Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Sign up for our Reporter’s Notebook email alert.

DHS, NSA creating reusable pieces to zero trust foundation

An analysis by Bloomberg Government from last summer showed agencies have spent only $500,000 on zero trust architecture tools and services since fiscal 2017.

To be clear, that research only looked for specific mentions of what has become a buzzword mentioned at every conference and vendor white paper over the last two years.

BGov readily acknowledges that there are hundreds of millions, if not billions, of dollars spent on components that would go into a zero trust architecture.

The evidence of that spending and push toward modernizing the federal approach to cybersecurity seems to be everywhere, especially over the past year as agency chief information officers and others have realized the value and potential of changing their approach to network defenses. The COVID-19 pandemic reminded and reinforced the power of identity and access management as a key piece to defend against cyber attacks.

The National Institute of Standards and Technology is reviewing concept papers for how to implement a zero trust architecture across six scenarios.

“This project will focus primarily on access to enterprise resources. More specifically, the focus will be on behaviors of enterprise employees, contractors and guests accessing enterprise resources while connected from the corporate (or enterprise headquarters) network, a branch office, or the public internet,” NIST’s National Cybersecurity Center of Excellence wrote in the project description. “Access requests can occur over both the enterprise-owned part of the infrastructure as well as the public/non-enterprise-owned part of the infrastructure. This requires that all access requests be secure, authorized, and verified before access is enforced, regardless of where the request is initiated or where the resources are located.”

NIST said based on its review of the white papers, it plans to issue a cooperative research and development agreement (CRADA) to demonstrate different approaches to zero trust.

The Department of Homeland Security and the National Security Agency are two of the agencies on the leading edge, doing more than test these concepts.

Beth Cappello, the DHS deputy CIO, said the agency is using its target architecture initiative, which sets a common technology baseline to let programs adopt new technologies quickly, to implement zero trust components.


“By rapidly implementing IT and security improvements to reduce risk, it will help the Office of the CIO address the remote work posture of our employees. Components have been able to take our target zero trust architecture and quickly customize or tailor it to field similar capabilities within their respective environments,” Cappello said at the recent MicroStrategy World 2021 conference on Feb. 4. “From a technology perspective, the zero trust architecture approach allows us to ensure we have a dynamic, on-demand chain of trust that is continually reassessed at each access point. Frankly, in our continued remote environment, this is incredibly important.”

Homeland Security’s approach to zero trust is all about reusable architecture guides that are focused on user needs and developed with the components in mind.

Cappello said policy templates, pattern libraries and reference implementations also help ensure DHS implements zero trust concepts in a standard way. The DHS zero trust action group, made up of experts from across the agency, leads the coordination, development and sharing of these documents and of individual components’ experiences.

“Thus far, we have fielded seven zero trust use cases to enhance access to IT assets and systems,” she said. “These use cases augment security while also reducing the load on our VPN connection points. This zero trust architecture approach also increases our network performance by leveraging a cloud access security broker and cloud security gateway capabilities to give users secure, direct access to cloud managed applications thereby reducing traffic on that Homeland Security enterprise network.”

Data at center of NSA pilot

NSA is taking a similar approach as DHS, providing policies and reusable components as part of its zero trust approach.

Timothy Clyde, the lead systems engineer for NSA’s external identity solutions and service offerings, said at the recent SailPoint Evolution of Identity conference that the agency launched a zero trust pilot just over a year ago with the goal of figuring out how to get users the data they need when they need it no matter the current set of policies and rules.

“What is the level of trust that needs to go with that identity?” Clyde asked. “Depending on what the level of trust is that needs to be with that identity, comes the governance above that identity. We’ve used policy engines. We tag our data and have been doing it successfully now for well over a decade. Some people would argue once you have a solid identity for the person, the device and the data, the policy then becomes probably the most important piece of it. It does need to be dynamic enough, that depending on the environment, you may have two policies that are almost identical. But if you are in ‘Environment A,’ you may have access, but if you are in ‘Environment B,’ you may not.”

Clyde said the initial phase and roll out of the zero trust pilot includes a lab to test technology components for DoD partners and NSA also is making its policy engines available for others to use in their environments.

Neal Ziring, the technical director for NSA’s Cybersecurity Directorate, said agencies can use policy engines to underpin the process of deciding who is granted access to information. He said policy is at the heart of access control.

“Policy administrators create the rules that allow (or not allow) people and systems to access data. In a zero trust architecture, when a user makes a request to access data, the request is sent to a policy information point (PIP). The PIP provides the user information (such as attributes, clearance level, where they are located, etc.) to a policy decision point (PDP). The PDP analyzes this information along with additional policy rules regarding who can access that data, and determines if that user on that device is allowed to access that data. The PDP then delivers this decision to a policy enforcement point (PEP), which is the final authority on whether or not that user or device gets access to that data and either allows or disallows access,” Ziring said in an email to Federal News Network. “These PIP, PDP and PEP sub processes, when combined, are commonly referred to as the zero trust policy engine.”
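The PIP, PDP and PEP split Ziring describes, as a runnable added example for this article rather than NSA or DHS code. The users, devices, resources, data tags and rules are constructed sample data standing in for an identity provider, a device-management service and a data catalog. The environment rule reproduces Clyde’s point above: the same identity, device posture and data can be permitted in “Environment A” and denied in “Environment B”, and the PDP names every failed rule so the PEP’s audit log explains each denial.

```python
"""PIP -> PDP -> PEP, the three pieces Ziring describes, as one small engine.

Added example for this article, not NSA or DHS code. The users, devices,
resources and rules are constructed sample data; real deployments pull them
from an IdP, a device-management service and data-tagging systems.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    device: str
    resource: str


@dataclass
class Context:
    subject: dict
    device: dict
    resource: dict


CLEARANCE_RANK = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

# Constructed attribute stores standing in for the IdP, MDM and data catalog.
USERS = {
    "alice": {"clearance": "secret", "tags": {"project-x"}},
    "bob": {"clearance": "confidential", "tags": {"project-x"}},
}
DEVICES = {
    "hq-laptop-01": {"managed": True, "patched": True, "environment": "A"},
    "branch-laptop-02": {"managed": True, "patched": True, "environment": "B"},
    "home-desktop": {"managed": False, "patched": True, "environment": "B"},
}
RESOURCES = {
    "doc-17": {"classification": "secret", "tags": {"project-x"}, "environments": {"A"}},
    "memo-3": {"classification": "unclassified", "tags": set(), "environments": {"A", "B"}},
}


class PolicyInformationPoint:
    """Gathers who is asking, from what device, for which data."""

    def collect(self, req):
        # Anything unknown yields an empty attribute set, which every rule treats as deny.
        return Context(USERS.get(req.subject, {}), DEVICES.get(req.device, {}),
                       RESOURCES.get(req.resource, {}))


def rule_clearance(ctx):
    # Unknown labels rank highest and unknown clearances lowest, so any gap denies.
    need = CLEARANCE_RANK.get(ctx.resource.get("classification"), 99)
    have = CLEARANCE_RANK.get(ctx.subject.get("clearance"), -1)
    return have >= need


def rule_need_to_know(ctx):
    # Every tag on the data must be present on the subject.
    return set(ctx.resource.get("tags", ())) <= set(ctx.subject.get("tags", ()))


def rule_device_posture(ctx):
    return ctx.device.get("managed") is True and ctx.device.get("patched") is True


def rule_environment(ctx):
    # Same identity, same posture, same data: only the environment differs.
    return ctx.device.get("environment") in ctx.resource.get("environments", set())


class PolicyDecisionPoint:
    """Default deny: every rule must pass, and failing rules are named for audit."""

    RULES = [("clearance", rule_clearance), ("need_to_know", rule_need_to_know),
             ("device_posture", rule_device_posture), ("environment", rule_environment)]

    def decide(self, ctx):
        failed = [name for name, rule in self.RULES if not rule(ctx)]
        return ("permit" if not failed else "deny", failed)


class PolicyEnforcementPoint:
    """The only component that actually opens or blocks the connection."""

    def __init__(self):
        self.pip, self.pdp, self.audit = PolicyInformationPoint(), PolicyDecisionPoint(), []

    def handle(self, req):
        decision, failed = self.pdp.decide(self.pip.collect(req))
        self.audit.append((req, decision, failed))  # every decision is logged
        return decision == "permit", failed


def evaluate(subject, device, resource):
    """Run one request through PIP, PDP and PEP; returns (allowed, failed_rules)."""
    return PolicyEnforcementPoint().handle(AccessRequest(subject, device, resource))


if __name__ == "__main__":
    for args in [("alice", "hq-laptop-01", "doc-17"), ("alice", "branch-laptop-02", "doc-17"),
                 ("bob", "hq-laptop-01", "doc-17"), ("alice", "home-desktop", "memo-3")]:
        print(args, evaluate(*args))
```

Alice reading `doc-17` from the HQ laptop is permitted; the identical request from the branch laptop fails only the `environment` rule, Bob fails only `clearance`, and an unmanaged home desktop fails `device_posture` even for unclassified data. The PEP never decides anything itself, which is what lets the same PDP rules be reused across components while each component runs its own enforcement point.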

Unclassified, classified labs established

The zero trust pilot is a joint effort amongst U.S. Cyber Command, the Defense Information Systems Agency and NSA — where they are researching, developing, piloting and lab testing technologies.

“The team has been able to demonstrate the effectiveness of zero trust at preventing, detecting, responding and recovering from cyberattacks,” Ziring said. “NSA is part of the joint team developing the DoD zero trust reference architecture. NSA is developing zero trust best practices and guidance to share with a broader set of US critical network owners, such as National Security System owners. NSA is working with the DoD CIO and DISA to update any existing cybersecurity policies as applicable to include zero trust principles to ensure that all of DoD is synchronized on zero trust, and implements zero trust in a secure and standard way across the department to protect critical information.”

He added that the DoD-wide working group is partnering with NIST to ensure the guidance on zero trust is aligned across government.

Under the pilot, NSA and U.S. Cyber Command established an unclassified lab at DreamPort, a public-private innovation partnership that hosts zero trust equipment and simulates customer environments where they test diverse configurations of zero trust implementations.

Ziring said it also serves as a location to hold unclassified discussions with zero trust stakeholders, such as government customers and vendors.

“The ability to engage with our stakeholders at the lowest possible classification level allows for broader engagements across the community and an increased understanding of cybersecurity as it evolves,” he said. “We have a separate testbed with DISA that will host any anticipated classified information.”


Experts laud SolarWinds post-attack efforts, but why’d it take a massive cyber incident to make changes?


It’s been two months since the massive attack through SolarWinds’ Orion platform came to light. And while the full impact of the attack still is unknown, the Austin, Texas, company is going on the offensive.

Beyond naming Sudhakar Ramakrishna as its new CEO in December, the company said it’s taking a multitude of other steps to recreate trust with federal customers.

“We know a lot more than we did a couple of weeks ago. There has been a lot going on from an investigation perspective, including the analysis of tools and from outside companies. The last thing we wanted to do is to put out information that we were not confident about, and I think every day our confidence increases that we are getting a better handle on what happened, and how to prevent it from happening in the future and to help customers prevent it in the future,” said a SolarWinds official, who requested anonymity in order to speak about the ongoing investigation. “When we began our remediation efforts and looked inside our operations, the third parties we brought in discovered the attack had nothing to do with SolarWinds. Our customers understand that this could’ve happened to them as easily as it happened to us. This was a unique and unprecedented incident.”

Experts say recreating that trust with their federal customers means having to go above and beyond with internal changes and taking responsibility for the attack.

“A lot of what they are doing is probably overkill. They are showing they are not just the basics, but changing everything and taking security into overdrive to re-establish that trust,” said Bryson Bort, a senior fellow for cybersecurity and emerging threats at R Street Institute, a think tank, in an interview.

The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security said the attack affected 18,000 public and private sector customers of SolarWinds’ Orion product, including 10 federal agencies.

The SolarWinds official said they have been meeting with defense and civilian customers over the last few months, including the National Security Agency, Army Cyber Command, CISA and many others.

“There is a significant initiative across the federal government to identify areas of concern. We have implemented testing across agencies and branches to make sure they have the latest and greatest version as they ramp back up to using SolarWinds in a careful and methodical way and using our partner community to help them deploy it. We want to make sure our federal customers are secure because they were a primary vector for an attack,” the official said. “We know now this was a targeted attack. It was not meant for ransomware or anything like that, but federal agencies were one of the targets.”

Free remediation services

A second SolarWinds official said they also know now that the attack was much broader than SolarWinds Orion. The official said 30% of the incidents researched so far do not have their technology deployed.

SolarWinds is providing agencies with free remediation services through trained and cleared third parties.

“We have taken on or shared the responsibility for securing the Orion deployments or rebuild and redeploying the technology within any given agency environment,” the second official said. “We are making those resources available for agency customers. We actively have partners in place and are working with federal agencies and third parties.”

Experts say it’s a good sign that SolarWinds is helping agencies with remediation efforts as many still are trying to figure out the impact of the attack and whether they will “rip and replace” the company’s software or just update it.


“Any time a company goes beyond statements and actually puts resources, dollars and/or time into addressing a problem, it definitely shows a level of commitment and accepting more than formal legalities or contract but more of customer focus,” said Michael Daniel, the former White House cybersecurity coordinator and now president and CEO of the Cyber Threat Alliance. “The damage assessment for agencies will take a long time. Every damage assessment that I’ve ever seen in government took months or years to fully produce the facts about what happened. This is a tough call on the government side of what to actually do. Do you have the confidence that SolarWinds and you have eradicated the adversary? This is a much more complex problem set than whether to just rip and replace. It’s about how much of your network needs to be burned to the ground, discarded and rebuilt from scratch? That is a monumental undertaking.”

The first SolarWinds official said some agencies are considering ripping and replacing, while others are figuring out how to remediate the vulnerabilities.

Pre-breach cybersecurity questioned

Larry Clinton, the president and CEO of the Internet Security Alliance (ISA), said part of what the company is doing is trying to maintain their business by being good business partners.

But he and other experts say the after-the-hack efforts, not just the free third-party assistance but all the changes the company is making to its internal processes, raise the question of why it took a massive attack for SolarWinds, or for any company, to harden its cybersecurity.

“How successful will they be is hard to say, but the question that is more pressing is did they do the appropriate things on the front end so that they were practicing due diligence to ensure this kind of thing would not have happened?” Clinton said. “The big question for me is did they do enough realizing how critical an element they were in government and industry infrastructure? Were they doing enough on the front end to ensure their own security? SolarWinds should’ve known that they were a critical element and should’ve been doing really good front-end security. That’s what I’m more interested in than what they were doing on the back end.”

The question of what SolarWinds did pre-breach is one experts continue to ask.

One cyber expert, who requested anonymity, said there has been a lot of “swirl” around SolarWinds pre-breach cyber practices.

“They need to address their reputation problem. While I personally don’t have any knowledge of any of those issues, their reputation was they didn’t take cyber as seriously as they should have, and that they chose to under invest in cyber to prioritize growth in other areas,” the expert said. “Certainly if I were a customer of SolarWinds, I would want them to demonstrate what their cyber practices are, and if I’ve never asked before, I will now. And this applies to many contractors, not just SolarWinds.”

The first SolarWinds official said the steps the company has taken include expanding its multi-factor authentication environment, forcing password resets across all of its domains, from production to lab to staging, and creating new software build environments with stricter controls, including zero trust architectures and controls and reproducible software builds across multiple pipelines.

“We do not believe our digital code signing certificate was compromised but we did ask for it to be revoked. That was the best way to effectively kill those impacted builds,” the official said. “We want to make sure no one can install that build so as of March 8, the previous code signing certificate will be revoked. Our new software builds are coming and adhere to common criteria and are signed with the new certificate. Those are builds for our federal customers who are upgrading and using testing labs to push through their internal processes.”
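What “reproducible builds across multiple pipelines” buys you, as an added example for this article; it is not SolarWinds code and makes no claim about how their pipeline works. The source tree and the two “pipelines” are constructed in memory. The unpinned build embeds wall-clock timestamps and writes files in whatever order the builder enumerated them, so two pipelines building the same commit produce different bytes and a tampered artifact cannot be told apart from an innocent rebuild. The pinned build fixes the timestamp (the SOURCE_DATE_EPOCH convention), sorts entries and pins the archive metadata, so every independent pipeline must hash identically before a release is signed.

```python
"""Reproducible-build check across independent pipelines.

Added example for this article; not SolarWinds code. The source tree and the
two "pipelines" are constructed in memory so the comparison runs offline.
"""
import hashlib
import io
import time
import zipfile

# Constructed stand-in for a checked-out source tree.
SOURCE_TREE = {
    "orion/core.py": b"def run():\n    return 'ok'\n",
    "orion/VERSION": b"2021.2\n",
}


def _entry(name, epoch):
    """ZipInfo with every variable field pinned: timestamp, mode, creator OS."""
    info = zipfile.ZipInfo(name, date_time=time.gmtime(epoch)[:6])
    info.compress_type = zipfile.ZIP_STORED  # avoids zlib-version differences
    info.create_system = 3                    # always "Unix", whatever host built it
    info.external_attr = 0o644 << 16          # fixed permissions
    return info


def build_unpinned(files, clock=time.time):
    """A typical unfixed build: wall-clock timestamps, files in the order the
    builder happened to list them. Two pipelines rarely agree on the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(_entry(name, clock()), data)
    return buf.getvalue()


def build_reproducible(files, source_date_epoch=1609459200, clock=time.time):
    """Same inputs -> same bytes: pinned epoch (SOURCE_DATE_EPOCH convention),
    sorted entry order, and the wall clock is deliberately ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            zf.writestr(_entry(name, source_date_epoch), files[name])
    return buf.getvalue()


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def pipelines_agree(artifacts):
    """Release gate: every independently built artifact must hash identically.
    Returns (agree, digests) so a disagreement can be reported with evidence."""
    digests = [digest(a) for a in artifacts]
    return len(set(digests)) == 1, digests


if __name__ == "__main__":
    # Pipeline B runs an hour later and enumerates the tree in a different order.
    t_a, t_b = 1612483200, 1612486800
    tree_b = dict(reversed(list(SOURCE_TREE.items())))
    print("unpinned agree:", pipelines_agree([build_unpinned(SOURCE_TREE, lambda: t_a),
                                              build_unpinned(tree_b, lambda: t_b)])[0])
    print("reproducible agree:", pipelines_agree([build_reproducible(SOURCE_TREE, clock=lambda: t_a),
                                                  build_reproducible(tree_b, clock=lambda: t_b)])[0])
```

The gate is only as strong as the pipelines’ independence: if both run on the same compromised build host, matching digests prove nothing. Separate hosts, separately provisioned, is what makes a mismatch a signal worth stopping a release for.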

Less about attack, more about response

R Street’s Bort said while these changes are important, the real question for SolarWinds and really all organizations is how fast can they detect, respond and mitigate future intrusions.

“At the end of the day a determined adversary will always win. If SolarWinds implemented all of these defensive measures two years ago, this still would’ve happened because a nation state that wants to get into a network will,” he said. “Your risk is an embodiment of every vendor in your environment and agencies have to look hard at detect and response. What is your ability to see what happened afterwards? That is the big question.”

Daniel, of the Cyber Threat Alliance, warned against over-rotating on the supply chain security issue. He said agencies still need to do the basics of cybersecurity before they spend too much time or energy on supply chain risks.

At the same time, Daniel said SolarWinds will have both a similar and different impact than the hacks suffered by the Office of Personnel Management.

He said SolarWinds, like OPM, will act as a “wake-up call” to non-IT executives who either didn’t understand supply chain risks or didn’t think they were a big deal for their agency, only a DoD problem.

“You have to make sure you have all the basics in place first before you move on to supply chain risks. Your everyday ransomware and phishing are still your main vector of cyber threats and vulnerabilities,” he said. “Incidents like this highlight the fact this isn’t about a fancy piece of technology. You can’t just buy something to put on the network to address the problem. This is about process, organization, contracts and agreements, which in some cases can be harder. You have to have both technology and organization practices.”


CMMC update: Pilots, 3PAOs and more of what vendors need to know

Fraudsters, pathfinders, pilots and final rule. Third-party assessment organizations (3PAOs), the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and controlled unclassified information. This is what you need to know about the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.

Based on two events last week where leaders from the DoD and the CMMC Accreditation Body spoke, here is the breakdown of the latest of this much-watched, anxiety-inducing cybersecurity and supply chain initiative:

Fraudsters

About a year ago, the Pentagon warned against third-party vendors who said they could get Defense industrial base contractors ready and possibly approved under CMMC. They were making that claim before DoD even finalized the standards. As DoD gets closer to testing the standards this spring, fraudsters are once again trying to take advantage of unsuspecting companies.

“We had an individual reach out to us on LinkedIn, and they fell prey to one of the companies who is not certified, who is saying, ‘hey, pay me, let me come in, I can get you certified.’ And they didn’t get what they paid $10,000 for. And now they’re coming back to us, and where’s my certification?” said Stacy Bostjanick, the director of CMMC policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment, during the Jan. 25 webinar sponsored by FedHealthIT and G2Xchange FedCiv. “So please be careful and wary of how you bring these contractors and consultants in. Understand that if you’re bringing somebody in to consult with you, to help you prepare for CMMC, it really should have gone through some of the CMMC-AB training. If you really want to ensure that you’re getting the right information, you need to go with people who have had the CMMC-AB training and have a certification through them. And then that way, you’re less likely, I hope not at all likely, to have somebody try to take advantage of you in that scenario.”

Do your homework to make sure the assessors and third party assessment organizations are CMMC-AB certified. Currently there are 100 assessors that have received provisional approval from the AB and 73 approved third-party assessment organizations (3PAOs).

Pathfinders

This is a key term for vendors to understand. DoD did three pathfinders using CMMC requirements: the Missile Defense Agency, the Navy and the Defense Logistics Agency. MDA held the first pathfinder, and the Navy’s and DLA’s are ongoing. In each case, DoD is testing out the CMMC assessment approach.

“We had tabletop exercises where we came together and we figured out what would the RFI language look like. We had the contractor as part and parcel with this so they could tell us whether certain information was not helpful to us. We need to have this kind of information for us to be able to prepare and understand what we’re looking at,” Bostjanick said. “We also went through a mock RFP and a post-award conference and an adjudicate dispute resolution challenge. We also took the assessors and ran them through the first run of the training. We use the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) team, since the detect team had already been out on the ground doing the DoD assessments in accordance with the NIST 800-171 methodology. We felt that we wanted to have the members of the DIBCAC team, as well as the members from the Carnegie Mellon Software Engineering Institute and Johns Hopkins Applied Physics Laboratory, that put together the model, go through the training to ensure that the training was presented in a way that it met the tenets and the understanding of what we wanted out of the model.”

For the DLA pathfinder, DoD said it will use real CMMC assessors to continue testing out the CMMC approach.

Source: CMMC-AB townhall from Jan. 26

Pathfinders are not pilots, but they do matter quite a bit. DoD would do themselves and CMMC a service by detailing how the pathfinders worked, what they found and what they learned.

Pilots

DoD announced the first seven pilots in December, and Bostjanick said at least three more are in the works. During the initial rollout of CMMC, the Pentagon said it plans to pilot CMMC with 15 total acquisitions. Diane Knight, who is DoD’s CMMC lead for pilots and pathfinders, said the big challenge for the pilots is the timing of the acquisitions themselves and whether they can still make awards in 2021.


“Our expectation is about 100 subs per prime, so we’re thinking about 1,500 companies will have to be CMMC certified for the pilots,” Bostjanick said. “Now, the one thing that you have to be aware of is our expectation is that only 20% of the companies in the DIB actually handle controlled unclassified information, the vast majority of the companies are going to fall into the CMMC level one arena. They’re not going to need to go up to that level CUI.”

Bostjanick said DoD also is working with the General Services Administration and the Department of Homeland Security on potential pilots.

“We’re working with all of those groups to make sure that we can meet the timeline, because the last thing we want to do is to affect anybody’s acquisition and slow it down,” she said. “We have to assess the acquisition, make sure that we have all the resources and capabilities in place, and that’s how we’re moving out. We’re building and we’re growing.”


First off, the excitement over the last week that DHS was all in on CMMC wasn’t accurate. It’s no surprise DHS, GSA and probably others are paying attention and interested, and in some cases may be adding CMMC to the master scope of the contract, but there is no evidence from DoD or any other agency that these other agencies are adopting the standards part and parcel.

Second, and maybe more importantly, DoD seems to be aware of “first-mover status” concerns and is ramping up so the playing field is level. Just look at the number of 3PAOs, assessors and other important pieces to get vendors ready. Will it be perfect? It never is. But the recognition of the concern is an important first step. This is why DoD said they will be piloting CMMC through 2026.

Final rule

DoD released the interim CMMC rule in September and after accepting comments, it expects the final version to be out by mid-to-late summer.

Bostjanick said DoD is reviewing the comments on the interim rule and will send the final version to the Office of Management and Budget for approval in the spring time.

Because DoD released CMMC as an interim final rule, it went into effect Nov. 30. This means DoD can move forward with the pilots under the regulations it outlined. You shouldn’t expect any significant changes in the final rule given DoD’s desire to roll out CMMC this year.

3PAOs

There are now 53 total 3PAOs and another 355 applications that are pending. Those 53 3PAOs have 100 certified assessors to work with to analyze how companies meet CMMC level one.

Source: CMMC-AB townhall, Jan. 26. RP: registered practitioners; RPO: registered provider organizations; C3PAO: CMMC third-party assessment organizations; LPP: licensed partner publishers; LTP: licensed training providers.

Bostjanick said the next step is to get the 3PAOs ready to do assessments under CMMC level 3.

“We are looking at having the first handful done by hopefully March, and then as we continue to move forward the DIBCAC assessors will reach out and set up the assessments with the 3PAOs. Once those assessors on staff are trained and have their suitability determinations … they will be able to do assessments. We will prioritize pilots to make sure those contractors who will participate in that will get priority and no one misses out on the opportunity to compete, and then they can move out from there,” she said.

The CMMC-AB and DoD expect to release the scoping documents for 3PAO assessments in the coming weeks.

“From a clients’ perspective, everyone is anxious to get going. They want to know what the timelines look like. They want to know what they can be doing today to kind of get going. And they also want to know how does this coincide or complement their other compliance initiatives and investments that they’ve made over the course of the year, not just FedRAMP, but in the in the commercial space, ISO certification, CMMI, all of those different things that play a part in this puzzle,” said Doug Barbin, a principal and cybersecurity leader at Schellman & Company, a 3PAO.

See the early discussion about fraudsters — only work with CMMC-AB certified and approved 3PAOs and assessors. The board has a list on its website. More importantly, however, getting the 3PAOs trained and ready to do assessments will take time and that’s one reason why many believe the Pentagon is biting off more than it can chew with CMMC. It’s also why DoD recognizes that the pilots will go on for five years because getting 300,000 companies through the process will be a huge task. DoD and the CMMC-AB also are trying to ensure consistency in the training, which may be another reason why patience is required.

DIBCAC

DIBCAC — at the Defense Contract Management Agency (DCMA) — will play a big role in getting the 3PAOs and assessors ready to conduct CMMC reviews. There are 25 DIBCAC teams which the AB has approved as assessors.

“We were contacted by a DIBCAC assessor just at the end of last week. So we’ll be kicking off that assessment this week as well,” Barbin said. “So we’re excited for that, as excited as you can be of being assessed. We do have different accreditation bodies that come in and poke at us throughout the course of the year.”

Additionally, Bostjanick said DoD is close to finalizing the DIBCAC assessment reciprocity memo, which would help companies that already went through the DCMA analysis not have to go through another review to ensure they meet CMMC level one requirements.

“Basically what we did with that one is, if you scored on a DIBCAC assessment of 70 or above, then the areas that you missed, you would only have to have those areas assessed for CMMC, plus the additional 20 requirements,” she said. “If you scored lower than a 70, then you have to have a full assessment redone. With FedRAMP, we have members from the CMMC-AB, the DIBCAC and GSA working on the reciprocity agreement for the components between GSA and CMMC to align them. Once we have gotten that drilled down and outlined, we’ll put a memo together with both GSA and DoD to say, ‘CMMC will accept these components, and if you’re FedRAMP moderate, then you may be equal to this level in CMMC.’”

She said the reciprocity effort with the DIBCAC and FedRAMP is a major focus right now for her team.

What vendors need to know

Reciprocity has been one of those big issues industry has called for since DoD launched CMMC. It’s good to know the Pentagon and GSA are taking this seriously. The sooner the reciprocity specifics are finalized, the better for all involved. At the same time, DoD relying on the DIBCAC to get 3PAOs ready for level 3 seems short-sighted. There are only 25 DIBCAC teams and they can only do so many assessments, which in the long term will slow down the process. One guess is that as 3PAOs become level three certified, they can in turn do level three assessments of others, but that is unclear from DoD.


Industry persuades DISA to change market research approach for cloud acquisition

Once again the federal technology community was left flabbergasted and wondering “why?” by a decision from the Defense Department around cloud computing.

This time it’s the Defense Information Systems Agency, which — until it suddenly changed its mind late on Friday — had made a decision that left us all questioning the initial rationale behind yet another cloud acquisition program.

DISA, which receives mostly high marks from industry for its inclusiveness and openness to innovation, decided to do the exact opposite. It initially wanted to limit responses to a request for information for a cloud program office only to 14 large and 23 small vendors on its Systems Engineering, Technology, and Innovation (SETI) vehicle.

But pressure by three industry associations and other experts convinced DISA to change its mind and let other companies beyond those 37 submit RFI responses.

“We appreciate DISA’s swift response and resolution,” said Megan Petersen, ITI’s senior director of policy, public sector and counsel, in a statement to Federal News Network. “We look forward to submitting comments to this important effort on behalf of ITI’s members. We encourage DISA to provide additional opportunities for ITI and the broader tech industry to share perspectives on buying cloud and other innovative technologies.”

Before the change of heart, ITI, the Alliance for Digital Innovation and the Internet Association wrote to DISA questioning its decision to limit RFI responses.

“As trade associations representing hundreds of global technology companies—including major cloud service providers—we are in a unique position to offer valuable perspective regarding DoD’s questions,” the Jan. 27 letter stated. “By polling our diverse members and consolidating responses, we can provide DoD with significant market intelligence. To ensure DoD’s market research is comprehensive, we encourage the government to publicly post this RFI and allow companies and trade associations with relevant experience and insight to contribute responses to this important effort.”

11 questions about buying cloud

DISA released the RFI to the SETI contractors in early January seeking feedback on creating a Cloud Computing Program Office (CCPO) “to streamline contract processes to enable the DoD to procure cloud IT professional services within weeks instead of months from the identification of requirements. This RFI is seeking information regarding all methods and approaches — and feasibility — to shorten procurement timelines and to simultaneously support agile contracting practices.”

To some, that RFI is the future embodiment of the JEDI — the Joint Enterprise Defense Infrastructure — program. DISA is asking 11 questions about the current and future approaches to buying cloud services, conducting market research and developing requirements.

The industry groups questioned why DISA would just go to this small group of contractors for information rather than a broader, and even non-traditional, set of companies.

One industry source, who requested anonymity because they were worried about impacting their relationship with DISA, said it’s unclear why the agency started with a narrow group.

“After the first RFI, you never see an agency open it up wider after hearing from that first group,” the source said. “You usually start wide and go narrower once you figure out what is possible. If this is the first step, it will lead them further away from market leaders and the best companies out there.”

Before DISA reversed course on Friday, its answers to questions about the RFI provided limited insight into its rationale.

A DISA spokesperson said the reason to go only to the SETI contract holders with the RFI is to gain perspective from innovative, and even some non-traditional, contractors.

“We will conduct an analysis after responses are received to determine the next steps in conducting market research, if required. This reflects our overall strategy of approaching the effort in an iterative fashion,” the spokesperson said. “The recent RFI is only a first step in conducting market research to identify viable paths to accelerate the acquisition of cloud professional services so that mission partners can acquire the necessary technical support to migrate and operate in various cloud environments. DISA is starting with targeted market research under the SETI contract vehicle and, after analyzing the information, will determine the next iteration of market research required for this endeavor.”

Protecting against conflict of interest

But if you look at the SETI contract holders, particularly the unrestricted group, the list is mostly a who’s who of vendors: IBM, Northrop Grumman, Leidos, Booz Allen Hamilton and Deloitte. It’s harder to tell whether the SETI small business awardees are the non-traditional contractors DISA is referring to, but it’s hard to imagine these vendors are on the cutting edge if DISA is trusting them to be a part of a contract with a ceiling of $7.5 billion.

The other concern that some in industry raised about using only SETI contractors is how can DISA protect itself from potentially having a conflict of interest in the future solicitation to set up the program office? Many of these contractors have relationships with cloud providers and even if DoD finally comes to its senses and makes multiple awards under JEDI, there will be no way to isolate the people who run the program office from the folks who support the implementation of cloud services from Microsoft, Amazon Web Services and other providers.

The DISA spokesperson didn’t directly address the conflict of interest concern except to say there are regulations and policies that prohibit those kinds of actions.

“The recent RFI is only a first step in conducting market research to identify viable paths to accelerate the acquisition of cloud professional services so that mission partners can acquire the necessary technical support to migrate and operate in various cloud environments. The market research effort will continue to iterate as information is analyzed,” the spokesperson said.

DISA offered no details on its timeline for the next steps to eventually create a cloud program office solicitation.

John Weiler, the executive director of the IT Acquisition Advisory Council, said too often DoD makes this kind of mistake by limiting market research. He said it’s a main reason for many of DoD’s IT failures. He said narrowing input from knowledgeable sources increases the risk of missing out on true innovation.

The JEDI program is often held out as an example of failed market research, despite DoD conducting extensive conversations with industry. The concern remains that DoD had an end goal in mind so the industry days and other feedback were mostly for show.

Changes coming to JEDI?

Speaking of JEDI, DoD seems to be more open than ever to reconsidering its path forward. In a report to Congress, which DoD provided to the press, it says should it lose one part of AWS’s JEDI protest before the Court of Federal Claims, the Pentagon may need to look at alternative paths.

DoD told Congress that if the court denies its motion to dismiss AWS’s claims of improper influence, the complexity and length of time of the case “might bring the future of the JEDI cloud procurement into question. Under this scenario, the DoD CIO would reassess the strategy going forward.”

This is the first time DoD has broached the topic of reassessing the JEDI strategy.

Even if the court dismisses AWS’s claims of improper influence, DoD says work on JEDI would remain paused for at least four or five more months while the rest of the case is litigated.

The fact DoD is even open to rethinking its JEDI strategy is a significant change to the entire conversation that we’ve had over the last three-plus years. Let’s hope DISA is paying attention to how the battleship is starting to turn and maybe it can realize the shortcomings of its cloud program office strategy more quickly.


Can the SolarWinds incident spur more action, less talk about supply chain security?

The rising call to protect agency technology supply chains isn’t new. Back in 2012, the Senate Armed Services Committee released an eye-opening report on counterfeit electronic products in the Defense Department.

The Pentagon has been aware of counterfeit and supply chain problems dating back decades, but saw a huge upswing in these parts infiltrating its national security systems starting in 2005.

The recent SolarWinds cyber breach brought to light not only how complicated this challenge is but the need to stop staring at the problem and take real action.

Over the last few years, agencies have done a lot of thinking and planning with the development of the Cybersecurity Maturity Model Certification (CMMC) standards and the creation of the Federal Acquisition Security Council (FASC) to name a few, but real change has been hard to come by.

Jon Boyens, the deputy chief of the Computer Security Division at the National Institute of Standards and Technology, said a 2018 report by the Ponemon Institute found 66% of companies do not have a comprehensive third-party inventory. The 2019 Ponemon report found the average cost of a supply chain attack was $7.5 million and more than 50% of all respondents reported a breach in the past two years.

“Even now, when we talk about supply chain risk management, it’s kind of a level set. It means different things to different people. Some people still do not get the relevance of it or they look at different aspects very adversarial,” Boyens said at a recent supply chain event sponsored by FCW.

This is why many believe the SolarWinds supply chain breach finally will get the government and industry to act more decisively and quickly.

Rep. John Katko (R-N.Y.), the ranking member of the Homeland Security Committee, explained this desire to take real actions and not just stare at the problem in a Jan. 19 letter to the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security.

“I remain concerned that the Federal Acquisition Security Council is not making rapid enough progress to operationalize its ability to leverage its authorities from the SECURE Technology Act,” Katko wrote to acting CISA director Brandon Wales. “It is our understanding that CISA is currently developing the analytical framework that will help guide how risk judgements are considered by the FASC. As a member of the council and the designated information sharing agency of the FASC, it is incumbent on CISA to ensure that all recommendations take into account the wide range of potential attack vectors to the supply chain. Recent revelations about the cyber campaigns against SolarWinds and other entities have reinforced the foundational importance of secure software for overall information and communications technology (ICT) supply chain risk management. Accordingly, specific attention should be given to software assurance and software development lifecycle considerations as part of the analytic framework behind FASC recommendations.”

FASC still getting started

The FASC has been more than two years in the making. President Donald Trump signed the Federal Acquisition Supply Chain Security Act of 2018 into law as part of the SECURE Technology Act. The council finalized its strategic plan and its charter, and issued an interim rule detailing how it will share supply chain risk information and recommend the removal or exclusion of specific products or technologies.

Katko asked for CISA to give the committee its timeline to operationalize the information sharing framework no later than Feb. 1.

His letter also demonstrates the need for the FASC, CISA and many others around government to move more quickly to address supply chain challenges.

A Government Accountability Office report from December shined a brighter light on this issue of doing something rather than just talking about it.

GAO says few of the 23 civilian CFO Act agencies had implemented any of the seven best practices it selected for protecting the technology supply chain.

“[T]he potential exists for serious adverse impact on an agency’s operations, assets and employees. Nevertheless, the majority of the 23 agencies had not implemented any of the seven selected foundational practices for managing ICT supply chain risks,” GAO stated. “These practices included establishing executive oversight of ICT SCRM activities, developing an agencywide SCRM strategy, and establishing a process to conduct agencywide assessment of ICT supply chain risks. Among those agencies that had implemented any of the practices, none had fully implemented all of them.”

Boyens and others say while agencies are taking steps in the right direction, the government needs to implement key practices and principles to make progress more quickly.

NIST is outlining those eight key principles in a new publication, NISTIR 8276. Boyens said he expects NIST to finalize the document in the next two to three weeks as it’s currently in the formal NIST review process. The agency released the draft 8276 for comments in February 2020.

He said among the key principles NIST will include are recommendations that agencies establish a formal SCRM program to help decide which requirements will flow down to which suppliers, determine how best to assess and monitor the supply chain, and create relationships with and manage key suppliers.

“Sometimes a lot of the political and economic aspects get into SCRM and blurry the water a little bit, which is why trustworthiness is so important. Do I have a level of confidence that makes me think the other entity is trustworthy,” Boyens said. “A lot of that can be basic due diligence. How does the business conduct itself? Are they reliable? What are the confidence building mechanisms we can use? We rely heavily on standards and conformity assessment procedures to get us to that confidence level.”

System security engineering is key

NIST also will release the updated draft Special Publication 800-161 for supply chain risk management in the next month or two. The agency hasn’t updated the publication since 2015.

“In that publication, we are putting in key practices for cybersecurity aspects of supply chain risk management from a government perspective,” he said. “It’s most likely going to have a lot of aspects of NISTIR 8276, but it will be tailored to the U.S. government and our constraints.”

Boyens said it’s clear agencies can’t be 100% sure that they are receiving a trustworthy system. Instead, agencies need to make sure they are resilient and continue mission functions in the event of a breach.

“System security engineering is a key component to that, building resilient architecture and systems. That is where a lot of this is fundamental in cyber supply chain risk management,” he said.

CISA also has been active in the supply chain risk management space through its ICT Supply Chain Risk Management Working Group, which released its year two report in December highlighting six initiatives it worked on during 2020.

Among its deliverables in 2020 were the creation of a vendor SCRM template, a standardized set of questions for communicating ICT supply chain risk posture and analyzing comparative risk among all types and sizes of organizations, to enable increased transparency in managing ICT outsourcing risks, and the creation of a threat evaluation working group. That committee conducted an assessment of threats to and from products and services, evaluating those threats with a scenario-based process. It also created a risk and mitigation resource by leveraging threat groupings and applying the National Institute of Standards and Technology Risk Management Framework described in NIST SP 800-161.

Bob Kolasky, the director of the National Risk Management Center at CISA, said at the FCW event that the task force will release its second version of the threat evaluation guide in the next week or two.

“The task force identified a couple hundred reference threats to the supply chain, including exploitation, physical and cyber threats,” he said. “The guidance will serve as a reference for risk managers so they can identify where their priority threats are and match them with vulnerabilities to their systems.”

He said government, industry and others downloaded version one of the guide 14,000 times in the year since the task force released it.

Few would argue that working groups and guidance aren’t important and help lay the groundwork for good work, but agencies and industry should know what the problems are by now when it comes to supply chain risks and should start fixing them.


OFPP Administrator Wooten gives Frictionless Acquisition a boost on his way out the door

When it came to federal acquisition policy, the four years of the Trump administration could be considered a time of laissez-faire.

There were only four acquisition memos signed off by the director of the Office of Management and Budget that didn’t deal with the COVID-19 pandemic in the past 48 months. Sure, acquisition was part of many, if not all, of the technology memos and the data strategy memos, but those that addressed federal procurement, and only federal procurement, were few and far between.

Along with those four OMB memos, the Office of Federal Procurement Policy issued five other memos, including three in the last month, which directed agencies to take specific steps to improve federal procurement.

In all, that’s nine memos in four years or 2.33 memos a year, which equals not a lot of oversight or changes to the federal acquisition process from a governmentwide and OMB level.

Now that doesn’t mean the federal acquisition process has been stagnant for four years. We all recognize there has been plenty of change, with the continued rise of other transaction agreements, the successes during the pandemic and the continued push for innovative approaches like reverse industry days and the use of robotics process automation to reduce manual or tedious processes.

This is why it’s significant that in his waning days as administrator, Michael Wooten, who joined in August 2019 as OFPP administrator, signed out three memos, including one to further drive one of his key initiatives — reducing acquisition timelines.

Michael Wooten, the outgoing OFPP administrator, released three memos over the last two months.

“This memorandum takes an important step toward measuring the timeliness of federal procurements by establishing a common definition of ‘procurement administrative lead time (PALT)’ and providing guidance on steps agencies should take to reduce PALT in their acquisition activities through modern business practices that shorten the time from the identification of need to delivery of value,” Wooten wrote in the Jan. 11 memo. “By measuring PALT and addressing areas of friction, the federal government will continue to build on prior actions to more effectively steward the use of American taxpayer dollars.”

Along with the PALT memo, Wooten signed out another one on Jan. 7 to reinforce the idea that agencies should limit how often they require educational certifications and licenses, instead accepting demonstrated skills when buying IT services and other types of services.

“Focusing on desired competencies to achieve stated outcomes, rather than imposing degree requirements, helps to break down barriers to entry and promote effective competition by giving prospective government contractors the flexibility they need to build a team with the best suited personnel to address an agency’s requirements. This flexibility is especially important for those small businesses that may otherwise lack the resources to participate in competitions for services if their existing employees do not meet the educational requirements and deprive taxpayers of the resourcefulness and ingenuity that these small businesses could bring to the federal marketplace,” Wooten wrote. “In addition, by avoiding reflexive use of educational requirements, agencies can also realize significant savings and cost avoidance while still getting access to the critical skills they need.”

Wooten issued a third memo on Oct. 30 reminding agencies to take steps to increase the participation of people with disabilities in federal contracting, specifically by awarding more contracts to companies under the AbilityOne program. The memo states agencies spent about $4 billion with AbilityOne contractors in fiscal 2019.

A powerful management tool

While two of these memos are just good reminders, addressing the timeliness of acquisitions has been a priority for Wooten.

“I think [PALT] is a powerful management tool that we should use to examine our performance, to examine the performance of our systems and look for ways to improve the systems. It is not a bludgeoning tool to be used to whip the workforce to get product out faster,” Wooten said at the National Contract Management Association Government Contract Management Symposium in December. “We need to look at this as a measurement of the system and the effectiveness of the system.”

The memo finalized the definition of PALT — “[T]he time between the date on which an initial solicitation for a contract or order is issued by a federal department or agency and the date of the award of the contract or order” — and provides guidance to promote consistent application across agencies.

Wooten said the definition and use of PALT is a good first step toward improving the acquisition process.

“There is a lot of important work that goes on before you even start the PALT clock. We must not ignore that,” he said. “There are some agencies who already are measuring that and should continue to measure that. The whole point of frictionless acquisition is reducing the time between identifying a need and saying I’ve now received those goods and services.”

As a part of the frictionless acquisition cross-agency goal under the President’s Management Agenda, OFPP says in its fiscal 2020 fourth quarter update that the next step after releasing the definition is to capture and baseline data to create a common benchmark to improve agency processes.

17 proven practices

OFPP set a goal for agencies to complete 90% of routine, non-major acquisitions and 80% of complex major acquisitions within a timeframe comparable to private sector averages or benchmarks of leading state and local governments or federal agencies by 2025.

“PALT can help to drive continual process improvement and the pursuit of more innovative procurement practices, especially when the data are used in combination with other inputs for evaluating the overall effectiveness of the acquisition process in delivering value to the taxpayer, such as cost and the quality of the contractor’s performance,” the memo stated. “As agencies evaluate PALT, they should consider the growing list of proven business practices and technologies that agency acquisition innovation advocates (AIAs) and industry liaisons have been promoting to reduce friction across the acquisition lifecycle. This includes using more innovative and less burdensome processes for conducting acquisitions, leveraging technology to modernize operations and help the workforce move from low to high value activities, and taking advantage of modern ‘high definition’ data analytics to support smarter buying decisions.”

Wooten’s memo includes a four-phase approach to reduce PALT as well as 17 agency examples of strategies to reduce lead time.

Of course, the PALT varies depending on what agencies are buying.

Soraya Correa, the chief procurement officer at the Department of Homeland Security, said she believes the clock starts when a program office says “I think I have a need” and the contracting team starts engaging with the program office.

“The other step in this is how we do our market research. Is market research merely going online and seeing what contractor did this before or is it, maybe, going out to industry with this problem statement and say, ‘Tell us about this. How do you do this? How do you evaluate this?’ All too often we are hesitant to go talk to industry and a lot of times they have good answers, and by the way, if they have input into that solicitation, I think it helps us,” she said. “I think it helps us do a better solicitation and possibly helps us when we get to the debriefing and that all-dreaded protest phase because we would’ve had good industry input and hopefully we will learn from it. So when I think about PALT, I think about moving that dynamic to the left.”

This acceleration doesn’t mean a lack of rigor either. Wooten and others say the goal of PALT, under the Frictionless Acquisition initiative, is all about removing the tedious processes that have become barnacles on the procurement process.


Agencies finally shedding the bad rap of being a technology laggard

For decades, the federal government received a bad rap when it came to innovation. The perception of the government always trailing the private sector seeped into the entire culture of the federal community, from political appointees to employees to contractors.

In fact, early on during the Obama administration a senior official on the technology and management speaking circuit kept deriding the “state of federal IT.”

The official talked at conferences and events about how far behind agencies were in implementing the latest and greatest IT of 2010.

Now 11 years later, that same official, who works with the incoming Biden administration, may be surprised about how much has changed.

A new survey of federal chief information officers and interviews with agency technology leaders show the IT and innovation gap between public and private sector organizations has closed significantly, and because of the COVID-19 pandemic, agencies are enjoying the taste of new technology more often.

“Agencies are getting better at adopting new technologies, which in turn contributes to enabling the workforce as well as an increased ability to deliver on the mission,” stated the survey of federal chief information officers by the Professional Services Council and Attain. “Core services, business and mission are more interconnected, as are agencies and the citizens they serve. People inside and outside of the government IT community are paying more attention to technology as they see the value it offers. One respondent felt strongly that IT is viewed as a ‘go-to organization’ within their agency. Through innovation and change management, technology has transformed how people are working. That individual reiterated a comment made when discussing modernization, saying that government needs to move in the direction of innovation initiatives, adding that people are looking for more innovation.”

PSC and Attain interviewed 11 agency CIOs and other federal technology leaders between July and October 2020 about seven broad topics including the state of IT modernization, cybersecurity, the workforce and the pandemic.

People, relationships propelling agencies

Simon Szykman, the chief technology officer at Attain, said government may never move at the rapid pace of the private sector, but agencies are not lagging like they once did and are catching up more quickly than ever before.

“I think in the past there was a challenge of re-skilling the federal workforce that may have had skills that weren’t leading edge. I’m not sure the reskilling challenge has been solved, but the ability to bring new technologies in the form of knowledge that’s brought in with new people seems to be happening more readily than in the past. Maybe it’s something as simple as that retirement wave is starting to happen and creating room to hire new people, which is always a challenge,” Szykman said.

The people that Szykman may be referring to are those that came in with the U.S. Digital Service, the Presidential Innovation Fellows program and the General Services Administration’s 18F organization as well as the push by the Office of Federal Procurement Policy to emphasize modernized acquisition initiatives.

While USDS and 18F were far from perfect during their first five or so years, their long-term impact on promoting innovation, new ways of implementing IT and upskilling federal employees is clear.

The other reason that came through in the survey, Szykman said, and one buoyed by the pandemic, is the improved relationship with industry.

“I think the government is becoming more effective at learning about these technologies, what they can do and what they want to do with those technologies to really leverage the private sector capabilities,” he said. “The private sector capabilities are more agile, you can bring in new skills more quickly, and you can swap people with one skillset out for people with another skillset so there is a level of agility that the contracting ecosystem brings. I feel like the government is now capitalizing on that more effectively than they had in the past and part of the reason is the good working relationship between government and industry.”

GSA’s innovative contract

One example of that is the recent contract award by the General Services Administration to NCI Information Systems. The $807 million contract will support GSA’s Office of Digital Infrastructure Technologies (IDT) with technical expertise to move the government closer to industry leading practices in IT modernization, improving access and quality of services to internal customers and reducing delivery costs, according to a GSA spokesperson.

Erika Dinnie, the acting associate CIO for digital infrastructure technologies at GSA, said at a recent ATARC event that GSA constructed the contract differently than in the past, when it was a traditional support contract.

“This is designed to push down our operational costs and partner with our new contractor to introduce some of these innovative ideas and move to a digital organization and introducing innovation like artificial intelligence and robotics process automation (RPA),” she said. “We will be designing digital personas, for example, and using AI to develop those personas so we can get into predictive analysts so we can predict that some of the actions we are taking might result in these two or three options. It will help us make better decisions.”

GSA says it will use the contract to employ modern methodologies that introduce better alignment with our customer’s business needs and priorities in order to deliver business value and innovation.

Rick Holgate, a former CIO for the Justice Department’s Bureau of Alcohol, Tobacco, Firearms and Explosives and now a senior executive partner for the public sector at Gartner, said the pandemic provided CIOs and others the “courage” not to be so risk averse.

“Zoom, the Defense Department’s Commercial Virtual Remote (CVR) and many others were so urgently needed that endless foot-dragging and hand-wringing became impossible,” Holgate said. “The end-user expectations and pressure have become so intense as to be unavoidable and undeniable. Largely virtual/remote organizations have become a new normal in government agencies, operating much more akin to private-sector analogs; office space downsizing and reconfiguration is actively happening, rebalancing the portfolio of physical space and enabling technology.”

Progress made, more progress needed

The incoming Biden administration seems to want to pick up on this innovation theme. President-elect Joe Biden’s pandemic relief proposal seems to have the handwriting of former members of 18F and USDS all over it. Among the things it includes is $200 million for the Information Technology Oversight and Reform (ITOR) fund to help rapidly hire hundreds of cyber and engineering experts to support the federal chief information security officer and U.S. Digital Service.

But unlike when the Obama administration took over and set up 18F and USDS to address systemic IT challenges, the combination of time and the pandemic has already moved the needle for agencies and for the Biden technology leaders.

David Shive, the GSA CIO, said at the ATARC event that while there is plenty still to do in IT, the innovation gap clearly has closed.

“I spend a lot of time with private sector CIOs. When I’m talking with them and I talk about the GSA experience, it is more often for me to hear from them, ‘Wow, you are light years ahead of us,’ than it is not,” Shive said. “Now, it depends on the type of organization you are talking to. If you are talking to Mary’s plumbing shop, then we are light years ahead of them. If you are talking to Google or someone like that, then probably not. But by and large, when I’m talking to Fortune 100 company CIOs, there is a certain parity with what government is doing, many of the issues that we face are similar and many of the successes that we had in government, those CIOs are still trying to solve within their organizations.”


GSA kick starts 2021 with an acquisition potpourri

When it comes to federal procurement, the General Services Administration takes no off days.

While the GSA’s Federal Acquisition Service employees will never be mistaken for elite athletes — where this concept of no days off comes from — they aren’t wasting any time setting up 2021 to be a busy year for contractors and for new governmentwide acquisition contracts.

In the span of two weeks, GSA released the draft solicitation for Polaris, the small business GWAC to replace the debacle that was Alliant 2 Small Business as well as two requests for information — one for artificial intelligence and machine learning capabilities, and one to develop a new professional services vehicle.

These initial pieces of market research or acquisition strategy planning come as GSA already is reviewing bids for spots under the 8(a) STARS III GWAC and the ASTRO program. GSA expects to make awards for both of these programs in spring 2021 or thereabouts.

“We are looking at fiscal 2021 at being the year where we see some big awards,” said Laura Stanton, FAS’ assistant commissioner for the Office of Information Technology Category, during a recent event sponsored by ACT-IAC. “In fiscal 2020, the IT category facilitated more than $30 billion in annual government spend. We still are wrapping up those year-end numbers, but it represents the trust the federal agencies have put in us, the customer service, the support is reducing the procurement action lead time, innovation and data transparency and all of the things the agencies put their trust in ITC to make that happen. Out of that, we also provided more than $2 billion in savings and cost avoidance for the customers of ITC alone.”

Just for comparison, in 2019, the IT category saw about $26.5 billion in spending, which means FAS saw a 15% growth rate.

“Some of the growth in 2020 is likely from COVID and some of it is from use of best-in-class contracts and spend under management,” Stanton said.

Polaris, 8(a) STARS III, ASTRO and several other initiatives, such as the commercial platform, the 2GIT vehicle and OASIS with all of its new vendors, are slated to gain momentum in 2021, which means GSA will continue to capture more of the market.

There are several interesting aspects to the Polaris draft request for proposals starting off with its use of the Section 876 authority. GSA is not using price as an evaluation factor at the master contract level, meaning price only matters for each individual task order.

Driving competition down to the task order level has been a key priority for outgoing Administrator Emily Murphy during her tenure. With ASTRO first and now with Polaris, it seems the tide is starting to turn.

Another factor in Polaris is its call out of the Cybersecurity Maturity Model Certification (CMMC) standards. While the GWAC doesn’t require CMMC certification, GSA is asking vendors to become accredited.

Keith Nakasone, the deputy assistant commissioner for IT Acquisition in FAS’ ITC, said at the recent ACT-IAC event that vendors must move from self-attestation to a more rigorous review of components and parts.

Keith Nakasone, the deputy assistant commissioner for IT Acquisition in FAS’s IT Category Office. (Photo courtesy ATARC)

“We are embedding the language in the GWAC. The level of certification will come in at the order level, meaning vendors don’t have to be certified at the master contract level. It’s going to be based on the orders that come through the GWAC,” he said. “We included the CMMC language within the master level so it’s within scope. At the order level, agencies can add additional requirements for levels 1-5 depending on their mission requirements. We want to leave that flexibility in the mission program and learn over time alongside with the Defense Department.”

GSA’s goal with Polaris, which has no maximum dollar ceiling, is to promote innovation through the seven technology performance areas that include cloud, cybersecurity, data management and software development.

“The contractor should approach agency task order requirements with technical proposals offering innovative solutions that leverage the flexibility provided by the master contract,” the draft RFP stated. “The choice to align the master contract scope with Technology Business Management (TBM) [standards] and the definitions of IT allows for the adoption of new technologies and innovative solution approaches as they evolve over the life of the contract. The government also encourages the contractor to continuously prospect for and establish strategic relationships, especially with innovative small businesses, to meet this objective.”

Polaris plans to make awards to three pools of vendors — small businesses, women-owned small businesses and Historically-underutilized Business Zone (HUBZone) small firms. Comments on the draft RFP are due by Jan. 29.

Two RFIs released

Innovation seems to be a common theme across GSA acquisition efforts.

The AI/ML RFI is asking product and service vendors for feedback on current capabilities, contracts already offering these technologies and agencies or sectors that already are using the products or services.

“We are taking these forward leaning approaches so that we can adopt technology as well as provide what we know today and inject future technology moving forward,” Nakasone said.

Responses to the RFI are due Jan. 29.

“We are keeping technology offerings that work currently on GWACs, but we are making some tweaks to emphasize emerging technologies like AI, edge computing and ‘anything as-a-service’ so customer agencies can tap into the small companies that provide this expertise to drive further IT modernization and improve service delivery,” said Allen Hill, the acting deputy assistant commissioner for category management in FAS.

Finally, the new professional services effort may not be considered a formal RFI, but FAS is working with ACT-IAC to hold listening sessions with vendors in early February.

“The next generation services IDIQ will seek to combine features such as unpriced master contracts, small business set asides, vetted and open enrollment with all order types including firm fixed price, cost-type, time and materials and hybrids into one centrally managed, user friendly structure,” GSA wrote in a fact sheet. “The goal is to complete an acquisition strategy that achieves the outlined objectives for this new contract program by fiscal 2021 end. After the acquisition strategy is completed our plan is to issue the solicitation in fiscal 2022, with awards and contract use beginning in fiscal 2023.”

New services marketplace

Tiffany Hixson, the assistant commissioner for the professional services and human capital categories at FAS, said at the recent Coalition for Government Procurement conference that this effort is part of a new services marketplace that will bring together several different work streams.

Tiffany Hixson, the assistant commissioner for the professional services and human capital categories at the Federal Acquisition Service in GSA.

She said there are three goals:

  • Rationalize, align and expand our multiple award contract, GWAC and schedule offerings. “Sometimes they work well together and sometimes not so much. We recognize that so our teams are going to be working to try to get them to work together a little more cohesively,” Hixson said.
  • Improve FAS’ market research and buying tools for federal acquisition professionals. She said GSA plans to rationalize the assortment of digital tools and support the services contracts better than current digital tools do.
  • Improve FAS’ data and reporting systems. She said many of those systems that industry uses need to be improved.

“The OASIS ordering period expires in 2024 so we are asking ‘what’s next?’ We will be talking to the federal acquisition community and industry about what that next is. We are beginning our formal market research and planning for what the next generation contract and best-in-class contract will be in government,” Hixson said. “Internal to the organization, we are formally establishing a collaborative community within FAS so we are working on services contracts more holistically and thinking about how to better provide those services contract needs.”

Professional services is among the largest growth areas for FAS. Hixson said usage of all services contracts under her portfolio grew 9.5% year over year, which meant $1.78 billion more in sales in 2020. She said the biggest drivers were schedules contracts, which grew 11%, and OASIS, which increased by 7% over 2019. Schedules sales outpaced OASIS for the first time in the last few years.

“Our five-year growth for all contract programs and that includes the human capital services programs, including HCATs and schedules, has been 60% over the last five years. In 2016, it was about $13 billion in business volume and in 2020, we had $21 billion in business volume,” she said. “For us, while the number is big, the important part of that message is our contracts are meeting the needs of the federal community.”

GSA is starting in the right place by listening to and learning from its federal agency and industry customers. OASIS and the schedule contract for services have been highly successful, so the goal is to make them better, not just mess with a good thing.


These 7 agencies will be looking for new CIOs next week

Seven agencies will be looking for new chief information officers next week.

The departments of Homeland Security, Defense, Housing and Urban Development, State, Transportation and Veterans Affairs, as well as the Social Security Administration, will be saying good-bye to their politically-appointed CIOs. So too will the Office of Management and Budget, where Basil Parker, the federal CIO, and Camilo Sandoval, the federal chief information security officer, also will be exiting after a short tenure.

Rajive Mathur, the SSA CIO, left in October, but the last day for the others is expected to be Friday, according to government sources familiar with the expected changeover.

Stuart McGuigan, the State Department’s chief information officer, told staff on Monday that he is leaving on Jan. 20.

State Department Secretary Mike Pompeo (right) named Stuart McGuigan as the agency’s new CIO and head of the Bureau of Information Resource Management in March 2019.

State confirmed McGuigan is leaving.

“Mr. McGuigan leaves behind a legacy of leading the department’s worldwide information technology transformation during the COVID-19 crisis, enterprise architecture, cybersecurity management, IT service delivery and talent management, to name just a few,” said a State spokesperson in an email to Federal News Network.

He has been CIO since March 2019 after Secretary Mike Pompeo appointed him to the position. Before coming to State, McGuigan spent his career in the private sector with companies such as Johnson & Johnson, where he was vice president and CIO, and CVS Caremark.

McGuigan is one of the few State CIOs who hadn’t previously worked at the agency either in the technology office or as a Foreign Service officer.

During his time at State, McGuigan led several initiatives including the reorganization of how the agency oversees cybersecurity, moving toward an agile approach to software development and adding more rigor to the IT review process.

State has a $2.6 billion IT budget in fiscal 2021, up from $2.4 billion last year. The Federal IT Dashboard states 81% of State’s projects are on schedule, but only 56% are on budget.

CIOs on the move Jan. 20

The other CIOs who are leaving by Jan. 20 include:

David Chow, HUD: Joined in August 2018, making him one of the longest serving political CIOs. Chow led HUD’s partnership with the IT Modernization Centers of Excellence and took advantage of the Technology Modernization Fund (TMF) loan to address long-standing legacy challenges.

Ryan Cote is the CIO of the Transportation Department until the end of the Trump administration.

Ryan Cote, Transportation: Joined in March 2019 and picked up the “big hairy audacious goals (BHAG)” of IT modernization that his predecessor, Vicki Hildebrand, launched. Cote said he focused on consolidating networks and improving the overall architecture, and consolidating about 1,700 web applications into a single platform.

Dana Deasy, DoD: Joined in April 2018, Deasy inherited the JEDI cloud program that remains mired in delays and protests. Despite his inability to get JEDI moving, he found success in creating several new strategies for digital transformation, identity and access management, and for data management. Most importantly, maybe, Deasy ensured the military services and defense agencies could telework during the pandemic, developing and launching the Commercial Virtual Remote (CVR) to support 250,000 remote workers a day.

Karen Evans, DHS: Became CIO in May, focusing on network modernization and security center operations upgrades. Evans also helped DHS thrive during the pandemic by expanding the virtual private network and implementing collaboration tools.

Jim Gfrerer, VA: Joined VA in January 2019, focusing on IT modernization, especially during the pandemic where he upgraded network capacity and addressed the challenges with the Trusted Internet Connections (TIC) requirements.

Changes at DHS, HHS, NOAA

The CIOs aren’t the only federal executives on the move.

Ken Bible is the new chief information security officer at DHS, coming over after spending the last five-plus years as the deputy CIO for the Marine Corps. He replaces Paul Beckman, who left in January 2020.

Also over at DHS, Daniel Kroese, the acting deputy assistant director of the National Risk Management Center at the Cybersecurity and Infrastructure Security Agency, left to become the new staff director for the Republicans on the House Homeland Security Committee.

Kroese came to CISA in 2018 to help launch the center from Rep. John Ratcliffe’s office, where he was chief of staff.

“[I] couldn’t be more excited to start this week as staff director on the House Committee on Homeland Security for Ranking Member John Katko (R-N.Y.). From cybersecurity to border security to counterterrorism and emergency preparedness – these are incredibly important issue areas where the country demands professionalism,” he wrote on LinkedIn. “Thank you to the dedicated men and women of the Cybersecurity and Infrastructure Security Agency for your friendship and partnership these past three years. It was an honor to work for great leaders like Christopher Krebs and Bob Kolasky. The fight continues, and I’ll see you on the other side.”

Oki Mek is inaugurating a new CXO position over at the Department of Health and Human Services. Mek, who has been with HHS for 10 years, is the new chief artificial intelligence officer (CAIO). Previously, he was the senior advisor to the CIO working on Reimagine HHS and the chief technology officer in the acquisition office.

While State is losing its CIO, it has gained a chief data officer. State named Matthew Graviss as its first permanent CDO. He previously served as the CDO at U.S. Citizenship and Immigration Services in the Department of Homeland Security.

Roy Varghese left NOAA after 11 years, including the last three as the CIO of NOAA Fisheries.

NOAA also lost a key technology executive. Roy Varghese, the NOAA Fisheries CIO, took a new job with the Administrative Office of the U.S. Courts as the chief of the case management system office. He had been the NOAA Fisheries CIO since 2017 and with the agency since 2009.

“This job has been the best job of my life. That’s because the people I worked with became my close friends, the work I was doing was challenging and creative, and I am passionate about the environmental stewardship mission of NOAA. However, the most important reason why I loved NOAA was because my colleagues made me feel like I belonged there throughout my career,” Varghese wrote in a post on LinkedIn.

Long-time federal executive retires

Earl Warrington, who spent more than 30 years in government, retired from the Small Business Administration where he was an IT program manager since July 2019. Warrington also worked at GSA for 18 years.

“New Year’s Eve, I concluded my 30+ year career with federal government. I want to thank the thousands of customers, industry partners and fellow government teammates and strategic partners for your support and trust over these many years,” Warrington wrote on LinkedIn. “It has been an honor and a privilege to serve and help to make a difference in the public sector on many presidential initiatives and agency mission objectives. These technologies and solutions have made such a positive impact on people’s lives. I have been blessed to work for incredible leaders; be a part of successful teams; and most of all to lead so many dedicated, smart and passionate people committed to excellence. Thanks for the ride and the drive. I’ll always be proud to have been a civil servant :-) Looking forward to my next adventure helping the private sector with their goals and mission to support government.”

Warrington said he will continue working as the director and co-founder of Government Sales and Consulting LLC.

On a sad note, John Garing, the former director of strategic planning and information at Defense Information Systems Agency, a retired Air Force colonel and an executive in the White House Communications Agency, passed away on Jan. 6. He was 78.

After leaving federal service in 2010, Garing worked at Suss Consulting and for Vion Corporation before retiring full-time in 2017.

According to the Washington Post obituary, a funeral mass will be held at 10 a.m. Tuesday, Jan. 12 at St. Bridget of Ireland Catholic Church, Berryville, Virginia. Burial will be at a later date at Arlington National Cemetery. The family asks that, in lieu of flowers, donations be made to the Wounded Warrior Project.


When it comes to bid protests, vendors playing with even money at GAO

If you got the odds the Government Accountability Office is giving vendors on bid protests in Las Vegas, you’d be rich and famous, and probably under investigation by the FBI for insider trading.

Imagine winning 51% of your bets on sports games or horse races. Those are the odds GAO is giving contractors who submit a protest to its office.

New data in GAO’s fiscal 2020 report to Congress on bid protests shows that vendors received some sort of corrective action 51% of the time.

“The reasons agencies take corrective action are diverse, but certainly they are overworked and understaffed so they have less time to follow protests through. I think they see corrective action as a way to dispense with a protest and give contractors some relief,” said Eric Crusius, a procurement lawyer and partner with Holland and Knight. “With all the money flowing through the government because of the pandemic, protestors are able to find reasons to protest more frequently. As money leaves doors more quickly, there are more opportunities to find mistakes made by agencies. We’ve seen a lot more corrective action over the last year to the point where I’m almost surprised when it doesn’t happen.”

GAO says the effectiveness rate, which measures how often an agency takes corrective action or the protest is sustained, jumped to 51% from 44% in 2019 and 2018. The agency says the sustain rate is 15%, up from 13% the year before.

Source: GAO bid protest report to Congress.

Shane McCall, the managing partner of Koprince Law, said he sees agencies making decisions about taking corrective action fairly quickly after the contractors file the complaint, especially if GAO rejects the government’s dismissal request.

“Sometimes you worry they will take corrective action to blunt the attack of the bid protest but it may not address the root problem,” McCall said. “Sometimes you’d wish it would go to decision versus having to file the same protest even after corrective action.”

Just looking at some of the high-profile acquisitions in 2020—the Defense Department’s DEOS and JEDI and the General Services Administration’s 2GIT, to name a few—the agencies didn’t take the protests to decision and decided to correct flaws in their evaluations or solicitations. Now not all corrective action means vendors get the changes they sought and many can point to agency corrective actions that never breached the surface of the problem.

Crusius said this may be because agencies are taking a path that is less risky so as not to have to pay attorney’s fees if a protest goes to a hearing or even alternative dispute resolution (ADR).

GAO said ADR was another growth area in 2020. The number of cases using ADR jumped to 124 last year from 40 in 2019 and 86 in 2018, respectively.

Rob Burton, a former deputy administrator in the Office of Federal Procurement Policy and now a partner with Crowell and Moring, said GAO has been pushing ADR aggressively and encouraging examiners to engage in more of it.

“What’s not good about ADR is you don’t get a written opinion for precedent. A lot of clients would prefer to have more formal resolution of the matter,” he said. “But ADR generally is pretty good with an 82% success rate, which means both parties resolve cases to their satisfaction.”

Basically, the odds that a protest will be successful in some way are greater than at any time in the last five years.

Barbara Kinosky, the managing partner of Centre Law and Consulting, also pointed out that GAO said in the report to Congress that all agencies followed their recommendations. This is the first time this has happened in years as well.

“I do think we will see the effectiveness rate continue to increase,” Kinosky said. “Part of the reason is we are all working from home and the extra hours in the day give people the opportunity to look at records in more detail and they were more able to pick up things like ambiguities or potential problems in procurements.”

At the same time, however, the number of protests dropped for the second year in a row. Burton and other experts say there are several reasons for the decrease.

“Part of the reason for the number of protests dropping is DoD’s task order threshold went to $25 million from $10 million in 2019. I think this did have an impact because it was a big jump for DoD and more and more work is going through task orders,” Burton said. “Agencies also are doing more enhanced briefings as required by the 2018 defense authorization act. That obviously can’t hurt, and as more agencies do good debriefings, the number of protests will go down.”

Paul Debolt, the chairman of the government contracts group at the Venable law firm, said enhanced debriefings help vendors understand agency decisions and address the long-standing problem of agencies not doing a good job articulating the award rationale.

“A lot of the questions are focused on concerns they have about the initial information about why the agency made the decision they did,” he said. “As long as the agency is thorough and relatively transparent in the award decision there are a lot of companies who decide not to protest. The other thing that factors into a protest is whether the disappointed offeror is the incumbent. Based on my experience, if a company is the incumbent and the contract is significant enough, they will look pretty hard at filing a protest. But if an incumbent didn’t get the award and the agency can articulate their reasonable basis, many will walk away and not throw good money after bad.”

The other data point to note is the 15% increase in the number of task and delivery order protests to GAO last year.

Legal experts couldn’t point to a specific reason for the increase, other than agencies are spending more money through multiple award and governmentwide acquisition contracts than ever before.

Crusius said the reason these types of protests haven’t increased even more dramatically may be because vendors have an ongoing relationship with agencies under these types of contracts and they don’t want to sour it.

Finally, one last data point from Crowell and Moring’s Burton.

He pointed out that GAO held hearings for just 1%, or nine cases, of the more than 2,149 cases filed in 2020. That is way down from 2011 (8%) and 2009 (12%), when many more cases received hearings.

“I think this shows the bid protest process is pretty much a paper process, a review of paper records. I’m not sure if GAO just doesn’t feel like they need oral testimony and can just make a decision based on the administrative record,” Burton said. “It’s only in complex cases and usually something that has to do with cost and price that GAO thinks hearings would be beneficial. I think there are plenty of cases where live testimony has a role to play. The analogy I would use is in the civil or criminal court system. They seem to understand the value of having testimony and witnesses. I’m not sure why GAO is different in that regard.”
