DoD Reporter’s Notebook

“DoD Reporter’s Notebook” is a biweekly feature focused on news about the Defense Department and defense contractors, as gathered by Federal News Network DoD Reporter Jared Serbu.


Audit questions VA’s accountability system

In 2009, the Department of Veterans Affairs heralded a new era in government technology development. Its Project Management Accountability System (PMAS), it said, would deliver new capabilities in short sprints, allocate developmental resources to whatever projects are most pressing at the moment, and kill off projects that were spending money without delivering. Officials have credited the system with making sure more than 90 percent of its projects are on schedule.

Five years on, the department’s inspector general isn’t so sure VA has lived up to PMAS’ promises. In a nutshell, the auditors seem to feel that VA hasn’t committed the resources it needs to achieve its vision of wrestling its programs into a framework of accountability.

For example, the internal dashboard VA created so that it could track its IT development costs is short on reliable cost information, according to auditors. Ten out of the 19 jobs in the management office VA’s Office of Information and Technology created to oversee the agency’s compliance with the PMAS system are vacant. And many of the periodic oversight reviews of development programs that were supposed to be a key facet of PMAS don’t appear to be happening.

Two OI&T offices in particular weren’t living up to their oversight responsibilities, auditors said. The Office of Product Development, which is supposed to bring senior leader visibility into the planning phases of new IT projects, was required to conduct planning reviews on 16 projects over the past year. It only did three. And the Enterprise Risk Management Office, charged with overseeing compliance with the PMAS system, completed just three out of 10 reviews it should have conducted.

“As a result, VA’s portfolio of IT development projects, budgeted at approximately $495 million in fiscal year 2014, were potentially being managed at an unnecessarily high risk,” the OIG wrote. “In addition, OI&T and VA leaders lacked reasonable assurance that development projects were delivering promised functionality on time and within budget, which makes them more susceptible to cost overruns and schedule slippages.”

The OIG’s findings seem to undercut VA’s assertions over the last five years that it is requiring programs to produce results or else be killed off. By the book, PMAS demands that programs be looked at every 60 days to decide whether it’s time to take new ideas out of the planning stage and into active development or whether they should be canceled altogether. But in 81 percent of the cases the OIG examined, those reviews never took place.

A program designed to monitor suicide risk among medical patients stayed in the planning phase for 260 days without receiving a single review. Another, intended to help process claims for the caregivers of newborn children, was in planning for 315 days without attention from overseers.

The audit also concluded that the PMAS program as a whole doesn’t have the staffing resources to meet its own objectives. VA has filled some of the gaps by hiring contract support, but the OIG calculated VA could have saved $6.4 million by beefing up its civil service ranks to do the work.

Stephen Warren, VA’s chief information officer and acting executive in charge of OI&T, concurred with most of the IG’s recommendations, including that the PMAS offices conduct their reviews on schedule and improve the reliability of cost information in the dashboard.

But he disagreed with a recommendation to cut back on contract support. In a written response to the report, he said a recent restructuring of the PMAS office reduced the number of full-time positions to 13. All but two are now filled, and VA hopes to fill them soon. In the meantime, though, the PMAS oversight program’s workload is increasing, he said, so it will need to continue to rely on contractors for work the department deems non-inherently governmental.

This post is part of Jared Serbu’s Inside the DoD Reporter’s Notebook feature. Read more from this edition of Jared’s Notebook.


Air Force picks San Antonio to centralize its base support functions

Last July, the Air Force announced it would be moving toward an enterprise approach for several of its management functions as part of a major restructuring effort that also called for a downsizing of the civilian workforce.

As part of the shakeup, the service decided to create a single organization in charge of providing support functions on its military bases around the world, rather than letting major commands handle things themselves. But that organization hasn’t had a full staff or a permanent headquarters until now.

The new Installation and Mission Support Center will be based at Joint Base San Antonio, the Air Force announced this week — disappointing other contenders in the communities around Scott AFB in Illinois, Joint Base Langley-Eustis in Virginia and Wright-Patterson AFB in Ohio.

Part of the rationale, the Air Force said Thursday, was that about half of the employees who will work under the new center’s chain of command are already based at San Antonio. Roughly 350 other positions in other parts of the country will be relocated to Texas, but the transition will take time: the Air Force doesn’t expect all of the new headquarters staff to be in place until fall 2016.

