“Inside the Reporter’s Notebook” is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and the like.
This is not a column nor commentary — it’s news tidbits, strongly sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.
As always, I encourage you to submit ideas, suggestions and, of course, news to me at firstname.lastname@example.org.
Insight by Sonatype: Stephan Mitchev, acting CTO at USPTO, discusses how USPTO is looking at supply chain issues to address cybersecurity concerns. Dr. Stephen Magill, VP of product innovation at Sonatype, provides an industry perspective.
DoD taking own path with cloud security?
Defense Department CIO Teri Takai raised some eyebrows at the recent cloud and mobile integration conference sponsored by the National Institute of Standards and Technology.
Takai said DoD is developing its own cloud security standards.
“Moving into commercial clouds is a challenge. Each comes with a little different flavor of how they do security, how they manage and then the question becomes how much are they going to let us, DoD, see of the inner workings of their cloud and how far do we have to get in to make we can meet our security standards?” Takai said March 26. “We are looking at implementing a DoD cloud security model, which will effectively help us, with the assistance of the work that Federal Risk Authorization and Management Program (FedRAMP) is doing, provide to the commercial cloud providers some standards and some requirements to be able to operate for DoD.”
One industry expert said Takai’s mention of DoD cloud cyber standards is not a big deal as the Pentagon is focused solely on high security systems.
But GSA recently said it’s beginning to work on FedRAMP standards for NIST level 3 high security systems. So if DoD is working on a separate set of security controls for high-value systems, that seems to fly in the face of what FedRAMP is all about. No?
A government source says DoD, and really all of government, is trying to figure out how to incorporate existing government security capabilities, such as continuous monitoring, Einstein and the Trusted Internet Connections, with public, private and hybrid cloud infrastructures.
Takai didn’t clarify whether DoD’s cloud cyber effort is complementary to FedRAMP efforts or directly related. Publicly, she’s always been a big supporter of FedRAMP, which is why her comment raises concerns.
Without a doubt, security has to be DoD’s top concern when using public or even hybrid clouds, but the whole point of FedRAMP was to take advantage of common, agreed upon standards to reduce time and cost.
“Our move to the cloud and our desire to move to the cloud is as security based as it’s based in efficiencies, saving money or, to some extent, the presentation to the customer,” she said. “We are at significant risk if in fact we continue to have very sensitive information on devices. That is not just from mobile perspective. That’s from a standpoint of all the devices we use. We are seriously looking at how we can move to thin clients in those areas where it makes sense. From our standpoint, the less data on a device that can be compromised and lost, the better off we are from a security perspective.”
What is clear about DoD’s cyber efforts is the move to integrate NIST standards into the 8500 document is a big deal for federal IT community. This is the first update of the 8500 document since 2007. DoD released the revised cyber standards March 14.
“We are basing our standards on the NIST framework. There are going to be, in some cases, additional criteria that we will place on it,” Takai said. “But we will no longer put companies in a situation of having to do something different for DoD than what they are doing for others in the federal government who also are picking up and meeting the NIST standard.”
This is a major change that has been in the works for many years. DoD said in July they are more common than not when it comes to security standards.
And speaking of DoD and cybersecurity, Gen. Keith Alexander, the head of the National Security Agency and first commander of the U.S. Cyber Command, is retiring Friday.
Alexander faced a rough last year as head of NSA, but that shouldn’t overshadow his contributions and success with standing up and making Cyber Command an influential organization.
Over the last four years, Alexander brought Cyber Command from an idea to reality, and expanded its capabilities from primarily defensive to a combination of both offense and defense.
He also promoted the hiring of more and better trained cyber workers and brought each of the service’s individual cyber command under him for better oversight and coordination.
His tenure at NSA likely will be questioned based on details released by Edward Snowden, but as the father of the U.S. Cyber Command, his legacy is strong.
By the way, the Senate Armed Services Committee approved the nomination Alexander’s replacement, Adm. Mike Rogers, March 26 as well as Robert Work to be deputy secretary of Defense.
Treasury’s Reger joins OMB to fill financial management void
The Office of Management and Budget turned to a veteran of federal budgeting to begin replacing its top two financial managers.
Mark Reger recently came over to OMB on detail from the Treasury Department to be the acting deputy controller.
Reger’s detail helps fill the void left when controller Danny Werfel became the acting IRS Commissioner in May 2013, and his replacement Norman Dong, who had been deputy and then acting controller, moved over to head up the General Services Administration’s Public Building Service in late March.
By bringing Reger over, OMB has a veteran of state and local government, and someone who has served in senior executive capacities in small and large agencies.
