“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.
Submit ideas, suggestions and news tips to Jason via email.
The U.S. Agency for International Development asked for the authority to establish a working capital fund for IT modernization in its budget request in 2019, again in 2020 and again in 2021. But as Congress finalized each fiscal year’s budget, appropriators ignored USAID’s request.
Jay Mahanand, USAID’s chief information officer, told members of the House Oversight and Reform Subcommittee on Government Operations during an April 16 hearing that despite support from the Trump administration and the Office of Management and Budget, it was unclear why the working capital fund request failed each year.
USAID isn’t alone. The departments of Education and Commerce also failed the appropriators’ gauntlet. So far, only the Small Business Administration has persuaded lawmakers to give it the authority to set up a working capital fund and transfer unexpired funds into it. SBA says in its fiscal 2021 budget request it expects to have $4 million in 2020 and another $2 million in 2021 in the fund.
Sen. Maggie Hassan (D-N.H.), chairwoman of the Homeland Security and Governmental Affairs Subcommittee on Emerging Threats and Spending Oversight, plans to fix this long-standing problem.
At the subcommittee’s April 27 hearing on legacy IT, Hassan said she plans to introduce a technical amendment to fix the Modernizing Government Technology (MGT) Act, which initially authorized every agency to create an IT modernization working capital fund. Through the WCF, agencies can bank saved money, which then can be used for future IT modernization projects.
A Hassan aide told Federal News Network that expanding working capital fund authorities was one of the main pieces of feedback from the agencies that responded to Hassan’s legacy IT oversight letters last summer, and is one of the pieces that Hassan is looking at for potential legislation. The aide didn’t say how the Senator planned to fix the MGT Act.
“This hearing is the first in a series of hearings that Senator Hassan will hold on legacy IT as chairwoman of the subcommittee,” the aide added. “Our office is working to coordinate another hearing focused on specific ways federal agencies and Congress can work to advance IT modernization and save taxpayer dollars.”
In many ways, the WCF is the more powerful of the two authorities granted to agencies under the MGT Act, more so than the much-heralded and closely watched Technology Modernization Fund (TMF).
Max Everett, the former Energy Department CIO, told the Senate subcommittee having a working capital fund would take care of long-term budget planning challenges many agencies face.
“Much of my experience, to be very frank, was robbing Peter to pay Paul. In most cases to do those modernizations, you are going to have to take money from somewhere,” Everett said. “I know that there are long-held concerns about WCFs turning into slush funds and things of that nature. But I think that simply means they need to have the appropriate oversight, but they would allow that level of longer-term planning.”
The lack of that long-term planning is another area where agencies have fallen short.
Kevin Walsh, the Government Accountability Office’s director of IT and cybersecurity, said it was disheartening that when his office looked at 10 agencies in 2019, three didn’t have a long-term IT modernization plan, five had some aspects of a plan and only two had a firm idea of what needed to be done.
“Having these plans is valuable, just getting agencies to think about it. Agencies that don’t have a documented plan, we aren’t sure what kind of resources they are able to throw at it, what kind of timeframes, and even the scope of the project,” he said. “Having some idea of what needs to be done is the most fundamental step.”
Walsh pointed back to a 2016 OMB draft memo, which would have required agencies to create and follow these plans but was never finalized, as one reason for the problem.
Tony Scott, the former federal CIO, who authored that draft policy, said in an email to Federal News Network that the goal “was to institutionalize a set of practices that would, at budget formulation time, identify for agency leadership and for appropriators top priority systems for upgrade and replacement. What I was looking for was to force deliberate decision making at budget time to either A.) accept the risk that legacy systems presented, or, B.) put money in the budget to do something about it.”
He said the annual review of top-tier systems would have covered cybersecurity and privacy risk; whether the system was still serving the mission well; its cost and whether there was a way to reduce what an agency was spending to support it; and whether the system depended on people or software that were harder and harder to find.
“The idea was to force this exercise on a periodic basis (i.e. every budget year or two), so that no-one could hide and say, ‘we didn’t know,’ or ‘no-one told us’ about these inherent risks,” he said.
Matthew Cornelius, the executive director of the Alliance for Digital Innovation, an industry association, and a former senior technology and cybersecurity advisor at OMB, said in an email to Federal News Network the draft policy received hundreds of comments, but OMB never finished reviewing them when the election of Donald Trump occurred.
“With a change in administration came a change in focus and priorities, including around IT,” he said. “Rather than take the focus the draft memo outlined, the Trump administration chose a different set of priorities to tackle first, including their own Report to the President on IT Modernization, which included lots of tasks and outcomes that drove modernization in the first half of his term. Then, with the MGT Act passing and the TMF getting stood up, OMB and GSA realized that the highest priorities for agencies in applying for TMF dollars weren’t necessarily whole-cloth legacy system replacement, so they decided to give more flexibility to agencies in the application process (as provided in M-18-12).”
The Congressional budget process makes planning to move away from legacy IT even more difficult, former agency CIOs told lawmakers.
Hassan said she advocated for biennial budgeting, where Congress makes funding decisions in year one and does oversight in year two.
“The current one-year cycle often leads to hasty decision making and neglects capital investments that take several years to implement,” she said.
Renee Wynn, the former NASA CIO, said every time an agency crosses a fiscal year with an ongoing IT project, the risk increases because of possible loss of time and/or people.
“Now you’ve disrupted your project and most likely extended when you will get that project done. That extension, if it goes on too long, means you are potentially using software that is no longer considered modern, available or could reach end of life by the time you get that system back in operation after it has been modernized,” Wynn said. “I would take my total budget and create a reserve. That reserve would be used to make sure the most critical or highest risk projects would get funding for sure going into the secondary years of their project. That way I knew they would be able to continue. If I didn’t do that, I’d run the risk of work stoppage, and then I could lose the talent of my staff, of staff from other mission areas or mission support or even contractor staff, and that would again start to slow down and add more risk to my project.”
With little expectation that Congress will move to a biennial budgeting cycle, the WCF authority becomes more critical.
Cornelius said one thing Hassan should consider as she tries to fix the MGT Act is the need to convince the appropriators why the transfer authority is so important.
“The main thing agencies need to do is to keep making the case to their appropriations subcommittees on what their IT modernization priorities are, how they would ensure appropriate oversight and execution of projects funded by an IT working capital fund, and to provide appropriations staff opportunities to provide their own recommendations,” he said. “Building this trust is key to getting Congress to provide agencies the flexibility they need to manage their finances in a way that best helps achieve their IT and security outcomes.”
It’s clear former Rep. Will Hurd (R-Texas), Rep. Gerry Connolly (D-Va.), Sen. Jerry Moran (R-Kan.) and former Sen. Tom Udall (D-N.M.) — the co-authors of the MGT Act — wanted to give all agencies the authority to create WCFs without appropriators’ approval. With a working capital fund, IT modernization planning becomes more critical, meaning agencies would have a clear path to solving two of the biggest remaining challenges to moving off legacy systems.
When the Cybersecurity and Infrastructure Security Agency released its third emergency cyber directive in the last five months, agencies were once again on notice to fix yet another critical vulnerability.
Last week’s directive detailed a potentially major problem with the virtual private network software from Pulse Secure. CISA gave agencies until April 23 to identify all instances of the software and run the Pulse Connect Secure Integrity Tool. Before this latest directive, CISA had issued one in March telling agencies to patch Microsoft Exchange servers and another in December for the SolarWinds vulnerability.
This type of fire drill is becoming far too common for agencies, and really for every business, as cyber threats ramp up, particularly against companies with global install bases.
“In thinking like an attacker, they go after Microsoft Windows because everyone has Windows. Now they are saying, who else has the biggest market share of infrastructure or products and let’s go after them,” said John Pescatore, a director at SANS. “With one exploit, they can get into 70% of the networks. That is a big target. ServiceNow is another one that we have been warning about.”
