Reporter’s Notebook

jason-miller-original“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips  to Jason via email.

 Sign up for our Reporter’s Notebook email alert.

ITA CIO Caron moving on to industry

Gerry Caron, the chief information officer at the Commerce Department’s International Trade Administration, is leaving federal service after more than two decades.

Federal News Network has learned Caron is heading to a new job in industry. The specifics about where he is going is unknown. His last day at ITA will be May 31.

Gerry Caron is leaving after more than a year as the ITA CIO.

Caron, who is well-known on the federal speaking circuit, has been the ITA CIO since February 2023.

Before that, he was the CIO for the inspector general office at the Department of Health and Human Services and worked for the State Department for 18 years, including the last two years as director of enterprise network management.

Caron also has played a big role in helping drive the development of zero trust concepts through the CIO Council’s Innovation Counsel for Zero Trust.

During his time at ITA, Caron focused on moving ITA to a more modern network and security infrastructure. For example, he implemented phishing-resistant multifactor authentication, in part, by sending each of ITA’s employees a “YubiKey” authentication device to meet MFA requirements.

“So we’re taking a lot of steps, we’re looking at some identity management things in order to mature identity management and automate our processes around that as well,” Caron said during a January 2024 panel.

He also has focused on ensuring ITA is managing its data so it’s protecting its most important and valuable data as part of its zero trust implementation.

Additionally, Caron said because ITA has been 100% in the cloud for several years, he has focused on understanding the costs of using cloud services and how to manage those costs.

“In the wake of the pandemic and the subsequent move to work from home, Gerry Caron was the right kind of leader at a critical time. Gerry helped galvanize the entire federal government around actual use cases for zero trust,” said Tom Suder, president of ATARC. “The effort led directly to several Technology Modernization Fund awards to agencies, specifically for zero trust that have been the model for funding cybersecurity.”

DISA executives move into new roles

Over the last few weeks, there also has been a few other noteworthy changes in the federal technology community.

Let’s start with the Defense Information Systems Agency where Sharon Woods, who led the agency’s hosting and compute center for the last almost three years moved to new role at the agency. She is now leading DISA’s Endpoint Services and Global Service Center.

Sharon Woods moved to a new role at DISA to lead the Endpoint Services and Global Service Center.

“We deliver networking and endpoint solutions at all classification levels to the Department of Defense. This is a crucial mission, connecting the department’s globally dispersed workforce, from the Pentagon to the edge, with unified communications,” Woods wrote on a post on LinkedIn. “Incorporating my experience with cloud technology, I hope to drive modernization and propel J6 forward as the premier communications provider to the department.”

In her place, Jeff Marshall, who has been vice director of the hosting and compute center since February, is now acting director.

During her tenure as the head of the HACC, Woods helped usher the Joint Warfighting Cloud Capability (JWCC) through the implementation phase, launched DISA’s own hybrid cloud instance, called Stratus, and led the effort to provide a DevSecOps platform, called Vulcan, for DoD users.

Bill Dunlap, the acting deputy chief information officer for the information enterprise at the Defense Department, said on Tuesday at the AFCEA Enterprise IT Day that the defense agencies and military services have made 84 awards under JWCC worth more than $634 million.

Marshall joined DISA in February after spending the last 20-plus years in industry. He also served in the Army for 13 years before moving to industry.

New cyber execs at CTIIC, EX-IM Bank

Moving to the intelligence community, the Cyber Threat Intelligence Integration Center (CTIIC) hired Chris Zimmerman as its first director of the Office of Strategic Cyber Partnerships.

In that role, Zimmerman will “further the integration of commercial cyber threat intelligence in the IC and take an innovative approach to partnering with the public and private sector,” Laura Galante, the director of CTIIC and the IC Cyber Executive, said in a statement.

Zimmerman comes to CTIIC from industry where he held leadership positions with Symantec, FireEye, Palo Alto Networks, Cylance and, most recently, as President of FedStarts, LLC, where he led the deployment of software technology to enable stronger cyber defenses.

Finally, the Export-Import Bank has a new chief information security officer and new chief privacy officer. Darren Death joins the agency after spending the last nine years as the vice president of information security and CISO for ASRC Federal.

Death has worked in and out of government during his career, including stints at FEMA, the Library of Congress and the Air Force.

He also is active with cybersecurity education groups like InfraGard MD and is a fellow with the Institute for Critical Infrastructure Technology (ICIT).


Exclusive

Education, DHS among agencies seeking new IT leaders

The exodus of federal technology leaders seemed to have started a bit later in 2024 than usual. But March seems to be the “go” date for several officials.

From the Education Department to the Homeland Security Department to the Air Force to the Defense Information Systems Agency (DISA), federal leaders are retiring or heading to new opportunities in the private sector.

Starting with the Education Department, Luis Lopez, the chief information officer since December 2022, is leaving on March 22 for a job with INOVA Healthcare.

An Education Department spokesman confirmed Lopez is leaving for the private sector.

“We are preparing for a smooth transition by posting the position before he departs,” the spokesman said.

It’s unclear who will be acting CIO when Lopez leaves. Education already put out the job announcement to hire a new CIO. Applications are due by March 14 so only a two-week opening.

Federal News Network has learned Lopez will be vice president of IT operations for Inova Health Care Services.

Lopez has worked in federal service since 2008 and been with Education since 2017.

Luis Lopez is ending his tenure as the CIO at the Education Department.

In his short time as CIO, Lopez said in a recent interview that he set up a customer advisory council last summer to help explain to non-IT executives why the 2014 law matters to them and it’s more than just a technology priority. He also led the effort to consolidate and standardize the number of video teleconferencing and collaboration tools used by Education Department employees.

Along with his work at Education, Lopez also worked at the Defense Health Agency and the Walter Reed National Medical Center.

Joining Lopez in heading to the private sector are two other technology leaders.

Federal News Network has confirmed Drew Malloy, the technical director for DISA’s Cyber Development Directorate, and Robert Wood, the chief information security officer at the Centers for Medicare and Medicaid Services, also are leaving for new positions outside of government.

Malloy, who has been with DISA for 14 years and served in government since 2003, will join a small systems integrator.

Malloy has led DISA’s cyber directorate since 2020 where he oversaw the agency’s portfolio of cybersecurity capabilities, including identity and access management, the Joint Regional Security Stacks, cybersecurity situational awareness and zero trust.

He wrote on LinkedIn that he also “developed the modernization strategy for our network and security architecture in accordance with zero trust principles resulting in Project Thunderdome for the DoD enterprise.”

It’s unclear when Malloy’s last day will be or who will replace him even on an acting basis.

In addition to running the cyber directorate, Malloy ran DISA’s services development directorate and was the chief engineer for the Cyber Situational Awareness and Analytics Division.

He also worked at Naval Research Laboratory before coming to DISA.

CMS CISO Wood taking new role

As for Wood, who has been CMS CISO since November 2020, he will join a new venture with Sidekick Security, while also continuing to invest in and grow the non-profit Soft Side of Cyber.

Federal News Network has learned that CMS deputy CISO Keith Busby will be stepping up to lead the program until a permanent CISO is hired.

During his time at CMS, Wood focused on improving the culture at CMS around cybersecurity, building a security data lake to break down silos and advancing the technology strategy through cyber enablement.

Before joining CMS in 2020, Wood spent most of his career in the private sector working in cybersecurity positions with Cigital, Simon Data and N95.

Retirements at DHS, Air Force

Two other federal technology leaders decided it was time to call it a career.

Ken Bible, the Department of Homeland Security’s chief information security officer, and Eileen Vidrine, the Air Force’s chief data and artificial intelligence officer, have submitted their retirement papers.

Bible said his last day will be March 29 and has no firm plans for his post-federal life.

“I am looking forward to taking some time to enjoy my home in Charleston, S.C. and perhaps engage in helping in both the education arena as well as helping at the state and regional policy levels in the future,” Bible said in an email to Federal News Network.

He has been DHS CISO since January 2021 and worked in government for almost 39 years. Bible, who received a 2023 Presidential Rank Award,  started his career in 1985 at the former Charleston Naval Shipyard, where he rose to be a nuclear qualified engineering supervisor for three engineering branches.

During his time at DHS, Bible launched a pathfinder last summer to begin evaluating existing contractors with cyber hygiene clauses in their contracts and focused on addressing broader supply chain risks through a strategy.

Before coming to DHS, Bible served under the headquarters Marine Corps Deputy Commandant for Information as the assistant director for the information command, control, communications and computers division (IC4). He also served as the Marine Corps’ deputy CIO and CISO. Additionally, he worked at the Space and Naval Warfare Systems Command (SPAWAR) for almost two decades.

Vidrine is retiring on March 31 after 38 years of federal service.

Eileen Vidrine, the Air Force’s chief data and artificial intelligence officer, is retiring after 38 years of federal service.

She has been the Air Force chief data officer since 2018 and CDO/CAIO since January 2023 when she returned to the service after a one-year detail serving as the senior strategic advisor for data to the Federal Chief Information Officer in the Office of Management and Budget.

Last March, Vidrine told Federal News Network that her new title reflects the central role data has in getting AI projects off the ground.

Vidrine said AI readiness for the department comes down to establishing a baseline set of data and AI skills for airmen and guardians, as well as making sure they have access to the digital infrastructure and tools needed to advance breakthroughs in AI research.

Vidrine began her government career in 1986 as an enlisted member of the Army where she received her commission in 1987 through the U.S. Army Officer Candidate School Program as an Army transportation officer.

From 2006 to 2012, Vidrine served in various positions of leadership at the Office of the Director of National Intelligence culminating as the chief of staff for the Assistant Director of National Intelligence for Human Capital.

Army PEO-EIS leader moving to new agency

Finally, one federal executive who isn’t leaving federal service, but is on the move to a new role.

Rob Schadey, the acting deputy program executive officer for the Army’s PEO-Enterprise Information Systems (PEO-EIS), is joining the Defense Counterintelligence and Service Agency (DCSA) to be the program manager of the National Background Investigation Services.

Federal News Network has learned Schadey’s last day will be in March and it’s unclear who will take over for him even in an acting role.

Before stepping into the acting deputy PEO-EIS role in January, Schadey served as the assistant program executive officer and as the director of the business mission area, both at PEO-EIS.

As the program manager for NBIS, Schadey will have to continue to modernize the systems that help federal employees obtain security clearances.

OMB recently approved the Personnel Vetting Questionnaire (PVQ) in November, according to the third quarterly update on the “Trusted Workforce 2.0” initiative from the Performance Accountability Council. The questionnaire consolidates the SF-86, “Questionnaire for National Security,” along with several other vetting questionnaires used for federal jobs, including public trust and non-sensitive positions.

DCSA is now working on plans to integrate the PVQ into the new “eApp” web portal for background investigation applications as part of its NBIS.


Exclusive

Federal CIO Martorana’s top 3 priorities for 2024

Since September, the Office of Management and Budget has been working in policy overdrive. Six draft or final memos came from OMB’s Office of the Federal Chief Information Officer.

On Sept. 23, OMB issued the long-awaited digital services memo to implement the 21st Century IDEA Act.

