Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Exclusive

OMB requires updated EIS transition plan in IT passback guidance

Final results aren’t in yet, but in all likelihood, agencies missed another deadline under the Enterprise Infrastructure Solutions (EIS) telecommunications and network modernization program.

The General Services Administration set a March 31 deadline for agencies to transition at least 50% of all services to the new contract from the Networx program.

But this deadline, unlike the previous ones, will have consequences.

The Office of Management and Budget is requiring a report from each agency by July 1 on its EIS progress.

In its budget passback guidance, which Federal News Network obtained, OMB told agencies to submit a report detailing “how it will make progress on past-due milestones and actions it will take to complete the transition before the legacy contracts expire on May 31, 2023.”

While it’s unclear if this is the first time OMB mentioned EIS in the passback, the fact that it is doing so now, combined with the pressure from House Oversight and Reform Committee members through the Federal IT Acquisition Reform Act (FITARA) scorecard, means agencies may be feeling a little more pressure than normal.


“I do believe with the new administration coming in the focus on security and the need to secure our national data, the emphasis is not just to get to the cloud, but how we get it to our customers and in our users. The combination of the passback is one influencer, in addition to FITARA,” said Allen Hill, the deputy assistant commissioner for category management in the Office of the IT Category (ITC) in GSA’s Federal Acquisition Service, in an interview with Federal News Network. “But more so what I consider most important is getting outdated technology off the infrastructure, it can’t do zero trust architecture. For you to get there, you have to eliminate that technology. It’s not just about saving money, it’s also about securing that national security interest, and you can’t have access to the cloud without the network, you can’t get that information to your end device without the network. You have to have security built into it from end to end, and that’s where zero trust architecture comes into play. It’s important for agencies to say ‘what is that North Star that we’re going to?’ The zero trust architecture is that, and where we can be able to work in a mobile environment because of what’s happened with the pandemic, but do it securely.”

The House committee added EIS transition as a grading factor in the 11th version of the scorecard that came out in December. The General Services Administration, the United States Agency for International Development, the Commerce Department and the Small Business Administration also saw whole letter grade drops because of their lack of progress with EIS. Five agencies — Commerce, the Department of Homeland Security, NASA, SBA and the Office of Personnel Management — received Fs on their EIS transition progress. GSA and the departments of State and Defense received D grades.

Hill said GSA will not know whether agencies met the March 31 deadline until the May timeframe when the new EIS data comes in. But even then GSA’s insight into the progress is limited.

“In terms of where agencies are, it’s hard to gauge all the agencies and where they’re at because we don’t necessarily get to see that information. We can only see it purely from an inventory perspective,” Hill said. “I do think that this is not something that is going to happen where you see steady decline of inventory. You’ll see bulk changes and inventory has been reduced as they do the necessary infrastructure updates for their network and move over to the new technologies.”

The Labor Department is one of the outliers with EIS among large agencies. It said in an April 5 tweet that it transitioned 70% of its telecom network circuits to the new contract, easily besting GSA’s goal.

Hill said the Social Security Administration is another large agency that has made significant progress in moving to EIS.

But Hill and EIS vendors acknowledge there is still a lot of work to do between now and September 2022 — agencies’ next deadline to move 100% of their network inventory to EIS.


As of Jan. 31, Hill said, agencies have released 164 of the 212 expected fair opportunity solicitations to industry. Of those 164, agencies have awarded 93 task orders. Another 48 solicitations still need to be released.

Additionally, 9 of 17 large agencies and 11 of the 25 medium agencies have awarded all of their task orders.

Hill added agencies under EIS have awarded about $14.5 billion in task orders over the last few years, and eight of the nine vendors have won some form of work under the program.

Award decisions taking too long

Vendors supporting the EIS program said the release of solicitations and corresponding awards picked up steam over the last three to six months. But, at the same time, the program continues to be a slog.

Several vendors said some agencies are sitting on proposals for more than a year, calling into question whether the government is missing out on cost savings and better services.

“The elongation of the award cycle is brutal. We’ve submitted bids over a year ago on some solicitations that haven’t been awarded. It makes us wonder that when the government finally does make the award, are they getting today’s technology and the appropriate cost structure?” said David Young, the senior vice president of public sector at Lumen. “We’ve attempted a couple of times on some of the more lengthy awards to ask for best and final offer, but we haven’t achieved that. If the government has a desire to get a lower cost structure, they are missing because of elongated award cycles.”

Young said in his 30 years in the federal telecommunications market, he doesn’t remember seeing timelines to award being this long. He said the fact the government isn’t asking for best-and-final offers is frustrating and surprising.

Tony Wellen, the president at BT Federal, added that when agencies are making awards, their transition schedules are aggressive.

“The fast response times are not an indictment of the process, but just fact. Agencies have a short fuse for when we are to respond to questions, and depending on the nature of the questions, it can make it difficult to get it done on time to meet deadline for bid,” he said. “The short timelines seem to benefit the incumbent contractors too.”

Young, Wellen and others say they have brought the elongated schedules to GSA’s attention.

Time to relook at strategies

Hill said GSA is in regular contact with agencies that haven’t awarded or released their solicitations.

“We talked about the remaining inventory that’s left for them to understand the complexity of their transition. But if they have a solicitation that has not been awarded, we especially have been reaching out, and we do suggest that they go back and update since it’s been a while,” Hill said. “The vendors have communicated to me too that they are getting better prices, understanding things a lot better and being more innovative. The competition is really good with the vendors, and it’s not just from the pricing perspective, but they’re being very innovative with what they’re offering in terms of modern solutions to eliminate the legacy technology and help us move to where we can better secure our information that is going through those circuitries.”

While vendors are offering innovation, some say agencies are not always taking full advantage of it.

Chris Smith, AT&T’s vice president for civilian and shared services, said agencies are trying to find the right balance between moving existing technologies and circuits — known as “like-for-like” — and implementing new technologies like software-defined wide area networking (SD-WAN).

“A majority of the bids we are looking at are asking for SD-WAN and other newer technologies. We still are early on implementation, but SD-WAN is mainstream now,” he said. “Cybersecurity advanced solutions has always been something individual agencies are looking at, and with the SolarWinds hack, and that incident doesn’t stand alone, we are seeing the demand for newer cybersecurity solutions as well as solutions around mobility and 5G.”

Hill said several agencies are planning for innovation over the medium term, but following the like-for-like approach more immediately. But he said the term “like-for-like” is a bit of a misnomer.

“There are some agencies that are saying ‘let’s just start out with modernization,’ while other agencies are saying, ‘let’s get it moved over, and then let’s rebaseline of what we modernize in a more sequence fashion.’ I understand that approach too because if you take a moving from a legacy voice system to a modernized voice system, you don’t want your phone not working. You want to make sure that it’s updated,” he said. “If you’re taking voice and data circuits and collapsing them where they’re being leveraged, there’s a lot of tweaking that has to be done to make sure that the Voice Over IP (VOIP) works the way it’s supposed to, and making sure you have a good quality of service. Agencies are going out and asking for software defined wide area network solutions, but they may not move to it immediately because there’s a lot of infrastructure for you to move to a software defined wide area network. In addition, working with CISA and TIC 3.0 guidance also is helping to drive how Trusted Internet Connections (TIC) is being done to support the past, but also to support the new zero trust network architectures that are needed.”

Procurement innovation happening

Robert Dapkiewicz, senior vice president and general manager for MetTel Federal, said some of the more recent task orders have asked for more transformational technology, but not at the expense of mission effectiveness.

“With one customer, they wrote their solicitation as a like-for-like transition with the understanding that they will transform at a later date. But coming out of the gate during the pandemic, they started to move to SD-WAN right away,” he said.

