Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

The story of how one small business is barely hanging on to its hopes of winning a spot on NITAAC’s CIO-SP4

The $50 billion IT services and software procurement known as CIO-SP4 reached new lows on July 19 with the National Institutes of Health IT Acquisition and Assessment Center (NITAAC) release of amendment seven.

Not only did the changes throw bidders into a new frenzy, but the continued modifications to the rules for small business teaming arrangements are putting the entire procurement at risk of collapsing under its own futility.

To understand just how problematic the changes brought on by amendment seven are, let’s look at a company I’ll call Technology Company X (TCX). The real company agreed to share its story on condition of anonymity because it still plans to bid on the program and didn’t want to damage its relationship with NITAAC.

TCX is a small business and a CIO-SP3 contract holder, and the person leading the bid effort, let’s call them Pat, has been in the federal market for more than 30 years. Clearly, neither the person nor the company is new to the market.

At the heart of the issue are changes in amendment seven that no longer let small firms claim the experience of their large business subcontractors for points as part of the self-scoring evaluation.

Pat said TCX pulled two large businesses onto its team of small firms to help increase its total points. Out of a possible 10,000 points, TCX had more than 9,700 points before the amendment, meaning Pat felt TCX was in good shape to move into the second round of the competition.

When NITAAC released amendment seven and removed the ability of small firms to claim points from large business subcontractors, TCX’s self-score dropped to about 5,000.

“There was a clear implication from NITAAC that if you’re not over 9,000 points, you will not make the cut. It’s unclear where the cut is, so you’d be stupid not to compose your team of large and small contractors to maximize your points,” Pat said. “After amendment seven, our initial reaction was we are not sure we will make the cut. So we are now beating the bushes for small businesses who we can add to our team to get us back up to where we think the cut is going to be. The problem is we will wind up with a large unwieldy team if we have to add another 6 to 8 small businesses. Managing a team like that is another evaluation criteria, so we will also have to change our entire management approach. How do we make sure all the team members have reasonable access to task orders while making certain that we do 51% of all work?”

Why are all amendments on small business teaming?

Pat said it goes beyond the extra work of finding new teammates in the small amount of time NITAAC gave them until bids are due. The changes also impact TCX’s relationship with the large firms because they now have to ask them not to be on their CIO-SP4 team, which could harm their long-term teaming and partnering opportunities.

“The requirements are way out of line. NITAAC doesn’t seem to understand the burden these changes place on small businesses,” Pat said. “What is unique about CIO-SP4 is the focus on small business teaming. Why is every amendment focused on that and forcing everyone to do a joint venture? I think that was the underlying argument between the Small Business Administration and NITAAC that delayed the final solicitation.”

Pat said TCX spent more than $50,000 in proposal costs and employee hours working on this procurement.

TCX isn’t alone in facing this problem. Pat said they know of several other small firms that may not bid and/or may file a protest with the Government Accountability Office.

In fact, NITAAC is facing a new bid protest that was filed July 22 by Pluribus Digital on this exact issue.

The company argues that amendment seven changes the evaluation so that the agency will count only small business experience, and that the 14-day response window is not sufficient for offerors to change their proposed teams.

Two other firms also have protests over CIO-SP4 before GAO.

On July 15, Tata American International Corp. filed a complaint arguing that the information required to be submitted to show prior experience, especially in areas where the company has not performed for the government, is confidential and can’t be disclosed.

The third protest, which AgilisTek, LLC, filed on July 9, goes back to the previous changes to the solicitation regarding mentor-protégé arrangements and the ambiguities in the procurement itself.

Changes impact small, large businesses alike

Cy Alba, a partner with the law firm Piliero Mazza who represented some of the companies whose July 2 protests GAO dismissed after NITAAC said it would take corrective action, said NITAAC’s amendment is causing two major problems.

“For small businesses, who cannot simply reform into joint ventures with large firms who are not their mentor because it would make the joint venture a large business, it is forcing them to ‘no-bid,’ wasting hundreds of thousands in bid and proposal dollars,” Alba said. “For large businesses though, it may have the same effect, in practice. This is because large businesses are also being prohibited from using subcontractors for numerous areas of the RFP. However, unlike small businesses, the large firms could create joint ventures, but the timing is the problem.”

Alba said the Defense Logistics Agency (DLA) is taking 20-to-30 days to issue CAGE codes to new entities, and NITAAC only gave firms an 11-day extension for the proposal due date.

“Even if they created a new JV immediately, they could not secure the CAGE code from DLA in time to bid,” he said. “So even large businesses are looking at major lost bid and proposal dollars. All-in-all, NITAAC’s last minute, capricious, change is costing companies millions of dollars at a time when dollars are stretched thin for so many, particularly the small business who likely had to forego other opportunities to take a shot at CIO-SP4. It is truly galling the total lack of understanding that NITAAC has as it seems they are not even aware of the time and expense companies put into these procurements or they just don’t care.”

A NITAAC spokeswoman declined to comment for the story because it is an active procurement.

But Jim Williams, a former acting administrator of the General Services Administration and a senior executive who ran large procurements at the IRS and the Department of Homeland Security, said NITAAC absolutely should be discussing the changes and helping industry understand its thinking.

A growing call to pause the entire effort

Shane McCall, the managing partner of Koprince Law, said NITAAC needs to go back to the drawing board on this one. He is one of several experts calling on NITAAC to hit the pause button and take another look at the entire procurement.

“While it may have been OK, although not the best for small businesses, for the CIO-SP4 solicitation to include this requirement, to change the ground rules this late in the game will leave a lot of small businesses out in the cold,” he said.

The Professional Services Council wrote a second letter to NITAAC and the Department of Health and Human Services on July 22 asking for a total reassessment of its approach “with the proper coverage for the business relationships and small business regulations,” and to issue a new, final amendment that gives bidders at least 30 days until proposals are due to ensure they have “sufficient, uninterrupted time to respond.”

“The latest amendment has frustrated many companies of all sizes. Given ever-changing proposal requirements and shifting timelines, PSC recommends a pause of the entire CIO-SP4 RFP,” said Stephanie Kostro, PSC’s executive vice president for policy. “Over the last 18 months, PSC has provided feedback to NITAAC on numerous occasions on needed clarifications of the CIO-SP4 RFP and the importance of adequate timelines for proposal submissions. The seven amendments published since late May have served to further compound industry concerns and have forced potential offerors to consider alternative strategies or decide not to bid on the CIO-SP4 opportunity at all. The additional two weeks provided by the most recent amendment for bid submission is insufficient for major overhauls of teaming arrangements. Such a brief extension reflects NITAAC’s disregard for or misunderstanding of how industry prepares teams and solutions in today’s government technology and professional services marketplace.”

In their 30 years in the market, Pat has rarely, possibly never, seen a procurement run as poorly as CIO-SP4. Pat said when an agency runs a procurement this big and this significant, the most important facets are transparency and consistency, and unfortunately, NITAAC hasn’t been very good at either.


Is IPv6 like the oil crisis of the 1970s? Much ado about nothing

It was a moment of unintentional irony when Col. Romel Jaramillo, the Defense Department’s IPv6 lead, said his office was busy implementing the third memo of this century from the Office of Management and Budget to move to the “new” network backbone.

Yes, the federal community has been talking about, and in some cases making real progress on, moving to Internet Protocol version 6 (IPv6) since 2005.

Deadlines have come and gone. Working groups have stood up and quietly disappeared. Vendors and conference organizers have jumped on the IPv6 bandwagon and then jumped off it as quickly.

It’s almost been 16 years since OMB, the General Services Administration and network experts told us we would soon run out of IPv4 addresses and would be “forced” to move to IPv6.

Much like the oil crisis of the 1970s when we were all told we would eventually run out of oil and had to move to electric or natural gas powered cars, IPv4 continues to underlie most of the government’s network architectures.

But the question that has yet to be answered is whether the move to IPv6, with its better security, nearly unlimited IP addresses and other potential benefits, is finally going to happen, or whether we will be talking about a fourth, fifth and sixth memo later in the 2020s.

Maria Roat, the deputy federal chief information officer, said while new approaches and techniques have kept IPv4 viable over the last 16 years, the growth of devices and users will eventually bring a tipping point.

“In 2015, the last IPv4 address was issued,” Roat said at the recent IPv6 event hosted by GSA. “Today there are more users and devices connected to the internet than there are IPv4 addresses. Driven by the limitation of IPv4 to keep up with the continued growth of the internet, we need the security feature and performance of IPv6.”

Roat and her predecessors surely made similar comments back in 2005 and again in 2010.

It’s not that agencies haven’t made progress. Data from the National Institute of Standards and Technology demonstrates the last 16 years haven’t been all talk.

Of the 25 CFO Act agencies, 12 have either all their domains IPv6 enabled or are in the process of making them enabled.