About a month later, OMB offered draft updates to the cloud security initiative called Federal Risk Authorization and Management Program (FedRAMP) for the first time since 2011.

A week after that, the draft guidance for implementing the executive order on artificial intelligence detailed a host of new requirements for agencies.

Then there is the annual Federal Information Security Management Act (FISMA) guidance that dropped in early December with a specific focus on operational technology and internet of things devices.

And finally, OMB offered an early Christmas present in the form of the new requirements to ensure agencies are meeting the accessibility standards under Section 508.

Hopefully, the OMB staff took a breadth and some time off after that sprint.

Two months into calendar year 2024, OMB is revving back up to finalize many of these policies.

Federal News Network checked in with Federal CIO Clare Martorana to see what stood out to her in 2023 and what her priorities are for 2024. The following email conversation is edited only for style and clarity.

FNN: 2023 was a busy year for the Office of the Federal CIO. What are some of your office’s efforts that may not have received as much attention or notice, but will have a big impact on federal IT sector in the years to come?

 Martorana: Above all else, our north star is delivering for the American people. We need to ensure that Americans’ experience with government matches the quality and experience of the private sector — and I think we have made great progress on this.

Clare Martorana
Federal CIO Clare Martorana.

One of the things I’m most proud of is the work we’ve done in partnership with other federal offices — that’s how we can make a big lasting impact on federal IT, which benefits how Americans interact with government. For example, the Executive Order on Improving the Nation’s Cybersecurity was released early in the administration and it called for a transformation of federal cybersecurity, based on universal adoption of strong authentication, encryption and zero trust principles across the government. As a result of the efforts of my office, our partners at the Office of National Cyber Director and the Cybersecurity and Infrastructure Security Agency (CISA), we are seeing significant cultural and technological change across the federal enterprise to strengthen our cybersecurity posture.

We also partnered with CISA on CyberStat, a holistic program which strengthens agency defenses by addressing individual agency challenges, reducing the potential for successful attacks, and bringing risks to the attention of executive leadership when necessary, all while maximizing limited OMB and CISA resources. With over 6,000 attendees across 16 engagements in 2023, we provided agencies with the information and tools necessary to achieve specific security outcomes in a more consistent manner.

My office also works closely with the General Services Administration’s Technology Modernization Fund (TMF) Program Management Office (PMO). The TMF works in complement with the appropriations process, allowing agencies to quickly access capital to tackle the IT modernization needed to keep up with the fast pace of changing technology. In fiscal 2023, the TMF invested more than $177 million in 18 projects that improve how the federal government provides services to the American people, increasing public trust and making it easier to get the services they need.

Over the past year, we worked closely with GSA Technology Transformation Service (TTS) to ensure an integrated approach to tackling our biggest IT challenges. We continue to meet with GSA leadership on a weekly basis and our teams are engaging daily to support the implementation of our policies, such as helping develop and provide agencies access to tools that will help them deliver a digital-first experience to the public.

Lastly, I want to highlight the strong connection my staff has established with our budget colleagues to ensure funding and resources are aligned so that agencies can best secure their infrastructure and be on the road to digital transformation.

FNN: Of the policies/guidance your office did issue in 2023, which ones do you think will have the biggest impact in 2024 and why?

Martorana: Building off the customer experience executive order and the President’s Management Agenda Customer Experience Priority Area, in September, we released digital experience guidance to help agencies move faster to deliver the simple, seamless, and secure experience that the American people deserve. Some 430 federal agencies and sub-agencies provide information and services to more than 400 million individuals, families, businesses, organizations and local governments each year.

Digital is increasingly becoming the primary way that the public interacts with government and accesses the information and services they depend on. In order to provide the best possible customer experience — we must fix the digital experience.

Right now, everyone is talking about artificial intelligence and the power and potential that it yields. Our pending FedRAMP guidance will significantly scale the size and scope of the FedRAMP marketplace.

Another piece of guidance issued in 2023 that is having an immediate, positive impact in 2024 is our Digital Accessibility guidance, which is based on the idea that all Americans should have equal access to government. Sixty-one million adults in the United States have a disability, an estimated 15 million or more people have a temporary disability, and an estimated 40 million people are caregivers who provide support to a person with a disability. There is nothing more heartbreaking than someone being unable to use accessible technology to complete what should be a basic task. That’s why our Digital Accessibility guidance is so important; it helps build and sustain an accessible Federal technology environment that delivers for everyone.

FNN: What are your top 3 priorities for 2024 and why?

Martorana: Strengthening Office of the Federal CIO’s foundation to enable our staff to grow and thrive. They are working on the front lines across the Federal ecosystem to drive progress and positively impact the way services are delivered to the public each and every day. And while there is a lot of external attention on our policies, there is often little discussion on the people behind the policy. As I look at 2024, I’m so excited by our team and what we will be able to achieve together.

Supporting agencies in operationalizing the policies we issued over the past few years. Every agency is at a different place on their journey — our job is to ensure they have the executive support, shared services and tech talent needed to deliver results.

Ensuring continuity so agencies and tech teams across government can continue making progress in modernizing technology. We’ve delivered and we’ve built a strong foundation of tech policies that will span from year to year and across administrations. The American people deserve good government every day. Technology is critical to delivering a government that meets today’s expectations — and we must continue moving forward.

FNN: There is a lot of excitement around artificial intelligence in the public sector, how is your office trying to balance the excitement with all the challenges that come with AI?

Martorana: AI presents tremendous opportunities to improve public services, such as making it easier to access benefits, preventing drug shortages, or fighting wildfires. While we harness AI’s power for good, we also need to protect people from its potential risks. My goal as the Federal CIO is ensure the federal government is a leader in both using AI and managing its risks. That’s why we’re issuing extensive guidance to federal agencies on their use and governance of AI, which will be finalized this spring.

In the meantime, the AI EO directed agencies to name a chief AI official (CAIO), a senior agency representative responsible for driving consistent implementation of AI practices across their agency. I recently convened and [led] the first meeting of the CAIO Council, a new executive council that will coordinate the development and management of AI across agencies. We know that innovation relies on great minds coming together to rethink what is possible. Ensuring that the U.S. is a world leader in AI will require all of us — across government, academia, civil society, and industry — to be successful.

FNN: There is a lot of excitement over the special salary rate for IT/cyber workers, but agencies are struggling to implement and fund it. How is your office, with your partners in OMB, addressing this opportunity to use the SSR to help agencies recruit and retain the best talent?

Martorana: Now more than ever, we need technologists at the table to collaborate with our nation’s leaders and provide expertise on how best to launch products and services that are secure by design, digital by default, and accessible to people of all abilities. There are many entry points to federal government and we are continually trying to reduce barriers.

Late last year, we launched a new page on CIO.gov to serve as a “front door” into government for technologists at all levels. When you navigate to CIO.gov, you will see a banner with a call to action to join us.

If you are thinking about a career in civil service, I encourage you to check it out and consider putting your tech superpowers to work for your families, friends and neighbors.

FNN: What is your message to non-technology federal IT leaders, such as those in the finance or acquisition or mission areas?

 Martorana: Technology today is deeply integrated into nearly every facet of our federal operations and services. It presents both opportunities and threats that we cannot afford to overlook. All leaders — regardless of background — need to make technology a core priority. We can deliver a government that rivals our favorite consumer brands.

What it takes is a C-Suite — leaders beyond CIOs, CISOs, and chief data officers (CDOs) — it will take chief human capital officers (CHCOs), chief acquisition officers (CAOs), CFOs, general counsels and public affairs teams to align their efforts to support an agency’s technology journey map to modernize how they deliver products and services. They’ll reduce administrative burden for their workforce, improve employee engagement and inspire others to join us in the effort.

FNN: What is your message to federal IT vendors?

 Martorana: Read our final guidance to understand the federal government’s requirements and our draft guidance to understand where we are heading.

Know where agencies are on their IT modernization journeys and sell them the appropriate tools, technology and solutions — meet them where they are.

Let’s collaborate: we get the best ideas when we share lessons, challenges, and opportunities for delivering faster.


3 takeaways from the FITARA 17 scorecard roundtable

The 17th iteration of the Federal IT Acquisition Reform Act scorecard was, once again, a very one-sided affair.

It wasn’t that Rep. Gerry Connolly (D-Va.), co-author of the 2014 law and ranking member of the Oversight and Accountability Subcommittee on Cybersecurity, IT and Government Innovation, didn’t let others speak, though he is prone to enjoy the microphone like most lawmakers.

It was that he was the only legislator at the FITARA 17 roundtable last Thursday.

Subcommittee Chairwoman Nancy Mace (R-S.C.), for a second time since September, didn’t agree to hold a formal hearing so Connolly was left to host a roundtable that had no Republican participation.

Congressman Gerry Connolly (D-Va.) held a FITARA roundtable on Feb. 1. (Photo credit: Jason Miller/Federal News Network.)

“First, I want to mention how disappointed I am that our Republican majority has turned its back on the FITARA scorecard,” Connolly said in his opening statement. “The scorecard has been a bipartisan oversight project for more than eight years with Republican champions like [Reps.] Mark Meadows (R-N.C.), Will Hurd (R-Texas) and Darrell Issa (R-Calif.). It has helped save nearly $30 billion, closed 4,000 unnecessary data centers, expanded the use of working capital funds as flexible vehicles for IT modernization funding, almost doubled the percentage of federal IT projects using incremental development to deliver functionality and empowered agency Chief Information Officers (CIOs) with greater budget and procurement authority and a more direct reporting relationship to agency leadership. The scorecard sits at the heart of this subcommittee’s mandate to oversight federal IT.”

There now has been no formal FITARA hearing since December 2022, the 15th iteration of the scorecard.

A House Committee on Oversight and Accountability spokesperson pushed back on Connolly’s notion that the majority has “turned its back on FITARA.”

“FITARA is a law concerning federal IT management and acquisition. Ms. Mace’s subcommittee has held a dozen hearings in the past year concerning not only federal information technology management and acquisition, but also pressing issues surrounding artificial intelligence, and cybersecurity. These hearings have been a critical vehicle for substantive oversight and the development of significant legislation,” the spokesperson said in an email to Federal News Network.

Mace held 12 hearings in 2023 looking at federal technology and cyber issues, with artificial intelligence receiving the most attention. She did hold hearing on legacy federal IT, the problems with Login.Gov and the continued struggles with the Defense Travel System program — all of which fall under the FITARA umbrella of oversight of federal IT projects.

Exactly why Mace will not hold a FITARA hearing is unclear. Maybe it’s not a “sexy” enough topic, like AI or ransomware, for her? Maybe it’s something different.

Either way, not holding a traditional hearing on FITARA is a missed opportunity for lawmakers, for agencies and for the overall goal of improving how agencies manage, spend and account for the nearly $100 billion spent on federal IT.

But getting away from the big “P” politics playing out between Mace and Connolly, the roundtable provided some important and new updates to federal IT oversight and progress.

Here are my three takeaways from FITARA 17:

EIS under review

The Government Accountability Office is dusting off the cobwebs from its “why did this transition take so long?” probing tool. GAO will begin looking this spring at the continued delays agencies are having in moving to General Services Administration’s Enterprise Infrastructure Solutions (EIS) contract.

