Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

OMB’s Cornelius to lead industry association

The end of the calendar year usually brings a flurry of federal executives moving into new jobs or retiring, and this one is no different.

Among the biggest losses is Matthew Cornelius, who left the Office of Management and Budget after almost three years to become the executive director of the Alliance for Digital Innovation (ADI), an industry association. His first day at ADI was Dec. 9.

“Commercial innovation is essential for a modern digital government. While at OMB, Matthew was a true thought-leader driving cloud-forward technologies into the federal government,” said Rich Beutel, who is on the board of directors of ADI and helped get the association started, in an email to Federal News Network. “We welcome Matthew as the new executive director to drive our message on a full-time basis going forward.”

Cornelius is another one of those behind-the-scenes OMB policy folks who make a significant difference and important contributions that most people don’t realize.

During his time at OMB, he worked on implementing the Modernizing Government Technology Act and ensured the IT modernization goals of the President’s Management Agenda were met.

“I’m leaving at a good time for me and for the Office of the Federal Chief Information Officer,” Cornelius said in an interview. “I was looking for an opportunity to step away and take on a smaller and more nimble organization and this seemed like a good opportunity. I want to see what life is like outside of government.”

The one skill he will definitely take with him is the ability to herd cats. As an industry association executive, Cornelius is used to getting different organizations to see the way forward.

During his tenure at OMB, Cornelius said he was most proud of getting the MGT Act passed and then helping to implement it, including the Technology Modernization Fund (TMF).

“It is very rare you get to build a new program with such a high level of visibility among Congress, the administration and industry. It was a tremendous learning experience,” he said. “TMF will benefit agencies far beyond the $125 million appropriated and the $90 million loaned out across the nine projects. It has changed the way agencies think about how to fund and how to get better results for IT projects.”

He said he’s also proud of the progress and successes of IT modernization in the PMA in terms of helping agencies provide better and more responsive services.

At ADI, Cornelius says he wants to continue to improve the federal market’s capabilities for buying and using technology.

“The first thing I plan to do is talk with our member organizations and understand the goals of those companies,” he said. “How can we put in place better policies that lead to a new way of thinking about these technology and acquisition problems that have plagued government for so long? What are the best ways we can partner with the government to move in a cohesive direction?”

ADI launched in 2018 and there is concern among some in industry that it’s mostly to promote the view of Amazon Web Services and its partners. There currently are 17 members listed on ADI’s website, including Salesforce, Veritas, Telos and VMware.

Along with OMB, Cornelius worked at the General Services Administration and the Treasury Department during his five-year stint in government.

It’s unclear who will replace Cornelius at OMB.

VA, OPM, USDA tech leaders on the move

The Department of Veterans Affairs is losing a key technology executive, while the Office of Personnel Management, the Federal Communications Commission and the Agriculture Department are bringing new ones on.

Bill James, the deputy assistant secretary for development and operations at VA’s Office of Information and Technology, left the government after three years.

A VA spokesman confirmed James left in early December and the agency hasn’t named a replacement yet.

James launched his own consulting firm to help companies sell to the federal government.

During his tenure at VA, James helped move VA toward a dev/ops culture, focusing on mission and customer engagement on the front-end.

One of his big successes was helping to launch the updated version of that sparked more code sharing that ended up increasing health care applications by 51%, and a more than 200% increase in utilizing the MyVA311 number.

At USDA, Tim McCrosson is joining as an associate CIO for the Client Experience Center in the Office of the CIO.

In that role, he will lead the delivery of technology, associated operations security and technical-support services to more than 45,000 USDA end users located in more than 3,400 field, state, and headquarters offices across the U.S. and its territories.

He comes to USDA from the Department of Homeland Security where he spent the last two-plus years as the Cybersecurity and Infrastructure Security Agency’s deputy chief of the cyber performance branch.

In that role, McCrosson worked in the Federal Network Resilience Division to help agencies understand cybersecurity challenges and support decisions to better protect government data and systems. He also worked with agencies to collect governmentwide Federal Information Security Management Act data, hold CyberStat sessions and consider new methods for making risk-informed decisions.

While McCrosson comes to USDA, Francisco Salguero is leaving the agency to become the FCC’s CIO.

Salguero replaces Christine Calvosa, who left in May to join the private sector.

He worked at USDA since 2004 in a variety of roles, including as CIO of the Rural Development bureau and eventually deputy CIO of the entire agency.

FedScoop was the first to report Salguero’s move.

Karl Alvarez announced on LinkedIn that he is the new associate CIO for management and policy at the Office of Personnel Management.

Alvarez’s arrival helps to rebuild an OPM CIO staff that has seen a fair amount of turnover in the last few years.

He comes to OPM from the Department of Health and Human Services, where he spent nine years working in assorted roles including the last two as the executive officer to the agency’s CIO.

In the acquisition community, Jaime Garcia is joining the IRS after spending the last two years as the section chief for Contract and Finance Management for the National Risk Management Center (NRMC) at DHS.

Garcia, who announced the new job on LinkedIn, will be an acquisition manager for the tax agency working to create innovative and agile contracts.

A couple of other noteworthy changes you may have missed over the last few months:

  • Ed Wilson, the deputy assistant secretary of Defense for cyber policy since February 2018, left on Nov. 15.
  • Earl Warrington left GSA after 24 years to join the Small Business Administration. Warrington is the IT program manager for SBA after serving in a variety of roles at GSA including as the assistant deputy associate administrator in the old Office of Citizen Services and Innovative Technologies and director of category management.
  • Marcy Jacobs left as the executive director of VA’s digital service to join McKinsey and Company as an associate partner. Jacobs, who also spent two years working for the U.S. Digital Service, won a 2018 Service to America medal for her work to improve

If you know of other “people on the move” in the federal community, don’t hesitate to send me a note.

SBA ‘beats the odds’ by finalizing several major contracting regulations

In November 2018, Federal News Network and procurement expert Larry Allen set some odds about whether certain acquisition regulations would be completed sometime in 2019.

For the most part, the odds makers were not optimistic, given that during 2017 and 2018, FAR rules that were either proposed or finalized were scarce.

So here we are a year later, and it’s nice to be able to report that the Small Business Administration, at least, may just have beaten the odds on several important procurement provisions.

Over the last few weeks, SBA finalized rules to improve the HUBZone program, to change the way the government calculates small business sizes based on earnings and a half dozen other rules that have been in the works since 2015.

Each of these rules is trying to address some sort of systemic problem in the federal contracting market. Why it took, in some cases, three years to get through the system is unclear. The lack of a permanent administrator in the Office of Federal Procurement Policy or the dislike of regulations by the Trump administration or just the slow nature of getting a rule through the Federal Acquisition Regulations Council are all possibilities.

“We have been waiting for them to come out,” said Tony Franco, a senior partner with the law firm PilieroMazza. “They provide clarity on a number of issues, particularly how small businesses may comply with the subcontract limitation requirements and how independent contractors may be treated. There is a great deal of confusion in the community on those issues so this is helpful.”

The new calculation of small business earnings is among the most important new rules.

This final rule, which takes effect Jan. 6, changes the calculation of average annual receipts for all of SBA’s receipts-based size standards to a five-year average from the current three-year average.

