Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Education’s Federal Student Aid to get new CIO; CISA, NTIS losing executives

Federal technology executives continue to shuffle chairs. The Education Department’s Federal Student Aid Office is getting a new chief information officer. The National Technical Information Service at the Commerce Department is losing its director, and a longtime cybersecurity executive at the Homeland Security Department is retiring.

These are the latest in a string of changes in the federal technology community.

At the Federal Student Aid Office, Mia Jordan is coming over from the Agriculture Department’s Rural Development bureau.

Avi Bender will retire from NTIS at the end of September after 20 years in government and another 25 in the private sector.

And finally, John Felker, the assistant director for integrated operations at the Cybersecurity and Infrastructure Security Agency, is retiring after 37 years in the public and private sectors.

Jordan and Felker announced their decisions on LinkedIn, while Bender told staff in late July, according to an email obtained by Federal News Network.

Mia Jordan will be the new CIO at the Federal Student Aid Office.

Jordan said she has been with USDA for 10 years, first with the Natural Resources Conservation Service (NRCS) as the director of IT governance and chief architect. She became the Rural Development CIO in 2017.

At FSA, she said on LinkedIn that she will lead “the technology transformation for students and their families looking to obtain funding to achieve educational goals. I am very fortunate to join a forward leaning organization with a talented team of change agents and thought leaders who are passionate about enabling students to receive a quality education!”

She replaces John Fare, who had been CIO at Federal Student Aid since 2018. It’s unclear when Fare left this role.

Bender and Felker are both leaving federal service at the end of September.

Bender told staff he plans to continue to work on digital transformation, but first will take some time off and then decide what comes next.

“There is never a good time to leave but I feel that we have a strong senior leadership team led by [NTIS deputy director] Greg [Capella] and we have turned the corner as a result of our hard work and dedication to the mission of NTIS,” Bender wrote. “We have been on a great journey (or rollercoaster) together and have come a long way. We will be cash positive at the end of this fiscal year with an impressive portfolio of federal artificial intelligence/data projects. We are well positioned for continued growth and success. All of you have demonstrated incredible resilience and dedication in delivering our unique data services. Our private sector partnerships are expanding, and federal agencies are seeking our data science and AI innovation services.”

Bender praised NTIS’s effort during the pandemic, particularly in light of shifting spending priorities across its customer base.

Joining NTIS in 2016, Bender focused on changing how the bureau provides services to other agencies by helping them make better use of data to address mission critical needs with that all-important focus on improving citizen services.

Avi Bender, the director of the National Technical Information Service, is retiring on Sept. 30.

He also partnered with the private sector to expand NTIS’s reach and services. He launched the Joint Venture Partnership, through which he brought in research institutions, nonprofits and for-profits to provide data services, particularly related to predictive analytics, machine learning and artificial intelligence.

Before coming to NTIS, Bender was the chief technology officer at the Census Bureau from 2010 to 2016 and before that he worked at the IRS as the director of enterprise architecture.

Felker joined DHS in 2015 after spending 17 years in the Coast Guard and working in the private sector after retirement.

He led the National Cybersecurity and Communications Integration Center from 2015 to 2019, and over the last 14 months served in his current role as assistant director for integrated operations at CISA.

“In almost 37 years of experience that includes the Coast Guard, the private sector, the NCCIC and CISA, these past several years have been some of the most exciting, interesting, rewarding and challenging for me,” he wrote on LinkedIn. “That our team was able to perform so well and deliver on mission while creating a new organization, is a testament to the ability, creativity and positive attitude of the tremendous men and women with whom I’ve had the pleasure to serve.”

As director of NCCIC, Felker matured the operation to do more red and blue team exercises to make agency networks stronger. He promoted more information sharing with private sector partners and brought in more automation to speed up identifying and fixing potential and real cyber threats.

In his new role, Felker wrote on LinkedIn that he led an effort to integrate three disparate functions—cyber, physical and communications—into a 24/7 operations center that oversees all agency operations.

It’s unclear who will replace Felker.

Felker becomes the second CISA executive to announce he is leaving in the last week. Brian Harrell, the assistant director for infrastructure security, said he is returning to the private sector.


First Look

Launch of IT vendor management office part of next phase of category management

It’s been more than a year since the General Services Administration first floated the idea of a governmentwide contract for cloud and collaboration services, similar to the one the Defense Department awarded last August to General Dynamics IT.

While the Civilian Enterprise Office Solutions (CEOS) concept hasn’t gotten past the idea stage, the research behind it birthed another idea.

As an aside, the DoD version, called the Defense Enterprise Office Solutions (DEOS), remains stuck in the protest cycle. Perspecta filed a complaint over the $7.6 billion award, and GSA and DoD promised to take corrective action only to face constant challenges over the next 10 months.

But back to the story of how CEOS led to this new idea.

“During the development of CEOS, the teams involved in the process realized the importance of clear market and acquisition intelligence for both government and industry. The need for consistency in IT pricing and contract terms and conditions, better information sharing across agencies, and more unified messaging to the vendor community was clear,” said a senior administration official in an email to Federal News Network.

So to that end, the Office of Federal Procurement Policy, GSA, NASA and the NIH Information Technology Acquisition and Assessment Center (NITAAC) plan to launch a new IT vendor management office (ITVMO) in October.

OFPP and its partners introduced the concept of the ITVMO to industry groups a few weeks ago, outlining the goals and mission areas in a one-page fact sheet, which Federal News Network obtained. These include data analytics, subject matter expertise, vendor relationship management, best-in-class (BIC) solutions management and IT security and risk management.

Source: OFPP one-page fact sheet

“Agencies find themselves not always having access to the information they require to make informed IT buying decisions. The ITVMO will fill a critical need for these agencies by leveraging existing governmentwide procurement data, IT contracting technical expertise, IT category management, and shared agency IT acquisition knowledge to enable agencies to make smarter and more cost effective IT buying decisions,” the one-pager stated. “The mission of the ITVMO is to serve agencies as a trusted advisor and advocate for governmentwide IT category and vendor management.”

Of course, we could argue about what BIC really means, but that’s for another day.

The concept of a vendor management office isn’t new. The Department of Veterans Affairs launched one in 2012 and the Office of Management and Budget wanted to expand the concept governmentwide. Former OFPP Administrator Anne Rung issued a memo in December 2015 outlining plans to create an IT vendor management office.

But for whatever reason, the concept didn’t take off.

A “meeting of the minds”

Now OFPP believes the time is right.

“Launching the ITVMO is an important step in our category management evolution,” said Michael Wooten, the OFPP administrator, in a statement to Federal News Network. “The ITVMO will further sharpen the government’s IT acquisition intelligence capability. It will allow us to leverage our collective expertise, turn data into information, and increase engagement with our important vendor partners. We should expect greater clarity in our solicitations, improved ‘meeting of the minds,’ and better ability to spell out our requirements to match commercially available solutions.”

OFPP says over the last several years, the government has seen more than $1 billion in cost avoidance by using data to drive decisions within category management.

“Based on our category management success over the last several years, we – as a community – have seen the tremendous value in sharing insights, pricing data, terms and conditions, and other important acquisition intelligence – especially in IT,” the senior administration official said. “[T]he ITVMO will advance all of these important levers to ensure we are getting the best deal possible.”

Stan Soloway, a former Defense Department acquisition executive and now president and CEO of Celero Strategies, said putting the data from the best-in-class contracts and from category management to work is a laudable goal.

“The more data, the more aggregation, the more synthesis, the better decisions agencies can make,” he said. “A lot of this requires competitors to play nicely together. SEWP, GSA, and NITAAC all compete for market share so how much do you open the door for everyone to see each other’s data? Does this ultimately down the road, lead to a sharp consolidation of governmentwide acquisition contracts?”

Soloway said the data will demonstrate which vendors are winning task orders more often, what products or services agencies are buying at scale and whether the GWACs really are all that different.

OFPP has long tried to consolidate multiple award contracts and has had limited success. One recent example is the Department of Homeland Security’s 2019 decision not to move forward with EAGLE 3 as a standalone vehicle and move a lot of that work to GSA’s GWACs like Alliant 2 or VETS 2.

150,000 contracts eliminated

The senior administration official didn’t insinuate that the ITVMO would lead to any sort of consolidation of contracts, but the overarching goals of category management include reducing duplicative contracting.