Carol Harris, GAO’s director of cybersecurity and IT, provides an update at the Feb. 1 FITARA 17 roundtable. (Photo credit: Jason Miller/Federal News Network.)

“We’ll be able to really dig in deep and ascertain progress and the reasons why agencies are not able to make this transition on time,” said Carol Harris, GAO’s director of cybersecurity and IT, in an interview with Federal News Network after the Feb. 1 roundtable. “We’ll also dig into the missed cost savings as a result as well because that’s a huge component of this. But when you take a look at the progress that’s been made, certainly over the past two years, agencies have done their best and but still we still have, I believe, 14 agencies that did not meet the deadline.”

GSA gave the departments of Justice and Homeland Security until May 2026, while 80 other agencies have until May to complete their transitions.

Of the four agencies that participated in the roundtable, the Office of Personnel Management, the Nuclear Regulatory Commission and the U.S. Agency for International Development all completed transition. The Department of Housing and Urban Development reached the 80% mark as of December, according to GSA’s EIS transition progress dashboard.

As a reminder, the transition from FTS 2001 to Networx took 33 months longer than planned and cost the government an estimated $395 million, according to an analysis by GAO in 2014.

It’s clear this Networx to EIS transition may not meet the 33 month record, but the cost will exceed $395 million.

Cloud grades vs. cloud progress

The string of “Fs” filling the cloud computing category showing a lack of progress is striking when you first look at the FITARA scorecard. Of the 24 agencies, 16 received the lowest grades and six others received “Ds.”

As GAO’s Harris and Connolly said during the roundtable, the grades are supposed to be low given it’s a new category.

“[We are] introducing a new category and a new grade, therefore, we were expecting that we started at a lower base. The object here is to move up. So whatever we started with, we will be measuring it,” Connolly said. “We need to put that into perspective that it’s not like every federal agency just regressed in the last few months because they took large holiday breaks. It’s because we are introducing metrics that really matter. We’re starting at an uneven point with a lot of federal agencies.”

The cloud category is measuring agency progress against several of the areas the Office of Management and Budget outlined in its 2018 federal cloud computing strategy.

These include:

  • Whether agencies are ensuring that the CIOs are overseeing modernization, Agencies have cloud service level agreements (SLAs) attached to all of their cloud deployments,
  • Agencies have standardized SLAs

Harris said GAO is currently reviewing how agencies are meeting these requirements and used the results of that work to give agencies initial grades.

“What we’re seeing is uneven progress across the agencies. None of the agencies have fully implemented the five categories with the exception of the Defense Department,” she said. “That’s something that we need to see improved progress in. When I cited the 47% average [for SLA compliance]. That’s what we’re not seeing across the agencies in the implementation of this area.”

At the same time, what the FITARA scorecard isn’t measuring, which may be equally important, is the actual use of cloud services.

Take the Office of Personnel Management for example. Guy Cavallo, the agency’s CIO, said over the last two years, OPM has deployed over 35 new cloud-based applications that were previously on-premise. OPM also migrated over 100 business applications to the cloud that previously ran in data centers.

“Our goal is to have the majority of OPMs applications operating in the cloud by the end of this year,” Cavallo said.” Now, one of the benefits of utilizing cloud computing is the implementation of enhanced cybersecurity capabilities, such as data encryption, real-time security updates and patching, centralized monitoring and robust access controls. Today, all of those are improving the security of OPM’s applications, data and cybersecurity. We’ve had a number of successes there by leveraging machine learning and artificial intelligence to enhance our cybersecurity capabilities, allowing us to have real-time situational awareness, which allows us to quickly respond to and defend against threats. We also implemented data driven cloud-based dashboards to provide better visibility into our cyber status.”

OPM CIO Guy Cavallo (left) and NRC CISO Jonathan Feibus took part in the FITARA 17 roundtable on Feb. 1. (Photo credit: Jason Miller/Federal News Network.)

Cavallo said OPM is far from done in moving to the cloud. But it’s clear that OPM’s “F” grade doesn’t entire reflect the real goal of moving data and applications out of data centers.

The same can be said for USAID, which received a “D”, and the Department of Housing and Urban Development and NRC, both of which received “F” grades.

NRC’s Feibus said the agency is transitioning legacy technology to the cloud.

“We’re developing solutions that focus more on current and future technologies, including artificial intelligence, machine learning and process automation to keep the agency innovative,” he said. “The NRC has also worked with the General Services Administration on a financial operations pilot. It is implementing the recommendations and best practices we learned to further enhance management of our cloud services. We have been able to locate additional workflows to the cloud to provide an additional layer of resilience to our technology operations.”

USAID’s Gray said by moving to the cloud, the agency has reduced the number of data centers from 87 to 2.

“Even technology refresh is something that historically would take weeks or months to do major upgrades. In my prior agency [Education], we were able to upgrade an entire data center over a weekend, that would never happen. There would’ve be a disruption, but that did not happen because of the cloud,” Gray said.

It’s clear that agencies need to improve how they oversee and manage cloud services, but let’s not confuse that area with the real impact of cloud services on IT modernization efforts.

Working capital fund compromise

If the Technology Modernization Fund (TMF) was the icing on top of the Modernizing Government Technology (MGT) Act cake, then the IT working capital fund (IT-WCF) is the cake itself.

Everyone can “ooh and aahh” over the icing, but when you dig into the MGT Act, authorizing IT working capital funds is what holds the act together and gives agencies hope that IT modernization is an achievable goal.

For the previous 16 iterations of the scorecard, Connolly and GAO graded agencies on whether they were meeting the spirt and intent of the MGT Act by implementing a specific IT working capital fund. Agencies received some partial credit for already having another fund that provides money for technology modernization.

For the 17th iteration, one of the major changes is giving agencies credit for having any working capital fund that supports IT modernization.

After nearly a five years, Connolly realized that it’s not the agencies who didn’t want the IT working capital fund, it’s the appropriators who were less than excited to approve them. Sen. Maggie Hassan (D-N.H.) had planned to try to fix the MGT Act with a technical amendment in 2021, but that bill never moved.

Only a handful of agencies, including OPM and the Small Business Administration, have received approval from Congress to set these up. Others like the departments of Treasury, Labor and USAID have requested Congress give them the green light, but had no luck so far.

HUD is the latest agency to try to run the appropriator’s IT-WCF gauntlet.

Sairah Ijaz, HUD’s deputy CIO, said not having access to a working capital fund has impeded their ability to modernize technology as quickly as they would’ve liked.

“We do see some hope of that coming into the fiscal 2024. We’re hopeful that is something that we will be able to leverage in order to be able to quickly address some of the issues that are part of our long underlying strategies,” Ijaz said.

Like several other agencies, HUD does have a working capital fund out of its CFO office, but it doesn’t specifically support technology modernization.

“We are working to be able to begin the use of that working capital fund, and that’s part of the conversations we’ve been having with all of our counterparts about looking toward that in future appropriations. Currently, our appropriations do not allow for the use of a working capital fund,” Ijaz said. “It has hindered our ability to be able to be flexible, and be able to work toward modernizing our platforms. We’ve had to look towards other areas in order to be able to support our ability to fund some cyber needs. We’ve gone to the TMF and received some funding there to be able to manage that. Then we looked at reallocating some other costs in order to be able to support our cyber needs because that is most important at the moment.”


Buzzword for 2024: AI; Biggest concern for 2024: Workforce

While the buzzword of 2024 may be artificial intelligence, or some derivative like generative AI or large language models, the biggest challenge and focus for federal IT community will continue to be the people.

The workforce, return to office, challenges to hiring and retaining qualified and skilled employees and all those things that come within this area trumps budget and continuing resolutions and even the impending presidential election.

Current and former federal IT and acquisition experts say agencies ability to demonstrate progress along the zero trust and customer experience journeys as well as taking the first steps to meet the Biden administration’s executive order around AI are top of mind. But without a doubt — and what has been the common refrain over the last decade plus — without qualified employees, many of these efforts will fall like a house of cards.

Federal News Network asked a panel of current and former federal executives for their opinions about 2024 and what federal IT and acquisition storylines they are following over the next 12 months.

  • The panelists are:
  • Gundeep Ahluwalia, chief information officer of the Labor Department
  • Jonathan Alboum, a former chief information officer at the Agriculture Department and now federal chief technology officer for ServiceNow
  • Steven Brand, deputy chief information officer for resource management, for the Department of Energy
  • Guy Cavallo, the chief information officer at the Office of Personnel Management
  • Kevin Cummins, a former Senate staff member on the Appropriations and Commerce, Science and Transportation committees and now a partner with the Franklin Square Group
  • Mike Hettinger, former House Oversight and Reform Committee staff member and now president of Hettinger Strategy Group
  • Renata Spinks, former assistant director and deputy chief information officer for information, command, control, communications and computers (IC4) and now founder of CyberSec

What are two IT or acquisition programs/initiatives that you are watching closest for signs of progress and why?

MH: The Cybersecurity Maturity Model Certification (CMMC) continues to simmer in the background, as it has for the last couple years. Now that the interim final rule for CMMC has been issued, that’s going to kick off a flurry of activity in government and industry that we will all be watching closely.

The second is software security requirements. How these are implemented — and how much of a burden they become for contractors — could have serious long-term consequences for the federal government.

SB: One of our top priorities for telecommunications continues to be the transition of services from the expired Network, WITS 3, and Local Telecommunications Services contracts to our Enterprise Infrastructure Solutions (EIS) contracts. Completing this transition in 2024 will provide our department with a flexible platform to support more modern telecommunications service offerings, new innovations, and overall cost savings.

Steven Brand is the deputy chief information officer for resource management, for the Department of Energy.

Additionally, while we are still in the pre-award phase, the department is also re-competing its CIO Business Operations Support Services (CBOSS) blanket purchase agreement. In the coming year, we expect CBOSS 2.0 to be a game-changing procurement vehicle, providing streamlined and cost-effective access to IT products and services across the DoE enterprise.

JA: Customer Experience — Even though the Biden CX executive order is a few years old, there is still plenty of focus on CX across government. Most agencies have customer experience leads and are looking at how to apply CX beyond the citizen. For example, agency employees are customers of IT, human resources, etc. These customer experiences (aka employee experience) is receiving more attention as are government-to-government customer experiences. Many agencies receive services from other agencies or are responsible for reporting information to agencies. These experiences are also receiving more attention. Combined with the IDEA guidance, I expect agencies to make big strides in 2024.

Zero Trust — All agencies are expected to implement zero trust architectures in the coming years. They should all have plans by now and be working on aspects of implementation. However, ZTA is not one project or product, it’s many projects and many products implemented over multiple years. These long-term projects in government are generally hard to execute. Add in government’s tech debt and it becomes even more complicated. In 2024, I’ll be watching for signs of demonstrable progress by agencies on their ZTA journeys.

KC: 2024 should be the year when the federal government is not just talking about AI but actually buying and deploying AI solutions. For all the focus on AI in 2023, there is not that much government use of AI disclosed by OMB to date.

