Reporter’s Notebook

Is the CIA’s new cloud procurement a signal to DoD to update JEDI?


The CIA created quite a stir in the federal IT community as word spread over the last week that it’s ready to upgrade its commercial cloud offering called Commercial Cloud Services (C2S).

As the industry day documents spread like wildfire across industry and the media, the question we have to ask is this: Is the CIA, and the intelligence community more generally, trying to give the Defense Department some top cover for its controversial and protest-entangled Joint Enterprise Defense Initiative (JEDI) cloud procurement?

When you review the CIA’s market research survey as well as its industry day presentation, everything about it seems to be saying “Hey DoD, we have seen the light and multi-cloud, multi-vendor is the only way to go.”

The intel agency said in its market research survey that it “will acquire foundational cloud services, as defined in the scope section below, from multiple vendors.”

In industry day documents, the CIA said that the Commercial Cloud Enterprise’s (C2E) program objective is to “acquire cloud computing services directly from commercial cloud service providers…”

The CIA said it plans to award one or more indefinite delivery, indefinite quantity type contracts.

Industry experts said the message couldn’t be any clearer to DoD and its plans for JEDI.

Trey Hodgkins, president and CEO of Hodgkins Consulting, said the CIA’s C2E puts the conversation around DoD’s JEDI on a different trajectory.

“C2E puts the conversation on a different trajectory. It puts out there that the IC has identified new needs so the prudent person would go back and ask the question, ‘if they need hybrid, on premise and commercial cloud, does that change the thinking at DoD?’” Hodgkins said. “I don’t think there is any visibility into DoD’s thought process, but you’d have to think they are asking the same question at the department.”

DoD currently is conducting an internal review of JEDI after a bid protest from Oracle highlighted a potential conflict of interest. Additionally, DoD and JEDI are facing a potential FBI investigation.

Sam Gordy, the general manager of IBM federal, said the CIA strategy with C2E should not only inform DoD, but influence the Pentagon’s plans going forward.

“These [C2E and JEDI] are diametrically opposed approaches. Clearly the CIA has five-to-six years of experience in a single cloud environment and they are making a strategic decision to wholeheartedly move into multi cloud world. It’s a critical next step for the evolution of IT support for the IC,” Gordy said in an interview with Federal News Network. “DoD should take advantage of those five-to-six years of experience in the IC and the national security community to inform what they are doing going forward.”

Gordy said the CIA is taking the approach that the private sector has moved to over the last few years. He added that unlike JEDI, the CIA is making it clear why the multi-cloud approach is necessary because they are saying in the industry day documents and the market survey what they want to use the cloud for today and in the future.

Under phase 1, the CIA said it wants vendors to provide infrastructure-, platform- and software-as-a-service capabilities as well as support services.

Source: CIA industry day presentation from March 22, 2019.

“Knowing they have an enterprisewide cloud contract already and that they are using that capability, this tells me they need hybrid, on-premise and commercial solution and this creates a mechanism to do that,” Hodgkins said. “I didn’t see anything shocking or that caught me off guard. The CIA has clearly spelled out to the industrial base what they need, and one of them is to deliver some or all of the three types of cloud, and when they put their data into those clouds, it must be portable so they can move it to another cloud or somewhere else. Those are the two elements that are different than what they have now, and ones that you haven’t seen it called out in previous acquisitions, at least not at this level.”

CIA needs cloud diversity, data portability

John Weiler, the executive director of the IT Acquisition Advisory Council and an outspoken critic of JEDI, said the CIA’s approach for C2E is a recognition that the current C2S contract isn’t working like they expected.

“If it had worked they would’ve just re-signed up with Amazon Web Services,” Weiler said. “One cloud can’t solve all your problems. When you look at workloads on Oracle or legacy Microsoft platforms, it makes no sense to move them to Amazon or Google or IBM. Those clouds are not designed for those environments. These strategies to be effective have to acknowledge that there are certain platforms that are legacy can move to a specific cloud and not just to any cloud.”

Industry experts said there is a growing desire inside the intelligence community for something more than C2S.

One industry source, who requested anonymity in order to talk about the inner workings of the IC, said there have been varying degrees of unhappiness with the Amazon contract, including at least two IC agencies rejecting the C2S cloud and building their own.

Another industry source said in many ways C2S was a long-term pilot and now the CIA and others in the IC recognize they weren’t happy with the price they were getting for cloud services, interoperability was more difficult than first imagined especially between C2S and existing data centers, and they were limited in the ability to add new features in a timely manner.

“They’ve had time to see what works and what doesn’t, and they’ve realized cloud providers are becoming specialized. It’s easier to move workloads from on-premise to the cloud with the same vendor. They realized migrations can be expensive,” the source said. “The CIA realized that cloud diversity and price competition help bring down costs. The industry and the CIA weren’t in a position to do that six years ago, but now they are, which is good.”

The first industry source added the IC had real concerns about vendor lock-in and how hard it was to move data between cloud infrastructures.

“I’ve heard that a lot that people didn’t expect going into Amazon to have the level of lock-in that they have. Once they migrated data to Amazon, it became much more difficult to lift and shift to say a Microsoft cloud because the systems were configured in a way that was only good for the Amazon cloud,” the source said.

Implementation of cloud services is key

A third industry source was even more blunt about the C2S contract:

“AWS has relentlessly leveraged C2S since its inception, proclaiming to federal agencies that there was only one cloud service provider good enough for the CIA, so they needn’t look further. But like a handsy, insecure boyfriend, it seems like AWS held the CIA a little too close, proudly boasting about their exclusive relationship while competing suitors flexed their innovation muscles,” the source said. “Not surprisingly, since the relationship first began, the CIA has noticed it has options and doesn’t need to commit. So while it’s understandable AWS wants to put a ring on it, the agency would clearly rather stay friends and play the field.”

An AWS spokesman said they are excited about C2E and the CIA’s intent to build on the existing C2S efforts.

“As a customer obsessed organization, we’re focused on driving innovation that supports the mission and spurs solutions that allow for missions to be performed better, faster, and in a more secure manner,” the spokesman said.

Weiler said no matter the strategy that the CIA or DoD chooses, the key is the implementation. He said nearly every agency needs to address legacy systems and the consistent challenge of cloud migration.

IBM’s Gordy said C2S shouldn’t be considered a failure by any means as it greatly helped inform the CIA’s current strategy.

“This does sync up with a recompete on C2S, but I don’t think C2E is in any way a replacement for C2S,” he said. “The CIA will probably continue to have the need for a broad business application cloud which is what C2S is being used for today. And then they will need to have a mission oriented cloud, which is the reason they are going to C2E, which seems to be for the optimization of those mission workloads.”

Increasing threats against mobile devices force HHS, others to rethink protections

The first time the intelligence community issued a public warning to government and industry executives traveling overseas came before the 2008 Summer Olympics in Beijing.

Joel Brenner, then the head of U.S. Counter Intelligence in the Office of the Director of National Intelligence and a former National Security Agency inspector general, said taking your phone, laptop or other device to China was dangerous and would end up with lost data and the real possibility of having your home network compromised.

“We suggested they take stripped down devices, if you are taking a device at all,” Brenner said in a recent interview with Federal News Network. “That advice was widely adopted by many companies as well as the government. I think it’s good, but tough advice to follow.”

