Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


EINSTEIN and TIC never got along, and TIC 3.0 makes their break-up official

Don’t start playing a dirge for the 16-year-old cybersecurity program known as EINSTEIN. But with the release of the draft Trusted Internet Connections 3.0 implementation guidance, industry experts agree the end is near for the long-running, and sometimes questionable-value, intrusion detection and intrusion prevention program.

“Today’s concept of EINSTEIN is going away. It kind of has to happen,” Stephen Kovac, vice president of global government and corporate compliance at Zscaler, said in an interview. “TIC 3.0 isn’t here to kill EINSTEIN, but decouple it from TIC. I think some form of EINSTEIN will still need to exist. Agencies and DHS still need to collect telemetry data.”

Kovac said what many federal chief information security officers and chief information officers have said over the years, “EINSTEIN today is not providing very useful data.”

Kovac said Zscaler collects 93 data fields through its sensors, while EINSTEIN is focused mainly on netflow data and blocking known threats and signatures.

Susie Adams, the chief technology officer for federal at Microsoft, said the draft guidance from DHS makes it clear that EINSTEIN’s shelf life is limited, even if it doesn’t specifically say that.

“The existing TIC architecture that’s in place is to protect agency networks as they were developed over the last 20 years,” Adams said in an interview. “But for the cloud, it looks like they are trying to go to the right place by storing data in the cloud and using machine learning or advanced analytics to understand what’s going on. This is why the traditional EINSTEIN will only exist for agency traffic coming out of their own network. I think DHS is trying to evolve EINSTEIN as well.”

The need to update TIC, and thus move away from EINSTEIN, became clear as agencies suffered from latency and other delays when integrating cloud services with these security tools and architectures.

The separation from EINSTEIN, however, is more like the cherry on the TIC modernization cake.

Kovac, Adams and other federal cyber experts said DHS’s five draft guidance documents to implement TIC 3.0 are well thought out and well-constructed, giving agencies a less prescriptive and more flexible approach to securing data and using the cloud. Comments on the draft documents are due Jan. 31.


Source: CISA

The guidance follows the updated memo the Office of Management and Budget released in September.

“Through the new guidance, agencies now can understand what risks they are trying to mitigate, what services they are trying to use and then the steps for how they can do it,” said Josh Moses, a former chief of the cyber and national security branch in the office of the Federal CIO. “I do think this makes moving to the cloud easier. The reference architecture shows that there now are many roads that lead to Rome versus the one or two ways under the previous TIC architectures. This new TIC architecture is much more flexible in the way agencies can access the internet as well as from a security and cost perspective. It frees up agencies to make better risk-informed decisions.”

That has been the goal of many of OMB’s updated policies. Experts say the decision by federal leaders to have an “assume breach” mentality instead of a “protect everything” approach is clear in the TIC documents.

Cloud bottleneck should be gone

DHS isn’t so much telling agencies what to do, but more what outcomes agencies should aim to accomplish.

“Detection is the most important piece of this. If you assume you’ve been breached, then you need to spend time on detection and automating that detection, and these new TIC documents are a step in the right direction. It’s part of the zero trust framework,” Adams said. “The bad thing about not being prescriptive like TIC 2.0 is that it leaves a lot of things for agencies to decide, and that could cause things to slow down because there may not be agreement on security control implementation and risk posture for the data and where it’s stored. We are hoping that being more subjective in how you meet TIC will provide more leeway for agencies and not inhibit cloud adoption.”

Adams said the new TIC approach removes the choke point that was EINSTEIN and the managed trusted internet protocol services (MTIPS).

“Agencies can now define their own path to secure their internet connections, and that is huge,” she said. “It gets rid of the bottleneck.”

Kovac said the move away from MTIPS may be difficult for some agencies, and especially the telecommunications providers, because they have used it for so long and are comfortable with the security services. He estimates agencies spend about $1 billion a year on MTIPS.

Ross Nodurft, another former chief of OMB’s cyber branch and now a senior director for cybersecurity services at Venable, praised OMB and DHS’s work on TIC 3.0, but said the one thing that is missing is an incentive to move to the new architectures.

“The documents make assumptions that agencies already are motivated to adopt these new technologies and want to move to a new architecture, but what is motivating them to adopt these new tools? What is the driving force?” he said. “The TIC memo rescinded the other TIC requirements and gives agencies the ability to build out a TIC architecture with more of a risk-based view. But why make the change unless you have a reason to? What are the drivers for agencies who are using MTIPS or another approach and not having any problems? I would like to see a more active solicitation of pilots to show why moving to 3.0 is worthwhile.”

Still need to connect programmatic dots

In the draft documents, DHS highlights two use cases, but also tells agencies how to develop and submit plans for additional proofs of concept.

Nodurft said he’d like to see vendors take a more aggressive role in developing use cases, which could help drive the modernization of TIC architectures.

Moses, the other former OMB cyber chief, said he’d like to see DHS and the federal CIO’s office clarify how all of the current cyber programs, such as TIC, continuous diagnostics and mitigation (CDM), high-value assets and the Federal Information Security Management Act (FISMA), fit together and what benefits agencies are receiving from them all.

“How can agencies get to good, reduce their compliance burden and how do all of these controls come together and make a difference to secure agency systems and data?” he said.

Kovac said there is a lot of pent-up demand for a more flexible approach to TIC. He said several agencies have prepared or are preparing TIC 3.0 use cases to begin moving out of the current approach.

“I think the vision of this will be a catalog of use cases,” he said. “The remote worker, the traditional workers, the international users and the bring-your-own-device user. There are 5-to-10 solid use cases so people can find what they want to accomplish.”


These IT, cyber provisions in the NDAA may have flown under your radar


The 2020 National Defense Authorization Act is always chock full of interesting and impactful policy changes or updates. The trick with the 1,794-page bill is knowing where to look.

No one person can read through the roughly 8 pounds of paper without missing a few important nuggets. So with some help from federal experts, I dug into the NDAA and found several provisions that likely flew under your radar:

A cyber adviser for all

Marine Corps Maj. Gen. Dennis Crall, the senior military adviser for cyber policy for the Defense Department’s chief information officer, offered simple advice at the recent AFCEA Northern Virginia luncheon: “Read the NDAA.”

Specifically, Crall wanted industry to look at the provision requiring each military service to create a principal cyber adviser — Section 905, if you are keeping score at home.

“Congress gave us very directed tasks and responsibilities for this new billet or this new role. There are also some implied tasks. The services need some time to go through this and decide how they are going to provide a level of sufficient implementation,” Crall said. “But here is what we know, the same things that happened at the Office of the Secretary of Defense level of the principal cyber adviser translate well. In fact, some of the responsibilities appear to be identical. One of the key ones is to oversee the implementation of service strategies and policies that are in place.”

He said the new cyber adviser likely will take on a role that the agency CIO, chief data officer or even cyber commands don’t fill — looking across the board at all cyber activities and advising senior leaders to ensure cohesiveness among all of these disparate efforts.

“If you don’t stitch these together, you end up potentially working at cross purposes and not at the priority level the service desires,” Crall said. “From Congress’ perspective, they are rightly in search of the single point of contact in a service to answer questions about things like budget and the adequacy of plans, policies and the budget that come out. Those are critical things.”

The goal, Crall said, is not to replace or usurp any specific leader in a service, but to provide advice across all of the mission areas.

“It happens in my office right now. It’s the very same thing that happens at the OSD level to be able to look from one end of the spectrum to the other and provide a level of advice to make sure the left hand and the right hand know what each is doing and looking at offsets and strategy to make sure we are covering down the Secretary’s highest priorities,” he said. “One of the key pieces is to review cyber budget proposals to make a determination of adequacy. Adequacy is not defined. We will define it. But one thing adequacy does do, I think very clearly, is take a look at the sufficiency of the plan, meaning the funding, scope and nature that it’s desired to achieve. And where there is an inadequacy or imbalance in that adequacy, however the services decide to define that, there is a requirement for that principal cyber adviser to come back to Congress annually and describe which plans are inadequate and why. That’s pretty significant.”

