Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


For transparency at GSA, squeaky wheel finally gets a little oil

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

It’s a bit too early to pop the champagne and begin celebrating. But when Emily Murphy, the administrator of the General Services Administration, announced a new pilot this fall that would begin to shed some light on the schedules program, my heart skipped a beat.

For the better part of a decade, I have been asking — sometimes nicely, other times less so — for GSA to make requests for proposals, requests for information and contract awards under the schedules program visible for non-schedule holders.

So there I was at the Coalition for Government Procurement’s (CGP) spring conference in Falls Church, Virginia, on May 16 when Murphy dropped the news.

“If we are trying to attract vendors and customers to our schedules, being clear about what is actually bought is really helpful,” Murphy said at the event. “One of the areas GSA is looking at starting for next fiscal year is a pilot in the agency so after award using e-Buy, GSA would publish its own statements of work. We would publish the results of this so we would be clear what it is we are buying from the schedules. I asked for defined metrics for how we will decide whether that’s a successful buy. It’s an area I’m excited about because it goes back to those principles of transparency and increasing competition.”

Now it’s just a pilot, and it doesn’t start for several months. But the fact that Murphy and others such as Alan Thomas, the Federal Acquisition Commissioner; Mary Davie, the FAS deputy commissioner; and many others recognized this as a shortcoming and are willing to try something is a major step forward.

4 priorities for newest GSA admin

The news about the planned pilot was one of several specific examples of her plans Murphy brought to CGP’s annual event. For reasons of full disclosure, CGP has a show called Off the Shelf on Federal News Radio.

Murphy has driven home her four overarching priorities in every speech and interview over the last five months. At CGP’s event she put some details behind those four priorities: increasing competition, ethical leadership, increasing transparency and reducing duplication.

From all signs, if GSA can accomplish many of these initiatives, Murphy’s tenure will live up to expectations.

The biggest lift may be in modernizing the federal payroll providers. GSA issued a pre-solicitation notice on May 17 for a 10-to-13-year contract worth upwards of $2.5 billion.

GSA wrote on the notice that it plans to “compete its requirement to modernize the Payroll and Work Schedule and Leave Management (WSLM) ecosystem. The competition will be conducted among holders of GSA IT Schedule 70 contracts, SINs 132-40 and 132-51. The government expects to award one or more Blanket Purchase Agreements (BPAs) under which orders may be placed directly by participating federal agencies.”

GSA expects to issue the final request for quotes in June.

“Under the President’s Management Agenda, GSA is charged to be the co-lead with the Office of Management and Budget to provide quality services,” Murphy said. “I think it’s always important to remember that the goal is to provide quality shared services, not just shared services.”

She added that the government spends $28.6 billion a year on administrative services, and speculated that if surveyed, federal executives would say they were unhappy with the quality of those services.

“If you are going to spend nearly $30 billion, you want to be happy with the results,” she said. “For GSA, the challenge is not can we put together another contract vehicle. It’s how can [we] go out and help agencies. To be very clear this is not something GSA is doing to another agency or is doing for another agency — this is something GSA is doing with other agencies.”

She said the shared services effort is about agreeing on what is needed and then coming up with the best solutions for everyone. That could mean a common set of contracts or designating agencies to provide the services or a single provider supplying a service to all others, such as the Treasury Department processing payments.

“One area that OMB and GSA have been working with agencies right now is putting together a checklist on how ready are you to transition to a new payroll system,” Murphy said. “Instead of saying, ‘We have [a] new contract, everyone move,’ it’s a quarter-by-quarter, month-by-month set of items to make sure we are ready to transition. This isn’t an overnight solution. This is a 10-year process GSA has sketched out with OMB. The end goal is savings and a better service.”

New shared services strategy explored

Maybe the biggest differences in this shared services effort are the use of software-as-a-service and the broad recognition that providers need to make a “profit” to ensure they can continually upgrade their services.

To that end, Murphy said many of these shared services will be contracts for commercial services with at least three solutions.

“One area I’ve asked everyone to look at also is whether we could use a model somewhat similar to the EIS model for networks, where we retain a portion of the fees to pay for the next round of transition so we are not finding ourselves in a few years locked into one solution without the ability to pay for the transition to the next. Let’s start planning for transition now,” she said. “In other cases, it could be that GSA, instead of helping to support contracts for the SaaS or commercial services, is instead helping agencies better align the personnel and providing them with support to manage the systems they already have as they prepare for transition.”

Another opportunity GSA is exploring for shared services is around document digitization to meet the National Archives and Records Administration’s requirements.

“OMB came to us asking about NARA’s requirements for digitization, and we were able to say we have two new special item numbers (SINs) under the schedules program that could help agencies with that,” Murphy said. “Now we are working with them on how to leverage the schedules to adopt digitalization and records management solutions.”

What’s in the BHAG for Transportation Dept.’s IT modernization?


Watch out for the BHAGs at the Department of Transportation.

What is a BHAG, you may ask? Well, it stands for “big hairy audacious goals,” and it’s DOT Chief Information Officer Vicki Hildebrand’s plan to continue the agency’s IT modernization effort.

Hildebrand, who joined DOT in October, sees a lot of money that the agency is misspending and could be redirected toward new systems and better services.

“After about two or three months of observing, learning and asking questions, I got the team together and we talked about where we want to go, what our vision was and what it would take to get there,” Hildebrand said after a panel discussion at the CIO Summit sponsored by Foreign Affairs and the Advanced Technology Academic Research Center (ATARC) in Washington, D.C. “We started a series of six study teams and four work streams and we have official details assigned from the modes. Some of the CIOs leading them and some of the leadership from my organization are leading the teams making this a truly departmentwide initiative.”

She said nine BHAGs are under her Destinations Digital strategy:

  1. Strengthen the federal IT workforce
  2. Eliminate 1 million hours of burden
  3. Modernize multimodal processes
  4. Reduce malicious cyber incidents
  5. Shrink the IT footprint
  6. Implement intelligence software
  7. Promote transportation cybersecurity
  8. Expand self-service options
  9. Retain savings

“We are [very] federated with nine modes of transportation. We were operating very independently and we are bringing the modes together to develop departmentwide strategies,” she said. “We have more help desks across the agency than we should ever have. This is one example of an opportunity [to] collaborate on the back end.”

Spend wisely

DOT has so much misdirected spending that Hildebrand said when it comes to accessing potential dollars from the governmentwide central fund under the Modernizing Government Technology Act, she neither wanted nor needed any money.

“We have a lot of spend out there that we need to spend more wisely,” she said. “I’m actually doing many of the same things that are happening over at [Agriculture Department], but we are doing it internally and evoking the Federal IT Acquisition Reform Act (FITARA) to make that happen.”

Hildebrand was referring to USDA being a “lighthouse agency” to pilot the centers of excellence (CoE) effort under the IT modernization initiative from the Trump administration.

DOT launched the study teams earlier this month and they already have devised several potential short- and long-term changes.

“I was surprised when I got here because the government gets charged more than the private sector for IT services, and sometimes the services aren’t quite as good,” Hildebrand said. “I’m challenging that. I’ve seen the price tag from the private sector, and we need to compete more. I know part of that is it’s more challenging to procure in the government than in the private sector, but we have to shake things up. We are spending more money on things than we need to.”