Now, 11 years after that initial warning, the Department of Health and Human Services is taking it a step further. While most agencies prohibit executives taking devices to countries like China or Russia, HHS is not letting officials take any device with government information overseas no matter the country.

HHS Chief Information Security Officer Janet Vogel issued a memo in December addressing the increased level of risk and the need to safeguard government furnished equipment (GFE) while on foreign travel.

“Two key components of the memo are that while abroad, HHS employees must use loaner GFEs containing no sensitive information. Employees are also required to connect to secure, password-protected Wi-Fi, as well as a virtual private network (VPN) when accessing HHS resources with their loaner GFE,” Vogel told FNN in an email. “Increasing the strictness of our GFE procedure for travel was necessary to minimize the risk of increasing and new security threats. HHS has a global presence and often has representatives deployed around the world for reasons such as health conferences, responses to pandemics, etc. This approach to GFE use helps to ensure that the assets and data that travel around the globe are appropriately protected. By requiring HHS employees to use loaner GFE that do not contain sensitive information, the damage resulting from a cybersecurity incident would be lessened. Additionally, requiring secure Wi-Fi combined with a VPN, makes exploitation of GFE more difficult. Limiting the amount of exploitable information on a device, as well as decreasing the chance for such an exploitation, is an effective method of risk reduction for HHS.”

HHS detailed six basic rules to follow:

  1. Only loaner GFE encrypted devices are allowed on foreign travel.
  2. Devices received from foreign nationals/governments (i.e., conferences, gifts, etc.), and devices purchased while on travel are not permitted to conduct HHS business.
  3. Secure remote access via Virtual Private Networks (VPN) is required.
  4. No sensitive data (e.g. personally identifiable information [PII], protected health information [PHI], HHS intellectual property, etc.) are permitted on loaner GFE, unless the devices are encrypted.
  5. All GFE devices used while on foreign travel must remain powered off during travel to and from foreign countries, segregated from HHS networks/systems, and submitted to the IT Helpdesk immediately upon return for evaluation and sanitization.
  6. All devices must be sanitized upon return and before re-use.

This means whether an HHS executive goes to China or Germany or Canada, the device and information on it are considered at-risk.

HHS is ahead of the curve

One federal cyber executive, who requested anonymity in order to speak about their agency’s security requirements, said the HHS policy is one of the strictest in government.

“HHS is ahead of the curve and that’s a good thing because it is dealing with it in a prioritized manner,” the official said. “People who are traveling at all agencies are not low level and they have a lot of other important things to be worrying about so by giving them a new device, it makes it easier for them not to have to worry as much about the security, especially with cost of technology continuing to come down.”

The federal cyber executive added that in some ways HHS is solving a people problem with technology instead of the other way around.

“People are lazy. It’s as simple as that, and if it gets complicated people don’t want to deal with it. This is why a technology-first approach makes sense,” the executive said.

Brenner, who now teaches at the Massachusetts Institute of Technology and runs his own consulting and law practice, said it’s more than people being lazy; it’s a lack of understanding, especially by executives.

“They don’t want to deal with the aggravation and having to take special steps before they go and when they get back,” he said.

Agencies are beginning to recognize the need to better secure mobile devices. Symantec reported in 2018 that new mobile malware types jumped 54 percent from 2016 to 2017.

Vincent Sirtipan, a portfolio manager in the physical and cybersecurity division in the Office of Mission and Capability Support in the Department of Homeland Security’s Science and Technology Directorate, said agencies have focused for a long time on mobile device management (MDM) software to protect their devices. But that is only one piece of the bigger puzzle.

“It has to be a MDM and other technology that enable security whether that’s identity management or mobile application vetting or a mobile threat defense solution,” he said. “When you are talking about mobile phones, we are still maturing as an enterprise as is the entire market. What controls and capabilities do we need on a mobile phone to secure it? We recognize it poses a broader threat landscape and a broader attack surface.”

NIST updating mobile security standards

Sirtipan said DHS recently completed its fifth review under the government cybersecurity architecture review (GovCAR) initiative that looked only at agencies’ mobile infrastructures.

“The review team identified if an employee’s multiple mobile security technologies, including application vetting and identity and access management means agencies have a greater security posture against mobile attacks,” he said. “They looked at the attackers’ process and desire to move laterally based on mobile attacks. They are able to identify if agencies employ certain tools, they can see what their security posture looks like, and when they employ a compilation of more mobile security tools they are able to mitigate adversary actions and limit their ability to attack us.”

Jon Johnson, the former director of the enterprise mobility program at the General Services Administration, and now director at Redhorse Corp., said agencies have had standards from the National Institute of Standards and Technology for several years for their mobile devices. He said NIST 800-124, work by DHS S&T and others have increased awareness, and now it’s just a matter of agencies understanding their risk postures.

Sirtipan said NIST and others in government are updating SP 800-124, and the draft revision should be out for public comment in the next few months.

“We are looking at things like leveraging the National Information Assurance Protection (NIAP) protection profiles, and talking about picking a device that has been trusted and secured,” he said. “We have rechartered and renamed the federal mobility services category management team and mobile security tiger team to be one federal mobility group. It includes 45 agencies and departments to help move us all toward a better security posture.”

Sirtipan said while adding more technology and standards are helpful, it comes back to the user.

And that takes us full circle to HHS.

Vogel, the HHS CISO, said since cyber threats cross all borders, more needs to be done.

“Cybersecurity threats exist outside of the United States, and United States citizens, especially government employees, are often targeted while traveling abroad. Employees are not allowed to connect to HHS systems or networks using unsecured networks — from internet cafes, coffee shops, etc. — regardless of whether they are in the United States or abroad,” she said. “That said, the United States has strong cybersecurity protections, while safeguarding in other countries may not be as robust. Requiring employees to connect to secure, password-protected networks and use a VPN help strengthen our cybersecurity posture and combat potential threats.”

Bid protest win continues to show fragility of multiple-award contracts

Right now, 81 small businesses are wondering why?

Why their ticket to a potential $15 billion lottery has been lost.

Why after waiting a year to begin marketing and promoting task orders through the Alliant 2 small business contract they may have to be even more patient and wait potentially another 12 months?

And why another multiple award small business contract is mired in a bid protest?

These, and probably a host of eye rolls, sighs of frustration and shakes of the head, came fast and furious last week when the General Services Administration announced it was rescinding all 81 awards made in February 2018 under the Alliant 2 Small Business governmentwide acquisition contract (GWAC).

And it left one small business thinking, “We told you so.”

GSA withdrew the awards after the Court of Federal Claims ruled in favor of Citizant in its protest of being excluded from Alliant 2 SB awards.

The judge found GSA erred in evaluating proposals, specifically around having a qualified cost accounting system and price reasonableness.

“The court presumes that Citizant was prejudiced because the record reflects multiple instances of the contracting officer evaluating proposals in an arbitrary, capricious, or irrational manner,” the court states. “Simply stated, the court finds that Citizant has shown that it had a substantial chance of receiving a contract if the contracting officer did not make the aforementioned errors.”

The judge told GSA to re-evaluate all bidders to address the errors Citizant pointed out.

GSA made the initial Alliant 2 awards in 2017 for the unrestricted track and February 2018 for the small business track.

Procurement experts say while GSA doesn’t have to necessarily start over, the re-evaluation could take six months and then the procurement would take another six months to get through the expected protests.