The large install base, combined with the greater reliance on technology, specifically software, means agencies aren’t necessarily facing more cyber attacks, but the potential for serious harm is much greater. This is especially true as agencies rely on connected devices and internet of things sensors or control systems that connect to the network or the public internet.
Pescatore and other cyber experts agreed that the current cyber threats are no worse today than they have been, but with the sharp increase of supply chain attacks combined with the pandemic forcing employees to work from home, CISA and agency chief information security officers seem to be constantly on high alert.
“Vulnerabilities have been and will continue to be a long-standing problem. There aren’t more vulnerabilities than before, but there is more software and as our dependence on it grows those vulnerabilities are more widespread. SolarWinds is a perfect example where a single vulnerability created a massive exposure,” said John Banghart, the senior director of technology risk management at Venable and the former National Security Council’s director for federal cybersecurity during the administration of President Barack Obama. “We saw the same thing with the Heartbleed vulnerability in 2014. That was the first time the government, and really everyone, had to think about cybersecurity attacks at this kind of scale. We knew there was a vulnerability, but we didn’t know who was or wasn’t vulnerable.”
Banghart said CISA is in better shape today than in 2014 with the authority to scan civilian agency networks and issue directives. At the same time, however, the agency’s insight into civilian agency networks remains limited.
“DHS is more effective in recognizing and sharing what the vulnerabilities are and how to fix them. But currently their only course of action right now is the ‘hair on fire’ approach where they push out this directive and rank it high because they don’t know how vulnerable agencies are so they just have to push out because it’s severe and everyone is in this worst-case scenario,” he said. “That is why we need a lot of effort to get to the fundamental problem of who is vulnerable and who isn’t and what the potential impact is. We need to be able to score it in a way that is more nuanced and more applicable to a specific organization. We have a lot of different scoring systems today and the problem isn’t just for the U.S. government, but a problem across the entire internet.”
Banghart said he is organizing a group of private sector companies and other experts to come up with a new standard vulnerability scoring system.
“Our goal is to help ensure that end user organizations have the ability to influence the standards on which they depend. If you look at a lot of work on the Common Vulnerabilities and Exposures database or the Common Vulnerability Scoring System (CVSS), a lot of it is being done by academics and security tool vendors and government folks but other critical sectors are all underrepresented. How do we ensure they are getting valuable and meaningful information?” he said. “We need a better refined and more nuanced scoring system that is not just a number that says this is a 9.5 out of 10. That isn’t super helpful, but that is what we have today.”
This type of scoring system would help address other challenges these emergency directives highlight.
Frank Cilluffo, the executive director of the McCrary Institute at Auburn University, said there is some concern over alert or threat fatigue.
“The threats are dictating the pace, but from another perspective we need to be able to walk and chew gum because other shoes may have dropped that we are unaware of or could drop soon enough,” he said. “In a weird way, we are letting our adversaries define our strategy. We are shaping our strategy around them, and it should be the other way around. To do that, it’s partially a matter of greater awareness, partially more clarity around incidents because of situational awareness improvements and partially the adversary has a vote in how they are acting.”
Banghart added any new directive will interrupt a security office’s workflow and force them to make resource decisions that may have unintended consequences later on.
“A good chief information security officer is ensuring the mission of their agency is able to function. That can sometimes mean making a decision to patch something or not,” he said. “When you get back to back to back directives, that is on top of other vulnerabilities that don’t just come from an emergency directive, you have to decide what else doesn’t get done today or this week.”
Pescatore said the directives highlight the workforce challenge agencies, and really every organization, faces for cyber talent.
The Center for Strategic and International Studies says in 2019, CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), estimated the United States faced a shortfall of almost 314,000 cybersecurity professionals. CSIS also says according to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015.
In the public sector, the workforce challenge is even bigger. The Cyberspace Solarium Commission says more than one in three cybersecurity jobs in the public sector go unfilled.
“Private industry was hit hard to apply the same patches, but the government, in particular, is suffering from brain drain with skilled security people leaving. They have not invested in hiring or training people. They have spent a lot of money that has been budgeted for cyber buying products for initiatives under the Continuous Diagnostics and Mitigation (CDM) or EINSTEIN programs, which focused on detecting the bad guys but not focused on fixing the computers. The patching is something an IT organization does and the government has been slow to address the patching side of the problem because patching needs skilled people and agencies don’t have enough of them.”
Cilluffo said the directives are forcing agencies to improve their situational awareness. While CDM and other tools have helped over the years, the urgency of these threats gives agencies a more granular view.
“You have to understand what is the real intent behind the adversary’s attack. Is it IP theft or secrets from espionage or criminal enterprises using for ransomware? You’ve got to look at it through these lenses and then decide how to respond,” he said. “From an adversarial perspective, what is the cost and the consequences of an attack that will induce change? People have been getting away with cyber murder and I’m hoping to start to see actions and steps that are not only reacting, but proactively shaping our deterrence mechanisms.”
The Oversight and Reform Committee on Friday celebrated the 11th version of the Federal IT Acquisition Reform Act (FITARA) scorecard, which it released in December.
The good news abounded from cost savings and avoidance — $22.8 billion from PortfolioStat — to no agency receiving a grade below a “D” to the retirement of the software licensing category because every agency received an “A.”
It’s clear that FITARA is having the intended impact Reps. Gerry Connolly (D-Va.), Darrell Issa (R-Calif.) and others had hoped for when Congress passed and President Barack Obama signed the bill into law in 2014.
The latest hearing on April 16 highlighted some of the ongoing challenges that agencies, Congress and the Government Accountability Office haven’t been able to solve in the six-plus years of FITARA.
Here are three takeaways from that hearing:
It wouldn’t be a FITARA hearing unless some member — usually Connolly — moaned about the Office of Management and Budget’s decision in 2019 to, once again, change the definition of data centers.
For eight years and across two administrations, the Office of Management and Budget and Congress have not seen eye-to-eye on the definition of a data center. A quick history reminder: At the heart of the matter is that OMB has, over the last eight years of the data center consolidation and optimization initiative, shifted agencies’ focus toward savings and optimization, and it removed the requirement to track and close non-tiered, or smaller, data centers. Meanwhile, Congress and GAO have wanted agencies to close down these facilities to both save money and address potential cyber vulnerabilities.
It’s unclear where the Biden administration’s OMB, and Federal Chief Information Officer Clare Martorana, will weigh in on this topic. She was scheduled to testify on Friday, but was unable to because of a family emergency. Martorana’s efforts on data center consolidation and optimization at her former agency, the Office of Personnel Management, provide little insight. OPM has only one data center, so consolidation isn’t necessarily an option, but optimization has resulted in saving more than $36 million, according to the IT Dashboard.
If the Biden administration comes down in favor of closing more data centers along with optimization and bringing back the requirement to track and close non-tiered data centers, then a bill from Rep. Katie Porter (D-Calif.) may not be necessary.
Porter said the subcommittee may have to consider legislative solutions to ensure OMB is following through on Congress’s intent under FITARA.
Connolly, who has been banging the data center drum for several years, piled on.
“You don’t get to come into compliance with FITARA by redefining what a data center is and you don’t get to come into compliance by substituting a word in the law with another that suits your purposes better and gets you off the hook,” he said. “We will insist on compliance with the law. If we have to further refine legislative language to make it very clear and unfortunately more restrictive, we will.”
Kevin Walsh, the director of Information Technology and Cybersecurity Issues at GAO, told the subcommittee agencies saved $5 billion since 2015 by closing and optimizing data centers.
He said GAO continues to encourage OMB to track and emphasize the need to close non-tiered data centers. Porter went a step further and asked whether OMB is even paying attention to GAO’s recommendations.
“It’s a push-pull. We work as collaboratively as we can but sometimes it does feel like it’s more us talking and them not listening,” Walsh said. “There are times when we have worked very collaboratively, and I don’t want to disrespect OMB or the good work they do, but on certain issues we don’t see eye-to-eye.”