BT Federal’s Wellen added agencies have been more open to new or different acquisition strategies, such as splitting up large task orders into smaller ones in order to work with multiple vendors as well as asking for managed security and network services.

Dapkiewicz pointed to the Department of Homeland Security as an example of an agency taking the smaller bit approach.

Lumen’s Young and several others continued to express concerns about solicitations, particularly large RFPs, either favoring incumbents or agencies awarding incumbents follow-ons.

“EIS is packed with opportunities for agencies and GSA did an incredible job in putting the vehicle together so if an organization isn’t moving along fast enough, they should reach out to vendors or other agencies for help. And if you put together your procurement or plan a while ago, you need to look out over the horizon about what capabilities are available today and tomorrow, and how you can make the best investment in security, resilience and increase productivity and collaboration,” AT&T’s Smith said.


DoD initiates CMMC review — big deal or perfunctory?

When the Defense Department confirmed that Deputy Secretary Kathleen Hicks decided to review the Cybersecurity Maturity Model Certification (CMMC) program, initial reactions were mixed.

Some experts said this is a significant sign that the Biden administration wants to rethink major aspects of CMMC.

Others say it’s a perfunctory review and one any new administration would undertake given the importance of the program. They say these reviews likely are happening across DoD.

A DoD spokeswoman offered little insight into the review and what its goals are.

“In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the department remains deeply committed to the security and integrity of the defense industrial base. As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” said Jessica Maxwell, the DoD spokeswoman, in an email. “As this internal assessment is ongoing, we are not able to provide further detail. This assessment will be used to identify potential improvements to the implementation of the program.”

One former CMMC Accreditation Board member downplayed the review, saying it likely was just part of the administration changeover.

Another source familiar with CMMC, who requested anonymity because they didn’t get permission to talk to the press, offered an even more restrained opinion.

“There is more support in the department and more impetus to do this than ever before based on what DoD leadership is saying the resources they are willing to commit to it,” the source said. “One of [the] things that CMMC recognizes is that they did things fast, and things will come up that they will have to course correct.”

Congress reviews about to get started

Stacy Cummings, who is currently performing the duties of the Under Secretary of Defense for Acquisition and Sustainment, issued a memo a few weeks ago outlining two specific review areas, including CMMC implementation.

FedScoop first reported the DoD’s decision to review CMMC.

On top of this review, DoD is in the middle of delivering reports to Congress and working with the Government Accountability Office on CMMC reports and analyses. The 2021 Defense Authorization Act required the DoD chief information officer to assess each department component against the CMMC framework and report findings to congressional defense committees by March 1. Lawmakers want details on how each component “will implement relevant security measure to achieve a desired CMMC [level] or other appropriate capability and performance threshold.”

Congress also asked the Government Accountability Office to independently assess and brief Congress within six months of the CIO report’s issuance.

The NDAA also requires DoD to withhold 60% of its CMMC appropriated funding until its Office of Acquisition and Sustainment (A&S) submits a plan to Congress detailing timelines for pilot activities, the relationship with auditing or accrediting bodies, planned funding and involvement of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and its plans to train acquisition staff to implement CMMC.

Finally, by September, DoD needs to submit a report on whether it makes sense to develop a cybersecurity threat hunting program to work on defense contractor systems. While the provision didn’t specifically call out CMMC, it’s related to the entire supply chain security effort.

The source said DoD is busy developing those reports for Congress and Hicks likely will review a lot of the same information.

“This is a holistic review and not just some document drill. I think they will take [a] thoughtful look at the program to make sure everyone is comfortable,” the source said. “The team they have stood up is very knowledgeable, and the CMMC PMO isn’t concerned they will find anything wrong.”

The source said DoD expects to turn the review around quickly and not impact the program’s timeline for CMMC’s initial roll out.

Areas that need to speed up

The review also comes as the CMMC-AB named Matt Travis as its new CEO. Travis comes to the board after spending two years as the deputy director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security.

“This is an opportunity I was excited about for two reasons. This obviously allows me to continue the cyber evangelization work that I feel strongly about. But more importantly I really wanted this position for two reasons. This is really the first opportunity to stop talking about cybersecurity and actually do something about it. I hope you all appreciate how trailblazing and what a new frontier this is with CMMC and what the department is doing,” Travis said at the town hall. “This is really the long game, and doing a lot of work together to build the resilience and raising the cybersecurity baseline. The second reason I’m excited because this is where the risk is. When you think about the DIB as one of the 16 critical infrastructures, we know the nation’s adversaries are targeting this sector and we know there are vulnerabilities, this is where the risk is. So it’s incumbent on all of us to raise our game, and this is a collective effort.”

Matt Gilbert is a principal with Baker Tilly’s government contracts advisory practice who leads a team that conducts reviews under National Institute of Standards and Technology special publications 800-53 and 800-171. He said that while he couldn’t offer any insight into the DoD review, there are several areas where DoD needs to accelerate its efforts.

“The area in which the DoD should focus is making sure there will be adequate assessors to handle the volume. The DoD might want to consider announcing a gating mechanism. A gating mechanism could restrict assessments to only those contractors that will be awarded one of the pilot contracts with the new DFARS 252.204-7021 clause,” Gilbert said in an email to Federal News Network. “Adding to the challenge, if the certified third-party assessment organizations (C3PAOs) are not timely assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), then significant portions of the provisional assessors will be on the sideline. Since all assessments need to be registered with the CMMC-AB, the DoD could give instructions that only those contractors that have the 7021 clause in a pending award should be allowed to proceed with the assessment.”

At the CMMC-AB town hall on March 30, the board reported 109 total C3PAOs and 100 provisional assessors.

The AB continues to review C3PAO applications with 332 still pending.

Ben Tchoubineh, the chairman of the CMMC-AB training committee, said the process for the C3PAO is the most complex one and still requires the level 3 assessment from the Defense Contract Management Agency.

“There is only CMMC level 3 assessment that has been completed so far. It will take some time for the C3PAOs to be ready to go,” he said.

Part of the reason is the DCMA’s ability to conduct the level 3 assessments through its DIBCAC program.

The AB doesn’t expect the full training and certification program to be fully ready until the fall.


Two other challenges that the DoD review may address are how to improve the markings of controlled unclassified information (CUI) and how to accelerate the release of the scoping guidance to address reciprocity.

Gilbert said without the scoping guidance, C3PAOs and contractors are likely to run into challenges and differences of opinion without authoritative literature to reference.

As for CUI, Gilbert said if contracting officers label CUI inaccurately, it could lead to some unintended consequences.

“If the requirement is tied to taking possession of CUI, this would allow a prime to issue a laptop to a sub to minimize their CMMC obligations. The sub would be saved from possessing CUI in their systems and therefore would necessitate only a level 1 certification,” he said. “The more flexibility that the DoD can provide the DIB, I think the more likely their estimates of greater than 50% of contractors only requiring level 1 will hold true.”

DoD already is seeing some delays in its CMMC roll out. Several of the initial pilots it outlined are pulling back because the service’s or agency’s timelines don’t match with CMMC being ready. DoD has said the goal is not to harm the acquisition process as it stands up the CMMC program.

The source said some of the initial pilots may look at requiring their vendors to be CMMC certified in a specific amount of time after it has awarded the contract.

“Contractors are frustrated because they want a list of pilots, but DoD doesn’t want to put pilots out there because it’s changing day to day,” the source said.

It’s hard to say what impact Hicks’ review will have on many of these issues. But as a first step, reviewing the program and bringing a fresh set of eyes to CMMC can only help to accelerate it, and, as Travis said, actually do something about cybersecurity and stop just talking about it.