The return of LSIs

Tucked into section 128, the Navy is given specific requirements for buying its next strategic sealift fleet vessel.

But this is really a procurement provision, according to one of my federal experts.

Congress wants a new vessel by 2026, but more interestingly, it’s how lawmakers want the Navy to go about buying the vessel.

The provision all but tells the Navy to return to the days of the “lead system integrator.” Under the LSI concept, the government gives its contractor broad responsibilities to do everything from developing requirements to source selection to construction to testing and validation.

The NDAA states, “The Secretary of the Navy may seek to enter into a contract or other agreement with a private-sector entity under which the entity may act as executive agent for the Secretary for purposes of the contract. The executive agent described in may be responsible for: selecting a shipyard for the construction of the sealift vessel; managing and overseeing the construction of the sealift vessel; and such other matters as the Secretary of the Navy determines to be appropriate.”

It seems lawmakers want the Navy to contract out the entire process, even where the ship is built.

This definitely raises some questions, including how much of this effort could be considered inherently governmental.

Why is Congress going backward in time and bringing the concept of an LSI back into the fold?

This is especially poignant given the LSI debacles of the 2000s. The Army’s Future Combat System (FCS) and the Coast Guard’s Deepwater program are two of the most well-known LSI failures.

More data, more problems

Turn to Section 1651 in your handy NDAA and you’ll find an interesting provision on DoD’s big data platform. It’s not too unusual, calling on the Pentagon to reorient its efforts around DoD’s cyber strategy.

But if you dig deeper into the provision, as Mike Hettinger, the CEO of Hettinger Strategy Group, did, you’ll find Congress called out the Joint Regional Security Stacks (JRSS). JRSS is DoD’s initiative, started in 2013, to create a security infrastructure that reduces the number of network entry points that could be targeted by hackers. Let’s just say that over the almost seven years since, JRSS hasn’t gone well. In 2019, the DoD inspector general released two audits raising serious questions about the future of JRSS, including the existence of critical security vulnerabilities, a lack of training for the personnel tasked with operating the security stacks, and the finding that senior Defense officials have not adequately set and managed requirements for the system.

The NDAA tells DoD to develop, by Jan. 1, 2021, a common baseline standard for collecting security data and processing it through a schema as a way to identify and mitigate cyber threats across the Department of Defense Information Network (DoDIN).

“The Secretary shall take such actions as the Secretary considers necessary to standardize deployed infrastructure, including the Department of Defense’s perimeter capabilities at the Internet Access Points, the Joint Regional Security Stacks, or other approved solutions, and the routing of data laterally and vertically from Department of Defense Information Network segments and tiers, to enable standard and comprehensive metadata collection,” the law states. “[The Secretary shall] take such actions as the Secretary considers necessary to standardize deployed cybersecurity applications, products, and sensors and the routing of data laterally and vertically from Department of Defense Information Network segments and tiers, to enable standard and comprehensive metadata collection.”

The fact that Congress called out JRSS in the provision is interesting given the program’s struggles and this might be an initial push by lawmakers for DoD to move on from the current approach to JRSS.

Another interesting tidbit in that section, related to JRSS, is that Congress wants DoD to rationalize and standardize across its big data cyber platforms, including the Defense Information Systems Agency’s Acropolis, U.S. Cyber Command’s Scarif and others. Where JRSS is trying to consolidate and standardize, Congress here seems concerned that every cyber command is developing its own big data platform, meaning data and communication may be siloed.

Despite concerns about JRSS, Congress still allocated two buckets of funding for the program. The first is $88 million for acquisition of tools and the second is $18 million for research, test and evaluation.

CMMC concerns

Quick turn to Section 1648 because DoD has less than 20 days to meet the initial requirement under this part of the NDAA.

Congress is giving the Pentagon a Feb. 1 deadline to “develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base.” Military leaders then have to brief lawmakers by March 11 on the framework and expected pilot programs to test it out.

This, of course, is the Cybersecurity Maturity Model Certification (CMMC) initiative, which DoD started in 2019 and for which it released the first draft of the requirements in September.

While the CMMC is hardly an “under the radar” provision of the NDAA, Gordon Bitko, the former FBI CIO and now the senior vice president for policy, public sector at the IT Industry Council, said the expedited timeframe both Congress and DoD want is concerning for industry.

“Everyone is on board with understanding the cyber risks the defense industrial base (DIB) faces and needing to find ways to harden and secure their systems and data better. But the concern ITI members have is what seems like the arbitrary rush to hit those dates laid out in the NDAA,” Bitko said in an interview. “Even though the bills and guidance are requiring DoD to do it in a collaborative way, none of our members feel like it’s happening well enough. We are providing feedback and ideas to DoD, but it seems like they will get to them later. If we go down the road of creating a process and infrastructure upfront without having gotten input from industry, who spend a lot of time thinking about cyber, I’m concerned DoD will create a duplicative infrastructure and not apply lessons learned from things like the Federal Risk and Authorization Management Program (FedRAMP).”

Bitko said DoD has not addressed several big picture questions such as the scope of CMMC and how it will filter down into the supply chain, the true cost and time to get more than 300,000 vendors through third-party accreditors and the value of the certification if it’s only an annual requirement or one that happens every three or five years.

A different kind of A-Team

On page 333, Section 802 seems to be one of those provisions where what’s old is new again.

It calls for DoD to run at least two and no more than five pilots in which a cross-functional team of experts, known as an “alpha contracting team,” comes together to work on a particularly complex acquisition.

“The conferees note that this construct revives in a modern context the ‘alpha contracting’ concept that is more than a decade old. Further, it brings together all government personnel involved in the functions that support acquisition actions, to include contracting staff as well as technical staff, operators and cost personnel,” the NDAA states. “This is intended to ensure that technical requirements are appropriately valued and that the most effective acquisition strategy to achieve these requirements is identified.”

Matthew Cornelius, the executive director of the Alliance for Digital Innovation (ADI), pointed out this provision.

“Done correctly, this pilot program and the initiatives DoD chooses for inclusion can truly bring together the best of government, academia and industry to collectively address complex procurements,” he said. “These initiatives should be broadly scoped so as to allow true collaboration and technical expertise to influence better buying decisions and not bias outcomes towards a single, established entity.”

Congress wants DoD to act quickly, with deadlines of Feb. 1 to establish pilot criteria, May 1 to identify and notify Congress of the test cases selected and Dec. 1 to brief lawmakers on the pilots’ metrics, including how they are improving acquisition cycle time.


Top 10 Reporter’s Notebooks of 2019


Now in its eighth year, my Reporter’s Notebook continues to evolve into my weekly download of important analysis and people news across the IT and acquisition communities.

As I’ve said from the beginning, this is neither a column nor commentary—it’s news tidbits, strongly sourced buzz and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, I encourage you to submit ideas, suggestions, and, of course, news to me at jpmiller@federalnewsnetwork.com. In 2018, the top 10 featured stories about change and turbulence in the federal IT and acquisition communities. In 2019, the top stories were more diverse and a mix of IT past, present and future.

Here are the 10 most viewed Reporter’s Notebook stories of 2019 in order:

  1. DISA eyes $170M in savings from Fourth Estate consolidation program

This story had all the makings of a number one rated story for 2019: the Defense Department, reorganization and change management, and major technology consolidations. The Defense Information Systems Agency’s Fourth Estate initiative faces a major set of milestones in 2020, so this story will continue to be hot.

  2. The end is near for the worst website in government?

I actually wrote two similar stories in 2019 about the end of FedBizOpps.gov, which many would agree was well overdue for a face-lift. GSA met its goal of retiring FBO.gov in November with the official launch of beta.sam.gov. While the new portal is far from perfect, and many in industry highlight ongoing challenges, the fact that GSA accomplished this much-needed and four-times-delayed goal is important to recognize.

  3. Industry group asks Senate Appropriations Committee to rein in FFRDCs

This is one of those stories that highlighted an ongoing controversy in industry, but it was surprising how popular the story was with our readers. I’m not sure if it hit a specific chord with industry and/or federal agencies, or just because it focused on a contentious topic — federally funded research and development centers (FFRDCs) — but it showed us that these concerns about the influence of federal research organizations are growing.