Learning from the past

Hildebrand is picking up many of the initiatives started under former DOT CIO Richard McKinney, who left in January 2017. McKinney used FITARA to break through the culture plaque that had built up over the years by freezing IT spending across the agency until he could have better visibility, going so far as to suspend a modal’s access to the internet until a cyber vulnerability was fixed.

Hildebrand said she has talked to McKinney and is taking advantage of the foundation he laid. And that is why her IT modernization efforts are not on hold until the BHAGs get going.

Hildebrand said her office recently consolidated some back-end functions and saved more than $1 million by reducing the number of contractors DOT worked with to provide the services.

“In terms of a new application, we just have a prototype at this point,” she said. “We had taken one of our applications offline and we had some issues with it and it has been down for some time. We needed to do something quickly and I wanted to use that opportunity to demonstrate that software doesn’t take multiple years and multiple millions of dollars to do.”

She said DOT used design-centered thinking to address this customer-facing system.

The modernization effort is not being done in a silo either. She said the acquisition, financial and human resources communities within DOT also are part of these teams.

“I always say IT exists for the mission and we can’t be successful without the support of the rest of the department,” Hildebrand said.

The biggest challenge she faces is, like any political appointee, to win over the career staff. She said to do that, it’s all about the quick victories such as the software or contractor consolidation examples.

“I understand the modal CIOs don’t know what to make of me. Part of that is because they have heard it before, and I think there is this sense that the ‘Christmas help,’ as I’ve been called, come in and talk big and nothing happens,” she said. “This is not the first time the career folks have been through this. If I were in that role, I’d understand who is this person and what are they doing with my job.”

That’s why she knows building up that body of accomplishments is so important. It also takes listening to career folks to keep her out of hot spots and create a very different DOT.

SSA bid protest win demonstrates power of acquisition to protect the supply chains


The White House is considering two new executive orders to address growing threats to the federal supply chain.

Sources confirmed the executive orders focus on two major areas: telecommunications and federal procurement.

The New York Times reported on May 2 that the White House was drafting an EO that would ban agencies and possibly contractors from buying telecommunications equipment from Chinese firms, including Huawei and ZTE.

The second order and corresponding policy, sources said, would extend the supply chain threats into the federal procurement arena even further. Details on the second order were vague, but sources said these steps are part of the growing public recognition that the federal supply chain continues to face serious risks.

At the same time, House Armed Services Committee lawmakers approved a provision in the fiscal 2019 Defense Authorization bill that would ban agencies from buying equipment from telecommunications companies owned, controlled or partly managed by the Chinese government, such as Huawei and ZTE.

Under the provision, by Jan. 1, 2021 every agency would have to stop using equipment or services from ZTE, Huawei or any other entity connected to the Chinese government, whether obtained directly or indirectly through a third party.

“This section would require the head of an agency to submit to the specified committees a plan to phase in the prohibition in this section, including with respect to the ‘white label’ problem,” the NDAA states. “This section would also permit the head of an agency to provide an additional 2-year waiver if he determines it is appropriate to allow an entity to terminate its use of covered telecommunications equipment and he can demonstrate certain other conditions have been met.”

In another congressional action, lawmakers on the House Appropriations Subcommittee on Commerce, Justice, State and related agencies added supply chain provisions to the 2019 spending bill.

The provisions in the draft bill released May 8 would require the agencies that fall under this subcommittee to review criteria of companies providing systems at the moderate and high levels, review the possible risk of the awardees particularly around cyber espionage and then send a report of that determination to the House and Senate appropriations committees and their respective inspectors general.

While a lot of these efforts are for public show, the real action to secure the federal procurement supply chain can be found one level down within the agencies.

A good example of this happened recently with the Social Security Administration. SSA issued a solicitation for printers and associated equipment and services. As part of the request for quote, SSA required a supply chain risk assessment of the awardee — including an assessment of any subcontractors, suppliers, distributors and manufacturers involved in the awardee’s supply chain.

Among the nine factors SSA said it wanted to review were:

  • The foreign ownership or control of the apparent awardee, or its subcontractors or suppliers;
  • The degree to which the apparent awardee and its subcontractors or suppliers maintain formal security programs that include personnel, information, physical, cyber security, and supply chain risk management programs;
  • The locations of the manufacturing facilities where the hardware and software are designed, manufactured, packaged and stored prior to distribution.

The procurement received a lot of interest from a handful of bidders, and the supply chain requirements even worried a few.

Iron Bow submitted a pre-award protest first to the Government Accountability Office and then to the Court of Federal Claims after GAO dismissed the complaint. Iron Bow said SSA’s decision to disqualify it was “irrational.” SSA downselected Iron Bow out of the competition because the printers the company proposed to use under the contract were from Lexmark. SSA said the Lexmark devices were “an unacceptable supply chain risk to the government” because the Chinese government’s interest in the company was greater than SSA initially recognized.

You can read the entire court case here. The upshot is the Court of Federal Claims ruled that SSA conducted the supply chain risk assessment in accordance with the terms of the RFQ, and that the agency reasonably concluded that the printers proposed by Iron Bow presented unacceptable risks to the government’s supply chain.

This is an important case for several reasons.

First, it drives home a key point about supply chain risk that Bill Evanina, the director of the National Counterintelligence and Security Center (NCSC) in the Office of the Director of National Intelligence, said at a recent event sponsored by the Intelligence and National Security Alliance (INSA).

“You can have the best cyber program in your company and you can hire a private cybersecurity firm who has the best software, but if your procurement and acquisition folks are not part of the team, you will fail,” Evanina said. “Our adversaries, that’s how they get us, through procurement and acquisition programs. If you are a chief information security officer or chief information officer, are you aware of all the procurement being done by your company — to buy new printers, scanners, faxes, PBX switches, routers — probably not.”

He said agencies are required to do some basic research, such as finding out who is on the company’s board of directors, who its subcontractors are and who is on the ownership team.

“The Defense Department does this every single day. We do National Intelligence Determinations for companies who want to do business with the government all the time. It’s a big process,” he said. “Private sector needs to do this more often. Understand who your suppliers of the suppliers are because our adversaries strike us with the subs and subs of subs.”

Evanina said agencies and companies need mitigation plans as well as opportunities to exercise those strategies, similar to what organizations need to do with cyber intrusions.

The second point the court’s decision in SSA’s favor drives home is that vendors need more help ensuring the security of their supply chains as agencies continue to ask for more details.

Eric Crusius, a partner with the Holland and Knight law firm, said he sees more and more clients asking for assistance to make sure they are compliant with laws and regulations.

“The fact is there are supply chain requirements in procurements themselves and if a company, generally speaking, thinks it’s the wrong approach, they should protest it before bids are due on solicitation,” he said. “Otherwise you are agreeing for the government to evaluate your supply chain as part of the overall evaluation process.”

Crusius said companies need to go beyond just the minimal level of compliance.