GSA kicks off two-year effort to innovate service contracting beyond OASIS

Let’s get the jokes about the General Services Administration’s working title of its new services governmentwide acquisition contract out of the way. Today it’s known as a BIC MAC—Best-in-Class Multiple Award Contract.

Go ahead, have some fun.

It’s a contract brought to you by McDonald’s.

It’s a contract, no it’s a new pen.

April Fool’s Day is coming so Larry Allen, who’s always up for some fun, is probably already hard at work developing some fake press release about how Burger King already submitted a protest over the BIC MAC that he will send out to his friends and colleagues for a good laugh.

Whatever name GSA eventually comes up with that is not BIC MAC, the new approach to services contracting aims to shake things up in a way the federal contracting community hasn’t seen in at least five years.

GSA released the first of at least two requests for information on March 2 seeking industry feedback on some of the basic ideas around the contract like socioeconomic reserves, the initial list of functional domain areas, contract structure and much more. Responses to the 27-page survey are due March 17.

Jill Akridge, the director for Customer Account Management for the Office of Professional Services and Human Capital Categories (PSHC), an office within GSA’s Federal Acquisition Service (FAS), said at a recent ACT-IAC webinar that the goal is to reduce friction in the services market and possibly consolidate existing services contracts like the Human Capital and Training Solutions (HCATS) and the Building Maintenance and Operations vehicle to make it easier for customers.

“All of these things are concepts and they are in flux. If feedback shows that we missed the mark, we will come back and say how we pivoted our assumptions. We do want to build this with both industry and customer agencies in mind. That is the approach we will be taking moving forward,” she said. “We are trying to make the future, create better data and we are using this contract to get us there in the world of services.”

Akridge said FAS is just at the beginning of a nearly two-year effort to get a new contract in place before the OASIS vehicle sunsets. The next date is April 1 for an industry day. She said FAS will release a second RFI in the May timeframe looking at functional capabilities and source selection criteria. In the meantime, Akridge said FAS will continue with an assortment of industry and agency customer discussions.

She said as of now the schedule is for the final request for proposals to come out in early fiscal 2022 and initial awards to come in early calendar 2023.

The goal of the BIC MAC is to replace the OASIS contract, which is set to expire in 2024.

“It’s both an evolution and a departure from the OASIS contract. It’s an evolution because it’s clearly a follow on contract put out by the same team at GSA that runs OASIS. But it is a departure in that it’s broader in scope, likely include many more vendors than OASIS and is based on less distinct capabilities to let vendors on the vehicle,” said Alan Thomas, the former commissioner of the Federal Acquisition Service at GSA and now chief operating officer at IntelliBridge. “It’s ambitious for sure, but since it’s still early I think GSA is starting by putting everything on the table and as they hear from industry and other customers, they will whittle it down and reduce any potential risks they face.”

But some wonder if GSA is trying to fix something that isn’t broken. OASIS unrestricted and small business are hugely successful contracts for professional services with more than $10 billion in sales in fiscal 2020 and $9 billion in 2019.


Roger Waldron, the president of the Coalition for Government Procurement, said on his program Off the Shelf on Federal News Network that GSA should consider the impact of making major changes to OASIS as it’s become a strategic contract for many agencies.

“The current thinking just raises lots of questions I get from industry partners about the approach. I think GSA is thinking about a larger contract with hundreds if not, 1000s of companies on the contract. It’s thinking about continuous open seasons. It would combine the two contracts so rather than have an OASIS small business and OASIS unrestricted, they would have a single contract. I think they’re looking at whether they’re going to have a pool structure or develop some sort of domain structure around NAICS codes and sub NAICS codes around the project. And they’re also looking at using section 876 so the evaluation or price will take place at the task order level rather than at the contract level,” he said. “So the companies are trying to understand what’s the business case for moving to really what is a fundamental different approach than the current OASIS approach.”


Waldron said there are a lot of questions that still need to be answered about how the BIC MAC program will work, including how it will complement the schedules program and the overall management of the contract.

GSA’s Akridge said there are some specific differences between this new vehicle and the schedules, including the initial requirements for vendors to earn a spot on BIC MAC.

“There’s capabilities that we can’t do on schedules and we tried to get authorities for it that we know are needed in the world of services like cost-type contracting, non-commercial services and unpriced aspect,” she said. “There are scope areas that schedules don’t cover as well today. We want to set this up in a way that thinks through contracting from purely a services perspective. Schedules is designed in a way that also has to accommodate products so it has some rules in there that maybe aren’t the best for services acquisitions.”

Changes to the federal sector

She said there are some similarities with the schedules, so FAS wants to take the best of all worlds and bring them into the new vehicle.

Akridge said there already are some discussions about adding an unpriced aspect to schedule contracts.

IntelliBridge’s Thomas said he did ask about changing the schedules program to allow for different contract types when he ran FAS.

“It’s a different workforce that manages the schedule contracts than the one that runs OASIS so the skill-sets are different, which may be a challenge for them to manage cost-plus contracts,” he said. “It was a perspective that I hadn’t thought about. Schedule contracting officers have a good set of skills that are well established. The schedules program also is based on commercial offerings, while OASIS is not necessarily commercial.”

Tris Carpenter, the director of capture for Red Team Consulting, said with the changing nature of the services market and how it’s becoming more complex, GSA’s thinking for its BIC MAC is an important recognition of the changes that are happening in the federal services sector.

“The right step toward increasing integration, reducing duplication and eliminating the ‘race to qualify’ for sporadic award/on-ramp milestones,” Carpenter said. “Although the claw back of the Alliant 2 Small Business GWAC was a blow to many in the industry, it has also now created the opportunity to synchronize the major GSA GWAC portfolio (including STARS III, Polaris, and BIC MAC) into an integrated federal acquisition approach. However, GSA needs to be continuously aware of the need for transparency and representation across all industry partner types and business sizes. Most firms want to deliver and support agency missions, while growing their profitability and employee base. This includes having a fair opportunity to compete for opportunities in their specialized domain areas at a reasonable price that align with operating market conditions. GSA’s exploration of eliminating price at the master IDIQ level and setting a minimum set of domain award qualifications/criteria is encouraging; however, it must be clearly defined how it will be reliably applied on an ongoing basis.”

3 considerations going forward

IntelliBridge’s Thomas added there are three things FAS should consider as it continues to develop the BIC MAC program.

First, he said strong industry engagement must continue.

Second, FAS should continue to talk to agency customers, particularly those who are big users of OASIS and those that haven’t been, to find out why and what FAS can do to make BIC MAC more attractive.

Third, Thomas said the most difficult conversations will be internal, where they have to deconflict the scope with other contracts, address contract access fees and use common tools so customers receive a standard message about how to work with GSA.

The Coalition’s Waldron added GSA must also consider the impact on small businesses if it decides to go down the path of having one contract. Small firms have thrived under the OASIS small business contract, but would having one contract impact how agencies issue task orders?

“When you start combining into a single contract, then you get into all the stuff like whether the rule of two applies,” he said. “I think it behooves GSA to provide a clear statement and business case as to what it’s trying to achieve here and how it will meet customer agency missions through this vehicle because OASIS is hugely successful and meeting fundamental requirements for customer agencies like the Air Force every day. Could it be refined and are there other areas where it could be improved? Yeah, absolutely. There’s nothing that’s perfect out there. But BIC MAC seems to be, as we currently understand it, a 180-degree turn to a different approach and that raises questions.”

Questions that GSA will spend much of the next year answering.


Technology Modernization Fund on track to receive biggest pay day ever

You could see the momentum to finally push real funding to the Technology Modernization Fund building all last week.

Three nominees for key positions at the Office of Management and Budget specifically mentioned the need to put serious money behind federal agency cybersecurity and IT modernization efforts. Senate lawmakers did more than casually mention it or offer to submit questions for the record.