“SBA adopts a two-year transition period through Jan. 6, 2022. During the transition period, a firm may choose between calculating receipts using a three-year average or a five-year average,” the agency states in the rule. “With an expanded pool of small businesses, the federal government will have more qualified small businesses to choose from, and as a result, likely will set aside more contracts for small businesses. SBA also agrees with commenters that the five-year averaging period will allow more small firms to benefit from SBA’s small business assistance programs by extending their small business status for a longer period. The change would also enable small businesses that have just exceeded their size standards to regain their small business status and to benefit from federal small business assistance. SBA believes that the change to a five-year averaging period will expand benefits to all small businesses over the long-run, although the proposed change would have led to some negative impacts in the short-run.”

Matt Schoonover, the managing partner of Koprince Law, said there are two big takeaways from this final rule. The first is the move to five-year calculations rather than three-year.

Second, he said, through this rule the SBA is clarifying its plans to implement the Runway Extension Act which became law in 2018.

“Some were concerned that some businesses would be hurt by the law if they had declining revenues over the five-year period, but because years four and five were higher, they would make the company ineligible as a small business,” Schoonover said in an interview. “I think it’s good that SBA has given companies a choice to elect to go with three- or five-year revenues for a two-year period, through January 2022.”

Major update to HUBZone program

Next on the list is the HUBZone final rule, which becomes effective on Dec. 26.

This comprehensive revision is trying to fix many of the problems that plagued the 1997 law.

“The rule is intended to make it easier for small business concerns to understand and comply with the program’s requirements and to make the HUBZone program a more attractive avenue for procuring agencies,” SBA states in the final regulation. “SBA recognizes the challenge many firms face in attempting to meet the requirement that at least 35% of the firm’s employees live in a HUBZone. Firms with a significant number of employees may have a hard time meeting this requirement because it is often difficult to find a large number of individuals living in a HUBZone who possess the necessary qualifications. Smaller firms also have a hard time meeting this requirement because the loss of one employee could adversely affect their HUBZone eligibility.”

Agencies have never made the governmentwide goal of awarding at least 3% of all contracts to HUBZone companies. In fiscal 2018, SBA said agencies awarded just 2.05%, up from 1.65% the year before.

“The SBA is doing what they can or what they think is appropriate to help make compliance with the program easier while still making sure the goals of the program are met. Sometimes, those two inclinations can conflict, but I think SBA is doing a good job of trying to say what can we say to give some assurance to the program so people can trust it when they issue awards,” Schoonover said. “There definitely are some changes that are needed for the HUBZone program. A lot of times HUBZone small businesses are spending so much time and effort to maintain compliance that at the end of the day, some questioned whether the hassle was worth the benefit.”

Schoonover added the final rule should help both HUBZone companies and contracting officers and, in the end, increase the number of companies receiving awards.

SBA said the final rule requires only annual recertification that the company qualifies rather than proof after every award.

“This reduced burden on certified HUBZone small businesses will allow a firm to remain eligible for future HUBZone contracts for an entire year, without requiring it to demonstrate that it continues to meet all HUBZone eligibility requirements at the time it submits an offer for each additional HUBZone opportunity,” SBA states. “The concern would be required to come into compliance with the 35% HUBZone residency requirement again at the time of its annual recertification in order to continue to be eligible for additional HUBZone contracts after the one-year certification period.”

Schoonover said changing the residency requirement also is a big deal.

“The SBA is trying to put some level of objectivity now by helping to define what it means to attempt to maintain residency compliance,” he said. “If a company falls below 20% of employees who live in HUBZone, SBA has determined that the company is not attempting to maintain eligibility. The former requirements were more subjective.”

Bundling and subcontracting changes

The third and final set of regulations has been a long time coming, some dating back four years.

Among the areas this regulation addresses are more public contract bundling notifications, expanded oversight for procurement center representatives and double credit for agencies on disaster contracts.

Among the most significant is the new requirement for agencies to publish within seven days the details of a substantial bundling of contract requirements.

Another update authorizes agencies to receive double credit for small business goaling achievements on SBA’s scorecard when they award contracts to local area small businesses in connection with a disaster.

A third change lets procurement center representatives review any acquisition regardless of whether it is set aside, partially set aside, or reserved for small business.

PilieroMazza’s Franco said the rule also “tightens up and clarifies subcontracting plan requirements for large firms that need to meet small business and socio-economic goals. Because the SBA had issued proposed rules a year ago — on Dec. 4, 2018, the government contracting community is not particularly surprised by the final rules which go in effect at the end of this year.”

Franco added that while these final rules are important, SBA continues to make other major changes to small business contracting programs.

Amazon’s protest of GSA’s e-commerce platform RFP tells us why the silly season is in full swing

This story was updated on Dec. 10 with a comment from Amazon.

There may be no better indicator that the General Services Administration’s e-commerce platform solicitation is facing a host of uphill challenges than the fact that the company many believe will be the ultimate winner filed the first protest.

Federal News Network confirmed that Amazon fired the first salvo in the federal e-commerce war.

Government sources say the Seattle, Washington company submitted an agency-level, pre-award protest in November.

Sources say Amazon challenged whether GSA’s market research was sufficient, and it questioned some of the terms of the solicitation, particularly around compliance with laws like the Competition-in-Contracting Act, the Federal Acquisition Streamlining Act and even the provision in the 2018 defense authorization bill requiring GSA to set up an e-commerce marketplace in the first place.

Government sources confirmed GSA has dismissed the protest and will take corrective action to clarify and strengthen the request for proposals to further meet the expectations of commercial e-marketplace platforms.

“We applaud the GSA for transforming the conversation and reevaluating the solicitation to ensure the procurement process is fair for all participants,” said Anne Rung, director of public sector, Amazon Business, in a statement on Dec. 10 to Federal News Network. “Thousands of government customers are already purchasing commercial items from e-marketplaces, including Amazon Business, to streamline their procurement and save taxpayers’ dollars.”

The fact that Amazon decided to submit a pre-award protest doesn’t bode well for a program some believe is already in trouble.

Roger Waldron, the president of the Coalition for Government Procurement and host of Off the Shelf on Federal News Network, said Amazon’s decision to submit a pre-award, agency-level protest is significant.

“To the extent the protester argues that the RFP terms are inconsistent with commercial practice, the law has been clear for a quarter of a century. FASA prescribes the use of commercial terms/practices to the maximum extent practicable. Section 846 likewise prescribes that sales be made, to the maximum extent practicable, under the standard terms and conditions of the portal provider. This language (to the maximum extent practicable) reflects the government’s obligation to balance its responsibilities to the public against a vendor’s terms and conditions,” Waldron said in an email to Federal News Network. “That is why transparency is paramount. The public needs to understand the nature of any RFP changes and whether they are consistent with the law. This is especially important here given the lack of analysis in GSA’s Phase II Report of e-commerce portal standard terms and conditions in context of government requirements.”

Waldron added he believes schedule contractors will closely watch how GSA resolves Amazon’s challenge because whatever they do could have a major impact on how agencies apply the concept of the “maximum extent practicable” standard. He said it will directly impact multiple award contracts which operate under FASA and FAR Part 12.

$6 billion market for e-commerce

GSA has recognized the e-commerce program will not be easy to implement. Laura Stanton, GSA’s deputy assistant commissioner for category management in the Office of IT Category in the Federal Acquisition Service, told me in October that the RFP is all about creating a proof-of-concept to test out its theories.