Source: NIST

But making a domain IPv6 enabled is one thing — moving totally away from IPv4 is a bigger lift.

Roat said OMB recognized that challenge in its November 2020 memo that detailed new deadlines, including the need to develop an agencywide IPv6 implementation team within 45 days, an agencywide policy within 180 days and to identify at least one pilot of an IPv6-only operational system by the end of fiscal 2021 and report the results to OMB.

The memo has a goal of having 80% of all IP-enabled assets operating in IPv6-only environments by the end of fiscal 2025.

“When you think about that in the planning and budget cycles, we already are moving into fiscal 2023 planning. We are looking at operating in [an] IPv6-only environment by [the] end of 2025 so this will require a multi-year effort,” she said. “This is not a CIO thing. This involves key stakeholders as well as industry, CFOs and others in the planning.”

Source: NIST

DoD and the IRS are among those agencies involving key stakeholders and are in the middle of the planning.

DoD’s Jaramillo said a new implementation memo should be ready in the next few weeks and a new IPv6 strategy should be completed by the end of the fiscal year.

“We are working to identify more pilots and have an IPv6 only pilot under development,” he said. “The implementation guidance and memo has resulted in a strategy, a DoD cybersecurity analysis report, the standup of a virtual project management office and component supported integrated product teams (IPTs), IPv6 language in the component’s planning guidance and some future funding via the component’s program objective memorandums and two DoD IPv6 workshops that develop [plans] for at least two pilots.”

Two of those pilots are with the Defense Logistics Agency and Strategic Command, both of which did limited deployment of IPv6. Jaramillo said the pilot proved tools and personnel can track IPv6 deployment.

The Defense Information Systems Agency has also made its core backbone IPv6-enabled.

Jaramillo also said all internet access points are now enabled to support IPv6.

“Our cybersecurity service providers (CSSPs) and our tools are seeing IPv6. The concern previously is we were not ready to support IPv6. But I think the DLA pilot is helping to answer those concerns,” he said. “We are waiting on feedback on how leadership has seen those results. We [will] have more news by the end of the fiscal year.”

A June 2020 report on DoD’s implementation efforts from the Government Accountability Office found the Pentagon was missing three key pieces to its strategy, including a cost estimate, a risk analysis and an inventory of existing IP compliant devices and technologies.

IRS focused on applications

The IRS, meanwhile, has been working on the move to IPv6 since at least 2012. A 2014 report from the Treasury Inspector General for Tax Administration found the tax agency struggled with its initial planning.

Scott Morizot, an IRS application developer and technical lead for the IPv6 transition, said at the GSA event that the agency has made significant progress since 2016.

“Our internet sites and services are IPv6 enabled. Internal service accessing internet are IPv6 enabled. We have IPv6 deployed throughout our enterprise network, wide-area network and local-area network configuration. Our WAN covers 500-plus sites, both small and large, and that has been deployed since 2016,” Morizot said. “The clients on our network are primarily Windows 10 and they are all dual-stacked everywhere they connect wired and wireless. Our remote virtual private network (VPN) can connect over IPv4 or IPv6, whichever is available for them. They prefer IPv6 if they have it available to establish the tunnel.”

Additionally, the IRS is moving applications and the servers on which they run. He said this is much more difficult than many believe.

“Every application will behave differently. You need to have your people look at it and prepare for enabling IPv6 on the servers supporting your applications and within your application configuration,” Morizot said. “What we did and have been doing since 2013 is communicating to staff and the contracts they run some of the basic principles of IPv6 requirements. We have long sessions we have provided to them. We have issued data calls and have then assessed their readiness to implement IPv6. At this point with IPv6 deployed down to the clients, we are now moving into the widespread point where we are enabling IPv6 across our application infrastructure. We will be doing that for the next 18 months.”

For the IRS, DoD and every other agency, the next 12 to 18 months will, once again, demonstrate whether agencies are taking this latest deadline seriously. Previously, agencies have struggled because of a lack of real urgency. So OMB must figure out what the pressure points are to make IPv6 more than a futuristic talking point.


Technology Modernization Fund board reviewing just under 100 proposals

Agencies submitted just under 100 proposals to get a share of the $1 billion in the Technology Modernization Fund.

This was about the number Federal Chief Information Officer Clare Martorana was hoping for back in May.

While more specific details about the proposals, including which agencies and for what kind of projects remain hush-hush—I’m told the Office of Management and Budget is planning to brief lawmakers in the coming weeks about the TMF progress—some details have started to trickle out.

Eric Hysen, the Department of Homeland Security’s CIO, said his agency submitted four proposals to obtain TMF funding.


“I am regularly talking with my colleagues at OMB and the General Services Administration about and advocating for those projects through the process,” Hysen said at the Acquisition Trends conference sponsored by the Professional Services Council. “Those include work to modernize how we process non-citizens arriving at the southern border and better exchange data across DHS components and other agencies; looking at the travel process and as travel picks up again after the pandemic, how we can make the experience of going through an airport easier, more seamless and more secure; looking at how some of our components access and analyze key data sets in conjunction with our new chief data officer; and also how we share critical threat information with our state and local law enforcement partners, which is only more important as we look to confront the threats presented by domestic violence and extremism.”

Matt Hartman, the deputy executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency at DHS and a TMF board member, said the board already reviewed three agency proposals to move toward a zero trust architecture.

“With the new minimal repayment model in place, this is really a good vehicle for agencies to jump start some of these really critical capabilities,” Hartman said at a recent event sponsored by Meritalk. “I know that OMB, GSA and others are really focused on security in this next iteration of the TMF.”

Clear guidance needed for TMF

The scarcity of information about the number of proposals or the agencies which applied isn’t surprising.

House staff members say OMB has yet to schedule briefings with key committees. OMB briefed lawmakers in April ahead of the TMF guidance the administration released in early May.

An aide to Sen. Maggie Hassan (D-N.H.) said the chairwoman of the Homeland Security and Governmental Affairs Subcommittee on emerging threats and spending oversight is pleased to see agencies taking advantage of the TMF.

“[She] hopes that the TMF Board prioritizes proposals that dispose of costly and inefficient legacy IT systems,” the aide added.

Rep. Gerry Connolly (D-Va.), chairman of the Oversight and Reform Subcommittee on government operations, said at the MITRE event he is focused on making sure agencies have clear guidance for how to apply for TMF funding, and those plans are monitored to address any potential challenges.

He said the subcommittee will monitor OMB and agency use of TMF funding.

OMB has the opportunity to reverse four years of subpar communication with lawmakers about the value and benefits of the TMF. It’s understandable why Martorana and staff don’t want to get ahead of Congress, but they also shouldn’t lose sight of the importance of telling TMF’s story to as many people as possible.

And there should be plenty to say with just under 100 proposals. OMB promised agencies it would accelerate the review of proposals sent in by June 2 for this first tranche of funding.

The board added new alternate members to help review proposals, including Maria Roat, the deputy federal CIO; Chris DeRusha, the federal chief information security officer; Harrison Smith, co-director of Enterprise Digitalization and Case Management at the IRS; Sheena Burrell, the deputy CIO of the National Archives and Records Administration; and Sean Connelly, the Trusted Internet Connections program manager at CISA.

No less rigor in proposal review

Roat, who spoke last week at an event sponsored by MITRE, said the board received proposals from a range of agencies, including the Department of Defense for the first time.

“With the TMF proposals, we are connecting the dots, tying the investments to overarching strategic plans, mission requirements and outcomes as well as we are considering agency budget submissions, looking at fiscal 2022 and 2023,” she said. “We need to make sure we maintain the quality, governance and rigor that made all the prior awarded projects successful. As expected, we are seeing large scale modernization, cybersecurity projects that require multi-year and sustained continuous investments. I’m really excited by the number of projects and the ability to prioritize those projects that cut across agencies, address those security gaps and improve the public’s ability to access public services.”

The fact that DoD applied for TMF funding demonstrates how the changes to the repayment incentive as well as the surge in funding are making the TMF more attractive. That was especially true for DHS.

“As we are looking at all of these efforts and the long list that we are still working on below that, we are looking at this in a way that is a little different from how DHS at least viewed the TMF in the past,” Hysen said. “You will note, I didn’t name any components or any systems or programs in the examples I just gave. I talked about common needs and uses across the department. What we are trying to do very deliberately is not just use the TMF as an opportunity to look at our big list of unfunded modernization programs that we just need one vendor and we already have a whole plan for. But really to look at common problems and challenges across the department and set up systems and structures that will allow us to move together. We think we can get a lot more done if we modernize in common aligned ways across DHS components and systems.”

He said the goal isn’t to build one system for the entire agency, but to focus on systems that will serve the customer better and to use the TMF funding to move forward together across the department.

Hysen said he expects that DHS will continue to submit proposals to obtain TMF funding in the coming months.