It seems it’s time for OMB to have a hard conversation with the committee and GAO about the definition it will use going forward and if it’s not the one lawmakers and GAO believe is correct, then what can be done about it beyond legislation. The fact that this debate has been going on for almost eight years may be good fodder for reporters, but it’s ludicrous that a compromise can’t be struck.
Eight agencies, including the departments of Justice, Labor and State, still do not meet the spirit or intent of the Clinger-Cohen Act of 1996. These eight do not have their chief information officer report directly to the head of the agency.
Lawmakers often point to this shortcoming as a reason why agencies struggle with managing technology.
While GAO said five agencies improved their reporting structure over the history of the FITARA scorecard, only the Department of Health and Human Services improved its CIO reporting structure between the 10th and 11th versions.
Connolly said 21 of 24 agencies still have not established policies detailing the role of their CIO as required by law and guidance.
Despite this limited progress, GAO’s Walsh said FITARA has given CIOs a larger voice in the oversight and spending of the IT budget. He said there is no better example than the accumulated savings or cost avoidance of $22.8 billion from the PortfolioStat program.
“We also have seen incremental progress with CIO authorities. It’s harder to measure which have a seat at the table that they didn’t have before, but five who are now reporting to the head of the agency is the most important metric,” Walsh said.
Connolly asked if he’s seen any backsliding of CIOs’ standing. Walsh said he was not aware of any, mostly due to the attention of the committee.
The last year has made clear that technology is what keeps an agency running smoothly.
“The coronavirus pandemic has highlighted that CIOs are more essential now than ever before,” Connolly said. “Nearly every federal program, service, and function relies on IT to work. It is among the duties of the CIO to plan for agency IT needs, including the resources required to accomplish the mission. Outdated legacy systems, software and hardware, however, continually prevent agencies from providing the service the American public expects and deserves.”
But the question, then, has to come back to whether agencies have outgrown the need to mandate that CIOs have a seat at the table.
Labor CIO Gundeep Ahluwalia doesn’t report directly to the secretary, but he’s managed to revamp the agency’s approach to IT modernization, save more than $70 million and centralize common functions.
He said during the pandemic 95% of Labor’s workforce moved remote without any interruptions, and the agency onboarded 1,500 new staff virtually. Labor also closed 73 data centers, is tracking tiered and non-tiered data centers and disconnected 70% of its telecommunications and network circuits from the expiring Networx contract.
“Under the agency CIO authority enhancements category, the department has ensured IT projects use an incremental development methodology. This facilitates a regular cadence of new functionality and continuous feedback to ensure the desired outcome of program areas during the development stage,” he said in his written testimony. “The goal is to deliver value over time. In the Transparency and Risk Assessment category the department re-evaluated and refined its risk assessment criteria for major IT investments to allow the department to apply an appropriate level of focus based on the varying level of risk.”
It’s true that Labor may be an outlier when it comes to CIO authorities, but the pandemic proved the critical role technology plays and it’s hard to believe anyone will soon forget it.
Congress is ready to take another bite at getting agencies to measure the performance of their programs. This attempt has a distinct IT modernization flavor.
Connolly and Rep. Jody Hice (R-Ga.), the ranking member of the Subcommittee on Government Operations, introduced the Performance Enhancement Reform Act on April 16. It would be at least the third major bill to attempt to get agencies to develop metrics and success factors in a new way.
“This important piece of legislation would require agencies’ performance goals to meet the demands of the ever-changing performance management landscape and include data, evidence, and IT in their performance plan,” Connolly said. “The bill would also require agencies to publish their technology modernization investments, system upgrades, staff technology skills and expertise, and other resources and strategies needed and required to meet these performance goals.”
The bill also would:
“You’d think the things this bill requires would be common sense — when making an agency performance plan, use the people with the right expertise and take into account what it’s going to take to set realistic performance goals and make the plan work,” said Hice in a statement. “But that’s not always the case. This costs valuable resources, and it has to change if we want to stop wasting time and money. [W]ith the Performance Enhancement Reform Act, we are taking a step forward in bringing the federal government into the modern era by requiring agencies to coordinate better with key agency leaders and best utilize resources when creating annual performance plans. This will help maximize agency human capital, technology, and time in order to better serve American families and businesses.”
The bill comes as the debate over how valuable performance metrics are has heated up over the last few months. First OMB, under the Trump administration, removed the section of Circular A-11 that required these measures. Then OMB, under the Biden administration, put the section back into A-11.
Despite all of these efforts, GAO found in 2018 that the use of performance information to make policy decisions hadn’t changed much between 2013 and 2017.
Another bill doesn’t sound like the answer to driving performance. It sounds like a combination of training, data and consistent oversight by Congress and OMB would be more effective.
On the surface, the difference between the Biden administration and the three previous ones’ focus on IT modernization may seem like $1 billion — the amount Congress approved for the Technology Modernization Fund as part of the American Rescue Plan.
But taking a step back and digging beneath the TMF’s pot of gold, you’ll see how the last 15 years of this journey toward IT modernization is culminating under the Biden administration’s purview.
Take, for example, digital signatures. This technology has been around since the late 1990s, but only in the last year did agencies fully realize its potential. Now the Office of Management and Budget is telling agencies in the budget passback, which Federal News Network obtained, to “accelerate the adoption and utilization of electronic signatures for public facing digital forms to the fullest extent practical in alignment with OMB Memorandum M-19-17 and OMB Memorandum M-00-15.”
Keep in mind, M-00-15 is from 2000 — 21 years ago. That is how long agencies have been looking at electronic signatures. But it was only since the COVID-19 pandemic began that the government realized, “hey, this digital signature thing actually works and we, for the most part, already own the technology.”
Electronic signatures are one of four areas OMB wants agencies to focus on when it comes to modernizing websites and digital services. The others include:
“Agencies should continue to prioritize and identify funding for the modernization requests on websites and services that are highly utilized by the public, or have been identified as a high impact service provider (HISP), or are otherwise important for public engagement, as outlined in the 21st Century Integrated Digital Experience Act, (P.L. 115-336),” the passback document states.
The push for digital signatures is illustrative of how the IT modernization pieces are coming together for the Biden administration. Without the pandemic, there is no reason to believe agencies would implement digital signatures on a broader scale given the rebuffs of the last two decades.
The experience during the pandemic, combined with the financial support from Congress and the continued evolution of technologies like cloud, robotic process automation and data analytics, opens the door wider for the Biden administration than for any of the others in the last 20 years.
The TMF and the even more powerful, but less celebrated, working capital funds from the Modernizing Government Technology Act are among the most important tools Congress has given agencies in the last 25 years. This is especially true if OMB relaxes the payback model for the TMF so the loans become more like grants.
These are all reasons why IT modernization is such a bull market across agency and vendor communities.
Maria Roat, the deputy federal chief information officer, said at the recent CompTIA webinar that the TMF is about accelerating projects and enabling multi-year funding.
She said the $1 billion in the TMF coffers today will go for a variety of projects including those that focus on protecting “high value assets, improving public citizen services across the federal government, as well as improving and balancing some of the foundational technical maturity across the federal government and those common scalable services that can really drive cost efficiencies across the federal government.”
Roat pointed to one of the TMF funded projects for the Department of Housing and Urban Development as an example of the type of projects the board is looking for. HUD received $13.8 million to modernize five legacy mainframe systems.
“HUD mainframe modernization, there’s a playbook coming out of that. So other agencies, they’re going through their mainframe modernization, they can take lessons learned from HUD and apply that,” she said. “As we look to scale and accelerate the board, there’s a lot of things that we’ve already done over the last three years, as we’ve matured, that we can apply to the future funding.”
The maturity that Roat talks about has soared during the pandemic when all of the non-IT leaders realized the importance of online services, applications and systems.
Roat said the TMF is not a CIO program. It’s one for CXOs who want to “drive the success of the program.”
That comes through clearly in the passback language.
OMB doesn’t just highlight technology initiatives, but agency goals that are underpinned by technology.
Another hot-button issue that arose during the pandemic was customer service and specifically the way agencies reach citizens.