Implementation of the AI executive order, including how the new White House AI Council and agency chief AI officers help accelerate adoption of AI tools.

GA: In 2024, we are looking forward to expansion of the Department of Labor’s Unemployment Insurance Identity Verification Program. To date, more than 90,000 people have benefitted from these expanded identity proofing services in six states. Thirteen more states will soon join them, with the ultimate plan to serve claimants nationwide. We developed an identity verification system that uses modern and emerging technologies to enhance security, reduce fraud and expand identity proofing services. We are hosting and maintaining the IT platform to reduce state infrastructure costs and personnel needs, as well as covering state transactional costs for the first two years of service.

We also expect to meet the White House deadline to address the cybersecurity executive order by the end of 2024. We are being very methodical, doing a gap analysis and identifying what our future end-state will be at the end of our zero trust journey. We are modernizing our systems while also maintaining our current capabilities. Most critically, we are enhancing our data and network security, which is important not only for our department staff but for the workers, job seekers and retirees who access our services.

GC: Everyone will be looking for AI resources — both as federal employees and as contractors. At OPM we will continue to update hiring practices to improve the hiring of AI Specialists, but the private sector also has a great demand for these limited experienced resources.

Continued evolution of key programs from the General Services Administration in fiscal 2024 is important, such as the FedRAMP program continuing to speed up its approval process and Login.gov continuing to enhance its authentication solution, and additional enhancements to the implementation of high speed cloud connections through its telecom programs.

I have now moved three federal agencies to the cloud and in all three cases the log pole in the tent was getting our high speed connection established in less than six months.

RS: Long-range hypersonic weapon. The Defense Department developing a hypersonic missile that will travel at least five times the speed of sound and strike targets at ranges of at least 1,400 miles allows increased preservation of life, avoids costly or impractical manned aircraft attacks and deters the adversary’s aggression. It also allows the US and its allies to build trust amongst each other by way of an increased arsenal of missile defense capabilities.

IT Enterprise Solutions 4 Services for the Army. On the heels of ITES 3, this pending solicitation for March 2024 with an anticipated value of $12.1 billion is one to watch. With the many lessons learned shared by the Army Program Executive Office (PEO) over the past few months, an area to watch is how this range of services and solutions for enterprise infrastructure as well as info-structure goals with information technology services worldwide and how it would be secured. There was no real emphasis during the PEO lessons learned on how zero trust will be included as well as the cybersecurity of services. What is important is to ensure cyber is called out specifically and not lumped in as years past have shown as a service that is not critically measured against due to driving of costs, lack of critical thinking for implementation and playbook for modernized hybrid environment defenses and what the response protocols are when such infiltration occurs. This is especially important for congressional reporting, US Cyber Command reporting and to posture for the increased accountability for cyber attacks throughout industry, the defense industrial base and government contractors.

Rank in order among budget (think CR and appropriations process), workforce (think return-to-office, retirements, hiring challenges) and the presidential election (think run up to November), what will impact the federal IT/acquisition community the most and why?

SB: I would rank the run up to the election as third, the budget as second and the workforce as first, but only because you asked me to rank all three. Otherwise, the workforce could occupy all three positions. The appropriations process and impact of CRs have become commonplace. That does not mean that there are no impacts, of course, but we have had to learn to plan for those, much as we have with the impact of recurring election cycles. However, given the ever-evolving world of IT, coupled with significant demographic changes in the population of federal employees, and the trends introduced by the pandemic, workforce concerns are of vital importance. Issues with recruiting, developing, and retaining IT and cyber talent are not new, but the issues will continue to intensify and demand deliberate planning to mitigate the risks.

RS: Impact Ranking:

  1. Return to Work –Workforce
  2. Budget
  3. Presidential Election

Everything starts with the people. Even amongst a continuing resolution, there are statistical references to productivity and accomplishments in the federal workforce.  The hiring is still not as quick as it should be and the talents needed are continually trending gapped. If the federal government does not find ways to acquire and retain talent we will continue to have a readiness issue.

Within a CR, it is not a new occurrence. Culturally. CRs are expected, not wanted but definitely expected and as such, most financial leaders operate within those expectations. However, with a fully funded budget, we still experience wasteful spending, poor execution, delayed acquisitions due to workforce burn out and expertise, the domino effect will continue to stem from the PEOPLE.

JA: Budget will have the biggest impact on the federal IT/acquisition community in 2024. There is a chance for a full year continuing resolution, which would allow a 1% across-the-board spending cut per the prior debt-ceiling deal. If this cut becomes a reality, IT programs would likely be affected. Further, a full-year CR would prevent agencies from starting new projects, further slowing the government’s digital transformation.

Jonathan Alboum is a former chief information officer at the Agriculture Department and now federal chief technology officer for ServiceNow.

Workforce will remain a challenge as always. There’s an ongoing battle for tech talent inside and outside of government. Further, agencies still have differing return to office policies. Some agencies are requiring employees to be in the office for set days every pay period. Other agencies remain focused on building on the success of telework during the pandemic. Workplace choice and flexibility are now an expectation for many workers. Agencies that push against the grain may have higher rates of attrition and find it harder to recruit replacements.

In my experience, the presidential election years have not had a big impact on federal IT. Agencies continue to execute their core missions and implement administration initiatives during an election, meaning that projects and operations continue as usual.

MH: Budget — As we head into 2024, we still don’t have any of the fiscal 2024 appropriations bills signed into law. A shutdown is certainly not out of the realm of possibility and as we know this slows contracting and creates a lot of uncertainty for employees and contractors alike.

Workforce — Return to office is largely a bust. Where and how we worked has changed forever over the last four years, so what we need to figure out is how best to ensure that we manage what is now a geographically diverse hybrid workforce and more effectively plan for their success.

Presidential election — The 2024 election and its potential impact of the federal government sits largely in the background at this point, but clearly federal employees could be impacted positively or negatively, depending on the result.

KC: Budget

Workforce

Presidential election

Budget will impact the acquisition community the most as Congress and the White House seek to find agreement on what government funding should look like in the post pandemic era. The federal government will begin the new year operating under a continuing resolution (CR) and could face a potential, partial shutdown after Jan. 19. The 2023 budget deal to avoid a national debt default includes a provision to incentivize Congress to pass full-year appropriations instead of CRs by automatically revising budget authority if a CR is in effect in January 2024. All of this creates additional uncertainty for agencies and the federal acquisition community alike.

GC: Budget — An approved fiscal 2024 is crucial and key to continue IT modernization; we must know how much money we need to invest.

Presidential election — Presidential election may influence the decisions on the 2024 budget, which may have a significant impact on IT modernization and being able to plan on long term IT project initiatives.

Workforce — The average age to the federal workforce continues to be closer to retirement than at any time in the past. An increase in meaningful in-person work while maintaining telework flexibilities will allow federal agencies to compete with private sector on hiring new talent and retaining talent, especially in technology, IT and AI.

GA: Without a doubt, the workforce. People are at the heart of our mission and our success. We want to bring in the best minds to develop and maintain the technology that delivers that mission to America’s public. That’s a challenge when the private sector is competing for the same talent pool, especially at a time when we are balancing the recruiting demands for younger, tech-savvy employees and retirement waves of an aging workforce. We are addressing ways to attract — and retain — staff. We are offering reskilling and upskilling. We are recognizing employees when they go above and beyond. We are also being mindful as we address the OMB memo on the return to office. We are providing the IT support and network capability for our staff to work successfully, whether in person, remotely, or in a hybrid environment.

As for ranking budget and the presidential election, they are pretty closely tied when it comes to priorities and what will ultimately get funded and how.

If 2022 and 2023 has been all about zero trust and customer experience, what do you think will emerge as the buzzword of 2024?

GC: No question that it is artificial intelligence.

Gundeep Ahluwalia, Labor Department
Gundeep Ahluwalia is the Labor Department’s chief information officer.

GA: Generative AI is already playing a pivotal role in content creation, and it’s gaining traction with natural language processing (NLP) to support customer service with chat bots and call center routing. But there is also a potential for misuse. A newly released OMB memo focuses on the risks of relying on AI to carry out agency actions and decisions. We must remember, GenAI uses data to retrain the model so we must make sure to provide quality data and monitor against biased algorithms. That requires human oversight.

JA: Generative AI will remain be the hottest topic in 2024. Everyone is talking about how GenAI will change the world. It definitely has the potential to radically change how government operates. There are clear use cases in customer service, document intelligence like Freedom of Information Act (FOIA), fraud detection, administration and IT. However, like all emerging technologies, its successful implementation at a government agency will be challenging. The framework set forth in the AI EO will help, but there are likely more headwinds to GenAI taking hold in an agency than in the commercial sector, including employee unions, Congressional oversight, and agency imposed restrictions.

MH: It’s already emerged but the biggest buzz as we heard into 2024 is artificial intelligence. The AI executive order, followed by the draft OMB AI implementation memo set in motion a flurry of activity that surpasses even what we saw 10-12 years ago with cloud. If you’re an AI company, it is business critical to understand how the plethora of proposed policies and regulations is going to impact your business and if you’re not an AI company, you’re about be.

KC: Safe, secure, and transparent AI is the new buzzword. While some of the novelty of AI since the release of ChatGPT has worn off, AI solutions will be increasingly adopted and used to help agencies meet their missions.

RS: Buzzword for 2024 — if it were up to me — it should be accountability.

However, it will likely be some other technology word that will drive industry to develop solutions/technical tooling versus the more difficult part of this cyber warfare fight we are continually in, which is strategy, governance, critical decision making, metrics and execution. It appears when accountability is prioritized and funded, leaders will have what they need to further invest in leadership, people, training, and simulation technology/test bed environments. This will provide leaders with what it is they need to ensure their level of accountability matches their ability to lead with day in and day out support to the defenders, operators and securers of the network and its real time threats.


From AI to zero trust, how 2023 will be remembered by federal IT experts

When federal IT historians look back on 2023, they will underline the beginning of the federal revolution with artificial intelligence and the next step in the continued evolution of IT modernization.

Now if you said to yourself, “wait, there are federal IT historians?” Maybe I’m projecting my retirement job a little.

But either way, when we all look back at the year that was 2023, we all can point to several federal IT and acquisition markers of progress.

The AI executive order and draft memo from the Office of Management and Budget was a common highlight from current and former federal executives.

The progress around the Federal Risk Authorization and Management Program (FedRAMP), the continued focus on customer experience, in part through much-anticipated release of the IDEA Act guidance, and the advancement of cybersecurity through zero trust and other tools and capabilities all were top of mind across federal experts.

Federal News Network asked a panel of current and former federal executives for their opinions about 2023 and what federal IT and acquisition storylines stood out over the last 12 months.

The panelists are:

  • Gundeep Ahluwalia, chief information officer of the Labor Department
  • Jonathan Alboum, the former chief information officer at the Agriculture Department and now federal chief technology officer for ServiceNow
  • Steven Brand, deputy chief information officer for resource management, for the Department of Energy.
  • Guy Cavallo, the chief information officer at the Office of Personnel Management
  • Kevin Cummins, a former Senate staff member on the Appropriations and Commerce, Science and Transportation committees and now a partner with the Franklin Square Group.
  • Mike Hettinger, former House Oversight and Reform Committee staff member and now president of Hettinger Strategy Group.
  • Renata Spinks, former assistant director and deputy chief information officer for information, command, control, communications and computers (IC4) and now founder of CyberSec.