“The problem here is multi layered. It goes back to the issue of GSA’s self-scoring system and this whole idea of trying to make it easier for agencies to go through the proposal process and take the next step in the procurement,” said Tony Franco, a partner with the law firm PilieroMazza, which specializes in small business procurements. “The reason why GSA has to go back and fix this is because it looks like the agency messed up on the front end with regard to that first step of the evaluation process, self scoring. It resulted in a number of contractors thrown into the equation that maybe should’ve been disqualified earlier.”

Another federal procurement attorney familiar with the case, who requested anonymity because of the sensitive nature of the proceedings, said the judge expected GSA to hold everyone to the same requirements and, during the discovery part of the case, it became clear the contracting officer didn’t do that.

“I can’t imagine GSA will re-evaluate all 500-plus proposals,” the attorney said. “I think GSA will redo the self-scoring checklist, and they may just throw out those companies that shouldn’t have been qualified in the first place. And that could cause more protests. This is the song that doesn’t have an end. That’s the problem with large procurements, they are so important and valuable to vendors that they are willing to protest.”

A spokesman for Citizant declined to comment on the judge’s decision.

Alliant’s faced more than 40 protests

Alliant 2 SB remains under protest even with the Citizant decision.

Three more cases from RX Joint Venture LLC, TISTA Science and Technology Corp. and Metrica Team Venture are before the appeals court.

So far over the last three years, the Alliant GWAC process has faced more than 40 protests.

“Whenever agencies are trying to create these multiple award contracts with so many different companies, it will be very hard for them to treat everyone consistently the way they are supposed to,” Franco said. “With complicated proposals and solicitations, and multiple offerors, procurement shops with limited resources struggle, and it will inevitably lead to protests like this where you can always find some flaw in procurement.”

Franco said as GSA and other agencies continue to develop these large multiple award contracts, agencies will create problems that these types of contracts were trying to avoid in the first place.

“This makes me question whether agencies should be using these MACs with so many offerors. Wouldn’t it make more sense to issue separate solicitations or go through the schedules?” he said. “Why create these complicated procurements that at the end of the day are designed to make the source selection process easier downstream when on the front end you may spend years figuring out who are the right contractors? There is so much potential for fallibility when you have humans involved and issues fall through cracks.”

Foreshadowing problems for other MACs?

The Alliant 2 small business experience is the perfect precursor to what is likely to happen to several procurements that are just getting off the ground.

GSA and the Air Force’s 2GIT multiple award contract with a ceiling of $5.5 billion is just getting started and could face a pre-award protest right off the bat. Industry sources say vendors are concerned about violations of the Small Business Act of 2010.

Then there is GSA’s Center of Excellence Discovery blanket purchase agreement, which has entered the second phase of the acquisition process. Last week, the Federal Acquisition Service posted seven challenge questions for each of the areas with a due date of April 1.

In no more than 1,500 words, FAS wants vendors to outline their approach to determine where things stand now, the path forward for implementation and how they will ensure modernization efforts continue beyond implementation.

Both of these procurements, as well as the others that are coming over to GSA schedules as blanket purchase agreements, including those MACs from the FBI and the Homeland Security Department, have the strong potential to face protests from unsuccessful bidders. And like the Alliant 2 small business GWAC, it’s fair to ask if all the time and resources that go into these contracts are worth it. Maybe it’s time to think of another way, like having Congress modernize the GSA schedules so this need to create BPAs on top of the schedules or standalone GWACs can go away. This would be a huge step toward getting agencies and vendors alike out of this protest merry-go-round.

After 2 years, OMB still lacks permanent controller and that’s a problem


The government hasn’t had a permanent chief financial officer, or in government talk, a controller, for more than two years.

Dave Mader, now at Deloitte, was the last person to hold the title of Office of Management and Budget controller and he left in January 2017.

The Trump administration is now considering its nominee, Fred Nutt, who had been waiting since September 2017 for Senate confirmation, for another position in the government, according to a senior administration official.

This means the administration will be three years old before it has a permanent CFO.

A Senate Homeland Security and Government Affairs Committee staff member said Nutt never received a vote in the full Senate because there were concerns about his qualifications. The aide offered no further details about the concerns. The committee held Nutt’s confirmation hearing in May 2018.

And like I said with the administrator of the Office of Federal Procurement Policy last summer, and the Federal Chief Information Officer before that, Where art thou, OMB controller?

“Not having a controller has a very negative effect when it lasts so long,” said Mark Reger, who worked in the federal financial management community for more than 40 years. “The controller is the financial community’s window into Congress. If Congress wants to know what’s going on in the financial management community, the controller is intimately involved in issues, develops a relationship and fosters better communications and understanding, especially in these times when we want to do things differently and we have great opportunities to streamline, gain efficiency and combine operations. Right now, we don’t have that advocate. We just miss that advocate.”

The controller’s role is even more significant when you consider that nearly every initiative under the President’s Management Agenda has a financial component to it.

These include the obvious ones like getting payments right or federal IT spending transparency, but there are also ones like moving from low-value to high-value work, where so much of that work is being done in the financial management community through robotics process automation (RPA) at places like the General Services Administration and the Department of Housing and Urban Development, or sharing quality services, where key milestones are around things like payroll modernization and other back-office functions.

“The PMA is one of the best ones in terms of what it covers and I’ve been impressed with Margaret Weichert’s leadership. But I would like to see more about financial management in the PMA. It’s heavy on IT and other areas,” said one federal financial management official, who requested anonymity because they didn’t get permission to speak to the press. “What the financial management community has done is the Treasury’s vision for financial management and that has filled one gap. But it’s not ideal to have that vacancy open for so long.”

Treasury released that document in August seeking to improve federal financial management across four areas.

Another federal financial management official said the CFO community is tightly coordinated and understands the path it must follow.

Is the OMB controller even necessary anymore?

So that leads us to the question of whether a Senate-confirmed controller is even needed anymore?

Similar to what I heard from the procurement community, federal financial management experts say there are definitely things having a Senate confirmed controller helps with, but CFOs and deputy CFOs know what they have to do to get the job done and move things forward.

Experts praised deputy OMB controller Tim Soltis for both his leadership and accessibility to the community.

“Tim has been an invaluable asset to not only OMB but also to the entire government financial management community. In the absence of a controller, Tim has stepped in to fill both the role of controller and deputy controller of OMB,” said Ann Ebberts, CEO of the Association of Government Accountants. “There is a lot going on and he’s bound to be pulled in multiple directions to fulfill the needs of both roles. He does a great job at balancing the external and internal demands of the job, but I do remember in prior administrations both controller and deputy controller being extremely busy working with other CFOs across the government to push new initiatives in financial management.”

Reger said while Nutt, serving as a senior advisor to the OMB director, can participate in meetings and can influence priorities and plans, he can’t, however, draw people together, be the public face of the financial management community or lead the CFO community like a permanent controller would be able to.

“CIOs are making great progress, but other administration initiatives containing cost, about being more efficient, federal financial people have a lot of information that can help with that,” Reger said. “I’m not sure how well those things are being married because there is no controller to help direct, coordinate and foster those changes. I don’t see it as a position that particularly affects the day-to-day operations of the government, but it’s a position that affects directional things, enforces and encourages change, and puts the initiatives in the face of people. The financial community acts well when asked to do something, but they need a leader.”