“It’s not just meeting the legal requirements of supply chain risk management, but sometimes companies have to look at it from a practical and business standpoint,” he said. “As a prime contractor, you are responsible for the entire chain below you, and that is not always practical. So you should do a risk analysis and see where it leads you down the supply chain, and then you can make smarter decisions, and maybe even change suppliers if you can’t ensure the security of the vendor.”

There are several other cases like that of SSA that highlight similar points. For instance in 2018, the Commerce Department upgraded its supercomputers and decided not to go with Lenovo, which had bought IBM’s x86 server business — the type of servers NOAA bought previously. Instead, Commerce brought in Dell systems after concerns increased about Lenovo’s relationship with the Chinese government.

Supply chain risk management also played a big role in another recent Commerce Department acquisition for cybersecurity services.

In the request for proposals, Commerce required the vendor to have supply chain risk management expertise on staff covering 16 different skill sets, including conducting research and analysis, preparing situational awareness briefings and conducting individual assessments for internal department customers buying technology.

Evanina said many organizations don’t have effective supply chain risk management programs, but, as with cyber 5 or 7 years ago, there’s a growing understanding of why it’s important.

“We spend a lot of time with DoD and others training acquisition folks to understand the threats that manifest in contracts,” he said. “The contracting world is something we have to hurry up and train and make them aware of threats.”

FBI boosts IT efforts to protect itself from rogue employees

The one challenge facing every agency where IT innovation and modernization could make a huge difference is defending against the insider threat.

So it shouldn’t come as a surprise to anyone that the FBI is making IT innovation and insider threat synonymous.

Roger Stanton, the assistant director of the insider threat office for the FBI, said for the bureau it’s more than just protecting information and people. The new technology can help address the culture challenges of a force of alpha males and females.

“I have two types of employees, creators and system people. Creators are those people who are out on the edge, in the white space, driving to create a capability that does not exist yet,” said Stanton, who joined the FBI’s insider threat office about a year ago. “Then I have the system people who are between the four corners of policies and regulations, and they get things done and they do it within the systems. I have also found they drive each other crazy because the creators want to be out there on the fringe that will be the next great thing, and the system people are the ones who say, ‘You can create that iPhone, but if you can’t deliver to the customers, then our business is going to fail.’”

Speaking at the Justice Department’s cyber symposium on May 9, Stanton said having a healthy tension between the two groups is a good thing, but it also makes leading them more difficult.

To help address the people side of the insider threat challenge, Stanton said the FBI is launching two new platforms.

The first one will help the FBI do a better job of understanding the possible threats within its three investigative elements — security violations, internal misconduct and internal espionage.

“We manage those referrals and we make sure we are monitoring every referral that comes into completion so it’s my job to make sure collaboration is emphasized and maximized,” he said. “We use this software application, we call Javelin, it’s home grown, and it manages referrals. What we do to make sure the big three get a benefit from entering referrals into the system and monitoring them is we pull from our holdings so when you type in an individual’s name, it throws a bunch of information at you, whether it’s the history of polygraph exams, any incidents they have been associated with in the past and any investigative information.”

Through privileged user access, when a referral comes into the insider threat office, the investigator is the only one who has access to the case and information.

The second application is called the Insider Threat Analysis Platform (InTAP), the FBI’s big data analytics tool that looks at potential models, triggers and the data sets it has to identify potential threats to the organization.

Stanton said analytics receive the data and decide whether it needs to be referred to an investigator.

“We are developing that now. We are at initial operating capability for that,” he said. “Until that final capability is issued, and everyone in the insider threat program knows that anyone who says they have this [issue] licked, they lose credibility with us because it’s a continual examination of your internal business processes, your culture, the applications that are unique to your organization, that is what an insider threat program is. And because they change and modify, we have to change with it.”

Stanton said the FBI doesn’t talk too often about this program because it’s concerned about adversaries taking advantage of its strategies.

This is why getting this look inside the FBI — pun intended — is worthwhile. This is especially true since October will mark seven years since President Barack Obama signed an executive order requiring agencies to implement an insider threat detection and prevention program, and, for the most part, they have struggled.

Until the FBI can fully launch its InTAP application, it’s relying on its legacy approach of bulk-data derogatory records checks that look at different triggers and models.

“We take our 70,000 employees, contractors and detailees and throw it against certain data sets that might be an indication that there could be misconduct or could be a risk posed by that insider based on the modeling and triggers we do,” he said. “The FBI takes great research to work with its intelligence community partners to push information sharing about how we are modeling or identifying insider threats, and what we think behavior analytics should be for that. It’s a huge challenge because it’s another thing that changes as cultural things change as the way we communicate changes.”

All of these efforts are overseen by an Insider Threat Risk Board, which is run by the associate deputy director of the FBI and includes all the executive assistant directors and assistant directors involved with insider threat matters, including human resources, financial management, technology and others. The board meets quarterly to review the FBI’s critical assets and what potential risks they are facing.

“Key vulnerabilities are business processes. How do we go about our day-to-day operations? What sort of vulnerabilities may be there?” he said. “One example could be how we escort visitors into the building. Each individual office had its own policy, and when we looked at them some were good and some were great. A business process across the whole FBI can be improved so those good ones could be great.”

Stanton said the FBI identifies those risks by getting together every two years with the risk board and ordering the entire organization to think about critical assets and business processes that are vulnerable to insider threats.

From that, the board comes up with a manageable set of risks based on the highest or most critical vulnerabilities.

“My office has a critical asset vulnerabilities assessment team and they will do a ‘red team’ approach to look at everything around that asset or business process and try to identify any gaps or vulnerabilities that are posed by an insider,” Stanton said.

Once they find the gaps or vulnerabilities, communication and training help fix any potential or real challenges.

While the FBI’s requirements for protecting against insider threats may be more rigorous than those of many other agencies, there is no reason why these two platforms couldn’t become shared services for other agencies, especially given that shared services is one of the administration’s priorities.

Some House lawmakers want special procurement rules for e-commerce platform

The House Armed Services Committee isn’t sitting idle while the General Services Administration comes up with an implementation strategy for the e-commerce portal, otherwise known as the “Amazon amendment,” over the next nine months.

Once again, lawmakers are trying to disrupt the federal procurement system before the paint is even picked, let alone dry, on the e-commerce portal. The committee approved a provision in the fiscal 2019 Defense Authorization bill that would raise the micro-purchase threshold to $25,000 from $10,000 for all purchases through the forthcoming e-commerce portal.

“The committee expects the commercial e-commerce portals would simplify and streamline the defense acquisition process as well as provide better transparency,” the bill that passed the committee on May 10 states.

GSA also recommended increasing the micro-purchase threshold to $25,000 in its initial implementation plan sent to Congress in March.

Additionally, the bill includes language that would increase the micro-purchase threshold for all other buying approaches across DoD to $10,000 from $5,000. In the 2018 version of the NDAA, all non-DoD agencies received the MPT increase from $3,500 to $10,000.

This latest action by the House committee likely will add to the growing anxiety about the e-commerce portal.