  4. New details from Oracle point to former Navy official as third executive caught up in JEDI controversy

While the FFRDC story was surprising, I would’ve expected this one to have done better. The Defense Department’s JEDI acquisition was a story that kept on giving all year long. In this chapter, we were the first news organization to name Victor Gavin as the so far unnamed person caught up in this controversial procurement. The JEDI saga will continue with new chapters as we enter 2020.

  5. HHS puts more than $1B in contracts at risk by shutting down assisted acquisition services

This was one of several exclusive reports in the notebook this year. It shined the light on a decision by the Department of Health and Human Services that remains questionable today—to immediately stop offering assisted acquisition services. Agencies and vendors alike have been dealing with the fallout of HHS’s decision for the last several months.

  6. Why a ‘satisfactory’ rating is a bad thing for contractors

Vendor ratings are one of those stories that will have long legs in 2020 and beyond. This story caught the eye of our readers because it’s one of those issues that many have known about, but maybe were afraid to discuss publicly. But with efforts by the Department of Homeland Security and the Office of Federal Procurement Policy, it’s clear change is coming.

  7. How a simple tweet opened frustration floodgates over security clearances

Stories on security clearances just keep giving and giving. This one, however, came unexpectedly because Rep. Will Hurd (R-Texas) offered up an opinion that many would agree with, but caused an outburst of comments, both positive and negative, that was surprising. The good news is the new National Background Investigations Services is making progress in reducing the backlog, but not enough to tamp down the frustration.

  8. RPA more than a passing fad, just look at the data

There may be no new technology over the past two decades that caught on like robotic process automation. This story was an early-year look at the trends from fiscal 2018 and the prospects for 2019 through now well-known use cases. NASA, the General Services Administration and the Bureau of the Fiscal Service at the Treasury Department were among the agencies out in front showing the real savings of RPA.

  9. GSA, DoD kick off first test with new streamlined acquisition approach

With all the talk about the use of Other Transaction Authority (OTA), the Commercial Solutions Opening (CSO) authority that GSA received in the 2017 defense authorization bill came to the forefront last summer. GSA issued the first CSO solicitation for the Defense Department’s Joint Artificial Intelligence Center (JAIC). It’s unclear if GSA ever made the award, but there is a lot of excitement over what many see as an easier approach to federal acquisition.

  10. Why DoD’s decision to make cybersecurity an ‘allowable cost’ matters

There was no surprise that this story made the top 10 list. Vendors are concerned about the implementation of the Cybersecurity Maturity Model Certification (CMMC) in fiscal 2020 and beyond, and the announcement that the Pentagon will allow this effort as an allowable cost was significant. Now how that process will work and how much DoD will allow still is unknown, but the fact is the CMMC is coming and any news about it attracts readers.


After six years, OMB, GAO still at odds over data center initiative


The ninth version of the Federal IT Acquisition Reform Act (FITARA) scorecard brought some of the highest marks in five years. But it also reminded the House Oversight and Reform Subcommittee on Government Operations that some old habits don’t die easily.

Not every agency chief information officer reports directly to the secretary or deputy secretary.

Disagreements over data center consolidation versus optimization continue and likely will heat up over the next six months.

And agencies continue to struggle implementing a key piece of the Modernizing Government Technology Act.

Carol Harris, the director of IT management issues at the Government Accountability Office, said her three priorities for 2020 are:

  • Data center consolidation
  • CIO reporting structure
  • Establishment of working capital funds under the Modernizing Government Technology Act

So with those three in mind, here are my three takeaways from the FITARA 9.0 hearing.

Working capital funds are not working

Rep. Will Hurd (R-Texas), one of the authors of the MGT Act, has said for years the real achievement with the law is not the Technology Modernization Fund, but the authority for each agency to set up technology savings accounts.

While the TMF gets a lot of the attention, Hurd, Rep. Gerry Connolly (D-Va.) and others who created the MGT Act believe agencies will get out of technical debt only by modernizing technology, saving money from that effort and repurposing the savings for other projects.

The problem so far is few agencies have taken steps to set up these new savings accounts, partly because so many already have some sort of working capital or revolving fund.

So far, only four agencies — the departments of Agriculture, Labor and Homeland Security and the Small Business Administration — plan to set up, or have set up, an MGT Act-authorized fund.

And it looks as though NASA may not be joining that list anytime soon.

At the hearing, Renee Wynn, the NASA CIO, said that the space agency completed an initial analysis last summer, but wouldn’t make a decision until next summer.

The timing of the final decision seemed much longer than necessary. But Wynn said in an interview after the hearing that the analysis detailed the working capital authorities, both current and potential ones.

“We’ve laid all of that information out and now are trying to figure out what information our senior leaders will need to make the decision, and we are looking at staffing plans associated with it. I think we will need some top-notch accountants,” she said. “So pulling together an entire implementation plan with a presumption that they will say ‘yes’ is what we want to get ready for when we go to decision.”

Wynn said it’s unclear whether NASA will need new legislative authority.

In the meantime, Wynn said NASA received a $10 million line item from Congress in fiscal 2019 for IT modernization and a similar request is part of the fiscal 2020 budget.

Wynn said that money is specifically for the CIO to use to do the analysis and run the IT modernization process.

Of course, $10 million to make decisions and run processes is far different than having a dedicated savings account specifically for transformation efforts.

Six years of debating data centers

Since 2013, the Office of Management and Budget and the Government Accountability Office haven’t agreed on the goals of the data center consolidation initiative.

GAO, for the most part, has consistently banged the cost-savings drum.

OMB, on the other hand, has floated between savings and optimization over the last six years. In fact, at the June FITARA hearing, OMB rolled out the latest data center policy, which Connolly said was too focused on optimization, not enough on savings, and inconsistent with the law.

Six months later, OMB and GAO remain at odds.

Carol Harris, GAO’s director of IT management issues, said because of the policy change, GAO didn’t grade agencies on their data center efforts in June.

“OMB’s guidance is now final and unfortunately the concerns I raised at the last hearing about the revisions remain unchanged,” Harris told the subcommittee. “Among other things, OMB’s guidance revises the classification of data centers and data center optimization metrics. For example, OMB’s new data center definition excludes 2,300 facilities that agencies previously reported on in fiscal 2018. Many of these excluded facilities represent what OMB itself has identified as possible security risks. Some are also large facilities that agencies will keep operating but will no longer be reporting on.”

Harris pointed to the Social Security Administration and the Department of State as two of those examples. SSA has five data centers over 8,000 square feet and State has two over 10,000 square feet whose progress against the policy’s goal OMB will stop tracking.

“There are 194 data centers over 1,000 square feet for which closure progress will no longer be reported as a result of the redefinition,” she said. “The changes will likely slow down or even halt important progress agencies should be making to consolidate, optimize and secure their data centers.”

At the heart of this debate is the reality of agency needs and the belief by GAO and lawmakers that agencies are leaving billions of dollars in savings on the table, much of which could be used for other IT modernization efforts.

In fiscal 2019, the governmentwide total for data center savings was only $68.8 million, according to the federal IT dashboard. That was way down from the previous three years when the governmentwide total was between $634 million and $856 million. Over the last four years, agencies saved more than $2.2 billion.

Source: Federal IT Dashboard.

Connolly and Rep. Mark Meadows (R-N.C.) both pushed GAO to place a deeper focus on implementation and compliance with FITARA, particularly around data center consolidation.

“That [data center consolidation] is where the savings are. If we are going to retire these legacy systems, if we are going to reinvest in the enterprise, that’s why we are concerned about OMB’s guidance on what will be acceptable. We want explicit language that says close them and consolidate them,” Connolly said. “We were worried, and we thought we had gotten reassurance that this new guidance that included the vague term optimization would allow people to avoid consolidation and achieve these savings.”

Harris said the new OMB policy is a significant step backwards from where the government was four years ago.