Move out of the compliance mindset

The first federal financial management executive said having that leadership in the community would be especially critical right now.

“There is a big opportunity for us to get away from being so heavy on compliance by using innovative technologies. We need to define what high-value work is for the financial management community and that’s where the controller position is pivotal,” the executive said. “Now more than ever, a federal CFO is needed. We need that leadership to take the community to the next level. Right now we are a little too heavy on compliance and not doing enough to emphasize the value that a strong controller could bring.”

The need for a leader becomes more critical now that the Government Accountability Office is performing a review of the CFO Act of 1990.

“As part of our study, we are seeking information from the CFOs and deputy CFOs of federal agencies to assist us in obtaining information on progress in federal financial management as we approach the 30th year anniversary of the CFO Act and in identifying challenges and leading practices,” the GAO letter to the financial community states, which Federal News Network obtained.

And to take this discussion one step further, the lack of permanent CFOs across the agencies is dramatic.

Of the 24 CFO Act agencies, at least six agencies don’t have permanent CFOs.

AGA’s Ebberts said the lack of permanent CFOs across the government is as big of a problem as not having a permanent controller.

So the question comes back to whether the Trump administration will comprehend the importance of the OMB controller and get someone in place before 2020, or will it continue to underestimate the impact and critical role this and other management positions play in making the government run well?

What does ‘best-in-class’ really mean for federal contracts?

Forgive me for a minute while I play a little semantics. What does the term “best-in-class contracts” really mean?

If you are NASA and your SEWP contract is “best-in-class” does that mean the rest of your contracts are, say, “worst-in-class” or “meh-in-class?”

I bring this up now because the new category management memo from the Office of Management and Budget strongly encourages agencies to use “best-in-class” contracts to help meet the initiative’s goals.

Among the things OMB told agencies to do is: “Annually establish plans to reduce unaligned spend and increase the use of BIC solutions for common goods and services, consistent with small business and other statutory socioeconomic responsibilities.”

Additionally through the President’s Management Agenda, OMB is setting specific spending goals for each agency to use those vehicles like NASA SEWP or the General Services Administration’s enterprise infrastructure solutions (EIS) contract.

“The BIC goal is a reflection of the many benefits that have been realized from increasing the visibility and use of model contract solutions – including billions in cost avoidance aided by reduced contract duplication for identical products at wide price variations, increased use of common specifications, and greater reliance on government and industry best practices,” the memo states.

There currently are 38 BICs, including 25 that GSA runs, ranging from IT services to IT products to leasing cars to booking hotel rooms to body armor to hearing aids.

Several are duplicates, including four different “best-in-class” contracts for IT products and seven for IT services as well as seven BICs that OMB decided were “mandatory.”

OMB put out a definition of “best-in-class” when the term first came up a few years ago. The best-in-class criteria are:

  • Rigorous requirements definitions and planning processes
  • Appropriate pricing strategies
  • Data-driven strategies to change buying and consumption behavior (i.e., demand management)
  • Category and performance management strategies
  • Independently validated reviews

I, and real procurement experts, contend that the term “best-in-class” in and of itself is problematic for many reasons.

“What are you buying when you use a BIC?” Roger Waldron, president of the Coalition for Government Procurement and host of the Federal News Network podcast Off the Shelf, asked. “The use of BIC is confusing for contracting officers. The Federal Acquisition Regulations have priorities already, and this is another way to articulate priorities? The language around BIC, I think, sends the wrong message. A single agency contract might provide better outcomes than a governmentwide vehicle or vice versa. So much of this really depends on the agency’s mission and what they are trying to accomplish through the procurement action.”

And even OMB admits the definition could be improved.

“Initial designations of BIC contracts have been based largely on demonstrated use of strong contract management strategies. Designations will become more outcome-based as prices paid, performance and other information about agency vehicles within a given category becomes more readily available,” OMB writes in a footnote of the memo.

Same mistakes as strategic sourcing?

Larry Allen, president of Allen Federal Business Partners, took the question about “best-in-class” one step further, asking if the use of BIC is an attempt to reduce the supplier base, similarly to what started as strategic sourcing and eventually turned into category management.

“If you follow logic of the memo, it will result in a reduced supplier base in the federal market. What you are really talking about is reducing channels for acquisition and reducing the lanes where contractors have to supply services and products,” he said. “Just like there are winners and losers when bidding on acquisition vehicles there will be winners and losers among contractors because of the BIC designation. The administration has to be okay with that.”

In the memo, OMB was clear about giving agencies flexibility to consider BIC contracts first and then others as needed to meet small business or other mission-related goals.

But experts warn that aggregation of contracts around this term “best-in-class” could lead to unintended consequences like what happened with strategic sourcing where the office supplies industrial base dropped by 24 percent over six years.

“If the goals of category management is to buy smarter through the use of preexisting vehicles, then those are all good goals and things industry shares and are worth pursuing. The question still gets to process and how the government should go about buying smarter,” Waldron said. “How does that translate into requirements development? I’m not sure it does. Perhaps BIC should be a concept around requirements development where OMB is identifying organizations and processes that deliver sound requirements development. I think getting to that fundamental level is where BIC should evolve to at some point.”

Without a doubt category management is evolving. The thinking behind this concept initially was governmentwide strategic sourcing, which failed under the office supplies effort and had limited other successes around wireless and desktop/laptops bulk purchases.

Over the last few years, OMB brought in the concepts of spend under management (SUM), addressing inefficient buying methods and finally workforce development, all areas for which OMB provides agencies with new goals in the memo.

Memo replaces the 2016 circular

The new category management policy was more than a year in the making. The Trump administration is putting its mark on the initiative that started in 2014 with a series of pilots.

At one point, the Obama administration wanted to make category management a circular so it would be more institutionalized than just a memo. But that draft circular never got any legs in the Trump administration.

This memo, for all intents and purposes, replaces that circular and carries with it many of the same goals.

“Teams of experts in each category of spending help agencies increase their use of common contract solutions and practices and bring decentralized spending into alignment with organized agency- and government-level spending strategies by sharing market intelligence, government and industry best practices, prices paid data, and other information to facilitate informed buying decisions,” the policy states. “This memorandum is designed to build on these activities in order to help the government buy as a coordinated enterprise and avoid the waste associated with duplicative contract actions.”

OMB is hosting a question and answer session this Thursday on the new memo and category management with industry.

Jack Coley, president and CEO of Coley and Associates, which consults with small businesses on government contracting, said while he doesn’t have too much concern about the term “best-in-class,” the potential impact on small businesses is similar to that of strategic sourcing.

“Under the Office Supplies 3 vehicle, GSA was able to claim and did meet all small business and socio-economic goals, but tens of millions of dollars went to only a limited number of small businesses. We saw a number of small businesses going out of business who were doing well before getting shutout of strategic sourcing,” Coley said in an interview with Federal News Network. “My concern is that any effort by the government that starts to consolidate spending like category management using BIC contracts, what they are going to do to ensure they aren’t just funneling contracts to fewer and fewer small businesses. That will limit the number of small businesses available, which will negatively impact bringing new and innovative solutions to the government.”

Coley said OMB needs to improve how it defines what common goods and services are, as well as what the threshold is for a common good or service.