This is another example of a long-time goal, dating back to at least 1993 with the Government Performance and Results Act, which had a stated goal to “improve federal program effectiveness and public accountability by promoting a new focus on results, service quality, and customer satisfaction.”
While OMB has made customer service a cross-agency priority goal, issued more than a half a dozen memos and directives, playbooks and executive orders, and Congress has passed the GPRA Modernization Act and the E-Government Act, progress toward real improvements has seen its fits and starts.
The pandemic, however, drove home that the old ways agencies dealt with citizens — coming into the office, massive call centers and even the old Pueblo, Colorado public service announcement from the 1980s — just weren’t cutting it any more.
So OMB is building off the digital transformation COVID-19 forced many agencies to undertake by requiring agencies to spend money on these services.
“The administration is implementing a comprehensive approach to improving the equity, access, and overall delivery of federal services, which includes improving customer experience management,” the passback stated. The “levels included in passback support your High Impact Service Providers (HISPs) implementing the actions identified in their CX Action Plan. As a HISP, [your agency] should leverage funding provided to prioritize the alignment of customer feedback efforts with governmentwide measures and other activities that increase their programs’ ability to design and deliver services for the American public, consistent with the maturity model and governmentwide measures provided in Section 280 of OMB Circular A-11.”
You can talk all you want about technology and customer experience, but the pandemic, once again, provided a stark reminder that agencies are only as good as their people. It’s trite to say “people are our greatest asset” when time and again actions taken by Congress or the administration undercut that idea.
This is another opportunity for the Biden administration to build on the Trump administration’s upskilling and reskilling programs, pick up the Obama administration’s hiring reform effort and add its own mark on the process that many point to as the one main reason the government struggles in so many ways.
To this end, the Biden administration is set to take the first steps by setting up a new Hiring Assessment Line of Business and requiring agencies to fund it in 2022.
“The LoB will support the implementation efforts of effective assessments and related efforts including governmentwide hiring actions and shared certificates. These contributions must not come from existing HR budgets,” the passback stated.
The Office of Personnel Management and OMB will jointly manage the Hiring Assessment LoB and the program office will reside in OPM.
Along with the new LoB, OMB wants agencies to spend money on “rebuilding their HR workforce to support recruitment and hiring efforts.”
“Agencies are expected to allocate funds in FY 2022 for: (1) dedicated employees to form talent teams (ideally at the agency component level); (2) tools to improve hiring assessment processes; and (3) internship and Pathways Program improvements,” the passback stated. “By June 30, 2021, agencies are required to send a plan to OPM and OMB that includes milestones and expectations, broken out by components, as appropriate, for how they will form a dedicated team responsible for transitioning to using effective hiring assessments for all competitive actions as well as steps to improve their internship/pathways program.”
Few would argue that these policy directives are a good first step, but the real test will be how OMB and its new deputy director for management, Jason Miller (I know, it’s weird to write that) — once the Senate confirms him — supports, oversees and encourages agencies to not just build on the lessons of the pandemic, but normalize these and other efforts that worked so well over the last year and not take a step backward.
The White House finally moved to fill two of the remaining and most important technology leadership roles in government.
President Joe Biden said yesterday he plans to nominate Chris Inglis, the former deputy director of the National Security Agency, to be the new national cyber director in the White House, and Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security.
These two positions, along with the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER), were among the most prominent unfilled roles in the Biden administration.
Energy also announced yesterday Puesh Kumar will serve as acting principal deputy assistant secretary for CESER.
The president also plans to nominate John Tien to be deputy secretary and Robert Silvers to be the undersecretary for strategy, policy and plans at DHS.
Both Inglis and Easterly come from the private sector, but have deep ties in government. The Senate has to confirm both to their respective roles.
“If confirmed, Chris and Jen will add deep expertise, experience and leadership to our world-class cyber team, which includes the first-ever Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, as well as strong, crisis-tested professionals from the FBI to ODNI to the Department of Homeland Security to U.S. Cyber Command and the National Security Agency. I’m proud of what we are building across the U.S. government when it comes to cyber,” said Jake Sullivan, the National Security Advisor, in a statement. “We are determined to protect America’s networks and to meet the growing challenge posed by our adversaries in cyberspace — and this is the team to do it.”
Along with Senate confirmation, the next step is for the White House to complete its 60-day review of the new cyber director position.
Rep. Jim Langevin (D-R.I.) said in an interview with Federal News Network that the White House’s review will help better outline the scope of the new cyber position.
“Looking at this holistically, what I know is important to Chris and to me, is we now have a point person in charge that will coordinate our cyber defensive strategies and a person who now has the policy and budgetary authority to reach across government and compel departments and agencies to step up their game on cybersecurity and make sure they are addressing vulnerabilities,” he said. “The closest we had before was a cyber coordinator, but they lacked policy and budget authority or any teeth. It was more of a coordinating role. This is a position with the right authorities and will make a big difference for the country writ large.”
Langevin praised both pending nominations, having worked with Inglis in the past both during his time at NSA and as a commissioner on the U.S. Cyberspace Solarium Commission.
Easterly also worked at NSA as the deputy for counterterrorism as well as the White House during the Obama administration as the special assistant to the president and senior director for counterterrorism.
Before returning to federal service, Easterly was the head of firm resilience and the fusion resilience center at Morgan Stanley where she was responsible for ensuring preparedness and response to operational risks to the firm.
She also served as the cyber policy lead for the Biden-Harris Transition Team.
Easterly takes over for Chris Krebs, who was forced out by the White House in November.
She will run a CISA organization that has transformed over the last decade. It now has more authorities to oversee federal networks through tools like Binding Operational Directives (BOD) and threat hunting, which came to CISA in January as part of the Defense authorization bill.
CISA also is the beneficiary of Congressional support to the tune of $650 million in new funding from the American Rescue Plan. The Biden administration also is asking for another $110 million for CISA in the fiscal 2022 budget.
Even with both Inglis and Easterly’s nominations and expected confirmations, they still do not answer the question of who is ultimately responsible for federal cybersecurity.
Lawmakers in February called the current approach clunky and inadequate.
“I am encouraged to see the intent to nominate a director for the helm of our nation’s lead federal civilian cybersecurity agency. Ms. Easterly brings substantial credibility and a reputation of working productively between government and the private sector to increase the cybersecurity resilience of the nation,” said Rep. John Katko (R-N.Y.), ranking member of the Homeland Security Committee, in a release. “On the heels of the SolarWinds cyber campaign and the compromise of the Microsoft email server, CISA has found itself at the forefront of two significant, national cyber incidents in just the last few months. As a nation, we are at a crossroads in our strategy to defend and secure the .gov cyber space, and strong leadership is essential. I continue to call on President Biden to support desperately-needed changes to allow CISA more centralized, real-time visibility into the entirety of the civilian .gov and put CISA on a much needed path to becoming a $5 billion agency.”
Langevin said the White House cyber director has been a position he has been trying to create for more than a decade, in part to address the lack of centralized oversight and authority. He said Inglis will be the point person dealing with cyber threats and challenges both internal and external to government.
He said Easterly needs to focus on building CISA cyber capabilities.
“Right now they rely heavily on defense support of civil authorities, which is fine because they get the support they need,” Langevin said. “But going forward, we can’t and we should not rely on defense support civil authorities. For CISA to effectively fulfill their mission, it needs to grow its own cyber capabilities and we look forward to supporting that.”
If the federal acquisition workforce is ever going to make contractor evaluations meaningful, it’s going to happen this year.
The General Services Administration and Department of Homeland Security are offering two different, but equally important initiatives that either will prove that the federal community cares about past performance as a key evaluation factor or has been paying lip service to the issue since 2009.
Over the past 11 years, successive memos from the Office of Federal Procurement Policy encouraging agencies to do more research and evaluation of contractor performance on contracts have had little impact.