GSA estimates that the e-marketplace platform will help agencies get their arms around as much as $6 billion in spending that is happening through government credit cards and other micro-purchase buys.

The Wall Street Journal reported in late November that Amazon, Walmart and eBay were among the companies which have expressed interest in bidding on the e-commerce solicitation.

Rung, the former administrator in the Office of Federal Procurement Policy, said in a June 2018 interview that the e-commerce platform will benefit the government in several ways, including better transparency and meeting customer expectations in a more commercial-like way.

Still, the fact that Amazon submitted what many would call a warning-shot bid protest (an agency-level protest isn’t public like it would be if the company filed with the Government Accountability Office or with the Court of Federal Claims) doesn’t bode well for the long-term health of the program. This is especially true given how much research, time and industry feedback GSA has received over the course of the last few years. It means either GSA isn’t listening, industry isn’t clearly explaining its needs or desires or the program just doesn’t make sense the way it is designed today.

This brings us back to the idea that maybe enhancing GSA Advantage is the better approach and one even Congress could accept with only a little explanation, given that the supporter of this program, Rep. Mac Thornberry (R-Texas), is not only no longer the chairman of the Armed Services Committee, but is leaving office in 2020.

The protest silly season

Amazon’s agency-level, pre-award protest is just one of several impacting high profile procurements—let’s not even mention the four-letter Defense Department cloud program that Amazon also is unhappy about.

Some federal procurement lawyers say the fall is their busy season as contractors are reacting to awards made by agencies in the federal fourth quarter.

“Protests increase when contract awards increase, and because most awards happen toward the end of the fiscal year, you usually have protests in the next fiscal year after the briefings happened,” said Eric Crusius, a partner with Holland and Knight in Washington, D.C. “This year is on par with previous years in terms of the number of protests we are seeing.”

Big, multi-billion dollar RFPs from GSA, the Homeland Security Department and the Air Force, to name just three, have come under protest in the last few months alone.

GSA’s second generation IT services (2GIT) contract awards are facing protests from three companies. Red River Technology and Blue Tech, Inc., filed four and three separate complaints, respectively, with GAO, while Coast-to-Coast Computers continues its fight to force GSA to restructure the contract by submitting a complaint to GAO as well.

Emails to Red River and Blue Tech seeking comment and details of their complaints were not returned.

Air Force cloud contract delayed

Rick Vogel, the federal government sales manager for Coast to Coast Computer Products in Simi Valley, California, said in an email that the company’s protest is not of the awards but of a perceived violation of the Federal Acquisition Regulations, and that it is asking GAO to limit 2GIT use to the Air Force only and not allow GSA to make it a governmentwide contract.

GAO says it will decide the protests no later than late February or early March depending on when the company filed its complaint.

Over at the Air Force, Leidos submitted a complaint to GAO over the service’s $728 million award to SAIC to run its common cloud environment.

GAO says it will decide the protest no later than Dec. 30.

And finally, DHS may be facing a protest of its financial systems RFPs. Industry sources say Savantage has filed or is considering filing a complaint. GAO isn’t showing any protest on its docket, and an email to Savantage was not returned.

This wouldn’t be the first time Savantage expressed concerns over DHS’s plans to upgrade its financial systems. The company protested DHS’s 2010 RFP called TASC, and in 2016 it filed a complaint in federal court over the agency’s decision to move its financial management system to the Interior Department’s shared services center.

Crusius said the biggest difference this year when it comes to bid protests is there is less of a concern by vendors about suing their customers.

“I think part of the issue with protests is it’s become much more accepted by the government,” he said. “There used to be a huge concern that the agency wouldn’t want to do business with a contractor anymore if they sued them. But I hear much less concern from contractors about that. I think there is a recognition that protests aren’t personal, and because the customer understands protests are a part of the system.”

More boring cyber training? Not for these 72 HHS employees

Let’s face it, no one likes cybersecurity training.

The fake phishing attacks have made us all paranoid. The online courses are boring and, even though cybersecurity is critical, the time it takes to complete the training courses takes away from the mission.

But what if—think about it for a moment—cybersecurity training was interactive, collaborative and — hold on — even fun?

That’s what the Department of Health and Human Services attempted to do by hiring a vendor to run a cybersecurity escape room during Cybersecurity Awareness month.

“We [did] an escape room to teach the basics,” said Janet Vogel, the HHS chief information security officer, at a recent AFCEA Bethesda event. “We have these windows of opportunities that we have to take advantage of like where people will rotate and observe at the security operations center or network operations center and get some experience so they understand it better. That sparks some excitement and they’ve learned something that they can apply. It also gets cyber into the language that everyone is using and their habits.”

HHS had eight teams, totaling 72 employees from eight operating divisions, participate in the escape room training.

“Each escape room training session was one hour, consisting of a five minute introduction briefing, 20 minutes to complete the hands-on exercise, a five minute quiz and 30 minutes of discussion on how to implement cybersecurity best practices covered in the training, into daily work tasks,” an HHS spokeswoman said in an email to Federal News Network. “The escape room challenges included how to identify and use two factor authentication, recognize phishing emails, identify personally identifiable information, find unsecure WiFi access points and physical computer security.”

Conrad Bovell, the director of information system security for the Financial Management Systems Group at the Centers for Medicare and Medicaid Services, said after the AFCEA event that the escape room concept was intriguing.

“It got my folks excited. They asked if they could do it,” Bovell said. “It’s a good thing to put them in a situation where they have to make decisions under a little bit of pressure.”

HHS hired Living Security to conduct the escape room exercise.

Not your typical training sessions

The HHS spokeswoman said the escape room concept is part of the agency trying to use different approaches to training.

“The idea to explore using a live interactive training exercise to reach more HHS employees is an expansion on the HHS Cybersecurity Awareness program, which already includes online training modules, in-person lunch-and-learn sessions, webinars, cybersecurity awareness articles, question of the week and ethical phishing exercises,” the spokeswoman said.

HHS followed the lead of the Federal Housing Finance Agency (FHFA), which also hired Living Security to conduct an escape room training earlier this year.

The HHS spokeswoman said the CISO’s office met with Taryn Jones, the senior IT specialist and cybersecurity awareness training lead at FHFA, to better understand how FHFA implemented the escape room concept.

Jones “provided a wealth of insight and knowledge about how to successfully operate the escape room experience. She also provided an outstanding demonstration to HHS Leadership, which was very well received,” the spokeswoman said. “Taryn emphasized the importance of all team members to participate in the training exercise and added value to the group discussion after the activity. Group discussion gave the participants an opportunity to discuss real scenarios where they had encountered the cybersecurity topics reviewed in the training and how the scenario played out.”

An FHFA spokesman declined to comment on its cyber escape room experience.

Along with Living Security, there are a handful of other federal cyber companies offering similar experiences. The Thales Group offers a “mobile box” that is a 10-minute experience that uses clues, hints and strategy to help participants complete the puzzle. The SANS Institute also offers a similar experience to reinforce and teach cybersecurity best practices and principles.

This concept is becoming more and more attractive to other agencies.

Adrian Monza, the deputy CISO and chief security architect in the Information Security Division at the U.S. Citizenship and Immigration Services, said after the AFCEA event that Vogel’s mention of the escape room concept was the first he’d heard of it.

“It seems to create engagement and the opportunity to form relationships that may not happen otherwise,” Monza said. “I plan to reach out to Janet to find out more.”