“It’s like the definition of a commodity, are we talking about something like printing paper or pens, if so, buying them on lowest price is fine. But when you get to services and solutions, those need to be defined clearly as what’s commodity,” he said. “I know they have category definitions for many of these services and products, but not everything fits into the category nice and clean, and agencies need some flexibility to create their own contracts.”

Hard to commoditize services

Give credit to OMB for recognizing the one-size-fits-all approach of the previous administration doesn’t work.

In the memo, OMB told agencies that they still must meet their statutory small business goals and that the agency’s Office of Small and Disadvantaged Business Utilization (OSDBU) should use the small business dashboard and other information to help the agency achieve the best balance of BIC, governmentwide, agencywide and local contracts.

Additionally, agencies must develop a vendor management plan that includes pre-award and post-award strategies as well as a communication plan.

The bigger question is how OMB will hold agencies accountable. The latest data on category management shows agencies achieved several goals last year, including exceeding governmentwide goals around spend under management, using BICs and cumulative cost avoidance through more efficient buying.

Another big question is the prices paid portal and the inherent problems that come with creating such a database and promoting widespread use.

Coley said data leakage is especially concerning, particularly around proprietary information for vendors.

Allen tagged back to Coley’s concerns around commoditization of services and the fact that no two purchases are exactly alike.

“This memo and this decision making process does raise questions about whether or not we are regulating by memo. Much of what’s going on here was articulated in circular back end of last administration and we continue to have questions that we raised back then,” Waldron said. “At the core of one of those questions is whether this type of micro management of agency procurement is consistent with the Office of Federal Procurement Policy Act and administrative authority. Asking to give comments before issuing memos is a fair thing to ask for, especially on something that directly impacts contractors and frames their opportunities to bid and win work. OMB should’ve put the memo out for comment first.”

OMB, GSA set table for next round of payroll services consolidation

At first glance, the Technology Modernization Fund Board’s $20.7 million loan to the General Services Administration made perfect sense. GSA’s proposal to modernize its federal payroll system checked off many of the boxes the board was looking for — updating legacy IT and processes, improving a shared service and addressing a high-value program that others could learn and benefit from.

But when you dig a little deeper into the board’s decision to lend GSA money that by law they have to pay back, it seems as though something bigger and possibly more disruptive is at play.

Industry and former government officials said all signs point to the Office of Management and Budget consolidating several existing federal payroll providers either into GSA or through the use of quality service management offices through GSA.

Experts said the fact is GSA can only pay the loan back through a limited number of ways:

  • Fewer people
  • Greater IT efficiencies
  • More customers

And many also said it’s only through the third option that GSA can attain the savings necessary to pay back almost $21 million over the next five years.

“I think it will be major consolidation of payroll providers in civilian market because I’m not sure how you go any other way,” a former federal official with knowledge of payroll and shared services, who requested anonymity because they didn’t get permission to speak to the press, said. “I could see either a movement of agencies onto a new platform or GSA is going to contract with companies A and B and set up these platforms and agencies are going to move to it and then charge agencies a fee. The fee usually is per head for all processing, and that would create a revenue stream to include a payback percentage for the TMF loan. They clearly cannot take it from appropriated funds or the revolving funds at GSA. So to pay back the loan it’s either through more customers or fewer people, so it very much looks like consolidation of payroll providers.”

GSA did not respond to repeated requests for details on how it plans to pay back the TMF loan or what its plans are for NewPay.

A senior administration official said in an email to Federal News Network that GSA submitted its proposal last summer to the TMF Board to help with the implementation of NewPay.

“As was evidenced during the lapse, the current complexity of the payroll environment showcased a critical need for modernization. We hope to apply the success of the NewPay program across the government and to other payroll providers,” the official said. “For many years agencies have been directed to develop strategic plans regarding specific common administrative functions. As agencies continuously evaluate performance, security and status of their current solutions for these functions, they will consider more modern solutions as part of their individual strategic planning processes. In the example of payroll, accelerating the availability of modern payroll solutions through NewPay will provide more timely solution alternatives for consideration.”

Margaret Weichert, the deputy director for management at OMB and acting Office of Personnel Management director, said in an interview with Federal News Network it’s too early to know exactly how many payroll providers will exist in the end, but it will be fewer than the four today.

“There are agencies today who provide services that don’t want to be in that business and want to focus on that mission. So GSA, their core mission is to support others in government,” Weichert said. “NewPay is an absolute priority. The proof will be in the pudding in terms of how quickly and how effectively we can roll out the new program before I can answer the final question about how many.”

Draft RFI for payroll modernization

Another industry source highlighted a potential fourth way GSA could pay the money back, which is through appropriations.

A little known provision in the Modernizing Government Technology (MGT) Act lets agencies restructure their appropriations requests.

The law states, “An agency may reduce out-year budget requests in existing IT accounts and restructure the agency’s request to instead include an appropriations request in the IT WCF that will then be used to repay the TMF.”

Of course, that approach may not be too popular with folks on Capitol Hill given the push by Reps. Will Hurd (R-Texas) and Gerry Connolly (D-Va.) to save money and use it for IT modernization efforts.

This theory of consolidation is underscored in the recent draft request for information GSA issued to the two teams of payroll modernization providers under the $2.5 billion blanket purchase agreement it awarded in September.

The draft RFI to the two teams, which Federal News Network obtained, states a potential forthcoming task order would be limited to “GSA and a component of a second shared service provider, to be identified. The scope of this acquisition is to migrate federal employees from the agencies…to modern, secure, cost-effective SaaS solutions.”

Later on in the RFI, the consolidation plan becomes clearer with GSA asking for services ranging from its 21,000 customers up to hundreds of thousands of customers.

“The contractor shall provide approximately 300,000 Integrated Payroll and WSLM software-as-a-service subscription for a to-be identified SSP and its customers,” the RFI states.

GSA only has about 21,000 customers under its payroll and time-and-attendance services, meaning the other 279,000 customers must come from one of two places: The National Finance Center at the Agriculture Department or the Interior Business Center. NFC currently serves more than 600,000 federal employees, while IBC serves about 150 large and small agencies.

NFC bracing for change

An industry source familiar with the NFC said the shared services provider has been bracing for big changes over the last six months.

“The NFC has been under a hiring freeze of sorts. It may not be official, but they haven’t been able to fill open positions and there is a feeling that the NFC as they know it is going away,” the industry source said. “If you just changed the NFC’s reporting structure, but it still continues to be NFC, I don’t think it’s a big deal. But it could take five to 10 years to move into NewPay based on the current complexities of the system that is run on mainframes and serves more than 100 different types of payroll functions.”

This source and others said the most likely first step of consolidation is through the quality service management organization approach outlined in the President’s Management Agenda, which also would give GSA additional revenue to pay back the TMF loan.

“GSA could charge NFC or IBC for those NewPay services and act as a third party of sort,” the source said.

Source: President’s Management Agenda December 2018 update.

Another industry source, who also requested anonymity because their current company is involved in federal shared services, said a good way to describe the QSM approach is IBC or NFC would be subcontractors to GSA, which is acting as the prime contractor with the NewPay vendors.

“I don’t know if the end game is consolidation, but they have to get started someplace and this hub-and-spoke model where IBC will still be part of Interior or NFC will still be part of Agriculture, but they will work closely with GSA,” the third industry source said. “Historically, no one has owned oversight over the federal shared service providers. The agency CFOs didn’t want them. They were orphans in some sense. This new model at GSA gives them a home where they can work together to improve.”