What are two specific accomplishments in 2023 within the federal IT and/or acquisition community? Please offer details about those accomplishments and why you though they had an impact and what changes they brought.

JA: The guidance issued on the 21st Century Integrated Experience Act (IDEA) is an important accomplishment by Office of the Federal CIO. The guidance creates at 10-year roadmap to making government experiences simple, seamless, and secure by creating common standards for delivering online tools and experiences. Even though IDEA became law in 2018, its implementation has been uneven across government. The new standards will create consistency so as the public interacts with the federal government, they have a common experience that rivals experiences in the private sector. If properly funded, this has the potential to re-build trust in government.

The executive order on artificial intelligence is an important step forward for making generative AI solutions part of how government is delivered. We all know that AI has significant potential. I believe the Biden administration has shown global leadership by putting forth a roadmap for government agencies and critical sectors. The AI EO creates the framework to responsibly adopt and integrate AI into agency operations to improve government service delivery, while managing risks. These actions to advance trustworthy AI are imperative to fostering public trust in this emerging and exciting technology.

MH: First, I think the issuance of the 21st Century IDEA implementation guidance is going to be a game changer. The law, which is now five years old, has been implemented very inconsistently across government and the hope is that with the new guidance those agencies that had been lagging behind on implementation will step up to the plate. CX overall has been on the agenda for the last decade or so but this should really push it to the top. Second has to be zero trust. We have talked a lot about zero trust over the last few years but I think 2023 is the year it really got over the hump. If you look across the federal government today, as opposed to three-years ago, you’d be hard pressed to find a large federal agency that hasn’t invested in and embraced zero trust principles to improve their overall cybersecurity posture.

SB: Early in 2023, the Office of Personnel Management appeared to be on track to establish a new Special Salary Rate (SSR)—a new governmentwide pay model—for federal IT and cybersecurity personnel. The intent of the SSR was to close the gap between what IT and cybersecurity professionals can earn in federal agencies, as compared to what they can earn in the private sector. This pay gap has been a long-standing challenge for federal agencies, and with OPM’s decision to pause its SSR implementation, the challenge will extend into 2024.

GC: One of the largest impacts on federal IT was the emphasis on all federal systems implementing phishing-resistant multi-factor authentication (MFA) and encryption of data in transit and at rest, a requirement by Executive Order 14028.

Guy Cavallo is the CIO at the Office of Personnel Management.

At OPM, the EO required us to develop an innovative authentication method utilizing cloud services to implement MFA in front of many older legacy mainframe applications. We also developed virtual desktops in the cloud to implement the cyber requirements supporting those legacy applications.

Another accomplishment for 2023 was OMB’s issuance of Executive Order 13589 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, and the draft implementation memorandum. With AI being rapidly deployed by the technology industry, a deployment of a new technology faster than any previous technology transformation in our lifetimes, this guidance and memorandum helped set the boundaries of how the federal government can safely and effectively leverage AI to improve providing critical services to the American people.

RS: The Cybersecurity and Infrastructure Security Agency (CISA) published its AI roadmap. The lines of effort outlined in the roadmap sets conditions for Executive Order 14110, “Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence (AI). This is noteworthy and much needed to avoid stagnancy as cybercriminal increase their sophistication of tactics, techniques and procedures (TTPs) with a laser focus on debilitating critical infrastructure. Couple this with the need to increase automated defense and zero trust proactive offensive operations, the roadmap includes policy, agency collaboration guidelines, provides outcomes in a more aligned and congruent manner and lastly calls out specifically workforce training, which is outside of the norms in the past years of technical publications throughout the government.

Additionally, the launch of the National Security Agency’s AI security center within the Cybersecurity Collaboration Center provides securely integration of AI in national security systems and the defense industrial base which supports a much-needed whole of government approach to security. Silos are a haven for cyber criminals as well as increases challenges for procurement strategies and execution.

The Department of Defense prioritizing the presence in the Indo-Pacific region is noteworthy and the right thing. It is home to nearly two-thirds of the world’s economy, several of the world’s largest militaries, and many of the United States’ allies.  The geographical locations itself presents barriers in each category of warfighting –air, ground, land sea and cyber. Considering the span of miles that data and communications have to traverse, terrestrial, subsea and satellite infrastructure all have to be secure and reliable as well as logistics for equipment and personnel and to ensure information is available at the time of need in a secure and streamlined manner is critical and is no easy feat. DoD is focusing in on service-to-service partnerships and pilots to address infrastructure, redundancy and resiliency shows the commitment to this prioritization and the support to thinking differently. Secure communication continually growing alongside an ever-expanding-constantly-under attack global network, DoD’s visible focus on the Indo-Pacific service-by-service not only supports warfighting assurance abroad but also ensures safety here in the US.

GA: I’m proud to say we brought together 14 federal agencies, exhibited more than 90 technology displays, and recruited 26 expert panel speakers for Federal Tech Day 2023. More than 3,000 people experienced the governmentwide expo, both in person and online with our custom-built virtual platform. Two-thirds of the attendees told us they discovered technology that could benefit their own agencies. These are government innovations – and when IT solutions are shared across government, it can impact mission delivery for the public we serve.

We also identified and addressed a need for people who file for unemployment insurance (UI). The Labor Department’s identity verification program provides streamlined and equitable identity proofing services, as well as a secure process to reduce fraud and abuse in the UI program. No more barriers because of unreliable internet service. No more driving long distances to an unemployment office. A claimant can now go in person to a local U.S. post office to upload their identity documents. Or they can go online to verify their identity through the General Services Administration’s Login.gov. Those verified documents then go back to the states so they can process a UI claim knowing it’s for a genuine resident in need.

What technology or acquisition initiative or program surprised you based on how much progress it made or how the pieces and parts came together and why?

GC: The rapid worldwide deployment of AI from the technology industry was surprising.

Competition between the technology giants may have played a significant role to push all of them to get AI in the hands of their customers as fast as possible.

GA: We’ve made incredible progress on the move toward zero trust. The Department of Labor was already working on this, though EO 14028 did accelerate our timeline. We received our fourth Technology Modernization Fund investment (out of five total) to support our work, which includes robust cybersecurity measures, such as advanced threat detection to safeguard our data and systems, and employee cybersecurity awareness training to foster a culture of vigilance throughout the government.

JA: I was pleasantly surprised by the Office of Management and Budget’s draft memo for modernizing the Federal Risk Authorization Management Program (FedRAMP) that followed the passage of the FedRAMP Authorization Act by Congress at the end of last year. Since its inception, FedRAMP has maintained a goal of making it easy for agencies to utilize cloud services by minimizing administrative burden associated with authorization and continuous monitoring. However, the marketplace for cloud services has dramatically increased and FedRAMP leadership recognized the need to add capacity to the authorization process. I am intrigued by the idea of an alternate authorization processes, including the possibility of using Defense Department authorizations. Notably, OMB’s memo the implementation of the AI executive order directs agencies to prioritize critical and emerging technologies in FedRAMP’s authorization process, particularly generative AI. There are also opportunities to streamline continuous monitoring processes using automation. The administration has proactively sought industry feedback on FedRAMP modernization and there’s currently a healthy dialogue happening. I’ll be watching to see how the conversation evolves and what alternative authorization processes emerge.

KC: I was shocked by DoD’s decision to cancel its planned replacement of the Defense Travel System (DTS), given how long the existing DTS has been a subject of scrutiny and criticism from civilian and active duty users.

Renata Spinks is the former assistant director and deputy chief information officer for information, command, control, communications and computers (IC4) and now founder of CyberSec.

RS: After multiple rounds of protests, CACI was awarded the $2.4 billion NSA FocusedFox contract in May 2023. This follows a five-year, $284 million contract awarded in January 2023 to provide mission expertise and systems engineering support for NSA’s Cybersecurity Directorate. Former incumbents Leidos and Booz Allen Hamilton challenged the NSA’s best value determination and cost evaluation, respectively. According to the Government Accountability Office (GAO), it appears Leidos’ staffing approach lost the award. Leidos’ labor rates on average were 2% lower than the internal government cost estimate, while CACI’s rates either met or exceeded it. These lower labor rates presented a low-to-moderate risk of unsuccessful performance. I was not able to find details of the Booz Allen Hamilton protest.  I was surprised to see the lowest cost technically acceptable company –Leidos –did not win the award. This is a strong indicator of how the assessment teams are now looking more critically at the probability of success. In this effort, that is driven by skill sets, high level clearances and the ability to onboard skilled and capable personnel. Consequently, for the critical skills often required by these kinds of contracts, the costs are often an eyesore for an acquisition team who are often looking for ways to save the government money, which is great but I like to see the realistic approach being considered in contract awards.

What emerged as the biggest challenge of 2023 that will have an impact into 2024 and beyond?

GA: The development and use of AI is accelerating rapidly. It has the potential to be help

Gundeep Ahluwalia, Labor Department
Gundeep Ahluwalia is the Labor Department’s chief information officer.

ful and hurtful. It’s why we are quickly responding to the executive order that not only calls for building a responsible AI framework, but for positioning the U.S. as a global AI leader. We have stood up an AI Center of Excellence to test standards and implement AI in an ethical and responsible way. We are forming an AI advisory board that oversees governance and responsible AI frameworks, which means we build AI tools in a way that minimize bias and assure accessibility. We are using AI to support our cybersecurity posture to analyze data and prioritize threat response – and to thwart hackers and U.S. adversaries who may be using AI to launch their cyber-attacks.

MH: I’ve got a couple here. One is the Technology Modernization Fund, which is now over six years old. The program, has struggled, particularly in the eyes of Congress. It’s been interesting to watch the TMF program respond positively to some of the criticisms and concerns about project status and transparency, updating the website and trying to do a better job of highlighting the program’s successes. As we head into 2024, future funding for TMF remains an open question, and what happens in Congress in February could determine whether or not TMF continues to exist.

Another is FedRAMP, which is going through some fairly significant and needed changes as a result of the FedRAMP authorization legislation enacted last year.  How those changes are implemented and how industry – both large and small players – react, will play a large role is shaping the future of federal cloud adoption.

Finally, and this is an important one is software security. Over the past year we have been inundated with software security regulatory proposals, largely flowing from Biden’s cybersecurity executive order. The proposed software security self-attestation form, combined with the proposed software security Federal Acquisition Regulations (FAR) cases, and a host of agency specific requirements are poised to significantly increase the cost of doing business with the federal government, probably to the point where some companies will simple choose not to participate. This could have a ripple effect.

