Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.



NASA’s ‘act of desperation’ demonstrates continued cyber deficiencies

One of NASA’s main networks used by almost every employee and contractor and managed by Hewlett Packard Enterprise is in such bad shape, the agency’s chief information officer could no longer accept the risk and let the cybersecurity authorization expire.

Renee Wynn, NASA’s new CIO, didn’t sign off on the authority to operate (ATO) for systems and tools under the $2.5 billion Agency Consolidated End-user Services (ACES) contract, which HPE won in 2010. Under the 10-year contract, HPE provides and manages most of NASA’s personal computing hardware, agency-standard software, mobile information technology services, peripherals and accessories, associated end-user services and supporting infrastructure.

A NASA spokeswoman confirmed the ATO expired on July 24. She said Wynn signed a “conditional” ATO for the systems under ACES, but internal NASA sources said the authorization is just for the management tools and not for the desktops, laptops and other end user devices.

“NASA continues to work with HPE to remediate vulnerabilities,” the spokeswoman said. “As required by NASA policy, system owners must accomplish this remediation within a specified period of time. For those vulnerabilities that cannot be fully remediated within the established time frame, a Plan of Actions and Milestones (POAM) must be developed, approved, and tracked to closure.”

Letting an ATO expire on a major agency network is unheard of in government.

Multiple federal cyber experts said agencies know at least a year in advance when an authorization and accreditation needs to be renewed.


GSA’s 4th quarter buying event turns category management talk into action

Over the last few years, there has been a lot of talk about the goals of the Obama administration’s category management initiative, particularly around getting agencies to buy as one entity.

The first real demonstration of that concept happened earlier this month when the General Services Administration conducted a reverse auction to set up three blanket purchase agreements for five agencies to potentially buy more than 45,000 laptops and desktops. The customers for this fourth quarter buying event were GSA’s Chief Information Office, the Department of Veterans Affairs, the Defense Health Agency, the U.S. Holocaust Memorial Museum and the Defense Logistics Agency.

“The discounts offered by industry from the GSA schedule price list was an average up to 18.97 percent from the initial eBuy submission,” said a GSA spokeswoman. “Participating agencies provided estimates of future purchases for the fourth quarter buying event. The breakdown of how many laptops versus desktops were purchased will be available once participating agencies place their actual orders against the BPAs that are awarded.”

GSA finalized two of three BPAs on Aug. 17 and is expected to complete the third one later this week.

Impress Technologies Solutions Inc. will provide Dell computers under one contract, and ABM Federal Sales will provide Hewlett-Packard PCs and laptops on another BPA. GSA’s spokeswoman said the agency will publish all final prices on GSA Advantage later this week as well.


VA doesn’t waste time in implementing Supreme Court decision

The Veterans Affairs Department acted unusually quickly to comply with the U.S. Supreme Court’s “rule of two” decision in the Kingdomware case.

So much so that it both surprised observers and had them wondering if VA was acting too hastily.

VA issued new acquisition regulations July 25, just more than a month after the decision, which found VA’s interpretation of a law requiring the agency to set aside all procurements if at least two veteran-owned small businesses are qualified was flawed. The nation’s highest court reversed the lower court’s decision on June 16 by an 8-0 vote, finding VA must use the “rule of two” for supply schedule contracts even if it has met its statutory contracting goals.

“We expect to set aside a greater volume of VA contracts to service disabled veteran-owned small business and veteran-owned small business suppliers,” said a VA spokesman in response to questions from Federal News Radio. “VA senior officials will be developing market research principles during a two-day integrated process team meeting Aug. 10-11. These principles will be transformed into a comprehensive policy, which will be used by all VA requirements personnel in the conduct of market research. In addition, a training course is currently being developed by the VA Acquisition Academy, and training will be conducted for required VA personnel during August 2016. The Office of Small Disadvantaged Business Utilization (OSDBU) is improving its existing market research platform to provide more robust research and analysis capability.”

Additionally, it said it completed training of its acquisition workforce by Aug. 5 through its VA Acquisition Academy.


A-130 finally gives identity management a much needed policy boost

Of all the changes Circular A-130 brought forth, maybe the most significant is catching federal policy up with reality.

The fact the Office of Management and Budget hadn’t done a full update of A-130 in 16 years gave some agencies the ability to slow-roll unfunded mandates, because they said those requirements weren’t in the overarching policy document.

Identity management is a great example of where this happened.

Judy Spencer, the policy management authority chairwoman of the CertiPath bridge and a former General Services Administration official who oversaw many of the identity management initiatives across government, said the A-130 update creates that one place for leaders to point to and move government and industry toward a more complete use of identity management. CertiPath is a trusted authority for interoperable identities for collaboration in the aerospace and defense industry.


HHS IT executives finding new homes

Dave Nelson and Frank Baitman are taking what they learned at the Department of Health and Human Services and applying it to other organizations.

Nelson, the former chief information officer and the director of the Office of Enterprise Information at the Centers for Medicare and Medicaid Services, took a new job as the Nuclear Regulatory Commission’s CIO. His first day will be Aug. 22.