The Massachusetts National Guard also hired a vendor to create a cyber escape room earlier this year.

Gathering feedback on escape room

As for HHS, the spokeswoman said the agency will measure the impact of the escape room exercise in a variety of ways.

She said the CISO’s office took participant feedback and conducted an online survey shortly after the exercise finished.

Some of the participants offered these comments:

“It was extremely interactive and I very much liked the discussion at the end. The discussion reinforced and explained some of the rules that I would have otherwise discarded as too burdensome or no true added security.”

“Very involved and nuanced; it showed that a lot of work had gone into the training and developing the tools; let me cover the content of a normal training in a much more engaging way.”

“The activity was fun and I liked working with a team. I also liked the post-test and discussion that followed the exercise.”

The spokeswoman said HHS will continue to elicit comments from participants.

“HHS will again survey the participants three weeks later by sending the participants 10 knowledge check questions to gauge retention of training concepts covered in the escape room exercise. Surveys will be emailed to each participant to obtain feedback and interest in this interactive learning approach,” she said. “Participant feedback will play a large part in the long term decision to continue the initiative. If participants provide positive feedback, I believe the escape room will become a part of the long term HHS cybersecurity awareness training and education strategy.”

When it comes to shared services, Labor isn’t eating the apple in one bite

Let’s get the obvious out of the way first — making shared services work governmentwide is hard.

Over the last 20 or so years, the number of successes you can point to could be counted on one hand. There’s the payroll consolidation effort under the Bush administration, the Department of Housing and Urban Development’s move to the Treasury Department’s financial management provider on a limited basis, Treasury’s electronic invoicing program and there are a few others in the cybersecurity realm with small and micro agencies.

But generally speaking, unless there is a mandate from the Office of Management and Budget — see payroll and e-invoicing — then getting agencies to give up control, change business processes and trust public or private sector providers is, well, hard.

As OMB and agency leaders kick off the latest shared services effort, the Quality Service Management Organizations (QSMO), maybe it’s time to revisit some historical concepts because the administration seems to be reluctant to mandate change in this realm.

Success in shared services comes back to simple sayings from the early 2000s. As Mark Forman, the former OMB administrator for e-government and IT, used to preach, “Don’t try to boil the ocean,” and “Don’t try to eat the apple in one bite.”

To translate, start small and build off of successes.

Commerce avoids spending $50 million

In the case of shared services, the idea is to start internally and expand externally, and there are more examples of this concept working than the let’s-move-to-a-public-or-private-sector-provider-in-one-fell-swoop concept.

The Commerce Department’s shared service effort is an example of that. In its fiscal 2018 performance report to Congress, the agency says some of the benefits of enterprise services included taking ownership of the learning management system to standardize and reduce duplication; transitioning every bureau without procurement authority into the ES procurement line of business, which sped up acquisition of goods and services and resulted in nearly $50 million in cost avoidance through strategic sourcing; and processing nearly 2,500 contract transactions with an average requisition-to-order time of 19.5 days or less.

NASA is another example of taking on internal consolidation and shared services before looking outside. The space agency, for example, consolidated data centers and provides one financial management system for the entire agency through its shared services center at the Stennis Space Center in Mississippi.

And now the Labor Department is finding success with an internal consolidation of back-office functions first.

“We are creating a shared service environment within our department. That would position us well, very well in some future period of time to then look at external providers that may be able to do this even better than we can provide it to ourselves,” said Traci Smith, a program manager at the Labor Department, during the 2019 Shared Services Summit, sponsored by the Association of Government Accountants, the Shared Services Coalition and ACT-IAC in Washington, D.C. “But in order to get there, we need to have standardization from within. I can’t even imagine how we would get to the table today and negotiate thirteen different human resources offices moving one provider. It would be a difficult process for that provider and it would be challenging for us.”

To that end, Labor is consolidating all back-office operations:

  • 13 different HR organizations into one
  • 26 or so IT application organizations into one
  • Three to four different procurement organizations into one
  • Numerous personnel security organizations that provide part of the security clearance and background investigation process into one.

“The basic methodology that we utilized was agile and modifiable throughout the process because every agency within DoL is very different,” Smith said. “We had a huge engagement effort. It almost took an entire year to engage all the stakeholders. Even when we thought we were done, we weren’t done. We had so much more feet on the pavement to talk to people, and even then we didn’t feel like it was enough. We did a lot of strategy, analysis and discovery to understand how these organizations operate today.”

Workgroups and the voice of the customer

Labor started this consolidation effort in 2017, and Smith said all HR offices should be transitioned to one service provider by the end of the calendar year. Procurement and IT also are making significant progress with completion scheduled for early-to-mid 2020. She said the integration of the personnel security offices also is mostly complete.

“IT is the largest piece with 26 or so sub-organizations within the department. While we have made a lot of headway, we have the rest of this fiscal year to really make significant change and finalize it,” Smith said. “We have been very thoughtful as to who we incorporate into which phase. We mix it with some of the more challenging agencies or maybe the resisters to change with maybe some of the change advocates or those who are not adverse to the idea.”

Smith said one reason Labor has been making progress is it relied on workgroups in each back-office area with subject matter experts to address business process changes.

“Everyone starts and ends the process the same way, but how we get there is vastly different, so we really are coming up with that one best way that we can all live with,” she said. “What we are finding now, post-implementation, what we thought maybe was the best way, we need to dust off, look at it again and refresh. Now that people are in their permanent placements within the organization, we can get a little more traction and impact more change.”

Smith added that the amount of change management her office needed to do was much more than expected. She said creating the trust relationship with the organizations was, in many cases, more important than the data around saving money and better services.

“We aren’t asking for more money or additional funding. The agencies coming into shared services are being asked to pay whatever they would pay normally for these services in their agency is what they will be paying initially,” Smith said. “Then in fiscal 2021, the plan is to transition to a working capital fund. We anticipate the costs will decrease because we will be saving money whether it’s through contract rationalization or economies of scale or other things where we will not have duplicative activities competing against each other.”

It’s important not to overlook Labor’s steps. There’s no discussion about moving off premise. There was no discussion about forcing the proverbial square peg into the round hole. Labor started small, brought together those who are affected to reach an agreement on what the future state of HR or IT will look like, and then started the consolidation.

The QSMOs are trying to replicate many of the things Labor found successful, but the concern is the scale. It’s one thing to bring almost two dozen bureaus and offices from the same agency together, but it’s a much bigger lift to bring 24 separate departments together to agree to grants processes or human resources processes.

It would make sense to follow Commerce, NASA and Labor’s leads and have OMB require internal consolidation first before pushing for external shared services.

Bid protests, suspension and debarments continue to drop, but for how long?

The number of protests filed by contractors in fiscal 2019 is significantly down.

The number of vendors suspended or debarred by agencies in fiscal 2018 also dropped considerably.

But what agencies and industry need to really pay attention to is the fine print in the new reports issued last week by the Government Accountability Office and the Interagency Suspension and Debarment Committee, respectively.

Let’s start with the suspension and debarment committee’s report. While the number of suspensions, proposed debarments and debarments dropped for a fourth straight year in fiscal 2018 — the latest data that the committee released in late October — that trend may be over by 2020.

Source: Interagency Suspension and Debarment Committee 2019 report to Congress.

The committee created a cybersecurity subcommittee to track and report contractor compliance issues and developments.