Reger has been Treasury’s deputy assistant secretary accounting policy in the Office of the Fiscal Assistant Secretary since 2010 where he’s helped lead the financial management standards effort. He is a member of the Federal Accounting Standards Advisory Board and was CFO at the Office of Personnel Management for three years.
Reger also comes as OMB is putting some of the most important pieces in place to give its financial management shared services some life. OMB and Treasury’s Office of Financial Innovation and Transformation are expected to name new federal shared service providers in the coming month.
Along with the controller position, the White House still must name a new administrator in the Office of Federal Procurement Policy.
Federal Computer Week reported recently that Anne Rung, the associate administrator in the Office of Governmentwide Policy, is the on tap to be named to that role.
But talking with several senior executives and well-connected industry observers, Rung’s nomination is nothing more than strong rumor.
OMB has suffered from holes in its management ranks for most of the last three-plus years of the Obama administration. With Director Sylvia Mathews and Deputy Director for Management Beth Cobert in place now for several months, senior federal executives have told me they are hoping for a re-emergence of the “M” side of OMB.
It’s never a dull time for agency chief information officers what with Rob Carey, the principal deputy CIO at the Defense Department, and Interior Department’s Bernie Mazer becoming at least the seventh and eighth CIO or senior IT executive to announce he’s leaving in the last six months. Currently, five large agency CIOs are in acting roles, including at the Veterans Affairs Department, where Stephen Warren has been acting for more than a year.
But on the positive side, NASA Goddard Space Center quietly named Dennis VanderTuig as its new CIO back in January. VanderTuig has been with Goddard since 2007 and previously lead an evaluation and restructuring of the Goddard IT functions.
Several people are asking why the sudden exodus of CIOs.
Is it just time for people to move on to new challenges?
Or is something else happening in the federal IT community?
New contracts database a win for OFPP, but will it stop the proliferation?
It’s great when OFPP commits to doing something and actually comes through and we find out about it. The combination of the two is a rarity across government.
Back in October 2011, then administrator Dan Gordon issued a memo in an effort to try to tame interagency contracting. In that memo, Gordon committed that OFPP would develop a database of all governmentwide acquisition contracts, blanket purchase agreements and other interagency contracts.
Well, OFPP launched the Interagency Contract Directory (ICD) and mentioned its existence to my knowledge for the first time publicly at the Acquisition Excellence Conference on March 20.
The ICD is pretty straightforward. You can do a simple search for keywords or, through the advanced search, you can filter the search through nine categories, including vehicle type, contracting department, who can use it — agencywide, DoDwide, governmentwide — and by product or service.
A quick search of IT and Telecom (D399 of course) returns more than 3,800 results. Who knew how many options an agency had to buy IT and telecom?
The results actually are quite informative, listing 26 different data elements ranging from who can use it, to whether it’s set-aside for small businesses or other socioeconomic categories to how many orders have been placed and how much money obligated against the contract so far.
In all, there are more than 18,000 contracts listed on the site, which should be the first sign there is a problem with the proliferation of these contracts.
In addition to the ICD, OMB launched Uncle Sam’s List last spring as a way to promote shared services. USL provides details on OMB’s MAX site about more than dozen commodity IT service areas and more than a dozen support IT service areas that can used across the government.
“I think we need to build [ICD and Uncle Sam’s List] out. I think we need to make it very clear what’s already out there. We are learning a lot on those commodity teams,” said Lesley Field, acting OFPP administrator. “We bring the people together and [they say] ‘We have a contract for this, and we have a contract for this.’ Those folks have never actually got into a room together to talk about how best to do it. And so, there’s a lot more we can do in this space.”
The idea of such a database is something that has been called for several times over the last eight years, and long-seen as a way to begin to address the proliferation of multiple award contracts.
The Government Accountability Office first highlighted the need in 2006. The Services Acquisition Reform Act Panel called for such a repository in its report in 2007. And GAO, again in May 2010 called for the development of a database, saying the lack of data hurts the government’s ability to ensure they are getting the best prices and best value.
OFPP tried to develop such a database in 2006 when it launched the interagency contracting data collection initiative. But that effort didn’t produce a worthwhile database.
Now that agencies know what contracts exist and who runs them, the long-held hope is that they will stop developing new ones and use the existing MACs.
Starting this year, OFPP requires agencies to develop a business case for any multiple award contract worth more than $50 million over the life of the vehicle and place the business case on OMB’s MAX website for other agencies to review for at least 15 days.
The ICD may be one of the few ways to know if this policy is actually working based on raw numbers of contracts on the database.
IT Job of the Week:
Ever dreamed of running the technology for an organization Congress actually likes? Well, the Congressional Budget Office is looking for a new CIO. You would manage a 13-person staff, must be able to obtain and maintain a top secret clearance and would oversee all aspects of CBO’s IT infrastructure. The job opening closes May 30.