How the nation’s premier cybersecurity agency can handle its new procurement authority

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Few agencies in recent years have grown in scope, people and dollars as much as the Cybersecurity and Infrastructure Security Agency. Now CISA is about to get its own procurement authority and not have to rely on Homeland Security headquarters. Could it be a case of: Be careful what you wish for? For analysis  Alan Thomas, the...

READ MORE

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Few agencies in recent years have grown in scope, people and dollars as much as the Cybersecurity and Infrastructure Security Agency. Now CISA is about to get its own procurement authority and not have to rely on Homeland Security headquarters. Could it be a case of: Be careful what you wish for? For analysis  Alan Thomas, the former commissioner of the GSA’s Federal Acquisition Service, now the chief operating officer of Intellibridge, joined the Federal Drive with Tom Temin.

Tom Temin  And in standing up a greenfield procurement organization, I guess is what they’re hoping to do at CISA, where do you start? What’s the first thing they have to do to make sure that they have that capacity from the foundational level?

Alan Thomas  I think you start with the people, Tom. Right? In particular in CISA’s this case, they’ve said they want to hire around 50 folks within the organization. And I think there in particular, it’s very important that you look for folks who have, not just the right aptitude, but the right attitude, because as you mentioned, it’s a startup procurement organization. And in some sense, it’s really a startup within a startup. I mean, CISA is the newest component within DHS. So you’re doing a startup within a startup in an area that’s changing pretty rapidly, right? A lot of technology? The focus is obviously cyber. So I think you get the right people, and that builds the right kind of culture. And then from there, lots of other things fall into place. But if you don’t have the right people, the fact you’re using good systems, or you’ve got appropriate processes doesn’t really matter. So it’s a little bit like a sports analogy. You gotta get the right players, to execute the strategy. I would start with the people.

Tom Temin  And what about what it is that they hope to buy. It’s unlikely they’ll be buying supercomputers and hardware and all of this stuff, even office furniture, but likely professional services, and IT types of services, which might be then deployed in some way throughout the government, given what CISA’s role is. Do they need people that are experts in cybersecurity related professional services?

Alan Thomas  I don’t think you necessarily need acquisition, people who are experts there. Their customers will be the expert. But I do definitely think you need people who have some fluency in technology, and also some interest, right, because I said, this is an area that’s rapidly changing. Something that you knew 18 months ago about the technology might be different today and it certainly is going to be different 18 months from now. So I think you need the kind of people who are interested and curious. And again, hey, I’m an acquisition person. I’m not a technology expert, but I’m willing to read and try and stay abreast of things and at least be somewhat fluent in that so when I engage with my customer in building requirements, and thinking about a statement of work I can have an intelligent conversation with that customer.

Tom Temin  Right. And that’s something you point out that are two distinguished skills. One is knowledge of the Federal Acquisition Regulation, that’s a skill. But in setting the right requirements really is ultimately what lets projects go forward in some kind of a smooth manner. And even mature organizations like the Army, for example, or some large ancient federal agency have these projects that never really go right that waste a lot of money. It’s endemic. DHS itself, Veterans Affairs. So that contact with, as you say, the customer within the agency, and understanding how to build requirements, that would seem like the foundational skill.

Alan Thomas  It really is. I mean, it all starts with the requirements, if you don’t get the requirements right it almost doesn’t matter what you do from sort of a process standpoint. The whole reason you do an acquisition is to acquire some services, or some goods or some combination thereof, that helps an end customer achieve a mission. If you don’t get the requirements right, you’re ultimately shooting at the wrong target. So the customer is going to be unhappy, you can run a really successful acquisition from a process standpoint, but if you don’t get what the customer wants at the end, it’s a fail. And most acquisition people don’t want that. Again, start with the right people who’ve got the right attitude and aptitude to be in this kind of fluid organization, where you’re building something as you go in an area that’s very dynamic from a technology perspective.

Tom Temin  We’re speaking with Alan Thomas. He’s chief operating officer at IntelliBridge and former commissioner of the GSA’s Federal Acquisition Service. And what should they avoid doing so that there’s no original sin in the operations and, and so on, for systems acquisition workforce?