The Air Force created the center in response to Defense Secretary Chuck Hagel’s directive to reduce DoD-wide headquarters staff levels by 20 percent. It will try to centralize several functions that the Air Force felt were being handled redundantly and inefficiently by major commands around the country, including civil engineering, policing, contracting for base services, morale programs and military pay and accounting support.


Report suggests most DoD networks susceptible to mid-grade cyber threats

A new Pentagon report on the Defense Department’s major systems includes some worrying assessments of DoD’s overall cybersecurity posture: A troubling proportion of its IT systems appears to be vulnerable to low- or intermediate-level hackers, leaving aside the advanced persistent threats everyone’s worried about.

The annual report from the Office of Operational Test and Evaluation is most known for its summarized assessments on the performance of dozens of individual weapons programs. But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD’s overall defensive positioning.

For obvious reasons, the unclassified report tends not to spell out specific cyber weaknesses in specific systems, but the office’s assessment teams found “significant vulnerabilities” on nearly every major acquisition system that went through operational testing and evaluation in 2014, including many problems that could and should have been found and fixed earlier in the acquisition cycle.

“Nearly all the vulnerabilities were discoverable with novice- and intermediate-level cyber threat techniques,” the authors wrote. “The cyber assessment teams did not need to apply advanced cyber threat capabilities during operational testing.”

Likewise, following the 16 cybersecurity exercises it observed in 2014, in which DoD “red teams” tried to penetrate the defenses of combatant command and military service networks, the OT&E assessors concluded that “many DoD missions are currently at risk from cyber adversaries” with only low-to-mid-level cyber expertise. The department, they wrote, cannot consistently show that its critical missions could be kept safe from an advanced attacker.

“The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most DOD networks, and could be in a position to degrade important DoD missions when and if they chose to,” according to the report. “It is therefore critical that DoD network defenders, and operators of systems residing on DoD networks, learn to ‘fight through’ attacks, just as they are trained to fight through more conventional, kinetic attacks.”

The authors noted special concern for that “fight through” capability. In just over half the assessments, the military’s network defenders were able to mount a response that was designed to expel cyber attackers from their networks. But that response was often too slow to deal with a mid-level or advanced attacker before they got a foothold elsewhere in the system at hand.

Auditors also found it worrisome that the DoD defenders’ response to seeing enemies on their networks was often to reboot affected machines or reinstall software they thought was infected. While those may be effective countermeasures against an ongoing attack, they’re not particularly helpful if the objective is to keep mission-critical systems up and running.

The assessors were apparently impressed with at least one of the DoD exercises. In one, called Turbo Challenge 14, U.S. Transportation Command managed to successfully block an attack by an intermediate-level group of simulated attackers through a combination of quick response, hardened server infrastructure and ongoing, automatic review of server logs and strong password policies.

But that “infrequent success” was the exception and not the rule in 2014, according to OT&E. Elsewhere, red teams “routinely” burrowed their way deep into networks using stolen passwords. The most common points of entry were vulnerable websites and through phishing attacks.

“The asymmetric nature of cyber operations allows even a single default or weak password to lead to rapid access and exploitation of the network,” the report said. “This is particularly true when the password belongs to an individual with elevated privileges. FY14 assessments revealed numerous violations of DoD password security policies, which indicates the policies are either too difficult to implement, too hard to enforce, or both.”

Among their recommendations, the authors say DoD needs to work toward a more realistic training environment, including routinely simulating cyber threats by a “representative opposing force” during every exercise it conducts.

But the department will be challenged to pull that off, given workforce constraints. Unsurprisingly, the need for trained cyber personnel continued to rise across the board in 2014.

“Demand has begun to exceed the capacity of existing personnel able to portray cyber threats,” the authors wrote. “Projected FY15 personnel needs for cybersecurity tests and assessments, as well as training for the Cyber Mission Force personnel in support of U.S. Cyber Command, may not be met unless critical resource shortfalls are addressed.”


Jessica Wright, top Pentagon personnel official, set to retire next year

Just as Ashton Carter, the likely successor to Chuck Hagel, begins his tenure as Defense secretary, he’ll be in the market to replace one of his most senior deputies.

Jessica Wright, who’s served as the undersecretary of Defense for personnel and readiness since January 2013, announced on Thursday that she’ll be retiring at the end of March.

Hagel, speaking at a Pentagon briefing on the military’s latest sexual assault statistics, said he had asked Wright to stay in her position until a review team on sexual assault had finished its work, and she agreed.

Wright’s departure caps 40 years of government service, including as assistant secretary of Defense for reserve affairs and 35 years in the Army before that. She retired from uniformed service as the adjutant general of the Pennsylvania National Guard.