To that end, Hill and government sources confirmed the Office of Management and Budget is expected to issue a new shared services memo in the coming month or so that details this QSM strategy.

A Hill source said the memo also coincides with the plans IBC, NFC, the Defense Financial Accounting Service and GSA had to submit in 2018 for how they would improve their shared service offerings through NewPay.

More than $20M requested for modernization

Add to that, in the 2020 budget request that went to Capitol Hill earlier this month, IBC and NFC asked for money to modernize their payroll services.

USDA asked Congress for an increase of $7.5 million in 2020 “to begin to transition USDA employee payroll accounts from the current legacy system to the NewPay system, which will be more user friendly, improve data security, and save future costs.”

Interior, meanwhile, requested $12.5 million “to support implementation planning and transition activities for the governmentwide payroll and Work Schedule and Leave Management modernization initiative entitled NewPay.”

This takes us back to the TMF loan. GSA’s request for any extra funding for NewPay in 2020 is unclear.

“The request includes $5.2 million to support agency reform priorities including the OPM transition and the NewPay initiative, offset by a decrease in the working capital fund contribution,” GSA’s budget justification states. “OPM and GSA will be one of the first agencies to join under the blanket purchase agreement in FY 2019, which will start the configuration phase of NewPay, followed by migrations scheduled for FY 2020.”

But how much of that $5.2 million is going for NewPay isn’t known, and even if a majority of it goes to NewPay, it will not provide for enough efficiencies to pay back the $20.9 million loan.

Now add the fact that GSA states in the budget document that each of the payroll shared service providers will migrate “at least one agency (approximately 10,000 employees) to the new platform, and adoption of a Talent Management suite by four agencies.”

It becomes clearer that GSA will pay back the TMF loan through the management of the QSM organizations.

The irony in all of this is GSA got out of the financial management line of business services business in 2015, moving its financial management solution to USDA, and it wanted to stop providing human resources services in 2013. Now through the QSMs, it looks like GSA is getting deeper into providing these services and managing the future of shared services both at the tactical and operational levels.

“GSA will leverage the new-shared service model that focuses on data standardization, modernization and security into service offerings. This will benefit the American people by transitioning government back office operations to modern technology, reducing costs and risk, and leveraging commercial best practice,” GSA states in its budget justification.

Experts said there are definite concerns about consolidating to one major payroll provider for civilian agencies as DFAS and the State Department — the other two providers — will continue to serve their specific customer bases.

But at the same time, GSA has to get started because no one argues that federal payroll systems are working well.

“To move 2 million accounts and move it in a way that no one can screw it up will take five or six years. So the TMF giving them the ability to get started now as opposed to waiting for the 2020 or 2021 budget is good, but I don’t know how far $21 million will go,” one industry source said. “I know people are concerned about the change, but when I look at the physical placement of the providers, it makes sense they are and continue to be distributed in different parts of the country. This is for a number of reasons including for continuity of operations and for workforce considerations because you can over-saturate an area in terms of finding workers. So the QSM is an ideal model in many ways.”

Agencies likely to miss March 31 deadline to release RFPs under new telecom contract

The news that CenturyLink passed the last major hurdle to begin offering services under the $50 billion Enterprise Infrastructure Solutions (EIS) contract isn’t necessarily going to set off a tidal wave of solicitations from agencies.

CenturyLink is the first vendor to receive its authority to operate for its business systems, meaning it can accept and process task orders or service orders, provision or deliver services and bill for services. Other incumbent vendors such as Verizon and AT&T aren’t far behind, and the six other “new” companies should be completed in the coming month or two.

Until those vendors receive their ATOs, EIS will remain on a slow roll as agencies are hesitant, maybe even a little fearful of bid protests, to make awards until they feel like there is adequate competition.

“We can award before the ATOs are done, but we can’t execute the order until the ATOs are done. I think most organizations will wait until most or all the ATOs are done to award,” said one agency EIS transition executive, who requested anonymity because they didn’t get permission to speak to the press. “If you don’t wait for all nine vendors, there is a chance you will go into a protest situation. I think there is some anxiety for how vendors will handle that. Some say only the incumbents have advantage in dealing with ATO, but I think that thinking is full of crap. All the vendors have known what the requirements are to get an ATO for years. But at the same time if I’m going to award, then I want to execute and not wait until there is an ATO because I’m still paying higher rates while I’m waiting for the approval.”

While this is only one expert’s opinion, others in and out of government believe most agencies will wait until the vendors have their ATOs, thus putting the General Services Administration’s March 31 deadline for agencies to release their EIS solicitations further in doubt.

As you may remember, GSA changed the transition timeline for agencies with the caveat of March 31 and Sept. 30 deadlines for releasing solicitations and making awards, respectively. GSA is extending the current Networx contract to May 2023.

“Agencies need to release their solicitations to industry and make timely task order awards so they can make the transition within the four-year window to modernize their IT infrastructure,” writes Bill Zielinski, the acting assistant commissioner in GSA’s Office of Information Technology Category in the Federal Acquisition Service, in a March 14 blog post. “To be clear, GSA intends to extend expiring telecommunications contracts so agencies have enough time to complete the transition and modernize, not to extend the time for the solicitation and task order award process. Agencies need to keep their foot on the gas to ensure they have time to transition their telecom services from their existing contracts and providers to EIS. For example, agencies should issue their solicitations to industry by March 31, 2019. If you don’t issue your solicitations to industry by this date, GSA may cease providing one of our transition support tools for solicitation development — the Transition Ordering Assistance program.”

Source: GSA blog post from March 14.

Additionally, Zielinski said since the 35-day government shutdown didn’t impact most agencies, GSA is keeping to its schedule, but will work with agencies on a case-by-case basis if they need additional help or time.

Bob Woods, a former GSA telecommunications official and now president of Topside Consulting, said GSA should instill, and agencies should have, a sense of urgency about the entire EIS effort.

“Sometimes you have to create a crisis and that hasn’t happened yet,” Woods said at the recent Independent Telecommunications Pioneer Association (ITPA) lunch in Vienna, Virginia. “GSA has the tools to help agencies, but they can’t issue an edict. They tend to go through the Office of Management and Budget and/or the President’s Management Council (PMC). When the secretary or deputy secretary comes back and asks, ‘why are we behind?’ that brings the pressure and gets the attention on the transition.”

Multiple government sources involved in the transition say OMB hasn’t sent any memos, guidance or instructions related to EIS transition, and it hasn’t come up too often during CIO Council meetings.

“The last time for Networx, the communications were more frequent and more structured from OMB,” said another government official involved in EIS transition. “GSA, I think, is getting pushed really hard by OMB to meet the transition dates. GSA said it would work with agencies who are behind.”

And so far as of Jan. 31—the last time GSA updated the transition chart—large agencies released 25 out of an expected 104 solicitations. The Defense Department accounts for 58 out of those 104 total RFPs.

Source: GSA EIS website.

The medium-sized agencies are further behind with only 5 of 40 solicitations out to vendors.