“This should be a signal to the contractor community. Cybersecurity compliance activities are not only for national security reasons, but for the sake of your company and you need to be attentive to these requirements because noncompliance has significant ramifications,” said Fred Levy, a partner with the law firm Covington and the co-chairman of the firm’s Government Contracts Practice Group. “Anecdotally, we are handling more cyber compliance related cases. We have had debarment matters related to cyber matters and cyber as supply chain issues already. It will become an ever-increasing matter of focus as it becomes a greater item for focus for agencies.”

Levy and other procurement lawyers pointed to the “qui tam” case brought against Cisco that came to light earlier this year around cybersecurity flaws in equipment. Cisco settled the case by agreeing to pay $8.6 million.

Eric Crusius, a partner with the law firm Holland & Knight, said this is another example of how the government is concerned enough about cybersecurity that it’s attacking it on as many different angles as it can.

“It shows cyber is not just a contract administration issue anymore. It’s an issue that could render a company not fit to do business with the government,” Crusius said. “And, of course that can lead to a company going out of business. Even short of that, I wouldn’t be surprised to see cyber impacting contractor performance assessment ratings (CPARS) and resulting in termination for convenience and default.”

The Defense Department’s plan to develop and implement a cybersecurity maturity model certification will add another wrinkle to the suspension and debarment oversight.

Even if an agency receives approval from a third-party, experts say vendors are concerned about the liability of the flow-down provisions to second, third and fourth tier subcontractors.

“No one wants to be accused of not doing enough so every vendor wants to do everything so there is a bit of a gold rush of trying to make sure companies are doing everything they can to protect the data and systems,” Crusius said. “I think there are two reasons why there is this focus now. The first is it takes time for the bureaucracy to catch up after the cyber breaches. The second is what has been going with Kaspersky Lab, ZTE, and Huawei. I think the provisions were a wake-up call as was the creation of the Federal Acquisition Security Council.”

Along with the focus on cybersecurity, the suspension and debarment report also highlighted the continued increase of pre-notice letters, which has almost tripled in use over the last decade and increased by 37 since 2016.

Rob Burton, a partner with Crowell & Moring’s government contracts group and a former deputy administrator in the Office of Federal Procurement Policy, said these numbers reflect that agencies are giving vendors a better chance to explain any concerns.

“There’s never been due process at the suspension or proposed debarment stage and that’s been a real problem. The regulations have never been changed because politically it’s hard to do because it looks like you are soft on contractors,” he said. “Pre-notice letters are just a good practice. I think agencies realize it’s not fair to debar someone for a period of time without any ability to respond in a timely manner.”

Angela Styles, a partner with the law firm Akin, Gump, Strauss, Hauer and Feld and a former OFPP administrator, said the goal is not to keep companies from doing business, but for them to do business in an ethical way.

“Pre-notice letters help agencies to be more proactive versus suspension and debarment, which is really punishing companies,” she said. “It also makes for better outcomes because the agency can be more comfortable with how the company is doing business with the government.”

Bid protests down by 16%

GAO’s annual bid protest report to Congress shows an overall decrease in the number of cases filed as well as downward trends in nearly every other category.

Source: GAO’s 2019 bid protest report to Congress.

But the one area that didn’t decrease is the number of task or delivery order bid protests. GAO reported vendors filed 373 complaints last year, up from 356 in 2018 and 256 in 2017.

Congress first gave GAO the authority to hear task or delivery order protests in the 2008 defense authorization bill.

Procurement experts didn’t agree on why the number of protests increased.

Crowell & Moring’s Burton said agencies are driving more and more procurement dollars through task orders and since unsuccessful bidders can’t protest anything under $10 million, it’s an attractive path.

Akin Gump’s Styles said she would be surprised if the protest limit is driving agency acquisition strategies.

Holland & Knight’s Crusius said the increase in task and delivery order protests comes from the basic reason that agencies are spending more money through those vehicles.

For instance, the General Services Administration reported record sales in fiscal 2018 of $68 billion, which is 23% more than in 2017. GSA expects 2019 to reach similar heights.

“I think the limit on $10 million needs to be changed,” Burton said. “I think protests are a great check on the system, especially for small companies. There are a lot of their contracts that are below that $10 million threshold, and they have no redress or recourse, and it’s unfair to these companies.”

Hunter Bennett, a counsel with Covington, said the overall drop in protests can be attributed, in part, to the new filing fee GAO instituted. GAO charges vendors $350 per protest.

“My sense is that the fee is discouraging some of the people who file protests outside the box,” he said.

At the same time, Bennett said because the overall effectiveness rate, which measures how often the protestor receives some sort of relief, whether through the agency taking corrective action or by winning the protest, remained steady at 44%, the number of protests with merit remains strong.

“Agencies are willing to take a hard look at claims raised and the agency is willing to take corrective action and take another look,” he said.

DISA forecasts a busy 2020 by turning pilots into operational capabilities

The annual Defense Information Systems Agency’s forecast to industry typically is a must-attend event, and one other agencies would be smart to replicate.

DISA brings together in one place nearly every senior executive running programs and offices to tell industry what to expect over the next year or more.

This year’s event, at Martin’s West in Baltimore—yes, the place where you probably had your senior prom if you grew up in Maryland—was well attended by more than 1,000 contractors and didn’t have the parking problems like the 2018 event.

While the overall content was a bit lackluster as it felt like the format focused more on getting through the presentations than providing the expected depth and breadth, it was clear DISA has a lot on its plate.

Here are my three takeaways from the forecast to industry day:

MilCloud 2.0 growing

Despite some challenges and potential hesitations, the Defense Department services and agencies are moving to DISA’s internal cloud offering.

MilCloud 2.0 is growing each month as the military services and agencies aren’t waiting for those four-letter cloud efforts to be ready. While the Joint Enterprise Defense Infrastructure (JEDI) or Defense Enterprise Office Solutions (DEOS) programs are mired in protests, DISA, the Army Materiel Command and the Defense Contract Management Agency are among those DoD components to have moved applications to MilCloud 2.0.

Army Maj. Gen. Garrett Yee, DISA’s senior procurement executive, said Army Materiel Command just committed to moving more than 100 applications to the cloud instance, while DCMA migrated 29 applications in less than 90 days.

Army Maj. Gen. Garrett Yee (right), DISA’s senior procurement executive, talks with a participant at the 2019 Forecast to Industry event.

DISA also moved 28 of its own apps to MilCloud 2.0 earlier this year.

“It will continue to be a viable capability for mission partners now and into the future. The department recognizes that we will continue to be in a multi-cloud environment,” Yee said. “The reality is there will be a combination of a lot of cloud capabilities. It’s a matter of finding the right capability for an application to be hosted some place.”

Dave Bennett, DISA’s director of the Operations Directorate, said moving DCMA’s applications in 90 days is both a big win and an example of the maturation of the platform.

“We are showing the ability to migrate cloud ready capabilities and progress at scale and at speed as opposed to taking a year or a very lengthy period to move to the cloud,” he said.

Additionally, Bennett said the classified version of MilCloud 2.0 should be ready to start accepting applications no later than January.