KC: A big challenge that emerged in 2023 is a decline in Congressional support for the Technology Modernization Fund (TMF), which previously received a big boost of $1 billion in the American Rescue Plan Act but now faces a more grim funding picture for 2024 and beyond. A Senate 2024 appropriations bill even proposes rescinding $290 million in unobligated TMF money, and the less draconian House version would zero out any additional 2024 funding. While the TMF had made positive impacts across the federal government, there is a lot of work to do to make this funding mechanism work as originally intended as a better mechanism to fund IT modernization and cloud initiatives that improve performance and lower costs–similar to how a corporate capital committee in the private sector chooses which IT investments to fund.

JA: The arrival of high-quality, consumer-facing generative AI made an impact in 2023 on par with the launch of the iPhone in 2007. As commercial organizations integrate GenAI tools into their operations, there will be an expectation by the public that government does the same. However, the stakes for government are much higher, making adoption a challenge in 2024 and beyond. GenAI tools built on general purpose Large Language Models (LLMs) pose the risk of producing inaccurate or biased information, which is unacceptable in a public setting. The draft Executive Order on AI creates the beginning of a good framework for agencies to use as they evaluate AI tools and manage these risks. As the EO is implemented, I expect agencies will look to GenAI tools that are based on domain-specific LLMs with smaller and more narrowly focused data sets. These models are designed for specific tasks in specific industries and are much less prone to generating incorrect or offensive content. These models are also faster and more cost-effective for agencies.

GC: While the requirements of the cyber EO being more effectively implemented across the government, the sophistication and use of AI by hackers and attackers will continue to threaten government applications and websites. In order to combat such attacks, the government will need to leverage AI in all of our cyber defenses.

RS: Securing government-issued devices, devices accessing government programs, devices that are outdated and/or not connected to the network in a continual manner with certainty are all statuses for endpoint management. The best solution to do so starts not only with identity, access, credential management, but a multi-pronged approach coupled with the ability to see what is occurring in and around your network at each endpoint and respond in real time with minimal impact to the operations and with efficient automated actions—not just as a defense mechanism but also a proactive way to support secure by design system development and postures.

Network and endpoint attacks and meeting security mandates alongside system audits will be areas of accountability not only to agencies but with leaders as well as we are noticing by most recent Security and Exchange Commission (SEC) rulings, involvement, and regulations that right now, have many chief information security officers talking about this accountability approach. Accountability will be an area of emphasis. Reporting and creating the anatomy of attack will require extensive credible visibility which also means acquiring newer technologies, training the workforce on the technology, partnering with others with an information sharing mindset as well as shifting the mindset within the values of bureaucracy to increase funding and culturally adopting and implementing emergent technology.

Agencies need the ability to centrally manage and configure its end points and devices alongside remotely locking down devices, recover data if a breach occurs and increase continuity of operations exercises to ensure preparedness and real time training like what we often see in the aviation community for pilots. Additionally, intelligence-driven posture will need to be partnered with automated support to the network. Without intelligence-driven decision making on the network, operator error, areas of focus and time to resolve will be gravely impeded. What we need to avoid is spending time on outdated information while we modernize our defenses.  This will require larger investments in the intelligence space, integrating it with enterprise IT, which is highlighted in the Defense authorization bill for 2024.


Three new story arcs of ‘As GSA’s Acquisition World Turns’

The General Services Administration got out from under one protest of a major acquisition initiative, only to be sucked right back into another protest.

Thus is the always entertaining world of federal procurement — on step forward, one step back.

Welcome to another installment of “As GSA’s Acquisition World Turns.”

This episode starts with the departure of a leading man, Sonny Hashmi, the commissioner of the Federal Acquisition Service on Dec. 29, and addition of a new (yet to be known major or minor) character, Eric Mill, as executive director for cloud strategy in GSA’s Technology Transformation Service, and the ongoing story arc of the status of several new governmentwide contracts.

New players appear, in this case ePS- National Diversity Veteran Small Business with its protest of the follow-on contract for the Commercial Platforms Initiative.

Foes are vanquished, in this case Boston Consulting Group, losing its OASIS+ bid protest at the Government Accountability Office.

And a new branch of the story line emerges with the release of the draft performance statement of work for the ASCEND cloud service blanket purchase agreement after “being in a coma” for almost 18 months.

The new player

GSA had hoped to award the next generation Commercial Platform Initiative (CPI) contract before Dec. 23 when the current contracts with Amazon, Fischer Scientific and Overstock expired.

In an expected plot twist, GSA is facing a new protest of the new contract.  ePS-National Diversity Veteran Small Business filed a complaint on Dec. 21 over their disqualification from next generation competition.

On top of that, awarding contracts tends to take longer than expected and GSA, had to extend the current three contracts through March.

GSA is expected to make anywhere between 6 and 8 awards. Along with ePS-NDVSB, other bidders may have included Amazon and Granger.

As for the new protest, ePS-NDVSB filed the protest on Dec. 21 and the Government Accountability Office has until April 1 to decide.

David Saroli, the CEO of ePS-NDVSB, said GSA’s decision to disqualify his company is perplexing. He said GSA disqualified his company around three deficiencies, even after submitting a bid, going through a live demonstration and going back and forth with email questions and answers during the fall.

The three deficiencies were: GSA said ePS-NDVSB didn’t provide the ability to have a minimum order quantity; didn’t demonstrate a data dashboard; and didn’t have a marketplace unique for government use.

Saroli said that ePS-NDVSB already provides its e-procurement platform to the Army, Air Force and two Navy commands and they meet and exceed the solicitation requirements.

“It’s clear that they misevaluated our bid. They had our capabilities in writing and visually, and they still missed it,” he said. “When you say deficiency, it means we didn’t have the capability. But we did and that means they made a big mistake on their review.”

Saroli said being left off the next generation CPI effort would not only be disheartening but it would impact small businesses.

“We are a small business,” he said. “On the platform now, we have mostly small businesses and where Amazon charges businesses 12%-15% per transaction, we charge 5% per transaction, which is important for the government and the small businesses on our platform.”

This is the second protest GSA has to contend with around the CPI solicitation. GSA took corrective action after the National Industries for the Blind, the Association for Vision Rehabilitation and Employment and the National Association for the Employment of People who are Blind filed a pre-solicitation protest in February over the mandatory sourcing requirements for products provided under the AbilityOne program.

Written out of the script, for now

Just when the plot twist around the CPI acquisition threw you for a surprise, the soap opera storyline takes a turn toward the OASIS+ acquisition.

In this part of the narrative, GSA comes out like the good looking leading character winning a climatic fist fight.

In this case, GAO denied Boston Consulting Group’s protest, which it filed in August.

GAO decided shortly after Thanksgiving that BCG’s pre-award protest didn’t have merit. BCG protested several evaluation factors in the solicitation, including the requirement for offerors disclose breakdowns of their proposed labor rates. GSA said this requirement was to ensure price reasonableness of the services any one company is offering.

BCG complained the requirement violated the Federal Acquisition Regulations and the Federal Acquisition Streamlining Act (FASA) for commercial items.

In denying the protest, GAO wrote the agency reasonably determined that assessing the individual cost drivers associated with each offeror’s unique labor rates was the only acceptable method for making reliable and accurate cost/price reasonableness determinations.

GAO also found the solicitation is consistent with FASA’s stated preference for the acquisition of commercial items as GSA took action to accommodate commercial item contractors and to encourage their participation. GAO also said no other vendor filed a protest and BCG did bid on OASIS+ in the end.

Back to the frontburner

After almost 18 months of being a backburner character, the cloud contract known as ASCEND remerges to launch a new storyline for 2024.

GSA issued its second draft performance work statement for pool 1, which is for infrastructure-and platform-as-a-service, and detailed initial thinking for pool 2, software-as-a-service, and pool 3, for cloud IT services, in late December.

Comments on the draft PWS and details about pools 2 and 3 are due by Feb. 21.

The ASCEND program first burst onto the scene back in April 2022 and GSA released the first version of draft PWS in May 2022.

“The ASCEND BPA will establish baseline requirements for acquisition, business, data, environmental, sustainability, operational and technical requirements,” GSA wrote in the draft PWS. “The BPA establishes baseline governance requirements ensuring procured cloud services and cloud related IT professional services are procured through streamlined acquisitions procedures, maximize cost avoidance and cost savings, are effectively/efficiently operated and managed and leverage the full capabilities and investments of the federal government.”

GSA is planning for a three-year base contract with one three-year option and two one-year options for a total of eight years.

The desire to use cloud services is clear across government. Deltek forecasts that agency demand for vendor-furnished cloud computing goods and services will grow from $15.9 billion in fiscal 2023 to $23.5 billion in 2027.

This is where the soap opera story arc could take a turn: Will industry and agencies see the need for another cloud BPA?

One industry source, who requested anonymity to talk about an ongoing procurement, said BPAs must be based on a bona fide need that is specifically spelled out in the solicitation. GSA says there is such a bona fide need but hasn’t yet detailed which agencies are expected to use the vehicle.

The source said agencies regularly ignore the bona fide need rule.

“It’s hard for companies to bid when there is no there. What incentive is there for people to bid on it? Why spend the money to bid if there is no guarantee anyone will use the BPA?” the source said. “GSA has a track record of BPAs that were flops. There is a lot of concerns around whether this BPA is unnecessary duplication of contracts because what the BPA is potentially offering can be bought under the schedules or other contracts today.”

GSA could still answer the bona fide need question more specifically in the final solicitation, adding some drama to the soap opera.

There are, of course, many more players in this soap opera. The new year brings more excitement over Alliant 3 and COMET version 2, and whether Polaris gets out from under the protest albatross.

So tune in next time for another edition of “As GSA’s Procurement World Turns.”


Investigations into DoD struck a chord in 2023

The Reporter’s Notebook turns 10 years old in January and I’ll admit, that caught me by surprise.

Back in 2013, I started with an idea of pulling tidbits and short items that were interesting or newsworthy, but there wasn’t quite enough there yet for a story. Like many things, it evolved into a long-form analysis driven, and sometimes investigative, feature.

The top Reporter’s Notebooks of 2023 continue to demonstrate the interest and desire for in-depth reporting, digging out more than the tidbits, but the stories behind the news.

Four of the top 10 stories focused on the Defense Department, while three followed the theme of people, jobs and agencies changing the role of agency technology leaders.

As always, I encourage you to submit ideas, suggestions, and, of course, news to me at jpmiller@federalnewsnetwork.com.

Here are the top 10 Reporter’s Notebooks of 2023:

Air Force’s corrective action fails to satisfy unsuccessful bidders for EITaaS contract

Synopsis: Bidders for the $5.7 billion enterprise-IT-as-a-service (EITaaS) wave 1 contract continued to press their case over the Air Force’s award decision to CACI the contract.

Key fact: Peraton and Accenture again have raised conflict of interest challenges stemming from CACI’s allegedly having hired former Air Force employees. The companies also allege that these individuals provided CACI with inside knowledge of, and access to, non-public competitively useful information. Through that information, Peraton and Accenture allege that CACI gained an unfair competitive advantage and therefore CACI should be excluded from the competition.

Current status: The Air Force awarded CACI the Wave 1 contract again in April and the unsuccessful bidders didn’t file new protests. Current Air Force CIO Venice Goodwine said in December EITaaS will roll out to 17 bases in fiscal 2024.