OMB said on the performance.gov portal that since 2017 agencies have eliminated nearly 150,000, or 35%, of duplicative or sub-optimized contracts not aligned to category management (more than half of this reduction was made to contracts held by other than small businesses).

Soloway said increased data transparency will be helpful as long as it’s in context of what agencies are buying, which is easier for products than services for the most part.

“You have to make sure the data you are looking at is based on a common set of factors,” he said. “The VMOs that I’ve had the most positive reaction with are more about engagement with the marketplace versus making buying decisions. They provide forecasts and are open to answering questions or guiding new contractors. This has an external piece too. My understanding is a lot of data collection and analytics done by the ITVMO, which is really what the heart of this is about, will remain internal for government only users.”

The senior administration official said the goal of the office is to help agencies move from idea to strategy to acquisition.

“The ITVMO will identify resources for market research, support independent government cost estimates, and assist in the development of RFPs. Our contributions will focus on areas that benefit from the ITVMO’s enterprise perspective,” the official said. “A whole-of-government approach will bring together program staff, contract specialists, vendors and other IT acquisition professionals from various agencies to solve common IT acquisition problems. The ITVMO will leverage existing governmentwide procurement data, IT contracting technical expertise, IT category management, and shared agency IT acquisition knowledge to enable the federal government to make smarter and more cost effective IT buying decisions.”

The official said industry also will certainly benefit because requirements will be more consistent.

“We often hear from industry that agencies ask for similar things just a little differently, making it more costly to respond to solicitations. By standardizing technical, cyber, and reporting requirements, industry can develop their technical proposals in an efficient manner,” the official said. “Moreover, by having one office working on governmentwide IT challenges, industry can provide feedback to the government more efficiently and work with us to solve these challenges together.”

The official said GSA will stand up the office in October and it will be paid for by fees charged to use the technology-related BICs.

“OFPP has been working with the IT category manager for several months to reach out to agencies for feedback on lessons learned from their vendor management practices,” the official said. “In addition to agency VMOs, the team has been interviewing and surveying IT and acquisition professionals as they develop the service offerings and capabilities of the ITVMO. We imagine this will be an iterative process as we seek to meet the demands of a dynamic market.”


Limiting period of performance is killing highly successful 8(a) GWAC

For many of the 700 or so companies on the 8(a) STARS II contract, the Small Business Administration pulled the rug out from under them.

Many believe SBA’s decision to let the General Services Administration increase the ceiling of the popular governmentwide acquisition contract by $7 billion only if the contract’s period of performance ended in June 2022 — nearly two years sooner than the original contract had laid out when awarded in 2009 — is shortsighted and misinformed, and reverses decades of small business policy and precedent.

And similar to the decision that the Department of Health and Human Services made with its Program Support Center, SBA is putting its customer agencies and the companies they are supposed to support at risk for a flawed set of reasons and rationales.

“What is unfair is the way SBA surprised everyone with their decision to limit the period of performance,” said John Shoraka, a former associate administrator of government contracting and business development at SBA and now co-founder and managing director of GovContractPros. “If the decision was made several years ago, then maybe I could see it as being fair. But if I’m an 8(a) firm or a government buyer, I’ve planned on this contract being available to use until 2024 and the decision to limit the period of performance is throwing everything into upheaval.”

The upheaval is even more pronounced because GSA and SBA made the decision as agencies entered the fourth quarter buying season.

Clyde Goldbach, principal with Solutions By Design II, LLC, an 8(a) STARS II contract holder, said in August and September 2019, agencies flocked to the GWAC, placing 47% of all orders during that time period. Of that 47%, 31% happened in September alone.

He said through July 30, the number of requests for quotes on STARS II is down 20% as compared to 2019.

The ceiling increase and shortened period of performance went into effect on July 1.

Source: GSA GWAC dashboard.

One official at a company impacted by SBA’s decision, who requested anonymity for fear of retribution by the agency, said as of Aug. 21, there were fewer than five task orders on GSA’s e-Buy platform for 8(a) STARS II. That is a much different environment from previous years, when agencies, on average, obligated more than $1.4 billion a year through the contract.

“What SBA is telling Congress and the media is how this $7 billion ceiling increase is a big deal and a great accomplishment for small businesses. But there also is a little bit of sensationalism in that number. It’s not a funded amount. It’s just a ceiling increase and agencies will get nowhere near that amount procured,” the official said. “There is no justification. There is no rationale as to why the period of performance was required to be shortened when they increased the ceiling. I think a lot of people would want to know. If the increase in STARS II is so great, then why isn’t it being used? The reason is period of performance.”

GSA, USCIS changing solicitations

The data is starting to support that claim too.

Goldbach and others say agencies are pulling back planned and in-process solicitations that had been slated for 8(a) STARS II before SBA shortened the period of performance.

On May 21, the U.S. Citizenship and Immigration Service cancelled a solicitation for a planned contract under STARS II. On July 21, GSA’s Federal Acquisition Service cancelled a procurement too. Both cited the limited period of performance as the reason they cancelled the procurements.

Goldbach said the Justice Department pulled an RFQ planned for STARS II and instead awarded the work to an Alaska Native corporation, meaning the opportunity is gone from the 8(a) program forever.

Source: GSA GWAC dashboard.

Goldbach, who is helping to lead an effort called the 8(a) STARS II Coalition of vendors impacted by SBA’s decision, provided comments from other firms who are feeling the impact of the limited period of performance.

“We have already seen the ill effects of GSA’s decision. USCIS just lopped off an option year of a solicitation that they have in process. Now all price submissions must be revised and resubmitted,” said one company.

Another wrote, “I just got finished convincing <agency> to seriously consider STARS II for an upcoming recompete of our work and now that plan has crashed and burned. A few possible end of year directed actions I was hoping to put through STARS II are now also overcome by events with the new period of performance.”

Taking the legs out from under them

SBA, however, said in email comments to Federal News Network that while GSA would be the better agency to comment on how customer agencies are using STARS II currently, contracts in the 8(a) program can’t be moved out of it without SBA’s approval.

“It is always within the discretion of the procuring agency to use one 8(a) vehicle instead of another, i.e., to seek a competitive 8(a) award which is open to all eligible participants; to seek the award of an order under an 8(a) multiple award contract that is available only to specified 8(a) participants who are contract holders; or to seek to make a sole source 8(a) award above the general competitive threshold amounts to a current entity-owned 8(a) participant,” the SBA stated. “Where an agency seeks to make a competitive 8(a) award, which is open to all eligible participants or seeks to make a sole source 8(a) award above the general competitive threshold amounts to a current entity-owned 8(a) participant, the award will be made to a current participant in the 8(a) program and will further the goal of assisting in the business development of program participants.”

Shoraka, the former 8(a) executive, said agencies and companies have been planning to put work on the GWAC for 12, 18 or even 24 months, so the last-minute change is causing unnecessary challenges.

John Shoraka is a former associate administrator of government contracting and business development at SBA and now co-founder and managing director of GovContractPros.

“SBA is surprising a large group of firms in the last minute during the fourth quarter and it’s unfair to them and to the agencies, because it puts them in a difficult position too,” he said. “It could’ve been planned better especially given we are in an environment where the government is looking for ways to support small and minority businesses. This is, in my mind, directly contrary to that and we don’t want to take the legs out from under them.”

SBA and GSA have been aggressively pushing back against these concerns and complaints.

GSA’s Laura Stanton, the assistant commissioner for the Office of the IT Category, wrote a blog post explaining the rationale around limiting the period of performance. Stanton basically posted the letter GSA and SBA sent to 8(a) STARS II holders explaining the three reasons why the period of performance (PoP) had to be limited.

Stanton said in the post that, in coordination with SBA, raising the ceiling and decreasing the PoP to two years was the best business decision for several reasons:

  1. GSA and SBA anticipated the two-year PoP would permit agencies to respond to the immediate agency needs for the COVID-19 pandemic.
  2. All of the 8(a) STARS II vendors will now have the opportunity to pursue $7 billion in new business. Approximately 538 vendors have graduated from the 8(a) Program and, thanks to the ceiling increase, are still benefiting from the opportunities on 8(a) STARS II. In addition, the 204 current 8(a) firms and 45 Joint Venture firms also now are able to compete for up to $7 billion in new opportunities.
  3. A two-year PoP will allow 8(a) program graduates the opportunity to transition out of the STARS II program. Both GSA and SBA provide a wide variety of training courses and other resources to assist small businesses that have graduated from the 8(a) Program with positioning themselves to win federal contracts. Examples include training and guidance on finding federal procurement opportunities, pursuing small business set asides and becoming a mentor-protégé.