“With this redefinition of data centers, we are losing visibility into 2,300 facilities and that’s a problem because agencies are going to lose focus on consolidation being a top priority. In addition to that, there are security risks associated with not monitoring these facilities, even if you aren’t going to consolidate them,” she said. “We have ongoing work right now evaluating the OMB guidance. We do expect to issue that report sometime soon. We will make recommendations to OMB which will include taking another look at the policy and the classification of the data centers.”

Respect my authority

One reason both NASA and the Homeland Security Department received improved grades on the scorecard is the changes both agencies made around their CIOs’ reporting authorities.

NASA Administrator Jim Bridenstine recently signed off on a memo changing the CIO’s reporting structure.

“I have access when needed,” Wynn said. “The NASA CIO and most of the center CIOs sit on all key NASA decision-making councils, and the CIO has direct authority and oversight over center CIOs including their IT and acquisition decisions. Within NASA, IT is now regarded as a strategic agency resource with the CIO having clear authority to approve the agency’s IT spend plan.”

Source: GAO testimony on FITARA 9.0 hearing.

Wynn said the best example of the change happening across NASA is with the Artemis Program, which is the effort to return to the moon.

“In order to address the new and unique cyber risks and challenges posed by human spaceflight generally, and in particular by Artemis, OCIO is partnering with the Human Exploration and Operations Mission Directorate (HEOMD) and its Advanced Exploration Systems Division at Headquarters. An OCIO representative will attend vital staff-level and leadership meetings, providing immediate OCIO input on programmatic matters,” Wynn said in her written testimony. “This partnership will allow the OCIO representative to better understand HEOMD’s programs and processes, while helping HEOMD identify and resolve any cyber gaps. The OCIO representative will directly support the Artemis team in evaluating cybersecurity requirements; ensuring an integrated approach to addressing cybersecurity risks; and making certain that cybersecurity considerations are included at the outset of this groundbreaking work.”

The Homeland Security Department CIO has had authority over IT spending worth more than $500,000 for almost the entire life of the department. In 2019, acting CIO Beth Cappella said her office reviewed more than 530 procurement requests.

“In conjunction with our counterparts in Office of the CFO and Office of the Chief Procurement Officer, we are working to expand CIO visibility into all IT expenditures,” Cappella said in her written testimony. “As a first step, we are using the Technology Business Management (TBM) taxonomy as a mechanism to enhance visibility. To date, the department has completed an alignment of its IT investments through the capital planning and investment control (CPIC) process to the TBM taxonomy to provide more transparency into IT planned spending for fiscal 2021. This was submitted to the Office of Management and Budget (OMB) on Sept. 20. This alignment will enable DHS to better track all IT spending across the department and benchmark spending, identify opportunities for improvement, and help increase the taxpayer value of IT.”

Despite progress at NASA and DHS, there still are five agencies—the departments of Health and Human Services, Justice, Labor and State and the Nuclear Regulatory Commission—whose CIOs do not report directly to their agency’s top leadership.

The Government Accountability Office said DHS and the U.S. Agency for International Development received partial credit because of changes they made in the reporting structure. Overall, GAO says CIOs still do not have the full set of authorities FITARA and other laws give them.

“Laws such as FITARA and related guidance assign 35 key responsibilities to agency CIOs to help address longstanding IT management challenges. In August 2018, GAO reported that none of the 24 selected agencies had established policies that fully addressed the role of their CIO. GAO recommended that OMB and the 24 agencies take actions to improve the effectiveness of CIOs’ implementation of their responsibilities. Although most agencies agreed or did not comment, none of the 27 recommendations have yet been implemented,” GAO states. “According to FITARA, covered agencies’ CIOs are required to review and approve IT contracts. Nevertheless, in January 2018, GAO reported that most of the CIOs at 22 covered agencies were not adequately involved in reviewing billions of dollars of IT acquisitions. Consequently, GAO made 39 recommendations to improve CIO oversight for these acquisitions. Since then, 23 of the recommendations have been implemented.”


GAO’s report on the Technology Modernization Fund puts OMB on the offensive

When it comes to reports from the Government Accountability Office, a strong majority of the time agencies go along to get along. Disagreeing with auditors just isn’t worth the effort, most federal managers would agree.

But when there are cases where aggressively pushing back is almost mandatory, well, watching from the sidelines—like most of us do—is a fascinating experience.

This is the case with GAO’s recent report on the implementation of the Technology Modernization Fund (TMF).

The Office of Management and Budget and the General Services Administration didn’t just dispute GAO’s conclusions, but sought to discredit the report altogether.

In one case, OMB’s Deputy Director for Management Margaret Weichert said in a letter responding to the draft report that GAO’s facts, assumptions and recommendations are misleading, at best, and paint an incomplete picture of the TMF.

GSA Administrator Emily Murphy, a former Congressional staff member, used a lighter touch in her response letter, but still used words like “shortsighted” about GAO’s findings and expressed “concerns” over auditors’ conclusions.

While the forcefulness of the response likely stems from OMB and GSA truly disagreeing with the results and methodology, part of the response is clearly driven by how the Senate, in particular, has not supported the TMF over the last two years.

$25 million for 2020

In fiscal 2019, the administration asked for $210 million. The House approved $150 million in its initial allocation and the Senate zeroed out the fund totally. In the end, the TMF Board had $25 million to loan out.

In 2020, the White House asked for $150 million and so far the House approved $35 million and the Senate, once again, zeroed out the funding.

So a negative GAO report may not bode well as lawmakers finish up the 2020 spending bills this week. The final version of this year’s spending bill includes $25 million for TMF.

“OMB will continue to leverage the TMF to drive administration and congressional IT modernization priorities,” Weichert wrote in response to GAO’s report. “We encourage Congress to provide the necessary funds to the TMF so OMB and GSA can more effectively manage the legitimate operational issues caused by underfunding the TMF, and most importantly, to ensure that the TMF will remain a key lever to drive transformational change in citizen service delivery that taxpayers deserve.”

OMB also told GAO that some of the TMF’s challenges were because Congress hadn’t approved the $438 million the administration requested in fiscal 2018 and 2019.

GSA’s Murphy furthered the case for Congress to fund the program.

She wrote, “The TMF is operating as intended by Congress—agencies are using the awarded funds from the TMF for critical modernization projects that will enhance mission performance and the high quality of citizen-facing applications.”

The need to make their case both through their likely coordinated response to GAO and in public is clear, as the auditors’ assessment of the TMF wasn’t pretty.

Cost recovery is delayed

In the highlights of the report, GAO says GSA is spending $1.2 million to oversee and manage the fund, but fees charged to the agencies receiving the loans totaled about 3%, or $33,000, leaving the program management office deep in the red. GAO says GSA will not cover its administrative costs for the TMF until 2025 based on the current rate of fees collected.

But the concerns go beyond GSA’s ability to pay for the program management office. If you dig deeper into the report—which it is questionable whether lawmakers and their staff actually will—you will see that four of the projects are delaying their requests for funds from the board. The Agriculture Department’s Farmers.gov portal will not ask for the final $6 million of its $10 million loan until 2020. USDA also is asking for only $500,000 total out of the $4.5 million the board awarded for its infrastructure optimization project.

The departments of Energy and Housing and Urban Development also are either delaying the payout of their loans or now asking for less overall.

This means four out of the nine projects already are facing scope changes. This seems to support GAO’s claim that agencies didn’t do a good enough job estimating costs and savings.

“Based on our analysis of the cost estimates for the seven TMF-funded projects, the reported savings estimates that were derived from those estimates cannot be considered reliable. Officials responsible for developing the cost estimates for each of the projects did not incorporate all of the best practices for a reliable cost estimate, as defined in the GAO guidance and OMB Circular A-11,” GAO states.

The entire premise of the TMF is for it to be a revolving fund where agencies pay back the loans so others can apply for money in the future.

“Agency officials responsible for developing the cost estimate for each of the seven projects all confirmed that they were instructed to use the project cost estimate template to report their projects’ cost and savings estimates,” GAO states. “In addition, these officials acknowledged that they did not follow their own internal cost estimate development processes or GAO best practices when developing their estimates.”

Cost estimating guidance under debate

This is also one area where GSA and OMB pushed back against GAO’s conclusions.