“Everyone who saw that report on first sight was a little taken aback as it was a little unexpected in the defense authorization bill,” said Angela Styles, a former administrator in the Office of Federal Procurement Policy and now a partner with the law firm Bracewell in Washington, D.C., on the Off the Shelf program. “We have no idea what the ramifications will be with the increase. What worries me is the lack of transparency. We as taxpayers will have no idea of what’s going on and to raise the micro-purchase threshold to $25,000 is a huge increase. I think the real question is why increase it to $25,000 before we know what $10,000 looks like?”

Styles wasn’t alone in her concerns about the increase of the MPT.

Jonathan Etherton, a former DoD and congressional executive and now founder of Etherton and Associates, a consultancy for federal contractors, said he too was surprised and thought the rationale by the committee “wasn’t compelling.”

Jonathan Aronie, a partner with the law firm Sheppard Mullin, said there are costs and advantages to raising the micro-purchase threshold, including opening up the government to more products from overseas, including China. He said the increase would reduce accountability and competition, which would have a dramatic effect on agencies and vendors alike.

The concerns about Chinese products, including supply chain risks (see my other notebook item) are so strong that the National Association of Wholesaler-Distributors wrote to President Donald Trump on April 20 expressing serious reservations about the increase of the MPT to $25,000.

“The proposal confounds Executive Order 13788, Buy American and Hire American (April 18, 2017). Instead of fostering the purchase of U.S. goods and products by government agencies, it circumvents and dilutes your Executive Order’s commitment,” writes NAW, which represents approximately 30,000 enterprises of all sizes that employ more than 5.9 million workers in the U.S. “By more than doubling the micro-purchase ceiling, it will expand enormously the foreign products purchased by the government. Its breadth collapses the compliance structure mandated by the Buy American Act and your Executive Order.”

Additionally, NAW writes that GSA hasn’t conducted a cost-benefit analysis and doesn’t seem to be considering one.

“Section 846 fundamentally restructures the way the federal government acquires commercial products. NAW agrees with what we understand to be Section 846’s purpose: to improve the commercial product acquisition process,” the letter states. “We have conveyed to the Congress and to GSA that only meaningful competition at platform and supplier levels will afford fair opportunities to participate and give federal agencies broad choices at competitive pricing. GSA’s jettisoning Buy American Act obligations is wrong. Moreover, the momentum implementing Section 846 is toward the ‘Amazon Amendment’ model and is to the detriment of countless private sector stakeholders, the federal government and taxpayers. It will generate potentially several billions of dollars annually in fees to what will at best be an extremely limited number of commercial e-commerce portal providers. The disparate, specialized and unique requirements of many federal agencies will be compromised.”

The association asked the president and Congress to have GSA withdraw its proposal to increase the MPT and reconsider its overall plan.

Jim Anderson, NAW’s vice president for government relations, told Federal News Radio that the association hasn’t heard back from the White House and continues to educate lawmakers about its concerns.

At the same time, the National Office Products Alliance (NOPA) and the Office Furniture Dealers Alliance (OFDA) are holding a “fly-in” on Monday and Tuesday to meet with lawmakers.

NOPA and other organizations, such as the Institute for Local Self-Reliance, are worried about the e-commerce portal as part of Amazon’s growing influence.

“An important aspect of Amazon’s lobbying strategy will no doubt be how it is a friend to U.S. small businesses rather than a competitor and that using the Amazon Marketplace for federal government purchases will be beneficial to small and medium businesses,” wrote NOPA in a release after Amazon released its Small Business Impact Report in May. “Indeed, that was part of Amazon’s message back in January when the GSA asked for stakeholder input into the proposed federal e-commerce portal. Amazon identified four areas for the GSA to consider: ‘using commercial terms and conditions and commercial practices; enabling robust competition; enhancing opportunities for small and disadvantaged businesses; and encouraging the availability of tools to simplify compliance.’ As U.S. business products associations NOPA and OFDA prepare for their small business advocacy fly-in to Washington later this month, they will be mindful of Amazon’s efforts to portray itself as a platform that underpins small business growth and job creation.”

In its report, Amazon states that more than 1 million small and medium-sized businesses sell through Amazon, including more than 300,000 that started in 2017, and that those firms account for an estimated 900,000 new jobs.

Styles and other experts agreed that GSA needs to do more homework and research to really understand the impact of many of its proposals, including increasing the micro-purchase threshold.

“They have to go out and talk to disinterested companies,” Styles said. “You can have an industry day, but all of those who attended have an interest, so GSA needs to talk to companies out there and learn how they are buying. I think legislative proposals are premature. It’s unusual to have access to GSA thinking and I think they may have some second thoughts after doing more research.”

Etherton added the House provisions to increase the micro-purchase threshold also seem a bit premature given GSA isn’t expected to implement the portal until 2020.

All the more reason why some vendors are so concerned about the House’s effort to put the cart well before the horse.



Defense Digital Service’s ‘cease and desist’ letter to industry group symptom of larger communications problems


The Defense Department’s problems with its commercial cloud procurement known as JEDI really can be traced back to one thing: Poor communication with industry.

In talking with industry experts and contractors, it becomes clear that all the concerns and anxieties over the Pentagon’s goal of a single cloud award, or the question of whether DoD is copying Amazon’s secret cloud for the CIA and the intelligence community, could be alleviated with more in-depth and substantive discussions.

And what may be at the heart of this issue are the “experts” from the Defense Digital Service running the initiative, who observers say need to be more open to ideas and less egotistical.

A perfect case-in-point of DDS letting its ego get in its way is its treatment of John Weiler and the IT-Acquisition Advisory Council (IT-AAC) he leads.

Weiler and the IT-AAC, which includes a who’s who of former DoD technology and acquisition executives such as Marv Langston, a former Navy chief information officer, and Kevin Carroll, the former Army Program Executive Officer-Enterprise Information Systems (PEO-EIS) director, received a “cease and desist” letter from DDS and Tim Van Name, its deputy director.

In a Jan. 26 email to Weiler, Van Name said the “Defense Digital Service (DDS) team feel harassed by the insistent calls and messages they are receiving from you, including on their personal phones and accounts.”

Yes, Weiler is known in the federal IT and acquisition community for both his passion for fixing federal IT problems, as well as for his almost obsessive need to make waves and see controversy in almost every corner.

When you mention Weiler’s name to current and former DoD executives, it comes with both an uncomfortable laugh and an understanding that Weiler’s doggedness is appreciated — up to a point.

At the same time, IT-AAC and his for-profit company, the Interoperability Clearinghouse, have provided valuable assistance to a host of agencies, including the Navy, the Air Force and the National Reconnaissance Office, that has helped fix troubled programs.

The back story of why Van Name decided to write a “cease and desist” letter is not entirely clear.

DoD spokeswoman Heather Babb refused to answer specific questions about Van Name’s letter, sending only a general statement about DoD’s work with industry around JEDI.

“The department is committed to a transparent process and a full and open competition to acquire a cloud services solution through the Joint Enterprise Defense Infrastructure (JEDI) Cloud Initiative. The department has been engaging with industry throughout this process to ensure it develops the best cloud solution for the warfighter,” Babb wrote. “The department appreciates industry’s participation in the draft solicitation process. DoD is confident that these inputs will help us refine and clarify the requirement so that we can provide the best capability for the warfighter.”

