Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


Bid protests, suspension and debarments continue to drop, but for how long?

The number of protests filed by contractors in fiscal 2019 is significantly down.

The number of vendors suspended or debarred by agencies in fiscal 2018 also dropped considerably.

But what agencies and industry need to really pay attention to is the fine print in the new reports issued last week by the Government Accountability Office and the Interagency Suspension and Debarment Committee, respectively.

Let’s start with the suspension and debarment committee’s report. While the number of suspensions, proposed debarments and debarments dropped for a fourth straight year in fiscal 2018 — the latest data that the committee released in late October — that trend may be over by 2020.

Source: Interagency Suspension and Debarment Committee 2019 report to Congress.

The committee created a cybersecurity subcommittee to track and report contractor compliance issues and developments.

“This should be a signal to the contractor community. Cybersecurity compliance activities are not only for national security reasons, but for the sake of your company and you need to be attentive to these requirements because noncompliance has significant ramifications,” said Fred Levy, a partner with the law firm Covington and the co-chairman of the firm’s Government Contracts Practice Group. “Anecdotally, we are handling more cyber compliance related cases. We have had debarment matters related to cyber matters and cyber as supply chain issues already. It will become an ever-increasing matter of focus as it becomes a greater item for focus for agencies.”

Levy and other procurement lawyers pointed to the “qui tam” case brought against Cisco that came to light earlier this year around cybersecurity flaws in equipment. Cisco settled the case by agreeing to pay $8.6 million.

Eric Crusius, a partner with the law firm Holland & Knight, said this is another example of how the government is concerned enough about cybersecurity that it’s attacking it on as many different angles as it can.

“It shows cyber is not just a contract administration issue anymore. It’s an issue that could render a company not fit to do business with the government,” Crusius said. “And, of course that can lead to a company going out of business. Even short of that, I wouldn’t be surprised to see cyber impacting contractor performance assessment ratings (CPARS) and resulting in termination for convenience and default.”

The Defense Department’s plan to develop and implement a cybersecurity maturity model certification will add another wrinkle to the suspension and debarment oversight.

Even if an agency receives approval from a third-party, experts say vendors are concerned about the liability of the flow-down provisions to second, third and fourth tier subcontractors.

“No one wants to be accused of not doing enough so every vendor wants to do everything so there is a bit of a gold rush of trying to make sure companies are doing everything they can to protect the data and systems,” Crusius said. “I think there are two reasons why there is this focus now. The first is it takes time for the bureaucracy to catch up after the cyber breaches. The second is what has been going on with Kaspersky Lab, ZTE, and Huawei. I think the provisions were a wake-up call as was the creation of the Federal Acquisition Security Council.”

Along with the focus on cybersecurity, the suspension and debarment report also highlighted the continued increase in pre-notice letters, whose use has almost tripled over the last decade and increased by 37 since 2016.

Rob Burton, a partner with Crowell & Moring’s government contracts group and a former deputy administrator in the Office of Federal Procurement Policy, said these numbers reflect that agencies are giving vendors a better chance to explain any concerns.

“There’s never been due process at the suspension or proposed debarment stage and that’s been a real problem. The regulations have never been changed because politically it’s hard to do because it looks like you are soft on contractors,” he said. “Pre-notice letters are just a good practice. I think agencies realize it’s not fair to debar someone for a period of time without any ability to respond in a timely manner.”

Angela Styles, a partner with the law firm Akin, Gump, Strauss, Hauer and Feld and a former OFPP administrator, said the goal is not to keep companies from doing business, but for them to do business in an ethical way.

“Pre-notice letters help agencies to be more proactive versus suspension and debarment, which is really punishing companies,” she said. “It also makes for better outcomes because the agency can be more comfortable with how the company is doing business with the government.”

Bid protests down by 16%

GAO’s annual bid protest report to Congress shows an overall decrease in the number of cases filed as well as downward trends in nearly every other category.

Source: GAO’s 2019 bid protest report to Congress.

But the one area that didn’t decrease is the number of task or delivery order bid protests. GAO reported vendors filed 373 complaints last year, up from 356 in 2018 and 256 in 2017.

Congress first gave GAO the authority to hear task or delivery order protests in the 2008 defense authorization bill.