Baitman, the former HHS CIO who left the agency Nov. 30, is working as a part-time advisory fellow with Cisco.

“I’ll be working with Alan Balutis, senior director at Cisco, along with Martha Dorris, who has also joined the Cisco team as a fellow,” Baitman told me via email.

Nelson replaces Darren Ash, who left NRC in February to be the CIO of the Agriculture Department’s Farm Service Bureau.


Agile contracting craze is taking government by storm

The Homeland Security Department and its components have jumped fully on the agile or dev/ops bandwagon. You could possibly blame Mark Schwartz, the chief information officer at the U.S. Citizen and Immigration Services, for his success in using this approach for both contracting and project management.

Or you could blame the Office of Management and Budget for its push to change the culture of government and stop the struggles of IT projects.

And, of course, it would be easy to blame industry for its recognition of the “next great IT advancement” for pushing DHS and almost every other agency toward the concept of iterative development. Let’s say the common refrain heard at so many conferences together, “If it’s good enough for Netflix, Uber and every other startup, then why not the federal government?”

So no matter who you blame, questions arise:

Has DHS, and really almost all of government, gone overboard with agile? Is the government heading down the same contracting rat hole it did with IT services where every agency and their brother and sister had an IT services contract, which cost agencies and vendors hundreds of millions of dollars to bid, protest and run?


Cyber checklist is dead, long live the new A-130

One of the last vestiges of the old way of thinking about cybersecurity is dead.

The requirement to reevaluate the security of IT systems every three years has been flushed from the governmentwide policy that for so long stood in front of agencies and inspectors general moving toward a continuous monitoring approach.

The Office of Management and Budget July 28 issued the update to Circular A-130.

“The revised circular consolidates in one guidance document a wide range of policy updates in information governance, acquisitions, records management, open data, workforce, security, and privacy. In particular, the revisions highlight requirements from the Federal Information Technology Acquisition Reform Act (FITARA) to improve the acquisition and management of information resources,” OMB said in a fact sheet about A-130. “The revised circular also emphasizes and clarifies the role of both privacy and security in the federal information lifecycle. Importantly, the revised circular represents a shift from viewing security and privacy requirements as compliance exercises to understanding security and privacy as crucial components of a comprehensive, strategic, and continuous risk-based program.”

OMB last updated A-130 in 2000 so it was due for a refresh. The White House released the draft update in October and received 67 comments from companies, industry organizations and several others.


Software, shared services spice up summer

Don’t ever tell me summer is a “down time” in the federal IT and acquisition communities. The Office of Management and Budget has been pushing out memos like summer blockbuster movies — hopefully with better results.

Contract awards and bid protests continue to be hot and heavy, especially in the Defense Department.

But there may have been a few important news items that slipped through the proverbial cracks of your news cycle.

First off, federal chief information officers are getting a new role — software sheriff. CIOs must develop an inventory of software licenses, track spending and find opportunities for consolidations and savings under the MEGABYTE Act.

President Barack Obama signed the Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 into law July 29.


Rep. Connolly plays both sides of IT modernization debate

Rep. Gerry Connolly (D-Va.) believes agencies can have their cake and eat it too when it comes to IT legacy modernization.

Connolly is supporting both the $3.1 billion IT Modernization Fund (ITMF) developed by the Obama administration and introduced in the House by Rep. Steny Hoyer (D-Md.), and the MOVE-IT Act introduced July 14 by Rep. Will Hurd (R-Texas) and Sens. Tom Udall (D-N.M.) and Jerry Moran (R-Kan.).

The Modernizing Obsolete and Vulnerable Enterprise IT (MOVE-IT) Act would create working capital funds in each agency as part of a decentralized approach to addressing the growing problem of legacy IT systems across the government.

Connolly’s co-sponsorship of the MOVE-IT Act along with his vocal support of the ITMF created an “only in DC” optics problem, which he quickly tried to address in an internal memo to Hoyer trying to explain how both of these bills could work together.


DoD’s stress reliever: A new forecasting tool to ease fourth quarter buying spree

Agencies are just about three weeks into the federal fourth quarter procurement spending spree and, like the weather, the buying is heating up. Contractors know taking vacations in August and September is all but verboten because of the wave of solicitations coming out.

Bloomberg Government says on average the government spends about 32 percent of its contracting budget during July, August and September.

The Defense Department, which usually leads the way when it comes to year-end spending, is trying to improve the process on both ends of the equation.

Ken Brennan, the deputy director for services acquisition in the Office of Defense Procurement and Acquisition Policy in DoD, said the Pentagon is rolling out a new forecasting tool to better describe what it’s buying and who is buying it.

“We shared it with the broader community, but it’s not significantly robust yet. We need to know what folks are looking to buy so we can identify them and connect them to a solution that meets their requirements,” Brennan said at an event hosted by the Association of Proposal Management Professionals (APMP) in Vienna, Va. on July 20. “We believe this holds great promise for us. We have a long way to go and a lot of things that happen in the fourth quarter are discretionary so we are really trying to see how we keep that appetite in check.”

DoD is building the forecasting tool based on work done in the small business arena to leverage the software they are using.