Babb highlighted the same statistics about JEDI that we’ve seen over the last few months: more than 1,000 questions from 46 companies on the first draft request for proposal, a second round of questions under consideration for version 2 of the draft RFP, and more than 900 attendees at the industry day in March.

And when Weiler pressed Van Name for more details on the alleged harassment, he received no answer.

I called Weiler to get his side of the story. He said that starting in November he engaged DDS, offering lessons learned from IT-AAC’s experience with cloud acquisition.

“They were receptive,” he said. “We told them things like leverage standards, and then focus on the outcomes and what problems you are trying to solve, and don’t be overly prescriptive. We said we can help you when you are ready.”

Weiler sent DDS a white paper on agile acquisition a few weeks later. Weiler said he remembers Sharon Woods, the DDS general counsel, telling him at an event to give her a call to discuss IT-AAC’s ideas further.

So over about a 30-day period, Weiler said he called the DDS office about 12 times, called DDS executives’ personal cellphones based on the recommendation of a former digital service employee who said that’s the main way they communicate, and sent a handful of emails.

“It’s hard to get anyone to answer the phone at DDS. And when I did, it seemed like no one was getting the messages,” Weiler said. “I’m expecting a call back and wasn’t getting one so I called back. I followed up on a communication thread where there was apparent interest in IT-AAC’s help.”

Weiler admitted he was perhaps making more phone calls than he normally would, but he said that even a “thanks but no thanks” from DDS was all he was looking for.

“I was trying to find out information and get an answer. I was asking for transparency,” he said. “I was never told they weren’t interested and to stop calling. I just got the letter. If they would’ve called and told me to go away, I would’ve sent one final letter explaining IT-AAC’s concerns, and then gone away.”

Weiler, obviously, was quite upset over the “cease and desist” letter. When I asked others in the federal community if they’ve ever heard of DoD or any agency telling an industry organization to only go through the press office with communications going forward, no one could remember such an instance.

And Van Name’s claim that Weiler was “harassing” DDS is a symptom of DoD’s larger problem with the JEDI procurement: thinking it already knows everything.

An industry expert who is following JEDI closely said DoD could have been more forthcoming with its plans for JEDI, and there is no clear reason why it hasn’t been.

“It either has been a conscious decision or a result of factors that we can’t see — inexperience or incompetence,” said the industry expert, who requested anonymity in order not to hurt their relationship with DoD. “The lack of answers in the Q&As with the draft RFP leaves you wondering why. Do they not know the answer, or do they know the answer and industry will not like it so they don’t want to give it, or is it something else? DoD has done the same thing with some past procurements like the Air Force tanker where they didn’t answer questions and it caused a lot of challenges for industry.”

Roger Waldron, the president of the Coalition for Government Procurement, said it’s unclear why DoD wasn’t more willing to engage with industry.

“I think DoD’s efforts created a ‘check the box’ impression because between industry day and draft RFPs their efforts were not optimal. They put out the draft RFP and then gave companies two weeks to respond, and then many of the answers to many questions were just ‘noted’ instead of giving more details, that left a lot of people wondering,” he said. “Then with the next draft RFP, DoD gave another two-week timeframe, which also was too short. It’s not a textbook example that you’d use in an acquisition training course for how to run a large procurement.”

And now DoD’s communication shortcomings are almost forcing Congress to get involved.

First, in the fiscal 2018 omnibus spending bill, lawmakers asked DoD for a report justifying its approach to JEDI. DoD is expected to deliver that report by May 7.

The latest example of Congressional concern is a new provision in the House version of the 2019 Defense Authorization bill.

“Prohibits the Department of Defense from using 50 percent of the funds authorized to be appropriated for the JEDI cloud initiative, until the Secretary of Defense provides Congress with information sufficient to conduct oversight of the acquisition,” the chairman’s version of the NDAA states.

The industry expert said while the NDAA provision looks like a big deal, by the time the bill becomes law, JEDI will be well down the path of award and/or protest making the provision almost moot.

“People want answers to questions, and at the end of the day the stakes are so high that competitors want to understand the framework, the innovation, the security and how DoD will foster continuing competitions,” Waldron said. “All are fair questions and the lack of communication on answers, and the lack of a public cost-benefit analysis of single award versus a multi-award approach created a lot of the concerns.”

There are few people who believe JEDI will ever get off the ground. Either it will crumble under its own weight, get hung up in protests for the next year and eventually just go away or Congress will ramp up its pressure forcing DoD to make changes.

And all of this time, resources and effort could still be saved if DoD simply opened up, became more forthcoming and held meaningful meetings with industry.



Exclusive

7 ways to make category management more responsive to small businesses

This is part two of a two-part look at OFPP’s version 3 category management strategies. In last week’s Reporter’s Notebook, I looked at the goals of the new strategies such as attempting once again to reduce contract duplication.

The small business community has a right to be concerned with the Office of Federal Procurement Policy’s reinvigorated category management initiative.

History hasn’t been kind to small firms when it comes to big, bold initiatives to better manage spending or reduce costs, or, as is the case for category management, all of the above and more.

The small business community remembers OFPP’s strategic sourcing efforts. The Obama administration talked a good talk about small businesses winning a bigger piece of the pie in areas such as office supplies. But the administration failed to recognize that a smaller number of firms winning a larger share of the dollars can do more harm to the industrial base than a larger number of firms winning a smaller share of contracts.

With the Trump administration’s latest set of category management plans, small business is one of four main focus areas across the 10 spending categories, on which agencies spend more than $294.1 billion a year.

According to version 3 of the strategic plans, which Federal News Radio obtained, OFPP and the Category Management Leadership Council (CMLC) determined each category should target 13 percent to 50 percent of its spending to small firms. The goals include 39 percent in the IT category, 50 percent in the office management area and 33 percent for professional services.

But the plans also raised serious concerns from the federal small business directors about whether category management and small business as a socioeconomic policy can live in harmony. So far, the harmony has been hard to come by as a recent study found the number of small firms winning prime contracts is down by 25 percent since 2010.

“While the committee is encouraged by the expressed of the Office of Federal Procurement Policy to further small business goal achievements, the committee’s review identified opportunities to strengthen aspects of the general approach of the plans to promote small business participation,” wrote Denise Sirmons, chairwoman of the committee and director of the OSDBU office at the Environmental Protection Agency, in a letter to OFPP, which Federal News Radio also obtained.

The Office of Small and Disadvantaged Business Utilization (OSDBU) Council’s category management committee, and Robb Wong, the associate administrator in the Small Business Administration’s Office of Government Contracting and Business Development, wrote to OFPP detailing recommendations to make the strategic plans more responsive to small business concerns.

