Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Industry on pins and needles as DoD, accreditation body to finalize CMMC agreement

The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification off the starting blocks.

Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.

Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.

Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.

“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”

Until the MOU is signed, contractors are in limbo over how much they can prepare for the CMMC assessments.

Alan Chvotkin, the executive vice president and senior counsel at the Professional Services Council, said until contractors know what assessors are looking for, they can only do so much to prepare for CMMC.

The good news, Chvotkin said, is that many companies that do work for DoD already have to go through some sort of certification process, whether ISO, CMMI or others.

“Under the CMMC, it’s binary or pass/fail. You either meet all of the controls for a given level or you don’t. That’s a significant difference that companies have to think about, too,” he said. “It will require a lot of investment in addition to the preparation so you are ready when the assessors come in.”

Preparing for CMMC with other certifications

Citizant is one of those companies.

Alba Aleman, CEO and founder of Citizant, an IT services firm, said the biggest challenge is what is the evidence the assessors are looking for in their audits.

“When you do the interviews, when you try to get that evidence, it requires all of your people to speak the same language. It’s different than it happening behind the scenes and IT is handling it. That requires a lot of internal training and communications to get everyone up to the same page. That’s more resource intensive than just self-assessments.”

Pam Schoppert, the director of quality programs at Citizant, added it’s a people, process and tools challenge.

“The pragmatic application of selecting from those three areas to bring to bear the evidence is a different mindedness than saying, ‘we do it, it’s behind the walls and our people know it,’” she said. “This is a people issue, not just an IT issue. It’s getting the culture to understand this is the way we do business.”

Schoppert said Citizant just went through its sixth capability maturity model integration (CMMI) assessment and is ISO 9001 and 27001 certified, so it is used to preparing for audits.

But Aleman said that doesn’t mean her company is ready for CMMC.

“We are in the process of doing our gap analysis now so the three areas they are looking at are documentation changes, infrastructure changes with our managed services provider and what tool investments,” she said. “We will be looking at our costs this year to get to assessment. But the ongoing costs of continuous monitoring, we don’t know what that looks like.”

Chvotkin said the biggest costs for companies who go through the CMMC assessment will be in the up-front preparation.

“Costs will come in a couple of areas. The first is your systems preparation to be ready. The second is the cost of the assessment itself. And the third is the ongoing application of those standards for individual programs and contracts,” he said. “The biggest issue on cost is what level a company seeks certification at—1, 2, 3, 4 or 5. The higher the level of certification, the more significant the cost because of the number of controls and processes that have to be complied with.”

Beware of scammers

In the meantime, until the accreditation body has trained the assessors, DoD is warning vendors against anyone claiming they can get a company certified.

Lord issued a statement on March 13 warning against any third-party assertions about CMMC.

“At this time, only training materials or presentations provided by the Department will reflect our official position with respect to the CMMC program,” she wrote.

Chvotkin said the other major piece of the CMMC rollout is the release of the Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC.

He said that also will help vendors understand what falls under the “allowable cost” for cybersecurity that DoD is now permitting.

“For companies working on a fixed price basis, allowable costs don’t mean anything. For companies working on a cost reimbursable basis, it could. There are a lot of rules about allowability and reasonableness that have to be assessed,” Chvotkin said. “How the department finally permits and addresses the allowable cost nature of CMMC will be important and whether there will be other resources available either directly or indirectly.”

While vendors are waiting on the accreditation body, DoD is testing out the CMMC standards with the Missile Defense Agency vendors.

Arrington said MDA has been running a series of pathfinder programs using supply chain risk management standards. DoD is taking the data from those pilots and working with the vendors to see how the CMMC requirements would’ve fit into the effort.

“Those pathfinders have been very cooperative and collaborative with the primes in terms of how we do the flow down of information. It only made sense to use those as the jumping off point because we all had such a collaborative nature on those pathfinders. We just mapped the CMMC to what those look like so we can validate with the primes and subs and say is this the way you would’ve read this? Is this [the] CMMC level you think this would’ve been at? So we actually have an understanding of what it looks like,” she said. “This will help us validate the way we structured the model and the contracting so as we go through these RFIs, we have the right structure in the acquisition. We used heavily the Defense Industrial Base cybersecurity assessment capability (DIBCAC), [from the Defense Contract Management Agency], we used that pretty extensively on how they actually did an assessment on the NIST standards, their methodology and what they were doing. We are using what already has been laid out and using the best practices to get the most bang for the buck.”

DCMA audited its contractors against NIST SP 800-171, the cybersecurity compliance standard for contractors.


To make the move to IPv6, agencies need to make this a mission, not an IT goal

It’s been almost 15 years since the Office of Management and Budget first put agencies on notice to move to internet protocol version 6 (IPv6). And in 2010 and again in 2012, OMB tried and failed to get momentum behind this effort.

Who remembers the “threat” that agencies would run out of IPv4 addresses and the internet would break down?

Like the warnings from the 1970s that the world would run out of oil if we didn’t do something, the experts’ predictions have fallen short.

So what’s the difference this time with the 2020 version of the “you have to move to IPv6” memo, a draft of which OMB released for public comment on March 2?

Experts say there are several reasons why the time is right for agencies to transition to IPv6, and it’s not based on “what if” scenarios.

“This was miscast previously as an IT problem, when it’s really an enterprisewide problem of people, process and technology,” said Peter Tseronis, founder and CEO of Dots and Bridges and a former IPv6 task force leader for the CIO Council. “This is about how organizations rely on technology to meet their missions. You have to modernize and transform at a fundamental level and that means the stuff behind the walls.”

He said the rise of internet of things (IoT) devices across nearly every federal mission space should help agencies see that the time is right to transition more fully.

Tseronis said if this latest memo falls just to the agency chief information officer once again, it will have a limited impact. But if the CIO can get other CXOs to care about it, because moving to IPv6 affects every mission, then it will be more successful.

Tseronis and other experts praised OMB’s approach to this latest draft memo.

They said it’s not so much about adding another unfunded mandate to agency plates, but laying out a straightforward strategy over the next five years mixed with places to find help and additional information.

“We are now at a point where we need to finish the job and the memo does a great job of saying, ‘let’s start with low hanging fruit,’ things you can pilot and then do a phased approach to move to IPv6,” said David Belson, the senior director of internet research and analysis at the Internet Society, an organization that supports and promotes the development of the internet as a global technical infrastructure, in an interview with Federal News Network. “OMB also is telling agencies to leverage the NIST program for testing and approving technologies as well as acquisition language. OMB is saying to agencies there is a lot of support and best practices for you to use so there is no reason you shouldn’t be able to get this done.”

In the draft memo, OMB detailed a series of goals and deadlines for agencies, including creating an internal IPv6 team, writing new agencywide policies and identifying at least one pilot that they can complete by the end of fiscal 2021.

“In the last five years, IPv6 momentum in industry has dramatically increased, with large IPv6 commercial deployments in many business sectors now driven by reducing cost, decreasing complexity, improving security and eliminating barriers to innovation in networked information systems. Mobile networks, data centers and leading-edge enterprise networks, for example, have been evolving to IPv6-only networks,” wrote Federal CIO Suzette Kent in a notice in the Federal Register. “It is essential for the federal government to expand and enhance its strategic commitment to the transition to IPv6 in order to keep pace with and capitalize on industry trends.”

OMB sets four goals over the next five years:

  • Transition at least 20% of IP-enabled assets on federal networks to IPv6-only by the end of fiscal 2023;
  • Transition at least 50% of IP-enabled assets on federal networks to IPv6-only by the end of 2024;
  • Transition at least 80% of IP-enabled assets on federal networks to IPv6-only by the end of 2025; and
  • Identify and justify federal information systems that cannot be converted to use IPv6 and provide a schedule for replacing or retiring these systems.

Cricket Liu, the chief domain name system (DNS) architect for Infoblox, said industry, particularly the telecommunications and mobile carriers, has moved to IPv6 because, like many larger agencies, they were running out of IPv4 addresses and the growth of devices all but forced their hands.

As agencies deploy sensors, wearables and other devices, with everything from phones to printers to smart speakers using IP addresses, that growth now may be enough to get them to invest time, money and people in the IPv6 transition.

Over the last 15 years, agencies have taken small steps. The latest data from the National Institute of Standards and Technology showed that 60% of DNS, 81% of all email and 65% of all web traffic remain on IPv4.

At the same time, NIST says agencies are much further along when it comes to having IPv6-enabled domains and domains with DNS security enabled.

Out of 2,900 IPv6-enabled services tested, NIST found 62% are operational and 3% are in progress.

Source: NIST Fed6 deployment website.

“We effectively are running out of IPv4 addresses. There are small chunks of v4 addresses coming back to the registries, but that just kicks the can down the road because no one is giving enough back to make a difference,” Belson said. “Through IPv4 marketplaces, organizations can purchase addresses, but it’s not cheap and those prices will continue to go up as space becomes more scarce. I think those factors are driving why OMB is now pushing for IPv6, but it’s not just one event or one reason.”

Chris Usserman, a principal security architect for Infoblox Federal, said another driving force behind OMB’s memo, along with the increase in IoT devices, likely is the fact that agencies are moving to cloud services faster.

“There are some vendors who previously weren’t prepared for IPv6,” he said. “Agencies were also not prepared from a knowledge, budget or otherwise to implement IPv6. And if one agency is going to do it what about everyone else? So communication between agency networks would become more difficult. I think there has been a general lack of understanding about what is required to implement IPv6 architecture.”

As agencies start to implement OMB’s latest memo, Usserman said they should first triage their systems to see what is running already on IPv6 and which ones could run on the protocol, but aren’t yet.

“Once you get a sense of that, you know what you are up against and you can start your planning,” he said. “Then you can start moving apps that are ready to move to IPv6 and sunset others that are not.”
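As an added illustration of the triage Usserman describes, measured against the percentage goals OMB lists in the draft memo (this is example code written for this page, not something from the article, OMB, NIST or anyone quoted), the Python below takes a constructed asset inventory of hostnames and their addresses, classifies each asset as IPv6-only, dual-stack or IPv4-only, and reports which milestone the current IPv6-only share already meets. The hostnames, addresses and the `FY2023`/`FY2024`/`FY2025` labels are assumptions; the 20%, 50% and 80% targets are the ones the memo states. Two details matter for an honest count: IPv4-mapped IPv6 literals (`::ffff:a.b.c.d`) are still IPv4 dependencies, and link-local `fe80::/10` addresses exist on every IPv6 interface and say nothing about whether a service is reachable over IPv6.

```python
"""IPv6 readiness triage of an asset inventory against the OMB draft-memo milestones (example)."""
import ipaddress
from collections import Counter

# Constructed sample inventory: hypothetical hostnames and addresses, not from the article.
SAMPLE_INVENTORY = {
    "www.example.gov": ["203.0.113.10", "2001:db8:10::80"],        # dual-stack
    "mail.example.gov": ["203.0.113.25"],                         # IPv4-only
    "sensor-42.example.gov": ["2001:db8:20::2a"],                 # IPv6-only
    "legacy-scada.example.gov": ["::ffff:198.51.100.7"],          # IPv4-mapped literal: still IPv4
    "printer-7.example.gov": ["fe80::1%eth0", "2001:db8:30::7"],  # link-local ignored; global v6 counts
    "broken-host.example.gov": ["not-an-address"],                # bad inventory data
}

# Share of IP-enabled assets that must be IPv6-only, per the OMB draft memo goals.
# Fiscal-year labels are assumptions made for this example.
OMB_MILESTONES = {"FY2023": 0.20, "FY2024": 0.50, "FY2025": 0.80}


def classify_addresses(addrs):
    """Return 'ipv6-only', 'dual-stack', 'ipv4-only' or 'unknown' for one asset's addresses."""
    has_v4 = has_v6 = False
    for raw in addrs:
        try:
            ip = ipaddress.ip_address(raw.split("%")[0])  # drop a zone index such as %eth0
        except ValueError:
            continue  # unparseable entry: contributes nothing, asset may end up 'unknown'
        if ip.version == 4 or ip.ipv4_mapped is not None:
            has_v4 = True  # native IPv4 or an IPv4-mapped IPv6 literal both mean IPv4 dependency
        elif ip.is_link_local:
            continue  # fe80::/10 is present on every IPv6 interface; not evidence of readiness
        else:
            has_v6 = True  # a global (or at least non-link-local) IPv6 address
    if has_v4 and has_v6:
        return "dual-stack"
    if has_v6:
        return "ipv6-only"
    if has_v4:
        return "ipv4-only"
    return "unknown"


def triage(inventory):
    """Classify every asset and report progress toward each milestone plus next-step lists."""
    classes = {name: classify_addresses(addrs) for name, addrs in inventory.items()}
    counts = Counter(classes.values())
    # Only assets with a usable address count toward the percentage; 'unknown' is data to fix.
    total = sum(counts[c] for c in ("ipv6-only", "dual-stack", "ipv4-only"))
    share = counts["ipv6-only"] / total if total else 0.0
    return {
        "classes": classes,
        "ipv6_only_share": share,
        "milestones_met": {fy: share >= target for fy, target in OMB_MILESTONES.items()},
        # Already reachable over IPv6, so IPv4 can be retired on these first.
        "ready_to_sunset_v4": sorted(n for n, c in classes.items() if c == "dual-stack"),
        # Need transition work, or the written justification the memo's fourth goal calls for.
        "needs_plan_or_justification": sorted(
            n for n, c in classes.items() if c in ("ipv4-only", "unknown")
        ),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for name, cls in report["classes"].items():
        print(f"{name:28s} {cls}")
    print(f"IPv6-only share: {report['ipv6_only_share']:.0%}")
    print("Milestones met:", report["milestones_met"])
    print("Sunset IPv4 next:", report["ready_to_sunset_v4"])
    print("Plan or justify:", report["needs_plan_or_justification"])
```

In a real triage the inventory would come from a CMDB export or DNS zone data rather than a dictionary, but the classification rules are the part that usually goes wrong: counting a link-local address or an IPv4-mapped literal as IPv6 progress overstates readiness.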

Tseronis added agencies should consider creating an internal IPv6 task force to handle both the technical side as well as the culture side.

“I’d have the internal task force do a road show so everyone understands why it matters to each unique mission area. You have to make it a living, breathing effort,” he said. “If not, people will look for the easiest reason to say why they don’t need IPv6. I’d find one mission where you made IPv6 real and show why it matters versus trying to treat it as an enterprise program.”

The big question that comes from this fourth memo on moving to IPv6 is what OMB’s plans for accountability are. The Internet Society’s Belson said that was the one big glaring hole in the guidance. And as we have seen several times over the last 15 years, if there is no accountability, agencies will not complete the move to IPv6.


GSA’s e-commerce initiative strained by new protests, questions over supply chain risks

There was a flurry of lawmakers seemingly troubled, disappointed and disturbed about the lack of governmentwide progress to move to the Enterprise Infrastructure Solutions (EIS) contract.

While the reality is most of the lawmakers probably had never heard of EIS until their staff explained to them 10 minutes before the hearing started that it’s a way for agencies to modernize their voice, video and data services, the House Oversight and Reform Subcommittee on Government Operations created at least a newsworthy façade last week.

The hearing also ferreted out a host of other valuable news nuggets about several of the General Services Administration’s technology services.

Never one to let a good, almost 90-minute hearing go to waste, the subcommittee pressed GSA on the status and future of its e-commerce platform initiative.

About an hour into the hearing, Rep. Mark Meadows, R-N.C., ranking member of the subcommittee and the incoming chief of staff for President Donald Trump, asked what seemed like a simple question about GSA’s e-commerce platform initiative.

“Are you going to have the two awardees by the end of the month?” Meadows asked.

Bill Zielinski, GSA’s assistant commissioner for the Office of Information Technology Category, said the goal is to make the award in the springtime if not by the end of the month.

But then, as Meadows pushed harder about meeting deadlines, Zielinski revealed yet another challenge for the program.

“Currently, we do have several protests that we are working through that impact or affect when we will be able to issue that award,” he said.

That answer perked up the ears of most people who are following the e-commerce effort. We had reported on two protests—one at the agency level by Amazon and another to the Government Accountability Office by Overstock—but Zielinski’s reveal was quite shocking.

So now this procurement has faced five protests despite GSA’s best intentions to hear from industry, gather their feedback and write a solicitation that made sense.

“We have received a number of protests and the three that remain are asking us to reassess their proposals that were submitted,” Zielinski said.

After the hearing, Zielinski confirmed these are agency-level protests as opposed to the vendors going to GAO or the Court of Federal Claims. GSA declined to provide any further details on who is protesting or the timeline of when it would resolve the protests.

Zielinski told the committee that GSA is hopeful to make the award for the platform by the end of March or shortly thereafter.

GSA already decided the Amazon protest and ended up amending the solicitation. Overstock dropped its protest earlier this month.

More concerns than just protests

The protests are just the tip of the challenge for GSA to get this portal off the ground.

Rep. Stacey Plaskett, D-V.I., asked about how GSA will ensure agencies comply with AbilityOne requirements, which mandate agencies purchase certain products from companies in the program.

Zielinski said the e-commerce platform doesn’t relieve agencies of their responsibilities to meet the mandates of AbilityOne.

“Part of the requirements for the portal providers is to ensure that we have insight into what is being purchased and they are specifically able to identify where and when a purchase card holder is looking at items that fall under the AbilityOne program and ensure they are made aware that those are items available through AbilityOne,” he said. “As part of the proposals, the portal providers are required to tell us how they will do so. There is a second part, we will need to work closely with AbilityOne to ensure that their providers are aware of the program and that they are fully participating as well.”

Plaskett pushed further on other laws and regulations required under the portal.

Zielinski said agencies still will have to meet all current acquisition laws and regulations if using the portal; however, he didn’t say how GSA would enforce or require them to do so through the portal.

Concerns over how the portal will meet AbilityOne requirements and other acquisition regulations could be relegated to the back-burner if GSA can’t ensure the portal providers address supply chain concerns.

The White House issued an executive order aimed at e-commerce providers like Amazon, Walmart.com and others, some of which are expected to bid on GSA’s solicitation.

Plaskett pushed for answers from GSA as well on how the EO and e-commerce platform program can co-exist.

“It goes back to the information and data we will collect through the commercial platform that is currently not available. As agencies are making their purchases online today, we don’t have access to information that allows us to test and check,” Zielinski said. “We are looking to utilize the commercial best practices, work with the Department of Homeland Security and the recommendations they have made for e-commerce platforms and actually incorporating automation to where when there has been identified providers of these products that are counterfeit or barred or removed, that the platform will be able to utilize that information to prevent them from being available to customers.”

Supply chain risk management shortcomings

But with the proof of concept expected to launch this year, GSA has a long way to go.

GAO’s Carol Harris, the director of IT acquisition management issues, said her office has ongoing work about civilian agencies’ supply chain risk management processes, and GSA is behind.

“GSA, of seven major NIST practices, has not implemented any at this time. There is some draft guidance that they have in place, but there is nothing that has been institutionalized at the organization right now,” Harris said. “That is in combination with the deployment of this online marketplace. These risk management practices are internal to GSA so this is what GSA should be following as they procure their own goods and services to ensure they are not counterfeit or compromised in any way. But in order to vet offerings on this marketplace, they should have a robust process. So if the internal process is still in its infancy, then we have to be very cautious as we move forward with GSA deploying an online marketplace for the federal government.”

Rep. Gerry Connolly, D-Va., chairman of the subcommittee, said while he finds the e-commerce platform concept exciting, agencies have little to no room for failure on something like this.

“It seems to me that it’s worthy of heeding the advice and analysis of GAO here to try to get this right at the ground level so that we can realize the potential I think it has,” he said. “We will be very interested in that. We want to be supportive of that. We just want to make sure it has more than a fighting chance once it takes off to be successful.”

Meadows echoed Connolly’s comments about GSA’s preparation for the e-commerce portal and pushing for a more open initiative.

“I’m concerned because I’ve seen so many great plans that we were going to save money, not just on IT, but across the agency. The minute the federal government gets involved we have real problems. With this portal, the fact that you have protests, is it a protest…of access to the portal?” Meadows asked in the last question of the hearing. “The only way to get efficiencies is to allow the free flow of people to come in and actually compete. Otherwise, it becomes another bureaucratic portal that says, ‘If you have figured out our maze and you are able to figure your way in,’ you actually get in and what happens, prices actually don’t go down, but go up.”

If there was some good news that came from this hearing for the e-commerce portal, it was about agency interest in using it.

Zielinski told the subcommittee that GSA has met with more than a dozen agencies, and received commitment from several to work with them to help drive requirements and to participate in the program.

It’s a good sign for the e-commerce platform initiative that agencies and other members of Congress are interested in the program, but the fact that there are three more agency-level protests and confusion over the executive order continues to hang a dark cloud over the effort.


GSA’s 18F expects to be in the black in 2020

“Strike a blow for liberty!” said Rep. Gerry Connolly (D-Va.) when he heard from both the General Services Administration and the Government Accountability Office that the 18F organization would meet its goal of achieving full cost recovery by the end of fiscal 2020.

If you aren’t familiar with GSA’s 18F organization, the Obama administration brought in private sector technology experts to help agencies jump-start and further IT modernization programs. The initial folks who ran 18F set it up like a private sector start-up where money was free flowing and rules were less important.

Needless to say, 18F got in a bit of trouble, particularly around procurement and cybersecurity requirements.

The other area where 18F went off track was being able to pay for itself. In 2016, GAO reported 18F wouldn’t be able to pay back its $30 million start-up loan and revenues would continue to fall short of its operating expenses until 2019 at the earliest.

Anil Cheriyan, the director of the Technology Transformation Services at GSA, told the House Oversight and Reform Subcommittee on Government Operations on March 4 that 18F came close to fully recovering its costs in 2019 and expects the organization to do so in 2020.

“18F workforce has been right-sized to meet program demand. At its peak, the staff levels were in excess of 225. We are currently at just under 100 staff,” Cheriyan said in his written testimony. “Billable utilization of the staff has grown by 6.6% from fiscal 2018 to fiscal 2019 resulting in a significant improvement in cost recoverability. All current work performed by 18F was started only after signed interagency agreements were in place. All newly acquired software installed and operated by 18F has been approved by GSA IT through the IT standards process and received an authorization to operate as appropriate.”

He added 18F’s gross margin improved by well over $3.5 million in the last year. 18F, however, had a net loss of $600,000 on revenue of $32.5 million.

The Centers of Excellence, on the other hand, were fully cost recoverable in 2019, Cheriyan said in his testimony. But when asked to clarify the difference between being fully cost recoverable and fully recovering their costs, GSA declined to comment. That leaves us wondering whether the CoEs are going down a similar path as 18F, with expansion and staffing that can’t keep up with “sales” or “revenue.”

Cheriyan said in his testimony that the CoEs do have a staff utilization rate of over 80%, which is a positive sign.

The White House launched the Centers of Excellence in 2017 to help accelerate IT modernization by focusing on five areas: cloud adoption, data analytics, customer experience, contact centers and data center optimization. The Agriculture Department volunteered to be the first agency to test out the CoE concept, and over the last three years, the administration expanded the use of these experts to six other agencies, including most recently the Government Accountability Office.

Cheriyan said the CoE effort is much further along with USDA, but the other agencies remain in phase 1 or just about to enter phase 2, which is the case with the Department of Housing and Urban Development. HUD has been stuck in the middle of phases 1 and 2 for much of the past six months.

He said HUD is looking to move about 1,000 forms into an automated, streamlined cloud service as well as building more customer-specific tools.

Rep. Ro Khanna (D-Calif.) asked Cheriyan what’s the difference between 18F and the CoEs.

“18F is primarily what I’d call a user-centered design focused organization, looking at the user processes and streamlining the user’s processes. 18F programs are very specific, they are initiative driven like building a new website and streamlining those processes,” Cheriyan said. “The Centers of Excellence approach is much more of a top-down transformation approach, leveraging the six competency areas that we’ve built. We are leveraging skills and capabilities that are typically needed to drive a transformation. So it’s much larger in scope and there could be multiple initiatives in a CoE program, where 18F is program specific.”

Connolly brought up a similar question later in the hearing, only to get a similar answer from Cheriyan.

This leaves one to wonder whether the confusion among lawmakers about the difference between the CoEs and 18F is a byproduct of a lack of demonstrated success. It’s not to say these two organizations haven’t made a difference; rather it, like many things in government, goes back to telling a good story about the impact of any program. It’s unclear if the administration hasn’t told a good story because there isn’t one yet to tell, particularly with the CoEs, or if they are just bad storytellers.


White House, GSA positions on e-commerce platforms perplex industry association

With Overstock’s decision to withdraw its bid protest of the e-commerce platform solicitation, it looks as though the General Services Administration has a clear path to kick off its three-year pilot.

But wait, not so fast. The White House’s executive order on e-commerce platforms creates a whole other level of potential roadblocks to this effort.

President Donald Trump signed the order on Jan. 31 with a goal of cracking down on counterfeit products and threatening Amazon, Walmart.com, eBay and others with suspension and debarment unless they address this growing concern.

Immediately, it was clear, based on Navarro’s comments, that GSA’s e-commerce platform effort faced a new set of obstacles.

“This crisis is not about any one e-commerce platform. This is about e-commerce platforms as a class playing by a different set of rules that simultaneously hammer brick-and-mortar retailers, defraud consumers, steal American jobs, and rip off intellectual property rights holders,” said Peter Navarro, the assistant to the President for trade and manufacturing policy, during a press call on Jan. 31. “Under current lax interpretations of existing rules and laws, e-commerce platforms face virtually no liability for their counterfeit trafficking. Today, virtually immune from the kind of laws and liabilities that govern bricks-and-mortar retail, e-commerce platforms such as Amazon, Shopify, Alibaba, eBay, JD.com, WalMart.com and a constellation of lesser players provide the digital hubs that perniciously interconnect vast cadres of online third-party counterfeiters and social media enablers, like Instagram, to American consumers.”

At the same time, GSA is on the path to setting up a new e-commerce platform, potentially with Amazon or Walmart or eBay, and will not require the platform providers to follow specific laws like the Trade Agreements Act or the Buy American Act because purchases are under the micro-purchase threshold of $10,000.

The path cleared last week when Overstock withdrew its protest. The Government Accountability Office said Overstock’s lawyers offered no explanation as to why it had given up on the protest. Overstock filed its complaint in January soon after GSA updated its request for proposals. Some experts say it may be because after reading the documents GSA submitted to GAO, Overstock realized its chances of winning were small. GSA now is expected to make an award for its pilot in the coming months.

These mixed messages coming from the White House and GSA are leaving some industry organizations seeking answers.

The Coalition for Government Procurement sent a letter to Navarro on Feb. 25 seeking clarification of the administration’s position on e-commerce platforms.

“Through GSA’s program, the government effectively is endorsing ‘e-commerce platforms as a class playing by a different set of rules,’ the very problem the Executive Order seeks to address,” writes Roger Waldron, the president of the Coalition for Government Procurement. “At the same time, it squanders a perfect opportunity to implement the government’s goals by mandating, through contract, platform provider responsibility for product authenticity and legal compliance. A clear, consistent articulation of government policy here would be of great value to our members, as it would help them in their efforts to address the needs of the government market. So too, it would rationalize the government’s approach to e-commerce and risk mitigation. Any guidance you could provide here would be very much appreciated.”

Waldron hosts Off the Shelf on Federal News Network.

In an email, Waldron added the e-commerce market could be worth as much as $60 billion if the administration includes the purchases from GSA’s schedules program.

“With revenue comes responsibility. The administration’s Executive Order and Dr. Navarro’s comments are a clear statement that e-commerce platforms should be responsible for the integrity of their marketplaces,” he wrote. “In contrast, GSA’s solicitation, as recently amended, offers a conflicting view, namely, that each transaction is governed by the rubric ‘buyer beware.’ The solicitation essentially insulates e-commerce platforms from responsibility for the integrity of their marketplaces. Just as significant, under the Multiple Award Schedules, contractors are held responsible for the integrity of their contracts and GSA vets each contractor to ensure the integrity of the MAS market, as a whole.”

Is anyone paying attention in Congress?

This leads us to the question about whether GSA even knew about the executive order.

Waldron and others say it looks doubtful from the outside.

“It is starting to look like the right hand doesn’t know what the left hand is doing,” he said. “So, we’re left with two different perspectives on e-commerce security and accountability. The administration, through the Executive Order, supports making platform providers accountable for supply chain security and product integrity. GSA, apparently, has a different view.”

The question GSA and others have to start asking is: what is the future of the e-commerce platform initiative? The main backer of this effort in Congress, Rep. Mac Thornberry (R-Texas), the ranking member of the Armed Services Committee, is retiring in January 2021. And lawmakers, generally speaking, don’t have long attention spans, nor do they care much for initiatives they didn’t think of or pass.


Let me just throw this out there: what if GSA never awarded the e-commerce platform solicitation, say by pulling it back to revamp it and then letting it quietly die? Would anyone notice? Would anyone care?

It will be interesting to see if Navarro responds to the CGP’s letter. When asked about the GSA e-commerce platform effort during his Jan. 31 press conference, it was clear he wasn’t familiar with it and just referenced the Department of Homeland Security report on supply chain security, which also doesn’t address GSA’s program.

HUBZone, FPDS transition updates

The next piece of the Integrated Acquisition Environment (IAE) is scheduled to transition to the new beta.sam.gov site later this month. GSA provided an update to industry on Feb. 25 detailing plans and benefits of moving the Federal Procurement Data System reporting functionalities to the portal.

By March 16, vendors who rely on FPDS will see improved capabilities, including:

  • Reports can now span 12 years instead of five
  • Reports can now return 150,000 rows instead of 30,000
  • Report structure can now be easily shared (attributes, metrics, etc.)
  • Additional reportable data fields
  • Report creation wizard

GSA has been testing the new report generation capabilities for the last several months. It says it converted about 85% of existing ad hoc reports over to the new portal.

“We’ve worked a great deal with users who have a substantial amount of ad hoc reports prior to the migration to make sure that they understood. We’ve used robotics process automation (RPA) to be able to migrate over the existing ad hoc reports and data,” said Judith Zawatsky, assistant commissioner in the Office of Systems Management in GSA’s Federal Acquisition Service, in an interview with Federal News Network in February. “It is incredibly innovative work. The other thing we are doing, because we knew there was latency on the system last time and we know migration of the reports will drive greater usage on the platform: the team is designing for a heavy push in the beginning so that they do not cause any issues with access to the system.”

The FPDS reporting capabilities will be the fifth system migrated into the new IAE environment under beta.sam.gov. Next, GSA said, is to remove the beta from the new site and migrate the old SAM.gov to the new portal.

Over at the Small Business Administration, employees are getting ready for a big transition of their own. SBA released frequently asked questions (FAQs) to help small firms better understand the new requirements for the Historically Underutilized Business Zone (HUBZone) program that started in January.

The HUBZone Council posted the FAQs on its website.

In the 11-page document, SBA addressed 36 questions ranging from annual recertification requirements to employee residency requirements to contracting compliance regulations.

Agencies have never met the governmentwide goal of awarding 3% of all contracts to HUBZone firms. In fiscal 2018, agencies awarded 2.05% or $9.9 billion.

SBA hopes these new regulations will make the program easier for firms to take advantage of, thus creating more companies with headquarters in HUBZones.


Exclusive

HHS’ shutdown of assisted acquisition services remains painful, wasteful


The Department of Health and Human Services is not just failing its agency and contractor customers but also, once again, demonstrating why “the government” gets maligned as wasteful, insular and uncaring.

With its decision to end its assisted acquisition services through its Program Support Center, HHS is putting more than $1 billion in contracts at risk. It’s hanging large and small agencies out to dry — ranging from the Defense Department to the Environmental Protection Agency to the Office of Special Counsel — by canceling contracts and giving them little time to prepare for the changes. And it is withholding payment to potentially hundreds of small and large contractors, putting some at risk of closing down or facing employee layoffs and additional contract costs.

At the same time, HHS is paying tens of thousands of dollars in prompt payment penalties to those same contractors for avoidable mistakes, inching ever closer to what experts would call waste and abuse.

“Since the beginning, HHS PSC was inflicting pain on themselves,” said Ron Robinson, a former program manager for Copper River Technologies, which provided contract support and financial analyst services until December when PSC ended its three-year contract two years early. “It is horrible the way HHS has handled this. They should be held accountable, and it doesn’t seem like anyone wants to. There wasn’t communication. There was a lack of transparency. You see that time and again with them suspending warrants and putting four people on administrative leave without telling them why.”

Multiple requests seeking comment on PSC’s actions from Reps. Mark Meadows (R-N.C.), ranking member of the Oversight and Reform Committee, and Harley Rouda (D-Calif.) were not returned.

One flawed reason to another

Robinson and four other industry sources, all of whom requested anonymity because they either are still waiting to get paid by HHS or because they still have work before the agency, say the rationale for closing down the Program Support Center’s most successful offering was based on one flawed reason after another.

HHS jumped from one explanation to another to justify what sources called an irresponsible and short-sighted decision to close down PSC’s assisted acquisition services in such an abrupt and painful manner. The rationale included:

  • An alleged missing $40 million from its acquisition fund
  • How PSC’s contracting officers “handled” classified information
  • A potential criminal investigation of contracting officers at the Space and Naval Warfare Systems Command

Four executives remain on administrative leave after almost a year: Al Sample, the well-respected head of PSC; Bill McCabe, the chief financial officer and director of the Financial Management and Procurement Portfolio; Patrick Joy, the head of PSC’s contracting activity; and Donald Hadrick, the chief supervisory contracting officer. HHS continues to pay their full salaries at the Senior Executive Service or GS-15 levels and benefits, costing the government more than $600,000 a year. Meanwhile, HHS still searches for a reason that will stick for why these highly respected executives were embarrassingly walked out of their offices last spring.

Attempts to contact McCabe, Hadrick and Joy through LinkedIn went unanswered. Sample declined to offer further details beyond that his situation hasn’t changed.

An HHS spokeswoman chose not to answer more than a dozen specific questions for this article, despite multiple attempts to convince the agency to share more in order to capture both sides of the story.

This is the only comment HHS provided:

“HHS is currently conducting a review of its financial systems and processes in an effort to improve PSC operations and strengthen transparency. This is part of a larger process improvement effort. At the same time, PSC is working with customer agencies independently to support their individual missions and make payments as soon as possible after ensuring the goods or services have been delivered and meet the customer’s requirements.”

Lack of transparency, communication

The decision by HHS not to offer any insights or any further comment is part of the problem with this entire situation. The lack of transparency has been stunning, to the press, agencies and vendor partners. For the spokeswoman to say PSC is working with its customer agencies feels disingenuous at best and full-on deceit at worst to the multiple sources Federal News Network talked to for this article.


Time and again, vendors say PSC stopped answering phone calls or emails. Soon after, payment for work already completed ceased too. And sources say both PSC and the agencies who are its customers are playing the finger-pointing game, leaving vendors caught in the middle.

“They are still stonewalling us. We can’t get anyone to answer us. When we do reach someone, we are told to go back to [the awarding] customer agency. Lawyers are blaming each other, telling us to take this up with the other agency,” said one industry source. “We’ve written a formal request for payment. We are waiting for attorneys to talk more. We only received responses when we sent emails directly and aggressively to request something. But when we send invoices, [PSC is] not responding.”

Other vendors experienced the same HHS communication blackout.

“Our invoices are now several months overdue. We have made repeated calls, sent repeated e-mails, and we’ve gotten no commitment whatsoever to pay or even [have been] given a payment date,” said another industry source. “We have sent supporting paperwork not once, but multiple times. It seems to go to different people each time, and gets ‘lost’ when the new persons come along.”

The source said the lack of communication and payment delays are even more difficult for small firms.

“As a small business, this hits hard. Highly skilled people and teams which have taken years to build up are facing layoffs. [It’s] very hard to recover from this afterwards. Ultimately the customer suffers diminished readiness,” the source said. “It’s not good.”

HHS also failed to tell the Defense Department in September about suspending employee assistance program (EAP) services. DoD and HHS finally worked out a way to get the program running again, but HHS sent formal notification after the fact that it planned to end the services two months later. It’s also unclear if HHS shut down EAP services, as the website provides no information on the current status of the program.

Payments starting to flow

Two other industry executives said PSC is starting to pay invoices, but it’s been an uphill climb for months.

One of the industry sources said HHS has paid prompt payment penalties for as much as $84,000. The Prompt Payment Act requires agencies to pay a penalty of 2.6% interest for every 30 days the invoice is overdue. The source said with most invoices being at least three months late, HHS is paying 7.8% interest on almost every contract. This is another example where HHS’s decisions have resulted in waste.

“Vendors are happy to get paid and [are] getting paid a lot of extra money because three months or more of interest adds up,” the vendor source said.

Another industry executive said the level of scrutiny invoices are getting is over the top.

“PSC is taking a position that until they have completely confirmed that everything has been delivered per contract specification they will not make payments,” the source said. “Whether this is a way to prolong the process because they don’t have the money or they are trying to find out what happened, we get a sense there is some disarray within PSC’s contracting shop about how to close these contracts out.”

That disarray comes from another decision HHS made over the summer. Sources say PSC went from having three people — 1.5 full-time equivalent federal employees and 1.5 FTE contractors — processing invoices to having eight untrained federal contracting specialists take over these duties.


“They brought in a new invoicing team and they still are going through a steep learning curve,” said one industry source. “Eight people could not do what three people could do who were properly trained. Being a contracting specialist is very different [from] being a financial manager. Contracting specialists may know the verbiage of payments, but not the specifics. They also have to learn two systems they have never been in before in a short span of time. That led to many problems, a lot of errors and these delays.”

Invoicing is a dirty process

Sources say the training HHS provided these contract specialists was inadequate.

“PSC had to bring in a second trainer because the first one didn’t know how to train people for invoicing,” the source said. “This put contractors a quarter behind in getting paid. And processing an invoice is a complicated process. It’s a five-step process before it even goes to Treasury, and you have to make sure it’s on the right line of accounting, aligns with requisitions and a lot of other steps.”

The source added the invoicing process at PSC has been in bad shape for years, filled with manual processes and email approvals.

“The backlog had been in the hundreds of thousands of dollars and this only expanded it,” the source said. “The accounting folks will find errors from two or four years ago. There are some areas that couldn’t close their books because invoices never got fully resolved. There are just a lot of errors, and it’s always been a dirty process.”

Over the last year, questionable decisions, such as getting rid of experienced invoice processing employees, have marked this story.

HHS’ first reason for ending assisted acquisition services was it decided it didn’t have the oversight in place to do classified work. Robinson, the former Copper River Technologies program manager, said the HHS general counsel, all of a sudden, had some concerns about misuse of form DD-254 for classified work.

“It was an absolute surprise. I’m not sure why there would be any great concern about it as we had been dealing with them for years without any problems,” he said. “Their concerns were about the handling of classified information, but we never had classified information. The majority of DD-254s were attached to an action that was more for facility clearances. We did a lot of IT contracts so contractors may have access to secure facilities, but it wasn’t doing what you’d think of as hard classified work.”

OGC driving the decision

Robinson said the Office of General Counsel was driving a lot of these “problems” at PSC and found willing partners in people like Scott Rowell, the assistant secretary for administration, and James Simpson, the acting deputy assistant secretary for acquisitions in the Office of The Assistant Secretary of Administration.

“It goes back to OGC driving the ship and OGC, in my experience, was extremely risk averse. They saw an issue or problem as a risk, even though we had operated for years and years without issues,” Robinson said. “My belief is the Office of General Counsel at HHS was never a fan of assisted acquisitions. When Simpson got in there, OGC found someone who would listen to them and they used it.”


HHS used the DD-254s and the claim of a missing $40 million as the first two reasons for ending its services and suspending the four executives. But when both motives fell apart, sources say, HHS used a potential criminal conduct claim at the Space and Naval Warfare Systems Command in San Diego as the reason for shutting down the assisted acquisition services.

Federal News Network previously reported that both the alleged missing $40 million from the acquisition fund and the DD-254 problems were debunked. In July, sources familiar with PSC’s operations said a recent audit found the organization does no classified work. And in August, Federal News Network reported that the “missing” funds had to do with the new leadership lacking an understanding of how the acquisition supply fund works. Sources said once the Office of Management and Budget got involved and explained how the fund works, and therefore that $40 million was not missing, HHS management “drummed up” the national security concern with the DD-254s.

Robinson said one of his former colleagues was called to testify before special investigators in January on the alleged criminal activity. But special investigators called off the meeting as he was preparing to leave.

“It seems that’s not legitimate and it seems to fit in with the fact they couldn’t get the DD-254 accusation to work,” he said. “To say there may have been criminal things going on as another reason to shut down assisted acquisition services … it’s part of how they are blowing smoke to find fraud, waste and abuse issues.”

Sources say it could take three-to-five years for PSC to fully shut down its assisted acquisition services, and the organization may have to award another contract to clean up the mess its executives created by not understanding the situation.

It is HHS’ right to get out of the assisted acquisition services – no one in industry or government would disagree. But HHS officials’ failures – their lack of transparency and poor decision-making created unnecessary hardship on agencies and contractors and paint an avoidable black cloud over the government. And that’s sad.


FedRAMP’s banner year leads to more ideas to speed up, improve the processes

You have to wonder if Ashley Mahan and her co-workers running the Federal Risk and Authorization Management Program (FedRAMP) ever feel like they can make anyone happy.

Despite a record fiscal 2019, which saw a 30% increase in the number of cloud services authorized and a 50% increase in the number of cloud products reused across the government, industry, Congress and agency customers want more.

Oversight and Reform Subcommittee on Government Operations Chairman Gerry Connolly (D-Va.) and Ranking Member Mark Meadows (R-N.C.) saw their FedRAMP Authorization Act of 2019 pass the House on Feb. 5. The bill is now before the Senate Homeland Security and Governmental Affairs Committee. Among the things the bill would require is for agencies to provide a “presumption of adequacy” to vendors that have already gotten FedRAMP-certified at other agencies.

Agency chief information officers and other technology executives publicly praise FedRAMP, but privately don’t trust the authorizations in the way the Office of Management and Budget originally hoped they would. Just take a read of this December 2019 Government Accountability Office report, which found 15 agencies reported that they did not always use the program for authorizing cloud services, for a bit more evidence of this public-private disconnect.

And now a non-profit led by former Office of Management and Budget and National Security Council executives has issued a white paper with recommendations to move FedRAMP to the next level—as a risk management and continuous monitoring program.

The Center for Cybersecurity Policy and Law, a nonprofit dedicated to promoting education and collaboration among industry and policymakers on policies related to cybersecurity, says the program, which OMB and the General Services Administration launched in June 2012, is no longer the best approach for today’s security needs.

“It is unsuited to the growth of emerging technologies like internet of things (IoT) and artificial intelligence/machine learning (AI/ML) and is not dynamic enough to incorporate new innovative products,” the white paper states. “These deficiencies are a result of FedRAMP’s limited resourcing and ability to keep pace with agency and cloud service provider (CSP) demand for review and authorization, agencies’ limited reuse of authorizations to operate (ATOs), and the compliance focused, manually driven certification and maintenance process that underpins the interaction between agencies and CSPs. These deficiencies create an opportunity to revise FedRAMP in a manner that reflects a maturation of the government’s risk-management approach and improves IT modernization outcomes.”


The group’s three recommendations focus on how to improve not just FedRAMP, but federal cybersecurity more broadly:

  • Redefine federal IT risk management, including FedRAMP, to place continuous, incremental and automated monitoring at the heart of the process.
  • Consolidate and standardize the process for risk acceptance across the federal government.
  • Enable the federal government to leverage the full scope of emerging innovation in the cloud computing and information technology markets.

Ross Nodurft, who works with the Center for Cybersecurity Policy and Law, said in an interview with Federal News Network that the center has been working with the FedRAMP team at GSA and has a commitment from them on how to move forward from a tactical perspective.

Ross Nodurft is a former OMB unit chief for the cyber and national security unit and now works with the Center for Cybersecurity Policy and Law.

“Our plan going forward is to continue to socialize the recommendations and ask for feedback about how to do it tactically,” Nodurft said. “Both the cloud service providers and agency folks have a lot of different ideas of how to do it. What we need to do is push this paper into the conversation at the agency level. We will ask at a more tactical and granular level how the practitioners think the best way to move forward is. We have ideas ourselves, but we want to make sure we are continuing to engage in that conversation.”

One way to do that is to take the subjectivity out of FedRAMP. Yes, there are standards that every CSP must meet to receive authorizations, but how agencies interpret the certifications is often where the problems exist.

Nodurft said one way to take out the subjectivity is to mandate standardized configuration settings, which would also help the automation tools to confirm the CSPs are meeting the security requirements of the system.

“It takes the human judgement out of compliance, and that is a big part of it,” he said. “We also have to create the policy environment that builds the trust pathways. We have to look at shared services. We have to look at systems that are similar across agency environments and we have to identify the standard configuration settings and point to them and say ‘it’s OK for you to adopt the work done by one agency and by one authorizing official.’ We have to work with oversight officials whether it’s from an inspector general to identifying good practices or OMB tweaking a policy to say ‘you shall do this more,’ or whether it’s Congress holding up and highlighting good use cases for agency ATO reuse and tracking how much of that reuse is happening, it has to be top down and we have to take as much as the human decision making process out of it to speed this up.”

Speed always has been a bugaboo for FedRAMP. When the program first started, it would take 12-to-18 months to get a CSP through the process. Now, it’s down to 9-to-12 months, and in the case of FedRAMP Accelerated, much quicker.

Source: FedRAMP.gov

The center, however, says in its report that the speed of change in the threat landscape as well as the emerging technologies require a better approach.

“Through the mechanisms we have now for interagency discussion, there is an opportunity to identify those use cases, hold them up and say ‘agencies you shall do this when you can, default to reuse first,’ which is a shift in the risk ownership, or we can be softer and say, ‘we encourage you to do this. We’ve recognized people who have done this well and here are the current best practices,’” he said. “We have to continue to promote this and drive agency thinking. I think they should take a hard look at both approaches.”

Nodurft said the first recommendation is about bringing speed to the process by placing the continuous, automated and incremental monitoring at the heart of the process.

“Under that, we had four sub-recommendations. We need to identify those FedRAMP controls that can be automatically assessed for all systems. We need to continue efforts to develop fully automated standards for security assessments,” he said. “We need to update the FedRAMP secure assessment framework to make it consistent with the NIST cybersecurity framework. We need to develop dashboards for the real time monitoring in government cloud environments.”

FedRAMP’s evolution continues

Joe Stuntz, director of federal and platform for Virtru and a former OMB chief of the cybersecurity and national security unit, said the white paper correctly frames the challenge around redefining IT risk management.

“FedRAMP gets a lot of feedback as the public face of Cyber and IT risk management in government, but many of the challenges of the FedRAMP program are due to risk management requirements and especially the ATO process so only addressing FedRAMP will not lead to faster and more effective authorizations of technology for federal agency use,” he said. “The focus on reuse and possible shared services is good, but these initiatives will run into the fundamental challenges around ATOs and risk acceptance. This paper can’t solve these broader challenges and the incentives involved that lead to more risk avoidance, but by improving FedRAMP, it will hopefully drive change in the broader risk management processes.”


To be fair, Mahan and her colleagues have not sat idly by and watched the world around them change. FedRAMP listens to industry and agency customers, implements updates and continues to evolve the requirements. The best examples are the FedRAMP Accelerated process for systems that do not require moderate or high levels of security. It also recently began work with the National Institute of Standards and Technology and industry to develop the Open Security Controls Assessment Language (OSCAL), a standard that can be applied to the publication, implementation and assessment of security controls.

Nodurft said the development of the OSCAL standard is something that could produce the near-term improvements for agencies and CSPs alike.

Over the long term, Nodurft said the real goal is to change how agencies accept risk. He said since the 2015 cyber sprint, the overall trend for agencies has been to accept less risk.

“We need to continue to push the innovation message and continue to hold up the people who are embracing the innovation and the risk that goes along with the innovation and not penalize them for doing that,” he said. “That is extremely important for this conversation.”


DoD warns vendors about fake third-party CMMC certifiers


More eyes than normal are on the Defense Department for the next year.

It’s not just the usual set of contractors, overseers on Capitol Hill and auditors, and nation state friends and foes. Now there’s a whole community watching how DoD implements the new Cybersecurity Maturity Model Certification (CMMC).

Along with the government contractors impacted by the new requirements, civilian agencies and allies like Canada, Sweden, Italy, the United Kingdom and others are paying close attention to how the Pentagon begins to fix supply chain and other cybersecurity challenges through this new initiative.

“They are all watching to see if we fall on our face or not. If we roll this out and make it work, they have indicated they will adopt CMMC as well,” said Stacy Bostjanick, the director of the CMMC policy office in the Under Secretary of Defense for Acquisition and Sustainment, at the recent AFCEA NOVA Intelligence Community IT day in Herndon, Virginia.

Stacy Bostjanick is the director of the CMMC policy office in the Under Secretary of Defense for Acquisition and Sustainment.

After her speech, Bostjanick said she was hesitant to offer more details about which civilian agencies might be interested. But it’s clear there are several that are watching including the Department of Homeland Security and the Federal Acquisition Security Council.

DoD, which finalized the CMMC requirements in late January, also is turning its CMMC glare back on the community.

First, Bostjanick said there are rising concerns about companies falsely claiming they can get other vendors certified under CMMC.

She said if you do a Google search, there are plenty of examples of these fake offers.

“If anyone tells you they can get you certified, they are lying. The test isn’t done yet,” Bostjanick said. “We are pressed right now and we have a small team working to get this done so there isn’t a lot of time to stop and go after the fake companies. The accreditation body is getting ready to take that on more than we are. We are aware of it and want to make sure companies know not to go to someone who is engaging in false advertising.”

She said the accreditation body, which is independent of DoD, is considering sending “cease and desist” letters to any company saying they can get another vendor certified under CMMC.

“The training and examination requirements are not in place yet. A company can evaluate another company against the model, but you are taking a risk because you can’t pay them to get you certified,” she said. “We have conflict of interest rules that say you can’t assess someone you’ve counseled.”

Bostjanick said the first set of third-party assessment organizations likely will be available no sooner than late summer.

CMMC schedule for the spring, summer

DoD plans to finalize the CMMC training and assessment guides in March.

Bostjanick said those documents will tell vendors what it takes to be certified at levels 1, 2 and 3.

“These guides are where people can find answers and what artifacts are needed. It is where all the answers to all your questions will be if you go through the assessment guide,” she said. “It’s not our intent to fool anyone.”


Then sometime between April and June, she said, the accreditation body will develop the training classes for third-party assessors. Finally, in the June or July timeframe, the first set of vendors can begin going through the assessment process in preparation for the first 15 procurements to call out CMMC requirements.

“The accreditation body is working with us to develop training material to accredit third-party assessors. There will be a marketplace for them as they go through the two-week course and test for level 3 accreditor certifications,” Bostjanick said. “We also will have Defense Acquisition University training where we will be working with program managers and contracting officers so they understand what the different CMMC levels are and give them a layman’s guide to controlled unclassified information so program managers can figure out how to disaggregate the data and flow down the CMMC requirements.”

She said DoD realizes there are steps it can take to lessen the burden on vendors.

For example, DoD plans to do a cross-walk between CMMC requirements and those under the cloud security program known as the Federal Risk and Authorization Management Program (FedRAMP).

“If you are FedRAMP compliant, you will get credit for what you’ve done under FedRAMP compliance as it aligns to CMMC,” she said. “Another thing we will do with the accreditation body is make sure we have a reciprocity policy. We’ve been talking to the guys over at Energy because they have their Cybersecurity Capability Maturity Model compliance, because eventually phase 2 will roll out and we will be talking about systems. And then, when you talk to the security guys, they are talking about a security ratings score. What they are thinking about is setting up a process similar to CMMC where they would come out to your facility to check your policies and procedures with regard to insider threat and facility security. They would assess you a score based on your policies and procedures.”

New DFARS rule coming

DoD expects CMMC to take five years to fully roll out, and not really get going until 2021. The Pentagon estimates third-party assessors will certify about 1,500 vendors in 2021, 7,500 more in 2022 and 25,000 more by 2023.

DoD also is trying to shorten the regulatory process because it has to publish a final Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC.

Bostjanick said DoD is working with the Office of Management and Budget’s Office of Information and Regulatory Affairs to get the DFARS rule through the process faster than normal. She said she hoped to have the clause out this fall.

With so much still to do to get CMMC ready by the fall, DoD may want to consider pushing back the initial implementation of the standard and finding a short-term way to secure the supply chain from cyber attack and protect important information.


These 6 agencies make their case to Congress for long-term IT modernization funding

The crown jewel of the Modernizing Government Technology Act isn’t the Technology Modernization Fund. If you’ve paid attention to federal technology over the last 20 years, Congress rarely throws much support behind what appropriators like to call “slush” funds.

Instead, as Rep. Will Hurd (R-Texas) will tell you, the best thing about the MGT Act is the ability of agencies to retain or save money and apply it to IT modernization programs through working capital funds.

But what Hurd and Rep. Gerry Connolly (D-Va.), the two main authors of the bill, either overlooked or didn’t quite grasp is how difficult it would be for agencies to establish these working capital funds.

Since President Donald Trump signed the MGT Act into law in December 2017, only the Small Business Administration has persuaded lawmakers to give it the authority to set up a working capital fund and transfer unexpired funds into it. SBA says in its fiscal 2021 budget request it expects to have $4 million in 2020 and another $2 million in 2021 in the fund.

Besides the SBA, no other agency got through the appropriators’ gauntlet. Three agencies, the departments of Education and Commerce and the U.S. Agency for International Development, asked for working capital funds in their 2020 requests.

Two others, the Labor Department and the General Services Administration, satisfied the spirit of the MGT Act using existing working capital funds, which earned them “As” on the most recent Federal IT Acquisition Reform Act scorecard.

But for the most part, Congress has applied only lip service to its support of the MGT Act.

Despite this limited success, the Office of Management and Budget and six agencies are making their cases again as part of the 2021 request. The departments of Education, Labor, Agriculture, Treasury and Commerce, and USAID are asking for the authority to either expand existing working capital funds or create new ones.

“Importantly, the budget is signaling two very important points — (1) that IT modernization can often take time and that the limitation of one-year appropriated funds can prohibit the ability of agencies to thoughtfully plan for and execute modernization projects and (2) that OMB is willing to work on a subcommittee by subcommittee basis to help achieve agreement on both the critical need for these transfer authorities and the level of oversight necessary to ensure Congress is comfortable in enacting such necessary legislative language,” said Matt Cornelius, the executive director of the Alliance for Digital Innovation and a former OMB cybersecurity and senior technology adviser.

Matthew Cornelius is the executive director of the Alliance for Digital Innovation (ADI), an industry association.

Part of the challenge for agencies when it comes to working capital funds is that many already have one. When Congress passed the MGT Act, 17 agencies already had this authority in one way or another, so why should lawmakers give them one more of these “slush” funds?

Adding to existing working capital funds

For instance, the Commerce Department has working capital funds at the headquarters level, at the Census Bureau and at the National Institute of Standards and Technology. Additionally, the Environmental Protection Agency, GSA and the departments of Justice, Treasury, State, Labor, Transportation and Interior are among the agencies with working capital funds.

This is why after two budget cycles and little support from Congress, some agencies are taking a new approach to obtaining the authority to save money and apply it to IT modernization programs.

Treasury, Labor and Agriculture want to add the MGT Act authority to existing funds.

For instance, Treasury proposes to “change the name of this account to Treasury Capital Investments and Modernization Fund (TCIMF) from Departmentwide Systems and Capital Investments Program (DSCIP). This proposed name change reflects the evolving vision for the account to focus on modernization of Information Technology (IT) and increased cybersecurity along with the existing authorities supporting repairs and renovations to Treasury’s White House complex buildings and facilities.”

Treasury would like to put $7 million in the fund in 2020 and $10 million in 2021 to “provide greater flexibility for Treasury bureaus to invest in IT projects that advance their mission and align to departmental chief information officer priorities. Funds transferred into the account from bureaus are intended to be used for IT modernization efforts to address Treasury’s technology needs and modernize business processes.”

USDA is asking Congress for permission to transfer $3 million into its existing working capital fund for IT modernization.

In Labor’s request, it would “establish an Information Technology Working Capital Fund (IT WCF). This IT WCF would include all activities currently financed through the WCF, as well as the development and operational costs for agency-specific applications currently funded directly by agencies. Shifting these activities into an IT WCF has no impact on total spending at the department.”

Commerce asks for $20 million

Meanwhile, Commerce, Education and USAID want to create new working capital funds.

In Education’s request, it said it would create “the Information Technology System Modernization and Working Capital Fund (IT WCF), authorized by the Modernizing Government Technology (MGT) Act in 2018, [which] may only be used: (A) to improve, retire, or replace existing information technology systems to enhance cybersecurity of existing systems and to improve efficiency and effectiveness; (B) to transition legacy information technology systems to cloud computing and other innovative platforms and technologies, including those serving more than one covered agency with common requirements; (C) to assist and support covered agency efforts to provide adequate, risk-based and cost-effective information technology capabilities that address evolving threats to information security; and (D) to reimburse funds transferred to the agency from the Technology Modernization Fund. Establishing this account under the MGT authority would enable transfers of expiring administrative funds to this account with a three-year period of availability for use on IT modernization activities.”

Commerce asked for permission to establish a “Nonrecurring Expenses Fund,” which would let it transfer $20 million to be used for business system modernization through Sept. 30, 2022 as well as any expired discretionary funds over the next five years.

“Funding is requested to continue phase I implementation activities to support administrative management systems (financial management, acquisition, property), enterprise data warehouse (EDW) and business intelligence (BI) reporting solutions across Commerce,” the agency wrote in its 2021 budget justification to Congress.

And finally, USAID is asking for an IT working capital fund to hold up to 5% or $30 million of discretionary funding from five different operating expenses and those funds would be available for three fiscal years.

“It appears that with the FY2021 President’s Budget, OMB has worked with agencies to push for the establishment of new IT WCFs or to modify an existing Working Capital Fund (presumably with the agreement of the agency CIO and CFO) to ensure that the agency has both the authority and scope to effectively manage IT Modernization projects and finances from a current Working Capital Fund,” ADI’s Cornelius said. “We imagine this is in part due to current appropriations law and the continued negotiations between the executive branch and the Congress on the appropriate use and oversight of taxpayer dollars.”

He added that both the appropriators and authorizers should look at these requests seriously as the time is right to make the MGT Act more than just a feel-good talking point.

“These select agencies will be more empowered to deliver IT modernization in a smarter, more cost effective way and can invest more wisely in commercial capabilities,” Cornelius said. “OMB and Congress get enhanced oversight of IT spending and deliverables, and can ensure better accountability for precious taxpayer dollars. And citizens will get the modern digital services they deserve from the government. Ultimately, IT modernization is about delivering better mission outcomes through technology and IT WCFs can be powerful, helpful tools to achieve that goal.”


Change is hard vs. real problems: The tale of the beta.sam.gov portal


In the three months since the General Services Administration transitioned to the beta.sam.gov portal for contract opportunities from the decades-old FedBizOpps.gov site, the raw numbers show concerns over the site have settled down.

The site has seen almost 900,000 visitors and 120,000 registered users since November. The number of calls to GSA’s help desk is at or below pre-transition levels.

“We don’t get any more help desk calls or asks for intervention than we did with the legacy FBO. And the calls we do get are generally around two things: how to log in and do multi-factor authentication and the second is how to use the new search features because they look very different than the legacy site,” said Judith Zawatsky, assistant commissioner in the Office of Systems Management in GSA’s Federal Acquisition Service, in an interview with Federal News Network.

Judith Zawatsky is the assistant commissioner in the Office of Systems Management in GSA’s Federal Acquisition Service.

But dig deeper, particularly among the folks who understand the inner workings of the new site, and frustration and disappointment over the transition and functionality of beta.sam.gov continue.

The dissatisfaction came to a head last week when the Professional Services Council sent GSA a letter detailing complaints and concerns brought to it by its members.

The 22-page letter highlighted concerns around four main areas:

  • Access challenges;
  • Search parameters;
  • The capability to receive contract information;
  • Difficulties in how the site displays information.

“[T]he new system has been judged by many of our member companies to be a far cry from its predecessor,” wrote Alan Chvotkin, the executive vice president and counsel for PSC. “And while the respondents included many mid-tier and large companies, feedback from many of our small businesses was particularly critical. The volume, consistency and detail of the responses we received demonstrate how vital this portal is to our partners.”

While some of what PSC highlighted, including questioning the need for multi-factor authentication and the way GSA set up the search terms, is more about aesthetics and the need to get used to the new site, there are some real problems with beta.sam.gov.

Users not seeing the right data

“GSA didn’t do a good job bringing functionality to beta.sam.gov from FBO, like emailing opportunities,” said Amber Hart, co-founder of the Pulse of GovCon, a market intelligence firm, and an outspoken critic of beta.sam.gov, in an interview with Federal News Network. “We work in the back end of the system a lot, and there are a lot of complaints about how the opportunities are organized, how the contract awards are organized, whether you are pulling up everything that is part of an active procurement or not. The naming structure isn’t correct, information is not organized by date correctly and the search functionality is degrading.”

Hart offered one example of this problem. When a contractor searches for all awards or all opportunities from a particular agency, but the contracting officer entered only the specific office that made the award, the system does not recognize that the award belongs in the headquarters agency’s full listing. So the user may miss important information because of the way GSA designed the system.

Lisa Mundt, the other co-founder of Pulse of GovCon, said the federal hierarchy of agency listings does not match up, meaning there is a lack of standardization, and that is affecting how the site provides information.

“Most users are not seeing the data they expect and then they get frustrated. But there are technical reasons why they can’t trust the data and why they need to rely on more expensive intelligence providers,” said Spence Witten, the vice president of global sales for Lunarline. “We have identified real issues on the back end that are not being fixed. We have heard nothing that is in GSA’s development pipeline to address many of these underlying concerns. It’s shades of Healthcare.gov but on a lesser scale. We are not getting warm fuzzies that they have figured it out.”

Agile approach to adding new capabilities

GSA is quick to admit beta.sam.gov isn’t perfect and there is plenty of room for improvement.

Zawatsky said her office’s list of new capabilities it wants to add to the site is growing. Almost immediately after launch, GSA responded to user requests and added the ability to receive email push notifications about new information.

“We are using an at-scale, agile development both process and deployment,” she said. “We have been working on several other things in order to be able to improve the site. In some cases, we are just now going through and designing some of the things. When we met with the users prior to developing the new interface, one of the things we heard is they wanted a lot more flexibility in our search capabilities and they wanted to set the parameters. That’s what we designed. What we found is people miss the old search parameters so the team has architected out moving back to some more defined search parameters as the default. We are in the process of testing those and getting ready to prioritize those for delivery.”


At the same time, Zawatsky knows the user base is diverse, so a change that makes one person happy could frustrate another.

Vicky Niblett, the deputy assistant commissioner for the Integrated Award Environment (IAE) in GSA’s Federal Acquisition Service, said that is why GSA is constantly talking to and educating industry and contracting officers about the site’s functionalities.

She said since November GSA has participated in more than 30 events targeting contractors and has another 10 planned in the next month.

“I spoke at the national 8(a) event and was quite encouraged by the feedback I received after the session. The favorite feedback I received was from a self-proclaimed complainer with the initial launch. He did tell me after hearing the session and after the time he’s had with the system, he is quite pleased with how things are with the system, especially after we released the functionality to provide email notifications for saved searches,” Niblett said. “Overall, what we are hearing is once we get out there and we are able to engage with the users and they have time to get used to the system and adjust to the change, they are feeling more comfortable with the system and being able to perform their job.”

Change is never easy

But Pulse of GovCon’s Hart and Mundt say GSA hasn’t done a good job listening to its users. They have tried on multiple occasions to offer feedback and to be part of user testing, but their requests have gone unanswered.

Amber Hart is the co-founder of the Pulse of GovCon.

“We emailed them a lot of our concerns when the beta testing became public. We went to social media. We went to events. We submitted questions online, but never heard anything back,” Hart said. “Now we have been working on the back end so we understand how complicated the task is. And this is why it feels rushed and GSA didn’t take time to understand what industry needs. How can they replace FBO with a beta system that was not ready for launch and it’s still not? For a system that is incredibly important, it’s extremely irresponsible for them to launch this system that wasn’t ready.”

Other users of beta.sam.gov attribute the frustrations to the simple fact that change is hard.

Roger Waldron, the president of the Coalition for Government Procurement, said GSA has been receptive to his members’ feedback and is working hard to address any concerns.

Kevin Plexico, the senior vice president of information solutions for Deltek, a market research firm, said the firm’s analysts run into some minor frustrations, but the transition hasn’t had a huge impact on how they pull data.

“I think there is a bit of both frustration over problems and the fact people don’t like change,” he said. “I think because companies’ revenue generation is at stake when they are held up by the site and there is a potential economic loss if they miss an opportunity, the frustration seems great.”

Plexico said Deltek is watching GSA’s next transition, of the data reports that currently run in the Federal Procurement Data System-Next Generation and will now run through beta.sam.gov.

He said if those reports don’t work or if there are problems, the uproar will be as great as or greater than the one over the move from FedBizOpps.gov to beta.sam.gov.

Testing underway for FPDS-NG

Zawatsky said her office is aware of the importance of the FPDS-NG report-generating capability and is taking steps to mitigate any risks.

“We are testing the existing ad hoc reporting capabilities and getting ready for the March migration,” she said. “We’ve worked a great deal with users who have a substantial amount of ad hoc reports prior to the migration to make sure that they understood. We’ve used robotics process automation (RPA) to be able to migrate over the existing ad hoc reports and data. It is incredibly innovative work. The other thing we are doing is because we knew there was latency on the system last time and we know migrating the reports will drive greater usage on the platform. We know historically how many people pull a report or go into the reporting feature on FPDS, and we are designing for many, many times that load. But if in the first day or two everyone jumps in there and there is 20 times that load, that’s not something we can architect to because that is not what the sustainable usage will be. But the team is designing for a heavy push in the beginning so that it does not cause any issues with access to the system.”

As for beta.sam.gov, Zawatsky said GSA is listening to industry feedback both through the help desk and through the feedback button on the site to continually improve the functionality.

“If somebody is having a problem, we definitely want people to call the help desk. We have a large team of people there who can give very standard answers and people who can escalate problems and provide help,” she said. “The feedback mechanism, however, is not a help desk. You will not get a response back from someone. We’ve gone through PSC’s list of things brought to our attention and we are looking at it to determine where we can educate the public and users, and where there are opportunities to enhance the system to ensure people are able to compete for opportunities.”