“Between MilCloud 2.0, the JEDI solution and other cloud solutions, we are working with the DoD CIO and others to establish a group of cloud shared services that are back-end capabilities that cloud providers and application owners would be able to leverage so they don’t have to create their own back-end services. It’s a way to speed the movement to the cloud, reduce the cost and get a more consistent look and feel in terms of delivering and leveraging services within the cloud,” he said. “We just implemented another instance of a cloud access point so as we are increasing the bandwidth to the access points, we also are increasing the diversity of the access points so everybody will be able to leverage the capabilities in the cloud without bandwidth being a constraint.”

4th estate on the move

If each program and project is a plate DISA is spinning, consider the 4th Estate consolidation and modernization effort one of those plates that Italian restaurants serve family style.

The initiative will add 1,200 employees, almost $1 billion in new work and 14 agency customers to make happy.

Air Force Col. Chris Autrey, the chief of the Defense Enclave Services Office at DISA, may have the most fingers trying to balance that spinning plate.

Autrey said the first generation of the 4th Estate Consolidation is to bring DISA and four other smaller agencies onto a single network called DoDNet by the end of 2021.

“We are doing that initial contract award to do the support and migrate those folks. The source selection is underway right now,” Autrey said in an interview after his speech at the industry day. “In addition to that, we also did the global services contract consolidation, which is allowing all of the agencies to use a single, larger competed support desk contract for cost efficiencies. They will all come onto that contract over the next year or so to help them reduce their costs while still giving them a source of someone to do their services desk work.”

Just this past August, DoD’s CIO signed out the 4th Estate execution guidance, making the effort an actual program.

The memo grants DISA the official authority to direct the transition of the 14 agencies into a shared services environment by the end of 2024 and it lists all the common use IT services that DISA will now manage.

Along with DISA, those first four agencies to transition in 2021 include Defense Technical Information Center (DTIC), Defense Media Activity (DMA), Defense POW/MIA Accounting Agency (DPAA) and the Defense MicroElectronics Agency (DMEA).

Additionally, Autrey said DISA set up a products contract with NASA SEWP to standardize the purchase of hardware devices.

“Part of what we are doing is gain efficiencies in the workload so I can put less money against contracts to do this level of work. One of the ways we need to do that is standardized images for like desktops across the 4th Estate. Today if I have 40 different types of laptops, that’s 40 types of baselines and images that I need to keep for those. I can’t afford to do that in the future. That’s a bridge too far,” he said. “By bringing the agency into a pre-competed set of equipment that is approved, meets all the cybersecurity requirements, we have a known good baseline to work with and if you are buying off that list we can support it.”

The products work with NASA SEWP is one of 10 IT services and capabilities DISA will assume responsibility for over the next few years. The other areas include storage, cybersecurity and network access services, according to the Aug. 15 memo.

DISA expects to release the solicitation for the larger DES contract for the remaining agencies in early 2021 with an award in early 2022.

“With the initial pilot, we will see how the initial capability will work. We hope the DES contract provider will come forward with innovative solutions for how to deliver services better and more efficiently,” Autrey said. “We would like to take that innovation and expertise to create a better solution as we migrate the majority of the 4th Estate to the solution.”

One of the biggest challenges with the 4th Estate consolidation is getting every customer agency to agree to the path forward.

Autrey credits the DoD CIO’s office with creating a transparent and collaborative process.

“Danielle Metz [the principal director for the deputy CIO for Information Enterprise] meets with the seniors from the agencies and everything we are doing is an open book to these agencies, everything with the finances, with the plan for schedules, everything with our hardware buy so that open transparency,” he said. “In the end, it’s the same story that everyone gets, no one has a question and can say they haven’t been told, and has the opportunity to contribute to the conversation.”

Pilots everywhere

One of the common themes that emerged during industry day is DISA’s excitement over new and emerging technologies.

Diane Phan, DISA’s endpoint security program manager, said the agency plans to update an endpoint detection and response capability pilot from 2017 looking at new technologies like machine learning and automation in the cloud.

She said the agency will release a request for information in early 2020 and plans to make a contract award by the third quarter of the fiscal year.

Similarly, Phan said DISA is planning acquisitions for application containment capabilities and to expand the comply-to-connect effort across all of DoD.

Tinisha McMillan, the program manager for cyber situational awareness and network operations at DISA, said one of her major efforts is to look at tools and ensure they have an effective and consolidated approach to network defense.

“We need to align analytics to get after defense cyber operations space and ensure we have a rapid incident response,” she said. “That is a critical capability, but we haven’t had a lot of response from industry on it.”

McMillan said DISA will release a follow-on contract in early 2022 for continuous monitoring and risk scoring capabilities as part of obtaining more advanced tools.

Another technology DISA wants to build more capabilities around is mobile security.

Neil Mazuranic, the chief of the services development office, said DISA is developing a mobility prototype to improve how it is developing mobile applications and adhering to standards.

“Having such an environment will give us an opportunity for mission partners to develop applications and put them out to be used by soldiers more quickly,” he said.

Mark Long, who leads DISA’s mobility portfolio management office, said one of his goals is to bring managed mobile services to the secret and top secret levels for government-owned devices.

“We are looking for the next generation enterprise management mobility tool,” Long said. “Expect to see that soon.”

Securing the browser

And then there is Steve Wallace, who leads DISA’s emerging technology directorate.

Wallace is at the forefront of a majority of DISA’s testing and piloting efforts.

His team has tested several prototypes to transform the way DoD ensures the identity of its users.

Wallace called the assured identity effort part of how DoD is modernizing its traditional approach using the common access card to ensure the right people have access to the network and data. He said the question this initiative is trying to answer is how can DoD continually monitor a user’s interaction with the military’s systems?

“Over the last year we were working with a chip set manufacturer to integrate the capabilities. Now we are working with a handset manufacturer to integrate those capabilities. So we are working our way up the stack,” Wallace said. “We did one prototype that is all software based that is nine months into the cycle. The prototype with the handset manufacturer is integrating the capabilities focused on Android devices. In about a year, I would hope we will be much further along and have that continuous authentication going on in the background on the handset.”

Another initiative that Wallace expects to pay dividends in 2020 is the browser isolation pilot.

DISA awarded two Other Transaction Agreements in 2019 to look at better ways to defend the DoD Information Network (DoDIN).

“We have two vendors that we are baking off against each other. The challenge is this area is still fairly green in terms of technology so we wanted to see where the technology landed,” Wallace said. “We are at about 15,000 end points right now. Our goal is to reach 100,000 end points within the next 3-to-6 months, and then we will move into a transition period where we hopefully will move the entire department into this type of solution.”

He added the feedback so far has been positive with an equal or better browser experience for the users.

“I don’t want to rush into a selection until we have had time to properly exercise it. We wanted a large cross section of the department to get experience with it and give us the feedback so we could make a more educated decision,” Wallace said.

A third area DISA is just wading into is distributed ledger technology. Wallace said he believes blockchain is a useful technology and he wants to see how DISA could offer blockchain-as-a-service.

“The answer right now to every IT problem is not blockchain. We are finding useful areas to leverage it,” he said. “We are testing it in our Mechanicsburg data center. It’s really allowing us to explore the technology. There’s been a lot of attempts over last few years to use blockchain in any number of ways, and, more often than not, it can be solved with a simple relational database and you don’t need all that overhead. But where it gets interesting is in the logistical space where you potentially want to share that dataset out among multiple groups of folks and you don’t want to give them access to a database or web service. But you can have this ledger that you can distribute and it’s secured in a cryptographic manner so that everyone has the ability to read if not potentially write to it. But we can make it more robust than it needs to be. Logistics is a good use area for something like blockchain.”