The recommendations include:

  • Ensure accountability for small business participation by developing key performance indicators and expanding the metrics to include specific goals for each socioeconomic category.
  • Perform data analysis of how many socioeconomic small firms already are included in best-in-class (BIC) contracts and whether both the total contract value and vendor base are enough to support all the goals of category management.
  • Clarify through policy or communications that category management, reducing contract duplication and the emphasis on using best-in-class contracts do not conflict with current acquisition regulations and laws.
  • Develop a more transparent methodology to calculate cost savings, which is particularly important given that the regulations require a cost-benefit analysis for consolidated requirements.
  • Ensure each BIC has on-ramps, particularly for firms in the socioeconomic programs.
  • Satisfy mandatory set-aside requirements under policy and law.
  • Require prime contractors to provide data on how they are meeting their subcontracting plans.

Stacy Riggs, the acting director for the category management governmentwide program management office, said in an email to Federal News Radio that the OFPP, the SBA and the OSDBU Council have been collaborating to “align goals, collaborate on improvements and develop data intelligence to ensure agencies can continue to meet their small business procurement goals as they implement category management principles.”

“We also have developed tools and dashboards to help agencies understand and optimize their usage of well-managed contracts, and to identify small businesses to meet their needs,” she said. “Moving forward, we will continue to work with OSDBUs, SBA and across government to grow existing capabilities (e.g., governmentwide category management dashboards, all small Mentor-Protégé Program, 8(a) Business Development Program, best-in-class contract on- and off-ramping, and supporting policies) and innovate new methods for maximizing opportunities for small businesses.”

Lesley Field, the acting OFPP administrator, also expressed the commitment to small firms.

“We have conducted a deep analysis of the current state on all BICs. Currently 45 percent of spend and 75 percent of the vendors are small business,” Field said in an email to Federal News Radio. “Many of the best-in-class solutions have pools or groups that are set aside exclusively for small business (e.g., OASIS and BMO). Other best-in-class solutions allow set asides at the order level, consistent with existing regulations and the Small Business Jobs Act. Several of the best-in-class contracts have on/off ramps.”

Field said category managers have identified requirements for a BIC finder tool that will let agencies more easily determine what BICs are available to meet small business needs. The tool even lets contracting officers search for set-aside and socioeconomic category set-aside options.

She added OFPP and the category managers have “compiled all details regarding small businesses on BICs, including spend, vendors, types, on-ramping, terms and conditions.”

In fiscal 2017, OFPP says 7 of 10 categories met or exceeded their small business goals.

But what Field and Riggs have not explained is how they will hold the category managers accountable given the shortcomings in the data.

Jack Kelly, a former OFPP analyst, who retired after 36 years in government, reviewed the new strategies and said there needs to be more specific data in each category.

“One of the things each category should have is a small business participation strategy that lays out fundamental things like the number of small businesses available in this part of the supply chain, how much goes to small businesses and how much goes to large businesses currently,” he said. “One of the things that always killed me about the government’s small business policy is we always talked about increasing the share of spending going to small businesses, but what I want to know is what the potential spend is. We don’t know that. We could be close to the maximum of potential spend so pushing beyond that may not make sense.”

Kelly said when it comes to small business contracting, one size does not fit all, which is why collecting data on the current status of the industrial base is so important.

Joe Jordan, a former OFPP administrator for the Obama administration and now an independent consultant, said drilling down in each of the socioeconomic categories would be an important addition to the strategies to help address the potential impact on small firms.

“Where the strategies talk about best-in-class contracts, having on-ramps and holding them frequently is critical,” Jordan said. “You have to give new entrants the ability to access these opportunities and folks who are not delivering BIC results need an exit from these vehicles. It’s very hard to do, but that’s got to be a collaborative focus to make it work. The number of small businesses on a contract vehicle is not where the inefficiencies are as long as there are good ordering mechanisms and you have a good set of terms and conditions.”

Jordan said this is an area where Congress may even be helpful by focusing on metrics to ensure maximum small business participation, whether that is measured in total dollars or in the total number of companies participating.

Jordan said OFPP and the category management council need to pay close attention to the continued tension with small businesses. He said he recognized the flash point with strategic sourcing and came around to understand that measuring the percentage of dollars given to small businesses was not as good of a metric as measuring the number of small businesses receiving contracts.

Maybe that’s a lesson OFPP should heed?



Exclusive

New OFPP strategy targets 13 percent reduction of duplicative contracts by 2020


This is part one of a two-part look at OFPP’s version 3 category management strategies. In next week’s Reporter’s Notebook, I’ll look at concerns by the small business community about the current and future impact category management could have on contracting.

The Office of Federal Procurement Policy has been trying to solve contract duplication for almost a decade.

OFPP required agencies to justify new multiple award contracts by submitting business cases. That had limited success.

OFPP tried to create catalogs of existing contracts so agencies could see what was out there first before going down the path of a new contract. That had even less success.

Now OFPP is trying to use category management, and the best-in-class contracts under it, to shrink the number of multiple award contracts (MACs) in technology, professional services, transportation and logistics, and the seven other categories where the number of MACs has grown and grown for decades.

Each category manager developed new strategies for 2018 with goals across four broad areas. Without a doubt, reducing contract duplication and ensuring small businesses aren’t left behind are going to be the hardest to achieve.

The category management strategic plans version 3, which Federal News Radio obtained, detail 2018 and 2019 goals for each of the 10 categories, including a 5 percent to 20 percent reduction in the number of contracts that serve each specific area.

“Each of the categories is focused on increasing spend through best-in-class (BIC) solutions, which is what the category managers can work to influence by working with the agencies,” said Lesley Field, the acting OFPP administrator, in an email to Federal News Radio. “Agencies are held accountable for meeting the targets for BIC and spend under management (SUM).”

Field said among the goals the administration has set for 2020 is “a cumulative reduction of unnecessary duplicative contracts of 13 percent” out of the 425,000 contracts that are under what OFPP calls Tier 0 or unaligned spend that do not align or conform to category management principles.

Source: Category Management Leadership Council Version 3 strategy.

The strategies don’t describe how OFPP will hold agencies accountable for the 13 percent reduction.

For example, under the professional services category the strategy calls for the leaders to “implement professional services supplier relationship management program; Services spend analyses completed for top five professional services spend agencies; and Administrative savings methodology adopted for the Professional Services Schedule.” Each of these areas has quarterly goals ranging from hosting supplier relationship management community of interest meetings or developing a forecast opportunities strategy, but there aren’t any specific assignments to people or agencies, or OFPP oversight details.

Jack Kelly, a former OFPP policy analyst who spent 36 years in government, said in an interview that the issue the administration needs to solve is that no one wants to give up control of their contract, or their spend in a particular category.

“I think contract duplication needs to be more of a focus than it is in the 3.0 plan,” Kelly said after reviewing the strategies.

Joe Jordan, a former OFPP administrator during the Obama administration and now an independent consultant, said addressing contract duplication is a critical success criterion for category management.

“It’s extremely hard, but what needs to happen is for OFPP, GSA and others to look at the economics of contract providers. If they charge a fee on everything that goes through the contract, does that make sense? Are the economics right?” Jordan said. “At the end of the day, the two biggest challenges to reducing contract duplication are understanding the economics involved, particularly around the agencies receiving fees, and the human desire to have control. Too often acquisition professionals say, ‘Sure, some other agency can do most of what I want, but I like my agency, my buyers and our mission is different.’”

