Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


First Look

How the Federal Acquisition Security Council will tackle supply chain risk management

One of the last things Grant Schneider did before he left his role as the federal chief information security officer in August was meet the requirement to submit the strategic plan and charter for the Federal Acquisition Security Council to Congress.

It’s always an accomplishment to get agencies to agree on goals, milestones and plans no matter the topic. As I’m sure you’ve heard before, bring 10 people around the table and you’ll get 15 opinions.

The FASC, which Congress created as part of the Secure Technology Act, comes alive at a critical time in the supply chain risk management discussion. After several years of poking the snake with a stick, agencies finally are doing something about the serpent that lies in the weeds waiting to strike.

The fact that the FASC turned concepts and ideas into a real strategy is an important first step to finally getting control of the snake population that seemed to be growing out of control and eating the native species.

The FASC strategic plan pointed out that before the Secure Technology Act there was “no centralized construct for unifying federal supply chain risk management (SCRM) activities,” and that the governmentwide council now “mandates the development of uniform criteria for SCRM programs to increase capabilities to address supply chain risk across all agencies.”

The council’s strategy is based on three pillars:

  • Standards, guidelines and practices for federal SCRM programs,
  • Information sharing, and
  • Stakeholder engagement.

Each pillar includes several statutory mandates and strategic activities to implement those requirements.

For instance, under the standards, guidelines and practices pillar, the FASC wants to raise the maturity level of SCRM practices across all agencies.

“The FASC will assist departments and agencies in strengthening their respective SCRM strategies and implementation plans by identifying common initiatives, standards, guidelines, processes and proven practices implementable by all organizations. NIST, as a member of the FASC, will develop standards and guidelines to address any identified gaps,” the strategic plan stated. “Central to an effective implementation plan is raising awareness among all executive agencies, especially among those senior leaders, acquisition officials, and program teams who are accountable to implement SCRM across their organizations. Achieving measurable improvements in the capacity of executive agencies to meet their legislatively mandated SCRM responsibilities will depend heavily upon establishing governmentwide tools and shared understanding to transform independent activities into a synchronized ecosystem. Common initiatives, standards, best practices and processes are key to a successful transformation and improved risk management by all stakeholders.”

Category management efforts underway

Under each strategic activity, the FASC will take on specific actions to address supply chain challenges.

The council in September completed its first major action by releasing a long-awaited interim rule. The rule, which is open for comment through Nov. 2, implements the Federal Acquisition Supply Chain Security Act of 2018, which President Donald Trump signed into law in December 2018 as part of the Secure Technology Act. The law called for the governmentwide council to determine how it will share supply chain risk information and how it will recommend removal and exclusion orders to address risks.

Another example of a short-term goal is to use category management to address risks. The council will work with the governmentwide IT category manager within the General Services Administration to develop the governmentwide acquisition approach for addressing supply chain threats and risks, both centrally and by individual agencies.

In some ways, GSA already is working toward that goal.


Kelley Artz, the supply chain risk management technical lead in the Office of Policy and Compliance at GSA’s Federal Acquisition Service, said her office plans to create a supply chain framework that will run across all agency-run contracting vehicles based on the National Institute of Standards and Technology Special Publication 800-161.

“We look at all those business offerings and then overlay what NIST 800-161 is. Then I also incorporated elements of Committee on National Security Systems (CNSS) 505, which was designed to be supply chain risk management guidance for national security systems. I had to think through what that did at the national security level and bring it to a civilian agency level just in concept. Of course, NISTIR 8179 was useful as well,” said Artz during the recent GSA IT Security day. “I synthesized that information and created the FAS organizational level SCRM plan. It’s really based on the template in 800-161, but I adapted it because we are an acquisition service organization.”

Artz said FAS also created a mission-level plan to detail its approach when the FASC recommends removal of specific products or services.

GSA also set up an agencywide supply chain risk management review board, which includes legal, policy, acquisition, technology and other experts.

“We not only have cross-disciplinary functions but it also represents all of GSA as an enterprise. We discuss supply chain risk management questions, particularly related to Section 889 in that group,” Artz said. “The focus is to support our acquisition workforce and provide transparency across the enterprise about how we are implementing [Section] 889.”

GSA is but one of several agencies setting up governance bodies and processes to share information. Shon Lyublanovits, the senior advisor for cybersecurity in GSA’s Office of IT Category, said one of the most important steps GSA has taken was to create SCRM champions across the department to create awareness.

“We are bringing together people you can educate, empower and help enforce supply chain risk management within your organization. This is not a space we can do in silos or with one person. Being able to have champions to spread the word and see things that we may not have the ability to see from our vantage point is hugely important,” she said. “If we don’t have strong acquisition compliance, if we don’t have strong acquisition strategy, our ability to move the needle forward in supply chain risk management will be deeply hindered.”

State Department seeks discovery tools

Outside of acquisition, agencies are looking to use data to drive decisions.

The State Department recently issued a request for information looking for an industry tool to help with the discovery and awareness of supply chain risks and to provide information alerts.

State said in the RFI it needs to:

  • Maximize the likelihood that DOS can obtain, maintain, and retain total situational awareness of global supply chain related events before, during, and after they unfold.
  • Maximize our ability to quickly verify or validate the credibility of a source, author, and online information.
  • Minimize the time and effort required to discover relevant and impactful information (and filter-out irrelevant information) regarding global supply chains.
  • Maximize the accuracy of machine-translated content originally written in a foreign language and maximize the number of languages translated.
  • Minimize the time to recognize, summarize, and disseminate relevant information to targeted internal audience(s).
  • Maximize our confidence level that our supply chain is free of bad actors.

The Office of the Director of National Intelligence and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have been at the forefront of this SCRM effort over the past few years, detailing best practices, highlighting threats and taking actions against companies such as Huawei, ZTE and Kaspersky Lab.

In 2019, CISA issued a 20-page briefing about current and future efforts to secure the federal civilian supply chain.

ODNI, meanwhile, earlier this year issued a six-page document highlighting three focus areas it will concentrate on to reduce supply chain risks.

Other agencies, such as the Defense Logistics Agency and the National Nuclear Security Administration, have individual programs and processes to address SCRM within their own organizations.

Legislative, regulatory, policy recommendations

This is why the FASC strategy can bring all of these efforts together around a common set of goals.

“[T]he FASC will begin to implement the strategic activities for each pillar. In support of this implementation activity, the FASC has designated a FASC working group with representatives from each department and agency represented on the council, and will bring in support from other departments and agencies as appropriate,” the strategic plan stated. “The working group will assess each strategic activity and determine supporting activities and levels of effort required for implementation. The FASC will continue to collaborate across the government to ensure that each strategic activity is implemented across the federal enterprise.”

Additionally, the FASC will make legislative, regulatory or policy recommendations to further improve information and communications technology (ICT) supply chain risk management.

Lisa Barr, FASC project lead, said at the GSA IT security event that over the next several months an interagency working group will begin looking at shared services and common contracts.

“There is a subgroup looking at what are the business needs across the federal enterprise, in terms of what’s really needed for SCRM, where are there gaps, where are tools and capabilities needed?” she said. “Over the course of the next several months, there will be a good set of requirements, and I use that term loosely, the business needs of the federal enterprise and how can those gaps be closed? We will work with GSA to say is it a common contract solution we need to put in place, or working with OMB to figure out if we need a shared service to do risk assessments?”


DISA sends message to large companies: Meet small business goals or risk getting off-ramped

There’s always a lot of talk about how important small businesses are to federal contracting. Every administration loves to tell us how small businesses are the “engine that runs the economy.”

Yet, the governmentwide small business contracting goal has been at 23% since 1997 despite federal procurement spending hitting $594 billion in fiscal 2019. While agencies have done a good job in meeting and exceeding the 23% goal over the last five-plus years, small businesses continue to face huge challenges as prime and subcontractors. Just take a look at the 8(a) STARS II craziness and several other programs that have gone off the rails in recent years.

So when an agency does something that not only puts small businesses at the forefront of a major procurement but adds clauses to hold large firms accountable, it’s worth noticing.

This is the case for the Defense Information Systems Agency’s systems engineering, technology and innovation (SETI) contract.

For its effort, DISA received the 2020 Verdure award from the Defense Department for demonstrating fresh approaches to balancing the development of efficient procurement methods and the utilization of small businesses. The Pentagon established the Verdure award in 2015 as one of five formal recognition programs to promote the success of small business programs.

“The bottoms up redesign of SETI four years ago appears to have set us up for success today. The tenets of the SETI program and the innovative acquisition tactics that we have developed and deployed throughout the program’s instantiation have been validated by our peers across the department as best of breed,” said Christopher Riley, the SETI program manager for DISA, during a call with reporters on Oct. 9. “When we first built the construct of SETI what we were trying to do had never been done before. It was either going to be a use case of what not to do or set the new standard for driving innovation in large scale acquisitions in the department.”

Riley said SETI is now the new standard-bearer for how to work with small businesses going forward.

There are several reasons why Riley and others at DISA believe SETI is what the future of small business contracting could look like.

DISA took specific steps to create the 10-year contract that has a ceiling of $7.5 billion with input from small firms. SETI includes two contract suites — one just for small businesses and one that is unrestricted. DISA awarded 15 companies a spot on the unrestricted version in July 2019 and the small business portion just got out of protest delays earlier this summer and has 25 awardees.

Carlen Capenos, DISA’s Office of Small Business Programs director, said through focused feedback during the draft and final solicitation phases, the agency removed barriers that may have limited which small firms would’ve bid.


“Two specific examples were the clearance requirement. Generally everything we do in DISA requires a facility site clearance of the prime contractor at time of proposal. That is a huge barrier not only to small businesses but to joint ventures themselves. We removed that barrier and said that we would sponsor that award to a company or joint venture who didn’t have it. That was something we don’t normally do and had the ability to let more companies and joint ventures come in,” Capenos said. “The other thing we did is removed the requirement for the cost accounting certification. Again, we normally require it at time of proposal, but in this case we said you didn’t need it at proposal, you would need it before you did cost contracts. We would sponsor that certification process for you.”

Another barrier DISA is trying to address is the tendency of the services or defense agencies to automatically use the unrestricted version of SETI.

Christopher Gray, DISA’s chief of the contracting office at the Defense Information Technology Contracting Office – National Capital Region, said contracting officers must first consider letting the task order against the small business portion of the contract before using the unrestricted version. And if a military service or defense agency decides to use the unrestricted contract, firms on the small business one can still bid on the task order.

“We also made a deliberate statement that did not require small business to address all the elements of the statement of work (SOW). We know small businesses, particularly those that are innovative have niche capabilities and we wanted to get to those truly innovative small businesses that have niche capabilities and not fire them all off just because they couldn’t perform in one or two specific task areas,” he said.

Riley added that DISA also wanted to bring non-traditional contractors to SETI, so that was another barrier they removed.

“One of the things that was a typical barrier of entry for small businesses was you had to have past performance references related to the Department of Defense. We allowed for past performance references from outside of the DoD, which allowed them to bring historical capabilities to the table when they propose,” he said.

It seems like DISA was successful in reaching many of those non-traditional firms.

Capenos said about half of all the awardees had to be entered into DISA’s contract writing system, meaning they hadn’t done business with the agency before.

Riley added that out of the more than 100 offerors, about 80% did not have experience with DISA.

Now all of these efforts and upfront work will be for naught if DISA’s customers and large businesses fall back on old habits of not following SETI’s rules around task orders for small businesses or ensuring subcontracting opportunities.

Capenos said DISA plans to hold prime contractors accountable for their actions to support small firms.

“We have a requirement for subcontracting in all contracts whether it was awarded to a large business or a small business, and they have to report those quarterly. Not only do they have to report them to the contracting officers, but they will report them to our office too so we can help monitor and measure the dollars and pieces of work that are being executed by small businesses,” she said. “Not only will we measure and monitor it, but small and large businesses will be rated on it on their contractor performance assessment report (CPARS).”

Additionally — and maybe this is the best part of SETI — DISA built into the contract an off-ramp after five years where it can decide not to exercise the option of contractors who aren’t meeting their small business requirements.

While DISA is saying all the right things and has done a lot of the upfront work to set SETI up for success as a small business and innovative contract, the proof always is in the pudding over the next five years.

If DISA lives up to its word, holds buyers and large businesses accountable and truly supports small businesses, then SETI will be the standard-bearer for future deals, and one which other agencies should definitely look at as a model.


IRS, Army using automation to cut hours out of the acquisition process

Just about a year ago, Office of Federal Procurement Policy Administrator Dr. Michael Wooten unveiled what likely will be his signature priority—removing friction from the acquisition process.

While many in industry privately mock and question what that concept or phrase really means, it’s clear that frictionless acquisition will lean heavily on robotic process automation (RPA) and other initiatives to lessen the burden on contracting officers.

That became abundantly clear during the ACT-IAC Acquisition Excellence conference last week.

Not only did Wooten continue to message this now governmentwide goal, he also offered some real-life examples of what the future could look like.

One of those efforts focuses on reducing procurement administrative lead time (PALT).

“We look to accelerate the use of facilitated requirements development workshops, known as SAWS,” Wooten said. “We should enhance the requirements development process with the same technologies used to finish my sentences when I send texts or emails. This is no pie-in-the-sky vision. The technology exists today. In fact, the Department of Interior is piloting this approach. Under one of its contracts, a contractor supporting the Department of Interior applies natural language processing and machine learning tools to coach Interior’s acquisition community through the acquisition process. These artificial intelligence tools collect data to identify training needs. These data support management decisions to support better performance through training or process improvements.”

Step back for a second and think about this: as a program manager is writing a requirement to buy help desk services or facilities engineering services, or even something more complex like the design of the next fighter jet, the AI and natural language processing tool brings in the clauses and requirements deemed most relevant based on scanning hundreds or thousands of previous contracts. Then the program manager just has to decide on, or make hopefully minor adjustments to, the language.

Wooten said this is about reducing lead time to get from needing something to having something by creating collaborative, cross-functional teams to anticipate customer needs more proactively.

He said agencies are testing out SAWs that bring together cross-functional teams.

Of course, SAWs are not a new concept. It’s something the General Services Administration used in 2015 to create the blanket purchase agreement for identity management services after the Office of Personnel Management data breach. The Defense Department also has used SAWs since 2012 for all service acquisition worth more than $1 billion.

Not sure why OFPP believes piloting these concepts still is necessary as it’s clear they work and “remove friction.”

RPA pilots abound

Automation is another concept gaining a lot of attention in the acquisition community. Several agencies from the IRS to the Army to GSA have applied RPA to the procurement process.

Wooten said automation will change the way contracting officers will work.

“Process automation tools can improve compliance. We should look forward to a time when process automation tools take on the routine processes. These process automation tools can [take] on the ‘flow-chartable’ tasks. These tools will execute program decisions,” he said. “In this fashion, automation can enable a compliance system that enables greater speed and accuracy. As process automation tools take on program decisions, they free people to make non-program decisions. They free people to exercise critical thinking and professional judgment. They empower people to create solutions.”

The IRS and the Army are testing out the exact concepts Wooten is referring to.

Mitchell Winans, the IRS senior advisor for enterprise digitalization, said the tax agency has two programs under the Pilot IRS initiative.


One tool is a contract clause review.

“It’s a tool where you can upload a procurement document of any kind, answer seven easy questions about that document and the tool provides a compliance report in seconds. The tool is able to identify text that is missing or misapplied, maybe it’s out of date, maybe it’s incomplete so it’s checking the Federal Acquisition Regulations, the Treasury acquisition regulations, IRS acquisition policies and things like that,” Winans said at the Acquisition Excellence event. “That tool already has been able to identify and correct over 10,000 errors for our procurement operations. It has a huge return on investment, huge time and cost saver for our acquisition employees.”

The second tool the IRS is testing focuses on contractor responsibility determination, which automatically verifies a company is eligible to do business with the government before awarding a contract.

He said it’s a highly manual and time consuming process.

“We built a bot where the acquisition employee can just email the DUNS number for the company that they want to check to the bot and the bot automatically searches public databases, downloads some documents, captures some screenshots and auto populates a responsibility determination Word document, and then sends everything back to the procurement employee in a streamlined report in roughly five minutes. This is a process that normally would take an employee, depending on their workload and the complexity of what’s happening, two to three hours and have to complete it manually by hand. We think it saves us approximately 2.5 hours per responsibility determination and over 11,000 hours per year.”

DORA the bot, not the explorer

The Army also launched a bot, called DORA—determination of responsibility assistant—to do contractor responsibility determinations based on the IRS pilot.

Liz Chirico, the acquisition innovation lead in the Office of the Deputy Assistant Secretary of the Army for procurement, said the bot isn’t taking away the contracting officer’s responsibility to make the eligibility determination. It’s giving them the information pulled from SAM.gov and FAPIIS.gov and putting a summary of that information into an already formatted template.

“We divided our bot into two different areas. The first one is under the simplified acquisition threshold (SAT) so when acquisition officials query that version of the bot, they will receive more streamlined policy output that is just one form,” she said. “Then the over SAT bot, which is a much more detailed policy output form and is about three pages long. It goes into more details. The bot is not able to fill out all the areas on the form because we do not have non-personnel common access card credentials yet, but we are looking into that for the future.”
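To make the pre-check these bots perform concrete, here is an added example, my own and not the IRS’s or the Army’s code. It takes a DUNS number, runs the registration, exclusion and integrity-record checks a contracting officer would otherwise do by hand, and produces the summary text that would populate the template. The SAM.gov and FAPIIS.gov lookups are replaced by constructed in-memory records, and the record layouts, the sample vendors and the under/over simplified acquisition threshold split are assumptions of this example; the contracting officer still makes the determination.

```python
"""Responsibility-determination pre-check, added example.

Not the IRS's or the Army's code. SAM_RECORDS and FAPIIS_RECORDS are
constructed stand-ins for SAM.gov and FAPIIS.gov lookups; a real bot would
query those systems. The contracting officer still makes the determination.
"""
import re
from dataclasses import dataclass, field
from datetime import date

DUNS_RE = re.compile(r"^\d{9}$")          # DUNS numbers are nine digits
AS_OF = date(2020, 10, 15)                # assumed date of the determination

# Constructed sample data: what a SAM.gov entity lookup would return.
SAM_RECORDS = {
    "123456789": {"name": "Acme Federal Services LLC", "status": "Active",
                  "expires": date(2021, 6, 30), "excluded": False},
    "987654321": {"name": "Widget Works Inc", "status": "Active",
                  "expires": date(2020, 9, 1), "excluded": False},
    "555555555": {"name": "Shady Supplies Co", "status": "Active",
                  "expires": date(2022, 1, 15), "excluded": True},
}

# Constructed sample data: FAPIIS integrity and performance records.
FAPIIS_RECORDS = {
    "987654321": [{"type": "Termination for Default", "date": date(2019, 3, 2)}],
}


@dataclass
class Determination:
    duns: str
    name: str = ""
    findings: list = field(default_factory=list)
    stop: bool = False   # True: the CO must act before award

    def summary(self) -> str:
        """Text that would be dropped into the pre-formatted template."""
        result = ("STOP: contracting officer action required" if self.stop
                  else "No automated red flags")
        lines = [f"Responsibility pre-check for DUNS {self.duns} "
                 f"({self.name or 'no SAM.gov entity'})",
                 f"Result: {result}"]
        lines.extend(f"  - {f}" for f in self.findings or ["none"])
        return "\n".join(lines)


def check_responsibility(duns: str, as_of: date = AS_OF,
                         over_sat: bool = False) -> Determination:
    """Run the automated checks; over_sat adds the FAPIIS review that the
    more detailed over-threshold form requires (assumption of this example)."""
    if not DUNS_RE.match(duns):
        raise ValueError("DUNS must be exactly nine digits")
    det = Determination(duns=duns)

    sam = SAM_RECORDS.get(duns)
    if sam is None:
        det.findings.append("No SAM.gov registration found")
        det.stop = True
        return det
    det.name = sam["name"]

    # Exclusions (debarment/suspension) are the hard stop.
    if sam["excluded"]:
        det.findings.append("Active exclusion record in SAM.gov")
        det.stop = True

    # An award needs an active, unexpired registration.
    if sam["status"] != "Active":
        det.findings.append(f"SAM.gov registration status is {sam['status']}")
        det.stop = True
    elif sam["expires"] < as_of:
        det.findings.append(f"SAM.gov registration expired {sam['expires']}")
        det.stop = True

    # Over the simplified acquisition threshold, surface FAPIIS history
    # for the CO to weigh; it is informational, not an automatic stop.
    if over_sat:
        for rec in FAPIIS_RECORDS.get(duns, []):
            det.findings.append(f"FAPIIS record: {rec['type']} on {rec['date']}")
    return det


if __name__ == "__main__":
    for d in SAM_RECORDS:
        print(check_responsibility(d, over_sat=True).summary(), end="\n\n")
```

The design point is the one Chirico makes: the bot never decides. Exclusions and lapsed registrations are surfaced as hard stops, integrity records are surfaced for judgment, and everything else lands in the template for a human to sign.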

Chirico said it saves a tremendous amount of time, from hours to minutes.


She said the Army tested the bot out with 1,000 contract specialists last year. It concluded before January and within a few weeks the Army decided to make it permanent.

“We plan to extend to the Air Force and Navy in fiscal 2021. We signed a memorandum of agreement with them,” Chirico said. “Our team is looking into a couple of other interesting intelligent automation ideas. We are looking at automating some of the manual look up processes for pricing so going to some of the public facing pricing sites like GSA’s CALC and the Bureau of Labor Statistics are two examples. We also are looking into streamlining the acquisition requirements process. That process often takes a lot of time and requires duplicative information, so if there is any way for us to streamline that and have all of the requirements stated up front and have those templates and forms pre-populated.”

She said the Army also is looking for a bot to do Section 889 lookups (the prohibition on certain Chinese-made telecommunications equipment) once that data goes into SAM.gov.

Phase 3 of automation

Marc Mancher, a principal with Deloitte Consulting who leads the call center and automation business, said these and other examples across the government show that using RPA or intelligent automation has few significant barriers to entry and gives a huge ROI.

He said the public sector is entering wave 3 of RPA, which he said means widespread adoption in the business areas.

“Agencies are realizing they need RPA associated with business areas because it can make it better or faster,” Mancher said. “That is why we see this playing out where RPA is becoming more mainline and becoming part of everything else.”

He said when agencies buy tools like document processing software or a chatbot, they are requesting RPA as part of the system.

“I think the fear of RPA or bots taking your job is down. I think the hype is down too, but software approvals are up,” Mancher said. “I don’t think RPA has hit its peak yet. The number of bots will continue to grow for a couple of reasons. If you look at bots alone, if you can take 30 seconds out of average handle time of a document, that can drastically reduce your spending and improve your customer service. There are so many examples not touched yet in that space.”

And this brings us back around to frictionless acquisition. Some may scoff at the words or concepts, but the Army and the IRS are proving that through automation tools, federal procurement can move more quickly without losing any rigor. If there is one thing the COVID-19 pandemic has shown agencies, it’s that speed and thoroughness do not have to be opposing factors in procurement.


CISA still overcoming challenges 5 years after Cybersecurity Information Sharing Act became law

This month is the fifth anniversary of the Cybersecurity Information Sharing Act. The law made it easier for companies to share cyber threat information without fear of liability or consequences.

The law gave the Homeland Security Department top and bottom cover to make two-way sharing more than just talk.

Even as the thirst for cyber threat information keeps growing and the number of private sector providers increases, the Cybersecurity and Infrastructure Security Agency is still putting the pieces in place to meet the spirit and intent of the law.

Two of the most recent examples are a new contract for a vulnerability disclosure platform (VDP) and a recent inspector general report on the Automated Indicator Sharing (AIS) program that reads like so many other auditor reports: progress made, more progress needed.

“CISA has increased the number of AIS participants as well as the volume of cyber threat indicators it had shared since the program’s inception in 2016. However, CISA has made limited progress improving the overall quality of information it shares with AIS participants to effectively reduce cyber threats and protect against attacks,” auditors wrote. “CISA’s lack of progress in improving the quality of information it shares can be attributed to a number of factors, such as limited numbers of AIS participants sharing cyber indicators with CISA, delays receiving cyber threat intelligence standards, and insufficient CISA office staff. To be more effective, CISA should hire the staff it needs to provide outreach, guidance and training.”

The AIS program has struggled to live up to its promise for much of the past four years. The IG report, once again, explained why, but provided some reasons to be excited.

For instance, the IG said CISA shared 673 classified threat indicators with non-federal entities in 2017, and nearly 2,000 in 2018, as well as more than 5.4 million unclassified indicators with federal and non-federal entities. It also granted 129 security clearances to private sector partners in 2017, and 155 in 2018. In total, CISA maintained 1,536 active security clearances in 2017, and 1,691 in 2018.

“CISA increased the number of non-Federal participants by more than 195 percent — from 74 in 2016 to 219 in 2018, including 13 international computer emergency response teams,” the report stated. “On the other hand, the number of federal participants remained fairly steady, with only a 10 percent increase— from 30 entities in 2016 to 33 in 2018.”

While the quantitative metrics have all been going in the right direction in 2017 and 2018, the qualitative metrics show AIS remains a work in progress.

The IG stated, “11 of 17 participants (five Federal and six private sector) said the indicators lacked contextual/background data for determining the appropriate course of action to mitigate threats against their networks. Additionally, some participants stated that some indicators received were false positives or unusable information.”

Source: DHS IG report Sept. 25, 2020.

Auditors say a big reason why the threat data isn’t as valuable as it could be is the limited number of participants sharing with CISA.

“Although CISA increased the number of AIS program participants (information consumers) by 142% between 2016 and 2018, this did not equate to an increase in the number of information producers. According to program officials we spoke with, the number of program participants using the AIS capability to share cyber threat indicators is minimal,” the report stated. “For example, CISA has experienced only a slight increase in data producers sharing their cyber threat indicators and defensive measures using AIS during the past two years. Specifically, only 2 of 188 AIS participants (1%) shared cyber indicators with CISA in 2017, and only 9 of 252 participants (3%) shared indicators in 2018. Without more information producers, CISA cannot improve the quality of information it shares under the program and AIS participants remain restricted in their ability to effectively mitigate evolving security threats and vulnerabilities.”
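To make the IG’s quality complaint concrete, here is an added example, my own and not CISA’s or the AIS program’s code, of what a consuming agency can do on its side. AIS delivers indicators as STIX objects; the script below triages a constructed STIX 2.1 bundle by how much context each indicator carries, and sets aside the ones that are unusable on their face (internal address space, a benign domain), which is exactly the “false positives or unusable information” participants described. The scoring rules, the allowlist, the address ranges and the sample indicators are all assumptions of this example.

```python
"""Indicator context triage, added example (not CISA's or the AIS program's code).

AIS exchanges indicators as STIX objects over TAXII. SAMPLE_BUNDLE below is a
constructed, trimmed STIX 2.1 bundle; the scoring rules, BENIGN_DOMAINS and
INTERNAL_NETS are this example's own assumptions about when an indicator is
actionable without further context.
"""
import ipaddress
import json
import re

# One comparison in a STIX pattern: <object-type>:<property> = '<value>'
COMPARISON_RE = re.compile(r"([a-z0-9\-]+):([^\s=]+)\s*=\s*'([^']*)'")

# Assumed allowlist: observables that are false positives without context.
BENIGN_DOMAINS = {"example.com"}

# Address space that is meaningless as a shared indicator (RFC 1918, loopback,
# link-local and their IPv6 equivalents).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample bundle (ids shortened; real STIX ids carry a UUID).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "identity", "id": "identity--producer", "name": "Sample ISAC"},
    {"type": "indicator", "id": "indicator--1",
     "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix",
     "description": "C2 beacon seen in a phishing campaign against agency staff",
     "indicator_types": ["malicious-activity"],
     "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                            "phase_name": "command-and-control"}],
     "confidence": 80},
    {"type": "indicator", "id": "indicator--2",
     "pattern": "[domain-name:value = 'example.com']", "pattern_type": "stix"},
    {"type": "indicator", "id": "indicator--3",
     "pattern": "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
     "pattern_type": "stix", "description": "", "confidence": 10},
    {"type": "indicator", "id": "indicator--4",
     "pattern": "[ipv4-addr:value = '10.0.0.1']", "pattern_type": "stix",
     "description": "Scanner"},
    {"type": "indicator", "id": "indicator--5",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
     "description": "Reported by a partner, no further details"},
]})


def parse_pattern(pattern: str):
    """Return (object_type, property_path, value) triples from a STIX pattern."""
    return COMPARISON_RE.findall(pattern)


def is_unusable(obj_type: str, value: str) -> bool:
    """Observables no defender can act on: internal/malformed IPs, benign domains."""
    if obj_type in ("ipv4-addr", "ipv6-addr"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return True                     # malformed address
        return any(addr in net for net in INTERNAL_NETS)
    if obj_type == "domain-name":
        return value.lower() in BENIGN_DOMAINS
    return False


def context_score(ind: dict) -> int:
    """Count the context fields that let a recipient pick a course of action."""
    score = 0
    if ind.get("description", "").strip():
        score += 1
    if ind.get("kill_chain_phases"):
        score += 1
    if ind.get("indicator_types"):
        score += 1
    if ind.get("confidence", 0) >= 50:
        score += 1
    return score


def triage(bundle_json: str, min_score: int = 3) -> dict:
    """Sort a bundle's indicators into actionable / needs_context / unusable."""
    buckets = {"actionable": [], "needs_context": [], "unusable": []}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue                        # identities, relationships, etc.
        comps = parse_pattern(obj.get("pattern", ""))
        if not comps or any(is_unusable(t, v) for t, _, v in comps):
            buckets["unusable"].append(obj["id"])
        elif context_score(obj) >= min_score:
            buckets["actionable"].append(obj["id"])
        else:
            buckets["needs_context"].append(obj["id"])
    return buckets


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BUNDLE), indent=2))
```

Only the first indicator reaches the blocklist automatically; the hash and the partner-reported address go to an analyst queue, and the two unusable ones are dropped before they can trip a false positive. Run against a real AIS feed, the share of indicators landing in the middle bucket is a usable local measure of the context gap the IG describes.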

CISA responded to the IG report with several initiatives, including relying on the Cybersecurity Quality Services Management Office (QSMO), in which AIS will be highlighted and promoted as a shared service.

AIS will not be the only shared service offered by the QSMO.

The General Services Administration awarded a five-year, $13 million contract on behalf of CISA to a women-owned small firm to build a vulnerability disclosure platform.

Under the contract, Endyna will create a centralized database that agencies can use to report, discover and take actions against cyber threat information. The QSMO will offer the platform as a shared service so agencies can meet the September Binding Operational Directive (BOD) calling for the use of a VDP platform.

CISA says the platform will promote good-faith security research, hopefully resulting in improved security and coordinated disclosure across federal civilian agencies.

Source: CISA

In a fact sheet, CISA says the software-as-a-service platform will be the primary point of entry for vulnerability reporters to alert participating agencies of issues on the agency’s internet accessible systems. Agencies will be responsible for addressing the identified vulnerabilities.

All of this focus on cyber threat sharing isn’t lost on some lawmakers. The value of the data should be driving investment decisions, according to Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.).

The lawmakers introduced the Risk-Informed Spending for Cybersecurity (RISC) Act that would require agencies to make investment decisions for cybersecurity tools based on a new risk-based budgeting model. The bill calls on the Office of Management and Budget to develop that methodology.

“Through the budget process, agencies make decisions about the tools they need to ensure they are addressing risks and closing capability gaps. Too often, insufficient information about threats and their associated risks inhibits their ability to make the best, most informed decisions,” Portman said in a statement. “It is crucial that federal agencies know the return on investment for each cybersecurity capability acquired and whether those capabilities address existing security vulnerabilities. This bipartisan legislation will help give federal agencies the information they need to make informed decisions about their cybersecurity budgets.”

Peters called the bill “common sense legislation” that will ensure agencies invest in cybersecurity defenses to guard against the variety of attacks they face.

The bill is partly based on OMB’s 2018 Cyber Risk Determination report that provided a governmentwide view of the process by which agencies address threats and set a baseline to improve upon.

Matt Cornelius, a former OMB senior technology and cybersecurity advisor and now the executive director of the Alliance for Digital Innovation, an industry association, said in a statement that the bill will help agencies develop a data-driven, risk-based process for cyber investments.

“The bill would push agencies to leverage better intelligence, data and real-time information to provide a more robust understanding of their current cybersecurity performance and to improve the budget and appropriations process to ensure agencies have the resources they need to mitigate critical threats and vulnerabilities,” he said.


Call to change how agencies rate contractor performance rises to new level

Let’s start out with this basic truism: No one likes the current approach to rating contractor performance.

Not the agency contracting officers, not the program managers, and not the vendors, who sometimes wait three to six months after the contract is complete to get a mostly meaningless “satisfactory” rating.

The data itself lacks value and transparency.

And, to be honest, it seems to have become another checklist activity for many agencies.

A new survey by GovConRx and the Office of Federal Procurement Policy shows, once again, just how little value there is in the current approach to contractor performance assessment ratings (CPARs).

“One of the facts that we heard back was how many agencies still aren’t doing CPARs or certainly not on time,” said Ken Susskind, founder and CEO of GovConRx, in an interview. “It was interesting to hear back from industry about not getting CPARs ratings because in the end they are needed for future procurements, notwithstanding the fact that OFPP is taking measures, having policy and tracking with metrics on the CPARs website, how far or ahead they may be.”

GovConRx worked with industry groups, the Professional Services Council (PSC), Armed Forces Communications and Electronics Association (AFCEA), American Council for Technology and Industry Advisory Council (ACT-IAC), and the Government Technology and Services Council (GTSC), to determine the current state of CPARs.

Among the results of the survey that stood out are:

  • 95% of all respondents would like to take part in contractor self-assessments provided at agreed intervals throughout the contract performance period to promote more frequent government-contractor communication.
  • 84% support a “CPARS Lite” approach for certain fixed price and commercial item contracts and less complex procurements under a certain dollar value (e.g., $500,000). This would allow expedited CPARS ratings and reduce the burden of CPARS reporting across the acquisition workforce.
  • 77% want a closer alignment between CPARS narratives and ratings and the associated quality assurance surveillance plan (QASP), mission objectives and contract outcomes. This would ensure that the contractor’s efforts, and ratings, are more focused on key contract objectives versus less significant contract admin items.

Mike Smith, a former director of strategic sourcing at the Department of Homeland Security and now executive vice president at GovConRx, said the use of self-assessments is not a new concept, and one that is commonly viewed as a performance management best practice.

“We first saw this in the human resources world, asking employees to provide some kind of summary of their accomplishments and adding any associated metrics to help with annual performance reviews. This is the same kind of thing,” he said. “The idea is not for them to provide their rating, but their key accomplishments and associated metrics. Industry has a vested interest in making sure they provide the right kind of data to help increase the accuracy and usefulness of the data in CPARs.”

Improve communications

Greg Giddens, a former head of acquisition at the Department of Veterans Affairs and now an adviser to GovConRx and a partner with Potomac Ridge Consulting, said the self-assessment can improve communication between the contractor and government.

“In the end, what we don’t want to happen is after the period of performance, the government then gives a report card to industry. We want them engaging during the period of performance so the government actually gets mission-enabled by the performance that industry is doing,” he said. “We’d rather identify something early in the process and through this dialogue and self-assessment discussion and get it corrected versus letting it go on and in the end the government says, ‘it didn’t turn out good.’ That doesn’t help get the mission done. The self-assessment is to provide a catalyst for those discussions to make some of those mid-course corrections that may be needed.”

The challenge with self-assessments, however, is clear. It’s like asking a student to grade themselves on a test. No vendor will rate themselves poorly or say they didn’t meet the goals or objectives, and it could lead to more delays over definitions and disagreements.

Giddens said he used this self-assessment approach during his time in government, using a “trust but verify” methodology where the contractor and agency both brought metrics to the discussion.

“There is an assumption that the government is tracking and monitoring the key elements of the contract performance anyway. This is just an additional assistance they may or may not be tracking, or give them some idea of other factors that might lead to an evaluation,” Smith said.

Susskind added the emphasis shouldn’t be on the rating or grade, but the narrative based on the right type of data.

“It has to start with some substantiated documentation and narrative. That’s the problem and what’s missing so the suggestion is industry should participate with the government to provide that narrative,” he said.

Susskind added that a theme emerged during the survey process: industry believed the contracting officers and other acquisition officials did provide the kind of feedback from the program side needed to judge the vendor’s performance.

The data seems to support that too. GovConRx continues to track ratings across the government, and the use of “satisfactory” continues to rise while determinations of “very good” or “excellent” have slid downhill over the last five years.

OFPP and DHS recognized last year there are challenges with CPARs and launched a pilot program using artificial intelligence to collect data to help fill out the ratings.

But Smith said one of the issues the pilot is facing is the quality of the data.

“Our hope is to help increase the quality of the data in the system so when you apply the AI tools to the data, you are able to pull out important, relevant information that is valid in the source selection,” he said.

Susskind said other agencies are looking at running some self-assessment pilots to see how the approach could work. He hopes that the pilots may help show how new tools or methodologies could reduce the burden on the acquisition workforce as they clearly believe CPARs is “just another thing” they have to do.

Smith said when he was in government if a contractor offered a self-assessment, he would’ve welcomed that input, and industry could do that now without any change to acquisition regulations or any new policy from OFPP.

He said the Transportation Security Administration wrote its own policy to obtain contractor self-assessments. Smith said TSA has found them valuable.

Government must be open to change

Giddens added that at VA they would hold program reviews that examined key performance indicators.

“If there isn’t an openness on the government side to accept these reviews and accept them, then they will not be of any use,” he said. “We have to start changing the culture that says ‘well because my process doesn’t have a self-assessment, I can’t take a look at it.’ It has to be a culture of reducing that friction and improving communication so in the end we maximize the opportunity for industry to deliver on the mission.”

The need for culture change isn’t just a talking point. Susskind said almost 75% of survey respondents said they experienced resistance from agency customers to doing self-assessments.

The survey continues to show what we already know: Agencies will continue to make past performance an evaluation factor, thus making CPARs still a relevant and important database.

The respondents to the survey believe better CPARs data with a focus on the narrative would help inform agency source selection committees to make better decisions.

Giddens said a robust CPARs system could give agencies and companies important data to understand the health and performance of their business and mission efforts.

“There is no doubt changes to CPARs are coming,” Susskind said. “We see that both from what we’ve heard from government and industry.”

The question remains what will those changes look like and how long will they take to come about?


Some question why White House plans to fill federal CIO, CISO roles now

The Trump administration is preparing to fill two of the top governmentwide technology executive roles in the next two weeks. And early returns on those in the running aren’t positive.

Multiple sources confirm President Donald Trump plans to name Basil Parker as the new federal chief information officer and Camilo Sandoval as the new federal chief information security officer.

Parker is currently the chief of staff at the Office of Personnel Management, and spent almost his entire career in the private sector before coming to OPM in 2018. He would replace Suzette Kent, who left in July.

Basil Parker is expected to be named the new federal CIO.

Sandoval, who previously served as the acting CIO at the Veterans Affairs Department for a year in 2018, has been a senior advisor in the Office of Management and Budget’s Office of the Federal CIO since June. He would replace Grant Schneider, who left at the end of August after five years at OMB.

The news that the administration was considering filling both those roles surprised most observers, and few people had personally met or knew either candidate.

Of those who have worked with Parker and Sandoval, the reactions weren’t good.

“The type of person you will get for 55 days or however long until the election, and what you would get if you win reelection are a different caliber of person,” said one source, who requested anonymity. “It also says something about your ability to get something done. If someone is appointed in a lame duck situation then they are a lame duck.”

One source called the decision to bring in both men “an insult” to the federal IT community because of what looks to be the political nature of the decision.

Another source called the decision a “train wreck” because of what they said was a lack of qualifications.

On paper, at least, Parker seems to have some of the right experience to be federal CIO. He started his career as a computer scientist at the Defense Information Systems Agency and spent much of the last two decades working in the defense and cyber sectors, including for Booz Allen Hamilton, where he oversaw IT and cyber initiatives across the defense and federal civilian markets and Arctic Slope Regional Corporation (ASRC) Federal, where he led and managed the federal and cyber markets.

Parker also has commercial sector experience where he was director of operations for a commercial sector company as well as a director of security for Value Options, a large healthcare provider.

But sources say Parker has been mostly quiet at OPM and hasn’t demonstrated any real understanding of federal IT in meetings.

One source who spent time at CIO Council meetings with Parker said he didn’t demonstrate any of the skills needed to be a successful federal CIO.

“To be a successful CIO, it’s all about influence. You don’t have a lot of control of things so it’s all about being influential,” the source said. “He seemed like a nice competent person, but didn’t show any thoughtful strategic skills needed for a position of this stature.”

The source added that Parker and Sandoval don’t seem to bring the same pedigree as those CIOs and CISOs that came before them.

“It’s like taking a car you’ve been driving 100 MPH and putting it in neutral,” the source said. “These two folks are clearly not the kind of leaders needed to drive the agenda that [nominee to be OMB deputy director for management] Mike Rigas was talking about recently where emerging technology and cybersecurity will be important. It’s unclear why the White House went through the process of bringing in a strong leader like [deputy federal CIO] Maria Roat, and to then put in two folks on top of her who clearly do not have the same influence or experience. It seems like you are stepping on some of your best assets.”

A LinkedIn message to Parker was not immediately returned.

As for Sandoval, sources raised concerns about his short time at VA where he wasn’t well respected, as well as past accusations that he didn’t treat people well.

A group of 11 Democrat lawmakers wrote to the VA Deputy Secretary in May 2018 distressed over the naming of Sandoval as the acting VA CIO.

Before coming to VA, Sandoval also worked as the senior White House advisor for the Department of the Treasury.

After Sandoval left VA, he joined MCI, Inc., in November 2019 as its president and CIO. MCI says it’s a high tech data-driven business process outsourcing and digital experience provider based in Iowa City, Iowa. He also held management roles in risk and information management for American Express, for Bank of America Merrill Lynch, for FISERV, and in software engineering for American Airlines. He also is a veteran, having served in the Air Force, and for the National Security Agency at Fort Meade, Maryland (29th Intelligence Squadron) and Misawa Cryptologic Operations Center (MCOC) in Misawa, Japan (301st Intelligence Squadron).

A LinkedIn message to Sandoval seeking comment was not immediately returned.

“The concern is both of these men will turn federal IT into a partisan conversation,” said another source. “For IT to work, it doesn’t help anyone to make it partisan. No one wants to see the CIO community distracted or insulted at this point in the year, given everything that has to do with COVID, the budget and so many other things going on.”

Another source said Parker and Sandoval will not have a lot of time to do much either positively or negatively, especially if there is a change in administration.

“The best they can hope to do is to make some shifts in budget but that changes if there is a new administration. But they are not going to get any big policy movements from OMB in four months. They really are just more like a caretaker,” the source said. “If President Trump wins a second term, they will have a head start after the election. It’s a fine bet for the administration to make, but you shouldn’t expect much to happen over the next four months. This seems to be more about hedging against career folks managing the transition. I believe political appointees will be involved if there is a transition.”

MeriTalk first reported the news about Parker and Sandoval.


A cyber cautionary tale: Unnamed agency suffers sophisticated, possibly nation state, attack

A virtual private network vulnerability that has been known since December. Stolen credentials of a power user. A poorly configured firewall. It didn’t take long for the hacker to own this unnamed federal agency.

In what was a matter of days, maybe weeks, this bad actor, possibly a nation state given how sophisticated the attack was, set up two remote command-and-control points, reviewed email and other documents to look for passwords and started network hopping to find more valuable data and information.

And now the Cybersecurity and Infrastructure Security Agency at the Homeland Security Department is laying out what happened with depth and specificity rarely seen in a public way. Without a doubt, CISA is telling other agencies, “Don’t let this happen to you.”

The use case, gently titled “Federal Agency Compromised by Malicious Cyber Actor,” is a detailed example of what happens when your agency’s cyber hygiene is poor and exacerbated by the surge in remote workers.

“COVID-19 has undermined the cybersecurity of U.S. agencies. Telework and a 400% increase in attacks have allowed for intrusions. Telework places a huge strain on IT and security resources and these skeleton crews have lost both visibility and the capacity to harden these remote systems,” said Tom Kellermann, head of cybersecurity strategy for VMWare. “This attack illustrates the greater problem of over reliance on VPNs to protect these systems. The current security posture of perimeter defense is ineffective against the kill chains of 2020.”

Kellermann said while it’s hard to tell if this was a small or large agency impacted by the attack, all signs point to the hacker being from a nation state like Russia or China.

“Given the level of sophistication that we see here, it’s pretty clear that it’s a nation state because it doesn’t necessarily fit the operations of cyber criminals or hacktivists,” he said. “Nation states tend to set up two command and control points that were encrypted, and the fact that CISA was not sure how they compromised the user’s credentials, it means the adversary likely bypassed two-factor authentication. This was a highly sophisticated group who used a multi-stage attack, and most likely wanted to move laterally across government agencies. I think that is why there is so much detail in this warning.”

John Pescatore, the director of emerging security trends at the SANS Institute, said this incident has all the characteristics of a “living off the land” attack.

Symantec described “living off the land attacks” as those “where attackers take advantage of native tools and services already present on targeted systems” and said they have grown in popularity over the last few years.

Crowdstrike says LOTL attacks generally do not involve malware and have become more popular among those who support cyber espionage, with 40% of all global attacks in 2018 not involving malware, meaning that they relied entirely on built-in programs.

“The bad guys figured out with living off the land attacks that if they get credentials and use those capabilities they can’t tell us from the administrators and the malware detection will not go off,” Pescatore said. “A lot of what is described in the use case, the use of PowerShell and SOCKS proxies, use the operating system to attack itself.”

Pescatore said once the hacker owned the machine from the inside, it was just a matter of communicating to the outside to exfiltrate data or move network to network.

“Sounds like whatever agency this was had a poorly configured firewall because it let anything on the inside talk to the outside based on the high number of ports that were open,” he said. “The attacker seemed to combine a lot of known techniques, and there were a lot of security hygiene mistakes like why the administrator didn’t have two-factor authentication implemented? Why the firewall was configured to allow all the outbound traffic?”

August guidance warned of vulnerabilities

While the case study is a new way of presenting this type of cyber attack, CISA alerted agencies to similar concerns in August with the release of a capacity enhancement guide for remote devices outside the agency’s network. CISA said the guide is in response to reported VPN bandwidth constraints that are impacting the timely patching of roaming devices and degrading or interrupting other vital services that employees or citizens are accessing remotely.

The guide aimed to build upon the recommendations CISA put forward with the Trusted Internet Connections 3.0 telework guidance in April.

“[W]hen routing traffic through agency campus networks, agencies face challenges related to virtual private network (VPN) bandwidth constraints, which are impacting the timely patching of roaming devices and degrading or interrupting other vital services being accessed from roaming devices. These significant delays in patching leave roaming devices susceptible to common vulnerabilities and threats,” CISA wrote in the guidance. “Recent increases in teleworking have amplified these issues and made securing roaming devices even more challenging.”

CISA recommended nine ways agencies can implement a cloud-based remote vulnerability and patch management capability, including centrally managing devices, configuring devices to disable receiving automatic updates for the operating system and individual software directly from vendors, and ensuring cloud services include an agency-managed patch repository.

In the use case, CISA also recommends agencies take several steps, including employing an enterprisewide firewall, closing down ports that aren’t in use and implementing the principle of least privilege on data access.
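The points Pescatore raises above (native tools such as PowerShell reaching the internet, a firewall that let anything inside talk out on many ports, and data leaving the network) can be checked for in outbound connection logs. The following is an added example, not code from CISA, the agency in the use case or anyone quoted here; the log format, internal address ranges, egress port allow-list, tool list, volume threshold and every host, process and IP in it are constructed assumptions.

```python
"""Egress review over constructed outbound connection records."""
import ipaddress
from collections import defaultdict

# Address ranges treated as the agency's own network (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports a deny-by-default egress policy would allow (assumption).
ALLOWED_EGRESS_PORTS = {53, 80, 443}
# Built-in tools commonly seen in living-off-the-land intrusions (assumption).
LOTL_PROCESSES = {"powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "certutil.exe"}
# Outbound bytes per host/destination above which we flag volume (assumption).
EXFIL_BYTES_THRESHOLD = 50 * 1024 * 1024

# Constructed sample records; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for internet destinations.
SAMPLE_LOG = """\
ts=2020-09-24T10:01:02Z host=WKS-17 proc=chrome.exe dst=203.0.113.50 dport=443 bytes=184320
ts=2020-09-24T10:03:11Z host=WKS-17 proc=powershell.exe dst=198.51.100.23 dport=8443 bytes=5120
ts=2020-09-24T10:04:40Z host=WKS-17 proc=powershell.exe dst=198.51.100.23 dport=8443 bytes=62914560
ts=2020-09-24T10:05:00Z host=SRV-FILE01 proc=svchost.exe dst=10.0.0.5 dport=445 bytes=10240
ts=2020-09-24T10:06:30Z host=WKS-22 proc=outlook.exe dst=203.0.113.60 dport=443 bytes=40960
ts=2020-09-24T10:07:15Z host=WKS-22 proc=svchost.exe dst=198.51.100.77 dport=1080 bytes=2048
"""


def parse_line(line):
    """Parse one key=value record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"],
        "host": fields["host"],
        "proc": fields["proc"].lower(),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "bytes": int(fields["bytes"]),
    }


def is_internal(addr):
    """True when the address falls inside one of the agency's own ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def review_egress(log_text):
    """Return (host, reason, detail) findings for internet-bound traffic.

    Reasons: lotl_tool_egress, port_not_in_egress_policy, high_outbound_volume.
    """
    findings = []
    volume = defaultdict(int)  # (host, destination) -> bytes sent out
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_internal(rec["dst"]):
            continue  # east-west traffic is out of scope for an egress review
        volume[(rec["host"], str(rec["dst"]))] += rec["bytes"]
        if rec["proc"] in LOTL_PROCESSES:
            findings.append((rec["host"], "lotl_tool_egress",
                             f'{rec["proc"]} -> {rec["dst"]}:{rec["dport"]}'))
        if rec["dport"] not in ALLOWED_EGRESS_PORTS:
            findings.append((rec["host"], "port_not_in_egress_policy",
                             f'{rec["dst"]}:{rec["dport"]}'))
    for (host, dst), total in volume.items():
        if total > EXFIL_BYTES_THRESHOLD:
            findings.append((host, "high_outbound_volume", f"{dst} {total} bytes"))
    return findings


def external_ports_by_host(log_text):
    """Map each host to the set of internet-bound destination ports it used.

    A wide spread of ports per host is the symptom of the permissive outbound
    firewall described in the use case.
    """
    ports = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if not is_internal(rec["dst"]):
            ports[rec["host"]].add(rec["dport"])
    return dict(ports)


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_LOG):
        print(finding)
    print(external_ports_by_host(SAMPLE_LOG))
```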

VPNs remain concerning

VMWare’s Kellermann said agencies continue to over-rely on VPNs and adversaries are getting better at taking over encrypted tunnels.

“VPN tunnels allow for trusted traffic on the network and the hacker masked its efforts because it was in those tunnels,” he said. “The only way CISA or the agency saw what was going on is because they saw data leaving the systems. At that point, it’s almost too late, and the real concern is if the adversary moved laterally and was island hopping between networks.”

Kellermann said the threat of cyber attacks is only getting worse, particularly because of the pandemic and surge of remote workers. He said new data from VMWare shows cyber criminals are emboldened and doing more to attack and take over networks.

“We will release new data soon that shows 82% of the time we are seeing counter incident response where the adversaries are fighting back,” he said. “They are deleting logs or manipulating time stamps. They are committing destructive attacks such as dropping in ransomware without asking for money just to be mean.”


Acquisition roundup: Unpriced schedules on the horizon? SSA, Library of Congress lose protests

General Services Administration customers are still unhappy with the Advantage platform.

The Defense and Energy departments and NASA really are the only ones paying contractors when they can’t work because of the coronavirus pandemic.

And the Government Accountability Office decides in favor of the plaintiffs in two protests that could have some lasting impact on federal acquisition.

Welcome to another episode of “As the Acquisition World Turns.”

Like the soap opera’s 54-year run, the acquisition community sees its share of repeating story lines, surprising twists and turns and, of course, maybe even a villain or two.

Let’s start with the repeating story line. GSA’s customers continue to be unhappy with certain aspects of the online buying platform Advantage.

Julie Dunne, the commissioner of the Federal Acquisition Service at GSA, wrote in a blog post that the results of their 2020 Customer Satisfaction Survey of more than 2,500 respondents found the three most common concerns, all of which present significant barriers to purchasing the products listed, are:

  • Missing or confusing product descriptions: Seven percent of responses indicated that customers struggled with incomplete or inaccurate product information, while 15.1% found the product information confusing.
  • Out of stock items appearing in search results: Nine percent of customers stated product availability is an area for improvement.
  • Missing or inaccurate product photos: Five percent of our customers’ responses indicated acquisition challenges related to missing or inaccurate product photographs.

Julie Dunne is the commissioner of the Federal Acquisition Service at GSA.

“Analysis of customer comments in these categories continues to show significant pain points impacting the customer shopping experience,” Dunne wrote. “Of the three categories of concern identified above, product photo accuracy leads the field with inaccurate or confusing product description tied for the second spot. We know there are more than 15 million products on GSA Advantage! with no photos. Almost 37 million products use repeat photos (e.g. company logos) instead of actual product photos.”

These problems are not new. Back in 2011, GSA promised to make navigation and search easier, add more product details and add features like brochures, installation instructions and demonstrations of the product.

In 2018, former FAS Commissioner Alan Thomas also said customers are driving changes to Advantage and other acquisition tools. While some changes have occurred for the better, like the use of order level materials (OLMs) under schedule contracts and schedule consolidation, problems with Advantage remain a long-running story line.

Dunne recognizes the ongoing challenges and promised to fix the problems.

“In the near term, we need your help to improve the customer experience by reviewing and updating your product photos and product descriptions on GSA Advantage. Together, I know we can do better,” she wrote. “Looking forward, we will be addressing these types of concerns and improving the customer experience through GSA’s Catalog Management initiative. This initiative is focused on improving the policies, processes, and systems used to manage catalogs so customers have access to accurate and up-to-date information (including using manufacturer-originating information) to offer consistent product descriptions and improved product photos.”

Despite the frustrations, agencies continue to use GSA Advantage and get better pricing than commercial platforms like Amazon.

As many have said before, fixing Advantage seems to be the right move as it remains popular and valuable for agencies to use. The question always comes back to how quickly can GSA fix it?

Unpriced schedules coming?

And speaking of pricing, GSA also released an advanced notice of proposed rulemaking to gain feedback on how it will implement Section 876 authority of the 2019 National Defense Authorization Act to remove price as an evaluation factor for some acquisition vehicles. In soap opera talk, this is the long-lost brother/sister coming back — one of those moments when you say, “this can’t be happening?”

Mark Lee, the assistant commissioner of the Office of Policy and Compliance in FAS, wrote in a Sept. 1 blog post that the goal of the ANPR is to “determine when use of this authority represents the best acquisition strategy for our contract vehicles.”

Lee wrote that the final rule eventually will make it easier for:

  • Customers to realize better value and savings;
  • The FAS acquisition workforce to focus on helping customers achieve robust competition at the order level; and
  • Suppliers to obtain FAS acquisition vehicle contracts.

GSA took the first step to use the authority in the ASTRO solicitation in late August.

Lee said GSA knows agency and industry customers want to apply the authority to the schedules program too.

Mark Lee is the assistant commissioner of the Office of Policy and Compliance in the Federal Acquisition Service at GSA.

“We want your input to identify when implementation of this authority would represent the best acquisition strategy,” he wrote.

Roger Waldron, the president of the Coalition for Government Procurement, wrote in a blog post that the implementation of 876 would “focus the FSS program on commercial best practices, continuing the march away from bureaucratic, non-competitive practices, like cost-build negotiations of contract service rates. Section 876 will have a cascading impact, reducing burdensome administrative contract costs, allowing customer agencies and industry to focus on competition for and performance of mission requirements.”

Comments are due by Friday, Sept. 18.

3610 usage is small

In a plot twist of sorts, the Government Accountability Office reported on Sept. 3 that only DoD and NASA have taken advantage of the authorities in Section 3610 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. This lets agencies pay a contractor for the cost of paid leave incurred during the pandemic so that it can maintain its workforce in a ready state.

While vendors demanded this authority and Congress complied, GAO reviewed seven agencies and found DoD is the only agency to spend significant money to keep vendors ready through July 2020. Of the $22 million paid to contractors by three agencies, the Pentagon accounted for $18.3 million.

“With the exceptions of DoD and Department of Energy, agency officials we met with either did not expect a large amount or were uncertain about the level of future requests for reimbursements under section 3610,” GAO stated. “DoD officials told us that, in July 2020, several large defense contractors provided DoD with rough order of magnitude estimates of the impact that COVID-19-related actions had on their businesses — including the amount of paid leave they provided to their employees — that were generally in line with the [$1 billion] figure. DoD officials cautioned, however, that these estimates were not formal requests for reimbursement, nor were they accompanied by supporting documentation. DoE officials told us they also expected a significant cost impact due to contractor requests for section 3610 reimbursement.”

GAO said part of the issue with the implementation of 3610 had been a lack of consistent policy, but auditors say the Office of Management and Budget addressed the problems in early July with new guidance. Still, that caused some initial slowdown in 3610 usage.

SSA, LoC messed up evaluations

Turning to the villain in our story, Oracle, which seems to like playing the role of foil: Oracle, Mythics and AT&T won protests at GAO that stopped procurements at the Library of Congress and the Social Security Administration, respectively.

Of course, who the real villain is in this story depends on where you sit. If the Library of Congress had, say, followed the Federal Acquisition Regulations and not asked for brand name in their $150 million cloud procurement or at least written a brand name justification, then maybe this story wouldn’t have a bad person.

But GAO said in the Sept. 9 decision that LOC failed to justify why it wanted Microsoft and Amazon Web Services, and why a single-award was necessary.

You can read the entire decision, but let’s just say the Library of Congress lost on every complaint Oracle and Mythics filed with GAO.

Then again, maybe SSA is the villain in this story too?

AT&T won a protest of a $524 million award to Verizon for SSA’s Next Generation Telephony Project (NGTP). As in the Library of Congress case, the agency failed to document and mitigate a potential conflict of interest.

In both cases, GAO recommended that LoC and SSA take corrective action by fixing the solicitations and re-evaluating the awards.

Hope you enjoyed this latest episode of As the Acquisition World Turns, a never-ending roller coaster of story lines and people.


Federal CISO Schneider knew when to let the cyber cats roam, when to herd them

Grant Schneider probably never intended to be a chief information security officer. He started his career in financial management where he learned how the federal budget process worked.

That type of analytical, fact-based approach served Schneider well when he made the transition to technology.

He spent seven years as the Defense Intelligence Agency’s chief information officer before coming to the Office of Management and Budget—first on a two-year detail where he jumped into the data breach at the Office of Personnel Management and then in the deputy and finally federal CISO roles.

Schneider, who announced in August that he was leaving to join Venable law firm as a senior director of cybersecurity services, was not a flashy CISO, nor was he your typical cyber expert who prefers to remain behind the firewall and not discuss TTP (tactics, techniques and procedures).

He was always accessible, willing to listen to and answer, to the best of his ability, the hard questions whether about Chinese hackers or the early struggles of the continuous diagnostics and mitigation (CDM) program or why the Trusted Internet Connections (TIC) policy update took so long—by the way we were hopeful the final vulnerability disclosure binding operational directive would drop before Schneider left on Aug. 28.

Schneider’s successes as federal CISO were probably not obvious to the casual observer because he rarely, if ever, signed off on a public policy, nor did he announce new initiatives—both of which usually came from the federal CIO or even the head of OMB.

But the behind-the-scenes work to get the Federal CISO Council and the rest of the IT and cyber community behind a strategy or concept was all Schneider and his staff.

Federal News Network asked cybersecurity experts who worked closely with Schneider over the last six years for their opinion on his impact on the federal cybersecurity community.

What impact did Grant Schneider have on federal cybersecurity over the last five years?

Josh Moses, the former chief of the cyber and national security branch in the office of the Federal CIO at OMB: Grant was essential to reinvigorating cybersecurity leadership from the top of the house—the White House. He was a key strategic advisor as Trevor Rudolph and Tony Scott stood up the Cyber and National Security branch in OMB after the Federal Information Security Management Act Modernization Act of 2014 became law. His experience as an agency CIO helped shape the initial policy direction and inform the hiring decisions for the team. Five years later, we have a strategic direction and a much more comprehensive view of federal cybersecurity, maturity across both large and small agency programs, quality service and capabilities from the Homeland Security Department and a true community of practice. Grant drove these efforts in his leadership capacity at the National Security Council and at OMB.

Josh Moses is a former chief of OMB’s cyber office.

Ross Nodurft, the senior director of cybersecurity services at Venable and a former chief of cybersecurity at OMB: It’s easier to ask where he did not have an impact. If we think about the time “post OPM,” Grant has either helped shape or directly led all of the major cybersecurity efforts to reform, modernize and bolster federal cybersecurity. During his tenure as the deputy federal CISO and then the Federal CISO, the government has established the CISO Council, developed cybersecurity workforce strategies, issued countless policy memos and tracked risk across the government.

Tony Scott, the former Federal CIO and now president of the Tony Scott Group: Grant played a critical leading role in the initial response to the OPM breach, and then helped craft and implement follow on initiatives including the National Action Plan, the Cybersecurity Sprint and many other policy changes that have come over the past few years.

What would you point to as 1 or 2 of his biggest accomplishments?

Nodurft: The National Cyber Strategy that Grant put together—given the dual hat of Federal CISO and senior director of NSC cyber—is very important. It elevates federal cybersecurity to a level commensurate with critical infrastructure and sets goals and guidance for how to deliver on those goals.

His work developing and issuing federal government risk reports where Grant and the OMB team (kudos to Josh Moses, Derek Larson, and Nick Ufier) developed a risk report that measured outcomes and tracked the risks across the federal enterprise. This reporting and way of measuring risk has enabled the federal civilian agencies to move away from a compliance focused approach to cybersecurity towards a true risk management approach.

His work to stand up the Federal Acquisition Security Council. That body and the processes it will oversee will help secure the federal government for years to come.

Scott: Organizing the initial response to the OPM breach was certainly one of them. At the time, the U.S. government had not experienced anything like that, and there was a great deal of uncertainty as to who should play what role, etc. Grant, based on his prior experience, knew what each agency was good at from a cybersecurity and investigative perspective, and most importantly, had a great personal network and relationships within the broader federal government that he could quickly leverage.

Tony Scott is the former federal CIO.

Beyond that, I think Grant was key to building a great team in OMB, and keeping that team focused on the most important activities over administrations and leadership changes.

Moses: Overseeing actions in support of Executive Order 13800—the 2017 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The EO was a point of continuity between the current and prior administrations on this critical issue. The EO covered agency security, critical infrastructure security and workforce development, and Grant was instrumental at quarterbacking its execution and coordination across the government. The output from the EO, be it the Risk Determination Report, the National Cyber Strategy or a series of supporting EOs, filled a void by setting strategic direction for national cybersecurity. That is no small feat, as agencies grapple with budgeting to maintain, let alone expand, cyber programs each year, and Grant helped provide justification and a North Star for this program for years to come.

Perhaps unsung, Grant was also essential to driving cyber workforce initiatives in the last administration. He was a conduit between OPM and White House leadership, helping to identify and execute on actions that would build the talent pipeline and strengthen the workforce.

Getting agencies to improve cybersecurity is like herding cats. What made Grant successful as the Federal CISO?

Scott: I personally liked his style. He worked in a way that was informative, and collaborative, and with just enough nudging to get things done.

Moses: Grant is adept at listening, which is an essential skill when it comes to working with agencies and understanding the hundreds (literally) of unique challenges that agencies face. A great piece of advice he gave me was “become comfortable with not having an answer,” as you can find a reasonable, feasible way forward by listening to the room and collaborating. In other words, he’s really good at knowing when to let the cats roam a bit before trying to herd them.

Nodurft: His willingness to listen and his ability to convene the right group of folks. He had the respect of the CISO community and that allowed him to reach out to the CISOs as well as their agency leadership to cut through red tape when needed.

What is the top priority for the next Federal CISO?

Nodurft: The next Federal CISO will need to tackle a governmentwide approach to cloud security, given the recent shift to virtual work environments. This will give them a chance to update Federal Risk Authorization Management Program (FedRAMP). Additionally, the next Federal CISO will need to work with agencies to establish flexible but similar approaches to supply chain cybersecurity.

Ross Nodurft is a former OMB unit chief for the cyber and national security unit.

Moses: Keeping mission operations resilient in what may be a tough budget climate for cybersecurity over the next couple of years. Recovering from this pandemic and rebuilding government operations after the recovery are going to shift agencies’ resources and priorities. This should force a hard, “smart” look at using more software and cloud-based security solutions to support that resource shift. The next Federal CISO is going to have to keep agencies’ hand on the throttle in that climate and continue to guide agencies to that North Star for program performance.

Scott: Continue to build a great team – people with a few years’ experience in the OMB cyber team are highly sought after, and so recruiting and backfilling open positions will always have to be a number one priority.

Beyond that, I think it’s creating a vision of how federal agencies can best continue to leverage shared assets and common capabilities to address emerging needs vs. each agency doing its own thing, which, although great progress has been made, is an ongoing issue.


GSA finally pushing price competition to where it belongs: At the task order level

Emily Murphy, the General Services Administration’s administrator, uttered her “famous” words during her nomination hearing before the Senate Homeland Security and Governmental Affairs Committee in October 2017: “We are trying to make sure GSA’s contracting officers and our policies support really vigorous competition at the task order level because that is the amount we actually are going to spend so we want to get the best deal there, the most competition we can there.”

She offered experience, understanding and hope where previous administrators’ words had offered only hallowed general concepts.

If anyone understood the ridiculousness of asking a vendor’s price for something they haven’t seen the requirements for, it was Murphy.

And when Congress blessed the concept of creating an “unpriced multiple award contract,” where costs only matter at the individual task order level, in the 2018 National Defense Authorization Act, many in the acquisition community — including myself — thought the clarion call had finally been heard.

It took almost two years since the provision became law, but GSA’s release of the ASTRO solicitation for manned, unmanned and robotic platforms finally is putting the stake in the ground that “price” as an evaluation factor for large multiple-award contracts is no longer relevant.

GSA Administrator Emily Murphy.

“While ASTRO will be the first contract vehicle to use the Section 876 authority, GSA anticipates that more will follow,” Murphy said in an email to Federal News Network. “Having ASTRO lead the way made sense for two reasons. First, ASTRO will be an assisted acquisition on behalf of the Department of Defense without any of the direct order components commonly found on other GSA governmentwide acquisition contracts (GWACs) and multi-agency contracts (MACs). This means GSA can closely monitor competition at the task order level and ensure in particular we see that competition in pricing. Second, ASTRO will serve as an opportunity to refine best practices for use of the Section 876 authority while the advance notice of proposed rulemaking (published on August 19, 2020) to use Section 876 authority in the Federal Supply Schedule program proceeds.”

In fact, GSA is considering using the Section 876 authority for its new small business GWAC. Officials said Thursday during an industry day that the “unpriced master contract” approach was one of several on the table as it developed the new acquisition strategy.

In the ASTRO solicitation GSA wrote, “Because services are diverse within the scope of the master contract, the master contract provides the [contracting officer] the flexibility and authority to determine fair and reasonable pricing tailored to the individual task order requirement, including the task order statement of work or objectives, risks, uncertainties, complexity, urgency, contract type, and competition. Accordingly, the master contract does not predetermine cost and price reasonableness or fair and reasonable labor rates for services performed at the task order level. The master contract does not establish prices for any supply or service at the task order level; therefore, the [contracting officer] shall establish cost and price reasonableness for each task order using the policies and methods in FAR Subpart 15.4, internal policies, and other applicable regulatory supplements.”

And just like that, one of the biggest problems with large-scale, winner-take-all multiple award contracts is solved.

OK, it’s not solved. But this is a huge step in the right direction to stop the inevitable award-protest-award-protest cycle that so many GWACs from Alliant to Alliant 2 small business to OASIS to a host of agency specific multiple award contracts have been thrust into in part because agencies required price as an evaluation factor, which limited who was deemed qualified and therefore awarded a spot on these five-to-10 year contracts.

Theoretically speaking under ASTRO, GSA could let every qualified vendor on the contract and let the chips fall where they may for each task order.

Ending of the rate card game?

Tim Cooke, president and CEO of ASIGovernment, said this approach may just put an end to the rate card game nearly every vendor plays, and one that no one likes, either.

“It depends on how you evaluate price, typically, but let’s say there are 10 labor categories and your company only intends to use six of them, you chose the number so government weights the labor rates based on the hours they give you so your weighted average rate that is lower than otherwise it would be,” he said. “Companies don’t put ‘real’ rates down for every labor category. They assume they can substitute people. Four of them that you will not use will be lower, and the other six will be a little higher and then the company will shift people up and down labor categories so they will still make money, but still have a lower evaluated rate.”

Cooke said this “game” is well known among pricing shops across federal contractors.

So by requiring price only at the task order level, Cooke and other experts say agencies will get better competition and face fewer contract administrative burdens.

Roger Waldron, the president of the Coalition for Government Procurement, has been pushing GSA to use the 876 authority for the last two years.

He said the “unpriced master contract” approach should reduce barriers to entry for all companies.

“ASTRO talks about bringing in the highest-rated companies so now, more than ever, the focus should be on the technical side or capability side. That is the entry point,” he said. “The contract creates a greater emphasis on technical because it’s not a trade-off determination.”

The decision to use ASTRO to test out this approach can be traced to several factors.

First, GSA is building on its efforts from the OASIS professional services GWAC to rethink how it evaluates proposals where it first used a self-scoring evaluation approach.

“It is meaningless to do cost-price trade off at the multiple award level when pricing doesn’t mean much,” said Jim Williams, former acting GSA administrator and former head of the Federal Acquisition Service. “When it means something is when you have real requirements and you look at not only labor prices, but the labor mix because that is what you are proposing to meet the government’s needs. The other thing it gets away from is the government trying to drive down labor pricing. When a company is competing in the labor market and when competing against commercial interests, it’s about getting the best solution at a reasonable cost. I like this approach very much. There is so much good about it and I think it will be a success and it will spread.”

ASTRO is a good test case

Second, manned, unmanned and robotic platforms are more research and development than commodity technology.

ASIGovernment’s Cooke said in many ways ASTRO is a research and development contract.

“R&D is typically just cost-plus type contracts. ASTRO is labor hour only so only time and materials type of contracts. It’s not that different from cost plus,” he said. “DoD and GSA want to attract as many non-traditional and traditional providers of this technology, especially in this R&D arena. Commercial companies are not used to a two-step competition where price is evaluated at both steps.”

But unlike traditional R&D, the “unpriced master contract” isn’t abandoning price altogether, just pushing it down where it matters most.

Dave Zvenyach, a former head of 18F and assistant commissioner of the Office of Systems Management at GSA, and now a consultant and director at Hangar, said it’s good to see GSA continue to push the acquisition innovation envelope.

“It’s important to step back and keep in mind there is technical trade off with cost and quality, and GSA is signaling that quality is the main factor,” he said. “This is different because GSA is not considering reasonable pricing, but the idea of focusing on technical quality at beginning and dealing with price at the back end is an important next step in the ongoing conversation about getting the best quality solutions.”

This idea of an “unpriced master contract” is not a new one. The Navy with Seaport-3 and the Air Force with NetCents tested out this approach, and the 2007 Service Acquisition Reform Act (SARA) panel recommended the creation of a schedule that didn’t require upfront pricing.

Benefits for agencies, industry

Williams said one of the biggest challenges for GSA to get this idea off the ground has been the focus of its inspector general on enforcing the price reduction clause under schedule contracts.

“People like the IG have been opposed to this concept in the schedules arena because the PRC allows them to examine contractors’ books to see if they are giving the government their most favored pricing so the auditors haven’t been supportive of getting rid of price,” he said. “But when you are buying services, the PRC shouldn’t matter because price at the master contract level is meaningless.”

CGP’s Waldron said one thing to watch for is how agencies respond to this change. He said GSA will have to do a fair amount of training to get contracting officers comfortable with how ASTRO will work.

GSA Administrator Murphy said the approach to ASTRO will benefit everyone involved.

“Section 876 authority allows the acquisition workforce to focus on vendor qualifications in the first round of the procurement and should result in awards to vendors with a high caliber of technical expertise. Once this pool of highly capable vendors is selected these vendors will compete on specific highly technical requirements and pricing at the task order level,” she said. “This approach will also help vendors — especially small businesses — by saving on bid and proposal costs up front. For example, vendors will spend less time and effort bidding on Contract Line Item Numbers (CLINs) that are never used. Simultaneously, it will liberate contracting officers from having to perform pricing analysis on those CLINs – and focus efforts on pricing analysis at the task order. Finally, this approach will benefit customer agencies by lowering barriers to entry for vendors and increasing the pool of vendors at the IDIQ stage. Further, enhanced price competition at the task order level will result in better value and savings for our customers and ultimately the taxpayer.”

Let’s also hope the “unpriced master contract” approach will mark the beginning of the end for what many believe is the no-longer viable process to compete and award multiple award contracts.