What FEMA is to disaster response, CISA should be for cyber response

Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, admitted he had a lot of sleepless nights earlier this summer. He spent long hours worrying about how Baltimore City, five school districts in Louisiana and 22 jurisdictions in Texas would get out from under a ransomware attack.

During those long nights where DHS provided technical and operational support to those and other cities who fell under the scourge of the latest cyber assault, Krebs said it occurred to him that the government doesn’t have the same doctrine for a large-scale cyber event as FEMA has for man-made and natural disasters.

Chris Krebs is the director of CISA at DHS.

“If you look at FEMA, they have operational plans, exercises and drills. They have an incredible wealth of doctrine, experience and understanding of who does what and when,” Krebs said at the CISA cyber summit in August. “We have to develop that underneath the National Cyber Incident Response Plan (NCIRP).”

The NCIRP and Presidential Policy Directive (PPD)-41, which the Obama administration released in July 2016, were supposed to serve as that detailed response plan. Experts say the goals of the NCIRP and PPD-41 never materialized, and, in fact, some say the government is in a more precarious position today than it was four or five years ago.

Krebs seems to realize that and is calling for an implementing doctrine that more specifically details how CISA, the FBI and law enforcement and the intelligence community can work together to respond to a major cyber attack against the country’s critical infrastructure or federal networks.

“The NCIRP is not an actionable plan. It’s more of something closer to a framework that gives a broad overview of the general responsibilities across all federal agencies,” he said. “We have to know what if all 254 counties in Texas get attacked by ransomware. What should states anticipate come from the government, from CISA, from the National Guard? We just need to be clear on expectations and what we will do to solve issues together.”

Krebs added that, unlike FEMA, which drills and gets to know the first responders and others who would help during a hurricane or wildfire, CISA doesn’t do the same thing. The closest thing is the biennial cyber storm exercise, which happens every two years to test the NCIRP.

Industry experts say while the cyber storm exercise is helpful, it is not enough.

“The one thing we are looking for is a consistent and repeatable way for the government to engage with industry. Previously there was the unified coordination group (UCG) that included each of the critical infrastructure sectors on it. Its primary role was to staff and support the UCG. This was a forum if there was a national level cyber incident we could work through how to respond to that incident,” said Scott Algeier, executive director of the IT-Information Sharing and Analysis Center (IT-ISAC). “When DHS updated the cyber incident response plan at the end of the Obama administration, they took out the industry role with the UCG and said they would reach out to industry as needed. Considering the interdependencies across critical infrastructure community and the large amount of subject matter experts industry has, we hope to get to the point to restore industry representation in the cyber UCG as part of any updated response plan.”

Seat at the table disappeared

Bob Dix, an industry cyber expert and former vice president of government affairs and public policy at Juniper Networks, said the incident response plan triggers certain activities depending on the threat or attack, but there isn’t a defined role for critical infrastructure owners and operators.

“DHS brings owners and operators in on an as-needed basis and at the will of the government, particularly who they invite to the table. I think that is a flawed approach,” Dix said. “There should be a designated representative from various sectors who can work with the government to identify the companies and stakeholders who are impacted and need to have a seat at the table during a cyber attack.”

Dix said in the early 2010s, critical infrastructure providers had that seat at the table, but for some reason the Obama administration decided to change that approach.

“The notion of a cyber exercise program is a perfect candidate for testing out this approach with relevant stakeholders federal, state and local leaders and critical infrastructure providers,” Dix said. “We need to organize the scenario, test it and get recommendations and lessons learned and then apply them so we can be prepared for any major cyber incident.”

Algeier said one of the key findings from the 2018 cyber storm exercise was the need to have an industry representative on the UCG. But he said national exercises are not a substitute for monthly or quarterly interactions between government and industry experts.

Algeier added in the past the cyber UCG brought the right people together to create relationships that made the sharing of threats and vulnerabilities easier and created that all-important familiarity during times of crisis.

“The relationships have been lost as have the opportunities to develop a playbook for responding to different types of attacks,” he said. “You need an ongoing framework for how to respond. You can adjust and adopt as you go. You have to know who the right people are that need to respond to an incident. But right now, there is a huge gap because there is no standard way for industry and government to engage during a crisis.”

Dix added that the critical infrastructure providers and the government are so interconnected that by not including the private sector more broadly, predicting and reacting to potential and real cyber threats will fall woefully short.

Based on what Baltimore, Texas and Louisiana suffered through earlier this year, and given that many cybersecurity researchers expect the threat of ransomware and other disruptors only to increase, it would seem that the time is right for Krebs to reconstitute the cyber UCG with full critical infrastructure sector participation.

DHS’ 2-RFP plan to modernize financial systems draws criticism

The Department of Homeland Security definitely has it right this time. Correct?

After four unsuccessful attempts to modernize and consolidate as many as 22 financial management systems, DHS’s latest approach is a winner.

For the sake of the almost 17-year-old agency, let’s, once again, hope so.

DHS released two solicitations last week seeking industry help to provide system integrator services and financial management software-as-a-service.

The request for quotes for the integrator services is a multiple-award blanket purchase agreement worth as much as $1 billion over 10 years. The solicitation is asking for a host of services including implementation, service desk operations, operations, and maintenance and data cleansing.

“The current ‘as is’ state consists of multiple ‘legacy’ standalone financial systems and a developmental system being configured for three components. Transition to a future state target solution for the financial services management (FSM) program requires systems engineering and integration in order to achieve shared, joint FSM objectives without imposing a singular, pre-determined design,” the RFQ, which Federal News Network obtained, stated. “Instead, integration of qualified commercial off-the-shelf business application software is intended to streamline and standardize business processes and procedures across the entire organization providing more accurate, timely and useful financial, procurement and asset data to managers. An integrated business software application layer implemented on as few EFiMS systems as is practicable shall enable DHS to more efficiently derive and report on financial statement data both at the consolidated and component levels.”

The second RFQ is for financial management software-as-a-service.

“The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface,” the RFQ stated. “At the time of the multi-award vehicle, vendors must either (i) demonstrate that they have a documented plan to migrate existing software to SaaS or (ii) meet one of the following three FedRAMP requirements: (a) Provisional Authority to Operate (P-ATO), (b) Agency Authority to Operate (ATO), or (c) FedRamp Ready. At the IDIQ level, vendors will be evaluated based on whether they meet one of the requirements under (i) or (ii), above.”

Bids are due for both RFQs on Nov. 26.

Concerns about approach arise

Multiple previous attempts to modernize and consolidate as many as 22 existing financial management systems have failed for an assortment of reasons. DHS fell short twice with commercial solutions and once with the federal provider.

This latest attempt isn’t getting positive reviews with the release of the RFQs.

“I think separating the software acquisition from the integrator acquisition is inherently flawed and opposite of how most IT projects are acquired today,” said Mike Hettinger, a former staff director for the House subcommittee that oversaw federal financial management and current founding principal of Hettinger Strategy Group. “This, combined with the requirement that the software piece be bid as an integrated stack, seems to limit the potential bidders and is likely to eliminate best-in-breed procurement and asset management solutions from consideration.”

The IT Acquisition Advisory Council (IT-AAC) also wrote to DHS executives detailing its concerns about the project plans, specifically with the lack of integration of existing capabilities for asset management, procurement systems management and financial systems management.