MGT Act fix coming

Roat said the TMF board and project management office already started reviewing project proposals.

OMB should consider publicizing details sooner rather than later given that House members have begun marking up the fiscal 2022 financial services and general government spending bill. Lawmakers included “only” $50 million for the TMF next year. This is well below the White House’s request of $500 million.

The good news about the initial bill is the Office of Personnel Management would receive authorization to develop an IT working capital fund, which is the more valuable piece of the Modernizing Government Technology Act. The MGT Act also created the TMF.

OPM could transfer up to 3% of unspent salaries and expenses funding into the working capital fund for IT modernization efforts.

If this provision makes it into law, OPM would be the second agency, joining SBA, to receive approval from Congress for the IT working capital fund.

Over the long run, OPM or any other agency may not need Congressional approval—which has been difficult to obtain.

Hassan has promised to introduce a technical amendment to clarify that agencies do not need new authority from Congress to create the WCF.

The aide said Hassan is continuing to work on a fix to the Modernizing Government Technology Act, and her team is having ongoing discussions with Rep. Connolly’s office about addressing the issues with working capital funds.

At the MITRE event, Connolly said he plans to fix the MGT Act issue with working capital funds either through legislation or through meetings with agency general counsels.

“We will have to work with the Appropriations Committee because this becomes a bit of a turf battle in terms of what can you do with appropriated dollars and who has jurisdiction over that,” he said. “It’s just critical that every agency has a working capital fund so that they can stay abreast of changes in technology, that they can implement the latest encryption programs and measures to protect the assets in the databases and the proprietary information, and retire those legacy systems. I see that as another critical piece in addition to the TMF.”


Did DHS ‘go rogue’ with FirstSource III solicitation?

Correction: DHS did include the ISO 9001 and OTTP requirements in draft versions of the FirstSource III solicitation.

The Department of Homeland Security’s acquisition shop is one of the most well-respected in government. It communicates with industry better than almost any other.

It makes decisions that are both pragmatic and unselfish, like deciding not to pursue an EAGLE III multiple award contract and instead move the work to existing governmentwide acquisition contracts. The procurement office also admits when it makes mistakes, like it did with its agile procurement several years ago.

For these reasons and many others, it’s a real head scratcher why DHS is requiring two arduous certifications for vendors under its FirstSource III solicitation for technology products and related services.

In the request for proposals for this small business contract with a $10 billion ceiling, DHS mandated that small firms must have the ISO 9001:2015 Quality Management System and/or the Open Trusted Technology Provider Standards.

This decision to make these standards a requirement has led two small firms to file a protest with the Government Accountability Office on June 8, just a few days before bids were due.

The companies, z SofTech Solutions and KPaul Properties, claim the requirement for the certifications is “unduly restrictive” and creates an unnecessary limitation of the competition because DHS didn’t give bidders an appropriate amount of time to go through the certification process.

“DHS went rogue on this requirement,” said Leticia Alexander, the president of z SofTech Solutions, one of the two companies who filed a protest. “To be a value-added reseller (VAR), a system integrator or a managed service provider, you do not need all these certifications. DHS has conflated a lot of requirements for the reseller community. When we resell for major suppliers we do not need all these certifications. We work with distributors to ensure we are doing quality control processing. It’s a partnership effort and that is what we have distributors. To me DHS doesn’t know what the reseller agreement entails and they didn’t elicit that support from the supplier community or reseller community.”

Emails to DHS seeking comment were not returned. Typically, agencies do not comment on ongoing litigation anyway.

Procurement experts said that, generally speaking, when it comes to these types of protests, the agency and the complainant resolve the issue before GAO gets a chance to issue a decision.

Kevin Paul, a member of KPaul Properties, said the requirement specifically to be ISO 9001 certified is inappropriate.

“Even if the government is able to justify the requirement for the certification, the certification relates to quality management and maintenance of standards that would be applied during contract performance, rather than relating to the contractor’s ability to do the particular work requested in the solicitation,” Paul said in an email to Federal News Network. “The requirement that offerors present a currently effective certification at the time of Phase I submission unduly restricts competition and is not rationally related to any agency need. Instead, the agency could check for compliance later in the process during Phase 2, at the time of award, or at some predetermined length of time after award (such as is the case with the GSA 2GIT BPA – 10 months). This would maximize the number of eligible offerors, not impose undue financial burden on small businesses, and would not impede any legitimate governmental need as the certifications relate to evaluating and maintaining quality during contract performance. Potential elimination during Phase I would be wholly arbitrary when contractors will be able to meet all desired requirements by the time contractual performance begins. This issue was brought up multiple times in the Q&A, but was rejected by DHS.”

Paul added that GAO previously ruled in favor of companies that filed similar protests: USA Jet Airlines, Inc.; Active Aero Group, Inc., B-404666 (April 1, 2011); and Lbm Inc., B-286271 (Dec. 1, 2000).

Limiting competition for SDBs?

Alexander agreed that it seems like DHS is trying to limit competition, particularly from small disadvantaged businesses.

She said it could take six months and cost upwards of $30,000 to get an ISO 9001 certification.

“I’ve worked with IBM, and my company works with IBM, CISCO, AWS and many others and none of them asked us for these certifications,” Alexander said. “We work with our suppliers to ensure we have quality control. We share that responsibility because it has to be a collaborative approach. That is why we think it is just another barrier.”

Paul added, “What the DHS is doing is creating a pool of large companies who technically meet some required socio-economic status but can choke out other more appropriately labelled business size statuses.”

Alexander and Paul want DHS to remove the certification requirements from the request for proposals.

“This is not a way to get small businesses involved,” Alexander said. “We were on a call with DHS, asked them about this requirement. They didn’t answer the questions. We don’t think DHS is upholding up their end of the bargain about making it easier to do a business with underserved communities.”

Many procurement experts said FirstSource has been a small business success story with more than 16,000 task orders to small firms worth more than $3.8 billion since fiscal 2012, according to Bloomberg Government. BGov said the top spending bureaus since 2012 are Customs and Border Protection ($1.3 billion), U.S. Citizenship and Immigration Services ($613 million) and FEMA ($374 million).

Again, this is why the requirement for ISO and OTTP certifications is so surprising. Why would DHS decide to require these standards without any sort of previous alert or notification, and why would they not answer questions from the vendors asking about the requirement?

For a procurement shop that has built its reputation on being among the most transparent, this is disappointing.

Big contracts mean big business

The reason why KPaul and z SofTech Solutions are taking the time and spending the money to file bid protests is they, and many other vendors, recognize the growing trend to use multiple award contracts across government.

BGov found agencies spent more money through multiple award contracts in fiscal 2020 than ever before. Agencies obligated $159 billion through more than 2,000 of these acquisition vehicles.

BGov said about one-half of all MAC spending was for IT and professional services last year.

Since 2016, the Defense Department’s reliance on multiple award contracts grew by 50% while civilian agency use grew by 33%. Small businesses also did well through MACS, winning about 33% of all awards for the second year in a row in 2020.

BGov said task orders expiring through fiscal 2026 on legacy MACs are worth $20 billion, meaning getting on the next generation of multiple-award contracts like FirstSource or the General Services Administration’s Polaris or the National Institutes of Health’s IT Acquisition Assessment Center’s CIO-SP4 is much more important.

And speaking of multiple award contracts, GSA awarded 426 8(a) vendors a spot on the 8(a) STARS III vehicle. An 8(a) STARS III initial award list as of June can be seen here.

“GSA is rolling out this new contract vehicle in cohorts, balancing the need to provide innovative products and services that agencies require quickly, with the intent to on-board the broadest number of small businesses over time,” said Federal Acquisition Service Commissioner Sonny Hashmi in a statement. “Through this strategy, GSA can start to create an immediate positive impact to our partner agencies’ mission, while increasing opportunities for our small business partners.”

GSA said it intends to make STARS III awards in phases with the next cohort coming later this summer.

Agencies were big fans of the 8(a) STARS II contract, requiring GSA to increase the contract’s ceiling by $7 billion last year. Agencies spent more than $11.1 billion on the contract since 2011.


Electronics manufacturers send warning shot across CMMC’s bow

The Cybersecurity Maturity Model Certification (CMMC) program recently reached an important milestone, naming the first several certified third-party assessment organizations.

Kratos and Redspin made it through the CMMC maturity level 3 (ML3) assessment gauntlet performed by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIB CAC) and other administrative and personnel requirements.

“Reaching this step in getting the CMMC ecosystem up and running is a significant milestone and we look forward to authorizing additional C3PAOs in the coming days and weeks,” said CMMC-AB chief executive Matthew Travis in a release.

The naming of C3PAOs is the first step toward getting companies CMMC certified. The question now is whether vendors will decide it’s not worth the time or cost.