OFPP has had some positive results in which it worked with agencies to reduce duplicative contracts, such as for satellite communications where the Defense Information Systems Agency and the General Services Administration partnered on the Future Commercial Satellite Communications (COMSATCOM) Services Acquisition in 2012.

Additionally, Bloomberg Government reported in 2017 that the number of multiple award contracts dropped by 239 over the last five years, while spending continues to increase to over $111 billion a year.

But as category managers saw in 2017, when only two of the 10 categories came close to or accomplished their contract duplication goals, there are more examples of contract duplication than not.

These strategies mark a return of sorts for category management. Over the first 15 months of the Trump administration, there has been little public attention to category management — no new policies, the draft circular from October 2017 seems to have fallen by the wayside, and only some basic references by Field or other OFPP executives at conferences.

OFPP floated a draft category management policy last fall, but it seems to be stuck in place.

But with the approval of the strategic plans and the release of the President’s Management Agenda, the administration finally is putting its support behind the initiative, despite still no permanent OFPP administrator and no one coming in the next six months either — the time it takes for someone to be nominated and go through the Senate confirmation process.

Overall, the goals for category management are straightforward and lofty.

“The strategy of category management is focused on reducing costs and increased use of best-in-class solutions, as well as reducing duplication, improving communications through vendor management, sharing transactional data to inform better procurement and maximizing small business participation,” Stacy Riggs, the acting director for the category management governmentwide program management office, said in an email to Federal News Radio.

Field said the administration expects to reach $18 billion in cumulative cost avoidance, over a baseline of $5.8 billion in 2016, bring 60 percent of common spend under management, an increase over the baseline of 44 percent, and increase the total addressable spend through best-in-class contracts to 40 percent from a baseline of 10 percent in 2016.

“OMB and the Category Management Leadership Council (CMLC) developed a spend under management tiered maturity model to help agencies evaluate their progress in aligning common spend activities with category management principles,” Field said. “The model is designed to be a living management tool that can be refined by OMB, in consultation with the CMLC, based on experience and best practice.”

Kelly said the strategies and goals, generally speaking, seem to hit all the right notes, but OFPP needs to put a finer point on the spend under management data.

“It’s hard to tell how much is really spent under management. If the goal is to reduce unmanaged spend and increase the use of best-in-class contracts, but there isn’t anything that talks about what percentage or how much isn’t managed,” he said. “When you run those numbers, for example under facilities and construction less than 0.01 percent is not managed, but that’s still a lot of dollars, but low percentage. There are definitional challenges and I’m not sure how it will be handled. For instance, how do you count blanket purchase agreements (BPAs) versus indefinite delivery, indefinite quantity (IDIQ) contracts? IDIQs are a license to buy, but the actual contracts are against BPAs.”

At the same time, Kelly said the savings numbers also are concerning because too often the data isn’t accurate enough to show the difference in costs.

Jordan added that he too has some concerns about the savings numbers. But instead of worrying about having the right data or all the data, agencies should move forward with what they know and figure out how best to reduce costs without focusing on specific percentages.

“I’m not sure this is the best place to spend their energy on precise percentages,” he said. “This is why I retain hope that category management will make a difference by presenting clear data about what’s going on. If you can show how much people are paying through various vehicles, you can create the natural ‘shark tank’ effect and make dispassionate arguments that this vehicle is providing equal but lower prices. Right now, there isn’t enough objective data, but I think given how much focus OFPP, GSA and the BIC managers have put in collecting good and more robust data within these categories, I retain hope that this will be one of several positive outcomes.”



Agencies faced 14 percent more cyber incidents last year, but security is improving

Sen. Heidi Heitkamp (D-N.D.) wants the Homeland Security Department to be a center of excellence (CoE) for cybersecurity for the entire country.

She told Chris Krebs, during his confirmation hearing last week to be an under secretary at DHS, that DHS should be the lead on all things cyber that affect the nation’s defense and national security. If confirmed, Krebs will head the National Protection and Programs Directorate (NPPD).

“We need a broader, governmentwide, nationwide plan for what we will do in cyber so we are not stepping on each other, so we are not taking missteps that are incredibly costly, and we can’t ignore the small stuff. The resiliency of the foundation, which I will tell you, is fairly porous,” Heitkamp said during the Senate Homeland Security and Governmental Affairs Committee hearing. “We expect you to throw some sharp elbows. There’s been a lot of turf on this and there can’t be. We need a center of excellence and that’s your job in my opinion, to create a center of excellence to be that entity that evaluates products out there that can be, in fact, protective and shield to develop products to better educate the public on how to protect themselves.”

What Heitkamp is asking Krebs to do is take a similar approach to what DHS has taken with federal networks over the last decade.

DHS, for all intents and purposes, has become that CoE for civilian agency cybersecurity, and the latest report to Congress under the Federal Information Security Management Act (FISMA) demonstrates that in many regards.

Let’s be clear early on: DHS is not perfect. It still has plenty of shortcomings and challenges it must face, but the services and help it provides to civilian agencies — think of the continuous diagnostics and mitigation (CDM) program or the EINSTEIN tools — are undeniably more valuable every year.

The 2017 FISMA report to Congress, which the Office of Management and Budget released in March, highlights several of these areas where agencies are improving their cybersecurity.

“OMB and DHS’s long-running efforts to instill disciplined cyber practices across government helped safeguard agency IT systems in 2017,” the report states. “As a clear example, DHS’s efforts ensured that Federal agencies had already patched their systems to protect against the vulnerability that led to the WannaCry, Petya, and NotPetya ransomware before those attacks swept across the globe. Agencies also expanded their use of continuous monitoring tools and of multi-factor authentication Personal Identity Verification (PIV) cards throughout the year.”

An OMB senior adviser, who requested anonymity, said DHS and agencies now have greater situational awareness about the threats, vulnerabilities and posture of their systems than ever before.

“We focused on the attack vector. Do agencies know where these incidents originate and where the attacks are coming from?” the official said. “With CDM, EINSTEIN and other tools, agencies have an improved understanding of where the [risks] are, and how to mitigate them.”

And having better situational awareness is only getting more important as the number of incidents continues to increase.

OMB said agencies reported 35,277 incidents in 2017, a 14 percent increase over 2016 (30,899), and only five reached the threshold of being “major incidents,” which require immediate reporting and follow-up steps.

The OMB official said this is the first year in which OMB and DHS are looking at standard data from agencies. In 2014, OMB and DHS created a standard approach to reporting cyber incidents.

The official said the data shows agencies and DHS are getting the right information, and are able to identify trends across the government.

“There is a delta in incident reporting from 2015 where there were 25,000 more incidents. We weren’t using the information in a meaningful way, so we wanted to verify the incidents to root out false positives,” the official said. “Now the data shows you trends, like email is one of the top attack vectors, so we can decide what security controls we can put in place, which is where the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol binding operational directive came from.”

In October, DHS issued a BOD requiring agencies to implement DMARC to improve the security of emails coming into agency networks.

OMB reported that the number of attacks via email or phishing more than doubled in 2017.