In responses to email questions, SBA offered more insights behind its thinking of limiting the period of performance.

“[O]nce the ceiling was reached no new orders could be issued. At that point all firms who were contract holders on STARS II could no longer expect any additional awards under STARS II. At the same time, GSA had already issued its intent to start the procurement process for STARS III – and currently expects awards under STARS III in August 2021,” the agency said. “STARS II has been a 10-year contract. Many of the 8(a) firms who are contract holders under STARS II graduated from the 8(a) program many years ago. These firms received nine years in the 8(a) program, may have been awarded STARS II contracts right before leaving the program and have benefited from the 8(a) program eight, nine or 10 years beyond their graduation dates (or a total of 17, 18 or 19 years of 8(a) benefits). Unfortunately, these firms do not see that SBA and GSA have given them the opportunity to receive additional 8(a) orders and perform for an additional two years when there was no such opportunity once the ceiling was hit.”

GSA released the STARS III request for proposals in July with a $50 billion ceiling.

A bunch of whiners?

On the surface, the argument that many of these firms have benefited a great deal from being on 8(a) STARS II provides a strong reason not to extend the period of performance any further. As GSA highlighted, 538 of the 787 firms on STARS II have graduated from the 8(a) program, meaning they are receiving additional benefits beyond the traditional nine years.

“As a sampling, of 32 firms who have objected to SBA and Congress about the perceived shortened performance period, 28 have already graduated from the 8(a) program (with four still current participants); 15 of those firms graduated from the program in 2014 or earlier (with firms graduating in 2009, 2010, 2011, 2012, 2013, and 2014) – meaning about half of the firms who have objected have received 8(a) awards through STARS II for at least six years beyond the end of their program terms so far and will be able to perform orders under STARS II for another two years,” SBA stated.

Based on those numbers, it would seem that these firms are “whining” about having to “leave” the 8(a) program 4 or 5 or, in some cases, 10 years since actually graduating.

But Shoraka and others say, SBA is changing the rules at the end of the game.

“The fact that companies who graduated from the program are still receiving contracts shouldn’t be a surprise to them. That’s why, in my mind, they are almost changing policy midway when they got an opportunity to do so. They shouldn’t use this situation to change previous policy. If SBA wants to change policy, do it in a more deliberate way,” he said. “The way firms have used this tool is as a post 8(a) graduate program. That was how it was presented to them when they were awarded a spot on the contract in the first place. If we hadn’t reached the ceiling, they would’ve benefited to 2024, but for reaching the ceiling SBA is changing the rules.”

Goldbach said the issue of graduated 8(a) firms continuing to receive contracts under the 8(a) program is common across many contracts. He said, for instance, 40% of all 8(a) firms who have a Schedule 70 contract from GSA have graduated but still benefit from the program.

And the argument that STARS III is coming as a reason to limit the period of performance rings hollow to some as well.

The company official said these GWACs take much longer than expected to get to award, as evidenced by GSA releasing the 8(a) STARS II on-ramp in 2015 but not awarding it until 2017.

Tension between companies, oversight

A former SBA official, who requested anonymity because they didn’t get permission from their current company to talk to the press, said the need to raise the ceiling put the agency in a tough spot: either hurt companies or continue to get beat up by Congress and auditors.

SBA seemed almost to confirm that in comments to Federal News Network.

“Knowing that the STARS III procurement process was already underway and that orders for additional performance could be issued under STARS III as soon as STARS III awards were finalized in one year, it made sense to limit additional performance under STARS II to an additional two years, particularly when SBA has been criticized by its OIG and Congress for allowing ‘awards’ to firms that have graduated from the program,” the agency stated.

SBA is working on changes that would require small businesses that win spots on a GWAC or multiple award contract to recertify if their status changes or if they are bought by a large company. That new rule for 8(a) recertifications, called for in the 2010 Small Business Jobs Act, however, remains in the rulemaking process.


The former official said the problem with taking a hard line now is that the rules in place when GSA awarded STARS II should remain in effect throughout the life of the contract.

“People assumed the contract would operate as it always had, and if not for the ceiling issue, this would’ve never come up, so I can see why it’s concerning to these companies,” the former official said. “At the same time, how are we helping current 8(a) participants if you can only reach former 8(a)s? That is a tension that has been around for a long time.”

A tension now exacerbated by SBA’s decision to change the rules at the end of the game.

Lawmakers take interest in changes

The 8(a) STARS II Coalition has received support from House and Senate lawmakers who are pressuring SBA and GSA for answers.

Rep. Eleanor Holmes Norton (D-D.C.), wrote to GSA on July 27 asking for a written explanation of the decision to limit the period of performance.

Then four House members and three Senators wrote to SBA and GSA on July 28 seeking answers by Aug. 14 to 10 questions about the decision to limit the period of performance on STARS II and its impact.

While it’s unclear if SBA or GSA responded to the lawmakers’ letters, the small businesses are left in the cold because of a decision that could’ve been made with more pragmatism and forethought.

Few would argue that the recertification process is broken, and given that SBA knows a fix is coming for 8(a) STARS III and other future contracts, it would have been smart and practical not to rewrite long-standing policy, especially in the fourth quarter buying season and for a highly successful 8(a) contract, but instead to keep the popular program available based on the terms and conditions SBA and GSA promised from the beginning.


Common themes among 5 agency IT modernization plans

If there is a reason to have hope that agencies actually are addressing outdated and potentially risky mission-critical systems, the five agencies that answered the call from Sen. Maggie Hassan (D-N.H.) provided a little optimism.

The Defense Department told the senator that in June it finished an update to an Air Force system, which the Government Accountability Office in June 2019 deemed moderately high in risk to mission and moderate in cybersecurity risk.

The Education Department, which GAO said a year ago didn’t have a plan to modernize its systems, now does, and it includes the release of a new solicitation this fall to modernize the Federal Student Aid system that is 46 years old and considered high risk to mission and cybersecurity. Education said it plans to release an updated system by October 2022.

These are two of the examples highlighted by the five agencies that responded to Hassan’s June 3 letter.

Along with DoD and Education, the Department of Homeland Security, the Social Security Administration and the Small Business Administration also answered the senator’s six questions.

“One of the things that is constantly misunderstood is how much we have to do to get out from under the technical debt,” said Mike Hettinger, the president of Hettinger Strategy Group and a former staff member for the House Oversight and Government Reform Committee. “We read the GAO report that says there is one system in several agencies that needs to be modernized, but this shows just how much work there really is. When we talk about $1 billion for the Technology Modernization Fund or more investments for the IRS, it’s not just throwing money at small problems, but it’s trying to address the fact that there is a lot of work to be done.”

The departments of Treasury, Interior, Health and Human Services and Transportation as well as the Office of Personnel Management hadn’t responded to Hassan’s request as of Aug. 10. The deadline to respond to the ranking member of the Homeland Security and Governmental Affairs Subcommittee on Federal Spending Oversight and Emergency Management was Aug. 3.

But those agencies which did respond shed light on plans and actions not previously made public, at least in this way.

Hettinger said that while many of the agencies’ answers may have been the same five years ago and would still be similar in five years, the letters show what is important to each chief information officer, and in some cases the chief financial officer, over the next few years.

“One of the key things that may not be called out explicitly, but was obvious from the letters, is agencies need more money for IT modernization. This nickeling and diming isn’t going to cut it. If you really want to invest long term, I would’ve liked to have seen their investment plan by fiscal year. How are they going to invest in these programs to really modernize these legacy systems? You need to know how much money they will need each year and what milestones they will achieve,” he said. “There are a lot of quarterly briefings Congress is requiring on different legacy systems across the government and one way to look at it is to ask agencies to tell them how they are doing.”

In DHS’s letter, which included attachments for its network modernization plan under the Enterprise Infrastructure Solutions (EIS) program and its data center consolidation and migration plan, Karen Evans, the agency’s CIO, and Troy Edgar, the agency’s CFO, laid out its five top priorities and estimated completion dates:

  • DHS is pursuing a phased approach to network modernization, which runs through fiscal 2023.
  • Data center 2 exit is targeted for first quarter 2021.
  • Data center consolidation and optimization will run through 2021.
  • Security operations center optimization commences in 2020 with the first assessments, and optimization efforts will be ongoing through 2024.
  • DHS plans to use the Cybersecurity Talent Management System (CTMS) under the Title 6 authority to recruit cybersecurity service employees to support SOC optimization in 2021. Initially, DHS plans to use CTMS to hire and manage approximately 40 new cybersecurity service employees for the enterprise 24-hour-per-day security operations site outside the National Capital Region. This effort will provide a roadmap for program implementation by components, and associated CTMS hiring will expand beginning in 2022.