Pentagon launching new review of LPTA contracts

Persistent defense industry complaints about DoD’s use of “lowest-price technically acceptable” contracts — or what the industry likes to deride as “cheap, but good enough” — didn’t receive much attention in the draft version of the Pentagon’s latest version of its Better Buying Power plan.

But there now appears to be a move afoot to gather good data on exactly how widespread the use of LPTA is. Industry seems to think it’s pervasive and is causing many firms to lose money on contracts. But Frank Kendall, the Pentagon’s acquisition chief, has told us before that he suspects a few high-profile cases have blown the whole thing out of proportion.

Randall Culpepper, the Air Force’s top official for service contracting, told an AFCEA audience last week that Kendall has tasked him to lead a new team that will examine the use of LPTA throughout the department. He expects the results to wind up in a study that will inform the final version of Better Buying Power 3.0.

He didn’t specify the scope of the project or spell out exactly which questions it’s trying to answer — DoD and Air Force spokespeople weren’t immediately able to fill us in on those details either — but Culpepper said his office had been asked to lead the review for two reasons.

“One is we’ve had great success with doing LPTA, but we’ve also had a few bumps along the way that we believe we’ve learned from, and we’ll bring that experience to bear,” he said.

Among them: the “technically acceptable” part of LPTA can be hard to define, especially in the services arena. Culpepper said the Air Force has seen plenty of circumstances in which contractors lowballed their bids in an effort to win the contract, and contract dollars they got weren’t nearly enough to hire the support staff the Air Force needed to do the job.

“We did have some contractors that came in and proposed low rates that made it very difficult to deliver,” he said. “It may have been a misunderstanding of our requirements, but it might also have been because we wrote our requirements poorly. In any case, it created issues for us that we had to go back and fix.”

And somewhat paradoxically, in cases like that, Culpepper said the Air Force has now started considering vendors’ price proposals as part of its “technically acceptable” calculus during the source selection process.

In other words, the government wants low prices, but if a vendor proposes a price that’s so low that it calls into question whether the vendor is going to be able to hire the caliber of people needed to do the job, the work might actually not go to the cheapest vendor, even in an LPTA contest.

“The professional compensation package has an awful lot to do with your ability to attract and retain employees of the quality that’s required,” Culpepper said. “And if you come in with a price that’s widely different than what’s already out there on the ground in a given arena, there’s a very high likelihood that you’re not going to be able to get the kind of talent that you think you’re going to be able to get. So we’re now looking at that as part of the technical evaluation.”


DoD awards contracts for its first large-scale financial audit

This week, the Pentagon awarded a series of contracts to outside accounting firms to begin the widest-ranging series of external financial audits in the department’s history.

To be clear, DoD knows quite well that it still can’t receive a clean financial opinion on its entire consolidated financial statement — the only cabinet-level department still in that camp — but the contract awards show that financial managers think they’ve got a decent shot at passing muster with auditors on a key subset: the schedule of budgetary activity (SBA) for all of the military services.

The Marine Corps paved the way by receiving a clean opinion on its 2012 SBA audit after several years of trying. DoD hopes to do the same in the three other military services by the end of 2015 via three new contracts in which outside auditors will examine their books.

  • Ernst & Young will audit the Air Force. Cost: $14,402,567
  • Cotton & Company will audit the Navy. Cost: $9,945,932
  • KPMG will audit the Army. Cost: $13,011,077

An SBA audit is not the whole tamale — it examines only whether the military can sufficiently document the money it received via general fund appropriations and the money it spent in any given budget year. And it’s a scaled-back version of DoD’s previous goal to perform a more ambitious audit known as a schedule of budgetary resources by 2014. The Pentagon eventually abandoned that plan as unworkable because it would have required pulling together documentary evidence from past years when DoD financial management systems were in worse shape than they are now.

But DoD nonetheless believes the SBA audits, which it expects to wrap up by next November, represent progress toward its latest congressional mandate: a full audit of all of the department’s books by 2017.

“There is much left to be done, but this level of rigor will help the department focus on those areas that require the most attention,” the Pentagon said in a statement. “The awarding of these contracts is another milestone towards the department’s ultimate goal.” Subsequent contracts will be required as the scope of coverage expands to meet this goal.


Pentagon, Congress make changes to DoD CIO’s role

The Pentagon is making some adjustments to the role of its chief information officer, intended in part to help lay down where the CIO’s role begins and ends with respect to DoD’s still-developing cyber doctrine.