Weichert said agencies do not necessarily have to follow GAO’s cost estimating guide, and instead must follow the requirements set out in Circular A-11.

Weichert said in her letter that in regards to the requirement to follow GAO’s cost estimating guide, “we informed GAO at every available opportunity that simply isn’t true.”

Similar to what OMB said with the Antideficiency Act, GAO can make suggestions, but that’s all they are because of the constitutional doctrine of the separation of powers between the different branches of government.

GAO rebuked this change in policy.

“Since OMB first introduced its cost estimating appendix to Circular A-11 in 2006, the circular has stated that the appendix is based on the GAO cost estimating guide,” auditors wrote. “Specifically, the circular stated that the appendix is based on GAO’s ‘guide to their auditors on how to evaluate an agency’s cost estimating process, and the reliability and validity of the data used to develop the cost estimates. Following these guidelines will help agencies to meet most cost estimating requirements.’”

The other data that stands out in the report is when the nine projects will begin paying back their loans. Under the TMF rules, agencies have five years to use cost savings to reimburse the fund.

GAO says Energy’s move to cloud email will take all five years—three years longer than first estimated—to pay back the money, while USDA’s infrastructure optimization and GSA’s NewPay projects are unsure of when they will be able to repay the fund.

Meetings cancelled

The disagreement in the report goes deeper than just processes. GAO and OMB spar over the sharing of information, meetings and overall methodology of the review.

“First, in meetings with staff from OMB’s Office of E-Government and Information Technology, we obtained information from the staff in all of the areas noted by OMB in its letter. In our report, we discuss OMB’s role in the fund’s administration and the approval process for TMF proposals, as well as OMB’s guidance in these areas,” auditors state. “Further, we made ourselves available to engage with OMB throughout the course of the audit. For example, we arranged a meeting with the Federal CIO and her staff to discuss the administration of the TMF and to present our preliminary observations, but the meeting was cancelled by the Federal CIO’s office due to scheduling constraints and not rescheduled.”

GAO also stated OMB disagreed with its characterization of the TMF repayment process and the assumptions about potential insolvency of the fund.

“Our report did not make a conclusion that the fund was insolvent, or that the fund was on track to being insolvent,” GAO stated. “Rather, our report discusses the factors affecting administrative fee collection and the impact these ongoing challenges have on the TMF Program Management Office’s ability to pursue a full cost recovery model and recover all costs by fiscal year 2029, as GSA intended. In addition, we acknowledged the Program Management Office’s efforts to reduce its operating costs in fiscal year 2019 (to under $1 million).”

OMB, on the other hand, said GAO rejected many of its suggested changes to the statement of facts, which “we believe contributes to inaccurate conclusions regarding how the TMF is administered.”

The back and forth between OMB and GAO demonstrates a larger problem that this administration and the two before it suffered from: a lack of communication with lawmakers and their overseers. OMB wouldn’t have to worry about potentially damaging GAO reports if it just spent more time on Capitol Hill talking about all the good the TMF is doing beyond just the loaning of a few dollars.


Should you be concerned over OMB’s decision that GAO’s antideficiency determinations are non-binding?

Back in September the Government Accountability Office released a 25-page report to House and Senate leaders describing nine new violations of the Antideficiency Act, some dating back to spending in 2000.

The Government Accountability Office said the Defense Department, including the Army, had three violations worth more than $13 million, and the Commerce Department had two violations worth more than $35 million. The departments of Justice, Veterans Affairs and Agriculture also reported breaches of the law.

On the same day, Sept. 23, GAO also wrote to Congressional leaders about the Office of Management and Budget’s change to Circular A-11 in which the administration departed from long-standing policy. In the June circular, OMB tells agencies if GAO finds a possible violation of the law, agencies must submit a report to lawmakers if, in consultation with OMB, they agree with the findings.

Six weeks later, OMB General Counsel Mark Paoletta sent a letter to agency general counsels further clarifying the A-11 change and the administration’s expectation going forward.

“When an agency of the Legislative Branch interprets a law differently than the Executive Branch, the Executive Branch is not bound by its views. ADA reporting requirements should reflect this principle,” Paoletta wrote. “OMB respects GAO’s opinions as those of an agency of a coequal branch of government. However, under the constitutional doctrine of separation of powers, a legal opinion by a Legislative Branch agency cannot bind the Executive Branch.”

OK, so what does all this mean? Well, as agencies are finalizing their fiscal 2019 financial statements and face the possibility of another government shutdown — though a lot less likely than previously thought — the Antideficiency Act becomes front-and-center.

And OMB’s policy change will impact decisions made by CFOs and deputy secretaries as well as program managers and many others in government.

The Antideficiency Act underpins federal spending processes and violating the law puts agency managers at risk.

First, let’s start with the definition of the Antideficiency Act, which has origins dating back to 1884 and which was updated twice: in 1950 and again in 1982. The Congressional Research Service offered this helpful explanation in a 2018 report:

“The act, which evolved over time and is located in Title 31 of the U.S. Code, prohibits federal officials from obligating funds before an appropriations measure has been enacted, except as authorized by law. The act also prohibits federal officials from accepting voluntary services or employing personal services exceeding what has been authorized by law. Therefore, the Antideficiency Act generally prohibits agencies from continued operation in the absence of appropriations.”

$5,000 fine, 2 years in jail for violation

Before you roll your eyes and say this is some archaic minutiae of appropriations legislation, keep in mind, federal employees who “knowingly and willfully” violated the law “shall be fined not more than $5,000, imprisoned for not more than 2 years, or both.”

The American Action Forum, which describes itself as a center-right think tank on economic, domestic, and fiscal policy issues, writes that GAO says while no federal employee ever appears to have been prosecuted or convicted under this statute, the mere potential for criminal, indeed felony, prosecution does appear to enhance compliance with the act.

Some in Congress want to increase the penalties for violations. In 2018, Rep. Paul Mitchell (R-Mich.) introduced the Antideficiency Reform and Enforcement Act, which would’ve let agency leaders fire or suspend employees who violated the law and offered cash incentives for those who report violations. The House Oversight and Reform Committee passed the bill, but it never advanced to the full body.

Let’s go back to OMB’s decision now that we’ve established why you need to know about this law.

Multiple current and former federal officials say OMB’s decision is questionable at best and bad government at worst.

Shirley Jones, the GAO’s managing associate general counsel, said there are examples going back as far as 1987 of agencies having to report violations of the Antideficiency Act to GAO, so for OMB to change course is unusual.


She said the decision by OMB hasn’t changed how GAO will analyze and report violations to Congress.

“OMB did not come to GAO before it revised A-11, which specifically sets out how the executive branch will report violations,” Jones said. “What is striking for me is the fact that OMB cites opinions and Supreme Court cases that go back over 30 years. They speak to separations of powers, but GAO has always been in the Legislative Branch, but OMB’s own guidance for years has said they should report to the President and Congress when GAO determined there was a violation.”

Historically, OMB gave deference

David Walker, the former Comptroller General of the U.S., said the OMB memo is another example of the Trump administration’s continued resistance to providing timely information to oversight bodies.

“Technically OMB is accurate that GAO opinions are not legally binding, but the same can be said about OMB’s general counsel opinions. Historically the executive branch has given great deference to GAO opinions,” said Walker in an interview with Federal News Network. “Any federal employee should be very concerned if they are doing something that may violate the law given the civil and criminal penalties that come from violating the Antideficiency Act.”

Doug Criscitello, a former CFO at the Department of Housing and Urban Development and now a managing director of the public sector for Grant Thornton, said OMB’s decision may put agencies in a tough place of spending in a manner that is inconsistent with GAO’s views.

“More broadly, the emphasis on the principle of separation of powers seems a bit overblown in the memo. Clearly, the notion of separation of powers isn’t absolute given that executive and legislative powers and responsibilities intentionally intersect and are too interconnected to be completely separate,” Criscitello said in an email to Federal News Network. “To illustrate the point, when GAO reports Antideficiency Act violations to the Congress, the transmittal letter is sent to the Speaker of the House and the President of the Senate – who is the Vice President of the U.S. Rather than full separation of powers, the branches compete and disagree on various matters under their perceived purviews. The budget process is one area where there’s obvious overlap given Congress has the power of the purse and the President is responsible for budget execution. Having GAO serve as an agent of the Congress in ensuring funds are spent in accordance with the Antideficiency Act would appear to be a reasonable check on the executive branch.”