The Social Security Administration said its IT modernization priorities will lead to cost savings.

“Our modernization plan is a program of business process improvement and IT development. We view cost-savings as our return on investment (ROI) for efficiencies gained through our IT modernization efforts. We base our ROI on efficiency estimates gained by similar entities after completion of their modernization projects, as well as on cost efficiencies achievable over time through our work with leading research firms,” SSA’s letter stated. “As we modernize our IT infrastructure, including retiring legacy systems, we assume incremental efficiency gains of 10% in the first year benefits are realized, 15% in the following two years, and 20% thereafter. Applying these gains to the portion of our annual IT cost affected by modernization efforts results in a positive ROI of about 12%.”

Sen. Maggie Hassan, D-N.H., wrote a letter to 10 agencies asking about IT modernization plans.

Pentagon to triple use of cloud services

And then there is DoD, which hit a range of IT modernization topics.

“We expect cost to shift from legacy hosting and data center models to modern cloud based digital infrastructure, with a target of 9% of total IT spending dedicated to cloud services by FY2025, up from 3% in 2022,” wrote DoD CIO Dana Deasy. “The department is also in the process of implementing programs such as comply-to-connect (C2C) and Automated Continuous Endpoint Monitoring (ACEM), which will work together with Enterprise Patch Management System (EPMS) to provide enterprisewide automated patching and endpoint monitoring capability. This will enable the provisioning of trusted patches in a timely manner, enhance situational awareness, and provide improved visibility tools. These three capabilities will be deployed across the enterprise over the next several years.”

Deasy said DoD will invest about $526 million into C2C and another $389 million in ACEM.

“These capabilities will automate labor-intensive patching activities, and are expected to reduce overall operating costs for the DoD. Cost saving projections will be determined once each of these capabilities is operational,” Deasy wrote. “The department anticipates ACEM to be operationalized by the end of calendar year 2020. C2C will be implemented in stages, starting in 2022 with an estimated completion by the end of 2024, on both unclassified and classified networks. The EPMS will reach initial operational capability on classified networks by third quarter of 2021.”

Another trend that emerged from all five responses was the common need for Congressional help in the form of a working capital fund authorization.

Education, DHS and DoD all mentioned the need for this authorization, while SBA, which created a WCF in 2019, asked lawmakers to reduce the burden of data calls and reports.

SSA has received more than $370 million from Congress since 2017 for IT modernization, so it made its case for a different kind of resource: people.

“In the area of human capital, we believe that the SSA may benefit from statutory hiring flexibilities that other agencies have to hire individuals in positions that require expertise of an extremely high level,” SSA’s letter stated. “For example, the IRS has a statutory authority known as ‘streamlined critical pay’ that provides a significant amount of flexibility. Such hiring flexibilities may provide us with access to key skills and talents to support our IT modernization and digital transformation efforts.”

What comes next?

Hettinger said Hassan can use the information from these letters in several ways.

First, she can write her own letters to appropriation committee leaders to encourage them to authorize working capital funds for IT modernization.

Second, he said, she could use the letters as a basis for hearings and other investigations.

“What comes out of all of these responses is the need to fix these outdated systems and the answers could be the starting point to build some legislation,” Hettinger said. “At the end of the day, these letters have to help drive change. That may be requiring agencies to no longer do five-year IT modernization plans or at least require some more consistency in them. That may lead to an adjustment for how Congress or OMB ask agencies to plan for IT. In the end, the goal is to drive toward the same goal of modern technology and how Congress can enable that more quickly.”


4 lessons from SBA’s $30M Certify platform debacle

This story has been updated to add a quote from a USDS spokesperson on Aug. 17 at 1:25 p.m.

Let me know if you’ve heard this one before: An agency hires “experts” to develop an application, spends tens of millions of dollars and the effort falls flat.

This easily could be the story to focus on with Small Business Administration’s Certify.SBA.gov project.

A recent agency inspector general report found the agency brought in U.S. Digital Service experts and spent upwards of $30 million over the last five years to develop the platform, only for most of the effort to be scrapped, forcing SBA to basically start over again.

Instead this is a story about perseverance. It’s a story about lessons learned that every agency should keep in mind. And this is a story that offers an inside view into why federal projects do fail and how simple steps could change the direction of any IT project.

A quick background to start: SBA kicked off an 11-year, $45 million project to modernize how small businesses apply to be a part of socioeconomic programs like the 8(a) and women-owned small business initiatives. The agency tried this before in 2008 and spent $3.5 million before giving up six years later.

On this second try, SBA brought in USDS experts to run the program, oversee the development and implementation of the software and ensure success. While on the surface the partnership seemed to find success, the IG report and interviews with experts show just how the program went off the rails.

Here are four lessons agencies should heed from SBA’s experience.

Lesson No. 1: Get the requirements right from the outset or else the rest of the effort suffers

This seems simple, but for whatever reason SBA, like so many agencies, struggled to know what they were trying to accomplish. There has been, and continues to be, a lot of discussion about outcomes versus outputs when it comes to system development. But for an assortment of reasons this simple concept remains elusive to many in the technology sector.

“USDS didn’t think about the companies who would come back to SBA down the road to use the other services like loans or other assistance. They looked at it from a myopic perspective of getting certified,” said a former SBA official, who requested anonymity in order to talk about this controversial program. “They didn’t think it would be good for SBA to know their customer journey, whether the business started off getting a certification, then went to the Mentor-Protégé program and then they got 7(a) loans. USDS didn’t ever understand that perspective.”

A government official with knowledge of SBA said the inability to define requirements has been a common problem at the agency for years.


“Every one of those [past] efforts had problems and the only thing that is consistent is incomplete requirements. That makes it impossible to build a final solution and have it right,” said the official, who also requested anonymity because they didn’t get permission to speak to the press. “SBA finally shrunk the requirements down to just women-owned small businesses and it got that one thing right. But even these requirements changed through the launch, and that’s a program office issue.”

The official added the program office also dropped the ball because it didn’t give USDS a complete set of requirements from the beginning.

Steve Cooper, a former CIO at the Department of Homeland Security and the Commerce Department who is now consulting at SBA, said the lack of independent verification and validation from a third party also contributed to the challenges.

“The tough part of this was there was not direct involvement of the small businesses who have to go through the certification process, and USDS and the program office attempted to use proxies for customers and that apparently failed,” he said.

It was clear that SBA didn’t get the right decision makers in the room, those who know the processes, to guide the project and make sure the users were involved from the beginning.

Lesson No. 2: Mission modernization projects need to involve the CIO’s office

Multiple sources say from the start USDS didn’t, or more specifically wouldn’t, work with the CIO’s office and, in fact, made it clear that the team only answered to the Office of Management and Budget.

“They weren’t cooperating. They had a holier than thou attitude, were dismissive and demeaning. They were not inclusionary at all,” said the former SBA official. “We tried to get them to be part of the journey, but they were dismissive of any inclusionary efforts.”

The government official added only when the Certify.SBA.gov program got into trouble did USDS bring in the CIO’s office.

“It was a wrong approach and there was no adult supervision on top of it,” the official said. “Finally, through the governance process where the CIO and CFO offices conducted reviews last summer did the agency say enough as they didn’t see an end to the costs.”

“USDS is committed to delivering better government services to the American people, and appreciated the opportunity to collaborate with SBA on work to improve the customer experience for small businesses,” said a USDS spokesperson in an email to Federal News Network.


An SBA spokeswoman declined to comment beyond what the agency wrote in response to the IG report. The agency didn’t comment on the USDS role or its efforts in the IG report. The agency, however, pointed out that Certify.SBA.gov has made the process better and the agency has seen a 65 percent increase in new participant applications since Certify’s 8(a) application went into production.

“SBA is pleased that the report recognizes the fact that Certify has aided in small business participation due to the simplified process of submitting applications,” the agency stated in the report.

Cooper said anytime a vendor or third party like USDS decides not to, or fails to, collaborate with the CIO’s office, the program is in greater danger of problems because it’s being siloed within the mission office.

