Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Where is the cloud going next? Ask USDA, GSA

The Agriculture Department and the General Services Administration have been out in front of the federal government’s move to the cloud for a decade.

USDA was among the first agencies to move its email to the cloud in 2010. It also was the first agency to test out the IT Centers of Excellence, which included a specific focus on data center consolidation and cloud adoption.

GSA, both internally and from an acquisition perspective, has made cloud services a focus since it bucked the trend and moved to Google for office productivity tools and launched an email-as-a-service contract vehicle in 2011.

So, like the old EF Hutton commercial — I know I’m dating myself — when GSA and USDA talk, other agencies should listen.

The latest examples of where the federal cloud effort is heading next, what could be called the third phase of this journey, are focused on governance, or in less boring terms, controlling cloud sprawl, herding the cloud cats, or — well, you get it.

“I do think agencies are trying to figure out what the governance model is and how can they manage all their different subscriptions,” said Susie Adams, the chief technology officer for Microsoft federal sales, in an interview with Federal News Network. “What we are seeing is agencies are taking a hard look at DevSecOps, and what tools, what policies and procedures and how automation can be used to deploy software and capabilities into the different clouds. The trend we also are seeing is around Kubernetes clusters and running containers on multiple platforms and managing them through a single pane of glass.”

USDA’s new cloud working group is all about creating that single pane of glass.

Gary Washington, the Agriculture chief information officer, said the internal CIO council created the group in July.

“The USDA Cloud Working Group is an Office of the CIO and mission area collaboration effort to identify and document best practices and lessons learned regarding all aspects of cloud adoption, purchasing, implementation, management and impact on the USDA mission,” Washington said in an email to Federal News Network. “This working group is co-chaired by mission area assistant CIO Sergio McKenzie of the Market and Regulatory Programs (MRP) and associate CIO of Digital Infrastructure (DISC) David Peters, from my organization. All mission areas and OCIO centers are represented on this working group and will participate in the working group’s initial projects.”

While Washington didn’t identify the initial projects, he said the working group generally will meet every two weeks, particularly for the first 90 days, when it is focused on cloud adoption and management deliverables.

“A USDA-wide cloud adoption and management vision along with its associated implementation strategies that advance mission delivery on behalf of every program throughout USDA,” Washington said. “We expect the work group to assess our cloud acquisition approaches and policies. We expect a cloud community of practice to be a logical outcome of this working group.”

Over both the short and long term, the working group’s goal is to change cloud from a back-office network issue into one that the mission and program areas own.

“The group’s goal is to drive continuous improvement in the delivery of USDA’s mission through continued IT modernization and updated policies to support the technology. Cloud technology can improve USDA’s mission by improving the interfaces that USDA interacts with its stakeholders, accelerating the sharing and analysis of data, and reducing total cost of operations,” Washington said. “The increased awareness and standardization elements should also have strong incremental benefits that enable continued security management and Federal IT Acquisition Reform Act (FITARA) score improvement as well.”

Microsoft Federal’s Adams said that while she is not specifically familiar with USDA’s working group, many agencies are trying to bring some semblance of order to their cloud efforts.

“The main trend I’m seeing is how to grasp all of this and make it more prescriptive for people who are deploying services. How can we create landing zones or infrastructure-as-code and compliance-as-code so you are running scripts and put governance on top of it all,” she said. “It’s based on rules-based access so they can’t modify and change it. You are managing how folks are deploying and managing cloud instances and making sure it’s secure. We get a lot of questions about what is a good governance model, and how can it be managed so you are keeping your finger on the pulse in this hybrid world.”
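Compliance-as-code of the kind Adams describes is, at its simplest, a set of rules evaluated against the deployment plan before anything is applied, with the pipeline refusing to proceed when a rule fires. The following is an added illustration and not code from USDA, GSA or Microsoft; the plan structure, resource types, field names, rule identifiers and required tags are all constructed for the example.

```python
"""Compliance-as-code check over an infrastructure-as-code plan.

Added illustration: not USDA, GSA or Microsoft code. The plan below is a
constructed, simplified list of resources (not a real Terraform or ARM
format), and the three rules stand in for whatever a landing-zone baseline
would actually require.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple

REQUIRED_TAGS = ("owner", "system")   # assumed tagging policy for the baseline
ADMIN_PORTS = {22, 3389}              # SSH and RDP: never open to the world


@dataclass(frozen=True)
class Finding:
    rule_id: str
    address: str
    message: str


def check_bucket(res: Dict) -> Optional[str]:
    """Storage must be encrypted at rest and closed to anonymous access."""
    cfg = res["config"]
    problems = []
    if not cfg.get("encryption_enabled", False):
        problems.append("server-side encryption is disabled")
    if not cfg.get("block_public_access", False):
        problems.append("public access is not blocked")
    return "; ".join(problems) or None


def check_security_group(res: Dict) -> Optional[str]:
    """No ingress rule may expose an admin port to 0.0.0.0/0 or ::/0."""
    for rule in res["config"].get("ingress", []):
        if ip_network(rule["cidr"], strict=False).prefixlen != 0:
            continue  # a scoped CIDR, not the whole internet
        exposed = ADMIN_PORTS & set(range(rule["from_port"], rule["to_port"] + 1))
        if exposed:
            return f"ingress from {rule['cidr']} reaches admin port(s) {sorted(exposed)}"
    return None


def check_tags(res: Dict) -> Optional[str]:
    """Every resource must carry the tags that governance reporting relies on."""
    tags = res["config"].get("tags", {})
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    return f"missing required tag(s): {', '.join(missing)}" if missing else None


# (rule id, resource types it applies to, check); "*" means every type.
RULES: List[Tuple[str, Set[str], Callable[[Dict], Optional[str]]]] = [
    ("STOR-001", {"storage_bucket"}, check_bucket),
    ("NET-001", {"security_group"}, check_security_group),
    ("TAG-001", {"*"}, check_tags),
]


def evaluate(plan: List[Dict], rules=RULES) -> List[Finding]:
    """Run every applicable rule over every planned resource."""
    findings = []
    for res in plan:
        for rule_id, types, check in rules:
            if "*" in types or res["type"] in types:
                msg = check(res)
                if msg:
                    findings.append(Finding(rule_id, res["address"], msg))
    return findings


def deploy_allowed(plan: List[Dict]) -> bool:
    """Pipeline gate: the plan may be applied only if no rule fires."""
    return not evaluate(plan)


# Constructed sample plan: one compliant bucket, one bad bucket, one bastion
# with SSH open to the world, and one web tier that is fine.
SAMPLE_PLAN = [
    {"type": "storage_bucket", "address": "storage_bucket.ag_data",
     "config": {"encryption_enabled": True, "block_public_access": True,
                "tags": {"owner": "mrp", "system": "ag-data"}}},
    {"type": "storage_bucket", "address": "storage_bucket.scratch",
     "config": {"encryption_enabled": False, "block_public_access": False,
                "tags": {"owner": "disc"}}},
    {"type": "security_group", "address": "security_group.bastion",
     "config": {"ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}],
                "tags": {"owner": "disc", "system": "bastion"}}},
    {"type": "security_group", "address": "security_group.web",
     "config": {"ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}],
                "tags": {"owner": "mrp", "system": "portal"}}},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_PLAN):
        print(f"{f.rule_id:9} {f.address:30} {f.message}")
    print("deploy allowed:", deploy_allowed(SAMPLE_PLAN))
```

The point of putting the rules in code rather than in a policy document is the last function: the pipeline, not a person, decides whether the plan goes out, and the same rules apply whichever cloud the plan targets.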

Cloud marketplace RFI coming soon

This hybrid world that most agencies will continue to live in for the foreseeable future is driving GSA’s latest effort.

In the coming weeks, GSA will release a request for information (RFI) to create a cloud marketplace bringing together service providers, integrators and other vendors to create a one-stop shop for implementation and management of cloud services.

Laura Stanton, GSA’s assistant commissioner of the Office of the IT Category in the Federal Acquisition Service, said at the recent GSA industry day sponsored by FCW that phase one of the marketplace should be in place in fiscal 2022.

“We are beginning to understand more about how agencies need to be able to buy cloud and once they buy it, how they need to govern and manage it,” she said. “We want to put together a framework and a contractual vehicle that will allow the agencies to buy these core cloud services that we are seeing them need more and more.”

The need for support services has been a common theme across this journey to the cloud.

The evolution of cloud buying started back in 2011 with the email-as-a-service blanket purchase agreement, which for all intents and purposes came about too soon and struggled. GSA soon after created a cloud special item number (SIN) under its schedules program. And then it developed blanket purchase agreements on top of the schedules for things like the Defense Department’s Defense Enterprise Office Solutions (DEOS) contract.

Stanton said the marketplace will provide agencies a more agile framework for buying and managing cloud services.

“We’ve learned a couple of things. There is a whole post-award governance that agencies need to manage their cloud services. We know that there are professional IT services agencies need when they buy the licenses,” she said. “So instead of having to do those separately or each agency having to build in the necessary requirements, or even having to build in their own separate baseline security requirements with FedRAMP, we are looking at what are those foundational set of requirements, say FedRAMP moderate, and how do we build them into the marketplace so agencies don’t have to worry about it. They can get everything they need to be able to develop an entire cloud solution. Part of the reason for that is we keep hearing agencies have to go to multiple places to buy cloud.”

What GSA and USDA’s initiatives continue to demonstrate is that there is no one approach to managing cloud services. But, as Microsoft Federal’s Adams said, whether an agency takes a centralized or a decentralized approach, many of the questions are the same: How best can you secure the cloud? How best can you manage the services? And how can you use cloud to support mission goals?

“A lot of times IT shops are still run as traditional IT shops where they control the modernization projects, so the next thing we will start to see is a change where the mission owners will get funding to be able to modernize and the IT shop will provide governance and management of the environments.”

It’s clear the future of cloud services will be driven by mission needs, putting the pressure on the CIO shops to create the guardrails that ensure success.


Industry’s patience wearing thin with DoD’s CMMC, GSA’s follow-on to OASIS

Industry frustrations are rising. Whether it’s a lack of communication from agencies or a lack of patience from contractors, the honeymoon for the Biden administration seems to be ending with the late summer heat.

Two recent letters from industry associations demonstrate this waning patience.

First, the Coalition for Government Procurement sent the General Services Administration a letter in late August detailing more specific concerns with the OASIS contract vehicle replacement strategy.

Then just on Sept. 9, three associations — the IT Industry Council, the Professional Services Council and the National Defense Industrial Association (NDIA) — sent the Defense Department a letter detailing new and long-standing concerns about the Cybersecurity Maturity Model Certification (CMMC) program.

“Here we sit eight months into the administration, we had that summer lull and now as folks are coming back they expect things to move forward and that is where we are,” said Mike Hettinger, managing principal of Hettinger Strategy Group and a former Hill staff member. “If you look back over previous years, there is a hype cycle to a new administration. I remember feeling this way during [the] Obama administration, nine or 10 months in, there is a sense with every administration, let’s get going.”

That feeling is clear in the ITI Council, PSC and NDIA letter to Kathleen Hicks, the deputy secretary of Defense.

“Currently, our collective members are facing critical decision points that will impact their budgets, strategic planning and resource allocation without the benefit of knowing the status of DoD cybersecurity policy implementation. Further, the continued proliferation of federal cybersecurity requirements at the agency level compounds this uncertainty as it remains unclear how DoD requirements will align with those required by other federal agencies. This causes operational impacts that result in procurement inefficiencies and contractual modifications that are passed on to the government,” the associations wrote. “Without a statement of support for cybersecurity assurance, we are concerned that some companies may continue to delay implementation of important security practices pending an understanding of the final requirements.”

The Defense Department basically has gone dark in providing updates about CMMC.

The Pentagon launched a review of the program in April and offered a bit of an update during speeches and congressional testimony through June.

But since late June, there has been little, if any, public discussion about CMMC, leaving industry holding its collective breath.

Increased level of uncertainty

The three associations asked DoD for more clarity about the review process because it has increased the level of uncertainty throughout the defense industrial base.

“Changes to CMMC, for example, would conceivably impact the timeline, scope, and manner of implementation for program requirements. Considering this uncertainty, contractors, subcontractors, and suppliers may defer substantial investments pending communication and greater certainty about the program’s requirements,” the letter stated. “Simultaneously, companies will find it easier to develop innovative services, technologies, and processes to fit their needs if they clearly understand requirements, practices and operational efficiencies. The initial public announcement of CMMC and the interim DFARS rule motivated many companies to work diligently to improve their cybersecurity practices. We believe that increased communications and reinitiating collaboration in the areas detailed below will build on the initial success to further improve our nation’s security posture across the dynamic threat landscape.”

Hettinger said DoD’s lack of updates about its plans for CMMC also is causing rumors to swirl, such as that the Pentagon may delay implementation for a few years.

“There is the sense, particularly around CMMC, that we have been waiting for guidance or updates and nothing has come,” he said. “There is a sense that contractors are ready to take the next step and want more information from DoD.”

ITI, PSC and NDIA offer six recommendations for how DoD could improve CMMC.

“[W]e see an increasingly urgent need to standardize and improve the marking practices for the department’s controlled unclassified information (CUI) requiring protection and dissemination instructions. Currently, DoD agencies must only list what the department has described in the National Archives and Records Administration (NARA) CUI registry as CUI requiring protection,” the letter stated. “Recently, however, DIB members have been encountering DoD agencies that require the protection of all the 100-plus federal agency specific categories in the NARA CUI Registry without an attempt to identify the particular categories that relate to contract performance. For the CUI program to work, it is imperative that all DoD agencies involved in all acquisition contracts clearly, accurately, and correctly identify, define, and describe the CUI requiring protection.”

Another area of concern that the associations want DoD to address is the Defense Federal Acquisition Regulation Supplement (DFARS) interim rule from September 2020 that implements CMMC. The groups say DoD officials indicated that an updated DFARS rule for CMMC would not be ready until the end of calendar year 2021 — more than one year after public comments on the interim rule were submitted.

“It is unclear how those comments from 2020 on DFARS 252.204-7012, -7020, and -7021 have been or will be adjudicated. If there will be significant changes to CMMC, we encourage DoD to share those changes via a proposed rule rather than an immediate final rule,” the letter stated. “We also encourage DoD to conduct virtual public hearings if the department contemplates material changes to the present structure and methods. Such steps would demonstrate to industry that DoD is receptive to new perspectives and aware that input in the fast-moving IT industry may have changed since late 2020. It would also alleviate some of the uncertainty that the ecosystem is facing while the department completes the adjudication of received comments.”

GSA’s new services vehicle concerning

Industry input and better understanding of GSA’s plan is at the heart of the Coalition for Government Procurement’s letter to Jeff Koses, the agency’s senior procurement executive.

The CGP said GSA’s plan for the OASIS follow-on, called the services multiple award contract (MAC), is perplexing and runs contrary to the stated goals of the Federal Acquisition Service’s IT category and the administration’s category management initiative.

“The unintended consequences of the current strategy are significant. The follow-on acquisition strategy eliminates the highly successful dual contract vehicle structure, eliminating OASIS SB and OASIS in favor of a single, overarching contract vehicle for professional services. The follow-on strategy also eliminates the best value evaluation methodology for contract award that has been foundational to the success of OASIS SB and OASIS in delivering strategic mission support to customer agencies,” CGP wrote. “Finally, the follow-on strategy essentially duplicates GSA’s Multiple Award Schedule (MAS) program, increasing operational costs and complexity for customer agencies, the General Services Administration, and its industry partners.”

The duplication of the schedules program is one of the most significant concerns the association outlined.

The CGP found the services MAC would duplicate the schedules program in 14 of 15 areas, ranging from continuous open seasons, to large and small businesses in a single contract, to being able to do firm fixed price, labor hours and time and materials-type contracting.

“During [a July 22] industry day, FAS also indicated that it would rely on a dedicated team of contracting officers, including those with MAS experience. To the extent this management approach shifts services MAC workload to MAS contracting officers or otherwise diverts contracting staff from the MAS program, it raises questions about the allocation of resources and contracting support for GSA’s governmentwide contracting programs,” the letter stated. “A plan that utilizes MAS contracting officers to help administer the OASIS follow-on contracts prompts concerns about the overall impact on contracting operations and the support and development of the contracting officers. Coalition members are very concerned that already overtaxed MAS contracting officers will now be faced with additional workload, as this additional work could impact the integrity of the Schedules program. This risk of harm is not speculative. Though unquestionably successful and the single largest source of overall small business contracting, there are current workload challenges in the MAS program to be addressed. For example, concerns have been raised about the time it takes for vendors to receive a contract award or secure contract modifications.”

The coalition also said it’s unclear why GSA wants to move away from the approach used under OASIS, with one contract for large businesses and one for small businesses. And despite asking for industry input, the association said it’s apparent that GSA has all but made its decision on its approach for the services MAC.

“This decision has been made despite the fact that, as FAS announced during an industry day presentation on July 22, 2021, the business case for the follow-on strategy has yet to be completed to support its plan for the Services MAC. Under these circumstances, the credibility and utility of the business plan may be perceived, not as a discipline to identify the best contracting approach, but as a shield to defend a pre-determined contracting approach,” the letter stated. “That the OASIS follow-on strategy is a 180-degree departure from the IT Category approach raises significant questions regarding FAS’s overall market strategy and its continuing support of small business opportunities. It is difficult, from an industry partner perspective, to see how FAS reconciles the two diametrically opposed approaches. Finally, as noted, the planned elimination of a specific channel for small and disadvantaged businesses, and the associated increase in difficulty of use for agency customers and those businesses, appears to run contrary to the express goals of this administration.”

The coalition asked for a meeting with Koses to further explain its concerns and understand GSA’s plans.

These two letters are just a small sample of what portends to be a growing frustration between industry and government over these governmentwide initiatives. Hettinger said the honeymoon may be over in some areas like CMMC and the services MAC, but in others, like cybersecurity, industry, generally speaking, is quite pleased with what it has seen from agencies.

Memorial service for Rob Coen

The family of Rob Coen, a long-time federal acquisition executive who recently and unexpectedly passed away, is holding a memorial on Sept. 18 in Annapolis, Maryland, at the Calvary United Methodist Church at 12 p.m.

The memorial service will be held only in person.

“We will gather to share some of our favorite stories and to honor Rob’s memory,” the invitation states.

Coen, who worked at the General Services Administration and the National Institutes of Health’s IT Acquisition and Assessment Center, was 51 years old. In lieu of flowers, donations may be made in his memory to the David J. Coen Scholarship Fund c/o St. Agatha School, 440 Adams St. Milton, Massachusetts, 02186.


Funding OMB’s zero trust mandate may be the toughest part of the new strategy

About the time the Office of Management and Budget released its draft zero trust strategy last week, Mittal Desai, the chief information officer at the Federal Energy Regulatory Commission (FERC), was presenting his fiscal 2023 technology budget submission to the agency’s chairman and other leadership.

Desai said the first question FERC Chairman Richard Glick asked wasn’t about topline numbers or the significant increases to modernize applications and networks.

“The first question he asked was ‘do we have enough adequate security protections and do we have enough services in there to make sure we can protect our assets?’ Just hearing that from him is something that we know from the top just how important security requirements are,” Desai said during a Sept. 8 panel sponsored by the AFCEA Bethesda chapter. “They fully understand IT budgets are going to increase, these threats are frequent, these threats are constant and how do we adapt to be agile to protect our data assets?”

And it’s not just the leadership who are recognizing the need for better cyber protections. Desai said the program offices also better understand the importance of cyber protections for protecting not just agency data and networks, but their users too.

That understanding is what will make OMB’s zero trust strategy successful. Not the technology from the dozens of vendors who love to talk about zero trust; not the agency technology leaders making zero trust a key talking point and definitely not lawmakers asking ill-informed questions about “this zero trust thing.”

“As security threats continue to grow in frequency and magnitude, federal IT and cyber leaders have a responsibility to collaborate with non-IT stakeholders to meet OMB’s goals. When speaking with program managers about these mandates, I encourage federal IT and cyber teams to illustrate how the improvements in security that come with a zero trust architecture directly benefits their agency’s mission, resiliency and digital acceleration,” said Jonathan Alboum, a former CIO for the Agriculture Department and now a principal digital strategist for the federal government at ServiceNow.

Additional funding for 2022?

Like many new cybersecurity initiatives, agencies don’t necessarily have immediate funding to pay for the first year of the effort, and years two and three are dependent on congressional appropriations. While lawmakers have shown a propensity to fund cybersecurity efforts, it’s unclear whether every agency will receive enough money to meet OMB’s goals.

Karen Evans, the former administrator of e-government and IT at OMB and CIO at the Homeland Security and Energy departments, said there are ways to fund the cyber priorities within current and upcoming budgets.

“Due to the new administration and because of the SolarWinds incident, departments would have updated their budget request, different than what was submitted during the previous administration. So, additional funding should have been added to the fiscal 2022 request, which we will see what is appropriated by Congress and they have been supportive of increasing budgets for cybersecurity,” Evans said in an email to Federal News Network. “If a department did not modify their 2022 request when they could have, then they need to reprioritize on the basis of the cyber executive order and the strategy. Then, OMB is asking for a budget estimate, this is what would need to be updated and/or what they are going to submit now for 2023, which then, will go into the review cycle for the President’s budget 2023.”

In the Biden administration’s 2022 budget request to Congress, agencies asked for more than $20 billion for cybersecurity efforts, including $9.8 billion for civilian agencies, on which this draft zero trust strategy is focused. The civilian agency request is 14% higher than in 2021.

Evans has said many times over the last 20 years that while it’s hard to move money from one initiative to another, it’s possible and takes leadership from the CIO, CFO and other executives.

Drive the cyber conversation

Alboum added that while OMB promotes the use of the Technology Modernization Fund to help fund these cyber changes, that approach will not be nearly enough.

“As part of this process, all CIOs should consider investments in automated tools for hardware and software asset management. Deploying these capabilities create greater visibility across the enterprise, allowing agencies to account for all their IT resources. This is foundational to successfully implementing zero trust architectures,” he said.

Shane Barney, the chief information security officer at U.S. Citizenship and Immigration Services within DHS, said at the AFCEA Bethesda event that the draft memo gives him and others in the technology community the ability to drive the cybersecurity discussion in a new direction for leadership.

“What I appreciate most about the OMB memo, which is out for draft and comment right now, it pulls back to more of an architectural-based discussion. It’s really driving us toward understanding what our enterprise looks like, what we understand the defined trust to be, what we understand to be important within our enterprise, and, ultimately forcing us to recognize the end state goal of a zero trust model is to place your entire enterprise on a public internet,” he said. “It has been something that I’ve said numerous times and get various levels of reaction from. But having OMB state it even in a draft policy is revolutionary and welcome because it’s going to give us the ability to drive those discussion with our networking teams and talk with our leadership about what this means.”

The architectural discussion with senior leaders is never an easy one, but necessary when it comes to implementing zero trust, which impacts everything from identity and access management to application access and protections to data sharing. All of these changes will directly impact mission or programs.

Mark Forman, the first OMB administrator for e-government and IT and now executive vice president of Dynamic Integrated Services, said the draft strategy does a good job extending the discussion beyond just the zero-trust architecture to take a more comprehensive look at modern network and application design.

“Security guidance has always helped in government IT by forcing a true accounting of assets, applications and devices and this memo should result in the same,” Forman said in an email to Federal News Network. “I think it also signals a clear shift in funding away from architectures built on the basis of the ‘cyber kill chain,’ which was expensive and ultimately ineffective. The shift back to systems instead of networks is probably good since, at the end of the day, SolarWinds showed us that if systems are not secure, neither is our data or government processes running in systems on those networks.”

Draft strategy still needs work

Forman, Evans and others generally praised the memo, but also recognized it still needed some work.

For example, Forman said even with one of the draft strategy’s pillars being application security, it doesn’t talk about the need to build zero trust concepts into the DevSecOps process.

“I think this is an obvious lesson learned if the government is to improve cybersecurity,” he said. “There are three issues facing agencies in adopting and deploying zero trust architectures where the memo needs some better guidance. Transitioning agency applications to use zero trust instead of role-based access controls (RBAC) is a huge and expensive endeavor, and although the memo never specifically calls for replacing RBAC with zero trust it is inferred throughout. In addition, a core problem in the applications arena is custom interfaces that are hard to manage and keep secure (e.g. patches). The interfaces are key in deploying a zero trust architecture, but few applications owners are willing to give up their customizations let alone pay to replace them. And, of course, having agency political and program leaders maintain active support for this transition is almost impossible without a strong governance model or innate desire and knowledge by the department or agency head.”

Alboum added the focus on data throughout the memo is important because if agencies don’t know what exists, where it exists and how valuable it is to the mission, they can’t protect it.

“Federal cyber teams may not have the right safeguards in place if they don’t understand how information is used within their organization. They must understand how the work flows to accomplish the mission, so they can apply the appropriate zero trust architecture protections,” he said. “CIOs need to prioritize zero trust architecture projects based on risk, data sensitivity and related security priorities. An agency can’t adopt a zero trust architecture all at once. By leveraging their existing high-value asset program, agencies can prioritize systems and datasets that are most in need of zero trust architecture protections and apply the right security measures that can mitigate threats against our nation’s critical infrastructure.”

Need to add some teeth to the strategy

USCIS’s Barney said from his perspective there are parts of the draft strategy that need clarification, particularly the part about segmentation of networks.

“If you are in cloud you already are pushing that boundary and you need to manage that or you will pay a terrible price. I would love to see a requirement for no humans in production along those lines. Humans in production should be a break glass event, something that is an emergency. Moving product into production should be an automated pipeline. That is what we should be doing as good organizations,” he said. “I would like an extra layer added for token-based authentication, not just multi-factor but multi-tier. In other words, if you have certain accounts, like domain-level accounts, people that have rights to your organization, adding another layer of tokenization there really adds to the level of security and it’s removed and separate from your regular based privileged user access.”

He said this added token would help protect against another SolarWinds style attack.
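Both of Barney’s asks translate directly into detections: an interactive human session on a production host is only legitimate if it cites an approved break-glass ticket whose window and host scope cover it, and a domain-level (tier-0) account should never authenticate without the extra token tier. The following is an added illustration and not USCIS, DHS or OMB code; the key=value log format, the field names, the break-glass ticket register, the “hwtoken” factor label and the log lines themselves are all constructed for the example.

```python
"""Detection logic for two controls discussed above: interactive human
sessions in production outside an approved break-glass window, and tier-0
(domain-level) accounts signing in without the separate hardware-token tier.

Added illustration; not USCIS, DHS or OMB code. The key=value log format,
field names, the break-glass ticket register and the 'hwtoken' factor label
are assumptions made for this example, and the log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Any, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Ticket:
    start: datetime        # approved emergency-access window
    end: datetime
    hosts: FrozenSet[str]  # hosts the approval is scoped to


@dataclass(frozen=True)
class Alert:
    rule: str
    principal: str
    host: str
    detail: str


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line: str) -> Dict[str, Any]:
    """Turn one 'key=value key=value' line into a dict (constructed format)."""
    fields: Dict[str, Any] = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = parse_ts(fields["ts"])
    return fields


def ticket_covers(ticket: Optional[Ticket], when: datetime, host: str) -> bool:
    """A ticket only excuses access inside its window and on its listed hosts."""
    return (ticket is not None
            and ticket.start <= when <= ticket.end
            and host in ticket.hosts)


def detect(lines: List[str], tickets: Dict[str, Ticket]) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        principal, host = ev["principal"], ev["host"]
        factors = set(ev.get("auth", "").split("+"))

        # Rule 1: a human at an interactive prompt on a prod host is a
        # break-glass event, so it must cite a ticket that actually covers it.
        if (ev.get("env") == "prod" and ev.get("type") == "human"
                and ev.get("session") == "interactive"):
            ticket = tickets.get(ev.get("breakglass", ""))
            if not ticket_covers(ticket, ev["ts"], host):
                why = ("no valid break-glass ticket cited" if ticket is None
                       else "break-glass ticket outside its window or host scope")
                alerts.append(Alert("HUMAN_IN_PROD", principal, host, why))

        # Rule 2: tier-0 accounts need the extra token tier on top of MFA.
        if ev.get("tier") == "0" and "hwtoken" not in factors:
            alerts.append(Alert("TIER0_NO_HW_TOKEN", principal, host,
                                f"tier-0 sign-in with factor(s) {sorted(factors)} only"))
    return alerts


# Constructed break-glass register: one approved two-hour window on two hosts.
TICKETS = {
    "BG-2021-0142": Ticket(parse_ts("2021-09-08T14:00:00Z"),
                           parse_ts("2021-09-08T16:00:00Z"),
                           frozenset({"db-02", "dc-01"})),
}

# Constructed log: pipeline deploy, an uncovered human, a covered human, a
# tier-0 login with and without the token tier, dev access, and an expired ticket.
SAMPLE_LOG = [
    "ts=2021-09-08T14:02:11Z env=prod host=app-01 principal=svc-deploy type=service auth=workload-cert session=noninteractive",
    "ts=2021-09-08T14:10:45Z env=prod host=db-02 principal=jdoe type=human auth=mfa session=interactive",
    "ts=2021-09-08T14:12:03Z env=prod host=db-02 principal=asmith type=human auth=mfa session=interactive breakglass=BG-2021-0142",
    "ts=2021-09-08T15:00:00Z env=prod host=dc-01 principal=admin-kbrown tier=0 type=human auth=mfa session=interactive breakglass=BG-2021-0142",
    "ts=2021-09-08T15:30:00Z env=prod host=dc-01 principal=admin-kbrown tier=0 type=human auth=mfa+hwtoken session=interactive breakglass=BG-2021-0142",
    "ts=2021-09-08T15:05:00Z env=dev host=dev-07 principal=jdoe type=human auth=mfa session=interactive",
    "ts=2021-09-08T18:30:00Z env=prod host=db-02 principal=asmith type=human auth=mfa session=interactive breakglass=BG-2021-0142",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, TICKETS):
        print(f"{a.rule:18} {a.principal:13} {a.host:7} {a.detail}")
```

The expired-ticket case in the last log line is the one worth keeping: a ticket that merely exists is not enough, and the check has to be against the approved window and host scope, otherwise one emergency approval quietly becomes standing access.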

Barney also said he would like to see OMB clarify language about privileged agent use, especially with specific cyber tools, and what mitigation factors, including the monitoring and risk-based scenarios are needed.

“There is probably some need here … to add teeth,” he said. “Giving me the ability to go to my leadership and say ‘we need to make this a priority because OMB says we have to make this a priority’ really does help us at different levels. It helps us prioritize funding levels, and in meetings with budget folks.”

Evans said that “teeth” should come from the Cybersecurity and Infrastructure Security Agency (CISA) with OMB’s assistance. She said it’s clear the memo is different from the past in giving CISA the authorities to manage this initiative.

Funding, constant and consistent oversight, and long-term accountability are what will make agencies change. Let’s see if OMB and CISA have it in them this time around.


Obituary: GSA’s Rob Coen

The federal acquisition community is mourning the loss of Rob Coen, the General Services Administration’s Federal Acquisition Service’s acquisition program director for the professional services schedule (PS-MAS) and OASIS.

Coen died unexpectedly last Thursday at his home in Maryland.

Rob Coen, program manager of GSA’s OASIS contract, passed away suddenly last week.

The funeral will be held on Friday in Massachusetts.

“We are deeply saddened by the news of Rob’s sudden and unexpected passing. Rob was a friend, supportive colleague, and consummate professional. His passing has left us both shaken and heartbroken,” said Tiffany T. Hixson, the assistant commissioner for GSA’s Office of Professional Services and Human Capital Categories in FAS. “As the director of FAS’s Professional Services Program Management Division, he led the MAS-Professional Services and OASIS contract programs, using his deep knowledge and vast connections in the government contracting community to benefit both our customers and industry partners. Rob deeply believed in his work, but most importantly, he believed in the people he worked with—often serving as a mentor to those around him. Whether lending an ear or taking the time to chat, Rob was always available. While Rob’s professional accomplishments cannot be overstated, it was his humanity that made him uniquely special. Our thoughts are with his family and friends during this very challenging time.”

Coen joined federal service in 1995, working for the Small Business Administration. He later joined the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) as its deputy director and moved up to be the GWAC program director.

In his role at NITAAC, Coen oversaw the rollout of the CIO-SP3 and CIO-SP3 small business procurements and substantially increased the organization’s outreach to industry and its business. Agencies have spent more than $19 billion on CIO-SP3 and $13 billion on CIO-SP3 small business since 2012.

After joining GSA in 2016, Coen oversaw the OASIS multiple award professional services contract. Agencies have spent more than $22 billion on more than 900 task orders through this vehicle since 2015.

“I worked with Rob when he was at both NIH and GSA. He was always a thorough professional and someone who could be relied upon to give industry the straight story,” said Larry Allen, president of Allen Federal Business Partners and a federal acquisition expert. “Rob seemed to get new energy from his role managing the GSA OASIS program. He was exceptionally responsive to customer and industry questions to ensure that agencies got the most out of OASIS. He was a tremendous asset to GSA and a great colleague. Rob will be sorely missed.”

Coen often was a guest on Federal News Network. He was patient in explaining the minutiae of federal acquisition, and brought excitement and passion to his job — which showed in every interview.

His death leaves a hole in the federal acquisition community that will not be filled anytime soon.

Our condolences to Coen’s family and friends.

CIOs land new jobs

Dominic Cussatt is the new chief information officer at the State Department’s Bureau of Intelligence and Research.

Bob Costello is coming back to government to take over as the CIO of the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department.

These are just two of the latest changes in the federal technology community.

Cussatt joins State from the Department of Veterans Affairs, where he had been since 2016 and had served as acting CIO since January. His last day at VA was Aug. 27.

VA named Dr. Neil Evans, the chief officer for the Office of Connected Care in the Veterans Health Administration, as the acting CIO.

The move for Cussatt isn’t as surprising as some may think. He started his federal career with the Defense Department as deputy chief information security officer. He also served as co-chairman to the U.S. Committee on National Security Systems Subcommittee and national co-chairman to NATO Information Assurance/Cyber Defense Capability Panel in Belgium for almost two years.

Dominic Cussatt left the Veterans Affairs Department to join the State Department’s Intelligence and Research Bureau.

Cussatt also has spent time in industry with IBM, SAIC and other contractors.

Cussatt replaces Juan Conde; it’s unclear when Conde left.

As the CIO of the INR, Cussatt will support the bureau’s mission “to harness intelligence to serve U.S. diplomacy.”

Cussatt will lead the Technology and Innovation Office, which “manages intelligence IT operations and the innovation and change management processes of the Bureau. The TIO originates new ideas and innovations generated by others to include technology and production activities that support INR and IC objectives and missions.”

Costello rejoins DHS after a short stint in industry. He previously worked at U.S. Customs and Border Protection for nine years and at Immigration and Customs Enforcement for four years.

He replaced Dave Epperson, who moved from CIO to CISO of CISA in October. Sam Vasquez had been acting CIO since then.

At CBP, Costello served as the executive director for the Enterprise Networks and Technology Support Directorate for almost four years, as well as a yearlong detail as the executive director of the Border Enforcement and Management Systems Directorate.

He did a five-month stint in the private sector with World Wide Technology as a strategy adviser in their law enforcement and civilian agency division.

Joining Cussatt at State is Donna Bennett, who became the new CISO in April.

Bennett joined State from the Commerce Department where she was deputy CISO for almost three years. She also worked at FEMA as its CISO and DoD as a senior information assurance officer.

She replaces Al Bowden, who had been CISO since 2016.

And speaking of FEMA, the agency promoted Greg Edwards to be its CISO. He had been a senior technical advisor since July 2020. He joined from industry, but spent time with the Defense Information Systems Agency and NATO Communication and Information Agency.

Finally, the Air Force has a new chief technology officer.

Jay Bonci took over the role in early August, replacing Frank Konieczny, who retired in February.

“I’m rolling up my sleeves to continue the work I’ve done over the last few years supporting Air Force programs and initiatives, now in a leadership role inside of SAF/CN. My part of the mission is to empower and accelerate those on the ground by providing a cohesive enterprise architecture and service delivery strategy,” Bonci wrote on LinkedIn. “In order to continue to rise to the challenges of a modern world, we need to nail a rock solid digital foundation that works for the whole of the department, from weapon systems to commodity IT functions. This is in part prioritizing and integrating the right technological steps, developing the right adoption and enablement mechanisms, up-skilling our workforce, and making sure we are funding the correct efforts. We’ve got an amazing team assembled in SAF/CN to get that done and I’m excited for the future.”

Bonci joined the Air Force after spending 14 years at Akamai Technologies.

“It’s going to take me some time to get my legs underneath me and to resolve my outsider’s view of the world with the insider one. I intend to make LinkedIn part of the communications channel involved in this role so that industry and other government entities can have a good sense of how we are thinking and where our priorities are,” he wrote. “The Air Force and the larger Department of Defense is large and filled with numerous tribes, so I’ll be investigating and experimenting with how best to use these open-air communication platforms.”

Two technology executives leave government

Jim Russo, the branch chief of the Solutions Development Technical Account Management for enterprise technology services in the Information Technology Category in the Federal Acquisition Service at the General Services Administration, retired Aug. 27 after 41 years in the public and private sectors.

“I’m fortunate that I’ve been part of meaningful programs (especially enterprise infrastructure solutions (EIS) and commercial satellite communication COMSATCOM) while in government and especially our partnerships with DoD and CISA,” Russo said in an email.

Russo, who spent 17 years at GSA, played a key role in the development and implementation approach for the Trusted Internet Connections 3.0 architecture under the EIS program.

He said he plans to “rest, recharge and then consider possible opportunities.”

Donna Roy left as chief operating officer of the Consumer Financial Protection Bureau in August to join industry.

In a bit of a surprising move, Donna Roy, the chief operating officer and former CIO at the Consumer Financial Protection Bureau, left in July to join the private sector. She joined Guidehouse in August as strategy adviser in the company’s national security segment.

Roy returns to the sector where she spent 13 years working for DHS. She was the executive director of the Information Sharing and Services Office before joining CFPB in 2019.

“I am thrilled to join this innovative team. I am deeply honored to have served in federal service for over 20 years with so many dedicated civil servants. I am looking forward to this next chapter and the adventures it will bring!!!” Roy wrote on LinkedIn.


FASC has opportunity to bring supply chain efforts under its umbrella

There are more than 30 different supply chain security related efforts going on across government.

There are the big ones you know about like the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) initiatives and the National Institute of Standards and Technology’s Special Publication 800-161 update.

There are smaller ones like NASA SEWP’s crosswalk between 800-161 and the Open Trusted Technology Provider Standard from the Open Group. The General Services Administration also quietly put out a cyber supply chain risk management strategy in March that just saw the light about a month ago.

Basically, the proliferation of supply chain security efforts has the potential to wreak havoc on industry and agencies alike.

John Miller, the senior vice president of policy and general counsel for the Information Technology Industry Council and a member of the Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, which is sponsored by the National Risk Management Center (NRMC) in the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department, said the tipping point is near.

“If we are going to get this policy right, we need to have all the efforts coordinated and holistic. That will, among other things, create a better policy and make it easier for companies to comply,” said Miller at an event sponsored by the Center for Cybersecurity Policy and Law and NIST in early August.

The one organization that could bring all of these efforts under one umbrella is emerging from behind its Wizard of Oz curtain.

44-page final rule with few changes

The Federal Acquisition Security Council (FASC) finalized its processes, procedures and practices by releasing its final rule on Aug. 26.

The FASC, which Congress created as part of the Secure Technology Act, released the interim final rule last September. It provided the structure to how the council will oversee the supply chain risk management processes, practices and procedures.

The council changed little in the final rule, focusing mostly on technical, structural and other minor areas to help clarify and/or simplify the 44-page rule.

Only six entities submitted comments, and few of those led to even minor changes across the two main subparts.

One of the sections establishes the role of the FASC’s information sharing agency (ISA). The final rule gives the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency that responsibility. Through the ISA, the FASC will work with CISA to standardize “processes and procedures for submission and dissemination of supply chain information and facilitates the operations of a supply chain risk management (SCRM) task force under the FASC. This FASC task force consists of designated technical experts who assist the FASC in implementing its information sharing, risk analysis and risk assessment functions.”

It also prescribes mandatory and voluntary information sharing criteria and associated information protection requirements.

The other subpart outlines the FASC’s procedures to evaluate the supply chain risks brought by companies or products. It also describes how the council will recommend to DHS, the Defense Department and the Office of the Director of National Intelligence that the three lead agencies issue orders requiring the removal of products or services or excluding specific companies from future procurements. The section also details the process for issuing removal orders and exclusion orders as well as agency requests for waivers.

Waiver requires compelling justification

Joyce Corell, the assistant director of the supply chain and cyber directorate at the National Counterintelligence and Security Center in the Office of the Director of National Intelligence (ODNI), said it was important for the final rule to increase the transparency and consistency of the exclusion and removal processes.

“When we need to as a council make a recommendation and we’ve gotten information that gives us pause about a particular high-risk vendor and we’ve realized there is no mitigation available other than excluding or removing that vendor from our systems, we need to have sound criteria and repeatable processes in place,” Corell said during the Center for Cybersecurity Policy and Law and NIST event. “That is what this rulemaking is about so that we have that analytic integrity and rigor behind those risk assessments.”

Among the most “significant” changes is language specifying new requirements that agencies must meet to request an exception from a removal or exclusion order. These include providing a compelling justification and other mitigation approaches.

“Those agencies must submit their request in writing to the official who issued the order and provide specified information, including a compelling justification for the waiver and a description of any forms of risk mitigation to be undertaken if the waiver is granted,” the final rule stated.

Another area where the FASC changed the rule was in response to several commenters who asked for “further clarification of the protections that would be afforded to non-federal entities who voluntarily share information with the FASC.”

Liability protections remain unclear

The council added language to the final rule to describe the protection to information that is not otherwise publicly or commercially available that non-federal entities (NFEs) and others submit to the FASC.

“If such information is marked by the submitting NFE with the legend, ‘Confidential and Not to Be Publicly Disclosed,’ the FASC will not release the marked material to the public, except to the extent required by law,” the final rule stated.

The FASC says, however, that it “retains broad discretion to disclose information submitted by NFEs to appropriate recipients in a range of circumstances. The FASC recognizes that its retention of such broad discretion may dissuade some NFEs from submitting sensitive information. At this time, however, the FASC has chosen to prioritize greater sharing of information in appropriate circumstances over the possibility of receiving more supply chain risk information from NFEs. If the FASC determines over time that the federal government’s interests would be better served by a different weighing of priorities, the FASC may revise the rule accordingly.”

This idea of dissuading sharing of information as well as repercussions came up more than once in comments.

For instance, one commenter asked if NFEs would receive liability protection as provided under the Cybersecurity Information Sharing Act of 2015. The FASC said the final rule doesn’t address this issue, but it is coordinating with FASC member agencies to consider any intersections between CISA 2015 and the FASC’s authorities and may provide further guidance.

Another example that commenters brought up was if NFEs submit false or inaccurate information and whether they should have to “attest” to the accuracy of the information. The FASC didn’t adopt that recommendation either, saying it will continue to conduct due diligence and review information from multiple sources.

Chris DeRusha, the federal chief information security officer and chairman of the council, said now that the final rule is out, the FASC can focus on finalizing its 2022 strategic plan.

“We are thinking through how to provide the right guidance. Do we need to do some new policies on supply chain risk management for agencies to help with that? How are we going to get the right risk information to agencies and how do we assess that to make sure we are taking all the appropriate steps?” DeRusha said at the event. “We are happy to get through some of the core things we need to do to become a mature council and shift our focus to more strategic objectives.”

The FASC’s first strategic plan, released last summer, outlined three pillars and their corresponding strategic objectives:

  • Standards, guidelines and practices for federal SCRM programs,
  • Information sharing, and
  • Stakeholder engagement.

Each pillar includes several statutory mandates and strategic activities to implement those requirements.

“I know a lot of people have been saying ‘what is taking so long to get stuff up and running.’ It’s incredibly important to get the processes right. We want to be risk based. When we go into exclusion and removal orders we want to make sure those processes are sound,” said Jon Boyens, a senior advisor for information security in the Information Technology Laboratory at NIST at the event. “Going forward, if folks look at the Secure Technology Act, the exclusion and removal order is a big piece, but we will start focusing on some of the other pieces like information sharing and the supply chain risk management practices and guidance to the agencies that are really asking for it, and how those agencies function with the FASC.”


Former OFPP administrators say new nominee must do these things to succeed

Biniam Gebre is an unknown commodity in the federal acquisition community. Basically when President Joe Biden picked the former appointee of the Department of Housing and Urban Development to lead the Office of Federal Procurement Policy, there was a collective “Who?” from current and former federal acquisition executives.

And on paper, Gebre has no discernible experience with federal acquisition beyond working for Accenture Federal Services. He majored in chemistry as an undergraduate and received his Master’s in finance and economics from Northwestern University’s Kellogg School of Management.

As these acquisition friends contacted me about the White House’s decision to nominate Gebre, it occurred to me that the similarities between him and former federal chief information officer Suzette Kent are striking. Like Gebre, Kent had no discernible experience to be the federal CIO. Her background, based on her LinkedIn profile and the biography provided by the White House, offered no real evidence she was qualified to be federal CIO.

But what we couldn’t tell about Kent was her understanding of people and how to get them to work together toward common goals.

Kent, as it turned out, was one of the top federal CIOs in the last 20 years, proving once again the old sports analogy that paper and stat sheets mean nothing when the game is played on the field.

So to help Gebre understand the field, the conference and really the league he’s about to join — assuming the Senate confirms him — Federal News Network asked former OFPP administrators to offer some advice and insights to help Gebre prepare for the “game.”

Responses came from:

  • Rob Burton, former OFPP deputy administrator and acting administrator from 2001-2008, and now a partner with Crowell & Moring’s government contracts group;
  • Joe Jordan, former OFPP administrator from 2012-2014, now CEO of Actuparo LLC;
  • Anne Rung, former OFPP administrator from 2014-2016, now senior vice president at Varis;
  • Angela Styles, former OFPP administrator 2001-2003, now partner with Akin Gump Strauss Hauer and Feld; and
  • Michael Wooten, former OFPP administrator 2019-2021, now vice president for National Industries for the Blind.

Michael Wooten is the former administrator of the Office of Federal Procurement Policy under President Donald Trump.

Federal News Network: Based on your experience, what were some of the areas that you saw as your biggest learning curves when you became OFPP administrator? How did you shorten the timeframe to learn what you needed to know?

Wooten: I came to the position without understanding how the budget side of the Office of Management and Budget worked, and I didn’t shorten that learning curve. There was the task of fixing the derailed implementation of Part B of Section 889, implementing sections of the CARES Act, all while we worked remotely. The next administrator should make it a priority to get to know the budget leaders, the principal associate directors (PADs) and deputy associate directors (DADs). Get the PADs and DADs to teach you about the budget process.

Jordan: The fastest way for an OFPP administrator to shorten the learning curve on almost anything is to seek the counsel of [current OFPP career staff] Lesley Field, Mathew Blum, Joanie Newhart, and the incredible career staff in the office. This is even, or maybe especially, true when dealing with the delicate balance of furthering the White House’s “social policy through procurement” priorities while also advancing the economy and efficiency of the federal procurement system. Almost every key stakeholder within the Executive Office of the President quickly learns about the president’s authority to issue executive orders that direct federal contractors to meet certain criteria, certify to various attributes, or exhibit a set of behaviors. While these can be very positive for the government and society, they also can come with significant costs to federal contractors, which can drive up prices for federal customers or harm the competitive dynamics of certain industries. Navigating these discussions without alienating any of the wonderful and committed colleagues, partners or stakeholders was the biggest challenge of the job.

Burton: I had an advantage when I moved to OFPP because of my 20 years of experience in DoD acquisition. Consequently, I was familiar with most of the laws and regulations governing federal procurement. However, I did not fully appreciate the influential role of OFPP. Someone told me to carefully read the OFPP Act before doing anything else. The OFPP Act is the law that established OFPP within the Office of Management and Budget in 1974. This was a great recommendation because I never appreciated how much authority the OFPP administrator has and the significant role OFPP plays in developing acquisition legislation, regulations and governmentwide procurement policies. Most importantly, the law allows the administrator to develop innovative solutions to address the many challenges facing the acquisition community.

Styles: Having been a government contracts lawyer for private industry before I started, I knew a lot of general information about the contracting process — what was working and what wasn’t working from the industry perspective. Still, I had to spend a good amount of time prioritizing administration initiatives, the needs of the government workforce generally and industry. The first month or two is a good time to soak in the issues and prioritize the focus of the office. Critical to that effort was relying on the OFPP staff to help with that effort. And it is also important to know when suggestions from staff or industry may need to be ignored.

Rung: I had to learn to navigate through the internal stakeholders, especially teams within the Executive Office of the President who may have interests and/or ownership of components of contract-related initiatives. I learned through trial-by-error as President Barack Obama issued contract-related executive orders and it required the participation of many internal teams to develop and execute on them.

FNN: What’s the best advice you received about being OFPP administrator from others in or out of government?

Burton: Several agency senior procurement executives and government contractors recommended that I routinely meet with industry associations and others to develop a better understanding of the practical problems both contractors and agency acquisition personnel face when implementing the regulations and policies developed by OFPP. As a result, I held quarterly meetings with various industry groups, which proved invaluable in addressing some of the serious problems confronting the federal acquisition system.

Anne Rung ran OFPP from 2014 to 2016.

Rung: I received endless advice and guidance from the experienced, wise and incredibly kind and patient OFPP team, many of whom have worked under many presidents and administrators. I also learned from former administrators who graciously offered their time and advice whenever I needed it. Stan Soloway, the former president of the Professional Services Council and Defense acquisition executive, was also a great mentor and adviser. I do recall one great piece of advice from my legislative team before testifying: “Make them like you and forget you.”

Wooten: The best advice I received was to understand my reality — I was confirmed over halfway through President Donald Trump’s term — do not try to “boil the ocean” … play to your strength to achieve a reasonable win, such as creating a vision for the acquisition workforce. However, my best advice to anyone taking the administrator’s post: Know your authorities and understand them better than your colleagues in leadership.

Jordan: The best advice that I received was to always take a breath when the stress of the role was at its peak; remember that the president appointed you to this role for a reason, and you need to stay true to your convictions to do the job and serve the president well. The other great piece of advice about serving in this type of role came from my friend Dean Koppel, a longtime senior leader of the SBA contracting policy office. Before my first of more than a dozen Congressional hearings, he told me:

  • You can never win a Congressional hearing — it is like arguing with your parents. So try to earn respect and then get out of there without anyone looking bad.
  • If you don’t know the answer to a question, don’t guess!

Styles: Do what is right for the taxpayer. It is their money and they are relying on us to spend it wisely; [there are] few more important missions. The second one was “if all sides are a little unhappy you are probably on the right policy track. You never want anyone to be too happy.” And I will say that I received a lot of bad advice: “Be a cheerleader,” “follow in the footsteps of Steve and Dee,” [and] “don’t make Congress angry, particularly Republican members.”

FNN: What are the one or two things you wish you’d known about being OFPP administrator before you took the job?

Angela Styles was OFPP administrator from 2001-2003.

Styles: How important all the career civil servants are to doing the job right. From OFPP to OMB to DoD, the job is impossible without them and without engaging them. Engage them early, get their ideas, seek their input on new policies.

Jordan: Well, I had already had a chance to work with the great OFPP and OMB team, so I had a pretty good idea about many of the role’s requirements. What I hadn’t fully grasped before arriving was how many different policy teams or offices look to federal procurement as the way to achieve their objectives. I wish I had been better prepared and more proactive in those conversations. For better or worse, there is infinitely more nuance to the job than simply trying to get federal agencies the highest quality goods and services for the lowest possible cost to the taxpayer.

Rung: I wish I had better understood the importance of developing internal relationships within the White House offices. I understood my role as head of the FAR Council and governmentwide acquisition councils, and my role as liaison with industry, but I didn’t understand the roles and responsibilities of other White House offices and how intertwined my role was with these teams.

Wooten: I wish I fully understood how to plan the “hand I was dealt.” What do you do when you have no procurement authority, a small but mighty staff with a far greater reach across government than I had, a big and powerful General Services Administration on the FAR Council, the Department of Defense juggernaut on the FAR Council, and a very slow FAR process? Answer: make friends in the West Wing. If confirmed, the 16th administrator will have time, and he will have the ability to build relationships that can help balance the political equation. Also make friends amongst OMB’s budget leadership, the “PADs and DADs.”

Burton: Since I was a federal career executive, I did not fully appreciate the role of politics in the development of procurement regulations and policies. Politics probably plays too much of a role in forming OFPP’s priorities and acquisition reform initiatives. In this regard, it is important for the OFPP administrator to rely on the outstanding career executives and professionals who work at OFPP. I found the staff to be invaluable in helping shape the president’s acquisition agenda and priorities for the benefit of the American taxpayers. Generally speaking, good procurement policy should be devoid of politics.

FNN: If you could put one item on his high-priority to-do list, what should he tackle early on in his tenure?

Burton: I think it is critical for him to issue a policy memorandum that shows strong support for better communications between agency acquisition personnel and contractors. This should be a high priority for the Biden-Harris administration. Since I left OFPP and started working in the private sector, I have witnessed first-hand the serious problems that arise simply because of a lack of communication between the government and private sector contractors. Without question, robust communications and transparency will result in better market research, improved agency solicitations and statements of work and fewer bid protests and contract disputes. With very little effort, improved government-industry communications will result in significant cost savings and a more efficient acquisition system.

Rung: I will leave that important task to the next administrator, but the key is to clearly and often communicate that priority to galvanize the workforce and other key stakeholders (but understand that you will never achieve 100% alignment and consensus on any priority initiative). Don’t get bogged down with too many priorities — stay focused.

Wooten: There is a big win available in adjusting the system of e-commerce portals so that small business spend can be managed and accelerated in a way that is fair to small businesses. This approach can help him achieve the Biden administration’s goals of doubling the small business spend, and he can achieve this doubling without killing category management thereby driving up the cost of buying.

Jordan: I will let administrator-nominee Gebre decide that with the president and their great team. And I would only suggest that the ways to make those priorities come to fruition are communicating and working with all sides of the issues as much as possible. There are a lot of people out here rooting for him to be successful in this important role!

Styles: Establishing substantive credibility. It can be through speeches and meetings, but people need to know the person and their commitment to the job.


Idea to reduce the number of CIOs per agency reemerges

Rep. Darrell Issa returned to Congress in January after a brief two-year absence. The California Republican, who was once the chairman of the Oversight and Reform Committee, didn’t take long to jump back on the “one CIO to rule them all” bandwagon.

About 93 minutes into the latest hearing on the Federal IT Acquisition Reform Act (FITARA), of which Issa is a co-author, he went on a 2:06 soliloquy about why agencies need one person with the title chief information officer.

“Isn’t it time for us to consider looking at stringing together this network of CIOs and, particularly as it relates to cyber, into a single point of accountability? Similarly to the Office of Personnel Management or Office of Management and Budget or any other cabinet head, isn’t it time that the government operations, which is our committee, look at a reorganization that takes that $100-plus billion and creates at least one person accountable directly to the president who has the expertise and the vision to bring together these disparate entities that are spread across the government,” Issa asked the Government Accountability Office’s Carol Harris, the director of IT and cybersecurity issues. “I would ask the chairman to task GAO with some further study on that for the committee.”

Rep. Gerry Connolly (D-Va.), chairman of the Government Operations Subcommittee and co-author of FITARA, piled on about the number of CIOs across the government. He reminded the subcommittee that back in 2012 there were at least 250 people with the title CIO across the government.

In 2012, when Connolly and Issa first introduced this idea of having one person with the title CIO per agency, it was disconcerting, maybe even a bit abrupt.

“Both Mr. Issa and I reflect on our private sector experience and look at the federal government and say this is a system that can’t possibly work with that many people with that title,” he said. “We hoped there would be an evolution that somebody would emerge as the ‘primus inter pares,’ and the reason we emphasized this solid line [to the secretary] is because of this proliferation. Someone has to be in charge. Someone has to be designated as the responsible and accountable person who is empowered to make decisions. In bureaucracies, if you don’t report to the boss, everybody knows everything you have to say is ‘ad referendum.’ That is what we are trying to get at. If there is a better way to get at it, we’d like to hear about it.”

In the end, FITARA didn’t mandate having a single CIO per agency, but Connolly and Issa haven’t given up on that idea.

And nine years later, maybe it’s time to relook at that concept.

Back in 2012, only the departments of Interior and Veterans Affairs had consolidated the CIO titles down to one. The Department of Agriculture followed suit and has been living under this construct.

Interior made the changes in 2010, before FITARA was even an idea, and USDA in 2017 went from having 22 people with the title of CIO down to one.

While few, if any, other agencies followed suit, there is no clear evidence that Interior and USDA are better or worse off due to this change.

At the same time, Issa and Connolly’s argument, today as nine years ago, makes more sense than ever: with ever-growing cybersecurity threats, and with non-technology leaders truly recognizing how dependent their agencies are on hardware, software and infrastructure, maybe it’s time to consolidate the number of people with the title CIO.

“Congressman Issa is very interested in building off what we’ve learned since the enactment of FITARA, as well as utilizing that knowledge to push for further modernization and improvements. As more data is collected, it’s important for agencies to be working together to ensure they’re not duplicating efforts,” said an Issa spokesman in an email to Federal News Network.

Federal News Network asked four former CIOs in the federal government for their thoughts on Issa and Connolly revving up the “one CIO to rule them all” bandwagon.

Responses came from:

  • Karen Evans, former CIO at the departments of Energy and Homeland Security and at the Office of Justice Programs in the Justice Department, and former administrator for IT and e-government at OMB (Federal CIO).
  • Simon Szykman, former Commerce CIO and now senior vice president for client growth at Maximus.
  • Malcolm Jackson, former CIO at the Environmental Protection Agency and now principal director for CIO advisory services at Accenture.
  • Rajive Mathur, former CIO at the Social Security Administration and now partner and associate director at the Boston Consulting Group.

Federal News Network: Is it a good idea to have one person with the title CIO for each agency? Why or why not?


Evans: During my first appointment as the CIO of the Department of Energy, the secretary and senior leadership (deputy secretary, chief of staff and CFO) supported this approach and program offices’ CIOs were retitled. There was only one CIO for the department. The secretary clearly stated there was only one CIO and I reported to him. It worked to streamline and get a handle on the investments, and the partnership with the CFO made the implementation possible. I do think having one CIO for cabinet departments is a good idea, because it is the departmental CIO whom Congress holds accountable (which is why the FITARA Scorecard is still measuring CIO authorities). Ultimately, it is the head of the agency/department who is responsible for the performance of their department and he/she should have flexibility on the management structure they need to be successful, because this will get to those who are dual reporting, such as DHS where the CIO reports both to the secretary and the undersecretary of management. The person appointed into these situations, such as DHS and State Department, should be able to have the skill set to make this arrangement work to accomplish the goals of the administration and the secretary.

Szykman: On the surface, the idea of having only one person with the CIO title at each agency appears to be aligned with the idea of empowering CIOs to more effectively manage an agency’s IT investments. But in reality, changing or eliminating titles does little to empower an agency CIO if it’s not also accompanied by other organizational, management or policy changes to accomplish that goal. Many cabinet-level agencies are federated organizations with sub-agency components that have their own independently requested and managed budgets, and their own CIOs who report to sub-agency leadership. Historically, one of the challenges faced by top-level agency CIOs is a lack of visibility into, and ability to influence, both budgeting and spending decisions at the sub-agency level. A shift to having only one person with the CIO title can be impactful if it’s made in conjunction with other policy changes, but without also addressing those structural issues, merely stripping the sub-agency CIO of that title could result in a superficial measure that doesn’t necessarily fix the underlying shortcomings.

Jackson: Yes, in my opinion it is a good idea to have one person with the title of CIO at each agency. Having one CIO enables an agency to drive a common approach for technology on such topics as: strategy, operational optimization, technology modernization, cyber resilience, workforce transformation, digitization and service delivery. It also ensures resources can be optimized in a cost-effective manner and best positions an agency for success. Having multiple CIOs can sometimes make it more difficult for an agency to properly align limited resources against the highest priorities.

Mathur: First of all, I am surprised why this question is even being asked! One person with the title of CIO is critical to the success of any agency’s mission and that role should report to the head of the agency. Enabling technology, and more notably, digital technology, is an asset that should be front and center to the C-suite and the head of the agency should consider how he/she can use all the assets at their disposal to meet the agency’s mission in serving taxpayers.

FNN: From your experience, what are some potential unintended consequences of this change?


Jackson: Due to the size of some of the federal agencies, one CIO may not have as deep of an understanding of the needs of every sub-agency or bureau. This could cause a mission area to feel as though their needs are not being met. One of the biggest unintended consequences is a mission area going outside the IT organization for technology capabilities. In the past, you have seen this happen in what has been termed as “shadow IT.” A successful CIO needs to take the time to build relationships and learn the needs of all mission areas of the agency. There may be a case where shadow IT can be used to pilot innovation. But managed incorrectly, shadow IT can lead to capability duplicity, increased cost, and present cyber risks to the agency.

Mathur: The role of the central CIO should not be as a gatekeeper to technology, but an enabler for the business to use technology. I viewed my role as CIO at SSA as a general contractor for technology for my business customers, where I would and should be able to lay out the possibilities (the options) to solve the business needs. The options I present should balance technical strength with speed to market and the needs of the business. The options I, as CIO, should present could be to buy/outsource to a vendor or build your own. And the build-your-own model doesn’t have to be “stick built” in the parlance of residential housing construction; it could be modular or prefabricated using low code, no code solutions. In modern software development, the business needs to be presented with credible options and that’s the job of the trusted CIO/GC. By putting in place the right technology and process infrastructure, a modern centralized CIO shop should, for example, be able to accelerate development by allowing business to develop applications using low code no code. This citizen development model is one that we set up at SSA using a well-known low code platform.

Szykman: One unintended consequence of this change is the potential impact on the ability to recruit the most highly qualified IT executives into CIO roles. Among the cabinet-level agencies, it is not uncommon for one or more sub-agency components to have annual IT budgets in hundreds of millions of dollars, sometimes even above the billion dollar level. It is important for the senior-most IT executive in such a role to have an appropriate level of experience managing budgets, organizations, systems and services. Many of the most highly qualified candidates for those roles will come from the ranks of existing CIOs, from both inside and outside of the federal government. It may be a challenge to recruit highly seasoned and experienced CIOs into a position that has a non-CIO title, such as associate CIO, due to the perception that it may be a step down from their past or current roles.

Evans: It is a change management issue and there are some large components who will make the argument they should have their “own” CIO. However, they are a component organization. The head of their organization works for the secretary who works for the President. The concern many component organizations feel is that their priorities are not going to get done because they are competing with the department. Additionally, previous legislation provides exemptions, for example, national security systems, as well as focuses on “information technology” systems, which causes a separation and stove piping of the security for the department and/or agency. The risk management profile needs to include all systems (IT/OT and associated authorities) in order to properly “protect, detect and defend” their enterprise.

FNN: What would be some of the benefits of this change?

Szykman: With the right structural changes relating to elevating agency CIO empowerment, this change certainly could help make a more unambiguous statement about who in an agency has the ultimate responsibility and accountability for managing IT-related tradeoffs and risks, and optimizing the expenditure of IT resources, not only within a sub-agency component but across the entire agency IT portfolio.

Rajive Mathur is the Social Security Administration’s former deputy commissioner and chief information officer, and now a partner with the Boston Consulting Group.

Mathur: The primary reasons for a single technical leadership are: operational consistency, cost avoidance, cybersecurity and employee/customer experience. Most agencies have complex missions with many operating units which seek to deliver public services through a variety of delivery channels — phone, in-person, online, and even by mail. They also have similar technical and operational needs. Examples of common needs may be workflow systems, technologies to communicate with external advocacy groups, vendor payment technologies, in-office visitor management systems, and many others. Hundreds, if not thousands of managers and employees with staffs have unique roles and geographies, but similar needs that could be consolidated. The underlying information, business rules, and even security that is required for service delivery should be consistent across channels and the CIO’s role should be to identify patterns, develop and implement approaches which are robust across the agency.

Jackson: One CIO can provide clear leadership messages that support an agency with identifying technology needs based on mission criticality and then cascade across the enterprise to ensure the most important projects are funded and being prioritized.

Evans: Consolidation, modernization, reduction of duplication, leveraging existing investments and expertise would accelerate implementation of initiatives. It would assist the department to move as an “enterprise” and it would be beneficial especially as it relates to the risk posture of the department and managing the cybersecurity posture for the department. Additionally, it would benefit the Cybersecurity and Infrastructure Security Agency (CISA) at DHS because they would streamline who they would work with in order for them to accomplish their mission regarding the management of federal networks. There are just not enough people to duplicate functions and the resources should be leveraged to achieve the maximum outcomes.

FNN: What should lawmakers keep in mind as they start down this path once again of considering requiring one person with the title of CIO per agency?

Evans: Regardless of title, it takes the secretary and leadership of the department to recognize their role and support the CIO going forward. The CIO has to have the right skills to make it happen and meet expectations.

Jackson: Lawmakers should ensure they give agency CIOs the power to make decisions and not be marginalized by having them report to a level below the agency lead. Today, this is the case for some federal CIOs. Technology is too important to not be a priority of the agency leader. Consider, for example, how CIOs responded during the COVID-19 pandemic, as well as the spate of recent cyber-attacks. For some, it may have been the first time an agency lead was briefed on telework and cyber capabilities. Technology is critical to an agency’s mission, and the CIO needs to be appropriately positioned to be successful.

Szykman: A change like this shouldn’t be undertaken without considering the impact on recruiting — specifically the ability of sub-agency components to recruit the best talent from inside and outside of government into a position that demands proven CIO experience, but at the same time does not offer candidates the title of CIO. And more importantly, the underlying structural problem that creates a variety of obstacles to more highly effective management of IT in government is not one of titles, but rather of authority, accountability, visibility and influence. Accordingly, changing titles will likely not produce the intended outcomes unless it is done in conjunction with other measures that address those other factors.


When it comes to the data center debate, time to fish or cut bait

Beyond the opening statements, the most recent hearing on the Federal IT Acquisition Reform Act (FITARA) scorecard focused little on the grades themselves.

The hearing reminded us, once again, that the news rarely comes from the stated reason a hearing or event was convened in the first place.

There were plenty of good tidbits that came from the 97-minute hearing. We could focus on the fact that the committee called chief information officers from both the Small Business Administration and the Social Security Administration and all but ignored them.

Outside of his opening statement, Sean Brune, the SSA CIO, spoke for a whopping 2:32, while Keith Bluestein, the SBA CIO, took up another 2:31 of time.

It makes no sense for lawmakers to call these executives and not ask them questions.

I’m sure Brune and Bluestein were just fine with the little attention they received, but it seems like a lost opportunity by the subcommittee.

We also could dig deeper into a new bill Rep. Gerry Connolly (D-Va.) is writing to improve the federal internship program and help address long-standing federal IT workforce shortcomings.

While both of those tidbits are interesting, there isn’t much there.

So here are three takeaways from the hearing you may have missed and that matter to the federal IT community.

Time has come to end the debate

After eight years of debate, it’s time for Reps. Gerry Connolly (D-Va.), Katie Porter (D-Calif.) and the other members of the Oversight and Reform Committee to fish or cut bait when it comes to data center consolidation.

The other saying about “getting off the pot” may be more appropriate here, but we are a somewhat civilized news organization after all.

No matter how you say it, Connolly and his friends have been complaining about the Office of Management and Budget’s definition of a data center for the better part of eight years. And twice a year at the hearings on the FITARA scorecard, they raise their voices, make threats and promise to hold OMB accountable.

And then it’s Groundhog Day all over again.

At the most recent FITARA scorecard hearing, the day played itself out once again with Porter pressing the Government Accountability Office over how agencies face increased cybersecurity threats because of the imprecise definition of a data center that doesn’t include non-tiered facilities.

Connolly piled on, threatening legislation to force OMB to have what he and the committee believe is a more accurate definition of a data center.


“This subcommittee will insist with the letter of the law being complied with,” Connolly said. “When we pass a law, we expect it to be complied with. The time to argue is while we are debating that draft legislation, not after it becomes law. The fact we have had 12 hearings on this subject all about compliance with the law, no other committee in Congress that I’m aware of has done that. I hope that demonstrates our determination that this happens. We see ourselves as your partner, but we are going to insist the various components of FITARA that Mr. [Rep. Darrell] Issa (R-Calif.) and I wrote be complied with. We are prepared to pass more legislation on a bi-partisan basis, if necessary.”

Like a good soldier, Clare Martorana, the federal chief information officer, promised to work with the subcommittee and continue the conversation. It should be noted, however, that she made no commitment to change the definition.

To be clear, Martorana is inheriting this problem and debate, which started under former Federal CIO Steven VanRoekel in 2013 and continued up through 2019 when former Federal CIO Suzette Kent released the most recent data center policy.

Despite this definition disagreement, agency progress has been clear. GAO’s Carol Harris, the director of IT and cybersecurity issues, highlighted how agencies have saved or avoided spending more than $7 billion from the data center consolidation and optimization initiative since 2015. She said, however, OMB needs to relook at the definition.

“We do want to keep track of some of the non-tiered data centers, particularly the fairly big ones…and make sure they are following the requirements of the DCOI initiative and are subject to the reporting requirements associated with that initiative,” Harris said.

After eight years, the time for threats and complaining should be over. Connolly and Porter should either introduce legislation to force the definition change or stop complaining about it. Eight years of this debate is enough.

Working capital fund stock rises

The subcommittee didn’t spend much time at the most recent hearing talking about the piece of the Modernizing Government Technology (MGT) Act that has the potential to truly change the trajectory of agency IT modernization efforts—working capital funds.

The scorecard showed about half the agencies are meeting the goals of establishing a working capital fund or planning to have one to save “leftover” money and put it toward IT modernization. Three agencies received “A” grades and 10 received “B” grades.

For those agencies who aren’t quite on board yet with a working capital fund, take a moment to understand its impact on the Small Business Administration. SBA was one of the first agencies to set up a WCF, receiving Congressional authority in 2020. SBA says in its fiscal 2021 budget request it expects to have $4 million in 2020 and another $2 million in 2021 in the fund.

Keith Bluestein, SBA’s CIO, explained to the committee how having a working capital fund has made a huge difference for the agency.

“While this is still a relatively new capability and will mature over time, the IT WCF allows SBA to have a long-term vision for modernization and change with a managed resource pool to ensure that vision can be realized. Words are inadequate to express the relief this provides the CIO in responding to various changes that occur over the course of a given fiscal year,” he said. “While our fund is young, it provided the agency with additional flexibility to adapt to emerging needs. This tool helped bolster FITARA even further by strengthening the collaborative bond the CIO has with the CFO to execute the agency’s mission. MGT was a welcome adjunct to FITARA and has allowed SBA to better plan and resource expenditures on a multi-year horizon.”

SBA is using the funds banked in the WCF to modernize its infrastructure, to unify and enhance its customer experience tools internally and externally, to update its support technology for small business certification programs, and to improve the systems that manage entrepreneurial development and learning.

Bluestein said SBA used money from the WCF to accelerate the initiative to upgrade the Entrepreneurial Development Management Information System (EDMIS).

“The IT WCF allowed us to allocate the resources effectively over a multi-year horizon, which ensured the stability of the project from inception to delivery at the end of June this year,” he said. “This is a huge success story for the entrepreneur community as the new tool can provide rapid reporting and analysis of data for actionable decision making which previously took months. The tool allows data to come alive and enables our investors in America’s small business to take quick action and identify emerging opportunities. This capability is a small business game changer and was directly enabled by the MGT Act and the cross-agency collaboration driven by FITARA.”

This is exactly what lawmakers had in mind when they approved the provision in the MGT Act: letting agencies put money that otherwise would’ve been returned to the Treasury toward underfunded IT projects.

SBA, and most recently the Office of Personnel Management, are among the only agencies to receive approval from the appropriations committee to set up an IT WCF. Connolly and others believe agencies do not need approval from their appropriations committee to set up the fund. But several agency general counsels, including the U.S. Agency for International Development, the Education Department and others, have determined approval is necessary.

Sen. Maggie Hassan (D-N.H.) and Connolly promised to introduce a technical amendment to address the confusion.

It’s clear that technical change can’t come soon enough.

4 priorities of the new federal CIO

Beyond a few speaking engagements, Martorana used her first time appearing before Congress to lay out four priorities.

There isn’t anything surprising here, but it’s good to know given she stayed under the radar during her time as the CIO at the Office of Personnel Management.

You can read all about them in more detail in her testimony, but here is the shorthand version:

  • Investing in the present—Using the Technology Modernization Fund to address immediate needs across the government.
  • Investing in our people—Upskilling and reskilling current federal workers as well as recruiting the next generation of technologists.
  • Transitioning to enterprise collaboration and a product mindset—Take on a user’s mindset and organize around those users and services, and not around information systems.
  • Embracing innovation in policy development—Refreshing the way OMB and the CIO Council develop and implement technology policy.

“My priorities shared today outline the investments, the people and the focus that are critical to the end goal: delivering secure information technology across government and high-quality services to the American people. Technology is the underpinning of everything the government accomplishes,” she wrote in her testimony.


While none of these four are surprising, let’s focus on the fourth item around policy development.

Martorana said she wants to rethink the approach to federal IT.

“We must identify new ways of working across government, such as developing playbooks that build on what we know already works, collaborate more frequently with key stakeholders to focus oversight with the work being done today, and rethinking how we are working in the Office of the Federal CIO, such as pairing technologists with policy experts at the beginning of the effort to develop innovative technology solutions within our laws, rules and regulations,” she told lawmakers. “We must optimize for results, not optics. We need to show, not tell and deliver on mission.”

Martorana offered more details in her written testimony on this idea of pairing policy experts with technologists.

“By integrating delivery experts with policy experts and working together at the beginning of this process, we can test new ideas and help propel IT modernization across the government,” she wrote. “We must raise government technology standards and practices to those of the private sector, and rely on open-source technologies, modern security practices, and pressure-tested solutions already in place. By embracing innovation and translating it into modern and secure policies and experiences, agencies will be best positioned to deliver best-in-class services for the American people.”

Martorana is building on the efforts by the previous two federal CIOs — Tony Scott and Suzette Kent — who made it a habit of releasing draft policies to not only agencies, but industry too. They both believed in the idea that more feedback is better.

Martorana seems to be taking this one step further. While she hasn’t specifically said she will continue to release draft policies to the federal community, bringing technology experts to the table will provide a similar result.

Mark Forman, the former associate administrator of e-government and IT for OMB — and really the first federal CIO — during the administration of President George W. Bush, wrote about this concept on LinkedIn. He said he was disappointed lawmakers didn’t focus in on this priority during the hearing.

“In particular, updating the IT governance policies by bringing together technologists and IT policy analysts will have a profound effect on implementation of the existing body of laws regarding agency IT spending, cybersecurity, acquisition and management,” wrote Forman, who is now the executive vice president at Dynamic Integrated Services. “This is an exciting initiative that will impact legacy IT providers, the federal IT workforce and agency modernization efforts. I hope Clare and her team can make progress in resolving chronic federal IT problems.”

As Forman and many others know, fixing these chronic problems will take a lot more than new policy, but getting the right foundation in place is an important start. Kent began the process by removing outdated policies and improving others. Martorana can build on that legacy by recruiting technologists who understand how government works and aren’t afraid to take smart risks.


56 federal financial systems nearing end of life puts Treasury on fast track to get shared services right

The Bureau of the Fiscal Service laid out its most complete vision to date of what the future of financial management shared services will mean to agencies and vendors alike.

The second request for information, released in June, outlined the role of the Quality Service Management Office (QSMO) and how it intends to strike the right balance between standardization and flexibility.

Matt Miller, the acting commissioner for the Bureau of the Fiscal Service in the U.S. Department of the Treasury, said there is more “meat on the bone” around the core financial system baseline capabilities as well as potentially other types of offerings from the QSMO marketplace.

Source: Treasury QSMO request for information from June 2021.

“We’re looking for the commercial providers to bring those modern, configurable service-oriented software solutions that will hopefully help the government and agencies reduce some duplicative technology footprint as well as maybe reduce some of the burden for agency CFOs and their folks to not have as much to do when it comes to maintaining software and technology,” Miller said in an interview with Federal News Network. “The underlying premise is standardization and reuse. Where can you leverage things that are common, rather than creating and building customer unique services? I think that one of the key areas of distinction in this approach moving forward, that we think will really be beneficial, is much more of a focus on the customer and the customer experience. That’s one of our guiding principles.”

It’s a guiding principle learned after more than 15 years of fits and starts to get agencies to move to financial management services.

Started during the administration of President George W. Bush, financial management shared services has been a goal of the Office of Management and Budget under three administrations. There have been a few successes, such as the Department of Housing and Urban Development moving to Treasury’s ARC. There have been plenty of failures too, like the Veterans Affairs Department’s unsuccessful move to the Agriculture Department’s National Finance Center or the Labor Department’s disastrous attempt with a private sector provider.

Initial launch coming late 2022

Ann Ebberts, the CEO of the Association of Government Accountants (AGA), said these latest efforts by Treasury are steps in the right direction.

“Looking across the government over the years, there have been a number of initial tries at implementing new financial management systems. We’ve heard the stories that the efforts were taking too long or the product didn’t work the way agencies wanted it to,” Ebberts said. “Treasury is identifying the capabilities needed and I think taking a more straightforward approach should go a long way to identify standard processes and data. Treasury is trying to get the customer involved and getting agreement on how the system or processes should work and what processes should be provided or supported. They are not creating this from whole cloth. Sometimes it’s just a matter of putting the right people together to describe the pros and cons.”

Miller said the two RFIs and the dozens of meetings with industry and agencies have been about getting the right people together and informing the QSMO’s plan to launch its initial marketplace offerings in late fiscal 2022. To be clear, the QSMO will be a broker or organizer of services. It will not provide any services itself.

“One of the key distinctions that we’ll see in this marketplace, as opposed to the most recent marketplace under the most recent initiative that spawned from OMB memo 13-08 a few years ago, is the result of OMB memo 13-08 created a federal only and a provider-centric marketplace. There were the four designated federal providers, and they all brought to market or brought to bear a standard solution. They were solid solutions, but there wasn’t as much flexibility and there wasn’t as much of an ability for the commercial providers to interact directly in the marketplace as well,” he said. “Now what we’re looking at is a marketplace that will allow interaction with both commercial and federal, but still trying to allow that flexibility and choice, but incorporating the standards into the solution.”

Miller said the previous shared services approaches were less customer-centric and more system-centric.

Matt Miller is the acting commissioner for the Bureau of the Fiscal Service in the U.S. Department of the Treasury

“With this marketplace, we will have a combination of commercial and federal providers and much more of a customer-centric marketplace. We’re taking the good from the past in initiatives and shared services, and then building on it with some of the lessons learned,” he said.

The need to modernize agency financial systems isn’t new, but it took on a bigger imperative when the QSMO surveyed agencies last year to create a baseline understanding of the market.

Miller said the QSMO asked about the current system provider, whether the applications are hosted in the cloud or in data centers and other details that will help them shape the marketplace offerings.

“Even excluding the Defense Department, what we found out is that today, there are in place 56 separate installations of core financial systems, and half of those are going to be in need of either a major upgrade or some sort of acquisition or action to extend their life beyond 2025. So just four years away, half of the agencies are going to be facing some sort of modernization need. Also 60% of those systems are hosted on-premise today,” he said. “The results of that data call did a couple things. Number one, it helps us understand which agencies might have the more time sensitive needs and where we need to focus our partnership with agencies on to try to prioritize adoption in the marketplace. But also, it definitely underscored the importance of and the need and the value of this marketplace, well in advance of 2025. It really helped validate, and confirm the criticality of the need of establishing this marketplace as quickly as possible.”

The move to shared services is never fast, nor easy. That’s clear from what agencies have been through over the last 15-plus years.

Acquisition strategy in the works

But it’s also why Treasury isn’t going at this alone. Miller said they are partnering with the General Services Administration to create an acquisition strategy that will lead to the initial offerings next year.

“This is going to be a complex acquisition approach that we need to figure out. We need to be creative and innovative. In trying to work out what that acquisition approach is, we’ve got some end goals in mind. From an agency standpoint, we want this marketplace to be easy to access, easy to navigate and easy to consume the services that are needed from that marketplace. We need to think about that in the acquisition approach,” Miller said. “From an industry standpoint, we want to make sure that whatever approach we use to build this marketplace allows for competition, that it allows for innovation and that it allows for on-ramps and off-ramps over time for different providers. There’s a lot of careful thought and consideration into trying to nail down what’s the right acquisition approach, then executing that acquisition approach is going to take certainly many months to do so.”

Miller said the QSMO and GSA should have a better idea later this summer of the acquisition strategy and release it to the public.

AGA’s Ebberts said the other challenge the QSMO must face is with the workforce and the need for financial managers and others to understand how to manage shared services and work with the data that comes from these systems.

She said AGA’s Certified Government Financial Management program is addressing the need to upskill and reskill the workforce as the QSMO finalizes its approach.

Like many initiatives, the financial management QSMO is going to evolve.

Miller said the QSMO will continue to talk and listen to industry and agency customers as it develops its current strategy and future ones.

“We envision the marketplace will have both federal and commercial service providers. We envision that the marketplace will provide agencies with flexibility and choice, but the flexibility and choice will be of standards-based solutions. And the kind of the marquee aspect, or the centerpiece of this, is we envision the marketplace will be modern, cloud-based, service-based core financial management software solutions,” he said.

And of course, he hopes if the QSMO builds it, the agency customers will come and forget about the past struggles.


HUD, OPM gain new technology executives, CBP losing its CISO

There still are five major agencies without a permanent chief information officer. Among them are the Defense Department, the Transportation Department and the Office of the Director of National Intelligence.

That number was seven as of late June. But over the last few weeks, the Department of Housing and Urban Development and the Office of Personnel Management filled those key technology roles. In case you missed it, HUD named Beth Niblock, the former city of Detroit CIO, to lead its technology modernization efforts. And just last week, OPM removed the “acting” title from Guy Cavallo and made him its CIO. He had been acting since March when Clare Martorana moved from OPM to be the federal CIO.

These are among the most significant changes in the federal technology and acquisition community over the last few months.

But before we go deep into the state of agency CIOs, or for that matter, asking the Biden administration why it’s taking them so long to nominate an administrator in the Office of Federal Procurement Policy, let’s focus on a big loss for the federal IT community.

As a side note, the Obama administration took until October 2009 to nominate Dan Gordon and the Trump administration took more than two years before nominating Michael Wooten.

But that’s a story for another time.

The big news is that Alma Cole, the chief information security officer for the Customs and Border Protection directorate in the Department of Homeland Security, is heading back to the private sector after a four-and-a-half year second stint with the agency.

Cole confirmed to Federal News Network that he’s taken a position as senior deputy CISO for Caterpillar, Inc., a global information services company, and he will be working under CISO Eric Sporre, a former FBI special agent and assistant director of the FBI’s Insider Threat Office.

Alma Cole, CBP’s chief information security officer, is heading to a new role in the private sector.

“I’m very proud of all we have accomplished at CBP over the last four-and-a-half years of building our security program. It is now easily one of the best in DHS and government overall, and we have played key leadership roles in the department’s security operations optimization strategy, the establishment of common DHS-wide security orchestration, automation and response (SOAR) capability, the transformation of [the] continuous diagnostics and mitigation (CDM) [program] into a data-centric instead of a tool-centric approach, the establishment of a meaningful data loss prevention and insider threat program, the implementation of an advanced, mission-focused cyber threat intelligence program, the modernization and refinement of CBP’s identity management program, and more,” he said in an email.

Cole said Scott Davis will be acting CISO at CBP. Scott has been the deputy for the past year and was previously CISO at the Labor Department.

“CBP is in great hands with Scott,” he said. “I’m relocating to Irving, Texas, where Caterpillar is building out its IT footprint, and am greatly looking forward to joining its world-class security and IT operations team.”

Before returning to CBP in 2017, Cole worked at Robbins-Gioia and spent five years at DHS and CBP.

Back to the CIO shuffle

If you missed the news of Niblock coming to HUD, it wouldn’t be surprising.

She quietly assumed the role in July after spending the last seven years running Detroit’s IT organization. During her career, she also was CIO for the Louisville, Kentucky, Metro Government.

Niblock takes over for David Chow, who was HUD’s CIO for the previous two-and-half years.

She inherits an agency that is in the middle of a major transformation. HUD’s IT budget, at $447.1 million in fiscal 2021, is up by $130 million over the last five years. HUD requested slightly less, $437 million, for next year.

Beth Niblock, former city of Detroit CIO, was named HUD CIO.

According to the Federal IT Dashboard, HUD is struggling to keep its projects on schedule with 55% meeting their goals. The agency’s largest project is upgrading its single family housing application, which includes mortgage insurance on loans, at $65 million.

HUD also received a loan from the Technology Modernization Fund to move away from five legacy mainframe systems that support three legacy single-family/Federal Housing Administration (FHA) applications.

The initiative is facing schedule challenges, according to the TMF website. HUD initially received approval for a loan of $20 million in 2018 and received about $13.5 million so far.

Among Niblock’s biggest challenges will be the amount of technical debt HUD carries in its mission critical applications and making a decision around the future of its IT infrastructure effort. Former CIOs have been trying to move off of the HITS contract, awarded in 2005 to two system integrators to create a managed service offering. HUD faced protests of a new blanket purchase agreement for IT infrastructure support services back in April 2020, and it’s unclear what the state of that effort is today.

Similar to Niblock, Cavallo inherits an IT organization in the midst of a transformation.

OPM’s progress, particularly since the massive 2015 data breach, mostly has been under wraps. Martorana testified during a Federal IT Acquisition Reform Act (FITARA) hearing in August 2020 about the progress OPM has made and shed light on some changes, including the move to Microsoft Windows 10 and the move of mainframe technology to a commercial data center.

Cavallo, who previously was the deputy CIO at the Small Business Administration before coming to OPM in September 2020, became acting CIO in March. He inherits a $125.3 million IT budget this year and a request of $140.9 million for next year.

According to the Federal IT Dashboard, OPM is meeting most of its goals around cost and schedule with 83% of all projects meeting cost goals and 70% of all projects meeting schedule goals.

Among Cavallo’s biggest projects is the seemingly never-ending effort to modernize the retirement services system. Attempts to modernize that system have failed at least four times over the last 20 years.

One of Cavallo’s initial projects will follow the same playbook he was a part of at SBA, which means moving as much of OPM’s infrastructure and services as possible to the cloud. For example, OPM is implementing cloud-based cybersecurity tools.

While at SBA, Cavallo and his team reduced the number of tools SBA had to manage as part of the cybersecurity modernization effort, using 100% of the functionality of each remaining tool instead of 5-10% of the functionality of 38 separate tools.

SBA also showed how the Trusted Internet Connections (TIC) and continuous diagnostics and mitigation (CDM) programs could be done in the cloud. SBA proved to DHS and the Office of Management and Budget that the outcomes were the same using cloud tools as compared to on-premise tools.

Prior to joining SBA, Cavallo returned to the federal government from the private sector and served as the executive director for IT operations at the Transportation Security Administration (TSA), where he oversaw the worldwide technology and telecommunications infrastructures, operations and support for more than 65,000 TSA staff.

Prior to TSA, Cavallo served as a senior government advisor at Microsoft for over nine years.

USDS lands expert; two formers find new roles

Another change you may have missed is acquisition expert Frank McNally joining the U.S. Digital Service as a digital services expert and acquisition strategist in early July.

McNally, who started his career as a contracting officer with TSA, worked for the past six years at the Public Spend Forum as its director of learning and content development.

According to the USDS, an acquisition strategist helps agencies “make buying digital services for the government more efficient and effective. Often, agencies don’t have the capacity or expertise to build their own digital services, so they partner with technical experts outside the government. From jumping in on short discovery sprints to acquisition strategy across product portfolios, our biggest strengths are in market intelligence, innovating on evaluation methods, and creating contracts that focus on results over requirements.”

McNally likely will be one of many new hires at USDS. The organization inside OMB received $200 million in the American Rescue Plan Act, in part, to expand its services with new expertise.

Two former federal technology executives found new homes.

Margie Graves, the former deputy federal CIO and deputy CIO at DHS, joined the IBM Center for the Business of Government as a senior fellow and as a digital strategist for IBM’s federal services team.

Margie Graves joined the IBM Center for the Business of Government.

“As a senior fellow, she will focus on research, public speaking, and writing across a broad range of technology and data issues including cloud computing, analytics, emerging technology, and cybersecurity,” wrote Dan Chenok, the center’s executive director in a July 19 blog post. “Margie’s work with the center will be informed by her experience and expertise related in part to improving the way government delivers results and technology services to the public.”

Graves left federal service in December 2019, after more than 18 years in government, including three-plus at OMB.

Over the last 18 months, Graves led her own consulting firm and was a visiting fellow for the IBM center.

Rick Driggers, the former assistant director for the Integrated Operations Division at the Cybersecurity and Infrastructure Security Agency (CISA), joined Accenture Federal Services, where he will continue to focus on cyber issues, particularly within the critical infrastructure sector.

He left CISA earlier this month after almost 17 years at DHS, including the last 10 with CISA and its predecessor the National Protection and Programs Directorate.