A draft of the Senate’s version of the American Rescue Plan — labeled a manager’s amendment — leaked out, finally offering some specifics: $1 billion for the TMF, $650 million for cybersecurity and another $350 million for other related IT modernization efforts.

But it wasn’t until the Senate Budget Committee released its initial version of the bill that reality set in. Real, impactful funding for the TMF was closer than ever to crossing the finish line.

By March 6, the Senate sealed the deal with a vote of 50-49 passing the American Rescue Plan with the $2 billion for federal technology and cybersecurity efforts.

Matthew Cornelius is the executive director of the Alliance for Digital Innovation (ADI), an industry association.

“Having $1 billion dollars in the Technology Modernization Fund is a good first step and will be critical to helping address many of the common challenges still hampering effective IT transformation across the government, such as identity management, secure data sharing, leveraging AI and other emerging technologies to enhance citizen service delivery and expanding critical cybersecurity shared services to combat persistent threats,” said Matthew Cornelius, the executive director of the Alliance for Digital Innovation, an industry association, and a former senior technology and cybersecurity advisor at OMB, in an email to Federal News Network. “Because these funds are being provided as part of this relief bill and should be used to deal with immediate challenges, it is incumbent upon OMB and the General Services Administration to use the authorities they have under the MGT Act to suspend repayment and quickly make targeted investments to the most high priority projects in one or more agencies.”

The TMF and other funding are not a done deal. The House still must pass the Senate’s version of the American Rescue Plan. That, however, is a strong likelihood given the House’s long-standing support of the TMF.

Once the House passes the legislation and President Joe Biden signs it into law, along with the TMF receiving $1 billion — it never received more than $100 million at a time — the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security would receive $650 million to shore up federal networks from cyber vulnerabilities, the U.S. Digital Service would receive $200 million and the Federal Citizen Services Fund would get $150 million.

The Biden administration called for $9 billion for the TMF and another $1 billion for cybersecurity and IT modernization efforts to address the “urgent national security issue.”

“The American Rescue Plan emphasizes the importance of modernizing federal information technology and bolstering governments’ cybersecurity. These investments in technology infrastructure and tools are an important down payment on helping to deliver modern and secure citizen services and critical networks. We commend the U.S. Senate for prioritizing this vital need and urge the U.S. House of Representatives to approve the measure,” said Jason Oxman, president and CEO of the IT Industry Council, in a statement.

TMF is just a start

ADI’s Cornelius added that while the initial funding is a great start, Congress and the administration must continue to work toward addressing the legacy technical debt.

“We fully expect that any forthcoming jobs package will include digital infrastructure and technology investments to spur economic growth and improve digital service delivery in both the public and private sectors,” he said.

In addition to the funding for the TMF and other cybersecurity and IT initiatives, the Senate bill included the extension of the Section 3610 authorities to let agencies pay contractors if they cannot work during the pandemic.

Industry associations pressed lawmakers to move the sunset date from March 31 to Sept. 30.

Professional Services Council president and CEO David Berteau praised the work of Sens. Mark Warner (D-Va.) and Marco Rubio (R-Fla.), the chairman and vice chairman, respectively, of the Intelligence Committee.

“With so much uncertainty around safe access to workplaces, now is not the time to let up on COVID-19 protections. If enacted, this extension will help the federal government continue to access the highly skilled, cleared and trusted contractor workforce needed to meet mission needs,” Berteau said in a statement.

National Defense Industrial Association also applauded the Senate’s passage of the 3610 extension.

“Extending 3610 and safeguarding the defense industrial base workforce is critical to our national security today and, more importantly, into the future,” said Hawk Carlisle, NDIA president and CEO.

The fact that the Senate is supporting $1 billion for the TMF means that OMB must do its part and figure out what its version of transparency looks like and offer 110% of it. This is the Biden administration’s big opportunity to reverse decades of neglect and mistrust. Let’s hope, for every agency’s sake, they don’t revert to the actions of the last three administrations when it comes to communicating about the funding.


The Senate has never truly supported IT modernization and here’s what has to change

Let’s take a quick trip back to the early 2000s when Congress passed and former President George W. Bush signed the E-Government Act of 2002 into law. Those were heady times. The internet (we still capitalized the “I” back then) was still new and the possibilities were endless. It was before the iPhone, before Facebook and before the gig economy.

The law created the E-Government Fund, authorizing a “whopping” $300 million to help agencies make federal online services more responsive and easier to use.

Those were times of hope and excitement for sure — $300 million was a lot of money back then.

Here we are 18 years later — the E-Government Act passed in December 2002 — and agencies continue to fight to get out from under an ever-increasing amount of technical debt to improve citizen services and address cyber vulnerabilities.

Despite the massive data breaches suffered at the Department of Veterans Affairs (26 million veterans affected in 2006) and the Office of Personnel Management (21.5 million federal employees and contractors affected in 2015), the COVID-19 pandemic pushing most federal employees to work from home and closing down in-person services, and the SolarWinds cyber attack, agencies are no closer to receiving significant and specific funding to develop, modernize and enhance their IT services.

But wait — there is renewed hope that the IT modernization boulder may finally reach the top of the hill. The Biden administration’s support and its request of $9 billion in the American Rescue Act, new leadership on key Senate committees and the technology success stories from the pandemic all point to an opportunity like never before.

“The pandemic has shown how technology can help. There is widespread acknowledgement of that even though there is not necessarily a deep understanding of how or why. There is a good wind in the sails,” said Trey Hodgkins, who has been part of the e-government debate since the 1990s and now is president of Hodgkins Consulting. “The economy and jobs are changing and that’s being driven by technology so we are getting momentum behind that and we didn’t have that before. I’m hopeful things are moving at a faster pace and in the right direction as people are acknowledging the challenges and the things that Congress could do to play a role in addressing those challenges.”

To ensure the IT modernization boulder hits the top of the mountain or, to latch on to Hodgkins’ analogy, doesn’t run aground, the Biden administration must heed the lessons of previous failed attempts to convince the appropriators to fund IT modernization at a scale that would make a real and lasting impact.

New committee leadership

The first opportunity comes from the change in leadership across the committees that oversee and appropriate the Technology Modernization Fund (TMF) — the follow-on to the E-Gov Fund.

Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) now hold the reins of the Homeland Security and Governmental Affairs Committee. Portman is a former director of the Office of Management and Budget so his understanding of the problems should be deeper than any other Republican leaders on the committee in the last decade.

Peters and Portman said in December the committee will hold hearings on the SolarWinds breach to figure out how to ensure agencies and private sector companies are protected in the future.

Sen. Rob Portman (R-Ohio) is the ranking member of the Homeland Security and Governmental Affairs Committee. (Joshua Roberts/Pool via AP)

“The TMF is clearly important because of SolarWinds and the pandemic with everyone home and working online right now,” a Democrat committee aide told Federal News Network. “Bolstering cybersecurity is a priority of Sen. Peters. Congress and the administration are still working on the path forward for any funding.”

Portman said he too supports the need to get agencies off of the outdated systems so many rely on.

“Attacks like SolarWinds demonstrate the weakness of our cyber defenses and the sophistication of our adversaries. This attack has made clear we have got to redouble our efforts to shore up our defenses because federal agencies are simply behind the times when it comes to defending themselves from these kinds of attacks,” Portman said in an email to Federal News Network. “These types of attacks are going to continue and we must work across the federal government, as well as with our private sector and state and local partners, to identify the most significant vulnerabilities and strengthen our cyber defenses moving forward. I plan to work with my colleagues on bipartisan legislation to better defend federal networks, modernize federal IT, and protect the sensitive personal information of all Americans.”

The second opportunity is from Sen. Chris Van Hollen (D-Md.) taking over the Appropriations Financial Services and General Government Subcommittee.