High per-license cost pushed many military services, Defense agencies away from DEOS

Synopsis: The Defense Enterprise Office Solutions (DEOS) is struggling to live up to expectations as many of the military services and defense agencies have found better and cheaper ways to accomplish the same goals.

Key fact: Multiple former government sources and industry experts say the price negotiated through the DEOS contract for O365 licenses is as much as 20% higher than what the services and Defense agencies could get through the Navy enterprise software initiative (ESI) contract.

Current status: The Defense Information Systems Agency, which runs DEOS, says it is working with the DoD chief information officer’s office and the acquisition and sustainment office to address enterprise software buying from a policy perspective. Chris Barnhurst, the deputy director of DISA, said in November that the goal is to “speak with one voice with vendors, especially for tools or software where we are using it as an enterprise. We want to buy as one and not subdividing to our own detriment.”

What to expect from the new IT/cyber/innovation House subcommittee

Synopsis: Throughout the federal technology community, there were tiny celebrations and the undercurrent of a sense of dread with the reconstitution of the House Oversight and Accountability Subcommittee on federal IT, cybersecurity and government innovation.

Key fact: Rep. Nancy Mace (R-S.C.), chairwoman of the subcommittee, offered a little insight in her press release announcing her new chairwomanship, “Securing our nation’s data, protecting our cyber infrastructure, and studying emerging technologies of the future like artificial intelligence, quantum computing, and blockchain integration is more important today than ever.”

Current status: Mace’s subcommittee held about 11 hearings, most of which focused on artificial intelligence and cybersecurity. She did not hold a Federal IT Acquisition Reform Act (FITARA) hearing at all in 2023, much to the dismay of Rep. Gerry Connolly (D-Va.), the ranking member of the subcommittee.

The reason why the Air Force pulled the plug on a huge cyber contract may surprise you

Synopsis: The Air Force took the unusual step of pulling the plug on the Enterprise Cyber Capabilities acquisition for reasons that may make sense on the surface, but was baffling to long-time acquisition experts and especially to the vendors, who spent more than a year and hundreds of thousands of dollars or more on proposals.

Key fact: Long-time acquisition experts say they can’t remember a time when an agency cancelled an acquisition because there was too much interest.

Current status: The Air Force hasn’t publicly discussed its next steps for an enterprisewide cyber capabilities contract. There are currently no open solicitations or even sources sought notices on SAM.gov that have the key words “cybersecurity services” or “cybersecurity capabilities.”

NIH breaks up its technology executive roles

Synopsis: NIH decided to separate its chief information officer role from the director of the Center for Information Technology and create two distinct positions after almost 25 years of combining the roles.

Key fact: NIH formally created the CIT in March 1998 bringing together functions and missions of its Division of Computer Research and Technology, Office of Information Resources Management, and the telecommunication branch. The position of CIT director and CIO has been one since 1998 with a handful of acting directors holding only one of the roles.

Current status: Nearly a year after splitting up the roles, NIH still doesn’t have a permanent CIO or permanent CIT director. Dennis Papula, who has been the acting CIO, and Ivor D’Souza, who has been the acting CIT director, both since January, remain their respective roles.

Login.gov’s problems further break down confidence in TTS, and now GSA

Synopsis: The third scathing inspector general report since 2016 once again reinforced how GSA headquarters can’t make the Technology Transformation Service play by the government’s rules, in turn leading agency chief information officers and other technology executives to question whether GSA, as a whole, can be trusted.

Key fact: While many technology executives said they weren’t surprised by the IG’s findings that TTS misled agencies for four years about how Login.gov met certain identity proofing requirements under the National Institute of Standards and Technology Special Publication 800-63-3, the IG report signals TTS remains a horse that cannot be broken, despite multiple attempts across multiple administrations.

Current status: GSA has detailed several changes to the management of Login.gov, including in October outlining several ways it will meet the National Institute of Standards and Technology’s 800-63-3 IAL2 guidelines. GSA says all cabinet agencies now using Login.gov for at least one program or application.

NSF joins a growing list of agencies reconfiguring its CIO’s office

Synopsis: The National Science Foundation is joining a small but growing number of agencies remaking their CIO’s office.

Key fact: Both the NSF and NIH decisions to reconfigure their CIO and technology oversight offices are the latest step in this 25-plus year evolution of the agency’s lead technology role.

Current status: Terry Carpenter became the CIO and chief technology officer at NSF in July. He came over to NSF from the Defense Counterintelligence and Security Agency where he was the CTO and program executive officer.

GSA joins EPA in putting the brakes on how employees use generative AI

Synopsis: The General Services Administration issued an instructional letter (IL) to provide an interim policy for controlled access to generative AI large language models (LLMs) from the GSA network and government furnished equipment (GFE).

Key fact: GSA’s instructional letter is one of several similar policy-like documents issued by agencies over the last few weeks. The Environmental Protection Agency in early May sent a note to staff saying it was blocking ChatGPT, OpenAI and similar sites.

Current status: President Joe Biden signed out an executive order in late October and the OMB issued a draft policy around AI on Nov. 1. Included in the proposed requirements is one that directs agencies to explore the use of generative AI tools, like ChatGPT, with “adequate safeguards and oversight mechanisms.”

Navy CDO Sasala jumps ship to the Army

Synopsis: The Navy is losing its chief data officer. Tom Sasala is joining the Army as the deputy director of the Office of Business Transformation.

Key fact: Sasala has been the Navy CDO since October 2019 after coming over to the service in April of that same year as the director of data strategy.

Current status: Duncan McCaskill remains the acting CDO nearly a year after Sasala left the position under unusual circumstances, to say the least.

GSA’s commercial platforms gaining steam, but data, other concerns persist

Synopsis: Three years into the Commercial Platforms Initiative, the vision Congress had for the initiative isn’t necessarily coming to fruition. But new data and analysis shows that doesn’t mean it’s a failure by any means. The number of agencies using the platform more than quadrupled between 2020 and 2022 to 27 and the spending, while far below initial estimates of $6 billion have increased to $40 million last fiscal year.

Key fact: The top agencies using the commercial platforms are the departments of Veterans Affairs and Agriculture.

Current status: GSA is facing a new protest over the CPI program, and had to extend the current contracts with Amazon, Fischer Scientific and Overstock an extra three months to March 2024.


FedRAMP draft memo elicits optimism, but more details needed

There is little disagreement among agency and industry technology leaders that the overhaul of the cloud security program known as FedRAMP is necessary and appropriate.

For much of the last decade, experts have mostly agreed with the spirit and intent of the Federal Risk Authorization and Management Program — to standardize and make the use of secure cloud services easier.

At the same time, over the last decade since the Office of Management and Budget launched FedRAMP in 2011, challenges have emerged like barnacles attached to a boat.

In many ways, the new draft FedRAMP memo is symbolically scraping those crustaceans off the bottom of the program to increase speed and reduce the burden on agencies and industry alike.

“I think this will be a huge improvement to FedRAMP. The improvements I’m talking about are who is managing the cloud security approvals, the resources for [the General Services Administration] and the end results if it is done in standard way,” said one agency chief information officer, who requested anonymity because they didn’t get permission to talk about a draft memo. “FedRAMP is a good program. I love the idea of a standard, but over the years there are concerns about the risk appetite among agencies depending on their missions and data. There always are concerns about whether the sponsoring agency or the Joint Authorization Board (JAB) has provided right risk assessment or a decision over the amount of risk. There usually is a pretty good amount of risk assessment and identification, and what decision you make over that. The way the memo is written, there will be a group of subject matter experts working that to come up with a more consistent way to determine and assess risk. That will help agencies make their own assessments and determine whether additional controls are needed.”

The CIO was one of six federal and industry experts to weigh in on the draft memo about what parts hit the target and what parts may have fallen a bit short. OMB is accepting comment through Dec. 22.

FedRAMP draft more than a patch

By and large, the experts applauded the draft memo for taking on some of the systemic problems with FedRAMP. At the same time, however, all wanted to see more details about how GSA’s program management office will implement the new approaches outlined in the draft memo.

Willie Hicks, the public sector chief technologist for Dynatrace, summed up why many agency and industry experts are excited for the new approach to FedRAMP after years of smaller changes like FedRAMP Ready or Tailored.

“I think those were attempts to make the process easier, more attainable for more companies and software-as-a-service (SaaS) providers, but, for lack of a better term, they were almost like patches or Band-Aids. They really didn’t address the fundamental problems,” Hicks said in an interview. “When I say problems, I go back to originally what FedRAMP was being geared toward: the infrastructure- and platform-as-a-service type of offerings and not as much geared towards SaaS. I don’t think it accounted for a lot of the problems that we see today, especially when you look at the vast number of SaaS platforms out there.”

When OMB released the draft memo, Drew Myklegard, the deputy federal CIO, specifically called out SaaS as one of the driving factors for these changes. Out of the 321 current FedRAMP authorized cloud services, 286 are SaaS, and another 125 are in process or in the ready stage. This is out of a total of 453 cloud services in all three stages in all three service types.

Source: Fedramp.gov December 2023

But experts say to get many of the small or medium businesses into the program, FedRAMP must address the cost and time commitment. By some estimates, to get a moderate authorization, it can cost several hundreds of thousands of dollars and take 12-18 months — if you are lucky.

OMB, recognizing the increasing desire by agencies to use SaaS, is focused on using automation and continuous monitoring to reduce cost, and accelerate time to approval without losing any rigor.

John Harmon, who leads the Elastic U.S. public sector cyber solutions business, said automation should help drive down costs and should make things go faster to let more SaaS companies into the market.

“How do we get SaaS-based companies excited about getting FedRAMP? I hear more small companies who don’t want to do it because it’s just too much of a headache, too expensive for them to do. And for any kind of new innovation, it’s a lot to ask,” Harmon said. “How do we make sure your federal stack is like your commercial stack? I’m really curious as to how much that could be done and honestly that’s one of the biggest things in the memo. That, plus the automation piece, if those things are really figured out properly that could solve making sure everything goes a little bit faster because it really is the problem.”

Automation is more than technology

The automation of the assessments and of continuous monitoring consistently came out as part of the memo experts lauded.

Jason Weiss, the chief operations officer of TestifySec, a software startup focused on securing the software supply chain, and former Defense Department chief software officer, said automation of controls and continuous monitoring also must include the reeducating of chief information security officers, authorizing officials and others about how these processes work.

He said the use of Open Security Controls Assessment Language (OSCAL), which is something FedRAMP has piloted, could be a key piece to this automation effort.

“The devil is in the details and the number of tools that support OSCAL, and more importantly, the number of tools across the federal government that can actually integrate and share that information,” Weiss said. “I think the challenge with the automation is if somebody uploads a machine readable format like OSCAL to FedRAMP, where is that going to be stored in the FedRAMP environment? How does a member of [the departments of Defense, Veterans Affairs or Homeland Security] gain access to that so that they can ingest it into their internal systems, and actually make sense and make a risk informed decision?”

He added figuring out the transparency and visibility through OSCAL or other machine readable formats will really affect the change most people want.