This is potentially the case among electronics manufacturers.

A new survey from the IPC, an industry association representing electronic manufacturers, found nearly a quarter of all respondents said the cost and burden of CMMC may force them out of the defense industrial base (DIB).

About half of IPC’s 3,000 members are located in the U.S. and many are serving the DoD market.

Chris Mitchell, vice president for global government relations at IPC, said in an interview with Federal News Network that CMMC may lead to further contraction of an industrial base that has been shrinking over the last 20 years.

“This is important because we’ve already seen a considerable contraction and reduction in the number of electronics manufacturers here in the United States. To give you a sense of the kind of trajectory that we’ve been on as a country, over the last 20 years or so we have dropped from more than 2,000 printed circuit board manufacturers in the United States to fewer than 200. And that number is expected to decline further,” Mitchell said. “We were hearing from so many of our members that they were having anxiety about CMMC. It’s important to understand that electronics manufacturing generally is a thin-margined business, so even small incremental cost increases can really affect a company’s competitiveness. As companies are beginning to undertake the assessments and do the other stuff necessary for certification, we were hearing from many of them that the costs were much larger than they had anticipated, and that there was continuing to be a lack of clarity about the requirements and what the timeline was.”

He added that a shrinking industrial base, combined with the costs and burden of CMMC, could leave the Defense Department with a much weakened industrial base.

Taking this one step further, nearly every weapon system, every back-office process and every communication tool relies on the sector.

DoD’s January report to Congress on its industrial base capabilities underscored this problem.

“The dependence on foreign sources for semiconductor products continues to represent a serious threat to the economic prosperity and national security of the U.S., as much of the critical infrastructure is dependent on microelectronic devices,” the report stated. “This threat will become more pronounced as emergent technology sectors, such as Internet of Things (IoT) and AI, require commodity quantities of advanced semiconductor components.”

DoD also recognized the contraction in the market. The Pentagon said in the report that in the aerospace and defense sector, electronic equipment contributed 23% of total mergers and acquisitions’ deal value in the first half of fiscal 2020, about $15.4 billion. The most noteworthy of these mergers and acquisitions were the BAE Systems Inc. acquisition of Collins Aerospace-Military – Military Global Positioning System, and the Teledyne Technologies Inc. acquisition of Photonics Technologies SAS.

Mitchell said the potential impact isn’t just on the prime contractors, but the flow down to the subcontractors too.

“When it comes to the supply chain, there are already great strains on it. We had a call with an industry representative, not related to CMMC, and a big part of that discussion was the fact that we already are having a hard time sourcing parts, components, materials,” he said. “I think CMMC without some adjustments is likely to exacerbate these concerns.”

More than a third of the respondents say that CMMC will weaken the DIB, and 41% say the requirements will cause other problems in their supply chain. IPC received 108 responses from contract manufacturers, printed circuit board fabricators, original equipment manufacturers and suppliers who self-reported they are planning to undergo a CMMC assessment in the next five years.

Despite their concerns, IPC found some of its members, including original equipment manufacturers (OEMs), prime contractors and others already are beginning to implement CMMC.

Cost of CMMC is another obstacle for electronics manufacturers. The survey found most suppliers say they expect and are willing to spend upwards of $50,000 on CMMC readiness. Nearly one-third (32%) report that it will take them one to two years to prepare to undergo a CMMC assessment. IPC found more than half of the suppliers say if implementation costs more than $100,000, CMMC would be too expensive.

“DoD’s own cost analysis estimated the cost of a CMMC Maturity Level 3 (ML3) certification to be more than $118,000 in the first year. This means DoD’s own estimate of CMMC compliance costs is too high for 77 percent of the IPC survey respondents,” IPC found.

DoD estimates the cost to obtain a CMMC level 3 certification to be about $118,000.

But Mitchell said that estimate seems to be low.

“Those companies that are going through that process are reporting much, much higher cost estimates in excess of $300,000 in some cases, and these are not large companies that we’re talking about,” he said. “I think the fear on our part is that as companies go through this process, the cost estimates are likely to increase, and as a result, the inclination to leave the defense market may increase as well.”

What the survey didn’t answer is just how big the DoD market is for these electronic manufacturers, and is it a big enough market for them to spend money on CMMC? For instance, the Center for Strategic and International Studies (CSIS) estimated that the Army would spend more than $5.6 billion on communications and electronics equipment last year. Overall, CSIS projected funding for communications, sensors and electronics to increase by 21% by 2022.

More clarity, transparency necessary

Is a $10-15 billion market big enough for these firms to spend a few hundred thousand dollars each to play? Or is the potential not as attractive because the globalization of the electronics sector means hundreds of billions more elsewhere, making DoD not worth the trouble?

While IPC can’t necessarily answer it, it’s clear the dwindling number of contractors is concerning for both DoD and the industry at large.

The Defense Advanced Research Projects Agency (DARPA), for example, initiated in 2017 the Electronics Resurgence Initiative (ERI) as a response to several technical and economic trends in the microelectronics sector.

Through the program, DARPA is funding work across seven areas, including accelerating innovation in artificial intelligence hardware to make decisions at the edge faster, mitigating the costs of electronic design and overcoming security threats in the hardware lifecycle.

Mitchell said IPC would like to see DoD provide more clarity and transparency around CMMC, particularly by addressing reciprocity with existing industry standards.

“There are many existing industry standards in place that have actually been doing a pretty good job of strengthening the security of the industrial base. IPC, in fact, has worked very closely with the Defense Department to establish IPC-1791, which is a trusted supplier standard that also integrates into it cybersecurity requirements. Companies have now been working for more than two years in order to meet that standard and be validated. As a result, the printed circuit board and printed circuit board assembly industries are more robust today, are more secure today than they were two years ago,” he said. “We would love to see whether it’s in the context of CMMC, or apart from it. We would love to see DoD place greater emphasis on leveraging these standards. I think that they reflect an industry commitment to ensure that our industrial base is secure, both physically as well as cyber.”

Interestingly enough, DoD even refers to the IPC-1791 standard in its January report to Congress, saying “A strategy is currently under development and will require implementation by January 2023.”

Mitchell said IPC has shared the survey results with DoD, as well as lawmakers.

He said the goal is to use the data to help convince DoD to work more closely with industry to figure out how companies can earn the CMMC certification in a way that isn’t too burdensome and too costly. He said the other issue is to clarify how to gain compliance beyond hiring consultants.

“Let’s take every opportunity to try to leverage existing standards that are already in use by industry to figure out if we can fray some of the costs that way as well,” he said. “My understanding is that there is a desire to bring some uniformity across the entire industrial base. In many respects, if you talk to the industry, they think it’s a laudable goal. I think the challenge, of course, is that it isn’t just in the case of security, but both in terms of security and quality as a whole, as well as a whole number of other areas. These companies are expending tremendous resources in order to have operations that are validated by one measurement or another. CMMC adds tremendous costs to businesses that are operating on thin margins. So to the degree that we can leverage existing standards, we think that that’s a really good approach.”

IPC’s members’ concern over CMMC isn’t limited to one sector. While DoD has done a good job of talking about CMMC, the number of unanswered questions about what the path forward looks like is growing. DoD needs to make public how it will update its plan for CMMC based on Deputy Secretary Kathleen Hicks’ review, which was completed in May, and squash some of the silly rumors that have started to gain traction.


Data remains biggest obstacle to meeting 2023 deadline for TBM

The deadline for agencies to fully implement the Technology Business Management (TBM) framework is technically three months away, about the time when initial budget requests for fiscal 2023 will go to the Office of Management and Budget.

Despite working on implementing TBM for the better part of four years, agencies continue to struggle with the data that is required to drive decisions and compare their costs with private and public sector experts.


“I couldn’t do benchmarking without having that four years of data, having the ability to have that trending and the comparison and that understanding of the data. But when you look federalwide, some agencies that have really matured around using the taxonomy are definitely looking at benchmarking,” said Maria Roat, the deputy federal chief information officer, during a webinar sponsored by ACT-IAC. “I want to caution around benchmarking. You just can’t say ‘Hey, I’m going to start with benchmarking,’ without having a pretty good read on your data because you don’t want to have flawed data and try to do benchmarking.”

And too many agencies still have flawed data, making it harder to get the expected value of TBM.

Roat said the governmentwide maturity around TBM and data isn’t quite there yet.

“While we’re continuing to make adjustments to the fiscal 2022 [budget] and looking at cutting down on the data requirements and what we’re getting at the Office of Management and Budget level, you can’t put the cart before the horse on the benchmarking because you don’t want to use flawed data. But perfection is the enemy of good enough. You want to have good enough data to be able to start doing benchmarking, and figure out in what areas that you want to compare yourself to,” she said. “There’s a lot of levers and a lot of moving parts on it, and when you make the decision and the timing on starting to do benchmarking, because the Community of Practice said we’re going to benchmark against industry, well, how do you know you have good data, and it’s not flawed? Can we compare agency to agency? Sometimes you can, sometimes you can’t, depending on the size of the agency, and what parameters you’re looking at. There’s a lot of factors to consider in the benchmarking. I think there’s value in it.”