“We think there is a clear appetite for Contractor Performance Assessment Reporting System (CPARS), but contracting officers and industry also know the current CPARS process is broken. I think OFPP hears it from contracting officers that it’s burdensome, and they hear from contractors that it’s not resulting in fair and accurate ratings,” said Mike Smith, a former DHS director of strategic sourcing and now executive vice president at GovConRx, which has been leading the effort to revamp CPARS for much of the past two years or more. “Agencies can use CPARS data to strategically manage procurements, but there needs to be wholesale relook at it. We need to make sure it results in good information and the information is more strategic and tactically used.”
DHS and GSA will see firsthand this year if that appetite is strong enough to address the systemic problem of CPARS — too many contracting officers are saying a vendor’s performance is satisfactory for two main reasons: A lack of time to explain why the contractor was outstanding or exceptional, and to avoid any lengthy back-and-forth if a rating is below average or poor.
DHS is trying to address these shortcomings by applying artificial intelligence tools to the CPARS process.
Its program is in the middle of phase 2 where five companies are building a production-ready software tool. DHS awarded these companies — IBM, CORMAC, TrueTandem, Strongbridge and Hangar — $125,000 to demonstrate their technologies this year.
“The user community will take a look during these demos to make sure they feel like they are trustworthy solutions. We want the value to be proved out,” said Polly Hall, director of DHS’ Procurement Innovation Lab (PIL). “The demos are focusing on harder issues. They built these to be commercial solutions and using software-as-a-service (SaaS). We don’t want the federal government to buy the AI and own it. We want to buy licenses and for the tools to ingest the information and present it to us in [a] way that is useful.”
DHS and nine agency partners (the departments of Commerce, Energy, Interior, Veterans Affairs, and Health and Human Services, as well as GSA, NASA, the Air Force and the U.S. Agency for International Development) are reviewing the pilot. The agencies gave the five companies 50,000 procurement records, which they anonymized, to help train the AI.
Hall said by July DHS and its partners will decide which of the technologies should move into phase 3 and will get the software tools an authority to operate in time to launch in January.
“If we can solve some of the challenges with policy and security accreditation, we will move into phase 3 where the agency partners will test the technologies on actual solicitations. They still will do a human review, but also bring in the AI solution and compare them on real procurements to validate and compare,” she said. “The final phase would be to move into full production, and maybe create a governmentwide contract so agencies can choose which tool they want to use.”
Hall said offering the AI tools as a shared service is another possibility. She said the more agencies that use the tools, the lower the cost will be and the more value it will provide all agencies.
She said the contracting officers who have tested out the AI tools have found them valuable.
“We are cautiously optimistic and we believe everyone will see the value. This is the year where our hard work comes to bear and we either get it or not,” she said. “We need our partners and OFPP to step up and work with us to make this happen. We feel good that there has been a lot of discussions with agency CIOs and at the governmentwide level about getting through the challenges of the ATO and about addressing the hard policy issues.”
For GSA, it’s a matter of whether contracting officers pick up on the ability for vendors to provide self-assessments on specific projects.
GSA senior procurement executive Jeff Koses issued a memo in February promoting the use of vendor self-assessments as one step in the overall CPARS process.
This is something Smith and GovConRx have been promoting for the past few years.
Jim Williams, a former federal executive with GSA, the IRS and the Department of Homeland Security — now a principal with Williams Consulting LLC and an advisor for GovConRx — said contractors feel they aren’t being judged fairly and have no input into the process. He said the GSA memo is a permission slip for contracting officers to start asking for a self-assessment as part of the broader CPARS process.
“We believe this will give CPARS more balance because of the input by contractors, and it will alleviate [the] burden on contracting officers. It will produce a more accurate and fair rating,” he said.
Williams and Smith said the self-assessment would be just one piece of the puzzle, but would open the door to a wider conversation, similar to an employee doing a self-assessment for their boss. Smith said this self-assessment approach is common in the human resources sector, and there is no reason the same approach can’t be used by the acquisition workforce.
“Contractor self-assessments can save time while allowing contractors the opportunity to make their case about their performance. Getting the contractor’s point of view early on in the process may reduce the back and forth during the 60-day period contractors have to respond to a CPARS notification following the assessing official’s evaluation in the system,” Koses wrote in the memo. “A contractor actively tracking its performance may have fewer performance issues. If nothing else, editing someone else’s work is much easier and faster than creating an evaluation from scratch.”
GSA recommended contracting officers use the contract kickoff meeting after award to have initial discussions about self-assessments so the contracting officers can track performance during the full life of the program and correct any issues on an ongoing basis.
“The memo is a good first step for GSA. We would like to see OFPP issue something on a more governmentwide basis that encourages the use of contractor self-assessments,” Smith said. “You wouldn’t believe how many contracting officers refuse to take input from industry because they think they aren’t allowed to. As a contracting officer, I’d rather have a back and forth at least by midyear, if not before, so we can adjust course and have a common understanding at the end of the performance period and there are no surprises about ratings and the basis of that rating.”
Williams added that good contractors will jump at the opportunity to do a self-assessment because they will finally be able to have input into the process.
“We think this will help small businesses particularly because when contracting officers see they have done larger jobs and done them well through relevancy search and high CPARS, then they are more likely to feel comfortable with awarding them a contract,” he said. “It also will help contracting officers because they will make better decisions through data, use it as a tool to have discussions that can also be used at the task order level.”
If both initiatives turn out to be successful over the next year, it’s time for OFPP to not just issue another memo but mandate these approaches and actively promote them through the frontline forum, at industry events and on Capitol Hill. And OFPP shouldn’t wait until there is a confirmed administrator.
Final results aren’t in yet, but in all likelihood, agencies missed another deadline under the Enterprise Infrastructure Solutions (EIS) telecommunications and network modernization program.
The General Services Administration set a March 31 deadline for agencies to transition at least 50% of all services to the new contract from the Networx program.
But this deadline, unlike the previous ones, will have consequences.
The Office of Management and Budget is requiring a report from each agency by July 1 on its EIS progress.
In its budget passback guidance, which Federal News Network obtained, OMB told agencies to submit a report detailing “how it will make progress on past-due milestones and actions it will take to complete the transition before the legacy contracts expire on May 31, 2023.”
While it’s unclear if this is the first time OMB mentioned EIS in the passback, the fact that OMB is doing it now, combined with the pressure from House Oversight and Reform Committee members through the Federal IT Acquisition Reform Act (FITARA) scorecard, means agencies may be feeling a little more pressure than normal.
“I do believe with the new administration coming in the focus on security and the need to secure our national data, the emphasis is not just to get to the cloud, but how we get it to our customers and in our users. The combination of the passback is one influencer, in addition to FITARA,” said Allen Hill, the deputy assistant commissioner for category management in the Office of the IT Category (ITC) in GSA’s Federal Acquisition Service, in an interview with Federal News Network. “But more so what I consider most important is getting outdated technology off the infrastructure, it can’t do zero trust architecture. For you to get there, you have to eliminate that technology. It’s not just about saving money, it’s also about securing that national security interest, and you can’t have access to the cloud without the network, you can’t get that information to your end device without the network. You have to have security built into it from end to end, and that’s where zero trust architecture comes into play. It’s important for agencies to say ‘what is that North Star that we’re going to?’ The zero trust architecture is that, and where we can be able to work in a mobile environment because of what’s happened with the pandemic, but do it securely.”
The House committee added EIS transition as a grading factor in the 11th version of the scorecard that came out in December. The General Services Administration, the United States Agency for International Development, the Commerce Department and the Small Business Administration also saw whole letter grade drops because of their lack of progress with EIS. Five agencies — Commerce, the Department of Homeland Security, NASA, SBA and the Office of Personnel Management — received Fs on their EIS transition progress. GSA and the departments of State and Defense received D grades.
Hill said GSA will not know whether agencies met the March 31 deadline until the May timeframe when the new EIS data comes in. But even then GSA’s insight into the progress is limited.
“In terms of where agencies are, it’s hard to gauge all the agencies and where they’re at because we don’t necessarily get to see that information. We can only see it purely from an inventory perspective,” Hill said. “I do think that this is not something that is going to happen where you see steady decline of inventory. You’ll see bulk changes and inventory has been reduced as they do the necessary infrastructure updates for their network and move over to the new technologies.”