The changes, laid out in a Nov. 21 update to the existing DoD directive that defines the CIO’s roles and authorities, include a clearer delineation of the roles of the DoD CIO and the newly-created Principal Cyber Advisor (PCA). The Pentagon, responding to a congressional directive, designated Eric Rosenbach, the assistant Defense secretary for homeland defense, as the first PCA in June.

The CIO, the directive also makes clear, is not just the Defense secretary’s top adviser on IT management matters, but also has the secretary’s backing when it comes to getting rid of duplicative IT in the military services, creating an interoperable DoD-wide enterprise IT architecture, and has a role in determining what IT the military buys.

Terry Halvorsen, the acting DoD CIO, told reporters Friday that the changes added some responsibility to the office, but that the most important changes were clearer lanes in the road between the CIO’s office and the military cyber functions in the orbit of U.S. Cyber Command.

“As we look at the CIO and cyber, there are some things that overlap on that and there are some that don’t,” Halvorsen said. “This, along with all the other things DoD is doing, tries to clarify the CIO and PCA’s role, where the operational commander has a bigger role, what is the CIO’s role to the operational commander, and I think it did that very well.”

For instance, the new directive makes clear that while the CIO is in charge of setting certain policy guidelines when it comes to offensive and defensive cyber operations, he or she has no operational control over those missions — that belongs to the operational commander.

Additionally, the document names the CIO and the department’s deputy chief management officer (DCMO) as the co-chairs of the Defense Business Council, which oversees investment decisions for business IT systems and acts as a coordinating body for a broad array of DoD management decisions. The panel also includes representation from the CIOs and DCMOs of each of the military services.

“So we’re able now to take our cross-functional problems and share our cross-functional solutions and good data much more effectively throughout the department than we were before we had that kind of coordinated effort,” Halvorsen said.

Meanwhile, Congress is pressing the department’s CIO and DCMO operations to get even closer while also elevating their authority.

A provision in the House-Senate compromise on the 2015 Defense authorization bill would merge the CIO and DCMO offices into a new Senate-confirmed position, the Undersecretary of Defense for Business Management and Information. If the bill is passed by the Senate and signed by the President, the new title would take effect in February 2017, becoming the third-ranking position in the department behind the secretary and deputy secretary.

Because the NDAA is not yet law, Halvorsen declined to comment specifically about the provision, but made clear that he thinks the closer working relationship that he and acting DCMO Dave Tillotson have already developed is a very good thing. For instance, they’re already jointly in charge of a department-wide business process systems review that has already begun to yield $10 million in annual savings in the CIO’s office alone.

“The integration of process and the IT systems that support process is key to any successful business operation,” he said. “Since I own the IT systems and Dave owns the review of those business processes, it makes sense for us to go together when we look at the elements that are conducting the operations and using the systems. That synergy is really, really good.”


Pentagon looks to upgrade its aging videoconferencing infrastructure

In many federal agencies, video conferencing began to catch on only when travel budgets began to plummet, but in the Pentagon it’s been a mainstay for decades. The downside is that much of the equipment and technology DoD relies on for video teleconferences (VTCs) has been around for decades.

So the outfit that manages most of the Pentagon’s IT, the Army Information Technology Agency (ITA), is starting a pilot program that is examining the possibility of replacing the current infrastructure — which relies on expensive point-to-point ISDN circuits and dedicated, purpose-built appliances — with a software-based, IP-based solution.

Tom Sasala, ITA’s chief technology officer, says the agency is looking at multiple software packages right now in the pursuit of a potential everything-over-IP approach. While the Pentagon has been upgrading the equipment within its 584 VTC-equipped conference rooms at a pace of about 20 installations per year, the projects are essentially replacing old equipment with newer versions that still rely on the same legacy technical architecture.

“It costs us between $200,000 and $500,000 to upgrade our VTCs today, because in the end they’re really multimedia renovations in big rooms with mahogany-clad walls, and you have to replace big, big appliances and multiple screens,” Sasala told an IT conference hosted by the Association for Federal Information Resources Management last week.

“And the users want to be able to push slides, do Web presence and then bridge together telephone calls with VOIP and ISDN, and it’s a very complicated thing. I would be very happy if we could get everything on IP, put a computer in there and just click an icon. But right now we’ve got these consoles that are circa 1980s, and they’re not intuitive,” Sasala said.