Kelly Morrison, director of digital transformation and management at Grant Thornton Public Sector and a former performance analyst in OMB’s Federal Chief Information Officer’s office, said without a baseline it will be difficult for agencies to improve management, governance, strategic budgeting and oversight of IT spending.

“Agencies have to orient investments in IT around IT services/solutions being provided and be able to see how new investments or projects enhance existing IT services or create new services and how those services are enabling mission and business objectives — providing a clear line of sight,” she said in an email to Federal News Network.

Some of those changes to IT project data OMB is considering may include removing 17 fields and adding seven new ones to the IT data management reporting requirements that help feed the capital planning and investment control (CPIC) efforts.

An email obtained by Federal News Network from March outlines some of the possible changes OMB proposed to the CIO community. The data proposed for removal include the requirement to outline how the investment matches the Federal Enterprise Architecture’s Business Reference Model (BRM); the requirement to offer alternatives to cloud computing; and detailing total spend on infrastructure-, platform- and software-as-a-service and managed services.

The new data fields under consideration include questions focused on how projects are adequately implementing incremental development methodologies, including how often the agency is delivering new capabilities.

“As part of the larger federal IT dashboard modernization effort, GSA will be transitioning IT management data collection to a new approach called ‘IT Collect Application Programming Interface,’” the email stated. “The new application will take advantage of a modernized architecture, simplified coding language, longitudinal data collection and a ‘flat ledger’ designed to improve both the usability of the data being provided as well as reduce future costs when making data collection changes.”

The IT Collect API also will support OMB’s final requirements for the development of the fiscal 2023 budget request.

Data becoming more consistent

The data, both under TBM and more broadly for budget development, has been inconsistent over the years.

Keith Bluestein, the Small Business Administration’s CIO, said there was a time when a CIO’s office would send data to senior leadership to present to the President’s Management Council and find out later that the PMC received totally different data from OMB.

Bluestein said OMB and the data is much more consistent today than four or five years ago.

“The challenge was making sure that everybody was going to the same data source and it was being provided to the same place,” he said. “It’s tough to kind of get your arms around what that true data set is, and to make sure that’s the only one that’s going out of here.”

Dan York, the director of IT Spending Transparency at GSA, said this is why data standards and data quality are so important.

“The sooner we have actual standards by which we can capture IT and the acquisition systems or the FM financial management systems, budget execution systems, the sooner we can begin the process of automating those data pulls,” he said. “When we automate, we take the human error out of it. We take the fat finger errors out. We take the program manager guessing what their budget is and what they spent. That really allows the program managers to focus on the schedule, the performance, the risks of their program, and less of the manual data entry because we can pull those from auditable authoritative systems of record. Understanding what data we need, creating the standards by which to collect it in a system of record, and then automating that collection in such a way where we can really have the humans focus on human work, and have the machine focus on machine work. That’s really going to clean up data quality throughout the federal space.”

Roat said at the event OMB started focusing on data standards in 2019 with a focus on realigning product and service codes (PSC). OMB and the CIO Council removed 20 PSCs and realigned 40 others to abide by the TBM taxonomy overall.

“This past year the CIO Council took on a project to take a holistic look at the IT portfolio of the federal government, not just looking at CPIC, major investments and the cost, but really look at holistically what that portfolio is. I challenged the team to say, what are the core requirements that agencies have to report on? What does OMB need? What will help across the federal government?” she said. “We went back to basics and tore down all the way down to what’s required in law, the definition of CPIC, what’s required for budget submissions because even as we try to do multiyear approaches to modernization, if you don’t have good data to support that even trying to look forward, that’s going to be really hard.”

She said these changes will eventually be in Circular A-11.

Policy, legislation needed?

Grant Thornton’s Morrison said it’s great that the TBM taxonomy is being baked into the Federal Integrated Business Framework (FIBF) and Product Service Codes (PSCs) but the taxonomy alone doesn’t provide the full value potential TBM offers.

“Policy and/or legislation is needed to maintain the focus for agencies to implement TBM holistically, and for the federal government to continue baking TBM into the way the federal government does business/operates — for instance — updates to sub budget object class codes in financial management systems, incorporating the enterprise program inventory required by the Taxpayer Right to Know Act into TBM so that all IT costs can be aligned with the program inventory — both of these examples require engagement from communities outside of IT, thus reinforcing the focus of the panel,” she said. “TBM is not just an IT initiative, it requires the full CXO suite. Policy or legislation is likely needed to hold agencies accountable.”

Morrison said that’s why it’s important for OMB to reinforce and agencies to understand TBM isn’t a CIO’s job.

“There was previously a TBM executive steering committee with OMB and agency CXO leadership spanning IT, budget, finance, acquisition, human capital and performance. Unless this is happening at OMB and the CXO Councils, it is going to be up to every agency to push the boulder up the hill to affect the desired changes,” Morrison said in an email to Federal News Network. “This is why TBM was included in the prior President’s Management Agenda and as a cross-agency priority goal. TBM needs to be a holistic management priority tracked at the PMC level and for which agency deputy secretaries/administrators are responsible.”

GSA’s York said more and more agencies understand the potential of TBM, as the community of practice grew to more than 650 members from 20 when the CIO Council launched it in 2017.

“There’s a real community approach to choosing projects that they want to implement and help with their maturity. Sharing the results of those projects across the entire government helps all boats rise together, which is really our main mission within the TBM project management office,” York said. “There’s certainly a lot of challenges that exist, particularly around change management and how you get large organizations to see the value in future-looking endeavors. But with the help of agencies and OMB, we really accomplished a lot over the last few years.”

The question is when will all of that work turn into widespread value for all agencies, instead of just a select few who jumped into TBM with both feet.


GSA set to alter cloud buying landscape with new policy

Since agencies began to talk about moving to the cloud in 2010, public and private sector advocates played up the idea that programs could “pay by the drink” or buy services on a consumption basis.

The fact is, few if any agencies truly achieved this model.

After almost two-and-a-half years of work, the General Services Administration is about ready to unleash a new way to buy cloud services.

GSA released its second draft policy to industry in May that would let agencies buy cloud services “by the drink” through the schedule contract.

A second draft policy created by Jeff Koses, GSA’s senior procurement executive, outlines how this buying approach would work under the schedule contract, including not requiring the Price Reduction Clause, which mandates vendors give the government their lowest price at all times, and what type of contract and how the funding would work.

“GSA anticipates purchasing cloud computing on a consumption basis will increase competition, as the move towards commercial practices will encourage new entrants to the FSS program,” Koses wrote in the draft policy, which Federal News Network obtained. “With a contract structure more closely tied to real time demand, this approach also provides greater flexibility to take advantage of technology improvements and better support cyber security. Tying cloud computing procurements to commercial market prices will also provide cost transparency without burdening contractors with additional transactional price reporting requirements. Plus, this approach promotes cost efficiency as it reduces the need to lock into long term contracts in markets where falling prices are reasonably anticipated.”

“We hope the policy lays out a clear way to execute the pay by the drink execution strategy using the schedules,” said Nick West, GSA’s deputy director of the Office of Policy, Integrity and Workforce, during a panel at the recent Coalition for Government Procurement spring conference. “We hope to have some sort of language in the schedule contracts by the fall or maybe earlier, hopefully. We really are looking to build something that the CIOs will use and [industry] will offer solutions for them to use.”

Continued work to improve cloud buying SIN

GSA gave industry its first look at how it wanted to change this policy in January 2020.

West said the pandemic delayed the work on the final policy, but GSA did incorporate comments into this second draft policy.

Keith Nakasone, who recently retired after 32 years in government, including the last four-plus as the deputy assistant commissioner for acquisition in GSA’s Office of IT Category, said adding the pay-by-the-drink model to the schedules is another way the Federal Acquisition Service is evolving the cloud special item number (518210C — previously 132-40).

The second draft memo offers more specifics than the first one. For instance, agencies would buy off of cloud service provider pricelists and receive any discounts as prices change. Agencies can incrementally fund task orders for cloud services instead of putting all of the money on contract at one time.

“The ordering activity contracting officer will use a requirements task order. This task order type provides for filling all actual purchase requirements of an ordering activity for cloud computing services during a specified contract period, with performance by the contractor being scheduled by activating and funding individual contract line items (CLINs) and sub-CLINs under this task order,” the draft policy states. “The ordering activity contracting officer must state a realistic estimated total quantity in the task order solicitation and the resulting task order. All CLINs within the task order must include a defined scope with all items priced at time of award. The ordering activity may obligate funds as the bona fide need arises for predefined and established fixed-priced procurement requirements on individual CLINs and sub-CLINs.”