Procurement experts didn’t agree on why the number of protests increased.

Crowell & Moring’s Burton said agencies are driving more and more procurement dollars through task orders and since unsuccessful bidders can’t protest anything under $10 million, it’s an attractive path.

Akin Gump’s Styles said she would be surprised if the protest limit is driving agency acquisition strategies.

Holland & Knight’s Crusius said the increase in task and delivery order protests comes from the basic reason that agencies are spending more money through those vehicles.

For instance, the General Services Administration reported record sales in fiscal 2018 of $68 billion, which is 23% more than in 2017. GSA expects 2019 to reach similar heights.

“I think the limit on $10 million needs to be changed,” Burton said. “I think protests are a great check on the system, especially for small companies. There are a lot of their contracts that are below that $10 million threshold, and they have no redress or recourse, and it’s unfair to these companies.”

Hunter Bennett, a counsel with Covington, said the overall drop in protests can be attributed, in part, to the new filing fee GAO instituted. GAO charges vendors $350 per protest.

“My sense is that the fee is discouraging some of the people who file protests outside the box,” he said.

At the same time, Bennett said because the overall effectiveness rate, which measures how often the protestor receives some sort of relief, whether through the agency taking corrective action or by winning the protest, remained steady at 44%, the number of protests with merit remains strong.

“Agencies are willing to take a hard look at claims raised and the agency is willing to take corrective action and take another look,” he said.


DISA forecasts a busy 2020 by turning pilots into operational capabilities


The Defense Information Systems Agency’s annual forecast to industry typically is a must-attend event, and one other agencies would be smart to replicate.

DISA brings together in one place nearly every senior executive running programs and offices to tell industry what to expect over the next year or more.

This year’s event, at Martin’s West in Baltimore—yes, the place where you probably had your senior prom if you grew up in Maryland—was well attended by more than 1,000 contractors and didn’t have parking problems like the 2018 event.

While the overall content was a bit lackluster as it felt like the format focused more on getting through the presentations than providing the expected depth and breadth, it was clear DISA has a lot on its plate.

Here are my three takeaways from the forecast to industry day:

MilCloud 2.0 growing

Despite some challenges and potential hesitations, the Defense Department services and agencies are moving to DISA’s internal cloud offering.

MilCloud 2.0 is growing each month as the military services and agencies aren’t waiting for those four-letter cloud efforts to be ready. While the Joint Enterprise Defense Infrastructure (JEDI) or Defense Enterprise Office Solutions (DEOS) programs are mired in protests, DISA, the Army Materiel Command and the Defense Contract Management Agency are among those DoD components to have moved applications to MilCloud 2.0.

Army Maj. Gen. Garrett Yee, DISA’s senior procurement executive, said Army Materiel Command just committed to moving more than 100 applications to the cloud instance, while DCMA migrated 29 applications in less than 90 days.


DISA also moved 28 of its own apps to MilCloud 2.0 earlier this year.

“It will continue to be a viable capability for mission partners now and into the future. The department recognizes that we will continue to be in a multi-cloud environment,” Yee said. “The reality is there will be a combination of a lot of cloud capabilities. It’s a matter of finding the right capability for an application to be hosted some place.”

Dave Bennett, DISA’s director of the Operations Directorate, said moving DCMA’s applications in 90 days is both a big win and an example of the maturation of the platform.

“We are showing the ability to migrate cloud ready capabilities and progress at scale and at speed as opposed to taking a year or a very lengthy period to move to the cloud,” he said.

Additionally, Bennett said the classified version of MilCloud 2 should be ready to start accepting applications no later than January.

“Between MilCloud 2.0, the JEDI solution and other cloud solutions, we are working with the DoD CIO and others to establish a group of cloud shared services that are back-end capabilities that cloud providers and application owners would be able to leverage so they don’t have to create their own back-end services. It’s a way to speed the movement to the cloud, reduce the cost and get a more consistent look and feel in terms of delivering and leveraging services within the cloud,” he said. “We just implemented another instance of a cloud access point so as we are increasing the bandwidth to the access points, we also are increasing the diversity of the access points so everybody will be able to leverage the capabilities in the cloud without bandwidth being a constraint.”

