The Defense Department will revise its final request for bids in a massive information technology services contract known as ENCORE III following months of industry complaints about the agency’s strategy for deciding the winning bidders, including two formal protests that were upheld by the Government Accountability Office last week.

The Defense Information Systems Agency said it would update the RFP to fix some of the problems pointed out by protestors Booz Allen Hamilton and CACI. GAO agreed with the companies’ protests on at least two points in a decision Wednesday, saying DISA didn’t provide any reasonable basis for evaluating contractors’ costs in the parts of the potential $17.5 billion multiple-award contract that were set to be awarded on a cost-plus basis, and lacked an adequate scheme for deciding whether bidders’ prices were reasonable.

“We will amend the ENCORE III RFP in accordance with the findings and decision of the GAO, which pertains only to limited aspects of the cost/price evaluation,” Douglas Packard, DISA’s procurement executive said in a statement Friday afternoon. “It is the mission of the Procurement Services Directorate and Defense Information Technology Contracting Organization (DITCO) to be the premier DOD cyber procurement workforce. It is always our goal to obtain global and mobile information technologies and capabilities on behalf of our national defense mission partners through timely, quality, and ethical contracting. In doing so, we fully embrace the tenants of Mr. Kendall’s Better Buying Power.”

(more…)

The Air Force is in the midst of a significant reorganization of its space workforce that’s somewhat reminiscent of what began with the IT workforce a decade ago. Back then, it became clear to DoD officials that those folks were running something that looked much more like a warfighting platform than an ancillary service that helps out with traditional combat missions.

Under a new construct termed the Space Mission Force, Air Force Space Command is overhauling the training and duty rotations of most of its uniformed workforce to reflect the fact that potential enemies might want to knock out the satellites that just about every modern-day military mission depends on.

“We’ve already seen some countries perform live testing of anti-satellite weapons against their own spacecraft, and if they have the ability to destroy their satellites, they can destroy ours too,” Col. Dean Sniegowski, the total force lead for the Space Mission Force, said in an interview. “We’re going to revamp our crews to respond to threats in a dynamic environment and better support our combatant commanders.”

(more…)

On Thursday, the Defense Department made much-anticipated awards in the next generation of contracts to run its TRICARE health plan: $41 billion to Humana and $18 billion to Health Net.

Assuming the awards survive the bid protests likely to follow, Defense officials aren’t necessarily in a hurry to transition TRICARE to the new contract structure, known as T-2017. They’d much rather ensure the two vendors are ready to handle the work in the newly-reconfigured East and West regions before moving away from the current arrangement (T-3), whose expiration date the department has extended just in case things go awry.

DoD is aiming to avoid a repeat of what happened in 2013, when UnitedHealthcare, the vendor that eventually took over the West contract after three years of bid protests wasn’t able to handle the workload it agreed to take on, leading to widespread delays and improper denials of claims and forcing DoD to take emergency measures, including letting patients get specialty care without preauthorizations.

“We learned some fairly significant lessons in that last transition,” Vice Adm. Raquel Bono, the director of the Defense Health Agency told reporters Friday. “In our selection of the vendors we wanted to look closely at transition plans and their ability to meet our standards. One of the big lessons we’re going to put into play here is that we absolutely will not shift over until we are assured that the new vendors can perform all the tasks they need to.”

(more…)

There have been, sadly, more than a few cases in which the Defense Department has sunk seven or 10-figure sums into enterprise IT systems with little to show for it.

On the other hand, there are examples like the Logistics Modernization Program, in which the Army has already saved more money by implementing the system than what it’s  spent so far and what it will cost to keep it going for the next decade.

Army officials acknowledge that they hadn’t done the greatest job of articulating LMP’s financial benefits during the first decade of what’s expected to be a $4 billion program that started in 2003 and that the Army expects to continue through 2026, as the Government Accountability Office noted in a 2013 report.

But in an interview first aired Friday on Federal News Radio’s On DoD, they said the system, which helps manage the workflow of the sprawling maintenance and manufacturing network overseen by Army Materiel Command eliminated $2 billion in costs to maintain the 40-year-old IT systems LMP replaced; it’s also cut $4 billion in “spare” parts that it turns out the Army doesn’t actually need.