GSA also says it will analyze metrics such as cost transparency, increased competition and better cybersecurity to assess how well this pay-by-the-drink model is working.

7% of all IT schedule spending

Agency customers haven’t exactly been beating down the door to use the schedules to buy cloud services. Of the $6.8 billion agencies spent on cloud services in fiscal 2020, according to Bloomberg Government, about $400 million of that came through the schedules. Cloud buys accounted for about 7% of all spending on the IT schedule last year.

The new policy would meet two of GSA’s goals: Making it easier to buy cloud services—a common call from industry and agency customers—and driving more business to its vehicle.

“GSA should be applauded for trying to make governmentwide policy in this vitally important area for federal IT modernization and service delivery. The hope is that they spend even more time consulting with industry leaders in this space, as well as key agencies who are leveraging the cloud most effectively, and only adopt guidance that is necessary for the bulk of government — and not simply trying to nibble around edge use cases,” said one industry expert, who requested anonymity in order to speak about the draft policy. “The scope and focus of the memo take a very ‘government-centric’ view of a very common issue in the commercial market, which is how to price the consumption of cloud services. Rather than complicate the federal buying guidance on this, GSA should require agencies to adopt commercial pricing that cloud providers offer to their non-government clients. These prices can be made transparent and be updated in real time through standard cloud service provider tools that can make data available on a GSA catalog.”

One way the draft policy takes this “government-centric” view of cloud buying is the requirement for task orders to have ceilings and for vendors to alert the customer if the total amount will reach 85% of the cap within the next 30 days.

Industry experts would argue these requirements still do not match how the private sector buys, which is based on demand and not funding.

“GSA seems to acknowledge that the cost per unit of usage for cloud generally goes down over time, but they feel the need to orient the memo to solve for the fact that there might be some random need for a spike in usage at a certain instance,” the industry expert said. “It seems difficult to understand how GSA will constantly monitor for this across all agency cloud contracts and there is worry that they are trying to solve for a problem that is already being addressed. Think of how agencies operated with increased compute needs during the coronavirus response.”

Commercial parity is difficult

In GSA’s defense, it may never be able to achieve pure commercial parity, but the draft policy takes an important step.

“[C]onsumption purchasing may not be the best fit for every requirement. Cloud service providers offer multiple pricing models, including pay-as-you-go (e.g. on-demand and spot instances) and paying upfront (e.g. reserved instances, subscriptions). The pay-as-you-go models are the most popular in the private sector because of their efficiency and flexibility. However, other models may be more appropriate in certain circumstances,” Koses wrote. “For example, upfront payment plans, while inflexible, are often highly discounted and may offer the best value for users with predictable needs. As such, the private sector routinely leverages combinations of these pricing models and the government should replicate this approach as appropriate.”

This isn’t the first time GSA has tried to make it easier for agencies to buy cloud services. In 2016, the agency began work to change the Federal Acquisition Regulations and even considered legislative remedies, but it’s unclear if anything came from those initiatives. A year later, an interagency working group developed a best practices guide for buying cloud services.

Let’s hope after five years of fits and starts, GSA completes the promise made more than a decade ago that agencies will be able to buy cloud services like they buy electricity.


For IT, cyber policy goals, dig beneath the numbers of Biden’s 2022 request


The Biden administration’s first complete budget request was light on technology and cyber policy and process changes. But it was definitely full of hope.

The hope that Congress will fund the Technology Modernization Fund (TMF) at another $500 million for fiscal 2022 after putting $1 billion into it as part of the American Rescue Plan Act.

The hope that agency workforces will grow by as much as 9.6% at the Department of Housing and Urban Development (HUD) or 7.4% at the Environmental Protection Agency (EPA), after years of being stagnant or seeing reductions.

And the hope that the largely flat Defense Department request and the decision to do away with the Overseas Contingency Operations (OCO) account will not be overtaken by the defense hawks, lobbyists and the Pentagon itself continuing the drum banging over near-peer competition and losing the next great power competition.

Like every White House budget request, the Biden version is full of ideas and concepts that begin the long conversations with Congress. The goal, of course, is that these efforts will culminate not with the threat of yet another partial government shutdown or multiple continuing resolutions, but agencies knowing where they stand with enough time left in fiscal 2022 to hire employees, improve technology and continue to prove the value of federal programs and policies.

“The budget makes these investments in a way that’s responsive to both the near- and medium-term economic landscape, as well as the long-term challenges our country faces. In the near-term, the decades-long, global trend of declining interest rates, even as publicly held debt has increased, gives us the fiscal space to make necessary upfront investments,” said Shalanda Young, acting director of the Office of Management and Budget (OMB), during a call with reporters on May 28. “Under the budget policies, the real cost of federal debt payments will remain below the historical average through the coming decade, even as the budget assumes that interest rates will rise from their current lows, consistent with private-sector forecasts. Low real debt service payments show that the cost of these upfront investments is not burdening the economy. To the contrast, failing to make these investments at a time of such low interest costs would be an historic missed opportunity that would leave future generations worse off. This budget does not make that mistake, and it invests — its investments will pay dividends for generations to come. Over the long run, when we face larger fiscal challenges and more uncertainty about interest rates, the budget will reduce the deficit and improve our nation’s finances.”

Anyone who has paid attention to this annual exercise over the last two decades knows that the budget request has been more of a policy document than a funding effort based on reality. This is especially true for technology, cybersecurity and government reform efforts.

This year, however, the analytical perspectives chapter, where most of these policy ideas usually live, is full of “mom and apple pie” quotes like, “Cybersecurity is an important component of the administration’s IT modernization efforts….” or “Federal agencies’ ongoing efforts to modernize their IT will enhance mission effectiveness and reduce mission risks through a series of complementary initiatives…”

So to find the real policy ideas and see where OMB wants agencies to move, you have to dig a little deeper.

Here are the budget items that help demonstrate the Biden administration’s IT and cyber policy goals. These are not in any specific order.

A better chance for working capital funds

Usually any discussion about IT and cyber starts with the TMF. But for this one, let’s start with the other piece of the Modernizing Government Technology (MGT) Act that has the potential to be more impactful: working capital funds. Over the last few years, several agencies have asked Congress for this authority, but only the Small Business Administration (SBA) has received it.

The Labor Department is asking for authority to create an IT working capital fund (IT WCF) using MGT Act authority. “This IT WCF would include all activities currently financed through the WCF, as well as the development and operational costs for agency-specific applications currently funded directly by agencies. Shifting these activities into an IT WCF has no impact on total spending at the department.”

Labor is asking for $37.2 million for IT modernization efforts in 2022, up from $29 million in 2021 and $26 million in 2020.

The Office of Personnel Management (OPM) also appears to be requesting authority for an IT WCF. The budget says it plans to “transfer salaries and expenses extra funding into the IT WCF.”

OPM’s CIO’s office asked for $73 million in 2022, up from $39 million in 2021 and $46 million in 2020.

The U.S. Agency for International Development also is seeking IT WCF authority for at least a third year in a row. It is asking to transfer 5% or up to $30 million to the fund.

Congress added a provision in the 2021 budget that says no more than 3% of the salaries and expenses and business loans program accounts may be transferred to the IT WCF. SBA says it expects to have $2 million in the IT WCF in 2022, down from $7 million in 2021.

The SBA’s CIO’s office asked for $30 million in 2022, down from $48 million in 2021, but up from $29 million in 2020.

Interestingly, the Environmental Protection Agency has run a working capital fund since 1997 and says the MGT Act gives it additional authority to use the money for IT modernization efforts, such as its enterprise human resources IT services and regional information technology service and support, managed by EPA Region 8. EPA expects its WCF to have $354 million in 2022.

Few, if any, other agencies have taken a similar interpretation of the MGT Act, which is why Sen. Maggie Hassan (D-N.H.), chairwoman of the Homeland Security and Governmental Affairs Subcommittee on Emerging Threats and Spending Oversight, plans to add a technical amendment to the MGT Act to fix this challenge.

Interestingly enough, the Department of Homeland Security says it is shutting down its non-MGT Act working capital fund. In 2020, the WCF had $424 million.

“DHS and the Working Capital Fund (WCF) governance board decided to dissolve the WCF in 2021. This decision was reached after conducting strategic reviews of the WCF governance criteria and discussions within the Management Directorate on their business strategy for providing services to their customer base,” the budget documents state. “As a result, no funds are included in the 2022 Budget. All activities were removed from the WCF with base transfers in 2021. DHS components will transfer funds to the servicing management lines of business for fee-for-service and governmentwide mandated services.”

