Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


How a simple tweet opened frustration floodgates over security clearances

A single tweet on Thursday about something Rep. Will Hurd (R-Texas) said at the IBM ThinkGov event in Washington, D.C., created quite a bit of discussion and debate.

Hurd said he’d like to see the government be able to complete a security clearance in a week instead of six months or, in many cases, more than a year.

 

“Why does it take 10 months? Does talking to my neighbor who lived next to me 10 years ago have a better idea of me versus what I’ve clicked on over the past few weeks?” Hurd asked. “Why are we doing security clearances the same way as we did 100 years ago? We should be able to do a security clearance in one week. If you do that, you must make sure people [they’re] collaborating with in the private sector have the ability to share information.”

That single comment and the ensuing tweet opened a torrent of frustration about the security clearance process. The feelings aren’t new, but contractors and agencies seem to be getting less patient with the government’s efforts.

Rep. Will Hurd, R-Texas, wants to test out an approach to see if a federal employee can get a security clearance in a week. (AP Photo/Pablo Martinez Monsivais)

It’s not like the last three administrations haven’t recognized this problem, trying an assortment of approaches. The most recent statistics show progress against the backlog, which is a good sign, but far from a fix.

The National Background Investigations Bureau said the number of pending investigative matters stands at 542,000, down from 725,000 a year ago.

The Trump administration is transferring the NBIB to the Defense Security Service any day now; an executive order has been stuck in the ubiquitous “soon” of government talk for what seems like six months.

At the same time, agencies from the Air Force to the Office of the Director for National Intelligence to the Defense Information Systems Agency are testing new approaches or fixing the technology to accelerate the security clearance process but not lose any rigor.

The Air Force, for example, worked with the NBIB to establish temporary centralized interview hubs at 11 key locations where there is a high concentration of investigator case work and the mission in those areas needs immediate relief. Hubs are areas where security clearance interviews can take place without requiring someone to go to Washington to be vetted.

ODNI started to use a continuous evaluation approach in 2017 to supplement and enhance the current process, but not replace it.

While these two examples show change is possible, Hurd wants to transform the security clearance process even more quickly.

“I’ve had some conversations with smart people in the government about whether we can do a pilot project to try to streamline this process, and do it alongside people who already are getting their clearances to see if we can make it work,” Hurd, who became a member of the Intelligence committee this session, said in an interview after his speech. “When I look at my initiative on the cyber national guard, one of the things that is getting in the way is the security clearance process.”

Hurd said the arduous clearance process impacts many of the issues he works on, which is why he asked whether a week to get a security clearance is possible.

“My goal and my time will be spent on going out there to figure out a test case to do this and let’s introduce this,” he said.

Public, transparent standards needed

Hurd’s comments came as two other initiatives — one on Capitol Hill and the other from the Defense Department — kicked off to put more focus on security clearances.

Sens. Mark Warner (D-Va.) and Susan Collins (R-Maine) introduced the Integrity in Security Clearance Determinations Act to “ensure that the security clearance process is fair, objective, transparent, and accountable by requiring decisions to grant, deny or revoke clearances to be based on published criteria. It explicitly prohibits the executive branch from revoking security clearances based on the exercise of constitutional rights, such as the right to freely express political views, or for purposes of political retaliation. It also bans agencies from using security clearances to punish whistleblowers or discriminate on the basis of sex, gender, religion, age, handicap, or national origin.”

Warner and Collins said the bill also lets federal employees appeal decisions to deny or revoke a security clearance, and requires agencies to be more accountable and transparent about the results of those appeals.

Finally, the bill would apply more rigor and accountability to the process to prevent abuses.

“The security clearance system is critical to protecting our country from harm and safeguarding access to our secrets. Americans should have the utmost confidence in the integrity of the security clearance process,” Collins said in a press release. “This bipartisan bill would make the current system more fair and transparent by ensuring that decisions to grant, deny or revoke clearances are based solely on established adjudicative guidelines.”

A major reason why Collins and Warner introduced this bill can be traced back to the Trump administration’s handling of security clearances for the president’s son-in-law Jared Kushner as well as the administration’s decision to withdraw security clearances from former intelligence officials over political disagreements.

But if you take a step back from the big “p” politics of the bill, the move to continuous evaluation or using social media and other public information as part of the basis for a decision requires more transparency and accountability in the process.

And the need for transparency leads us to the second initiative around security clearances from last week. The Defense Digital Service released a request for white papers to collect ideas to develop a prototype for automated background and reviews.

DDS wants help transforming the process

“The Defense Digital Service (DDS), in coordination with OUSD(I), will direct the creation of a prototype system that successfully collects a subject’s information, executes a background investigation (with automated and manual parts), and records an adjudication decision,” the request states. “This prototype will require integration with a wide variety of U.S. government and commercial databases to verify the subject’s identity and background information. Development of the prototype will be rapid and agile in nature, fielding new functionality to users for feedback every two weeks.”

Questions are due March 19 and white papers are due March 26.

DDS said it eventually will award a nine-month contract worth no more than $5 million to a vendor to build the prototype system.

The DDS efforts come as DISA has been modernizing the current online background investigation form for the last nine months and has been working on new technology to support the security clearance process since 2016. DISA recently transferred the technology infrastructure and employees to the Defense Security Service in early March as part of the consolidation effort.