“There is greater awareness at the CIO level, even among small or federated agencies, because CIOs are seeing all the information, the inspectors general are seeing the same information, so there is much greater accountability for results,” the OMB senior adviser said. “We are driving accountability throughout the budget and saying those who haven’t performed shouldn’t necessarily get more money, and let’s drive reforms and deal with risks. We have a mechanism for better fidelity and training information where to take action to deal with cyber shortcomings.”

With regard to driving accountability, the OMB adviser said that while spending on cybersecurity increased by 14 percent in 2017 over 2016, agencies and the administration have a better idea of why spending needed to go up.

“We are not throwing good money after bad,” the OMB official said. “If you look at the metrics, the cross-agency goals, you can see we are not throwing money at agencies that need it the most. We’ve tied FISMA implementation to the budget. If an agency is underperforming in specific areas, we want to know where do we need to invest to mitigate a threat or add a capability? We also want to augment those programs that are leading the charge like CDM, so we can raise the bar for everyone.”

While the FISMA report shows a lot of progress, agencies continue to struggle in some basic areas. For instance, governmentwide cybersecurity maturity remains low, particularly when it comes to detecting threats and vulnerabilities.

Agency IGs report that hardware and software asset management continues to lag behind OMB goals.

The report also leaves some questioning the long-term value of EINSTEIN in terms of return on investment.

DHS has spent more than $820 million on EINSTEIN over the last few years, yet the program detected only 2,200 incidents across all three of its versions, and E3A blocked just over 600 incidents.

“As of Sept. 29, 2017, DHS reports that, of 119 federal civilian agencies, 31 report implementing all three NCPS [EINSTEIN] capabilities, 17 of which are CFO Act agencies,” the FISMA report states.

The OMB adviser said the report shows that agencies, DHS and OMB are communicating better, which is leading to a better cyber posture governmentwide.

“The report shows people are understanding threats in a way that has context around it, and we are putting resources where they are needed the most,” the official said. “We also have shifted focus to capabilities to drive the threat down and move out of the compliance mode. All you have to do is look at the responses, agencies care about this on a daily basis, not because of a cyber executive order, but because we gave them meaningful reasons, increased engagement and are sharing the risk through a reasonable approach that holds them accountable.”

OPIC, Mint to hire new CIOs while Navy, CBP fill out key IT roles

One of the biggest surprises in the last few months in the federal chief information officer community had to have been the Department of Navy’s decision to basically get rid of its standalone CIO.

The DoN revealed in March it was restructuring the CIO’s role and merging it into a dual-hatted role with the undersecretary of the Navy and chief management officer, in this case Thomas Modly.

The decision seems to deemphasize the notion that the two sea services should operate under one set of IT policies, but it also reflects the realities of the different directions the Navy and Marine Corps have taken. The split was noticeable after a 2013 restructuring of what had previously been a single contract for a fully outsourced Navy-Marine Corps Intranet (NMCI).

A month after this dramatic change, we are receiving a few more details on what this new CIO setup will look like.

Dr. Kelly Fletcher, the acting DoN CIO, wrote a memo April 16 outlining her new role as well as how the new combined organization will work.

Fletcher announced she will be one of four senior executives leading specific efforts. In her case, Fletcher will be in charge of the CMO’s business system rationalization and modernization team.

“The CMO office will be led by four senior executives focusing on business system rationalization and modernization, development of a data strategy, improvement of audit outcomes, and reform initiatives,” Fletcher wrote. “The direct reporting of both the CIO and CMO offices to the under secretary reflects the Department of the Navy’s focus on leveraging information technology to drive rapid business process improvements.”

Fletcher didn’t say who would be the other three SESers leading the other offices.

“Many of the talented and dedicated people currently in the office of the DON CIO will follow their transferred functions to new positions in these organizations,” she wrote.

Fletcher has been acting CIO since August when Rob Foster, the last permanent DoN CIO, left to be the deputy CIO of the National Credit Union Administration.

Details of the Navy’s reorganization highlighted a busy week in the CIO community.

In addition to Fletcher announcing her new role, Sonny Bhagowalia, the former Treasury Department CIO who was unceremoniously moved out of his position in July after more than three years, revealed his new position as deputy assistant commissioner at the Homeland Security Department’s Customs and Border Protection directorate.

As CBP’s deputy CIO, Bhagowalia, who had been a senior adviser at the Bureau of the Fiscal Service, wrote on his LinkedIn bio that he will be overseeing two broad areas: information and data, which includes everything from application programs to security to data management, as well as technology and systems, which includes infrastructure programs, cybersecurity, technology training and network management.

Two other agencies also are looking for CIOs.

The Overseas Private Investment Corporation (OPIC) released an announcement on USAJobs.gov looking for a new CIO. Applications are due April 30.

Bob DeLuca left OPIC in early March after spending two years in the role.

DeLuca joined the General Services Administration in March to implement the day-to-day operations of the Centers of Excellence initiatives.

Similar to OPIC, the U.S. Mint also put out a hiring announcement for a new CIO.

Lauren Buschor had been CIO since January 2014 before leaving in July, according to a Mint spokeswoman.

Buschor now is the CIO at the Bureau of Fiscal Service.

Another interesting job announcement came up on USAJobs.gov from the Defense Information Systems Agency.

DISA is looking to hire a new SES position, the National Background Investigations System executive.

DISA says the person will be “responsible for establishing goals, priorities and measures of effectiveness to ensure that DISA and OPM-driven information technology policy and objectives are achieved with regard to the security, standardization, implementation, and sustainment of the National Background Investigations Bureau (NBIB). Additionally, he/she will work closely with OPM in order to provide executive lifecycle management of its enterprise capabilities to support their transformation to net-centricity through adoption and fielding of a more up-to-date program and enterprise-focused IT services and capabilities; directs planning for the implementation, operation, and sustainment of the OPM NBIB information technology infrastructure and services.”

Applications are due April 30.

What’s interesting about this position is the rumor about whether the White House will move almost all of the security clearance processing to the Defense Security Service.

If the administration goes through with this plan, which some say is no longer a realistic option, would DISA continue to run the technology or would DSS take over all aspects of the modernization effort?

Add to that the House Armed Services Committee’s plan to merge, integrate or even get rid of DISA, and the entire future of the position and effort will be something to watch.

With these people on the move, we can’t overlook two long-time federal employees who quietly left.

DISA’s Jessie Showers, the director of the infrastructure directorate, left after 10 years with the agency in March.

As one of Showers’ last accomplishments, DISA announced last week that the Defense Information Systems Network (DISN) optical transport system now operates at 100 gigabytes per second, up from 10 GB. DISA says the next-generation optical transport network upgrade project “supports combatant commands with improved infrastructure resiliency, service delivery node resiliency, encryption and transitions critical legacy components to an internet protocol-based Ethernet infrastructure.”

It’s unclear what Showers is doing next in his career.

Randall Conway, the Defense Department’s deputy CIO for information enterprise, retired after 26 years as a uniformed officer and another seven as a civilian employee.

Conway, who left in March, worked on DoD’s implementation of the Joint Information Environment (JIE) and helped lead the move to the cloud.

Conway says on his LinkedIn page that he is an independent consultant, living in Florida.