(Editor’s note – Lt. Col. Robert Williams, the product manager for LMP and Joshua Call of Army Materiel Command will field your questions in a free online chat on Wednesday at 1:30 pm EDT.)

“It has let us make the right decisions on divesting our inventory. We’re still providing the right parts where soldiers need them,” said Joshua Call, the chief of AMC’s supply chain management division. “Some of that was linking together what had been our legacy systems to get a clear picture of what our inventory posture is on any given day, but we also have a view into our contracting processes so that we can see when new procurements are going to be delivered, when the items that are out for repair are going to come back, when all of the items that are in transit are going to be delivered to our customers. An item manager at, let’s say, Tank Automotive Research, Development and Engineering Center can see the worldwide status of all of his logistics assets in one place.”

(more…)

Five years ago, the program manager then in charge of Navy networks described his service’s reasoning for moving to the Next Generation Enterprise Network as akin to knowing the cost of a carton of eggs: It’s reasonable to ask how much the styrofoam container itself costs if you’re buying almost a million per day.

To deconstruct that IT analogy and fast forward through a few years of history, the Navy successfully moved in 2013 from outsourcing the entirety of its 800,000-seat Navy-Marine Corps Intranet to a single vendor, HP. Yes, the same firm wound up winning the first NGEN contract and still operates the Navy portion of NMCI, but the government now controls the physical and intellectual property that make up NMCI, so, at least in theory, it’s free to switch to cardboard containers or a cholesterol-free diet.

That brings us to last week, when the Navy released a request for information flagging cloud computing as one of the IT domains that it may break apart from the next NGEN contract — expected to be awarded to a new vendor or vendors sometime next year.

The document asks any and all interested parties to lay out any potential solutions for private clouds – for government use only, but constructed and possibly housed by commercial vendors – noting that “federal and DoD policy directs cloud-based solutions be considered prior to any information system procurement,” and asking for ideas on how to “change users thinking from the current NMCI/NGEN implementation model so customers are willing to adopt cloud technologies.”

(more…)

The Defense Department said Friday that it’s just finished closing all 138 verified security vulnerabilities uncovered by white hat hackers during its first-ever “bug bounty,” and pronounced the program successful enough to warrant a significant expansion.

In the first “Hack the Pentagon” challenge, the department asked anyone with expertise in IT security to find security flaws on five of its largest public-facing websites, including the Defense.gov homepage. The first vulnerability report arrived seven minutes after the contest started, and 1,410 pro and amateur hackers from 44 states wound up making 1,189 reports of security problems during the three-week pilot in late April and early May (though many of those reports were duplicates of the same vulnerabilities).

DoD spent $150,000 on the pilot version of Hack the Pentagon, with about half the money going to administrative costs, including a contract with HackerOne, the private firm that helped run the challenge and the other half as bounties to the hackers who discovered the cybersecurity holes.

“That’s not a small sum, but if we’d gone through the process of hiring an outside firm to do a security audit and vulnerability assessment — what we usually do — it would have cost us more than $1 million,” Defense secretary Ash Carter told reporters. “Also, by allowing outside researchers to find vulnerabilities on several sites and subdomains all at once, we freed up our own cyber specialists to spend more time fixing them.”

David Dworken and Craig Arendt, two of the white hat hackers who participated in the project, said most of the issues they found were fairly run-of-the-mill bugs that are common on web servers around the world, including insecure databases and cross-site-scripting holes in which an attacker can do damage simply by pasting malicious code into a form on a vulnerable website.

(more…)

The Obama administration has already voiced its objections to the major reshuffling of DoD’s organizational chart the Senate proposed in its version of this year’s Defense authorization bill, complaining that the plans were drawn up “without careful study and consideration.” But several of the department’s top financial officials said last week that the Senate plan is directly at odds with one of Congress’ top priorities:  getting DoD to pass an audit.

Their argument, in essence, is that it’s taken the better part of seven years to get the department’s current bureaucratic structure in sync and working together toward auditability, and moving the puzzle pieces around just one year before the audit deadline would be unhelpful.