“As a former federal CIO, I would argue that oversight should’ve been done by [the] CIO’s office but in this case, it wasn’t done by anybody,” he said.

Lesson No. 3: Buy before build; custom code only as a last resort

This continues to be a lesson too many agencies have to learn. SBA’s IG said the agency’s Business Technology Investment Council (BTIC) found in August 2019 that the Certify platform was “unsustainable on a long-term basis due to the cost of maintaining and updating the platform’s 35 mostly open-source software items and services. Additionally, program officials reported that Certify’s current design had unaddressed security vulnerabilities and was difficult to understand and improve. Furthermore, program officials found latent defects and data migration errors.”

Again, multiple sources say this was because USDS decided to custom-code the platform instead of using a commercial off-the-shelf application.

The former SBA official called the decision “astounding,” especially given USDS prided themselves on bringing in commercial best practices, and nowhere does it say custom coding is the first option.

“When USDS came onboard they did not look at other agency IT systems and data structure properly. For example the data structure in the Small Business Innovation Research (SBIR) program SBIR.gov platform has similar data structure to what would need to be collected for Certify.SBA.gov, and we asked them to stop recreating the wheel and synchronize with working agency IT systems and then customize only where they need to,” the official said. “Part of the problem was Certify was being sold as an end-all solution and not a tool in the tool kit. This is one of the tools SBA is doing to solve pain points from case management and workflow perspectives.”


Another example of the build-not-buy decision by USDS came with the identity, access and authentication application. The former official said the developers chose not to use the Login.gov service from the General Services Administration and instead developed their own approach, which ended up not working well.

“Anytime you build a system that complex where everything is custom coded, the tail to maintain it would be very expensive and difficult to protect from a cyber perspective,” said the government official. “They should’ve looked for a software-as-a-service instead of custom coding.”

In September, SBA decided to move away from the custom-coded platform and awarded a $3.5 million contract to move to a Microsoft Dynamics 365-based platform as part of SBA’s new enterprise customer relationship management system initiative. SBA also implemented the Login.gov service from GSA earlier this summer as part of this and other development efforts.

Lesson No. 4: Mission goals remain so know when to change direction

After the agency “kicked out” USDS, as the former SBA official put it, and the CIO’s office took over the development, the move away from custom code to a commercial platform let Certify find more success.

SBA launched “version 2” of the program in July for women-owned small businesses and had plans to continue development.

The former SBA official said the agency threw out upwards of 80% of the work from USDS and spent less than $10 million to get version 2 up and running in less than nine months.

“Now SBA has an architecture and its data flows on the back end are more robust and have more fidelity so now they just have to focus on the front end,” the former official said. “It’s really just a case management system because 75% of the fields are the same no matter what you apply for so you just needed a baseline set of capabilities you could standardize, and then you could customize the front end from there for the different programs. The platform is in a much better position now and going in the direction it needs to go.”

Sources say current CIO Keith Bluestein decided in recent weeks to pause the work on Certify and decide how to move forward with the entire effort.

Cooper said moving Certify forward means reviewing the current approach and deciding whether a low-code or no-code platform makes sense for future iterations.

“The OCIO recognized that they don’t want to do custom development or as little as they can. In addition, what you have is a significant portion of the system is workflow automation. Any of these platforms can automate workflow automation without any custom coding,” he said. “As a former federal CIO, what the CIO is now doing is taking what they’ve learned in the federal enterprise over the last several years and applying industry best practices to this Certify optimization effort. In listening to SBA OCIO team, there is clearly an understanding that earlier efforts did not use best practices and moving forward and paying attention to [the] IG report, they are moving in the right direction.”

Cooper added that this experience for SBA should be shared with other agencies. He said while failed projects are wasteful and frustrating, sharing the mistakes and missteps will help others ensure they don’t step in the same potholes.

“The reason why this keeps on happening is agencies still operate within own agency boundaries and don’t consciously take the time to share what they’ve learned to help avoid other mistakes,” he said. “The federal government writ large blames people and when you do that, the learning process doesn’t happen easily. People are scared to come forward so others can learn from their experiences, especially if you think sharing will mess up your career or get you fired.”


Education pushes back, OPM opens up during FITARA hearing

Most of the time, the focus on the twice-a-year Federal IT Acquisition Reform Act scorecard hearing is on the grades. Which agencies are up, which are down and which agency chief information officers remain in the proverbial back room versus the board room?

But when you dig deeper into the testimony or the hearing discussion, that’s where some of the most interesting IT modernization progress news is revealed.

Here are three takeaways from the House Oversight and Government Reform Subcommittee on Government Operations FITARA 10 hearing:

Education defends data incident

The Education Department received a B+ on the FITARA scorecard, down from an A+ in December. But that wasn’t the reason Jason Gray, the agency’s CIO, appeared before the House Oversight and Reform Subcommittee on Government Operations on Aug. 3. After his opening statement highlighting Education’s IT modernization progress over the last few years — upgrading 5,000 laptops, reducing storage costs and saving $20.5 million — Rep. Stephen Lynch (D-Mass.) made the reason why Gray was appearing before the subcommittee clear.

“I read recently a pretty good story in The Washington Post that talked about thousands and thousands of borrowers of student loans whose personal information, their Social Security numbers, their detailed financial information was left exposed by the Department of Education for like six months. These are people who were looking for some relief, either they had been taken advantage of or exploited by for-profit universities … yet we left all their information available to whomever would tap into it,” Lynch said.

Jason Gray is the Education Department CIO.

The data incident Lynch referred to came to light in late June and immediately drew the attention of lawmakers.

Gray, obviously, was prepared for the question.

“I would share that article was incorrect. The department did not leave that open for many months,” he said. “We had a situation where a file share was inadvertently left open to internal department only employees. As we briefed the committee on Friday [July 31], there was not external access. It was one element. We did report as required by OMB memo 20-04. It is a low-risk incident.”

Gray compared the situation to where a safety deposit box in a secured vault in a bank is left unlocked and the only people who can access the vault are trusted, vetted employees. He said it was one file out of 7 million folders where a user inadvertently allowed others in the department permissions to access the data.

“This is a situation where an employee actually recognized that a safety deposit box in that vault was left open and external people could not get to it. It should not have been unlocked,” he said.

Lynch interrupted to ask if every single person has a “need to know,” meaning they have access to the data. Gray said while every employee is vetted to be able to review that information, they don’t all need to access it.

Lynch said Education needs to tighten up the access to this sensitive data, to which Gray agreed and said the agency already has taken steps to do that.

“We took care of it right away. We also went through and scrubbed and rescrubbed. We hired a third party to come in and recheck all of what we’ve done. As of this morning, they have come to the same exact conclusion as it relates specifically to this incident, it was a low-risk incident,” Gray said.

For the rest of the hearing, another 35 minutes or so, Gray received three more questions, two of which focused on this data incident and Education’s cybersecurity challenges.

Reps. Glenn Grothman (R-Wis.) and Gerry Connolly (D-Va.) both asked about improving Education’s cybersecurity scores. On the scorecard, the agency received a C and the agency’s inspector general 2019 Federal Information Security Management Act report from October found Education’s “programs were not effective in any of the five security functions — identify, protect, detect, respond and recover.”

Gray said Education has taken a four-phased approach to focus on its processes, policies, tools and training of employees.

“We’ve also developed and implemented a cyber risk scorecard with near-real time metrics and it’s aligned to the National Institute of Standards and Technology’s cybersecurity framework,” he said. “That’s visible to our system owners so they see exactly how they are doing. When something is red, it’s not necessarily red, but it’s an indication that it needs some work. The scorecard gets briefed every single month to the secretary and deputy secretary and monthly to all the assistant secretaries.”

Scorecard changes coming sooner than later

If you didn’t stay around for the second panel of former federal IT executives, then you missed what the future of FITARA likely will look like.

It was clear the subcommittee plans to add the transition to the Enterprise Infrastructure Solutions (EIS) program from Networx for telecommunications and infrastructure modernization to future scorecards. And it was clear the subcommittee is considering removing the software licenses subcategory from the future scorecards as every agency but the Office of Personnel Management received an “A.”

But the second panel, which featured Richard Spires, former Department of Homeland Security CIO, LaVerne Council, former Department of Veterans Affairs CIO, and Dave Powner, former Government Accountability Office director of IT issues, identified some of the more substantial ideas for change.