With all this attention, the administration must not only make progress, but communicate how the security clearance process is improving while not losing any rigor. The opaqueness of NBIB’s efforts over the last year — aside from a recent update from ODNI’s Bill Evanina — has undoubtedly led to the frustration we saw when Hurd’s comments were spread to a broader audience.


How two efforts are trying to improve feds’ skills

The Trump administration’s initiative to reskill and retrain federal workers is picking up steam.

Federal Chief Information Officer Suzette Kent announced last week that the Federal Cyber Reskilling Academy received more than 1,500 applications, half of which came from employees at the GS-5 to GS-11 levels.

Kent launched the academy in November to address the shortage of cybersecurity expertise across government through hands-on training. The first class is expected to hold 25 people who will be given a “cyber essentials” course, followed by four weeks of “follow-on learning, exercises and exams” over a four-month period.

At the same time, the Defense HR Activity issued an RFI for industry and other experts to submit white papers around six topics:

  • An approach to talent acquisition, talent development, talent analytics and talent management.
  • Describing software/technologies used to support talent acquisition, talent development, talent analytics and talent management.
  • Using advanced technologies such as machine learning, artificial intelligence, simulations, virtual advisors, interactive autonomous programs, mobile applications and gaming.
  • Addressing Federal Risk and Authorization Management Program (FedRAMP) certifications, federal cloud computing, security and interoperability with existing federal IT systems.
  • Approaches to career pathing, competency identification and management, job roles, progression models and management, workforce and succession management, position management, performance management.
  • Providing operations and maintenance for software, mitigation and contingency operations.

“The key area of focus for this requirement is to gather information on industry best practices in the talent management and talent development arena and explore the new and future technology to support competency gap identification, employee re-skilling and agile workforce career management, while enacting best practices to elevate employee experience and engagement,” the RFI states.

Responses are due March 15.

The Defense HR Activity may be a part of the Trump administration’s broader effort to modernize the workforce, which is a key cross-agency priority goal under the President’s Management Agenda.

In December, the cross-agency goal leaders reported “OMB and the Office of Personnel Management are working with agencies to analyze workforce data and develop reskilling plans and test methods to reskill and redeploy existing federal talent. Interactive tools to assist executives, managers and employees are currently under development including a reshaping playbook, a reskilling toolkit and video vignettes featuring agency successful practices.”

Source: Performance.gov December 2018 report.

Additionally, the goal leaders say agencies want better technology and automation tools to make career paths easier to understand for employees.

“Respondents noted that career paths have the potential to yield improved outcomes in recruitment, retention, succession planning, talent development and reskilling. An industry day is planned for January 2019 to engage leading private sector career-pathing providers to explore how to better serve agency and employee needs, preferably through an enterprise service available to all agencies,” the goal leaders write.

Additionally, the National Science Foundation launched a reskilling challenge soliciting prototypes that NSF — and later all of government — can use to match existing federal employees and their skills to other kinds of work.

Public and private sector experts say agencies can move thousands of people out of low-value work and use automation to make up for that work.

OMB estimated in 2018 that about five percent of all federal occupations could be automated entirely, while 60 percent of all occupations could have at least 30 percent of their work automated. Overall, OMB says 45 percent of all “total work activities” could be automated.

Deloitte’s Center for Government Insights found government has the potential to free up anywhere from 266 million hours to 1.1 billion hours a year by retraining employees and using automation.

The appetite and potential for federal employees to move into new fields, whether it’s cybersecurity, data science or many of the other emerging occupations, is real. The administration shouldn’t waste this opportunity because of big “P” politics, and it should reach out to House lawmakers and employee union officials. The reality is change is happening; it’s just a matter of how quickly it can come. If OMB and OPM aren’t inclusive and strategic about all of this potentially impactful and needed work, agencies either will be stuck manually inputting data into Excel spreadsheets or they will make change on their own, which tends to miss the important point of moving everyone forward together.


DHS continues a trend in IT contracting by no longer managing its own

The Homeland Security Department spends billions of dollars a year on technology products and services, and for much of the past 14 years it has done so through its EAGLE and FirstSource vehicles.

While Soraya Correa, DHS’ chief procurement officer, signaled a change in approach for the third version of EAGLE late last year, a new procurement notice details DHS’s plans.

“DHS spent several months collaborating across the information technology and procurement communities in identifying DHS’s IT priorities, evaluating the IT services requirements needed to support those priorities, and in establishing an overarching acquisition strategy that enables continued mission success,” Correa writes in a Feb. 27 notice. “EAGLE I and II have served their purpose. The department will not pursue a re-competition of EAGLE II. DHS will, however, continue to utilize EAGLE II until the expiration of its period of performance.”

Instead of version three of EAGLE, Correa said DHS will call its next step “EAGLE Next Gen,” where it will create a portfolio of DHS IT services contract vehicles with specialized, targeted scope in conjunction with balancing the use of existing governmentwide acquisition contracts (GWACs).

Correa said those GWACs include the General Services Administration’s Alliant 2, Alliant 2 Small Business, 8(a) STARS II and VETS 2, as well as the National Institutes of Health’s CIO-SP3 and CIO-SP3 Small Business.