Finally on a related WCF note, the Transportation Department (DoT) plans to spend $93 million from its $726 million agencywide central account “to continue the department’s implementation of a shared services environment for commodity information technology (IT) investments. The IT shared services initiative will modernize IT across the department and improve mission delivery by consolidating separate, overlapping, and duplicative processes and functions.”

The CIO’s office is asking for $17.7 million in 2022.

The budget also says DoT will continue consolidating commodity IT services across operating administrations with a focus on investment-level commodity IT, as well as IT security and compliance activities. It will use shared services to enable the department to improve cybersecurity, increase efficiencies and improve transparency in IT spending.

The cybersecurity growth continues

The Biden administration is asking for $9.8 billion for federal civilian cybersecurity in 2022. This would be a 14% increase over 2021. The Defense Department says its cybersecurity budget request in 2022 is $10.4 billion, bringing total cyber spending above $20 billion governmentwide for the first time.

Included in the overall request is $20 million for a new Cyber Response and Recovery Fund (CRRF) run by the Cybersecurity and Infrastructure Security Agency (CISA) to improve national critical infrastructure cybersecurity response.

Source: Fiscal 2022 budget request to Congress Analytical Perspectives.

“In the first year, the administration proposes to pilot the CRRF, limiting funding during the pilot phase to supporting non-federal entities in responding to, and recovering from, a critical cyber incident,” the budget documents state. “The CRRF would be purpose restricted to carrying out CISA’s existing statutory authorities for cyber response and recovery in support of critical infrastructure and during a significant cybersecurity incident as defined in Presidential Policy Directive (PPD 41): United States Cyber Incident Coordination. Funds would only be available if all criteria were met and if the President had approved use of the funds.”

Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) introduced a bill on May 12 to create the fund, which would enable CISA to more easily coordinate federal and non-federal response efforts to a major cyber incident. The bill authorizes $20 million for the fund.

The Biden request also includes $15 million to support the Office of the National Cyber Director, which Congress established in the National Defense Authorization Act of 2021.

In all, the Biden administration is asking for $1.7 billion in total funding for CISA, including $913 million for cybersecurity. Of that, $350 million would go to the procurement, construction and improvements account, down from $439 million in 2021 and $481 million in 2020. This account typically funds the continuous diagnostics and mitigation (CDM) program as well as national cybersecurity protection system initiatives like EINSTEIN and automated information sharing. The budget did not break out CDM or other programs specifically.

Beyond CISA, several agencies are seeking increases in cybersecurity funding, including those impacted by the SolarWinds attack.

The Treasury Department, for example, is asking for $137 million for its cybersecurity enhancement account (CEA), which is $114 million more than usual to provide “resources to strengthen Treasury’s cybersecurity posture and address the impacts of the SolarWinds incident.”

The CEA supports departmentwide and bureau-specific investments in high value assets and provides more enterprisewide services.

The Energy Department’s CIO office is asking for $68 million in 2022 after making no specific line item requests in 2021 or 2020. While the request doesn’t say what the money would be used for, it’s easy to assume that at least some of the funding is for cybersecurity. Energy wrote in the 2022 request that “significant investments will address cyber vulnerabilities identified as a result of SolarWinds incident of December 2020.”

Energy also is looking to merge two cyber offices with the Defense Critical Energy Infrastructure (DCEI) Energy Mission Assurance functions moving into the Office of Cybersecurity, Energy Security and Emergency Response (CESER). The merger would bring the cybersecurity sharing and support efforts with the electric utility industry under CESER’s purview.

Energy is requesting $201 million for CESER, up from $157 million in 2021 and $158 million in 2020.

Beyond the SolarWinds attack, agencies are seeking more funding for cyber defense efforts.

The FBI is seeking $15.2 million to defend itself from cybersecurity threats.

The Agriculture Department CIO requested $101.1 million, including $56 million for cybersecurity requirements. The overall request is up from $67 million in 2021 and $65 million in 2020.

The Commerce Department is asking for $126.9 million for technology modernization projects. This funding would be divided up with $20 million for business application system modernization and $106.9 million for cybersecurity risk mitigation.

IT modernization beyond the TMF

The federal civilian IT budget request reaches $58.4 billion, a 2.4% increase over 2021. The Biden administration, for reasons unknown, didn’t include the Defense Department’s IT or cyber budget requests in the analytical perspectives. So it’s hard to get a sense of how much the overall federal IT budget is increasing.

The Federal IT Dashboard says DoD will spend about $37.1 billion on IT in 2021, up from $36.6 billion in 2020. In its 2022 request, DoD says it’s moving funding around to meet needs in artificial intelligence, 5G and other emerging technologies.

Using these numbers as the baseline, total federal IT spending would be more than $95.5 billion.

Source: Fiscal 2022 budget request to Congress Analytical Perspectives.

As mentioned earlier, the administration wants another $500 million for the Technology Modernization Fund (TMF). What’s interesting about this request, which comes under the General Services Administration’s budget because GSA manages the fund, is that GSA expects to carry over $811 million of its $1.086 billion in 2021 and 2020 funding.

This seems to indicate that OMB and the TMF Board expect to hand out less than $200 million from the TMF over the next four months.

The two other funds that help with IT modernization also are seeing solid support.

On one hand, GSA’s Federal Citizen Services Fund is asking for an increase to $59.2 million, up from $55 million in 2021.

OMB’s IT Oversight and Reform (ITOR) fund seeks $10.4 million in 2022, up from $5 million in 2021 and $6 million in 2020.

OMB says the additional money will be used for the Federal Acquisition Security Council (FASC) and to implement its sharing of supply chain risk information and exercise its authorities to recommend issuances of removal and exclusion orders to address supply chain security risks within agencies.

The administration also offered more details about its plans to use the $200 million for U.S. Digital Service that was in the American Rescue Plan Act.

USDS plans to increase its full-time employees to 271 in 2022, up from 161 this year. It says the larger number of employees will enable “USDS to quickly address technology emergencies, ensure access and equity are integrated into products and processes, and help agencies modernize their systems for long-term stability.”

USDS, however, expects fewer employees, 60 compared to 63, to be reimbursable through agency fees.

The Justice Department (DoJ) also is seeking a hefty increase in its IT modernization account.

DoJ says it wants $141 million for its Justice Information Sharing Technology fund. That is up from $84 million in 2021 and $68 million in 2020.

“IT transformation is an ongoing commitment to evolve DoJ’s IT environment by driving toward shared commodity infrastructure services and seeking simplified design and implementation of tools to advance the mission. These efforts allow DoJ to shift from custom, government-owned solutions, to advanced industry-leading offerings at competitive pricing. The OCIO recognizes modernization as an ongoing activity, requiring IT strategies to adapt as technology changes,” the budget document stated.


DoJ, FBI, IC reviewing supply chain threats posed by Russian companies

The decision to ban Kaspersky Lab products and services from federal agency networks and systems may just have been a shot across the bow.

The Justice Department is considering rolling out the big guns against companies owned and operated by Russian nationals.

John Demers, the assistant attorney general for national security at DoJ, said that in light of the SolarWinds attack, Justice, along with the FBI and the intelligence community, launched a new effort to identify supply chain vulnerabilities introduced by companies that are Russian or are doing business in Russia.

Assistant Attorney General of the National Security Division John Demers. (Jim Watson via AP)

“This is not meant punitively, but meant protectively,” Demers said at the recent Justice Department Cyber Symposium. “Where there are critical pieces of software, if there’s back end software design and coding being done in a country where we know that they’ve used sophisticated cyber means to do intrusions into U.S. companies, then maybe the U.S. companies shouldn’t be doing work with those companies from Russia or from other untrusted countries. That’s something that we’re going to be looking closely at.”

Demers said Justice, the FBI and ODNI will share the information they collect with the Commerce Department, which will then decide how to use its authorities under the May 2019 executive order signed by President Donald Trump to determine whether to prohibit the use of technologies that pose a risk to agencies or critical infrastructure.

“We are evaluating the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia,” a Justice Department spokesman added after the event in an email to Federal News Network. “Unlike sanctions, which punish individuals and entities for bad behavior in the past, this review is focused on risk management: Which companies, or classes of transactions, pose a heightened threat to national security because of the vulnerabilities they introduce or the consequences, should they be exploited in the future.”

The spokesman offered no timeline for when DoJ and its partners would complete the review.

This move from the Justice Department, FBI and the intelligence community follows Congressional requirements for agencies to stop using products and services from telecommunications companies owned and operated by Chinese nationals.

While lawmakers started ringing alarm bells as far back as 2012, it took seven years to get language into law to prohibit the use of products and technologies from companies like ZTE and Huawei.

The recent SolarWinds compromise and other cyber attacks are driving DoJ’s review of Russian companies. Only Kaspersky Lab has been officially banned from federal networks and systems.