They’re also more prone than usual to technical snafus in the middle of massive virtual gatherings of high-level military officials, like the weekly meetings Pentagon-based leaders hold with their senior commanders outside the capital region.

That sort of problem happened just last week, when all of the attendees at the Army Forces Command at Fort Bragg, North Carolina, were accidentally dropped from an important call. It turned out that for some reason, the legacy switched circuits the current VTC infrastructure relies on had been routed through Guam, to the displeasure of several officers with multiple stars on their shoulders. “When one of these goes south, it’s a thing,” Sasala said. “It is utterly a thing.”


Marines with government-issued mobile devices about to become fewer, prouder

Many members of the Marine Corps who currently have access to a government-issued BlackBerry had better start weaning themselves off.

The Marine Corps’ internal budget shakeout for 2015 was particularly unkind to Headquarters Marine Corps’ operating and maintenance budget for mobile devices, which pays for not just the phones issued to the top brass, but for about one-fifth of all mobiles issued to Marines around the world.

That budget had seven figures in 2014. It will be a five-figure budget in 2015.

Rob Anderson, the chief for vision and strategy in the Marine Corps CIO’s office, laid out the scenario in those somewhat-imprecise terms at AFCEA’s mobile technologies symposium in Washington on Wednesday. While he didn’t offer exact dollar figures or specify the number of devices that will be taken away, the point is that there will be a significant reduction.

“Those devices that are currently issued to people who are considered privileged users, a large percentage of those devices will be retracted, and those individuals will no longer have the ability to do what they do with their mobile devices today,” Anderson said.

The cutback is all the more reason, he said, to get rolling with a program that could allow Marines to begin connecting their personally-owned devices to government networks as soon as 2015. The bring-your-own-device approach is still in its early stages, but the Marine Corps believes it could dramatically cut its wireless bills. Each government-issued phone costs the service roughly $480 per year. On the other hand, officials estimate they could outfit a Marine’s personal device with a secure container certified for government data for about $40 per year.

Anderson said the pilot and the research his service conducted in preparation for it has left him very optimistic that they can solve any serious security concerns associated with a BYOD approach using, for example, an iPhone.

“The sandbox, which is 256-bit encrypted and FIPS 140-2 compliant, can be placed inside this device, so I’ve got encryption on the device, plus an organizational container with another layer of encryption and protection,” he said. “And what we’ve found with our penetration testing of some of these organizational containers is that even if you take a compromised device, you cannot extract usable data from that container. There ought to be a way we can leverage this technology for individuals so they can get access to at least their personal organizational data. We have to have a solution. We have to come up with something that we can present to leadership.”

Anderson said the use of containers might also help solve one of the nagging problems that has remained a barrier to the adoption of BYOD in government — namely, if a user’s device is compromised, can or should the government confiscate or wipe the entire device, including personal data?

“I stipulate that because the encryption is so good now, that when we remove that government container, maybe that should meet the requirements for cleaning that spillage,” he said.


DoD updates rules to protect servicemembers from shady retailers, creditors

On Friday, the Pentagon announced it is changing its financial management regulation to curtail the types of payments service members are allowed to make to companies directly from their regular paychecks, a move officials said was intended to protect troops from unscrupulous businesses.

The changes will bar military members from using the automatic payments, known as “allotments,” to pay for merchandise, vehicles and several other types of goods. But they appear to be targeted at a particular class of predatory lenders whose entire business models rely mostly or entirely on convincing service members to sign up for financing plans at exorbitant interest rates.

Such vendors tend to proliferate around military bases, but in one famous case, Rome Finance, a company that operated in various states under several different names, set up mall kiosks near military bases and sold laptops, video games and other electronics to at least 17,000 service members at triple-digit interest rates, though the documents the military members were asked to sign masked the actual APR. The company was shut down and ordered to cancel $92 million in fraudulent debts in July.

According to the New York Attorney General, the company’s success was based on the fact that its salespeople were determined not to allow their military customers to pay the actual retail price, but to pressure them into financing agreements paid via military allotments. So a $1,000 laptop, including interest, became a $4,000 laptop.

As the Pentagon noted in its announcement decreeing the new policy, the allotment system made military members especially attractive targets for lenders like Rome, because they were virtually guaranteed that the borrower would continue to make payments as long as he or she remained in the military.

The regulations, which take effect on Jan. 1, will ban service members from using allotments to buy, rent or lease “personal property.” Cars, appliances, furniture and electronics, for example, will be off-limits, but allotments can still be used for basic necessities, including rent, mortgage payments and regular transfers to family members.