Additionally, DHS plans to establish “a phased approach, DHS-specific contract which could include agile, cloud services, data center optimization, independent verification and validation and systems integration services.”

At the same time, Correa said DHS will decide by the end of March what the future holds for the FirstSource IT products multiple award contract.

On the surface, the decision by DHS to move away from a duplicative indefinite delivery, indefinite quantity, multiple award IT services contract is a good thing. This is especially true given that GSA specifically designed Alliant 2 to be flexible enough to address current, emerging and future technologies and IT processes.

Contract duplication has long been a concern for the Office of Federal Procurement Policy. Two of the past three OFPP administrators attempted to address this issue, going as far as requiring a business case for any new multiple award contract worth more than $50 million over the life of the deal. The Obama administration also seemed to make some progress as Bloomberg Government found in 2017 that the number of MACs dropped by about 200 from 2012 to 2016.

More recently, OMB has pressed agencies to use governmentwide contracts designated “best-in-class” at GSA, NIH and NASA, and stop developing or renewing their own—we can save a discussion about what “best-in-class” really means for another time. The FBI, the Air Force and now DHS have committed to using GSA schedules or other vehicles.

But at the same time, Correa’s comments about creating DHS-specific contracts for what seems to be commodity IT services are disconcerting.

It will be interesting to see why Correa believes DHS needs its own contracts for things like agile, cloud and systems integration services. These services rely on the same basic concepts whether your agency’s mission is law enforcement, immigration or agriculture. So the reason DHS gives for not using these GWACs, GSA’s schedules, or other similar MACs from NASA and NIH should be telling: Is the message from the Office of Management and Budget about reducing duplication and taking advantage of the government’s size truly getting through, or is DHS just pulling the wool over the federal market’s eyes?


Are escape rooms for cyber education a new trend in government?

The Federal Housing Finance Agency has faced six audit reports from its inspector general since 2015 highlighting a host of challenges ranging from governance to business functions to supervisory activities related to risk.

Basically, FHFA, which oversees Fannie Mae, Freddie Mac and the federal home loan bank system, has many of the same problems protecting its systems and data as most of its federal brethren.

This is why FHFA’s recent contract notice detailing a potential award to a small women-owned business stands out. FHFA says it plans to hire Living Security, Inc. to “design, build, and operate a customized hands-on two day cybersecurity-themed escape room training on-site at [FHFA’s] headquarters” in Washington, D.C.

FHFA issued an intent to sole source to Living Security, but industry has until March 7 to respond and make the agency aware of their similar capabilities before it finalizes the award.

That’s a pretty innovative approach to training employees at all levels how to deal with cybersecurity challenges, which impact nearly everything every agency does.

Living Security’s website describes its escape room as an “intelligence-driven security awareness training platform that leverages gamified learning to make cybersecurity training fun and effective.”

The Smallwood, Texas-based company said the game creates storylines and teaches lessons in security, safety and online privacy.

Under the four-month deal — a total cost figure wasn’t provided — Living Security will create an escape room that is customized to the FHFA’s IT and security policies, according to the sole-source notice. There aren’t a lot of other details about what the room will look like or what the challenges will address.

But if you’ve ever participated in an escape room with friends, your kids or through team building, you probably can see potential for cybersecurity. For those of you who may not be familiar, the escape room concept is innovative because it teaches several important traits needed to address cyber challenges: team building, critical thinking and problem solving.

FHFA not the only one

There are a handful of other federal cyber companies offering similar experiences. The Thales Group offers a “mobile box” that is a 10-minute experience that uses clues, hints and strategy to help participants complete the puzzle.

The SANS Institute also offers a similar experience to reinforce and teach cybersecurity best practices and principles.

“In many ways, a well designed escape room can represent an attack kill-chain and poor defense-in-depth. Each puzzle represents a vulnerability that the participant is exploiting, and if best practices were followed, the puzzle could not have been solved,” SANS wrote in an online presentation about its escape room concept.

This concept also is gaining some momentum in other areas of government. A team from the Washington State Department of Revenue won a statewide contest last November.

“The Office of Cybersecurity’s escape room challenged players to solve a variety of high-tech and low-tech puzzles to uncover clues needed to access information on a laptop,” the office wrote in a press release. “The purpose of the competition was to heighten awareness about common bad practices many people fall into when it comes to securing their digital information.”

This type of approach to cybersecurity training just makes sense given the ever-increasing need to keep employees engaged and familiar with the latest cybersecurity threats. And maybe even more important, typical cyber training at your desk through webinars or through half-day classes is boring and too often tuned out by employees.

Kudos to the FHFA for trying something different to not only fix long-standing cyber challenges, but also for finding a way to hopefully get employees to remember why cybersecurity matters and how to protect themselves and their agency.


Exclusive

FBI, DoD IG conducting preliminary investigation into JEDI, procurements


The Defense Department inspector general and the FBI have launched a preliminary investigation into the DoD’s $10 billion Joint Enterprise Defense Infrastructure (JEDI) program and the Washington Headquarters Services’ role in this and other acquisitions.

A source confirmed to Federal News Network that they have met with the DoD IG and the FBI’s Public Corruption Squad recently to discuss a host of issues around DoD procurement.