4th estate on the move

If each program and project is a plate DISA is spinning, consider the 4th Estate consolidation and modernization effort one of those plates that Italian restaurants serve family style.

The initiative will add 1,200 employees, almost $1 billion in new work and 14 agency customers to make happy.

Air Force Col. Chris Autrey, the chief of the Defense Enclave Services Office at DISA, may have the most fingers trying to balance that spinning plate.

Autrey said the first generation of the 4th Estate Consolidation is to bring DISA and four other smaller agencies onto a single network called DoDNet by the end of 2021.

“We are doing that initial contract award to do the support and migrate those folks. The source selection is underway right now,” Autrey said in an interview after his speech at the industry day. “In addition to that, we also did the global services contract consolidation, which is allowing all of the agencies to use a single, larger competed support desk contract for cost efficiencies. They will all come onto that contract over the next year or so to help them reduce their costs while still giving them a source of someone to do their services desk work.”

Just this past August, DoD’s CIO signed out the 4th Estate execution guidance, making the effort an actual program.

The memo grants DISA the official authority to direct the transition of the 14 agencies into a shared services environment by the end of 2024 and it lists all the common use IT services that DISA will now manage.

Along with DISA, those first four agencies to transition in 2021 include Defense Technical Information Center (DTIC), Defense Media Activity (DMA), Defense POW/MIA Accounting Agency (DPAA) and the Defense MicroElectronics Agency (DMEA).

Additionally, Autrey said DISA set up a products contract with NASA SEWP to standardize the purchase of hardware devices.

“Part of what we are doing is gain efficiencies in the workload so I can put less money against contracts to do this level of work. One of the ways we need to do that is standardized images for like desktops across the 4th Estate. Today if I have 40 different types of laptops, that’s 40 types of baselines and images that I need to keep for those. I can’t afford to do that in the future. That’s a bridge too far,” he said. “By bringing the agency into a pre-competed set of equipment that is approved, meets all the cybersecurity requirements, we have a known good baseline to work with and if you are buying off that list we can support it.”

The products work with NASA SEWP is one of 10 IT services and capabilities DISA will assume responsibility for over the next few years. The other areas include storage, cybersecurity and network access services, according to the Aug. 15 memo.

DISA expects to release the solicitation for the larger DES contract for the remaining agencies in early 2021 with an award in early 2022.

“With the initial pilot, we will see how the initial capability will work. We hope the DES contract provider will come forward with innovative solutions for how to deliver services better and more efficiently,” Autrey said. “We would like to take that innovation and expertise to create a better solution as we migrate the majority of the 4th Estate to the solution.”

One of the biggest challenges with the 4th Estate consolidation is getting every customer agency to agree to the path forward.

Autrey credits the DoD CIO’s office in creating a transparent and collaborative process.

“Danielle Metz [the principal director for the deputy CIO for Information Enterprise], meets with the seniors from the agencies and everything we are doing is an open book to these agencies, everything with the finances, with the plan for schedules, everything with our hardware buy so that open transparency,” he said. “In the end, it’s the same story that everyone gets, no one has a question and can say they haven’t been told, and has the opportunity to contribute to the conversation.”

Pilots everywhere

One of the common themes that emerged during industry day is DISA’s excitement over new and emerging technologies.

Diane Phan, DISA’s endpoint security program manager, said the agency plans to update an endpoint detection and response capability pilot from 2017 looking at new technologies like machine learning and automation in the cloud.

She said the agency will release a request for information in early 2020 and plans to make a contract award by the third quarter of the fiscal year.

Similarly, Phan said DISA is planning acquisitions for application containment capabilities and to expand the comply-to-connect effort across all of DoD.

Tinisha McMillan, the program manager for cyber situational awareness and network operations at DISA, said one of her major efforts is to look at tools and ensure they have an effective and consolidated approach to network defense.

“We need to align analytics to get after defense cyber operations space and ensure we have a rapid incident response,” she said. “That is a critical capability, but we haven’t had a lot of response from industry on it.”

McMillan said DISA will release a follow-on contract in early 2022 for continuous monitoring and risk scoring capabilities as part of obtaining more advanced tools.

