despite their efforts, the use of the platform never seemed to pick up enough steam or visibility to make it, in GSA’s eyes, a viable proposition relative to the costs of providing the services or diverting the staff resources from other priorities,” he said.

To some, it was unclear why GSA even got into the reverse auction game in the first place.

One former federal procurement official, who requested anonymity because their current company still does work with the government, said the market spoke years ago about which platform they liked better.

“The GSA tool didn’t have all of the functionality, features and ancillary services that some industry providers offered. The economics of it weren’t any more compelling than using existing tools,” said the former official. “I really hope that the lesson learned here is when GSA or other service providing agency sees an opportunity to improve a technology, service or tool provided by industry already they try to partner with industry to benefit all partners.”

The former official said GSA didn’t work with FedBid or Compusearch, which had its own reverse auction tool before it bought FedBid, to create an integrated offering, and instead tried to compete with the vendors.

“It was clear from the initial look and feel of GSA’s tool that it was modeled after existing reverse auction platforms and used the same characteristics and terminology,” the former official said. “Despite the time GSA took to improve the tool and an aggressive marketing of it, the vast majority of government buyers chose the industry option over GSA’s option. I think this also points to some overriding concerns around GSA’s services in general. I think that with all of the industry and government focus on trying to bring innovative technology to government buyers, this strange imbalance exists where GSA too rarely thinks creatively about how to partner with industry. The reverse auction tool is an example of a missed opportunity to improve service delivery.”

Reverse auctions settled down

Compusearch’s Jackson said the reverse auction market seems to have settled into a good rhythm and understanding. He said FedBid has seen a 10 percent growth in 2018 over 2017, and for the first time in the last five or so years lawmakers didn’t include any new provisions in the Defense authorization bill targeting reverse auctions. The last memo from the Office of Federal Procurement Policy around reverse auctions came in 2015, and agencies, including GSA, are successfully using reverse auctions with little or no fanfare.

“It is one of many available tools and as such there are places where it makes a lot of sense when buying commercial items,” he said. “Now people are understanding the right sorts of acquisitions that lend themselves and what don’t. I think during the first 5-to-10 years of reverse auctions people may not have understood that as well and may have applied reverse auctions where it wasn’t the right tool. I think we’ve moved beyond that.”

Jackson said most agencies use reverse auctions for commercial auctions below the simplified acquisition threshold (SAT) of $250,000, and use traditional solicitations for more complex goods and services.

The former federal procurement official said they give GSA a lot of credit for deciding to shut down the reverse auction tool because too often agencies continue to “throw good money after bad for fear of embarrassment of admitting failure.”

VA, DISA bring in new acquisition executives

It feels like you can’t go by a week without another federal IT executive or two or three leaving for the private sector or the Florida sun.

And while the path to the private sector and retirement remain well traveled, the good news is reinforcements are arriving.

At the Veterans Affairs Department, Secretary Robert Wilkie appointed Karen Brazell as the new principal executive director for the Office of Acquisition, Logistics and Construction, on Aug. 6.

Brazell replaced Greg Giddens who retired in November after 37 years in government.

In her new role, Brazell oversees acquisition, contract administration and supply-chain processes for VA as well as serving as the agency’s chief acquisition officer.

One of her big focus areas likely will be VA’s continued focus to improve its construction project management. In January 2016, Giddens launched an initiative to improve the project and program management of projects around five core principles.

In January, VA said the Rocky Mountain Regional Medical Center in Aurora, Colorado, was 98 percent complete, and the department expected patients to begin using the new medical center in August.

In addition to construction challenges, Brazell will have a full plate: the agency is moving to the cloud in a big way, is trying to bring in new technologies more quickly through a Lighthouse initiative, and continues to struggle with IT logistics initiatives.

Before coming to VA, Brazell worked in several different government organizations and served in the Army for four years in the 1980s.

She comes to VA after serving as the chief of staff for the White House Military Office, where she oversaw strategic planning, engagement planning, communication product development, staff coordination and integration, special projects, policy development, and resource management. She also was deputy director of the Acquisition and Resource Integration for the Naval Facilities Command.

Additionally, Brazell spent 17 years as a contractor in the Defense sector before joining the DoD civilian service in 2006.

The Defense Information Systems Agency also filled a key acquisition position by naming Carlen Capenos as its newest Office of Small Business Programs (OSBP) director.

Capenos started in her new role on Aug. 6 after spending the last 22 years working for the Department of Defense in contracting and with small businesses. She has been with DISA since 2015.

She replaces Sharon Jones, who retired in April after 40 years of federal service.

Capenos moves into her new role with a goal of continuing to expand DISA’s contracting success with small businesses. The agency reports that in fiscal 2018 it awarded $1.7 billion in prime contracts to small businesses. These 6,522 contract actions represented 28.2 percent of all contracts awarded by DISA.

Capenos joined DISA in 2015 where she worked as the chief of the acquisition resources and special projects branch. Prior to that, she worked with the U.S. Army Corps of Engineers in a number of roles including as the deputy for small business programs and as chief of the Secure Environment Contracting Branch.

Labor, USDA put out help wanted signs

While VA and DISA added new executives, the Agriculture and the Labor departments are looking at resumes to fill key positions.

Tony Cossa, who served in significant technology roles at USDA including as director of cloud strategy and acting chief technology officer, left government after more than a decade to join Oracle. Cossa is a senior product strategist for the software giant.

Cossa spent the last four months working as a senior advisor on Agriculture’s technology modernization effort under the White House’s Center of Excellence (CoE) initiative.

He also worked at the General Services Administration for four years and the Homeland Security Department.

Over at Labor, Mika Cross jumped to the private sector after spending nearly three years working as the director of strategic communications, digital and public engagement for the Veterans’ Employment and Training Service.

Cross is now vice president of employer engagement and strategic initiatives at Flexjobs, a service that helps workers find flexible/telecommuting jobs from multiple sectors.

In addition to her time at Labor, Cross set up a well-respected telework program at USDA, and worked at the Office of Personnel Management as an HR consultant and at the Consumer Financial Protection Bureau as the director of work/life and flexible workplace strategy.


How agencies can stop playing ‘Russian Roulette’ with their email security

The number of agencies playing “Russian Roulette” with their email remains amazingly high.

With less than two months before the Homeland Security Department’s Oct. 16 deadline, the number of agency domains still not meeting the requirements under Binding Operational Directive 18-01 is more than 200.

The main focus of the BOD from last October is for agencies to move to full use of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which is an email-validation system designed to detect and prevent email spoofing. They also must implement Hyper Text Transfer Protocol Secure (HTTPS), HTTP Strict Transport Security (HSTS) and disable weaker cryptography standards.

“If you don’t know where an email comes from, that is creating a risk from the number one communications platform,” said Alexander Garcia-Tobar, CEO of ValiMail, a cybersecurity company focused on implementing DMARC and other email safeguarding standards, at the recent cyber summit sponsored by 1105 Government Information Group in Washington. “The risk is still growing as email is completely unsecure. Criminals, state actors and others are taking advantage of the fact that email isn’t authenticated. You wouldn’t accept a credit card without swiping it, but it seems to be okay in accepting email on its face value.”

The Office of Management and Budget’s website tracking agency progress against BOD 18-01 and other related requirements shows some surprising agencies that have made little to no progress in complying. The Federal Election Commission is at 28 percent complete. The Consumer Financial Protection Bureau is at 33 percent complete. And the Treasury Department is at 55 percent complete.

Source: OMB website

These are just three agencies that deal with the public, and hackers could easily spoof their email accounts to trick citizens into revealing personal information. Add to that: OMB found in the 2017 Federal Information Security Management Act report to Congress that the number of attacks via email or phishing doubled in 2017 to more than 7,300.

Patrick Peterson, the founder and executive chairman of Agari, another cyber company protecting emails, said 81 percent of the civilian agencies have adopted phase one of DMARC, meaning they can authenticate their email address to other users.

He said 52 percent of the agencies have implemented the second part of DMARC, which focuses on protecting, rejecting and enforcing the domain name security protocols.

“Over the next two-to-three months to get to 100 percent across government will not be easy,” Peterson said. “In order to get to phase 2, agencies have to track down all third party senders, so that means all sub-agencies that use subdomain to send email. That does take work. But hopefully by the October deadlines agencies will be much closer to 75-to-80 percent. That would be a pretty good one-year turnaround.”
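An added example, not from the article or from any vendor quoted in it: a Python sketch that classifies a domain's published DMARC TXT record along the lines of the two phases Peterson describes. It assumes phase one corresponds to a monitoring-only `p=none` policy and phase two to `p=reject` that also covers subdomains; the domains and records are constructed samples.

```python
import re

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split a DMARC TXT record (tag=value; ...) into a dict, or None if not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        return None  # v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (status, findings) for one record; txt is None when nothing is published."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "no-record", ["domain publishes no DMARC policy"]
    p = tags.get("p", "").lower()
    if p not in STRENGTH:
        return "invalid", ["missing or unknown p= tag"]
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to inventory senders")
    if STRENGTH.get(sp, 0) < STRENGTH[p]:
        findings.append(f"sp={sp} leaves subdomains weaker than p={p}")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={pct_raw}: policy not applied to all mail")
    if p == "none":
        status = "monitoring"   # assumed equivalent of "phase one"
    elif p == "reject" and sp == "reject" and pct >= 100:
        status = "enforced"     # assumed equivalent of "phase two"
    else:
        status = "partial"
    return status, findings

# Constructed sample records; None means no _dmarc TXT record exists.
SAMPLES = {
    "agency-a.example": None,
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=reject; sp=none; pct=50",
    "agency-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-d.example",
}

def report(samples=SAMPLES):
    return {domain: assess(txt) for domain, txt in samples.items()}
```

The `sp=none` case is the one tied to the subdomain work Peterson mentions: the parent domain rejects spoofed mail while its subdomains remain open.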

HHS case study using DMARC

Peterson pointed to a case study Agari likes to highlight as to why DMARC matters so much. Agari worked with the Department of Health and Human Services to protect the website.

After implementing DMARC in 2016, HHS saw no phishing campaigns against the popular health care website.

“Their chief information security officer sent us a note saying there was no phishing going on and he thought there was something wrong with the system. We double checked it, and found everything was fine,” Peterson said. “The emails went to reject and didn’t get delivered. The bad guys had gone off to attack other agencies because emailing citizens with fake notices wasn’t working well.”

An example such as this one should be enough to convince every agency and private sector organization to move quickly to DMARC.

Peterson said there are 217 domains subject to the directive not yet compliant with phase 1, but a majority of the consumer facing ones, including, and others are in good shape for phase 1 if not also for phase 2.

But that’s not the case, most surprisingly, at the intelligence community, including the CIA, the Office of the Director of National Intelligence and the Terrorist Screening Center, which OMB’s website shows are 0 percent complete. Now to be clear, the IC doesn’t have to comply with the BOD because national security systems are exempt, but it’s nonetheless surprising.

John Sherman, the assistant director of National Intelligence and Intelligence Community chief information officer, said in an email to Federal News Radio that the IC has a range of activities to implement cybersecurity best practices.

“Cybersecurity is a key priority of mine, and IC CIO is currently in the process of coordinating with the Intelligence Community a cybersecurity implementation plan that will identify the foundational tasks needed to improve our safeguarding posture and drive some really important conversations on risk,” he said.

DoD to implement email security by Dec. 31

At the same time, lawmakers want DoD to implement DMARC. In the 2019 Defense Authorization bill, Congress included a provision requiring the Pentagon to implement the email security protocol.

Lawmakers also are requiring DoD to implement future BODs by having the DoD CIO “notify the congressional defense committees within 180 days of the issuance by the Secretary of Homeland Security after the date of the enactment of this act of any Binding Operational Directive for cybersecurity whether the Department of Defense will comply with the directive or how the Department of Defense plans to meet or exceed the security objectives of the directive.”

At the same time, DoD CIO Dana Deasy told Sen. Ron Wyden (D-Ore.) in July that the Joint Force Headquarters DoD-Information Networks (JTF-DoDIN) will issue a tasking order by mid-August to implement the BOD’s requirements with a completion date for most requirements by Dec. 31.

But even if you take out the IC and Defense community, the number of domains that still have a long way to go with less than 60 days left is disconcerting for many reasons.

Rob Holmes, vice president of email security at Proofpoint, said the biggest challenges for agencies include identifying legitimate senders, finding internal owners of email programs/mail flows and working with authorized third parties to align their sending practices with the constraints of the DMARC standard.

“While there are no technical reasons why certain agencies may not be able to deploy DMARC, there are technical reasons why it may be more difficult and risky for some agencies to deploy DMARC,” Holmes said. “For example, if an agency has a particularly large and/or complex email ecosystem that uses a number of different email service providers across different locations with different change control processes. Some agencies might feel that the BOD 18-01 was sprung on them and therefore might not have the necessary DMARC deployment funds and resources in addition to an already established budgeting cycle.”

Marcus Christian, a cybersecurity and data privacy attorney with Mayer Brown and a former executive assistant U.S. attorney for the Southern District of Florida, said DMARC implementation is a good news story for agencies. He said this is a good example of federal employees getting ahead of the private sector and changing the perception that the government can’t be ahead of the private sector when it comes to technology.

“There is no reason why all of these domains couldn’t be secured by DMARC,” Agari’s Peterson said. “Even those that aren’t used all that often are actually easier to apply DMARC to. We don’t see any rhyme or reason why agencies can’t meet the Oct. 16 deadline. It’s just a matter of agencies having their act in gear.”