The other hot topic during several conversations revolved around the moving to the FedRAMP board and way from the JAB. Similar to the Technology Modernization Fund (TMF) board, the FedRAMP board will include seven senior officials from across the government including OMB, GSA, DHS and DoD who will establish requirements and guidelines for security assessments of cloud services.

One agency CIO, who called themselves a reluctant user of FedRAMP, said the restructuring and augmenting of the governance process is one of the most important changes. The CIO said the JAB started out strong, but over the last few years, whether it was the pandemic or other reasons, it’s been a challenging organization that hasn’t been agile as it needs to be.

Future of JAB authorizations unclear

Stephen Kovac, chief compliance officer and head of global government affairs at Zscaler, added there are some concerns about losing the marquee of the JAB authorization and what that would mean to folks who have spent millions of dollars to earn that approval.

Underneath the new FedRAMP board will be the Technical Advisory Group (TAG). Six subject matter experts will lead the TAG to provide additional expertise to FedRAMP and advise on the technical, strategic and operational direction of the program

The first agency CIO said the TAG also will be an important change because, they hope, it will come up with a more consistent way to assess risk and one that agencies can easily understand and accept to relieve some of the burden that has built up over the years.

The second CIO added the TAG should help bring more consistency to third-party assessors by identifying areas to focus on.

“How much risk am I really accepting with the cloud security package? We’ve got to the point where  teams have to go through and evaluate how the third party assessor assessed things, and almost every time in the mapping of vulnerabilities to the security controls it was completely different,” the CIO said. “I want to know that if something has a FedRAMP authorization, I want to know I can trust it and don’t have to worry about it.”

Another common theme that emerged among experts is while the draft memo is a good start, they want to see more.

While it could be another 60-to-90 days until OMB finalizes the memo after the comment due date, government and industry experts say they are looking for some sort of strategy or implementation plan from the FedRAMP program management office.

Jim Rivas, the CEO of the Cloud Security Alliance, said a key metric he will be paying attention to over the next year or more is an increase in the number of cloud providers getting through the low and moderate accreditation process.

Zscaler’s Kovac added he’d like to see more details about where the Cybersecurity and Infrastructure Security Agency fits into this discussion. There is little to no mention of CISA specifically, and Kovac said as CISA’s role in cybersecurity management and oversight has increased significantly over the last five years, leaving them out would be a grand oversight.

Finally, the second agency CIO said they will be looking for better interoperability and collaboration among agencies and the FedRAMP program office, to further decrease burdens of time and increase reciprocity.

“One challenge I’ve seen is not all agencies approach things the same when it comes to cloud services. Some are more mature and if the service they wanted couldn’t go through the JAB, it could go through the agency authorization process. While other agencies are less mature and if a service is not FedRAMP authorized, forget it, they will not use it,” the CIO said. “I would like to see more education and shepherding of the process to ensure the approach is consistent whether the cloud services goes through the JAB or agency authorization process. I think the enhanced guidance makes it consistent for all vendors too; as some say, one agency is easier than another.”

 


COMET recompete, Polaris protests keep acquisition exciting in early fiscal 2024

Just over a month into fiscal 2024 and there is no shortage of excitement and intrigue across the federal acquisition community.

The General Services Administration’s Federal Acquisition Service, which reported a record 2023 with over $100 billion in sales, is once again, at the center of a lot of the activity.

Planning for version 2 of its COMET vehicle kicked off with an industry day in September, attracting 400 companies and more than 750 registrants. GSA already is expecting COMET to play a much larger role in providing the outlet to continue to modernize their systems with a ceiling over more than $1 billion.

A current COMET contractor, who requested anonymity to talk about an active procurement, said the move toward a product mindset is a good change to the vehicle.

“With the current modernization efforts, there are some good successes because of product lines like the GSA fleet contract. For fleet, as an example, GSA asked vendors to show how you would’ve developed the product and then center the presentation around that with a big emphasis on how your team works,” the industry executive said. “GSA gave you a problem set and said ‘go work it for week and present to us how you would do this. User experience plays very much into the product line effort and that is a key feature of COMET 2.”

Dave Shive, the GSA chief information officer, said at the industry day that the scope of the follow-on contract will be larger and will build on the lessons learned over the past few years.

“Please take a look at our requirements that we express out to you very carefully. You’ll see some themes in there that are very important to the government. An example of that is GSA is pretty far along with our zero trust implementation across the four main pillars. For users and devices, we’re 100% implemented here at GSA. Across data and applications, we have considerable maturity in those spaces. We’re looking for partners who understand the basic principles of zero trust, especially at the application layer, where a lot of this work in the next generation of COMET is going to be prevalent,” Shive said. “We’re looking for partners who are going to be able to understand the application level security. Zero trust principles injected at the application level are critically important. Same thing at the data layer, knowing that the applications we build are going to have to know everything and anything about data and who’s using it so that we can apply our zero trust principles to that is going to be critically important. Same thing for customer experience.”

GSA’s COMET almost $1 billion in awards

The current COMET has been a success, according to GSA and vendors involved. So far, the agency has awarded 21 task orders worth more than $950 million to 11 different companies. The largest task order went to Booz Allen Hamilton for $247 million to create the cloud infrastructure that a lot of applications now reside on. GSA awarded COMET in 2019 to 12 companies.

“We’ve been really thankful to work with many of you in the past to develop some skill in that space so that we’re not learning how to move things to the cloud, we’re not learning how to do DevSecOps and we’re not learning how to do agile. We’re actually practicing and refining that process. We learned how to do that very well under COMET, and then the next iteration, you’ll see some reflection in our requirements about that maturity, which I think is going to be great to continue that public, private partnership,” Shive said. “One of the primary goals of COMET was to focus on modernizing, using our cloud smart strategy. We moved things to the cloud as a matter of course, it’s become our de facto norm. But we also listened to our industry partners, when we co-developed solutions to say, ‘what is the right place to host something?’ Usually, the answer is the cloud, but not completely. We’ll be smart about how we move to the cloud. Do we consider a managed service, which is another offering thing we consider? We’re looking for partners who have that broad mindset, that cloud smart mindset, with helping us do our work.”

Source: GSA industry day slides, Sept. 2023

The current COMET contractor said one big question they will be paying attention to as the acquisition continues to develop is how GSA will evaluate small businesses. The executive said under the current COMET vehicle two of the four small business winners did so well they were sized out of the contract quickly.

At the same time, industry continues to closely watch GSA’s Polaris small business contract, the OASIS+ recompete and what will happen with the ASCEND cloud blanket purchase agreement, which has been in the discussion phase for more than 18 months.

Sonny Hashmi, the FAS commissioner, said in a September interview that ASCEND continues to evolve.

“There’s a lot more to be done that front and more to come on us. I know I’ve said this before about ASCEND, I will say one blanket statement, we want to do the right thing. Rather than the expedient thing on ASCEND. There is a business case to be made for us, and we want to do it in a way that actually adds value to agencies and for the industry, so that requires some thinking,” he said. “More to come on that. This will require more engagement with industry. We’re going to be coming out with more engagement opportunities for industry partners to tell us how we structure it so that it actually adds value.”

Polaris bogged down

So while industry waits for GSA to finalize its ASCEND acquisition strategy, its other big governmentwide acquisition contract, Polaris, is facing another protest.

At issue this time is GSA’s handling of mentor-protégé and joint ventures. Akima Data Management filed a complaint with the Government Accountability Office on Oct. 31.

Akima is challenging the latest amendment, the ninth, around letting mentor-protégé joint ventures submit revised experience examples as part of their self-scoring proposal. Akima claims that change is unfair and improper. GAO has until Feb, 8 to decide the protest.

Absolute Strategic Technologies filed a second protest around Polaris on Nov. 7. This one also is focused on amendment nine, but is around changes GSA made to the proposal for cost and price, changes to the evaluation methodology and the experience of the vendors.

Absolute’s protest alleges GSA unreasonably limited the scope of what offerors may revise in their proposals and that the agency will not allow companies to update their offers beyond what they submitted on Oct. 7 with current past performance and experience information. Finally, Absolute says amendment nine unreasonably limits revisions to specific parts of proposals ignoring other parts of offerors’ proposals they should be allowed to modify.

GAO has until Feb. 15 to decide the case.

This is the second around of protests against Polaris. The small business contract received a pre-award complaint in March, and GSA took corrective action around the mentor-protégé and joint venture requirements.

Veterans Affairs $60B contract awarded

While GSA tends to receive a lot of attention around acquisition — and rightfully so —  two recent awards from the Department of Veterans Affairs also deserve some notice.

The first from VA made 30 awards under the much-anticipated Transformation Twenty-One Total Technology Next Generation 2 (T4NG2) IT services contract vehicle.

And as of Nov. 13, GAO hasn’t received any bid protests over the award — which is good news so far, but that doesn’t mean VA is out of the woods yet.

Under T4NG2, which is a 10-year contract with a $61 billion ceiling, the mix of small and large contractors will provide a range of IT services including technical support, program management, strategy planning, systems/software engineering, enterprise network engineering, cybersecurity, operations and maintenance, and other services.

The current T4NG contract has been a popular vehicle across the agency. GAO reported last December that from 2017 to 2021, VA spent about $6.4 billion.

In addition to T4NG2, VA also made an interesting award to TransUnion to help fight fraudster targeting veterans and their families.

TransUnion and Four Points Technology will provide technology to improve VA’s ability to brand and verify its calls to veterans and their families from both landline and mobile phones.

Jeffrey Huth, senior vice president of TransUnion’s public sector business, said in an email to Federal News Network, said the contract addresses the VA’s Veterans Experience goals.

“The VA currently has a challenge with reaching out to veterans and their caregivers because of incorrect or missing caller ID across the enterprise. This challenge affects all facilities and contact centers who perform outbound calling on a consistent basis to engage veterans for the purpose of informing them of relevant information and available benefits,” VA stated in its solicitation. “Outbound calling could be more successful if veterans or their caregivers knew that the number calling was a trusted VA employee.”

VA says its annual outbound call volume is about 100 million a year, and wants the services to be able to handle as much as 310 million outbound calls a year.

Fraud against veterans growing

Huth said it’s difficult to know exactly how big a problem scams are for veterans, data collected fraud in the name of other agencies demonstrates the challenge VA and every agency faces.

He said a Government Accountability Office report in 2019 found the IRS reported that from October 2013 through March 2019, the agency was contacted more than 2.4 million times by taxpayers who reported calls from fraudsters posing as the IRS, and more than 15,453 taxpayers reported losing about $75.1 million in such scams.

Combating fraud continues to be a focus areas for the agencies. Just Saturday, the White House launched the Veteran Scam and Fraud Evasion (VSAFE) campaign and task force with the Federal Trade Commission (FTC) serving as a central hub for reports of scams targeting veterans and service members.

Huth said TransUnion and Four Points Technology piloted this technology for 10 weeks in the fall of 2022 with Veterans Affairs Solid Start Program and applied the technology to more than 82,000 calls.

“The VA experienced a 20% increase in weekly successful contacts. Average call attempts for a successful contact decreased from about 2.5 to 1.9,” Huth said about the pilot. “The VA is rolling the service out across the country over the next several months and to additional programs.”


« Older Entries