The source, who requested anonymity in order to discuss an ongoing law enforcement matter, said the discussion centered on times and dates of meetings, and the Cloud Executive Steering Group and its role in drafting the solicitation for JEDI.

The source said the DoD IG and FBI also asked about relationships of contractors and government personnel as it relates to JEDI and other procurements.

Neither the DoD IG nor the FBI would confirm or deny the existence of an investigation.

While there are several unanswered questions about what the FBI and DoD IG are looking into, a former FBI agent and lawyers not associated with JEDI or the DoD cloud efforts — but familiar with how IG and FBI investigations typically work — said it’s not unusual for these two investigative organizations to work together on a case.

“Often when it comes to government contracting investigations, the FBI will not take over the case, and they often will enlist other people who are experts,” said Thomas Baker, a retired FBI special agent who worked in a variety of investigative and management positions at the bureau.

But if the FBI is involved in interviews on any topic, the experts say it implies there potentially is some sort of wrongdoing involving DoD civilian personnel and/or DoD procurement procedures.

“The FBI and the DOD IG are both very talented and professional law enforcement agencies, who each have overlapping legal authority to investigate matters. The two agencies have learned how to avoid stepping on each other’s turf, and to ‘work’ matters jointly when appropriate. There may be an aspect of any case that is important to the FBI, which most often takes investigation of public corruption cases, although that may not be the case here, and the DoD IG which has expertise on government procurement matters,” said Stephen Ryan, a former general counsel to the Senate Committee on Governmental Affairs, a former assistant U.S. attorney and now a partner with McDermott Will & Emery. “One may be focusing on a part of an investigation while the other may be focused on another issue, but it makes sense to collaborate.”

Additionally, experts say the DoD IG is one of the most well-resourced, well-trained units across the government, meaning they typically don’t need the FBI’s help. And if the FBI is involved, agents aren’t just participating because they don’t have better things to do.

Experts say if the FBI is involved in a case like JEDI or more broadly around potential public corruption, they are looking at any sort of crime that falls under 18 U.S. Code, 201, the federal bribery statute, and other similar statutes that cover unlawful acts by public officials.

Ryan stated that if it is established that both the DoD IG and the FBI are working together on any matter, one cannot infer the case has greater weight or importance legally until there is a court filing or other lawful public disclosure of the matter.

And Baker added that many times the FBI looks into something and finds there isn’t enough evidence for it to be a criminal matter and administratively closes the case. He said the FBI could very easily be at the beginning of an inquiry where they are just gathering information.

The fact that the DoD IG is looking at JEDI, however, isn’t surprising. Reps. Steve Womack (R-Ark.) and Tom Cole (R-Okla.) asked the agency to dig into the much anticipated and highly controversial contract in October. The House Appropriations Subcommittee on Defense members said they were most concerned that JEDI restricted competition.

Womack’s spokeswoman told Federal News Network that the DoD IG hasn’t given the lawmaker “an official response in writing yet.” Emails to Cole’s office seeking comment were not returned.

DoD has been under heavy scrutiny for much of the past 18 months as it developed its plan and solicitation for JEDI.

Since the release of the request for proposals last summer, industry has turned up the pressure with multiple bid protests, first to the Government Accountability Office and now to the Court of Federal Claims.

The news of the preliminary investigation comes as DoD announced its own investigation into a possible conflict of interest that compromised the procurement.

What is surprising, however, is the FBI’s involvement. Several industry and Hill sources expressed outward surprise when told of the bureau’s interest. One Hill staff member chuckled out loud, as if to say “it figures” rather than to express glee or shock.

While it’s difficult to know exactly what the FBI and DoD IG are working on, it’s clear there is enough concern to warrant them asking questions and digging into the details. No matter what comes from this, it’s just another factor that will impact JEDI and DoD’s plans in the near term.


The end is near for the worst website in government?

Just two weeks after I called FedBizOpps.gov the WORST WEBSITE in GOVERNMENT, there is a light at the end of the tunnel.

The General Services Administration quietly let those who were paying attention know that the new FBO.gov will migrate to beta.SAM.gov late in calendar year 2019.

Source: GSA IAE website

In the first quarter 2019 Integrated Acquisition Environment (IAE) digest released last week, GSA’s Vicky Niblett, the deputy assistant commissioner for IAE in the Federal Acquisition Service, wrote, “We’ll be unveiling our newest roadmap and schedule in the second quarter, but we already know that [Wage Determinations Online] WDOL.gov will be the next IAE system to transition into beta.SAM.gov. After that will be FBO.gov, probably sometime in late 2019.”

Wait, that means we have to put up with the 15-year-old site that’s stuck in the 1990s for only a few more months?

Let’s not put the champagne on ice quite yet, but you know I’m ready to celebrate.

Now after expressing my continued frustration with FBO.gov, a former FAS systems guy tweeted at me reminding me that maybe I should use the beta.SAM.gov site.

That’s a fine idea, so over the next few weeks, I will commit to testing out the new site – just like I used FBO.gov – and will report back with an analysis.

In the meantime, Niblett said GSA also will make other changes to beta.SAM.gov, including adding login.gov to the registration process and implementing ‘federal hierarchy,’ which is an internal process through which appropriate roles can be assigned to federal government workers.