The Labor Department is one of the outliers with EIS among large agencies. It says in an April 5 tweet that it transitioned 70% of its telecom network circuits to the new contract, easily besting GSA’s goal.
Hill said the Social Security Administration is another large agency that has made significant progress in moving to EIS.
But Hill and EIS vendors acknowledge there is still a lot of work to do between now and September 2022 — agencies’ next deadline to move 100% of their network inventory to EIS.
As of Jan. 31, Hill said, out of the 212 fair opportunity solicitations expected, agencies have released 164 to industry. Of those 164, agencies have awarded 93 task orders; the remaining 48 solicitations still need to be released.
Additionally, 9 of 17 large agencies and 11 of the 25 medium agencies have awarded all of their task orders.
Hill added agencies under EIS have awarded about $14.5 billion in task orders over the last few years, and eight of the nine vendors have won some form of work under the program.
Vendors supporting the EIS program said the release of solicitations and corresponding awards picked up steam over the last three to six months. But, at the same time, the program continues to be a slog.
Several vendors said some agencies are sitting on proposals for more than a year, calling into question whether the government is missing out on cost savings and better services.
“The elongation of the award cycle is brutal. We’ve submitted bids over a year ago on some solicitations that haven’t been awarded. It makes us wonder that when the government finally does make the award, are they getting today’s technology and the appropriate cost structure?” said David Young, the senior vice president of public sector at Lumen. “We’ve attempted a couple of times on some of the more lengthy awards to ask for best and final offer, but we haven’t achieved that. If the government has a desire to get a lower cost structure, they are missing because of elongated award cycles.”
Young said in his 30 years in the federal telecommunications market, he doesn’t remember seeing timelines to award being this long. He said the fact the government isn’t asking for best-and-final offers is frustrating and surprising.
Tony Wellen, the president at BT Federal, added that when agencies are making awards, their transition schedules are aggressive.
“The fast response times are not an indictment of the process, but just fact. Agencies have a short fuse for when we are to respond to questions, and depending on the nature of the questions, it can make it difficult to get it done on time to meet deadline for bid,” he said. “The short timelines seem to benefit the incumbent contractors too.”
Young, Wellen and others say they have brought the elongated schedules to GSA’s attention.
Hill said GSA is in regular contact with agencies that haven’t awarded or released their solicitations.
“We talked about the remaining inventory that’s left for them to understand the complexity of their transition. But if they have a solicitation that has not been awarded, we especially have been reaching out, and we do suggest that they go back and update since it’s been a while,” Hill said. “The vendors have communicated to me too that they are getting better prices, understanding things a lot better and being more innovative. The competition is really good with the vendors, and it’s not just from the pricing perspective, but they’re being very innovative with what they’re offering in terms of modern solutions to eliminate the legacy technology and help us move to where we can better secure our information that is going through those circuitries.”
While vendors are offering innovation, some say agencies are not always taking full advantage of it.
Chris Smith, AT&T’s vice president for civilian and shared services, said agencies are trying to find the right balance between moving existing technologies and circuits — known as “like-for-like” — and implementing new technologies like software-defined wide area networking (SD-WAN).
“A majority of the bids we are looking at are asking for SD-WAN and other newer technologies. We still are early on implementation, but SD-WAN is mainstream now,” he said. “Cybersecurity advanced solutions has always been something individual agencies are looking at, and with the SolarWinds hack, and that incident doesn’t stand alone, we are seeing the demand for newer cybersecurity solutions as well as solutions around mobility and 5G.”
Hill said several agencies are planning for innovation over the medium term, but following the like-for-like approach more immediately. But he said the term “like-for-like” is a bit of a misnomer.
“There are some agencies that are saying ‘let’s just start out with modernization,’ while other agencies are saying, ‘let’s get it moved over, and then let’s rebaseline what we modernize in a more sequenced fashion.’ I understand that approach too because if you take moving from a legacy voice system to a modernized voice system, you don’t want your phone not working. You want to make sure that it’s updated,” he said. “If you’re taking voice and data circuits and collapsing them where they’re being leveraged, there’s a lot of tweaking that has to be done to make sure that the Voice Over IP (VOIP) works the way it’s supposed to, and making sure you have a good quality of service. Agencies are going out and asking for software defined wide area network solutions, but they may not move to it immediately because there’s a lot of infrastructure for you to move to a software defined wide area network. In addition, working with CISA and TIC 3.0 guidance also is helping to drive how Trusted Internet Connections (TIC) is being done to support the past, but also support the new zero trust network architectures that are needed.”
Robert Dapkiewicz, senior vice president and general manager for MetTel Federal, said some of the more recent task orders have asked for more transformational technology, but not at the expense of mission effectiveness.
“With one customer, they wrote their solicitation as a like-for-like transition with the understanding that they will transform at a later date. But coming out of the gate during the pandemic, they started to move to SD-WAN right away,” he said.
BT Federal’s Wellen added agencies have been more open to new or different acquisition strategies, such as splitting up large task orders into smaller ones in order to work with multiple vendors as well as asking for managed security and network services.
Dapkiewicz pointed to the Department of Homeland Security as an example of an agency taking the smaller bit approach.
Lumen’s Young and several others continued to express concerns about solicitations, particularly large RFPs, either favoring incumbents or agencies awarding incumbents follow-ons.
“EIS is packed with opportunities for agencies and GSA did an incredible job in putting the vehicle together so if an organization isn’t moving along fast enough, they should reach out to vendors or other agencies for help. And if you put together your procurement or plan a while ago, you need to look out over the horizon about what capabilities are available today and tomorrow, and how you can make the best investment in security, resilience and increase productivity and collaboration,” AT&T’s Smith said.
When the Defense Department confirmed that Deputy Secretary Kathleen Hicks decided to review the Cybersecurity Maturity Model Certification (CMMC) program, initial reactions were mixed.
Some experts said this is a significant sign that the Biden administration wants to rethink major aspects of CMMC.
Others say it’s a perfunctory review and one any new administration would undertake given the importance of the program. They say these reviews likely are happening across DoD.
A DoD spokeswoman offered little insight into the review and what its goals are.
“In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the department remains deeply committed to the security and integrity of the defense industrial base. As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process,” said Jessica Maxwell, the DoD spokeswoman in an email. “As this internal assessment is ongoing, we are not able to provide further detail. This assessment will be used to identify potential improvements to the implementation of the program.”
One former CMMC Accreditation Board member downplayed the review saying it likely was just part of the administration changeover.
Another source familiar with CMMC, who requested anonymity because they didn’t get permission to talk to the press, offered an even more restrained opinion.
“There is more support in the department and more impetus to do this than ever before based on what DoD leadership is saying the resources they are willing to commit to it,” the source said. “One of [the] things that CMMC recognizes is that they did things fast, and things will come up that they will have to course correct.”
Stacy Cummings, who is currently performing the duties of the Under Secretary of Defense for Acquisition and Sustainment, issued a memo a few weeks ago outlining two specific review areas, including CMMC implementation.
FedScoop first reported the DoD’s decision to review CMMC.
On top of this review, DoD is in the middle of delivering reports to Congress and working with the Government Accountability Office on CMMC reports and analyses. The 2021 Defense Authorization Act required the DoD chief information officer to assess each department component against the CMMC framework and report findings to congressional defense committees by March 1. Lawmakers want details on how each component “will implement relevant security measure to achieve a desired CMMC [level] or other appropriate capability and performance threshold.”
Congress also asked the Government Accountability Office to independently assess and brief Congress within six months of the CIO report’s issuance.
The NDAA also requires DoD to withhold 60% of its CMMC appropriated funding until its Office of Acquisition and Sustainment (A&S) submits a plan to Congress detailing timelines for pilot activities, the relationship with auditing or accrediting bodies, planned funding and involvement of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and its plans to train acquisition staff to implement CMMC.