This is the first time a local lawmaker has run the subcommittee in recent memory.

“The recent intrusions into our cyber infrastructure and the impacts of COVID-19 have dramatically exposed the failures of outdated IT systems and underscored the need for network modernization,” Van Hollen said in an email to Federal News Network. “Increased funding for these technology updates will allow both agencies to increase security and also support our federal workforce in their efforts to help Americans and businesses during this challenging time. I look forward to working with my colleagues to advance these critical efforts in my role as chairman of the Senate Appropriations Subcommittee on Financial Services and General Government.”

Senate leadership must remove the roadblock

The reason why the support of Peters, Portman and Van Hollen is so important to the IT modernization efforts is the Senate appropriations committee has been a roadblock to new and significant IT modernization funding for the better part of 20 years. While the House has been more generous, the Senate never approved more than $100 million and that happened only once when the Democrats took over during the first term of the Obama administration. Since then, it’s been $3 million to $25 million.

That trend may be changing as the Senate’s draft manager’s amendment includes $1 billion for the TMF and another $900 million for cybersecurity and other IT modernization efforts.

Some Senate appropriators and authorizers did not support a centralized fund for IT modernization. Whether it’s their inability to understand the reasons or a reluctance to give up control or a belief that there is a traditional process agencies should go through to request funding, the Senate has been a major roadblock.

“There has been a lack of champion on Senate side. No one to push this,” said Charlie Moskowitz, the former chief legislative counsel for former Ranking Member Sen. Claire McCaskill (D-Mo.) on the Homeland Security and Governmental Affairs Committee staff, and now executive vice president for Signal, a strategic communications and government relations firm. “It never made any sense that there wasn’t a member of Congress from Maryland or Virginia on HSGAC. They would have been a natural ally. That has been the number one problem that I’ve seen.”

Charlie Moskowitz is a former chief legislative counsel for former Ranking Member Sen. Claire McCaskill (D-Mo.) on the Homeland Security and Governmental Affairs Committee staff, and now executive vice president for Signal.

It’s also the lack of support from the appropriations committee. Moskowitz and other former Hill staff members say the reasons vary.

One former Hill staff member, who requested anonymity because they didn’t get permission to speak to the press from their current company, said while there has been limited support for some IT modernization efforts like the Modernizing Government Technology Act, which created the TMF, and the Federal IT Acquisition Reform Act (FITARA), there hasn’t been the same level of personal passion and interest that you see on the House side.

“It’s a good issue and bipartisan, but it hasn’t been an issue where there is direct member level personal engagement on this issue,” the former Hill staff member said. “There has not been much interest in this topic since the Healthcare.gov debacle. Those big issues get attention versus ongoing problems. If there is not a crisis, it is harder for Congress to act.”

Another former Hill staff member, who also requested anonymity, pointed to some members who have no interest in investing more money in agency operations, while others have been burned by failed technology programs too many times so gaining their support is much more difficult.

Portman seems to recognize the ongoing challenges with transparency and oversight.

“I plan to work with the appropriators to ensure there are appropriate controls in place for funds directed toward IT modernization. Data-driven analysis on the effectiveness of the efforts funded by the TMF will be important to make sure the government is making responsible investments,” he said. “I also plan to make sure that cybersecurity considerations are built in on the front-end so agencies don’t have to spend time and money securing these new systems on the back end.”

OMB, agency transparency matters

Portman also said the Biden administration should support the Risk-Informed Spending for Cybersecurity (RISC) Act, which he and Peters introduced.

The bill would assist agencies in developing their cybersecurity and information technology budgets using a risk-based model.

“With a better sense of return on investments for existing cyber capabilities, agencies will be better able to estimate any additional necessary funds they need for IT modernization efforts,” Portman said.

And this brings us to another reason for the Senate’s reluctance: the Office of Management and Budget. No matter the administration, no matter how qualified or unqualified the federal chief information officer has been, OMB consistently has failed to effectively make its case to lawmakers to put real money in the E-Government Fund or the TMF.

“Part of the problem is the construct of the fund and part of it is the way it’s managed. There is not enough visibility into where the money is going, and then there is an institutionalized dynamic between agencies and appropriators about the normal way funding is handed out,” Hodgkins said. “OMB has to figure out the level of transparency Congress wants to give them confidence that the funds are being spent in a way to help individual agencies. It’s not that it hasn’t been done, but not in a sufficient way to satisfy people in the process to support the TMF.”

The second former Hill staff member said OMB struggles to get the information lawmakers seek so the challenges are layered because Congress asks OMB for data; OMB asks agencies for data; and many agencies are so federated, getting information takes too much time.

“Agencies are big and complicated and OMB is strapped for people so it becomes cloudier and cloudier every single step of the way,” the source said. “What happens is OMB doesn’t have the greatest of information because the agencies don’t have the greatest of information because a bureau doesn’t have it.”

The source said OMB and agencies need to give lawmakers “a clear cut success story,” about how they modernized a system with extra funding and how it’s now serving citizens, specifically their citizens, much better.

Industry’s education and explanation falls short

Blame also must lie at the feet of agencies and industry for the lack of a concerted and consistent effort to educate, explain and demonstrate the impact of IT modernization on citizens.

“The biggest thing OMB, agencies and contractors can do is broaden the support on the Hill by ensuring more staff members know the TMF exists and why it’s important,” Moskowitz said. “There is a real lack of understanding on Capitol Hill and a disconnect between cyber and IT modernization. I think IT modernization is much bigger. It gets into customer services, robotics process automation, artificial intelligence and other issues. I’m not sure people understand networked nature of systems, how the cloud works, the vulnerabilities they face and why. The cyber framework that was set up 10 or 15 years ago doesn’t fit with movement to cloud.”

Moskowitz and others agreed the new federal CIO and deputy director for management at OMB must lead the education and explanation efforts. It has to come in agency budget requests. It has to come during hearings. And, most importantly, it has to come from meetings and briefings with lawmakers on every committee, but especially appropriations.

“I think lawmakers want to see agencies finish existing initiatives, or close the gaps on them. The new politicals come in and they don’t care about old political priorities. I think lawmakers want to see them execute better, manage what they are doing better and show results,” the second former staff member said.

They emphasized the need to communicate a well thought-out plan to appropriators — one that includes projects, how to achieve them, year-end expectations and a way to hold agencies accountable for the plan.

“OMB and agencies should brief them every other week on the good, the bad and the ugly,” the former staff member said. “That is how you create the trust that has been missing between OMB and the Hill. I think there is an opportunity with the changes on the Hill, and I do think there is a chance to get some of these initiatives launched and pushed forward.”


Senate to get on the IT modernization bandwagon?

The Senate may be finally getting on the IT modernization funding bandwagon.

After almost two decades of Senate appropriators blockading almost every attempt to add substantial money to governmentwide funds — first the E-Government Fund and now the Technology Modernization Fund — there is hope in the American Rescue Plan.

A draft manager’s amendment obtained by Federal News Network shows the Senate Homeland Security and Governmental Affairs Committee put $1 billion into the TMF.

This comes after Senate lawmakers signaled they would not support the $9 billion request from the Biden administration.

The manager’s amendment, which is expected to be introduced during the debate over the American Rescue Plan later this week, would resurrect the idea that lawmakers need to help address long-standing federal technical debt. The last time the Office of Management and Budget estimated the depth of the debt was in 2016 when it was $7.5 billion. Five years later, the amount of technical debt likely only has increased as agencies continue to spend 80% of their IT budgets on outdated technology.

In January, then President-elect Joe Biden called the need to address federal technology and cybersecurity an urgent national security issue.