In related news, GSA announced that IBM would continue to provide maintenance and migration support for the SAM.gov effort.

The agency awarded IBM a sole source contract worth $24 million over the next four years.

GSA awarded IBM the initial contract in 2010 and experienced some initial challenges with the program. But GSA says in its sole source justification that IBM has delivered good performance.

“During IBM’s eight years of performance on the SAM-AOCS contract, they have gained substantial knowledge of IAE systems. They have repeatedly delivered good performance and have improved over time,” GSA states in the justification. “IBM has gained the most technical knowledge of IAE systems among any source in the marketplace. Additionally, the SAM legacy systems are at the end of their product life and are scheduled to be retired and their functions transferred to the GSA cloud business platform over the next one-to-three years. The timing will depend on funding, completion of new system modules and applications, and the number of hurdles encountered during transition to the new information technology platform. It is considered impractical and risky to have a new contractor step in at this phase of the work, which is in the final steps of a 10-year project. For reasons of continuity during completion of the work, it would not be advantageous to the Government to solicit a new full and open RFP.”



In the move to the cloud, FBI hangs out the ‘innovations wanted’ sign

Innovation is one of those overused words in the federal sector. Every agency wants innovation. Every vendor says what they do is innovative.

So what makes a program or initiative innovative? Like the Supreme Court famously said about something else, “you know it when you see it.”

That’s the case with the FBI’s new Innovation Council.

Jeremy Wiltz, the FBI’s assistant director of the IT enterprise services division, said the council, which is just getting started, will bring together a diverse set of people, both those who have been at the bureau for a long time and newer employees, to generate ideas and focus areas.

“I have IT specialists that support tier one, that support desktops and visit customers. In our headquarters building with 11 floors and people going all over the place, we came up with an idea of a solutions center. We kind of tried to make it like an Apple store where people come to us in a central location in the building and get service,” Wiltz said at a recent AFCEA Bethesda event. “I had a couple of folks who were instrumental in making this very successful. One of them came to me and asked ‘how do we do more of this?’ And he said, ‘there are more of us like me.’ So I said, let’s come up with this idea of an innovation council.”

He said the goal of the council is to encourage employees to come up with ideas to improve processes and procedures and have a place to go where someone will assuredly listen to them.

“I want to hear from them and be able to say, ‘is that a tasking you can take?’ I don’t want to derail or circumvent their management so they will have to take this on as additional duty,” he said. “But it’s very rare to find those kinds of people who came to me. If I ignore this, I’m ignoring a whole set of people who are motivated to do things and not just sit around and wait for things to happen.”

One obvious idea the council may work on is franchising the solutions center concept to other FBI offices at Quantico or regionally.

“Franchising in the government, who’s talking about that? That, in and of itself, is an innovative idea. That wouldn’t have come about if these people weren’t motivated themselves and willing to approach me,” he said. “So having that kind of courage, I thought I have to take hold of that. I can’t wait to see where it goes.”

Wiltz offered an update to the council last week. He said the innovation council continues to come together.

“The individuals leading the effort are currently working behind the scenes to ensure alignment on mission, vision and goals prior to establishing a formal charter,” he said in an email to Federal News Network. “The innovation council will be composed of a diverse cadre of employees, working in the field and at headquarters across a variety of roles (IT and non-IT). Participants will share an interest in leveraging innovation solutions to make the FBI more efficient. Topics and priorities are still to be determined but one of the primary focus areas will be improving customer service.”

Giving employees a real voice in change

What makes the FBI innovation council so “innovative” is the simple fact that they are listening to the employees on the ground. Too often agencies want innovation to come from outside the agency, like the Defense Department’s Innovation Board. The DIB is made up of well-known technology industry experts like Eric Schmidt, founder of Google, and professors from Duke University, the California Institute of Technology and Carnegie Mellon University, who are helping the Pentagon take on enterprisewide issues.

Other efforts such as the Obama administration’s SAVE awards petered out after several years, and it’s unclear if any of the ideas that emerged from the frontline employees were ever fully implemented.

Michael Giuffrida, the CEO of Acendre, said engaging employees and giving them a real voice to drive change is much easier said than done.

“There are a lot of organizations out there where they give employees the opportunity to be heard through things like pulse surveys or in other ways. But how do you take that feedback and act on it?” Giuffrida said. “It’s important for employees to see the change that comes from their ideas. If they don’t see that change that’s where these efforts fail. It’s all about how you turn ideas into action and close the feedback process. That is where you see positive outcomes of engagement.”

Giuffrida said employee engagement “fits hand-in-glove” with increasing productivity and mission success.

“[From] the metrics we look at – on average – people are losing $9,000 per employee a year due to a lack of engagement in terms of productivity. If you have 100,000 employees, that’s a lot of money,” he said. “So if you can move the needle 10 percent-to-20 percent, that’s a lot. It’s important and getting mission critical especially when we are all fighting all the dynamics in the federal space.”

Giuffrida added that the dynamics include budget uncertainty, shutdowns and the arduous hiring process, all of which make it more difficult to bring innovative approaches into government.

Not if, but when apps move to the cloud

And this brings us back to the FBI’s innovation council.

Wiltz said new ideas and approaches become more important as the FBI moves more apps to the cloud.