Finally, by September, DoD needs to submit a report on whether it makes sense to develop a cybersecurity threat hunting program to work on defense contractor systems. While the provision didn’t specifically call out CMMC, it’s related to the entire supply chain security effort.
The source said DoD is busy developing those reports for Congress and Hicks likely will review a lot of the same information.
“This is a holistic review and not just some document drill. I think they will take [a] thoughtful look at the program to make sure everyone is comfortable,” the source said. “The team they have stood up is very knowledgeable, and the CMMC PMO isn’t concerned they will find anything wrong.”
The source said DoD expects to turn the review around quickly and not impact the program’s timeline for CMMC’s initial roll out.
The review also comes as the CMMC-AB named Matt Travis as its new CEO. Travis comes to the board after spending two years as the deputy director of the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security.
“This is an opportunity I was excited about for two reasons. This obviously allows me to continue the cyber evangelization work that I feel strongly about. But more importantly I really wanted this position for two reasons. This is really the first opportunity to stop talking about cybersecurity and actually do something about it. I hope you all appreciate how trailblazing and what a new frontier this is with CMMC and what the department is doing,” Travis said at the town hall. “This is really the long game, and doing a lot of work together to build the resilience and raising the cybersecurity baseline. The second reason I’m excited is because this is where the risk is. When you think about the DIB as one of the 16 critical infrastructures, we know the nation’s adversaries are targeting this sector and we know there are vulnerabilities, this is where the risk is. So it’s incumbent on all of us to raise our game, and this is a collective effort.”
Matt Gilbert is a principal with Baker Tilly’s government contracts advisory practice who leads a team that conducts reviews under National Institute of Standards and Technology special publications 800-53 and 800-171. He said that while he couldn’t offer any insight into the DoD review, there are several areas where DoD needs to accelerate its efforts.
“The area in which the DoD should focus is making sure there will be adequate assessors to handle the volume. The DoD might want to consider announcing a gating mechanism. A gating mechanism could restrict assessments to only those contractors that will be awarded one of the pilot contracts with the new DFARS 252.204-7021 clause,” Gilbert said in an email to Federal News Network. “Adding to the challenge, if the certified third-party assessment organizations (C3PAOs) are not timely assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), then significant portions of the provisional assessors will be on the sideline. Since all assessments need to be registered with the CMMC-AB, the DoD could give instructions that only those contractors that have the 7021 clause in a pending award should be allowed to proceed with the assessment.”
At the CMMC-AB town hall on March 30, the board reported 109 total C3PAOs and 100 provisional assessors.
The AB continues to review C3PAO applications with 332 still pending.
Ben Tchoubineh, the chairman of the CMMC-AB training committee, said the process for the C3PAO is the most complex one and still requires the level 3 assessment from the Defense Contract Management Agency.
“There is only one CMMC level 3 assessment that has been completed so far. It will take some time for the C3PAOs to be ready to go,” he said.
Part of the reason is the DCMA’s ability to conduct the level 3 assessments through its DIBCAC program.
The AB doesn’t expect the full training and certification program to be fully ready until the fall.
Two other challenges that the DoD review may address are how to improve the marking of controlled unclassified information (CUI) and how to accelerate the release of the scoping guidance to address reciprocity.
Gilbert said that without the scoping guidance, C3PAOs and contractors are likely to run into challenges and differences of opinion, since they have no authoritative literature to reference.
As for CUI, Gilbert said that if contracting officers mistakenly mislabel CUI, it could lead to some unintended consequences.
“If the requirement is tied to taking possession of CUI, this would allow a prime to issue a laptop to a sub to minimize their CMMC obligations. The sub would be saved from possessing CUI in their systems and therefore would necessitate only a level 1 certification,” he said. “The more flexibility that the DoD can provide the DIB, I think the more likely their estimates of greater than 50% of contractors only requiring level 1 will hold true.”
DoD already is seeing some delays in its CMMC roll out. Several of the initial pilots it outlined are pulling back because the service or agency’s timelines don’t match up with CMMC being ready. DoD has said the goal is not to harm the acquisition process as it stands up the CMMC program.
The source said some of the initial pilots may look at requiring their vendors to be CMMC certified within a specific amount of time after the contract is awarded.
“Contractors are frustrated because they want a list of pilots, but DoD doesn’t want to put pilots out there because it’s changing day to day,” the source said.
It’s hard to say what impact Hicks’ review will have on many of these issues. But as a first step, reviewing the program and bringing a fresh set of eyes to CMMC can only help to accelerate it, and, as Travis said, actually do something about cybersecurity and stop just talking about it.
Let’s get the jokes about the General Services Administration’s working title of its new services governmentwide acquisition contract out of the way. Today it’s known as a BIC MAC—Best-in-Class Multiple Award Contract.
Go ahead, have some fun.
It’s a contract brought to you by McDonald’s.
It’s a contract, no it’s a new pen.
April Fool’s Day is coming so Larry Allen, who’s always up for some fun, is probably already hard at work developing some fake press release about how Burger King already submitted a protest over the BIC MAC that he will send out to his friends and colleagues for a good laugh.
Whatever name GSA eventually comes up with that is not BIC MAC, the new approach to services contracting aims to shake things up in a way the federal contracting community hasn’t seen in at least five years.
GSA released the first of at least two requests for information on March 2 seeking industry feedback on some of the basic ideas around the contract like socioeconomic reserves, the initial list of functional domain areas, contract structure and much more. Responses to the 27-page survey are due March 17.
Jill Akridge, the director for Customer Account Management for the Office of Professional Services and Human Capital Categories (PSHC), an office within GSA’s Federal Acquisition Service (FAS), said at a recent ACT-IAC webinar that the goal is to reduce friction in the services market and possibly consolidate existing services contracts like the Human Capital and Training Solutions (HCATS) and the Building Maintenance and Operations vehicle to make it easier for customers.
“All of these things are concepts and they are in flux. If feedback shows that we missed the mark, we will come back and say how we pivoted our assumptions. We do want to build this with both industry and customer agencies in mind. That is the approach we will be taking moving forward,” she said. “We are trying to make the future, create better data and we are using this contract to get us there in the world of services.”
Akridge said FAS is just at the beginning of a nearly two-year effort to get the new contract in place before the OASIS vehicle sunsets. The next date is April 1 for an industry day. She said FAS will release a second RFI in the May timeframe looking at functional capabilities and source selection criteria. In the meantime, Akridge said FAS will continue with an assortment of industry and agency customer discussions.
She said that, as of now, the schedule calls for the final request for proposals to come out in early fiscal 2022 and initial awards to come in early calendar 2023.
The goal of the BIC MAC is to replace the OASIS contract, which is set to expire in 2024.
“It’s both an evolution and a departure from the OASIS contract. It’s an evolution because it’s clearly a follow on contract put out by the same team at GSA that runs OASIS. But it is a departure in that it’s broader in scope, will likely include many more vendors than OASIS and is based on less distinct capabilities to let vendors on the vehicle,” said Alan Thomas, the former commissioner of the Federal Acquisition Service at GSA and now chief operating officer at IntelliBridge. “It’s ambitious for sure, but since it’s still early I think GSA is starting by putting everything on the table and as they hear from industry and other customers, they will whittle it down and reduce any potential risks they face.”
But some wonder if GSA is trying to fix something that isn’t broken. OASIS unrestricted and small business are hugely successful contracts for professional services with more than $10 billion in sales in fiscal 2020 and $9 billion in 2019.
Roger Waldron, the president of the Coalition for Government Procurement, said on his program Off the Shelf on Federal News Network that GSA should consider the impact of making major changes to OASIS as it’s become a strategic contract for many agencies.
“The current thinking just raises lots of questions I get from industry partners about the approach. I think GSA is thinking about a larger contract with hundreds, if not thousands, of companies on the contract. It’s thinking about continuous open seasons. It would combine the two contracts so rather than have an OASIS small business and OASIS unrestricted, they would have a single contract. I think they’re looking at whether they’re going to have a pool structure or develop some sort of domain structure around NAICS codes and sub NAICS codes around the project. And they’re also looking at using section 876 so the evaluation or price will take place at the task order level rather than at the contract level,” he said. “So the companies are trying to understand what’s the business case for moving to really what is a fundamentally different approach than the current OASIS approach.”