Alan Thomas  I think it’s important to avoid trying to do too much too fast. So sometimes an organizations says “oh, I’ve got some new authority. I want to sort of race ahead and try and grab as much real estate as I can early on.” That can often lead to some stumbles. And those early stumbles, then you started to get branded as having a problem and you sort of get in this cycle where you’ve got to go back and start over. My sense, having talked to a few folks around this startup, is that that’s not going to happen there. They’re taking a very gradual approach, you know, we’re talking a 24 month plus ramp. Acquisition folks love milestones so the chief procurement officer at DHS has a series of milestones in which they’re going to want the acquisition organization within CISA to hit. Getting the right people is one but also taking on the departmental systems that are used for acquisition and ultimately standing up a CISA instance of those systems will happen, but it’ll happen gradually. There’ll be a series of processes that will go into place.  And look, the chief procurement officer and the office procurement operations at DHS will continue to have oversight, continue to certify the folks at CISA.  CISA is ultimately going to be a component like a Customs and Border Protection (CBP) or the Transportation Security Administration. But again, it’s a ramp, you know. 24 month plus ramp. So I think they’ve got the right approach in not trying to do too much too fast.

Tom Temin  Right. That instinct to lets go big sometimes can be a huge, big mistake.

Alan Thomas  It can. It can. It’s human nature, right? You go “oh, great. I’ve got these new authorities, you want to sort of exercise them right.” I know you’re a motorcycle rider Tom. You get a big fast new motorcycle, maybe the first thing you don’t want to do is take it out on the beltway. Maybe you want to ride some side streets first to get a feel for the bike.

Tom Temin  Yes. It’s easy to get squished in that situation. And should they detail people or get people from within the government? Or is this something, as you say, the right aptitudes and attitudes — are there people outside that could come in and do this?

Alan Thomas  I think it would be great to see a mix of folks. So you’re going to need some people from within the government and this is always the challenge. And I do know that they’re going to do some remote hiring as well, right. So have a mix of a D.C. based and a remote workforce. Particularly in D.C., agencies tend to steal good acquisition people from each other, right? So it’s like, all the agencies are kind of recruiting against each other. So I do think you’re going to need some senior folks who come from government, but again, who got the right attitude and aptitude. I think it would be really interesting to bring in some more junior folks from the outside. Maybe people who are a little more fluent in technology, who need to be trained up to some extent. But again, they’ve got maybe a little bit different outlook and approach. I think, particularly for a place like CISA, it would be interesting to sort of mix some seasoned feds and some newer folks. And they got a little bit of a selling point there. From “Hey, you know, we’re starting something up, so you can be part of something new. You can help shape the culture if you’re a young person.” I think that’s attractive. That plus the sense of mission can help sort of compensate sometimes for what the federal government can pay, which is, look, there’s only so much the government can pay,

Tom Temin  I would think they would want a couple of crusty, shrewd, far oriented lawyers for in there, so that these new people coming in with great ideas and great requirements, the lawyers can help make it kosher so that will pass muster legally, and maybe protest proof. But then the danger there is don’t stifle the creative thinking of those people that are doing the work initially.

Alan Thomas  That’s right Tom. You know, it’s interesting you bring that up. I saw that a bit at GSA with the Technology Transformation Services team, the TTS team there and the General Counsel’s Office at GSA. There’s a good healthy tension that can happen, but people have to have the right attitude and ultimately be solution oriented. We’re trying to get to yes, we need the lawyers to help us figure out what the boundaries are. But yeah, I think you’re spot on there in terms of the kind of folks you’d want to bring in from a senior perspective.

Tom Temin  Right and that process requires collaboration, because if you craft some —what is in your mind as the new young person coming — in the perfect solution and then throw it over the transom to the lawyers, say, then you’re gonna have trouble. Whereas if you engage those people, the lawyers, early on just as you engage your stakeholders and your customer early on, then maybe the lawyers will join the bandwagon and help you rather than find 50 ways why you can’t do this.

Alan Thomas  That’s correct. There’s a way to avoid the “tunnel of no” and it is to bring folks in early and have them be part of the solution. Team sport. Legal folks believe in that too, right. I mean, there definitely are some folks out there who think “Look, I don’t want to touch it until it’s completely finished and then I’ll opine on it, right.” But I think, for the most part, you’ll find good lawyers in government service who say, “Hey, I’m happy to dig in early,” and as I said, be solution oriented —help you figure out how to get to yes, but stay within some guardrails, which are there for generally pretty good reasons.

Tom Temin  Allen Thomas is chief operating officer of IntelliBridge, former commissioner of the GSA’s Federal Acquisition Service. Thanks so much for joining me.

Alan Thomas  Thanks for having me Tom.

Tom Temin  And you’re in my good luck to CISA.