“I see going into the cloud as a force multiplier. You have Amazon, Microsoft, Google’s security operations center on top of your SoC and their layers of security on top of your layers of security,” Wiltz said. “My boss has put out a vision, a toolbox of the future. We are beginning to plant it in the minds of people who don’t think the way we think or don’t think about moving toward mobility. We are starting to plant those seeds.”

And what better way for those seeds to grow and prosper than by seeking the input and backing of the people who are going to reap the harvest.



Cyber gushes from 2019 spending bill, if you know where to drill


When you dive into the fiscal 2019 budget sometimes you need a miner’s hat, and sometimes you need to be an oil driller.

Where a miner must go underground and chip away at rock to find the IT “gold,” a driller just has to know where to start.

That is the case with cybersecurity in the 2019 budget — hitting just the right spot brings a gusher of black cyber gold.

The best place for drilling is in the Department of Homeland Security’s section where the Cyber and Infrastructure Security Agency (CISA) now lives.

In this region of DHS, lawmakers allocated CISA $322.8 million for “procurement, construction, and improvements.”

To get the oil out of that field, you have to start boring some holes, first in the continuous diagnostics and mitigation (CDM) program. CDM received two funding allocations: The first is for deployment of capabilities where DHS received a total of $115.8 million, which is $3.7 million more than the Trump administration requested and $13 million more than CDM received in 2018.

But that’s a minor gusher compared to the money DHS received for the procurement of tools. Congress allocated $160 million for DHS to buy agencies new tools under CDM, which is $34.4 million more than the White House requested, but almost $87 million less than what the program received in 2018.

Now with Congress acting as the investors in this CDM Spindletop-of-sorts, they want updates on how DHS is pumping out their profits.

“CISA is directed to provide a briefing, not later than 90 days of the date of enactment of this act and semiannually thereafter, on the updated timelines and acquisition strategies for the National Cybersecurity Protection System (NCPS) program and the Continuous Diagnostics and Mitigation (CDM) program, including the accelerated deployment of CDM Phase 4 data protection management (digital rights management, data masking, micro-segmentation, enhanced encryption, mobile device management, etc.) across all ‘.gov’ civilian agencies,” the omnibus spending bill states.

While the CDM field continues to flow millions of gallons of oil, the NCPS program, which includes the Einstein intrusion and prevention tools, is starting to dry up for tool procurement.

Lawmakers allocated $96 million in total funding for this year, down from $115 million last year and $5 million less than what the administration requested.

“A reduction of $15 million to the NCPS acquisition program is included due to contract delays,” lawmakers write.

But at the same time, lawmakers increased NCPS funding to $297 million for deployment of NCPS tools, up $10 million over 2018 and about $600,000 more than the administration requested.

The third piece of the federal cybersecurity funding came to the Federal Network Resilience group at DHS. It received $50.1 million for 2019, which is $7.3 million more than in 2018 and slightly over the administration’s request.

Lawmakers also told DHS to redirect some of their extra funds for “facility construction, expansion and renovations necessary to support CISA’s growing cybersecurity workforce; expanding operations, laboratory, and logistics support activities; and Continuity of Operations functions at the agency’s existing support facility. In fiscal year 2018, $500,000 was appropriated for facility design purposes.”

The DHS oil fields are well known for their gushers, but the 2019 spending bill also had some lesser known fields for some deeper drilling.

Supply chain risks continue for CJS bill

In the Commerce, Justice and State bill, lawmakers reemphasized supply chain risk management.

Legislators told those agencies, including NASA and the National Science Foundation, they can’t buy any technology for high or moderate impact systems unless:

  • They have reviewed the supply chain risk for the information systems against criteria developed by the National Institute of Standards and Technology and the Federal Bureau of Investigation (FBI) to inform acquisition decisions;
  • They have reviewed the supply chain risk from the presumptive awardee against available and relevant threat information provided by the FBI and other appropriate agencies; and
  • They have consulted the FBI or other appropriate federal entity, conducted an assessment of any risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States government as posing a cyber threat, including but not limited to, those that may be owned, directed or subsidized by the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, or the Russian Federation.

Additionally, lawmakers say these agencies must not buy technology for high or moderate risk systems unless the agency has “developed, in consultation with NIST, the FBI, and supply chain risk management experts, a mitigation strategy for any identified risks; determined, in consultation with NIST and the FBI, that the acquisition of such system is in the national interest of the United States; and reported that determination to the Committees on Appropriations of the House of Representatives and the Senate and the agency Inspector General.”

These provisions follow a long history of concerns at these agencies over supply chain risks. In 2014, former Rep. Frank Wolf (R-Va.) added a similar provision in that year’s spending bill.

Treasury, Transportation get cyber funds

Two other regions ripe for bringing in rigs for drilling are the Treasury and Transportation sections of the bill.

First, the Treasury Department received $25.2 million for enhanced cybersecurity services and personnel. Lawmakers instructed Treasury’s bureaus to send the agency’s chief information officer a spending plan for approval.

In the Transportation Department sector, you had to drill a little deeper to find $15 million in cyber oil.