“There is a tsunami of solicitations coming because you are taking Networx, Washington Interagency Telecommunications Services (WITS), the regional contracts and saying we will combine them all into EIS, and that creates the tsunami in-and-of itself. Then GSA is saying do it fast,” the second federal executive said. “Then there are the changes in terms of how GSA is able to handle ordering and billing of the services, which is not nearly as flexible from a workload standpoint than it was previously under Networx.”

The federal executive added their agency is having to hire more people, and processing the orders and dealing with the billing will be more costly for the agency.

“I can’t say enough about how well it worked before and how efficient it was,” the executive said. “We are not sure how many more people we will need. We hope we can keep it to 10 people, but some of the estimates say it may be more than that. We previously had about three people doing the ordering and maybe two doing the billing, and we had a defined and automated workflow in with GSA’s workflow.”

The first executive said they expect their transition to EIS to take two years in part because they expect the provisioning of services to take longer due to the complexity of the EIS contract’s approach using task orders.

Experts also say whenever the tsunami of solicitations comes out, vendors and GSA alike likely will be overwhelmed.

“Some of industry struggled on Networx to put together quality packages. It was a little embarrassing. We knew we couldn’t call them out and tell them the bids were horrible, but they weren’t good,” said the second executive. “We want everyone bidding, but we may not get that as vendors will have to make hard choices on which opportunities they will cherry pick.”

Transportation, State, CIA experiencing change in CIO roles

Quietly, two agencies are making moves in their chief information officer shops.

The Transportation Department didn’t wait long to fill its vacant CIO role, hiring Ryan Cote without much fanfare. Cote, who started Feb. 4, came to DOT from Gartner where he was an executive partner.

He replaces Vicki Hildebrand, who left in December after just over a year on the job.

While Transportation filled its role quickly, the State Department hasn’t had a permanent CIO for more than 15 months, and now its acting CIO, Karen Mummaw, is retiring in April.

Sources confirm to Federal News Network that Mummaw announced her plans to leave in February.

State hasn’t had a permanent CIO since Frontis Wiggins retired in December 2017, and may not until the Senate confirms State’s undersecretary of management nominee, Brian Bulatao, who has been stuck in the nomination process since July.

Cote comes to Transportation after spending four years in the Marines and then his entire career in the private sector. He worked as the CIO and senior vice president of IT at iForce, a staffing and recruiting company, and for IBM as a senior practice consultant.

As the DOT CIO, Cote likely is picking up where Hildebrand left off in reshaping how the agency uses technology through the nine BHAGs—big, hairy, audacious goals—that focused on everything from cybersecurity to shrinking the IT footprint to implementing intelligent software.

DOT has a $3.7 billion IT budget, with 78 percent of all projects on schedule and 68 percent on budget, according to the federal IT dashboard.

Among his biggest challenges will be to continue the partnership with the modal organizations, particularly the Federal Aviation Administration.

Over at State, Mummaw caps a 31-year career at State where she spent her first 10 years as part of the Foreign Service working in technology and telecommunications roles at various embassies around the world and has spent the next 21 years working at both headquarters and overseas as an IT executive.

During her tenure, Mummaw helped lead State’s continued transformation to the cloud. State has two main goals as part of its modernization plan: the centralization of back-office or commodity IT and consuming IT-as-a-service.

State still faces several challenges with its $2.2 billion IT budget, of which Mummaw’s office controls only about $725 million. The federal IT dashboard says 84 percent of State’s projects are on schedule, but only 52 percent are on budget. Additionally, State continues to recover from a recent breach of its unclassified email system.

CIA, NIST put out help wanted signs

The National Institute of Standards and Technology and the CIA also are looking for new CIOs. NIST posted a job opening in late February. Resumes are due March 27.

The CIA announced its CIO, John Edwards, received a promotion to be the deputy chief operating officer. On March 19, the agency named Juliane Gallina, a former CIA officer currently at IBM, as its new CIO.

She will start April 1.

Gallina served as a naval officer with a specialization in cryptology and information warfare. In 2013, she retired from the Navy (Reserve) as a commander. Gallina graduated with honors from the U.S. Naval Academy in 1992. She graduated from the Naval Postgraduate School in 1998 with a master’s degree in Space Systems. She earned a master’s degree in Electrical Engineering from George Washington University in 2006.

NextGov first reported the CIA’s hiring of Gallina.

Edwards has been the CIA CIO since March 2016 and served 14 years as a communications and technical operations officer within the Directorate of Science and Technology (DS&T) and five years serving as the chief of staff to the CIA’s executive director.

During his tenure, Edwards led the CIA’s move into the commercial cloud hosted by Amazon Web Services, making it a part of the broader intelligence community IT modernization effort.

Additionally, he implemented what he has called a “franchise” model for IT where CIA offices must adhere to a strict set of standards and security requirements, but are able to operate their own IT infrastructures.

Among his long-term priorities, Edwards focused on mobility, interoperability, data management and ensuring capabilities at the edge.

Additionally, the Government Accountability Office is looking for a chief data scientist, the Agriculture Department’s Agriculture Research Service is looking for an assistant CIO to run its technology efforts, and Washington Headquarters Services in the Defense Department is seeking a new CIO.

Finally, Somer Smith is the new permanent chief of staff for Federal CIO Suzette Kent. She had been acting chief of staff since August.

Smith had been a performance analyst for the Office of Management and Budget since August 2017.

This also means OMB is hiring a new supervisory policy analyst.

“The position performs duties related to IT reform efforts, consistent with the Information Technology Oversight and Reform (ITOR) fund. Additionally, the incumbent will collaborate with agencies and policy teams in terms of the CIO Act, cyber policy initiatives, Evidence Based Policy and relevant executive orders,” the job listing states.

How a simple tweet opened frustration floodgates over security clearances

A single tweet on Thursday about something Rep. Will Hurd (R-Texas) said at the IBM ThinkGov event in Washington, D.C. created quite a bit of discussion and debate.

Hurd said he’d like to see the government be able to complete a security clearance in a week instead of six months or, in many cases, more than a year.


“Why does it take 10 months? Does talking to my neighbor who lived next to me 10 years ago have a better idea of me versus what I’ve clicked on over the past few weeks?” Hurd asked. “Why are we doing security clearances the same way as we did 100 years ago? We should be able to do a security clearance in one week. If you do that, you must make sure people [they’re] collaborating with in the private sector have the ability to share information.”

That single comment and ensuing tweet opened a torrent of frustration about the security clearance process. While the feelings aren’t new, contractors and agencies seem to be getting less patient with the government’s efforts.

Rep. Will Hurd, R-Texas, wants to test out an approach to see if a federal employee can get a security clearance in a week. (AP Photo/Pablo Martinez Monsivais)

It’s not like the last three administrations haven’t recognized this problem, trying an assortment of approaches. The most recent statistics show progress against the backlog, which is a good sign, but far from a fix.

The National Background Investigations Bureau said the number of pending investigative matters stands at 542,000, down from 725,000 a year ago.

The Trump administration is transferring the NBIB to the Defense Security Service any day now; an executive order has been stuck in the ubiquitous “soon” of government talk for what seems like six months.

At the same time, agencies from the Air Force to the Office of the Director of National Intelligence to the Defense Information Systems Agency are testing new approaches or fixing the technology to accelerate the security clearance process without losing any rigor.

The Air Force, for example, worked with the NBIB to establish temporary centralized interview hubs at 11 key locations where there is a high concentration of investigator case work and the mission in those areas needs immediate relief. Hubs are areas where security clearance interviews can take place without requiring someone to go to Washington to be vetted.