All three offered five improvements lawmakers and GAO should consider, and several common themes emerged.

“Some of the graded have reached a level of maturity where perhaps grading is no longer a necessity. This is not to say they are no longer important, but there are other areas that would benefit from the transparency, measurement and oversight the scorecard provides,” said Powner, who is now director of strategic engagement and partnerships at the MITRE Corp.

Spires, who now runs his own consulting firm, said despite the progress of FITARA, agencies continue to need to mature processes and procedures to manage and maintain technology systems and applications.

“Given the success of the scorecard, it should continue as a tool to measure agency progress. I recommend changes to the scorecard to sharpen the focus on IT management and modernization,” he said.

All three thought the subcommittee should address workforce gaps and IT budgeting challenges through future scorecards.

Council, the current CEO of Emerald One, LLC, said ensuring agencies have a “culture of readiness” to adopt new or emerging technologies is critical.

“IT is not an island. It is a catalyst, a partner, a visionary. No CIO can transform their technology environment in isolation. The culture must be prepared to adjust to that transformation,” Council said. “The organizational culture must not only endure technology modernization. They must embrace it.”

Powner added focusing on the workforce would help better address long-standing challenges to fill critical skillsets.

“[A]lthough not directly tied to this scorecard discussion, Congress should look at using more critical pay authorities for CIOs, as well as examining five-year appointment terms for CIOs to address the short tenure problem and its impact on mission modernization,” he said.

The appropriations process has long stood in the way of IT modernization success.

Spires said agencies need to understand cost and value coming from technology, through the use of Technology Business Management standards and through the benchmarking of IT services.

Powner agreed that understanding where money is spent and what agencies get from that funding would help them make the case for increases in technology funding from Congress.

“We must ensure that our agencies’ fiscal reality supports the technology mandates we impose. It is a disappointing reality that many of our agencies continue to receive technology budgets that allow them to do little more than maintain and sustain outdated systems,” Council said. “For FITARA, the Modernizing Government Technology Act, the Technology Modernization Fund and other technology legislation to affect significant change and position our government for the next crisis, consider how they may link to one another. Is TMF funding contingent upon FITARA scores? Can FITARA scores be decreased due to the low use of the mechanisms in MGT? By creating more meaningful connections between the different tactics, the committee can create the leverage and strength some agency CIOs need to build support through their leadership teams.”

Spires offered an interesting idea for how to keep the scorecard relevant going forward. He suggested creating an advisory board, led by GAO and including the CIO Council, OMB and private sector experts, to come up with suggestions to improve FITARA over the next three to six months.

OPM IT modernization revealed

Remember when the Office of Personnel Management was the agency every lawmaker and contractor cared so much about? This past June marked just five years since the world found out about the neglected state of OPM’s IT infrastructure that led to the loss of data on 21.5 million federal employees and contractors.

The public focus on OPM dimmed the further we got from the breach, and the agency’s technology officials crawled out of sight over the past few years, leaving much to wonder about whether the agency fixed many of its systemic IT problems.

Clare Martorana, OPM’s seventh CIO in seven years, shed a little light on the state of OPM’s IT modernization efforts during the hearing. And on the surface, it’s hard to tell just how much progress the agency has made.

Clare Martorana is the chief information officer for the Office of Personnel Management.

On the positive side, Martorana said the agency rolled out about 2,800 laptops to employees and moved to Microsoft Windows 10 and cloud-based Office 365 email.

“[W]e made improvements to expand our virtual private network (VPN) capacity and security to ensure we’d be able to provide the same level of support to our workforce of about 2,800 OPM employees, as well as about 11,000 Department of Defense Counterintelligence and Security Agency (DCSA) employees and contractors,” Martorana said in her written testimony. “OPM staff and contractors moved seamlessly to maximum telework, utilizing this secure connection to the OPM network over the internet to access the various OPM systems and applications. Due to our laptop repair program, virtually every staff member was able to take their laptop home and perform their work with little to no interruption.”

She said OPM has an average of 4,500 concurrent users a day and the network consistently remains below 50% bandwidth consumption.

Another positive development happened in mid-July. She said OPM successfully migrated their mainframe technology from the headquarters building in Washington, D.C., to the Iron Mountain commercial data center in Boyers, Pennsylvania.

“We also met the challenge of decoupling OPM’s systems from DCSA’s 2 1/2 months before the Oct. 1 deadline as required under the National Defense Authorization Act (NDAA) for Fiscal Year 2018 and Executive Order (EO) 13869,” Martorana said. “OPM and DCSA’s systems are now fully operational in a new modern environment and have a disaster recovery environment in place. Many said this could not be done.”

This really was the first update by OPM in nearly 18 months, since David Garcia left in February 2019 and leadership elevated Martorana to the CIO role.

But it also shows how far OPM has to go. Martorana said the agency’s IT budget remains fed by seven disparate funding streams. She wants to create a working capital fund under the MGT Act, but it’s unclear whether Congress will grant her that authority.

Martorana also seemed to insinuate that real IT modernization at OPM can’t truly begin until DCSA takes over all security clearance related technology infrastructure and systems later this year.

“We are struggling with our staffing. We are struggling to make sure we have appropriate staff levels to support all of the systems we are maintaining,” she said. “We are still on a daily basis operating DCSA, national background investigations systems and all of their daily operations as well as all of their laptop and desktop support services. As we are able to hand that mission fully over to DoD and focus singularly on OPM, that will give us the opportunity to focus on OPM’s core mission and upgrade all of the services we deliver to our mission.”

One of those core mission areas is the retirement systems modernization effort that has failed numerous times over the past three decades.

Martorana said OPM recently tested an emergency technical solution with one payroll provider to allow for the electronic submission of retirement applications to OPM.

“Our test was successful and can be expanded to the remaining payroll providers should we have the funding levels necessary to support this effort,” she said.

Martorana promised to get OPM’s FITARA scorecard grade up to a B+ from a C+ in the next grading period. She said funding under the coronavirus stimulus bill will help the agency improve how it manages its software licenses to meet the goals of the MEGABYTE Act.

“Before you can modernize an enterprise, you must ensure that you have a solid foundation to build upon,” she said in her testimony. “OPM is undergoing the foundational efforts to modernize outdated and dilapidated systems and infrastructure which makes operating challenging on a daily basis.”


CIO Council reawakens push to use Technology Business Management standards

The push to implement Technology Business Management standards went quiet for much of the past year. There was little public discussion among agency chief information officers or chief financial officers.

The Office of Management and Budget released no memos or policies over the past year pushing TBM forward until this past July when it updated Circular A-11.

And even in A-11, the annual budget guidance, there is no direct mention of TBM — a priority since 2017. A-11 highlights TBM-related concepts like the requirement for agencies to “complete the phased implementation of more granular IT cost reporting. While there is no expectation that agencies will change authoritative data systems at this time, agencies should continue to categorize costs into IT Cost Pools and IT Towers. Over time, OMB will work with agencies to determine how to automate authoritative data collection.”

While the push for TBM has been inconspicuous at the OMB level, there are rumblings from below. The CIO Council released a new guide developed by the Federal Technology Investment Management (FTIM) community of practice and the General Services Administration’s Office of Governmentwide Policy, called Meeting IT Priorities with TBM.

The council said the guide helps “to illustrate how IT cost transparency can be enhanced through the TBM framework,” and “aligns the priority activities to the four disciplines of TBM (transparency, delivering value, shaping business demand, and planning and governing) for a more enhanced description of how TBM can help meet the agency goals.”

Kelly Morrison, a former performance analyst in OMB’s Federal Chief Information Officer’s office and now a director leading Grant Thornton’s TBM practice, said the new guide is an important piece in helping CIOs, budget analysts and others working in the capital planning and investment control (CPIC) function to integrate TBM processes and change management efforts.

“The value of any policy, initiative, management framework, process or tool is based upon utility and utilization. This guide will hopefully provide agencies a broad view and understanding of how TBM data and insights can start to be integrated and leveraged with the various business processes and how to engage stakeholders across the organization(s),” she said. “Until TBM data is utilized to inform the various processes, products and overarching planning, programming, budgeting and execution lifecycle, agencies are missing the opportunity to unlock the true value potential. This guide can be a helpful map for agencies.”

New CPIC tool

At the same time, GSA released a new tool, Folio, which is for IT portfolio management.