Lawmakers told Transportation to use the money for “necessary expenses for cybersecurity initiatives, including necessary upgrades to wide area network and information technology infrastructure, improvement of network perimeter controls and identity management, testing and assessment of information technology against business, security and other requirements, implementation of federal cybersecurity initiatives and information infrastructure enhancements, and implementation of enhanced security controls on network devices.”

This is, by far, not a comprehensive review of all things cyber in the spending bill. Congress also allotted quite a bit of cyber money for election security, critical infrastructure protections and research and development. But the cyber spending highlighted above is what will impact agency security postures in real and immediate ways.



CIO shuffle continues: USPTO, USITC find new ones

Movement in the federal chief information officer community has been quiet over the last few months. But two agencies finally filled CIO positions that have been open for almost a year.

The U.S. Patent and Trademark Office named Henry “Jamie” Holcombe to replace John Owens, who left in November 2017. David Chiles, PTO’s chief technology officer, has been acting CIO since Owens left to work for CGI Federal as its vice president of its Solution Development for Emerging Technologies Practice.

Holcombe starts at PTO on Feb. 25, coming to the agency after a career in the public sector.

He is leaving his position as vice president and general manager at Harris Corp., where he was responsible for the delivery of communications and IT services to federal intelligence, defense and civilian markets as well as commercial telecom, energy and e-commerce customers.

In addition to Harris, Holcombe worked at the Universal Service Administrative Company, Globix Corporation in New York, and served as chief operating officer of TJ Westlake and chief executive officer of Visium Technologies, focusing on cybersecurity at both companies.

Henry “Jamie” Holcombe, CIO, U.S. Patent and Trademark Office

“Our legacy IT systems are old and it is well beyond time to undertake a fundamental stabilization and modernization effort. As our new CIO, Jamie will have a unique opportunity to help the USPTO improve these systems and transition our agency to state-of-the-art technology,” said Under Secretary of Commerce for Intellectual Property and Director of the USPTO Andrei Iancu in a statement.

Holcombe’s priorities at USPTO are well known. He will continue to decrease the patent backlog and modernize both the patent and trademark systems. Owens modernized the bureau’s processes by implementing dev/sec/ops.

Holcombe holds a Master of Science in computer science from George Washington University, and a Master of Business Administration from Chaminade University. He also has a Bachelor of Science degree from the United States Military Academy at West Point, where he finished first in his class in computer science.

CIOs shifting among small agencies

In addition to the USPTO, the U.S. International Trade Commission replaced its CIO with an internal candidate.

Keith Vaughn, who joined the agency in 2011 as its chief data architect, replaces Kirit Amin, who left in January 2018. Vaughn also was acting CIO from January to September 2018.

Before coming to USITC, Vaughn worked at several contractors in senior level positions, including The Ambit Group, SI International and Zen Technology.

As the CIO, he will develop and manage the agency’s information technology budget, work with offices throughout the agency to ensure that their information technology requirements are met, strengthen the agency’s network security and direct a number of crucial information technology modernization and enhancement efforts.

Two other small agencies have put out the “help wanted” sign for CIOs.

The Millennium Challenge Corporation posted a job notice on USAJobs.gov that closes on Feb. 22.

MCC’s previous CIO, Vincent Groh, passed away unexpectedly in October, according to the agency’s release.

“Vince was an important member of the management team, and a respected leader who demonstrated compassion and teamwork. He was committed to working with others to find solutions, and empowered his team to provide best in class services to the agency,” the agency states. “Through his passion for MCC’s mission, and dedication to his work, Vince embodied the finest values of MCC. Our thoughts and prayers are with his loved ones. He will be profoundly missed.”

Christopher Ice, MCC’s senior director of production operations in the office of the CIO, has been acting CIO since October.

Groh was a guest on Ask the CIO in August 2017, where he talked about how he was planning to move MCC to the cloud and stop spending on commodity technologies.

Additionally, the Institute of Library and Museum Services is hiring a new CIO. Ben Sweezy, who started as the CIO in January 2018, changed positions and is now the deputy director of the Office of Digital and Information Strategy.

It’s unclear if Sweezy, a former Office of Management and Budget IT policy analyst, or Eugene Block, the deputy CIO at ILMS, is currently acting CIO.

The USAJobs.gov notice closes on Feb. 22 and states that the CIO role oversees both their office and the Office of Digital and Information Strategy.



IT modernization, CIO authorities and other nuggets from the 2019 funding bill

Now that another shutdown has been avoided, and agencies and contractors can get back to the real work of government, it’s time to dig deep into the fiscal 2019 omnibus spending bill for technology nuggets.

Like any worthwhile mining operation, it may be some time until we really know what we have, but at first glance, there’s a lot of gold in them thar’ hills.

The first nugget you’ve probably seen is the Technology Modernization Fund (TMF) receiving $25 million for 2019. That was a big drop from 2018 when the TMF Board had $100 million to loan out to agencies. By the way, the board still has about $10 million in 2018 funding that must go out the door – so we can say for this year the total amount is $35 million.

It’s a big drop from the Trump administration’s request of $210 million, and even from the House Appropriations Committee’s initial allocation of $150 million. The silver lining here is the Senate had zeroed out the fund so getting $25 million is progress.

Once you get past this initial TMF vein, the mining operation uncovers an interesting provision in the state/foreign operations section of the mountainous bill.