Reps. Gerry Connolly (D-Va.), chairman of the Oversight and Reform Subcommittee on Government Operations, Carolyn Maloney (D-N.Y.), chairwoman of the Committee on Oversight and Reform, and four other members pressed House leadership in late January to include the full $9 billion request in the bill.

“The federal government’s consistent failure to prioritize IT modernization and program delivery prevented the public from receiving the federal assistance Congress authorized to help the nation stay afloat during one of the worst global pandemics and economic crises of our lifetime,” the lawmakers wrote. “Without modern and nimble IT systems, the federal government cannot deliver critical payments and services to individuals, families, and businesses who rely on them. We cannot allow a failure to invest in technology prevent us, once again, from effectively implementing.”

But neither the House nor the Senate version included the extra funding for the TMF.

More money for cybersecurity

The draft manager’s amendment also includes $650 million for the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department to protect federal networks, specifically after the SolarWinds attack.

Additionally, the draft legislation would give $200 million for the U.S. Digital Service and another $150 million for the Federal Citizen Services Fund run by the General Services Administration. Both of these additions would go for IT modernization projects too.

This isn’t the first time members tried to get Congress to significantly fund the TMF. Democrats tried to add more money to the TMF in previous pandemic relief bills. In July, Rep. Steny Hoyer (D-Md.) wanted to appropriate $3 billion for TMF as a line item for the IRS. Rep. Gerry Connolly (D-Va.) also tried to increase the TMF by $3 billion in May. These and other attempts never made it past the Senate.

In addition to the TMF and other specific IT modernization increases, the draft bill includes $20 million for the IRS for premium pay for the development of technology; $140 million for the Indian Health Service to expand its telehealth infrastructure and for its electronic health record program; and $25 million for the Agriculture Department to improve the technology that runs the supplemental nutrition assistance program (SNAP), including launching a mobile pilot.

The funding for TMF, CISA, USDS and the FCSF is far from a done deal. There are plenty of members in the Senate who still do not support adding more funding, especially to the TMF, which some view as a “slush fund.”

But the fact HSGAC got the language in the manager’s amendment is one of the most optimistic signs the federal IT community has seen in almost a decade.


Vice Adm. Norton was ‘right leader at right time’ for DISA

While few thought former Rep. Mac Thornberry (R-Texas) was serious about axing the Defense Information Systems Agency in 2018, Vice Adm. Nancy Norton is credited with staving off Congressional ire.

Now three years later as Norton exited DISA after a 34-year military career, former agency executives praised her for not only “saving” the organization, but changing its trajectory to be more of a forward-thinking, cutting-edge provider of technology services.

“Vice Adm. Norton’s greatest success as director of DISA was to restore confidence in the agency. In the years prior to her assuming command, DISA had an increasingly difficult relationship with the Pentagon,” said David Mihelcic, the former chief technology officer at DISA and now a consultant. “At the same time Adm. Norton greatly improved employee morale, satisfaction and performance to ensure DISA’s ability to meet new challenges. Adm. Norton was the right leader at the right time for DISA.”

During her tenure, Norton was not known for giving speeches or making news, instead letting the senior executives at DISA claim the spotlight and credit for the agency’s successes.

Vice Adm. Nancy Norton retired after 34 years in military service, including spending the last three years as the director of the Defense Information Systems Agency.

Alfred Rivera, the former vice director of strategic plans at DISA and now a principal at Breakwater Solutions, echoed Mihelcic’s comments about DISA’s direction under Norton.

“Her leadership during the COVID-19 pandemic was immeasurable. Throughout the period, it was evident how focused she was on leading the organization under remote operations while simultaneously taking care of and ensuring all DISA personnel were safe and healthy under these difficult situations,” he said.

Norton’s last day as DISA director was Feb. 25. Air Force Lt. Gen. Robert Skinner replaced Norton on Feb. 26 as DISA’s new director.

Norton said on Feb. 25 during a briefing with reporters that DISA was fortunate the plan to dismantle the agency didn’t come to pass.

“Some of the most important things that we did to prevent that from getting traction and coming to fruition were telling our story and helping people understand what we actually do,” she said. “Very few people can stand back and have the full picture of the scope and scale of the mission DISA is responsible for and how significant it is. I don’t think anyone could imagine how difficult it would be to move many of those missions somewhere else.”

Reversed harmful trends

DISA’s value to DoD became more obvious during Norton’s tenure.

Rivera said Norton supported the agency’s drive to test and begin to implement new technologies like Cloud Based Internet Isolation (CBII) and Windows Data at Rest (WINDAR).

He said both of these let military servicemembers and defense agency employees more easily work remotely.

“These two solutions represent just a small example of technologies and solutions that she made available to DoD during her tenure,” Rivera said.

Mihelcic said Norton not only supported technology innovation, she reversed harmful trends.

“From significant budget cuts to pay for Joint Regional Security Stacks (JRSS), the transfer of major missions like nuclear command and control, and commercial satellite communication (SATCOM), the sidelining of DISA in the early portions of JEDI, to a Congressional proposal for outright elimination of the agency, DISA seemed to have lost the confidence of the department,” he said. “Instead of eliminating DISA, the department transfers significant new responsibilities and budget under the Defense Enclave Services (DES) program. Likewise DoD chief information officer has moved its cloud computing program office under DISA’s administrative control.”

Customers came first

Norton said DISA’s evolution over the last two years is focused on how it serves its customers.

She said her goal was to make DISA more mission focused based on customer needs.

“We have field commands and field sites with combatant commands. We have an O-6 or captain or a colonel that is part of that field office and specifically focused on the geographical or functional priorities of that combatant command to understand their priorities and mission. They can be the interface back to headquarters on what is required to support that mission,” Norton said. “We have this very robust process of mission partner engagement with each combatant command, agency or service so we can make sure we are understanding the requirements, delivering on those requirements that they actually have and accelerating the understanding so we can deliver faster and helping them to understand what the cost drivers are so we can help drive down costs.”

Norton said while the idea of having captains and colonels with the combatant commands isn’t new by any means, the importance of their roles increased over the last few years as they learn and communicate back to DISA the needs of the commanders.

One example of their impact can be directly traced to the ongoing 4th Estate back-office technology consolidation.

Norton said DISA’s offering under O365 and the Defense Enterprise Office Solutions (DEOS) contract is rolling out across the 4th Estate. She said all of DISA and initial users in each of the other agencies — 16,000 employees in all — have migrated to the new enterprise services.

“It’s working great and I’m very pleased with the capability it provides,” she said. “We will start migrating others en masse in the near future. It will be exciting to have all of us migrated here in the next couple of months.”

Under the Defense Enclave Service (DES), DISA will be the desktop service provider. Norton said it will let the field activities focus on their core missions and not have to be worried about the back-end infrastructure and services.

This is another example of DISA’s evolution over the last few years, developing a common set of standards for the desktop, for the security and for the delivery of services.

“We on-boarded the first group of people over the summer and migrated the first agency, Defense Technical Information Center (DTIC), and we will move on from there, starting with the small ones and accelerating with larger ones with DES contract,” she said.

While Norton was not a flashy DISA leader and one that probably would’ve preferred not to do the “rubber chicken” speaking circuit, her impact on the agency was clear and respected inside and out of the DoD.

 


Best, brightest federal cyber workers competing in ‘save the world’ scenario

The Cybersecurity and Infrastructure Security Agency is receiving reinforcements just as its fight against cyber attacks is ramping up.

CISA announced Nitin Natarajan has joined as its deputy director, Eric Goldstein as its executive assistant director for Cybersecurity and David Mussington as its executive assistant director for infrastructure security.

But the real muscle may come later this week during the finals of the 2nd annual President’s Cup Cybersecurity Competition. On Feb. 25, the top five teams and the top 20 individuals will compete to be named the best in federal cybersecurity.