“Many DHS Components currently operate on modern acquisition and asset management systems that are predominantly used across the federal government and federal shared service providers. In addition, DHS already owns perpetual licenses to several of the existing systems,” the council wrote in its Sept. 18 letter to Randolph Alles, the acting under secretary for management at DHS. “IT-AAC remains concerned that it would be an imprudent use of taxpayer-provided resources, and potentially be in violation of existing federal statutes related to the elimination of wasteful and duplicate spending, to replace existing federally-proven best-of-breed solutions for these functions. To our knowledge, there has been no data-driven analysis or business case developed that would justify a ‘rip and replace’ approach related to existing providers in order to award a new contract otherwise. Further, to our knowledge, there has been no substantive analysis conducted to determine what level of integration effort would be needed in order to leverage current capabilities to achieve the desired ‘One DHS’ view and operational effectiveness of these functions, while also identifying current gaps.”

The council says a data aggregation strategy would help DHS design an acquisition approach that would address identified gaps, reduce risk and increase the likelihood of a successful project.

IT-AAC also told Alles that the two separate procurements—for systems integration and for SaaS—would increase risk and costs.

“DHS is proposing use of the fast track DHS Procurement Innovation Lab (PIL), which was established to pursue ‘experimenting with innovative acquisition techniques across the DHS enterprise.’ While IT-AAC supports an agile acquisition approach to procurement in order to leverage innovation and reduce time to implementation, an initiative that has a history of at least four previous failures and substantial waste of taxpayer dollars should not be the test bed for experimental acquisition and thereby increasing risk. PIL might be appropriate for commodity buys or smaller purchases, but a highly technical, complex and sophisticated procurement such as the one required to achieve a successful outcome to a true financial management systems modernization result requires: informed rigor; an opportunity for full and open competition as required by law, regulation and executive branch guidance; leveraging innovation being delivered by the market; meeting mission requirements for the end user; and achieving cost savings and best value for the American taxpayer,” the council wrote.

Give DHS credit for not giving up and just continuing with its legacy systems. At the same time, how many more failures can Congress put up with? In this age of dev/sec/ops and agile procurement, let’s hope the systems integrators come to the table with the innovations that put DHS over the top once and for all.

Frictionless federal acquisition? It’s possible and a new online tool can help

One of the best questions at the recent 2019 Imagine Nation ELC conference in Philadelphia, Pennsylvania, came up during a panel on acquisition. It went something like this: If the Federal Acquisition Regulations are a Frankenstein monster of cobbled together rules and requirements, why not just start over?

It's a question many federal acquisition and program managers probably have asked themselves at least a dozen times a year.

While the 2,000-page FAR probably has some body parts that agencies could do without, there is no reason to kill the monster.

Meagan Metzger, founder and CEO of Dcode, which promotes the use of commercial technology in the public sector, said there are important concepts that the FAR promotes that every contracting officer or program manager needs to know.

Chris Hamm, the director of FEDSIM at the General Services Administration, offered a common refrain—the FAR lets you do almost anything, especially under Parts 8.4 and 12.

Then why are agencies and vendors alike so excited about Other Transaction Authorities (OTAs) or Commercial Solution Openings (CSOs) as a way to avoid—get around—using the FAR?

New data from the Professional Services Council’s 2019 Vision Forecast found the Defense Department’s use of OTAs mushroomed by 40% in 2018 over 2017 and some estimates say the Pentagon could spend as much as $7 billion through this approach in 2019.

GSA and the Department of Homeland Security also have begun using similar authorities.

GSA, for instance, has done eight awards under its CSO authority. Tom Howder, the acting deputy commissioner of the Federal Acquisition Service, said at the PSC event that 75% of the awards went to companies without a GSA schedule, meaning non-traditional contractors.

It’s clear agencies want to find a way around the arduous requirements, both real and perceived, of the FAR.

But if the only way to reduce the friction of the federal acquisition process is by not using the FAR, then something more has to be done.

Dr. Michael Wooten, the administrator of the Office of Federal Procurement Policy, seems to recognize this fact as the calls for expanding OTA and CSO authority continue to grow.

At the PSC Forecast event, for instance, Howder said he’d like OFPP to continue to focus on the simplification of federal procurement and even roll out the tools like OTAs and CSOs more broadly across government.

Wooten’s response is to call on technology such as artificial intelligence and robotics process automation to begin to reduce friction-causing requirements like market research or paperwork.

“Things like professional services and IT development can be managed better. Customers should understand what it takes to deliver the solution that is required and we should have a reliable dialogue with industry to make that happen,” Wooten said at the ImagineNation ELC conference. “The power and potential of AI, machine learning and natural language processing is real and imagine what we can do to manage customer expectations of our customers. We can harvest data and return value to the taxpayer.”

Elements of acquisition innovation

In the short term, OFPP and ACT-IAC are trying to reduce the friction of acquisition through a new Periodic Table of Acquisition Elements.

Lesley Field, the deputy administrator of OFPP, said at the ImagineNation ELC conference that the goal a year ago when this project started was to come up with approaches to help the workforce be more creative and innovative.

“How do we make the FAR come to life?” Field asked. “We have a lot of flexibility in the FAR. Contracting officers have more authority than they think they do.”

The Periodic Table details steps in each of the five phases of federal acquisition to promote innovation, creativity or just remind acquisition workers of the tools they have at their disposal. Gissa Sateri, an account executive with REI Systems and one of the team leaders, credited David Zvenyach, the former executive director of GSA’s 18F organization, with creating it.

Each entry includes a description of the item, the problem to be solved, the benefits of using this approach and any use cases or documentation that would be helpful to accomplish the goal.

“We are looking for wormholes through the FAR to get from point A to B faster, with less friction and with fewer obstacles,” said Tim Cooke, another project lead and president and CEO of ASI Government. “The bigger picture of this initiative is to speed up adoption of things that have been working. We have been finding those things, describing those to the workforce and giving them a place to find and learn so then they can begin to try them on their own.”

Not another playbook

Sateri said the group wanted to steer away from another playbook or white paper “that no one would ever read,” and create a public-facing website that can be updated and improved over time.

“We laid out the stages of acquisitions, the steps under each phase, what is behind each of those steps, the description of those steps and what the benefits are for the use of that step and the samples we found,” she said.

Field said over the next year the working group will continue to look for innovative approaches that they can add to the periodic table. Additionally, she said OFPP will promote the website across the acquisition community. Field said OFPP and the Chief Acquisition Officer’s Council know it’s difficult to reach frontline acquisition workers so they want to raise the level of visibility of the new tool.

“We will work through the agency innovation advocates, industry liaisons, directors of Offices of Small and Disadvantaged Business Utilization, category managers and others to create networks to share and let acquisition workers be more innovative,” she said. “We also will meet with the procurement lawyers and provide a demonstration to them and others as another way to promote the tools.”

The most important thing Wooten, Field and other federal acquisition leaders can do is provide contracting officers with the top cover to use the FAR without having to worry about auditors or Congress coming down on them for problems or failures. The best thing Wooten could do is share the Periodic Table with auditors and other overseers, explain to them OFPP’s goals and ensure agencies are working with them throughout the entire process of using an innovative method. If OFPP just puts the website out there, the “Field of Dreams” approach will not work.