OMB is clear in the memo that agencies still must report violations of law, but only based on Executive Branch determinations.

“It is silent as to how an agency is to act when the agency disagrees with GAO’s finding of an ADA violation,” the OMB letter stated. “This silence does not constitute or equate to OMB directing the agency to refrain from responding to GAO or to Congress. Rather, the intent of the change was to emphasize the fact that providing a report to Congress under such circumstances is at the agency’s discretion. The agency is free to correspond with Congress to address these matters, and Congress is free to inquire of the agency to ask for the agency’s views on any such GAO report.”

The decision not to report a violation, or to proceed when OMB disagrees with the agency’s conclusion, becomes much riskier and is probably not worth endangering your career over.


OMB’s Cornelius to lead industry association

The end of the calendar year usually brings a flurry of federal executives moving into new jobs or retiring, and this one is no different.

Among the biggest losses is Matthew Cornelius, who left the Office of Management and Budget after almost three years to become the executive director of the Alliance for Digital Innovation (ADI), an industry association. His first day at ADI was Dec. 9.

“Commercial innovation is essential for a modern digital government. While at OMB, Matthew was a true thought-leader driving cloud-forward technologies into the federal government,” said Rich Beutel, who is on the board of directors of ADI and helped get the association started, in an email to Federal News Network. “We welcome Matthew as the new executive director to drive our message on a full-time basis going forward.”

Cornelius is another one of those behind-the-scenes OMB policy folks who make a significant difference and important contributions that most people don’t realize.


During his time at OMB, he worked on implementing the Modernizing Government Technology (MGT) Act and ensured the IT modernization goals of the President’s Management Agenda were met.

“I’m leaving at a good time for me and for the Office of the Federal Chief Information Officer,” Cornelius said in an interview. “I was looking for an opportunity to step away and take on a smaller and more nimble organization and this seemed like a good opportunity. I want to see what life is like outside of government.”

The one skill he will definitely take with him is the ability to herd cats, a skill he will need as an industry association executive getting different organizations to see the way forward.

During his tenure at OMB, Cornelius said he was most proud of getting the MGT Act passed and then helping to implement it, including the Technology Modernization Fund (TMF).

“It is very rare you get to build a new program with such a high level of visibility among Congress, the administration and industry. It was a tremendous learning experience,” he said. “TMF will benefit agencies far beyond the $125 million appropriated and the $90 million loaned out across the nine projects. It has changed the way agencies think about how to fund and how to get better results for IT projects.”

He said he’s also proud of the progress and successes of IT modernization in the PMA in terms of helping agencies provide better and more responsive services.

At ADI, Cornelius says he wants to continue to improve the federal market’s capabilities for buying and using technology.

“The first thing I plan to do is talk with our member organizations and understand the goals of those companies,” he said. “How can we put in place better policies that lead to a new way of thinking about these technology and acquisition problems that have plagued government for so long? What are the best ways we can partner with the government to move in a cohesive direction?”

ADI launched in 2018 and there is concern among some in industry that it’s mostly to promote the view of Amazon Web Services and its partners. There currently are 17 members listed on ADI’s website, including Salesforce, Veritas, Telos and VMware.

Along with OMB, Cornelius worked at the General Services Administration and the Treasury Department during his five-year stint in government.

It’s unclear who will replace Cornelius at OMB.

VA, OPM, USDA tech leaders on the move

The Department of Veterans Affairs is losing a key technology executive, while the Office of Personnel Management, the Federal Communications Commission and the Agriculture Department are bringing new ones on.

Bill James, the deputy assistant secretary for development and operations at VA’s Office of Information and Technology, left the government after three years.


A VA spokesman confirmed James left in early December and the agency hasn’t named a replacement yet.

James launched his own consulting firm to help companies sell to the federal government.

During his tenure at VA, James helped move VA toward a DevOps culture, focusing on mission and customer engagement on the front end.

One of his big successes was helping to launch the updated version of VA.gov, which sparked more code sharing and ended up increasing health care applications by 51% and producing a more than 200% increase in use of the MyVA311 number.

At USDA, Tim McCrosson is joining as an associate CIO for the Client Experience Center in the Office of the CIO.

In that role, he will lead the delivery of technology, associated operations, security and technical-support services to more than 45,000 USDA end users located in more than 3,400 field, state, and headquarters offices across the U.S. and its territories.

He comes to USDA from the Department of Homeland Security where he spent the last two-plus years as the Cybersecurity and Infrastructure Security Agency’s deputy chief of the cyber performance branch.

In that role, McCrosson worked in the Federal Network Resilience Division to help agencies understand cybersecurity challenges and support decisions to better protect government data and systems. He also worked with agencies to collect governmentwide Federal Information Security Management Act data, hold CyberStat sessions and consider new methods for making risk-informed decisions.

While McCrosson comes to USDA, Francisco Salguero is leaving the agency to become the FCC’s CIO.

Salguero replaces Christine Calvosa, who left in May to join the private sector.

He had worked at USDA since 2004 in a variety of roles, including as CIO of the Rural Development bureau and eventually deputy CIO of the entire agency.

FedScoop was the first to report Salguero’s move.

Karl Alvarez announced on LinkedIn that he is the new associate CIO for management and policy at the Office of Personnel Management.

Alvarez’s arrival helps to rebuild an OPM CIO staff that has seen a fair amount of turnover in the last few years.

He comes to OPM from the Department of Health and Human Services, where he spent nine years working in assorted roles including the last two as the executive officer to the agency’s CIO.

In the acquisition community, Jaime Garcia is joining the IRS after spending the last two years as the section chief for Contract and Finance Management for the National Risk Management Center (NRMC) at DHS.

Garcia, who announced the new job on LinkedIn, will be an acquisition manager for the tax agency working to create innovative and agile contracts.

A couple of other noteworthy changes you may have missed over the last few months:

  • Ed Wilson, the deputy assistant secretary of Defense for cyber policy since February 2018, left on Nov. 15.
  • Earl Warrington left GSA after 24 years to join the Small Business Administration. Warrington is the IT program manager for SBA after serving in a variety of roles at GSA including as the assistant deputy associate administrator in the old Office of Citizen Services and Innovative Technologies and director of category management.
  • Marcy Jacobs left as the executive director of VA’s digital service to join McKinsey and Company as an associate partner. Jacobs, who also spent two years working for the U.S. Digital Service, won a 2018 Service to America medal for her work to improve Vets.gov.

If you know of other “people on the move” in the federal community, don’t hesitate to send me a note.


SBA ‘beats the odds’ by finalizing several major contracting regulations

In November 2018, Federal News Network and procurement expert Larry Allen set some odds about whether certain acquisition regulations would be completed sometime in 2019.

For the most part, the odds makers were not optimistic, given that during 2017 and 2018, FAR rules that were either proposed or finalized were scarce.

So here we are a year later, and it’s nice to be able to report that the Small Business Administration, at least, may just have beaten the odds on several important procurement provisions.

Over the last few weeks, SBA finalized rules to improve the HUBZone program, to change the way the government calculates small business sizes based on earnings, and a half dozen other rules that have been in the works since 2015.

Each of these rules is trying to address some sort of systemic problem in the federal contracting market. Why it took, in some cases, three years to get through the system is unclear. The lack of a permanent administrator in the Office of Federal Procurement Policy, the Trump administration’s dislike of regulations, or just the slow nature of getting a rule through the Federal Acquisition Regulations Council are all possibilities.

“We have been waiting for them to come out,” said Tony Franco, a senior partner with the law firm PilieroMazza. “They provide clarity on a number of issues, particularly how small businesses may comply with the subcontract limitation requirements and how independent contractors may be treated. There is a great deal of confusion in the community on those issues so this is helpful.”

The new calculation of small business earnings is among the most important new rules.