Another technology DISA wants to build more capabilities around is mobile security.

Neil Mazuranic, the chief of the services development office, said DISA is developing a mobility prototype to improve how it is developing mobile applications and adhering to standards.

“Having such an environment will give us an opportunity for mission partners to develop applications and put them out to be used by soldiers more quickly,” he said.

Mark Long, who leads DISA’s mobility portfolio management office, said one of his goals is to bring managed mobile services to the secret and top secret levels for government-owned devices.

“We are looking for the next generation enterprise management mobility tool,” Long said. “Expect to see that soon.”

Securing the browser

And then there is Steve Wallace, who leads DISA’s emerging technology directorate.

Wallace is at the forefront of a majority of DISA’s testing and piloting of efforts.

His team has tested several prototypes to transform the way DoD ensures the identity of its users.

Wallace called the assured identity effort part of how DoD is modernizing its traditional approach using the common access card to ensure the right people have access to the network and data. He said the question this initiative is trying to answer is how can DoD continually monitor a user’s interaction with the military’s systems?

“Over the last year we were working with a chip set manufacturer to integrate the capabilities. Now we are working with a handset manufacturer to integrate those capabilities. So we are working our way up the stack,” Wallace said. “We did one prototype that is all software based that is nine months into the cycle. The prototype with the handset manufacturer is integrating the capabilities focused on Android devices. In about a year, I would hope we will be much further along and have that continuous authentication going on in the background on the handset.”

Another initiative that Wallace expects to pay dividends in 2020 is the browser isolation pilot.

DISA awarded two Other Transaction Agreements in 2019 to look at better ways to defend the DoD Information Network (DoDIN).

“We have two vendors that we are baking off against each other. The challenge is this area is still fairly green in terms of technology so we wanted to see where the technology landed,” Wallace said. “We are at about 15,000 end points right now. Our goal is to reach 100,000 end points within the next 3-to-6 months, and then we will move into a transition period where we hopefully will move the entire department into this type of solution.”

He added the feedback so far has been positive with an equal or better browser experience for the users.

“I don’t want to rush into a selection until we have had time to properly exercise it. We wanted a large cross section of the department to get experience with it and give us the feedback so we could make a more educated decision,” Wallace said.

A third area where DISA is just wading into is distributed ledger technology. Wallace said he believes blockchain is a useful technology and he wants to see how DISA could offer blockchain-as-a-service.

“The answer right now to every IT problem is not blockchain. We are finding useful areas to leverage it,” he said. “We are testing it in our Mechanicsburg data center. It’s really allowing us to explore the technology. There’s been a lot of attempts over the last few years to use blockchain in any number of ways, and, more often than not, it can be solved with a simple relational database and you don’t need all that overhead. But where it gets interesting is in the logistical space where you potentially want to share that dataset out among multiple groups of folks and you don’t want to give them access to a database or web service. But you can have this ledger that you can distribute and it’s secured in a cryptographic manner so that everyone has the ability to read if not potentially write to it. But we can make it more robust than it needs to be. Logistics is a good use area for something like blockchain.”


What FEMA is to disaster response, CISA should be for cyber response

Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, admitted he had a lot of sleepless nights earlier this summer. He spent long hours worrying about how Baltimore City, five school districts in Louisiana and 22 jurisdictions in Texas would get out from under a ransomware attack.

During those long nights where DHS provided technical and operational support to those and other cities who fell under the scourge of the latest cyber assault, Krebs said it occurred to him that the government doesn’t have the same doctrine for a large-scale cyber event as FEMA has for man-made and natural disasters.


“If you look at FEMA, they have operational plans, exercises and drills. They have an incredible wealth of doctrine, experience and understanding of who does what and when,” Krebs said at the CISA cyber summit in August. “We have to develop that underneath the National Cyber Incident Response Plan (NCIRP).”

The NCIRP and Presidential Policy Directive (PPD)-41, which the Obama administration released July 2016, was supposed to serve as that detailed response plan. Experts say the goals of the NCIRP and PPD-41 never materialized, and, in fact, some say the government is in a more precarious position today than it was four or five years ago.