“This year we’ve made some tweaks to the format and how we are delivering it. This year it’s more of a ‘save the world’ scenario,” said Harry Mourtos, an information security IT specialist at CISA and project lead for the President’s Cup during a CISA video. “The audience we are reaching is different and the limitations of hardware and software in certain cases, we wanted to make this competition as open as possible. By providing this competition in a virtual manner and using virtual machines for all of the challenges, there is no hardware or software limitations. Our competitors don’t have to download anything or run any hardware or software on their native machines. This allows us to really broaden our reach to identify the best and brightest in the federal workforce regardless of where they may be found.”

Matt Karr, a team lead and cyber exercise developer for Carnegie Mellon’s Software Engineering Institute, said the scenario focuses on a storm that took down the critical infrastructure using remote activated robots. Teams can earn points by bringing systems back online.

CISA said the teams are all from various parts of the Defense Department, and the individuals include experts from DoD, the Justice Department and another independent agency.

CISA says the competition consists of three rounds, each increasingly difficult, that are focused on real-world scenarios. Participants will use their technical skills to solve a problem or complete a task. Each of the challenges is mapped to tasks and work roles from the NICE Framework and categories listed in Executive Order 13870, which established the competition.

Both individuals and teams compete in each of the three rounds. This year, there are two tracks available within the individual competition. Each participant can take part in one or both tracks.


Round one of the competition started in August with 249 teams and more than 600 individuals in each track.

CISA said 20% of the teams and the top 100 individuals — and everyone tied for 100th place — from each track made it to round two based on their scores.

Round two took place in September and from there the top teams and individuals are competing for the championship.

“The team competition is really all encompassing. We identified eight NICE work roles,” Mourtos said. “We are looking to identify the best well-rounded team to bring to the competition. We really wanted to try to identify a way to challenge the teams in addition to their cybersecurity knowledge, their ability to work together and solve complex cyber problems.”

In the 2019 competition, the first two rounds focused on remotely answering Jeopardy-like questions that required contestants to solve the challenge in a virtual environment. The third round included two competitions. The first was an escape room challenge for each team or individual, and then a capture the flag contest.

The President’s Cup Cybersecurity Competition comes as Department of Homeland Security Secretary Alejandro Mayorkas said the agency will double down on its efforts to mitigate cyber risks and expand its investment in the infrastructure and people required to defend against malicious cyber attacks as part of a whole-of-government effort.

“DHS plays a key role in protecting the American people from threats in cyberspace,” Mayorkas said in a statement on Feb. 22. “The department’s Cybersecurity and Infrastructure Security Agency (CISA) is charged with securing federal civilian government networks and our nation’s critical infrastructure from physical and cyber threats. Congress, in the recent National Defense Authorization Act (NDAA), further empowered CISA to execute this mission, including by providing authorities for CISA to ‘hunt’ for cyber threats in federal agency networks and to more effectively identify vulnerable technologies used by critical infrastructure sectors.”

Congress included the provision in the NDAA on the recommendation of the Cyberspace Solarium Commission, which called on appropriators to increase funding for more hunt and incident response teams. This would help agencies find real and potential threats sooner and expand the current bug bounty and similar programs.

Mayorkas is scheduled to speak at the President’s Cup Cybersecurity Competition finals where he will “issue a call to action to build a diverse cybersecurity workforce and leverage DHS’ partnerships to tackle the growing risk from ransomware.”


Age-old small business contracting challenge rears its ugly head, again

For the third time in five years, another court decision is opening the door to major changes to multiple award contracts.

The Court of Federal Claims weighed in on the controversial “rule of two” requirement originally intended to help promote small business contracting, but now is causing concern and confusion for how agencies should apply it to multiple award contracts.

At the heart of the issue is a court ruling in favor of small businesses who protested what experts called a ridiculously poor choice by the Army to set aside and award a contract to small firms, and then, once it faced a protest, pull back the awards and re-release the task order under a multiple award contract where there were no small businesses.

In what is known as the Tolliver decision, the court found that “the rule of two unambiguously applies to ‘any’ ‘acquisition,’ FAR 19.502-2, without any loophole for [multiple awards IDIQ] task orders.”

Todd Overman, a lawyer and chairman of the government practices group for Bass Berry and Sims, wrote in a blog post this means even though the Army may have satisfied the rule of two requirements in respect to forming the multiple award contract, it still must meet the rule of two set-aside requirement as it started to do with its first solicitation.

“This is a big deal,” said Overman in an interview. “It does have the potential far reaching impact with regards the need to document the rule of two analysis.”

The debate over when the rule of two applies has been ongoing for more than two decades.

Industry experts say when the General Services Administration was setting up the schedule contracts in the 1990s, the debate over whether the rule of two would apply was strong.

The debate continued in the 2008 Delex ruling where the Government Accountability Office reinforced the rule of two, saying it does apply to any task or delivery orders.

Congress weighed in on the rule of two in the Small Business Jobs Act of 2010 where it tried to address the confusion by saying that at the ordering level for multiple-award contracts, agencies have discretion to set aside orders and the ‘rule of two’ is not mandatory.

Then in 2015 came the Kingdomware case that went all the way to the Supreme Court, which found the rule of two is required for all contracts let by the Department of Veterans Affairs under the Simplified Acquisition Threshold — between $3,000 and $150,000.

Three years later, GAO reinforced the Kingdomware decision as it dismissed a protest brought before the Customs and Border Protection directorate. But experts said at the time that agencies should be aware that there is a strong school of thought that task orders under the Simplified Acquisition Threshold must adhere to the rule of two, and that the Kingdomware decision, once and for all time, established that a task order is a contract.

Even with this long history, there still are some who say the rule of two should apply to all task order and delivery order contracts under the SAT, including GSA’s schedules.

Overman said the most recent Court of Federal Claims ruling doesn’t change the fact that the GSA schedules program is exempted from this requirement.

Defining discretion shouldn’t be that difficult

But that doesn’t stop some from worrying whether the court’s most recent ruling will mean some will press the case even further.

Christoph Mlinarchik, a government contracts expert and owner of a consulting firm, www.ChristophLLC.com, said the confusion over what “discretion” means likely will be at the heart of any ongoing disagreements.

“The Federal Acquisition Regulatory Council and the Small Business Administration regulations – when implementing the ‘discretion’ part of the Small Business Jobs Act of 2010 – both used the same word, ‘discretion.’ We have a law and two different sets of regulation; all three use the word ‘discretion,’” he said in an email to Federal News Network. “Ask yourself one question: What does the word ‘discretion’ mean in plain English? One stray Court of Federal Claims case does not erase the Small Business Jobs Act of 2010, nor the FAR and SBA regulatory implementation thereof, which all use the word ‘discretion’ for small business set-asides under multiple-award contracts. The Tolliver case is a lot of sound and fury, but it signifies almost nothing.”

Mlinarchik added Congress granted broad leeway for contracting officers to use their “discretion” with respect to whether to set aside orders under multiple-award contracts.

“Wake me up when Congress changes the law about using ‘discretion,’ otherwise, I’m hitting the snooze button on Tolliver, which is a false alarm,” he said.

But Overman and other experts say the case does send a message to agencies and vendors alike.

“This case provides support for rule of two analysis and gives an interpretation of how applies in multiple award contracts,” Overman said. “Even though you may have utilized the authority without the rule of two, you still need rule of two analysis before placing an order under a MAC.”

Signs the decision will have an impact

An industry expert, who requested anonymity because they work with both large and small contractors, said it’s clear Tolliver is the same flavor as Kingdomware, but it could be considered more expansive since Kingdomware was only focused on service-disabled small firms and VA.