This final rule, which takes effect Jan. 6, changes the calculation of average annual receipts for all of SBA’s receipts-based size standards to a five-year average from the current three-year average.

“SBA adopts a two-year transition period through Jan. 6, 2022. During the transition period, a firm may choose between calculating receipts using a three-year average or a five-year average,” the agency states in the rule. “With an expanded pool of small businesses, the federal government will have more qualified small businesses to choose from, and as a result, likely will set aside more contracts for small businesses. SBA also agrees with commenters that the five-year averaging period will allow more small firms to benefit from SBA’s small business assistance programs by extending their small business status for a longer period. The change would also enable small businesses that have just exceeded their size standards to regain their small business status and to benefit from federal small business assistance. SBA believes that the change to a five-year averaging period will expand benefits to all small businesses over the long-run, although the proposed change would have led to some negative impacts in the short-run.”

Matt Schoonover, the managing partner of Koprince Law, said there are two big takeaways from this final rule. The first is the move to five-year calculations rather than three-year.

Second, he said, through this rule the SBA is clarifying its plans to implement the Runway Extension Act, which became law in 2018.

“Some were concerned that some businesses would be hurt by the law if they had declining revenues over the five-year period, but because years four and five were higher, they would make the company ineligible as a small business,” Schoonover said in an interview. “I think it’s good that SBA has given companies a choice to elect to go with three- or five-year revenues for a two-year period, through January 2022.”

Major update to HUBZone program

Next on the list is the HUBZone final rule, which becomes effective on Dec. 26.

This comprehensive revision is trying to fix many of the problems that plagued the 1997 law.

“The rule is intended to make it easier for small business concerns to understand and comply with the program’s requirements and to make the HUBZone program a more attractive avenue for procuring agencies,” SBA states in the final regulation. “SBA recognizes the challenge many firms face in attempting to meet the requirement that at least 35% of the firm’s employees live in a HUBZone. Firms with a significant number of employees may have a hard time meeting this requirement because it is often difficult to find a large number of individuals living in a HUBZone who possess the necessary qualifications. Smaller firms also have a hard time meeting this requirement because the loss of one employee could adversely affect their HUBZone eligibility.”

Agencies have never met the governmentwide goal of awarding at least 3% of all contracts to HUBZone companies. In fiscal 2018, SBA said agencies awarded just 2.05%, up from 1.65% the year before.

“The SBA is doing what they can or what they think is appropriate to help make compliance with the program easier while still making sure the goals of the program are met. Sometimes, those two inclinations can conflict, but I think SBA is doing a good job of trying to say what can we say to give some assurance to the program so people can trust it when they issue awards,” Schoonover said. “There definitely are some changes that are needed for the HUBZone program. A lot of times HUBZone small businesses are spending so much time and effort to maintain compliance that at the end of the day, some questioned whether the hassle was worth the benefit.”

Schoonover added the final rule should help both HUBZone companies and contracting officers and, in the end, increase the number of companies receiving awards.

SBA said the final rule requires only annual recertification that the company qualifies rather than proof after every award.

“This reduced burden on certified HUBZone small businesses will allow a firm to remain eligible for future HUBZone contracts for an entire year, without requiring it to demonstrate that it continues to meet all HUBZone eligibility requirements at the time it submits an offer for each additional HUBZone opportunity,” SBA states. “The concern would be required to come into compliance with the 35% HUBZone residency requirement again at the time of its annual recertification in order to continue to be eligible for additional HUBZone contracts after the one-year certification period.”

Schoonover said changing the residency requirement also is a big deal.

“The SBA is trying to put some level of objectivity now by helping to define what it means to attempt to maintain residency compliance,” he said. “If a company falls below 20% of employees who live in HUBZone, SBA has determined that the company is not attempting to maintain eligibility. The former requirements were more subjective.”

Bundling and subcontracting changes

The third and final set of regulations has been a long time coming, with some provisions dating back four years.

Among the areas this regulation addresses are more public notification of contract bundling, expanded oversight for procurement center representatives, and double credit for agencies that award disaster contracts.

Among the most significant is the new requirement for agencies to publish within seven days the details of a substantial bundling of contract requirements.

Another update authorizes agencies to receive double credit for small business goaling achievements on SBA’s scorecard when they award contracts to local area small businesses in connection with a disaster.

A third change lets procurement center representatives review any acquisition regardless of whether it is set aside, partially set aside, or reserved for small business.

PilieroMazza’s Franco said the rule also “tightens up and clarifies subcontracting plan requirements for large firms that need to meet small business and socio-economic goals. Because the SBA had issued proposed rules a year ago, on Dec. 4, 2018, the government contracting community is not particularly surprised by the final rules which go in effect at the end of this year.”

Franco added that while these final rules are important, SBA continues to make other major changes to small business contracting programs.


Amazon’s protest of GSA’s e-commerce platform RFP tells us why the silly season is in full swing

This story was updated on Dec. 10 with a comment from Amazon.

There may be no better indicator that the General Services Administration’s e-commerce platform solicitation is facing a host of uphill challenges than the fact that the company many believe will be the ultimate winner filed the first protest.

Federal News Network confirmed that Amazon fired the first salvo in the federal e-commerce war.

Government sources say the Seattle, Washington company submitted an agency-level, pre-award protest in November.

Sources say Amazon challenged whether GSA’s market research was sufficient, and it questioned some of the terms of the solicitation, particularly around compliance with laws like the Competition in Contracting Act, the Federal Acquisition Streamlining Act and even the provision in the 2018 defense authorization bill requiring GSA to set up an e-commerce marketplace in the first place.

Government sources confirmed GSA has dismissed the protest and will take corrective action to clarify and strengthen the request for proposals to further meet the expectations of commercial e-marketplace platforms.

“We applaud the GSA for transforming the conversation and reevaluating the solicitation to ensure the procurement process is fair for all participants,” said Anne Rung, director of public sector, Amazon Business, in a statement on Dec. 10 to Federal News Network. “Thousands of government customers are already purchasing commercial items from e-marketplaces, including Amazon Business, to streamline their procurement and save taxpayers’ dollars.”

The fact that Amazon decided to submit a pre-award protest doesn’t bode well for a program some believe is already in trouble.

Roger Waldron, the president of the Coalition for Government Procurement, who also hosts Off the Shelf on Federal News Network, said Amazon’s decision to submit a pre-award, agency-level protest is significant.

“To the extent the protester argues that the RFP terms are inconsistent with commercial practice, the law has been clear for a quarter of a century. FASA prescribes the use of commercial terms/practices to the maximum extent practicable. Section 846 likewise prescribes that sales be made, to the maximum extent practicable, under the standard terms and conditions of the portal provider. This language (to the maximum extent practicable) reflects the government’s obligation to balance its responsibilities to the public against a vendor’s terms and conditions,” Waldron said in an email to Federal News Network. “That is why transparency is paramount. The public needs to understand the nature of any RFP changes and whether they are consistent with the law. This is especially important here given the lack of analysis in GSA’s Phase II Report of e-commerce portal standard terms and conditions in context of government requirements.”

Waldron added that he believes schedule contractors will closely watch how GSA resolves Amazon’s challenge, because whatever GSA does could have a major impact on how agencies apply the “maximum extent practicable” standard. He said it will directly impact multiple award contracts, which operate under FASA and FAR Part 12.

$6 billion market for e-commerce

GSA has recognized the e-commerce program will not be easy to implement. Laura Stanton, GSA’s deputy assistant commissioner for category management in the Office of IT Category in the Federal Acquisition Service, told me in October that the RFP is all about creating a proof-of-concept to test out its theories.

GSA estimates that the e-marketplace platform will help agencies get their arms around as much as $6 billion in spending that is happening through government credit cards and other micro-purchase buys.

The Wall Street Journal reported in late November that Amazon, Walmart and eBay were among the companies that have expressed interest in bidding on the e-commerce solicitation.

Rung, the former administrator in the Office of Federal Procurement Policy, said in a June 2018 interview that the e-commerce platform will benefit the government in several ways, including better transparency and meeting customer expectations in a more commercial-like way.