DoD piloting several DIB cyber programs

Concerns over foreign ownership of, or influence on, technology companies aren’t just about ownership and location; they are also about espionage and data leaks.

The Defense Department is taking steps to shore up its industrial base against these long-standing problems.

The DoD chief information officer is expanding its defense industrial base (DIB) cybersecurity information sharing program.

“Although this program was designed to share indicators of compromise and malware analysis services with cleared defense contractors—those members of the industrial base that have security clearances and access to classified information—the DoD CIO is working to amend relevant regulations to expand the program to include non-cleared defense contractors, thus enabling small- and medium-sized contractors to receive important information, including the same signatures, malign IP addresses and threat advisories that the larger cleared primes receive as part of the program,” said Rear Adm. William Chase III, the deputy principal cyber advisor to the Secretary of Defense and director of protecting critical technology task force, in written testimony before the Senate Armed Services Subcommittee on Cybersecurity. “The Defense Cyber Crime Center (DC3) is also expanding the services available to the DIB, piloting efforts such as penetration testing to address contractors’ external-facing vulnerabilities and an adversary emulation program.”

Chase also told lawmakers about a cyber threat intelligence sharing program called Crystal Ball, which is an “outside looking in” type of program.

It helped identify and notify 13 DIB partners about the Microsoft Exchange attacks from Chinese actors.

Another is the DIB vulnerability disclosure program to help companies improve their cyber hygiene.

DoD is looking to expand these pilots to companies that do not have security clearances, broadening the sharing of threat data from just 800 contractors to tens of thousands.

NSA offering cyber services to contractors

Additionally, the National Security Agency is running pilots to share unique, actionable threat information and cybersecurity guidance with members of the DIB and their service providers. Another pilot provides unique cybersecurity capabilities to the DIB, among the most promising of which is the provision of free and secure Domain Name System (DNS) lookup services to the DIB.

“The NSA is offering this cybersecurity service — called Protective DNS, or pDNS — in partnership with an advanced commercial DNS provider and is currently enrolling members of its industrial base,” Chase wrote. “This capability combines a commercial DNS sensor architecture with real-time analytics to quickly understand malicious activity targeting the DIB and to deploy immediate countermeasures. The efficacy of this service has been widely demonstrated—it does not require access to internal contractor networks and has the potential to prevent or disrupt adversary cyber exploitation activities.”

And, of course, there is the Cybersecurity Maturity Model Certification (CMMC) program.

Jesse Salazar, the deputy assistant secretary of Defense for industrial policy, told Senate lawmakers DoD moved CMMC under his office earlier this year.

He said the final CMMC acquisition rules should be in place by the end of 2021 after reviewing about 850 comments and the recommendations from the deputy secretary’s review.

“As part of our look, we are trying to assess how we bring clarity to the requirements that we are asking, looking at the barriers to small businesses and then making sure we have trust in the ecosystem,” Salazar said.

CMMC 30-day review is completed

A source with knowledge of CMMC confirmed the deputy secretary’s 30-day review completed in late April.

Salazar said in his written testimony that one of DoD’s biggest challenges with CMMC is to deconflict and streamline multiple cyber requirements to avoid requiring duplicative efforts.

“This includes providing clear guidance on the alignment of the NIST SP 800-171 DoD Assessment Methodology and CMMC, as they pertain to safeguarding controlled unclassified information (CUI), as well as the requirements and assessment approach for contractors that use cloud service provider offerings,” he said. “Moreover, the department is committed to working with our allies and international partners to better understand how the CMMC framework compares with other nations’ cybersecurity requirements and better align these requirements to help protect the department’s mission critical supply chain.”

Chase said many of these pilots are providing direct cybersecurity services to the industry instead of depending on their ability to use tools to detect threats and vulnerabilities.

“This approach institutionally buys down cybersecurity risk across entire industry segments rather than relying on individual small- and medium-sized businesses to defend their networks as if they were large prime contractors,” he said.


How users drove GSA’s design of new acquisition platform

In a matter of days, the federal contracting community will learn whether the General Services Administration avoided and learned from the mistakes it made in November 2019, or if history will repeat itself.

GSA’s Federal Acquisition Service flipped the switch on May 24 for the new SAM.gov portal, bringing together 1.5 million users across six acquisition websites under one umbrella and integrating the data to reduce the burden on agency and industry customers alike.

The new SAM.gov removes the “beta” from the web address, retires the previous version of the site and aims to create a common look and feel across acquisition systems under the Integrated Acquisition Environment (IAE).

Judith Zawatsky is the assistant commissioner of the Office of Systems Management in GSA’s Federal Acquisition Service.

“One of the visions we’ve had now for many years in integrating all of these capabilities together is to create for you and contracting officials a single workspace,” said Judith Zawatsky, the assistant commissioner of the Office of Systems Management in FAS, during the recent Coalition for Government Procurement spring conference. “If you already have a log-in and an account, you will not need to do anything but come in and authenticate yourself. You will not need to create a new account and you will not have any issues. When you do authenticate yourself, you are going to find a workspace where you can do all the things for which you have a role for your entity.”

Zawatsky said the user’s workspace will include common searches the user performs and the reports they typically run.

“We’ve changed the design and layout to make it more readable. The design is in compliance with the 21st Century IDEA Act. The design is already very much ahead of the USDS web standards and brings in a lot of functionality. We are very excited about the look and feel, and the ability to see more data that you are looking for and understand what you are looking at so you have to go through less pages,” she said. “We’ve also added a whole new set of data analytics into the system so we actually will be able to get a better understanding of how people are interfacing not only with the site, but with each page, and that, along with feedback, continue to drive changes and improvements.”

The constant feedback — there is a link on every page of SAM.gov to submit comments — will be the telltale sign of success.

If you remember, when GSA first launched this site, then called beta.sam.gov, in November 2019 and shut down FedBizOpps.gov, industry was none too happy with the results.

Some of the common complaints back then focused on search parameters, reduced functionality and a lack of data standards. The Professional Services Council outlined its complaints in a 22-page letter sent two months after the launch.

Feedback has been critical for the new design

Zawatsky said in an interview with Federal News Network that GSA received more than 35,000 pieces of feedback already from customers, and the landing pages have gone through 50 different iterations to improve design and functionality through user experience and feedback mechanisms.

“We really, really, really listened. It’s taken us more than a small amount of time to move from that first rollout of beta.sam.gov and then the FBO integration, and we’ve taken a lot of firepower through our business and product owners to really review all of the input that we got, suss it out, organize it and do feedback sessions,” she said. “We do recognize that we have users who are very large businesses that have 100 entities under them and they are trying to manage all of that, and we have people who are just trying to apply for an American Rescue Plan Act grant and just are trying to get through the process. We are trying to accommodate all of those people across an intense amount of data.”

GSA isn’t blind to the fact that agency and industry customers will have to adjust to the new site and there will be some challenges.

Zawatsky said she believes GSA opened up its testing and focus groups to as many agency and industry customers as possible. GSA also believes the workspace concept will give users more control over the specific data they are looking for.

“We really encourage people to log-in so they can have their profile and workspace. They can follow opportunities. They can look at their searches and create their own experience. That is our iterative goal. We bring all this data together. We make it 21st Century IDEA Act compliant. We make it secure. We keep the data clean and protected, and people create their own experiences,” she said.

To log in to the system, users will have to have a login.gov account.

Goodbye DUNS, hello UEI

Another big change GSA is getting industry and agencies ready for is the move away from the DUNS number to the Unique Entity Identifier (UEI), which will be the standard starting in April 2022.

Every vendor organization will receive a UEI at the launch of the new portal.

Amber Hart, co-founder of the Pulse of GovCon, a market intelligence firm, said GSA has an opportunity with the new SAM.gov to fix some of the frustrating aspects of beta.sam.gov.

“A majority of industry spends thousands of dollars so that a commercial firm can string together GSA’s own data to figure out the historical context. GSA could remedy this situation and did make a slight attempt at doing this with ‘history’ and ‘related notice’ data entry points on the new SAM.gov but that feature seems to be missing the point as it still is a manual entry process,” Hart said in an email to Federal News Network. “This is a massive undertaking that I don’t think anyone could ever get fully right, and I know GSA had their own reasons for combining all of these systems – like making internal processes easier, more secure, etc. – but to industry, it just seems like the contract opportunity functionality of SAM.gov was an afterthought based on the outcome.”

Hart and others will have plenty of opportunity to comment and offer feedback over the coming weeks.

FAS Commissioner Sonny Hashmi said at the Coalition’s event that the site is more responsive and more scalable.

“We decoupled the front end from the back end. For you, that means that we are able to roll out more capabilities more quickly and in a more decentralized way,” he said. “We know SAM isn’t always easy to use, and we know you all have identified some pain points. One thing I can commit to you is that we will listen.”

And if there are problems, industry will not be shy about speaking up.