“I wouldn’t be surprised if people will try to use Tolliver as precedent. The question the government has to ask is if you take it to the logical conclusion, wouldn’t any contract with small and large businesses under an IDIQ have to follow the rule of two if you’ve decided the small firms were qualified?” the expert asked. “I think the judge is over reading it. But the decision does fundamentally raise the question about all IDIQs if you take it to the logical conclusion.”

The expert added the impact of the Tolliver case will not be felt for several months, but some signs to look out for are protests referring to the Court of Federal Claims decision, or if GAO starts citing that case in decisions.

“I think a lot of it will depend on when the Biden administration gets its procurement leadership in place and whether they take any position on it,” the expert said. “The court’s interpretation of discretion language almost makes the rule of two meaningless. If I understand the court’s point, they say rule of two applies to every contract, and then if you determine it doesn’t apply, you can still set it aside at the agency’s discretion.”

What is the answer to once and for all resolving the debate over the rule of two? Is it Congress? Is it the Office of Federal Procurement Policy?

The answer must come soon because the confusion over the requirement and debate around the regulation must end in a way that supports both agency needs and small business contractors consistently and fairly.


DoD’s AI center striving to be connective tissue across all projects

It’s unclear if anyone really knows just how many pilot projects in the Defense Department are using artificial intelligence, machine learning or intelligent automation.

Some say it’s around 300, while others say it’s closer to 600, and then there are those who believe the number could be more than 1,000.

But unlike so many technology innovations that came before it, the Pentagon, through its Joint Artificial Intelligence Center (JAIC), is taking aggressive action to stop, or at least limit, AI-sprawl.

“There’s a lot of efforts that are out there that are not very well tied together and there’s a whole bunch of them that are dealing with exactly the same thing. So one of them is talent. Do they have talent? Or do they have to grow their talent or do they have to acquire the talent? The other big one, of course, is data and it’s almost invariably when anybody in the Department of Defense talks about doing work, they get to the data saying, ‘Okay, my data hasn’t been cleansed so is it usable?’” said Anthony Robbins, the vice president of the North American public sector business for NVIDIA, in an interview with Federal News Network. “They try to assess use cases, and then they’re trying to figure out how to get started. The JAIC wants to help them figure this out.”

DoD launched the JAIC in June 2018 with a much different vision than where it stands today. Whereas the Pentagon saw JAIC nearly three years ago as pushing AI to the military services and defense agencies through pathfinder projects, it’s now focused on providing services and setting the foundational elements for mission areas to take advantage of the technologies.

In November, DoD announced JAIC 2.0 detailing its new vision and mission. As part of that new approach, the JAIC awarded a $106 million contract in September to build the Joint Common Foundation Artificial Intelligence (JCF), and plans to create three new other transaction agreements (OTA) vehicles in the coming year under the Tradewinds moniker to further build out its services catalog.

Jacqueline Tame, the acting deputy director of JAIC, said the move to 2.0 is a recognition that the services and defense agencies need a different kind of help to ensure AI tools improve and measure mission readiness.

The JAIC doesn’t need to be a doer, but a trainer, educator and supporter because the adoption of AI and AI-like capabilities — think robotics process automation (RPA) and predictive analytics — is spreading across the department like wildfire.

“What we have been able to do over the last two-and-a-half years is really test what the department actually needs, what the department is actually ready for and what the foundational building blocks of AI-readiness actually are. JAIC 2.0 is a recognition and learnings that we’ve undertaken that there are some key building blocks we have to put in place departmentwide to be AI ready,” Tame said during AFCEA NOVA IC IT day. “Where we are today, having developed a lot of capabilities, deployed a lot of prototypes and implemented a lot of solutions across the department is that we’ve learned that what the department actually needs is enabling services.”

Tame said while some, like the Army Futures Command, the Special Operations Command and the Air Force, have matured their AI capabilities, the efforts too often are rolling out in siloes.

“What is still not happening, and this is the underpinning of JAIC 2.0, is the connective tissues between all of those capabilities that is being researched or deployed. What is still lacking in our assessment is the aggregate of the components of AI-readiness,” she said. “That includes removing some of the barriers to entry that present themselves in terms of both education and awareness about what AI is and what AI is not, what things actually lend themselves to AI and AI-enabled applications. Really understanding what the data need to looks like, the status of AI readiness in order to leverage it, test it appropriately and an understanding of the ethical underpinnings in terms of what that needs to look like as we consider some of the more advanced capabilities that we are trying to deploy across the force. Having a really foundational understanding of the types of infrastructure and architectures that need to be able to be interoperable in order to achieve the goals we are trying to achieve here. And really trying to understand the culture barriers to entry that still exist.”

Like with any new technology, the culture barriers to AI aren’t unusual. But Tame, Robbins and other experts say trust, confidence and usability are at the heart of AI-readiness.

“This is a technology that is and will affect every person, every country and every industry around the world,” Robbins said. “It is a technology that can go into every industry from transportation to healthcare to defense. Technology transformation is as much about leading change in transformation as it is the technology. The technology is ready.”

Army use case proving power of AI

Robbins said a predictive and preventive maintenance program, as well as the use of AI to help with humanitarian assistance, are two examples of how DoD already is using AI.

One example is the Army’s Aviation and Missile Command G-3’s work with the JAIC since 2019 on the predictive and preventive maintenance for the UH-60 Blackhawk helicopter.

“When it comes to logistics and maintenance, there is an overwhelming amount of data available — anything from aircraft sensor data to maintenance forms and part records,” Chris Shumeyko, JAIC product manager, said in an Army release. “Ordinarily, subject matter experts play a huge role in understanding this data and identifying trends that may affect the readiness of the Army’s vehicle fleet. However, as the amount of data grows, you either need more experts to comb through that data or possible warning signs of problems may get missed. By injecting AI/ML, we’re not replacing these experts, but rather providing them with tools that can find hard-to-spot trends, anomalies or warning signs in a fraction of the time. Our goal is to increase the efficiency of the experts.”

It’s this type of service that the JAIC is providing under its latest iteration.

Tame said the new services include or will include:

  • AI acquisition-as-a-service
  • Test and evaluation-as-a-service
  • Responsible AI-as-a-service
  • AI-related policy-as-a-service
  • Some level of capability development focusing on business process transformation and big bets in terms of our joint warfighting and other key capability areas
  • Ensuring a foundational understanding, templatizing the learnings we’ve made to date through an AI maturity model and readiness assessments
  • Consultancy advisory services for how to scale AI

Robbins said these services and other recent actions by JAIC are part of how DoD is moving AI out of the testing phase and into the operations phase.

Tame added part of the way to address that operational need is not to develop, test and deploy in the siloes of yesterday, but through a common framework that creates a starting point for all AI technology.

“These critical building blocks will enable us to get to the point of implementation of AI across the force in a really cohesive way are not there yet,” she said. “The JAIC’s role really needs to be driving that advocacy and education of our senior executive leadership all the way down to line analysts and intelligence agencies about institutionalizing the ethical underpinnings that need to be talked about every time we are thinking about AI, about ensuring there is a departmentwide test and evaluation framework that is specific to AI, which is different than everything else the test and evaluation community has been saying before, and ensuring we have a really foundational understanding across the board of those data standards, many of which do not exist yet or haven’t been agreed upon, and the level of infrastructure interoperability that we need to both put in place in terms of new systems and reimagine in terms of our legacy systems.”

The end goal of JAIC 2.0 isn’t just about offering new services or changing its mission focus, but addressing the AI-sprawl that seems to be quickly happening by giving the military services and Defense agencies a common baseline to build on top of and ensure the necessary trust, confidence, security and ethical foundations are in place. This is something that was missing with cloud, mobile devices and many other technologies that led to unabated sprawl.