Still, the fact that Amazon submitted what many would call a warning-shot bid protest (an agency-level protest isn’t public the way a filing with the Government Accountability Office or the Court of Federal Claims would be) doesn’t bode well for the long-term health of the program. This is especially true given how much research, time and industry feedback GSA has received over the course of the last few years. It means either GSA isn’t listening, industry isn’t clearly explaining its needs or desires, or the program just doesn’t make sense the way it is designed today.

This brings us back to the idea that maybe enhancing GSA Advantage is the better approach, and one even Congress could accept with only a little explanation, given that the program’s main supporter, Rep. Mac Thornberry (R-Texas), is not only no longer the chairman of the Armed Services Committee but is leaving office in 2020.

The protest silly season

Amazon’s agency-level, pre-award protest is just one of several impacting high-profile procurements, and let’s not even mention the four-letter Defense Department cloud program that Amazon also is unhappy about.

Some federal procurement lawyers say the fall is their busy season as contractors are reacting to awards made by agencies in the federal fourth quarter.

“Protests increase when contract awards increase, and because most awards happen toward the end of the fiscal year, you usually have protests in the next fiscal year after the briefings happened,” said Eric Crusius, a partner with Holland and Knight in Washington, D.C. “This year is on par with previous years in terms of the number of protests we are seeing.”

Big, multi-billion dollar RFPs from GSA, the Homeland Security Department and the Air Force, to name just three, have come under protest in the last few months alone.

GSA’s second generation IT services (2GIT) contract awards are facing protests from three companies. Red River Technology and Blue Tech, Inc. filed four and three separate complaints, respectively, with GAO, while Coast-to-Coast Computers continues its fight to force GSA to restructure the contract by submitting a complaint to GAO as well.

Emails to Red River and Blue Tech seeking comment and details of their complaints were not returned.

Air Force cloud contract delayed

Rick Vogel, the federal government sales manager for Coast to Coast Computer Products in Simi Valley, California, said in an email that their protest is not of the awards but of a perceived violation of the Federal Acquisition Regulation, and that it asks GAO to limit 2GIT use to the Air Force only and not allow GSA to make it a governmentwide contract.

GAO says it will decide the protests no later than late February or early March depending on when the company filed its complaint.

Over at the Air Force, Leidos submitted a complaint to GAO over the service’s $728 million award to SAIC to run its common cloud environment.

GAO says it will decide the protest no later than Dec. 30.

And finally, DHS may be facing a protest of its financial systems RFPs. Industry sources say Savantage has filed or is considering filing a complaint. GAO isn’t showing any protest on its docket, and an email to Savantage was not returned.

This wouldn’t be the first time Savantage expressed concerns over DHS’s plans to upgrade its financial systems. The company protested DHS’s 2010 RFP called TASC, and in 2016 it filed a complaint in federal court over the agency’s decision to move its financial management system to the Interior Department’s shared services center.

Crusius said the biggest difference this year when it comes to bid protests is there is less of a concern by vendors about suing their customers.

“I think part of the issue with protests is it’s become much more accepted by the government,” he said. “There used to be a huge concern that the agency wouldn’t want to do business with a contractor anymore if they sued them. But I hear much less concern from contractors about that. I think there is a recognition that protests aren’t personal, and because the customer understands protests are a part of the system.”


More boring cyber training? Not for these 72 HHS employees

Let’s face it, no one likes cybersecurity training.

The fake phishing attacks have made us all paranoid. The online courses are boring and, even though cybersecurity is critical, the time it takes to complete the training courses takes away from the mission.

But what if — think about it for a moment — cybersecurity training was interactive, collaborative and — hold on — even fun?

That’s what the Department of Health and Human Services attempted to do by hiring a vendor to run a cybersecurity escape room during Cybersecurity Awareness Month.

Janet Vogel is the chief information security officer at HHS.

“We [did] an escape room to teach the basics,” Vogel said at a recent AFCEA Bethesda event. “We have these windows of opportunities that we have to take advantage of like where people will rotate and observe at the security operations center or network operations center and get some experience so they understand it better. That sparks some excitement and they’ve learned something that they can apply. It also gets cyber into the language that everyone is using and their habits.”

HHS had eight teams, totaling 72 employees from eight operating divisions, participate in the escape room training.

“Each escape room training session was one hour, consisting of a five-minute introduction briefing, 20 minutes to complete the hands-on exercise, a five-minute quiz and 30 minutes of discussion on how to implement cybersecurity best practices covered in the training into daily work tasks,” an HHS spokeswoman said in an email to Federal News Network. “The escape room challenges included how to identify and use two-factor authentication, recognize phishing emails, identify personally identifiable information, find unsecure WiFi access points and physical computer security.”

Conrad Bovell, the director of information system security for the Financial Management Systems Group at the Centers for Medicare and Medicaid Services, said after the AFCEA event that the escape room concept was intriguing.

“It got my folks excited. They asked if they could do it,” Bovell said. “It’s a good thing to put them in a situation where they have to make decisions under a little bit of pressure.”

HHS hired Living Security to conduct the escape room exercise.

Not your typical training sessions

The HHS spokeswoman said the escape room concept is part of the agency trying to use different approaches to training.

“The idea to explore using a live interactive training exercise to reach more HHS employees is an expansion on the HHS Cybersecurity Awareness program, which already includes online training modules, in-person lunch-and-learn sessions, webinars, cybersecurity awareness articles, question of the week and ethical phishing exercises,” the spokeswoman said.

HHS followed the lead of the Federal Housing Finance Agency (FHFA), which also hired Living Security to conduct an escape room training earlier this year.

The HHS spokeswoman said the CISO’s office met with Taryn Jones, the senior IT specialist and cybersecurity awareness training lead at FHFA, to better understand how FHFA implemented the escape room concept.

Jones “provided a wealth of insight and knowledge about how to successfully operate the escape room experience. She also provided an outstanding demonstration to HHS Leadership, which was very well received,” the spokeswoman said. “Taryn emphasized the importance of all team members participating in the training exercise and added value to the group discussion after the activity. Group discussion gave the participants an opportunity to discuss real scenarios where they had encountered the cybersecurity topics reviewed in the training and how the scenario played out.”

An FHFA spokesman declined to comment on its cyber escape room experience.

Along with Living Security, there are a handful of other federal cyber companies offering similar experiences. The Thales Group offers a “mobile box” that is a 10-minute experience that uses clues, hints and strategy to help participants complete the puzzle. The SANS Institute also offers a similar experience to reinforce and teach cybersecurity best practices and principles.

This concept is becoming more and more attractive to other agencies.

Adrian Monza, the deputy CISO and chief security architect in the Information Security Division at the U.S. Citizenship and Immigration Services, said after the AFCEA event that Vogel’s mention of the escape room concept was the first he’d heard of it.

“It seems to create engagement and the opportunity to form relationships that may not happen otherwise,” Monza said. “I plan to reach out to Janet to find out more.”

The Massachusetts National Guard also hired a vendor to create a cyber escape room earlier this year.

Gathering feedback on escape room

As for HHS, the spokeswoman said the agency will measure the impact of the escape room exercise in a variety of ways.

She said the CISO’s office took participant feedback and conducted an online survey shortly after the exercise finished.

Some of the participants offered these comments:

“It was extremely interactive and I very much liked the discussion at the end. The discussion reinforced and explained some of the rules that I would have otherwise discarded as too burdensome or no true added security.”

“Very involved and nuanced; it showed that a lot of work had gone into the training and developing the tools; let me cover the content of a normal training in a much more engaging way.”

“The activity was fun and I liked working with a team. I also liked the post-test and discussion that followed the exercise.”

The spokeswoman said HHS will continue to elicit comments from participants.

“HHS will again survey the participants three weeks later by sending the participants 10 knowledge check questions to gauge retention of training concepts covered in the escape room exercise. Surveys will be emailed to each participant to obtain feedback and interest in this interactive learning approach,” she said. “Participant feedback will play a large part in the long term decision to continue the initiative. If participants provide positive feedback, I believe the escape room will become a part of the long term HHS cybersecurity awareness training and education strategy.”