Waldron said there are a lot of questions that still need to be answered about how the BIC MAC program will work, including how it will complement the schedules program and the overall management of the contract.
GSA’s Akridge said there are some specific differences between this new vehicle and the schedules, including the initial requirements for vendors to earn a spot on BIC MAC.
“There are capabilities that we can’t do on schedules and we tried to get authorities for it that we know are needed in the world of services like cost-type contracting, non-commercial services and unpriced aspect,” she said. “There are scope areas that schedules don’t cover as well today. We want to set this up in a way that thinks through contracting from purely a services perspective. Schedules is designed in a way that also has to accommodate products so it has some rules in there that maybe aren’t the best for services acquisitions.”
She said there are some similarities with the schedules, so FAS wants to take the best of all worlds and bring them into the new vehicle.
Akridge said there already are some discussions about adding an unpriced aspect to schedule contracts.
Intellibridge’s Thomas said he did ask about changing the schedules program to allow for different contract types when he ran FAS.
“It’s a different workforce that manages the schedule contracts than the one that runs OASIS so the skill-sets are different, which may be a challenge for them to manage cost-plus contracts,” he said. “It was a perspective that I hadn’t thought about. Schedule contracting officers have a good set of skills that are well established. The schedules program also is based on commercial offerings, while OASIS is not necessarily commercial.”
Tris Carpenter, the director of capture for Red Team Consulting, said with the changing nature of the services market and how it’s becoming more complex, GSA’s thinking for its BIC MAC is an important recognition of the changes that are happening in the federal services sector.
“The right step toward increasing integration, reducing duplication and eliminating the ‘race to qualify’ for sporadic award/on-ramp milestones,” Carpenter said. “Although the claw back of the Alliant 2 Small Business GWAC was a blow to many in the industry, it has also now created the opportunity to synchronize the major GSA GWAC portfolio (including STARS III, Polaris, and BIC MAC) into an integrated federal acquisition approach. However, GSA needs to be continuously aware of the need for transparency and representation across all industry partner types and business sizes. Most firms want to deliver and support agency missions, while growing their profitability and employee base. This includes having a fair opportunity to compete for opportunities in their specialized domain areas at a reasonable price that aligns with operating market conditions. GSA’s exploration of eliminating price at the master IDIQ level and setting a minimum set of domain award qualifications/criteria is encouraging; however, it must be clearly defined how it will be reliably applied on an ongoing basis.”
Intellibridge’s Thomas added there are three things FAS should consider as it continues to develop the BIC MAC program.
First, he said strong industry engagement must continue.
Second, FAS should continue to talk to agency customers, particularly those who are big users of OASIS and those that haven’t been, to find out why and what FAS can do to make BIC MAC more attractive.
Third, Thomas said the most difficult conversations will be internal, where FAS has to deconflict the scope with other contracts, address contract access fees and use common tools so customers receive a standard message about how to work with GSA.
The Coalition’s Waldron added GSA must also consider the impact on small businesses if it decides to go down the path of having one contract. Small firms have thrived under the OASIS small business contract, but would having one contract impact how agencies issue task orders?
“When you start combining into a single contract, then you get into all the stuff like whether the rule of two applies,” he said. “I think it behooves GSA to provide a clear statement and business case as to what it’s trying to achieve here and how it will meet customer agency missions through this vehicle because OASIS is hugely successful and meeting fundamental requirements for customer agencies like the Air Force every day. Could it be refined and are there other areas where it could be improved? Yeah, absolutely. There’s nothing that’s perfect out there. But BIC MAC seems to be, as we currently understand it, a 180-degree turn to a different approach and that raises questions.”
Questions that GSA will spend much of the next year answering.
You could see the momentum to finally push real funding to the Technology Modernization Fund building all last week.
Three nominees for key positions at the Office of Management and Budget specifically mentioned the need to put serious money behind federal agency cybersecurity and IT modernization efforts. Senate lawmakers did more than casually mention it or offer to submit questions for the record.
A draft of the Senate’s version of the American Rescue Plan — labeled a manager’s amendment — leaked out finally offering some specifics: $1 billion for the TMF, $650 million for cybersecurity and another $350 million for other related IT modernization efforts.
But it wasn’t until the Senate Budget Committee released its initial version of the bill that reality set in. Real, impactful funding for the TMF was closer than ever to crossing the finish line.
By March 6, the Senate sealed the deal with a vote of 50-49 passing the American Rescue Plan with the $2 billion for federal technology and cybersecurity efforts.
“Having $1 billion dollars in the Technology Modernization Fund is a good first step and will be critical to helping address many of the common challenges still hampering effective IT transformation across the government, such as identity management, secure data sharing, leveraging AI and other emerging technologies to enhance citizen service delivery and expanding critical cybersecurity shared services to combat persistent threats,” said Matthew Cornelius, the executive director of the Alliance for Digital Innovation, an industry association, and a former senior technology and cybersecurity advisor at OMB, in an email to Federal News Network. “Because these funds are being provided as part of this relief bill and should be used to deal with immediate challenges, it is incumbent upon OMB and the General Services Administration to use the authorities they have under the MGT Act to suspend repayment and quickly make targeted investments to the most high priority projects in one or more agencies.”
The TMF and other funding are not a done deal. The House still must pass the Senate’s version of the American Rescue Plan. That, however, is a strong likelihood given the House’s long-standing support of the TMF.
Once the House passes the legislation and President Joe Biden signs it into law, along with the TMF receiving $1 billion — it never received more than $100 million at a time — the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security would receive $650 million to shore up federal networks from cyber vulnerabilities, the U.S. Digital Service would receive $200 million and the Federal Citizen Services Fund would get $150 million.
The Biden administration called for $9 billion for the TMF and another $1 billion for cybersecurity and IT modernization efforts to address the “urgent national security issue.”
“The American Rescue Plan emphasizes the importance of modernizing federal information technology and bolstering governments’ cybersecurity. These investments in technology infrastructure and tools are an important down payment on helping to deliver modern and secure citizen services and critical networks. We commend the U.S. Senate for prioritizing this vital need and urge the U.S. House of Representatives to approve the measure,” said Jason Oxman, president and CEO of the IT Industry Council, in a statement.
ADI’s Cornelius added that while the initial funding is a great start, Congress and the administration must continue to work toward addressing the legacy technical debt.
“We fully expect that any forthcoming jobs package will include digital infrastructure and technology investments to spur economic growth and improve digital service delivery in both the public and private sectors,” he said.
In addition to the funding for the TMF and other cybersecurity and IT initiatives, the Senate bill included the extension of the Section 3610 authorities to let agencies pay contractors if they cannot work during the pandemic.
Industry associations pressed lawmakers to move the sunset date from March 31 to Sept. 30.
Professional Services Council president and CEO David Berteau praised the work of Sens. Mark Warner (D-Va.) and Marco Rubio (R-Fla.), the chairman and vice chairman, respectively, of the Intelligence Committee.
“With so much uncertainty around safe access to workplaces, now is not the time to let up on COVID-19 protections. If enacted, this extension will help the federal government continue to access the highly skilled, cleared and trusted contractor workforce needed to meet mission needs,” Berteau said in a statement.
National Defense Industrial Association also applauded the Senate’s passage of the 3610 extension.
“Extending 3610 and safeguarding the defense industrial base workforce is critical to our national security today and, more importantly, into the future,” said Hawk Carlisle, NDIA president and CEO.
The fact that the Senate is supporting $1 billion for the TMF means that OMB must do its part and figure out what its version of transparency looks like and offer 110% of it. This is the Biden administration’s big opportunity to reverse decades of neglect and mistrust; let’s hope, for every agency’s sake, it doesn’t revert to the actions of the last three administrations when it comes to communicating about the funding.