In particular, Mike McCord, DoD’s undersecretary for comptroller matters and its chief financial officer, objected to a provision that would move the sprawling Defense Finance Accounting Service (DFAS) out from under his control and place it under a brand new undersecretary for management in February 2017, just a few months before the department hopes to submit fully-auditable financial statements for the first time in its history.

“It disrupts what I see as an end-to-end financial management process that I think should be under the CFO,” he told the House Armed Services Committee last week. “But that’s only one of the many changes which we think are excessive in the Senate bill, and many of these changes are being thrown at us right as there’s a transition of administrations.”

DFAS, in addition to handling virtually all of the military’s payments to its personnel and contractors, manages many of the IT “feeder systems” that have to communicate with all of the military services and defense agencies. Ensuring they produce a proper paper trail for all of their transactions is vital to a successful audit.

(more…)

Editor’s note: This story has been updated to include comments from the DoD Inspector General’s office

July 1 will mark exactly three years since stronger whistleblower protections went into place for employees of defense contractors, the most notable change being that subcontractors are now protected against reprisal when they report wrongdoing.

When the new rules took effect in 2013, the Pentagon’s inspector general predicted they’d cause an uptick in reprisal complaints. That’s proved correct, but the number of complaints the IG has substantiated has remained surprisingly low. Specifically, the IG has backed a contract employee’s reprisal claim in  just one case in the past three years.

A periodic summary of DoD’s inspector general submitted to Congress last week combined with similar documents over the last three years shows that the office has handled 370 complaints from contractor whistleblowers who claimed they suffered reprisal since midway through 2013.

Of those claims, the vast majority, 322 (87 percent) were dismissed by the IG for lack of evidence. Another 22 were withdrawn by the whistleblowers themselves, leaving just 26 cases that led to formal IG investigations during that period. The IG wound up closing 25 of those investigations without substantiating the complaints of the people who filed them.

The near-zero substantiation rate is despite a large increase in claims that happened almost immediately after the new protections took effect. In 2012, the IG processed 64 reprisal claims from whistleblowers working for contractors. By 2013, that figure rose to 107 and has stayed above 100 in every year since. The office processed 69 reprisal complaints from contract employees during just the first six months of fiscal 2016.

(more…)

The Army is a few weeks away from an experiment that aims to tackle one of the most persistent bugs in the federal government’s budgeting process: the “use it or lose it” phenomenon that manifests itself at the end of each fiscal year in almost every government office.

As part of a directive set to take effect on July 1, the Army is telling the leaders of all of its major commands that they cannot cut a program’s funding just because it didn’t spend all of its money the year before. In theory, the policy would at least reduce managers’ incentives to binge on questionable purchases in the last few weeks of September.

The Army’s comptroller and its director of business transformation are in charge of drafting specific regulations to put more meat on how the policy will work in practice. Until the rules are written, an April memo signed by then-acting Army Secretary Patrick Murphy describes the basic thrust:

“Commanders and staffs will not automatically decrement commands or programs in future allotments when they do not spend all funds without further investigation.” Unit comptrollers and other higher-ups will have to “evaluate the reason for the under-execution and determine if it was a onetime event or funding adjustments are needed.”

Another provision of the broader directive, titled “Changing Management Behavior,” says top commanders must find ways to encourage the organizations under their charge to save money instead of spending everything they have. This includes letting them repurpose any savings they find to pay for their own unfunded priorities in the next budget year.

(more…)

Following a year in which spearphishing attacks including the one against the Office of Personnel Management were the main preoccupation of government cyber officials, the Navy’s top cyber commander said her service needs to spend the next one thinking about a broad array of new activities that fall under the general heading of “procedural compliance.”

By that, Vice Adm. Jan Tighe wasn’t only referring to the Navy’s own workforce and whether it’s following the service’s existing cybersecurity policies. For those matters, the Navy and the broader military already conducts regular cybersecurity readiness inspections, encapsulated in reports that now go all the way  to the Secretary of Defense, tallying each command’s violations every time a sailor plugs a smartphone into a government computer’s USB port.

Instead, the “year of procedural compliance” is meant to ferret out potential cybersecurity gaps in almost every interaction between the fleet, its IT vendors and the ways the Navy currently integrates IT onto its ships and shoreside bases.

(more…)