“Designed by the federal eCPIC Steering Committee (FESCOM) community, Folio is the successor to the eCPIC application, which served as the premier governmentwide shared service for over 15 years,” GSA wrote in a July 27 blog post. “It is a web-based, government-owned, fee-for-service technology solution that helps agencies manage and report to OMB on their portfolio management, IT capital planning, and IT governance processes. The new application provides an improved user interface, flexible data collection capabilities, and a modern technology stack.”

GSA said 17 agencies tested and migrated more than 13,000 records to Folio between March and July. The data includes more than 2,600 investments, more than 4,300 projects and 1,700 users.


Taken together, these are the first new tools and guides agencies have as they hit the home stretch with their 2022 budget requests, which traditionally are due to OMB in mid-September.

Agencies are under specific deadlines to implement TBM through their 2022 budget requests, but the uphill climb to use these standards has been slow. As part of the President’s Management Agenda, the CIO Council’s Federal Technology Investment Management (FTIM) Community of Practice, with the support of ACT-IAC industry volunteers, will develop an IT spending transparency maturity model. The current state of the maturity model is unclear.

This is why the new guide becomes important to educate IT and non-IT executives about how to use TBM. It seems part refresher and part initial education of a CFO or budget analyst who is learning about the standards.

“I encourage agency representatives outside of the TBM community to review this guide as it may help them understand how to engage and leverage the team leading the TBM effort,” Morrison said. “There needs to be a partnership where the agency is embracing the TBM framework as a game changing management tool – it’s an uphill battle if there is a single team driving without organizational support and engagement.”

Applying TBM to IT priorities

In the guide, users can learn how to apply TBM to IT strategic plans or the Federal IT Acquisition Reform Act, the CPIC process or any number of priority initiatives like data center consolidation and optimization or the continuous diagnostics and mitigation (CDM) program.

“This document explains how agencies can use TBM as a part of a larger IT cost transparency effort to meet IT priorities,” the guide states. “Each priority outlines initiatives and related requirements from OMB guidance, memos, and/or legislation. The guide below provides a crosswalk to identify and understand how TBM can help satisfy relevant requirements.”

The end goal with TBM, as a few agencies have learned, is to get a better handle on where they are spending money on technology and then make better decisions based on that data.

A 2018 survey by the TBM Council and Grant Thornton found public and private sector CIOs are struggling to become a trusted partner instead of being seen just as a cost center.


Jim Gfrerer, the assistant secretary for information and technology and CIO at the Department of Veterans Affairs, said during a recent interview that the coronavirus pandemic is helping to break that cost center perspective.

“People often look at the enterprise costs, and they say, ‘what do I get out of that?’ Well you have a highly functioning and efficient Trusted Internet Connections gateway so you also get access to those applications that we built, and without that reliable and durable enterprise, what good is the world’s finest and most premier application?” he said. “Through TBM, we’re able to show the administration in the staff offices, a budgetwide, enterprisewide, here’s what we’re spending on you direct and indirectly to provide you those services that you so desperately depend on.”

Gfrerer said VA, like the private sector, has to start asking itself when it becomes a technology company delivering healthcare outcomes.

He said the pandemic has started to bring employees around to that point of view.

“You really can’t shortchange your technology because it is becoming the critical, indispensable aspect of your care delivery,” Gfrerer said. “The Veterans Health Administration motto is ‘care anywhere, at anywhere,’ and you only do that with technology.”

And if you don’t know what that technology costs, it becomes even more difficult to become a technology provider of mission outcomes.


Changes to the CMMC Advisory Board as Congress turns up scrutiny of cyber standards

Less than two months after the Cybersecurity Maturity Model Certification advisory board became official, there are already changes afoot.

Two original members of the advisory board have recently left. John Weiler, CEO of the IT Acquisition Advisory Committee (IT-AAC), and Jim Goepel, the CEO and general counsel for Fathom Cyber LLC, are no longer listed in the main board of directors section.

Goepel left for personal reasons, while Weiler decided to work with the CMMC AB in a new way.

The change comes as the Senate and House armed services committee members turn up the heat on the CMMC by adding nine provisions—six from the Senate—in the fiscal 2021 Defense authorization bill.

Each chamber already passed its version of the bill and the legislation is in conference.

The one provision in both bills is for DoD to bring its own cyber hygiene up to a level 3 under CMMC.

“The committee is concerned that while DoD leadership recognizes that certain cyber hygiene practices could effectively protect the department from a significant number of cybersecurity risks the department has not implemented its own cyber hygiene practices, and yet it plans to require private sector companies to implement cyber hygiene practices through the Cybersecurity Maturity Model Certification (CMMC) framework,” the House report stated. “Given the importance of implementing cyber hygiene practices that could effectively protect DOD missions, information, systems and networks, we direct the secretary of Defense to submit a report to the defense committees identifying the extent to which each of the DoD components have implemented cyber hygiene practices and levels identified in the CMMC framework.”

The Senate bill goes even further, detailing what information lawmakers want from the Pentagon.

“The report shall include, for each DoD component that does not achieve at least level 3 status, a determination as to whether and details as to how: (1) The component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and (2) The component will mitigate potential risks until those practices and capabilities are implemented,” the Senate report stated. “The committee further directs the Comptroller General to review this report of the secretary of Defense and provide a briefing to the congressional defense committees no later than 180 days after its submission to the Congress.”

The report would be due by March 2021.

More reports on implementation

Both chambers also want updates on CMMC implementation next year.

The House wants the Acquisition and Sustainment Office to submit a report by Jan. 15 addressing nine topics, including the estimated annual costs to the department for CMMC expenses that will be considered an allowable cost on a government contract for each of fiscal years 2020 through 2024; a discussion of the roles, responsibilities and liabilities for the prime contractors and subcontractors with regard to the assigning of the CMMC tier; and a discussion of how the CMMC Accreditation Board will prioritize the requests for CMMC certification and the factors used to determine priority, if any, specifically with regard to company size, sole source contracting, and the timelines included in the Department’s rollout of CMMC.

The Senate bill, meanwhile, asks the Government Accountability Office to evaluate CMMC and include “perspectives of companies across the defense industrial base and include analysis of the department’s oversight responsibilities, the role of nongovernmental entities in managing and executing the program, and assessment of the department’s incorporation of lessons learned from the pilot programs.”

GAO also should “assess the department’s plans to expand the requirement to all contracts and associated costs and the steps the department has taken to ensure a consistent acquisition approach across all military services and components.”

This report would be due by May 31.

With all of this interest in CMMC, the IT-AAC and the CMMC board signed a memorandum of understanding to create a center of excellence where the two non-profits will work together to promote the standards, train industry and work with NATO partners to adopt the requirements.

Weiler, who recently left the board, said the goal of the CoE is to bring together the many voices across the defense industrial base supply chain to help advise government, Congress and industry about the best ways of meeting the goals of the CMMC. He said the center “will provide an honest broker and force multiplier for small and medium businesses to get educated and prepared for CMMC and related cyber hygiene standards, and help enable existing DIB communities of practice and industry groups keep abreast of emerging changes, threats and educational programs that can be applied within their own domain, in a shared expense/revenue model.”

Changes coming from NIST?

One last possible change came about on July 31, when the National Institute of Standards and Technology issued a draft special publication 800-53B, Control Baselines for Information Systems and Organizations.

Larry Allen, president of Allen Federal Business Partners, told the Federal Drive with Tom Temin that the draft requirements may impact level 4 and IL5 under CMMC.

“[E]ven if you’re certified to one standard, does that really mean that you’re going to be certified whatever this new NIST standard is that’s now going through the rulemaking process? We don’t know,” Allen said. “If you’re a contractor, this has to just be very confusing. And it’s a huge distraction at federal year end. My recommendation to DoD is just slow down, lower your expectations. Everybody knows that if the road isn’t built, nobody can get to the end of the road. And you shouldn’t be expecting people to pull into your parking lot if the road isn’t built.”

Allen added that contractors will not know for sure how 800-53B will impact CMMC IL4 and IL5 requirements until both standards are final, but changes are coming.

NIST details 20 control families ranging from incident response to configuration management to supply chain risk management.

In the supply chain risk management family, NIST details 14 controls at the high baseline, which is two more than the moderate level and three more than the low level.


How 500 comments influenced new cybersecurity guidance from CISA

Agencies now have three of the six documents needed to begin to move away from the old way of securing their networks—thus lifting the security albatross off their proverbial necks.