Lawmakers limited the State Department and the U.S. Agency for International Development’s use of the no-interest loan mechanism.

“None of the funds made available by this Act and prior Acts making appropriations for the Department of State, foreign operations and related programs may be used by an agency to submit a project proposal to the Technology Modernization Board for funding from the Technology Modernization Fund unless, not later than 15 days in advance of submitting the project proposal to the Board, the head of the agency (i) notifies the Committees on Appropriations of the proposed submission of the project proposal; and (ii) submits to the Committees on Appropriations a copy of the project proposal,” the bill states.

Additionally, legislators added that even if the board approves State or USAID’s project, the agency head must submit “to the committees on appropriations a copy of the approved project proposal, including the terms of reimbursement of funding received for the project; and (ii) agrees to submit to the committees on appropriations a copy of each report relating to the project that the head of the agency submits to the board.”

No other section of the omnibus spending bill has a similar provision, and there is no more discussion in the current omnibus bill nor the previous House or Senate reports issued in summer 2018 about why lawmakers have concerns about State or USAID using the TMF.

At the same time, miners uncovered another vein of gold that takes us in a totally different direction. This one seems to reiterate and reinforce the State Department’s chief information officer’s authorities.

Lawmakers wrote: “None of the funds appropriated in title I of this act under the heading ‘Administration of Foreign Affairs’ may be made available for a new major information technology investment without the concurrence of the CIO, Department of State. (B) In complying with the requirements of this paragraph, the CIO, Department of State, shall consider whether a new major information technology investment- (i) is consistent with the department Information Technology Strategic Plan; (ii) maintains consolidated control over enterprise IT functions or improves operational maintenance; (iii) improves Department of State resiliency to a cyber-attack; (iv) reduces department of State IT costs over the long-term; and (v) is in accordance with the Federal Acquisition Regulation (FAR), including FAR Part 6 regarding competition requirements.”

It’s well known in the federal IT community that the State CIO has struggled for decades to oversee IT investments by the foreign service.

Former State CIO Frontis Wiggins sought to create IT franchises where the headquarters’ CIO office acts like the parent company and provides the basic services to the franchisees. That idea never made much progress as Wiggins left before he implemented it. Now State is going down the more traditional path of trying to convince its powerful brethren that back-office shared services is a better approach to give the CIO more visibility and oversight.

Congress possibly just got tired of these approaches that made little or no difference, and brought down the hammer in a different way to empower the agency CIO.

CIO powers continued

It’s not just at State that lawmakers used the omnibus to reiterate and reemphasize the role and authorities of agency CIOs.

In the Agriculture Department’s section, lawmakers added a provision to ensure that the CIO, Gary Washington in this case, and the executive investment review board approves any new or significant upgrade of IT.

But then legislators took an interesting turn in the provision.

“None of the funds appropriated or otherwise made available by this act may be transferred to the Office of the CIO without written notification to and the prior approval of the committees on appropriations of both houses of Congress: Provided further, That, notwithstanding section 11319 of title 40, United States Code, none of the funds available to the Department of Agriculture for information technology shall be obligated for projects, contracts, or other agreements over $25,000 prior to receipt of written approval by the CIO: Provided further, that the CIO may authorize an agency to obligate funds without written approval from the CIO projects, contracts, or other agreements up to $250,000 based upon the performance of an agency measured against the performance plan requirements described in the explanatory statement accompanying Public Law 113-235.”

So let’s break that down: the Appropriations Committees must approve any transfer of funds to the CIO, but the CIO may approve any IT purchases over $25,000 and in some cases up to $250,000.

Again, this is why miners don’t always know what they have until there is further inspection to know if it’s gold or pyrite.

Lawmakers also reiterated — in Section 623 — the authorities CIOs received in the Federal IT Acquisition Reform Act (FITARA), the Clinger-Cohen Act and several White House policies and executive orders.

It’s unclear why there is this need to reiterate a law in another law, but as miners, we have to keep on digging to find out what’s underneath this layer of rock.

IT modernization funding in different accounts

Sometimes you have to blast through other rock formations to reach new sources of minerals. This is the case for IT modernization. While the TMF is specifically designed to provide agencies with a loan to further existing initiatives, the Office of Management and Budget and the General Services Administration also have other accounts that can further the goals of getting off legacy systems.

OMB received a $9.5 million increase over 2018 in the IT Oversight and Reform (ITOR) fund to $28.5 million.

“OMB is expected to utilize the funding provided to continue oversight of federal IT activities and investments, including the management of the IT Dashboard, the OMB policy library, and IT policy compliance tracking,” the appropriators wrote.

While this funding can’t be used as a loan, OMB can provide agencies help in other ways to make IT modernization easier by updating acquisition policies for buying technology or the creation of training courses.

Additionally, GSA received a boost to the $55 million Federal Citizen Services Fund, which is $5 million more than it received last year.

GSA said in its 2019 budget justification that it will use the fund to pay for the Federal Risk Authorization Management Program (FedRAMP) and to further the Login.gov initiative.

Both could be key pieces to help agencies modernize services as we’ve seen with 128 cloud services approved through FedRAMP and another 73 in the process. Login.gov has been picked up on the SAM.gov, USAJobs.gov and Trusted Traveler websites.