ODNI started to use a continuous evaluation approach in 2017 to supplement and enhance the current process, but not replace it.

While these two examples show change is possible, Hurd wants to transform the security clearance process even more quickly.

“I’ve had some conversations with smart people in the government about whether we can do a pilot project to try to streamline this process, and do it alongside people who already are getting their clearances to see if we can make it work,” Hurd, who became a member of the Intelligence committee this session, said in an interview after his speech. “When I look at my initiative on the cyber national guard, one of the things that is getting in the way is the security clearance process.”

Hurd said the arduous clearance process impacts many of the issues he works on, which is why he asked whether a week to get a security clearance is possible.

“My goal and my time will be spent on going out there to figure out a test case to do this and let’s introduce this,” he said.

Public, transparent standards needed

Hurd’s comments came as two other initiatives — one on Capitol Hill and the other from the Defense Department — kicked off to put more focus on security clearances.

Sens. Mark Warner (D-Va.) and Susan Collins (R-Maine) introduced the Integrity in Security Clearance Determinations Act to “ensure that the security clearance process is fair, objective, transparent, and accountable by requiring decisions to grant, deny or revoke clearances to be based on published criteria. It explicitly prohibits the executive branch from revoking security clearances based on the exercise of constitutional rights, such as the right to freely express political views, or for purposes of political retaliation. It also bans agencies from using security clearances to punish whistleblowers or discriminate on the basis of sex, gender, religion, age, handicap, or national origin.”

Warner and Collins said the bill also lets federal employees appeal decisions to deny or revoke a security clearance, and requires agencies to be more accountable and transparent about the results of those appeals.

Finally, the bill would apply more rigor and accountability to the process to prevent abuses.

“The security clearance system is critical to protecting our country from harm and safeguarding access to our secrets. Americans should have the utmost confidence in the integrity of the security clearance process,” Collins said in a press release. “This bipartisan bill would make the current system more fair and transparent by ensuring that decisions to grant, deny or revoke clearances are based solely on established adjudicative guidelines.”

A major reason why Collins and Warner introduced this bill can be traced back to the Trump administration’s handling of security clearances for the president’s son-in-law Jared Kushner as well as the administration’s decision to withdraw security clearances from former intelligence officials over political disagreements.

But if you take a step back from the big “p” politics of the bill, the move to continuous evaluation or using social media and other public information as part of the basis for a decision requires more transparency and accountability in the process.

And the need for transparency leads us to the second initiative around security clearances from last week. The Defense Digital Service released a request for white papers to collect ideas to develop a prototype for automated background and reviews.

DDS wants help transforming the process

“The Defense Digital Service (DDS), in coordination with OUSD(I), will direct the creation of a prototype system that successfully collects a subject’s information, executes a background investigation (with automated and manual parts), and records an adjudication decision,” the request states. “This prototype will require integration with a wide variety of U.S. government and commercial databases to verify the subject’s identity and background information. Development of the prototype will be rapid and agile in nature, fielding new functionality to users for feedback every two weeks.”

Questions are due March 19 and white papers are due March 26.

DDS said it eventually will award a nine-month contract worth no more than $5 million to a vendor to build the prototype system.

The DDS efforts come as DISA has been modernizing the current online background investigation form for the last nine months and has been working on new technology to support the security clearance process since 2016. DISA recently transferred the technology infrastructure and employees to the Defense Security Service in early March as part of the consolidation effort.

With all this attention, the administration must not only make progress, but communicate how the security clearance process is improving while not losing any rigor. The opaqueness of NBIB’s efforts over the last year — aside from a recent update from ODNI’s Bill Evanina — has undoubtedly led to the frustration we saw when Hurd’s comments were spread to a broader audience.

How two efforts are trying to improve feds’ skills

The Trump administration’s initiative to reskill and retrain federal workers is picking up steam.

Federal Chief Information Officer Suzette Kent announced last week that the Federal Cyber Reskilling Academy received more than 1,500 applications, half of them from employees at the GS-5 to GS-11 levels.

Kent launched the academy in November to address the shortage of cybersecurity expertise across government through hands-on training. The first class is expected to hold 25 people who will be given a “cyber essentials” course, followed by four weeks of “follow-on learning, exercises and exams” over a four-month period.

At the same time, the Defense HR Activity issued an RFI for industry and other experts to submit white papers around six topics:

  • An approach to talent acquisition, talent development, talent analytics and talent management.
  • Describing software/technologies used to support talent acquisition, talent development, talent analytics and talent management.
  • Using advanced technologies such as machine learning, artificial intelligence, simulations, virtual advisors, interactive autonomous programs, mobile applications and gaming.
  • Addressing Federal Risk and Authorization Management Program (FedRAMP) certifications, federal cloud computing, security and interoperability with existing federal IT systems.
  • Approaches to career pathing, competency identification and management, job roles, progression models and management, workforce and succession management, position management, performance management.
  • Providing operations and maintenance for software, mitigation and contingency operations.

“The key area of focus for this requirement is to gather information on industry best practices in the talent management and talent development arena and explore the new and future technology to support competency gap identification, employee re-skilling and agile workforce career management, while enacting best practices to elevate employee experience and engagement,” the RFI states.

Responses are due March 15.

The Defense HR Activity may be a part of the Trump administration’s broader effort to modernize the workforce, which is a key cross-agency priority goal under the President’s Management Agenda.

In December, the cross-agency goal leaders reported “OMB and the Office of Personnel Management are working with agencies to analyze workforce data and develop reskilling plans and test methods to reskill and redeploy existing federal talent. Interactive tools to assist executives, managers and employees are currently under development including a reshaping playbook, a reskilling toolkit and video vignettes featuring agency successful practices.”

Source: December 2018 report.

Additionally, the goal leaders say agencies want better technology and automation tools to make career paths easier to understand for employees.

“Respondents noted that career paths have the potential to yield improved outcomes in recruitment, retention, succession planning, talent development and reskilling. An industry day is planned for January 2019 to engage leading private sector career-pathing providers to explore how to better serve agency and employee needs, preferably through an enterprise service available to all agencies,” the goal leaders write.

Additionally, the National Science Foundation launched a reskilling challenge soliciting prototypes that NSF — and later all of government — can use to match existing federal employees and their skills to other kinds of work.

Public and private sector experts say agencies can move thousands of people out of low-value work and use automation to make up for that work.

OMB estimated in 2018 that about five percent of all federal occupations could be automated entirely, while 60 percent of all occupations could have at least 30 percent of their work automated. Overall, OMB says 45 percent of all “total work activities” could be automated.

Deloitte’s Center for Government Insights found government has the potential to free up anywhere from 266 million hours to 1.1 billion hours a year by retraining employees and using automation.

The appetite and potential for federal employees to move into new fields, whether it’s cybersecurity, data science or many of the other emerging occupations, is real. The administration shouldn’t waste this opportunity because of big “P” politics and should reach out to House lawmakers and employee union officials. The reality is change is happening; it’s just a matter of how quickly it can come. If OMB and OPM aren’t inclusive and strategic about all of this potentially impactful and needed work, agencies either will be stuck manually inputting data into Excel spreadsheets or they will make change on their own, which tends to miss the important point of moving everyone forward together.