The Cybersecurity and Infrastructure Security Agency released on Friday the program guidebook, the reference architecture and the security capabilities catalog under the Trusted Internet Connections (TIC) 3.0 policy.

Taken altogether, these documents detail a modernized TIC program, define the program’s concepts and outline security capabilities that agencies should consider as they implement TIC 3.0.

CISA received more than 500 comments from agencies and industry on the draft documents it released in December. The Office of Management and Budget set the stage for agencies with the release of its final TIC 3.0 policy in September, finally updating the 12-year-old regulation.

The TIC 3.0 policy makes it easier for agencies to move applications to cloud services by giving them a less prescriptive and more flexible approach to securing data and using off-premise services.

“CISA anticipates the final core TIC 3.0 guidance will better address stakeholder needs and concerns. The guidance is expected to evolve to reflect technological advancements, changes in threats and the lessons learned from TIC pilots to help ensure its usefulness to federal agencies,” the agency stated in its response to the comments it received on the draft documents. “CISA is also committed to supporting agencies and continuously receiving feedback to aid in the development of future iterations of TIC guidance.”

CISA says it will release the final versions of the use case handbook, the overlay handbook and two use cases for traditional TIC and branch offices later this summer. CISA gave agencies the third initial use case in April to help them address the surge in teleworkers.

Five common themes from stakeholders

From the comments, CISA identified five common themes, including alignment across cyber programs, support from DHS and more details and context for the terminology used in the documents.

“Several additional use cases have been proposed to CISA. CISA will coordinate with OMB, the General Services Administration and the Federal Chief Information Security Officer’s Council to prioritize and determine use cases to support after releasing the Traditional TIC Use Case and the Branch Office Use Case,” the agency stated. “The updated TIC guidance employs new architectural and security concepts to be more supportive of the latest technology and broad range of agency enterprises that will be adopting TIC 3.0. Agencies have accepted the new approach to TIC implementation, and the TIC program has received positive feedback on its increased flexibility and responsiveness to agency needs. Additionally, the number of security capabilities has increased to reflect the growing number of cybersecurity threats and adoption of cloud-based services.”

Another major update based on comments is around trust zones. CISA says it provided more information on the prerequisites, boundaries and criteria of trust zones. It also offered more clarity on trust inheritance in traffic between zones and policy enforcement points (PEPs).

“Within a trust zone, further segmentation is permissible, including segmentation to the network, application, or browser level. This can occur when there are both shared protections that are common across all entities within the trust zone and distinct capabilities that are applicable only to a subset of endpoints within that zone,” the reference architecture stated. “Agencies may use relevant factors for grouping endpoints, which could include client purpose, services, user roles, need-to-know, geography or other criteria.”

CISA also detailed three trust zones—high, medium and low—and sample considerations around controls, transparency and verification requirements.

“[A]n agency could determine that all cloud service providers (CSPs) should be designated as medium trust,” the document stated. “On the other hand, an agency could also categorize one CSP as medium trust and another as low trust based on unique circumstances, like stronger contractual terms that provide greater visibility into one of the CSPs.”

Source: CISA TIC 3.0 reference architecture guidance.

Additionally, CISA made major changes to the security capabilities catalog, formerly known as the Security Capabilities Handbook, specifically around building on the trust zones discussion in the reference architecture.

CISA says six criteria guide an agency’s risk-based decisions on which capabilities are best suited for the system. These include:

  • Technology maturity
  • Sensor positioning
  • Policy enforcement point deployment
  • Scoped to the TIC initiative to achieve security objectives
  • Use case applicability
  • Goal based decisions

“TIC use cases will reference capabilities from this catalog and will provide guidance on how to deploy these capabilities within the context of a unique use case,” the catalog stated. “TIC overlays will provide mappings from these capabilities to vendor-specific tools and services. Over time, this catalog will be updated and will be informed by TIC pilot activities, TIC use cases, emerging technologies and threat insight.”

The still pending documents will include further updates to the use cases specifically focused on the relationships and data flows between trust zones and capability deployment. CISA also will try to clarify how “real world” networks align with use cases such as the scoping around cloud service providers (CSPs), PEPs and trust levels.

Just getting this first set of documents out helps agencies and vendors alike begin the transition to TIC 3.0, but it’s still the beginning of the process. The question always remains, how fast can CISA and agencies move and still remain secure?


Rep. Hoyer offers novel approach to fund IT modernization efforts

And now for an entirely different idea to modernize federal technology. What if Congress gave the IRS $2 billion to move off legacy systems and the savings from the tax agency would go back into the governmentwide Technology Modernization Fund?

That is the idea from Rep. Steny Hoyer (D-Md.), the House majority leader.

Hoyer sent a letter to Steven Mnuchin, the secretary of Treasury, on July 31 proposing to merge the TMF with the line item for IRS modernization funding.

“Since the funds will be administered through the TMF, the long-term cost savings resulting from the IRS upgrades would be reinvested through the TMF’s competitive revolving fund model into other urgently needed federal technology upgrades, including the Treasury Department, the Small Business Administration, and other agencies,” Hoyer wrote. “That TMF model has already proven effective through three years of success.”

Hoyer said House Democrats included $1 billion for the TMF in the HEROES Act, which the House passed on May 15, and the Trump Administration and Senate Republicans included $2 billion for technology upgrades specifically for the IRS in the legislative package proposed on July 27.

“I hope you will consider this suggestion, which would go a long way toward eliminating barriers to the effective implementation of our COVID-19 relief programs and help modernize government systems more broadly,” Hoyer wrote. “The American people deserve a government possessing the latest technology that enables it to serve them to the highest level of efficiency and ability.”

This proposal differs greatly from those of Hoyer’s colleagues in both chambers.

Sen. Chris Van Hollen led an effort on July 29 to convince Appropriations Committee leaders to match the House allocation of $1 billion for the TMF.

Over on the House side, Reps. Gerry Connolly (D-Va.), Carolyn Maloney (D-N.Y.) and 11 other Democratic lawmakers sent a letter to House leadership and the Appropriations Committee chairman and ranking member asking to include $1 billion for the TMF in the latest stimulus bill.

The TMF Board also made its 10th loan under the program to the U.S. Customs and Border Protection directorate on July 28.

Senate passes VA IT reform bill

And speaking of an agency with a lot of technical debt and one that Congress keeps sending more money to, the Department of Veterans Affairs may be getting new marching orders from lawmakers.

The Senate passed the Veterans Affairs IT Reform Act last week in an effort to “bring more accountability and oversight to the office within VA charged with delivering IT projects critical to providing care and benefits to millions of veterans and their families across the country.”

The bill requires increased transparency into proposed and current IT spending on critical programs for veterans at VA, while also directing VA to institute a number of outstanding Government Accountability Office (GAO) recommendations related to planning, management and operation of its Office of Information and Technology (OIT).

Sens. Marsha Blackburn (R-Tenn.) and Jon Tester (D-Mont.) sponsored the bill that now heads to the House for consideration.

The bill would:

  • Require VA to improve its IT budgeting processes by reporting significant budget variances and providing mitigation plans, and by creating expenditure plans for IT projects worth more than $25 million over three years. It also would try to improve the accuracy and detail of the annual President’s budget request for VA IT by ensuring the requests align with the department’s IT modernization strategy and include full lifecycle costs, including operations and maintenance requirements.
  • Require VA to fully implement OMB’s Data Center Consolidation Initiative – improving VA’s Federal IT Acquisition Reform Act (FITARA) compliance. VA would submit a compliance plan 90 days after the bill becomes law and then provide Congress with an annual progress report in March.
  • Institute a number of outstanding Government Accountability Office recommendations to improve OIT’s management and operation, including telling oversight committees which investments could be moved to the cloud, how much savings would come from that effort and developing a continuous monitoring strategy to improve VA’s cybersecurity posture.

While the bill authorizes no more funding, VA’s IT budget is more than $4.3 billion, and according to the federal IT dashboard, 88% of its projects are on schedule, but only 52% of its projects are on budget.

The challenges the agency has faced over the last 15 years are well documented. Another bill telling VA to comply with existing laws and policies from OMB seems a bit ironic. If VA didn’t or couldn’t comply the first time, why do Tester and Blackburn believe a second mandate will matter? Maybe a better approach would be to hold monthly oversight hearings or briefings like the committees did after the VA’s massive data breach in 2006. That both got leadership’s attention and prompted real change.

