GSA plots path ahead for once-troubled acquisition management system

GSA says its problem-plagued System for Award Management is now working, but its failures have pushed agency officials to pursue a new path to consolidate the g...

When the General Services Administration launched its System for Award Management (SAM) a year-and-a-half ago, there was trouble right away. It was slow and had frequent outages.

Then, several months later, a serious cybersecurity vulnerability popped up.

But GSA says it has now fixed the system, and the course it’s charted for the next 10 years of IT systems that handle government contracting is drastically different: open architecture, open source code, a marketplace for third-party apps, and the government as the system integrator.

SAM was supposed to consolidate eight federal data repositories that are used across the government in the day-to-day management of the acquisition process. So far, three of those legacy systems have been folded into SAM: the Central Contractor Registration (CCR) system, the Excluded Parties List System (EPLS) and the Online Representations and Certifications Applications (ORCA).

After more than a year of work squashing bugs, GSA officials say the system is now pretty stable. It hasn’t suffered an unplanned outage since August, it’s undergone a full battery of cyber penetration tests, and it’s just received a new authority to operate (ATO).

Overall, said Kevin Youel Page, an assistant commissioner in GSA’s Federal Acquisition Service, the system is much more usable.

“We’ve had a great deal of effort put into reducing the wait times for help desk calls, the call wait times are dramatically down and the number of calls to our help desks are dramatically down,” he told an IT industry audience Tuesday at GSA’s headquarters in Washington. “We’re starting to see that some of the growing pains of a new system are being worked through, and we’re starting to see that the mission is being delivered in ways that we were having a hard time explaining a year ago.”

More confidence in SAM

Now that the system is working, agencies are starting to see some of the benefits GSA originally envisioned from consolidating disparate IT systems that didn’t communicate with one another into a single environment.

For example, GSA cites a 91 percent reduction in data errors compared with the legacy CCR system. And a year ago, only 29 percent of contractors’ representations and certifications were up to date in the ORCA system. Under SAM, it’s nearly 100 percent, Page said.

“That’s a dramatic improvement for federal acquisition,” he said. “It really allows contracting officers to have a lot more confidence in the acquisition system writ-large. That’s a very big deal.”

Page said in order to remold SAM into a system that’s more functional and responsive, GSA changed its approach to rely more heavily on acceptance testing with end users across the federal and contractor community.

“We haven’t always been top-shelf in that department,” he said. “A lot of work has gone into bringing federal users, and, for the first time, non-federal users into the user acceptance testing regime. We serve tens of thousands of federal contracting and program officers, but there are 500,000 users registered in the system, everyone from small grantees to very large corporations. Getting each of those user experiences right is a non-trivial task, and understanding their needs is an important thing for us in our path forward.”

The path forward involves a course correction for GSA, based on some of the hard lessons it learned from SAM.

The agency decided it shouldn’t continue to build features onto a platform that appeared to be inherently not secure, not adaptable and not scalable enough to keep pace with a changing regulatory environment. So it intends to move away from the proprietary, system-centric approach and into an integrated, app-driven environment of common services for managing data across the entire federal acquisition lifecycle.

The future Integrated Award Environment (IAE) will be based on an open architecture.

“Thinking about this, we asked ourselves, ‘Do we really need one system, or do we need a very thoughtful set of data management principles and a functional understanding of what it is we do?’” Page said. “Would we be better off thinking of what we do as a collection of web services? What’s in the way of us thinking about a world of [application programming interfaces]? What’s in the way of us building on a common platform of services, probably cloud-based, that give us room to grow and expand and track cutting-edge commercial capabilities in cutting cost and doing data analytics?”

Open to all developers

Ultimately, GSA decided there is nothing in the way of those ideas. So, it’s moving ahead with plans to open up not just the broad architecture of its acquisition management systems, but also every single line of source code that’s written for the project, whether the coder is a government employee or a contractor.

“Every piece of code we build using taxpayer money ought to be available to everybody else to use,” said Sonny Hashmi, GSA’s chief technology officer. “If New Zealand or Clackamas County, Ore., has a problem that’s similar to ours, we want them to be able to use our code to solve it. Not only that, we can also create communities of interest around this, so that if there’s a drop-down menu that doesn’t work in a particular web browser, the user community there can take on some of those challenges themselves. Then, we can really create the same kind of model that the open source Linux community has, where there’s a vested interest in fixing things. If it were up to us, we would not be focused on making sure all our pages were optimized for Opera or Android smartphones. But if it’s important to a community of users, we want to make sure they have the ability to go forward.”

GSA says it wants its environment to be so open that third-party developers who aren’t even involved in the official development of the Integrated Award Environment can easily build apps that solve particular niche requirements among agencies or contractors who need to access or manipulate acquisition data.

But doing that in a secure way will require a robust system for identity management that applies across all of the government’s data sources.

“Everything must have a common identity,” Hashmi said. “When a contracting officer does their job, they shouldn’t have to worry about logging into FPDS to do a certain function and then FBO to do something else. They should have one identity. That identity should dictate what they have access to, what kind of data they can see, what kind of processes they can initiate. That’s going to allow us to be better monitors of what’s going on in the system.”

Controversial role

As it builds the infrastructure for the new acquisition management environment, GSA says it believes it shouldn’t rely on a single vendor to act as a system integrator for the project. Hashmi said the underlying open approach will require the government to take on that role, though he acknowledges it’s a controversial decision given the government’s spotty record as a system integrator.

“We ultimately own the risk,” he said. “We ultimately own the responsibility to make sure that taxpayers’ data is secure, that the code is high-quality, that it meets the architecture standards, that it meets security standards, and we have not been very good about that in the past. We need to be able to test and validate a piece of code. In the past, we’ve told you to build a house, we need four or five bedrooms and maybe a kitchen and a basement, and then we walk away. Then we’ve come back after 18 months and said, ‘This is not what I wanted. It’s not even in the neighborhood I wanted to be in.’ We don’t want to be those people. We want to be part of the process throughout the way, and to do that, we need to build some muscle internally. That’s going to be a challenge for us.”

GSA’s approach also will emphasize agile development. It wants to release new capabilities into the environment in intervals no longer than six months apart, but with enough quality assurance processes in place to ensure that it’s not introducing new bugs every time it tries to solve a problem from an earlier software release.

“One of the lessons we learned in our last go-round with SAM was that all the risk was managed over a long period of time,” Hashmi said. “The thought was good, but the implementation still took a waterfall approach, and the risk was managed in a black box so that it didn’t materialize until the end of the project. We never want to repeat that mistake again. We want to do iterative development and modular releases. Then, we can manage the risk in increments and change course as necessary along the way.”

GSA officials did not offer a schedule for implementing the system. They said that while they’ve worked out the fundamentals of the architecture of the environment, the process is still at its early stages.


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