Krebs seems to realize that and is calling for an implementing doctrine that more specifically details how CISA, the FBI and law enforcement and the intelligence community can work together to respond to a major cyber attack against the country’s critical infrastructure or federal networks.

“The NCIRP is not an actionable plan. It’s more of something closer to a framework that gives a broad overview of the general responsibilities across all federal agencies,” he said. “We have to know what if all 254 counties in Texas get attacked by ransomware. What should states anticipate come from the government, from CISA, from the National Guard? We just need to be clear on expectations and what we will do to solve issues together.”

Krebs added that unlike FEMA, which drills and gets to know the first responders and others who would help during a hurricane or wildfire, CISA doesn’t do the same thing. The closest thing is the biennial cyber storm exercise, which happens every two years to test the NCIRP.

Industry experts say while the cyber storm exercise is helpful, it is not enough.

“The one thing we are looking for is a consistent and repeatable way for the government to engage with industry. Previously there was the unified coordination group (UCG) that included each of the critical infrastructure sectors on it. Its primary role was to staff and support the UCG. This was a forum if there was a national level cyber incident we could work through how to respond to that incident,” said Scott Algeier, executive director of the IT-Information Sharing and Analysis Center (IT-ISAC). “When DHS updated the cyber incident response plan at the end of the Obama administration, they took out the industry role with the UCG and said they would reach out to industry as needed. Considering the interdependencies across critical infrastructure community and the large amount of subject matter experts industry has, we hope to get to the point to restore industry representation in the cyber UCG as part of any updated response plan.”

Seat at the table disappeared

Bob Dix, an industry cyber expert and former vice president of government affairs and public policy at Juniper Networks, said the incident response plan triggers certain activities depending on the threat or attack, but there isn’t a defined role for critical infrastructure owners and operators.

“DHS brings owners and operators in on an as-needed basis and at the will of the government, particularly who they invite to the table. I think that is a flawed approach,” Dix said. “There should be a designated representative from various sectors who can work with the government to identify the companies and stakeholders who are impacted and need to have a seat at the table during a cyber attack.”

Dix said in the early 2010s, critical infrastructure providers had that seat at the table, but for some reason the Obama administration decided to change that approach.

“The notion of a cyber exercise program is a perfect candidate for testing out this approach with relevant stakeholders federal, state and local leaders and critical infrastructure providers,” Dix said. “We need to organize the scenario, test it and get recommendations and lessons learned and then apply them so we can be prepared for any major cyber incident.”

Algeier said one of the key findings from the 2018 cyber storm exercise was the need to have an industry representative on the UCG. But he said national exercises are not a substitute for monthly or quarterly interactions between government and industry experts.

Algeier added in the past the cyber UCG brought the right people together to create relationships that made the sharing of threats and vulnerabilities easier and created that all-important familiarity during times of crisis.

“The relationships have been lost as have the opportunities to develop a playbook for responding to different types of attacks,” he said. “You need an ongoing framework for how to respond. You can adjust and adopt as you go. You have to know who the right people are that need to respond to an incident. But right now, there is a huge gap because there is no standard way for industry and government to engage during a crisis.”

Dix added that the critical infrastructure providers and the government are so interconnected that by not including the private sector more broadly, predicting and reacting to potential and real cyber threats will fall woefully short.

Based on what Baltimore, Texas and Louisiana suffered through earlier this year, and that many cybersecurity researchers expect the threat of ransomware and other disruptors only to increase, it would seem that the time is right for Krebs to reconstitute the cyber UCG with full critical infrastructure sector participation.


Frictionless federal acquisition? It’s possible and a new online tool can help


One of the best questions that came up at the recent 2019 Imagine Nation ELC conference in Philadelphia, Pennsylvania was during a panel on acquisition. It went something like this: If the Federal Acquisition Regulations are a Frankenstein monster of cobbled together rules and requirements, why not just start over?

A question many federal acquisition and program managers probably have asked themselves at least a dozen times a year.

While the 2,000-page FAR probably has some body parts that agencies could do without, there is no reason to kill the monster.

Meagan Metzger, founder and CEO of Dcode, which promotes the use of commercial technology in the public sector, said there are important concepts that the FAR promotes that every contracting officer or program manager needs to know.

Chris Hamm, the director of FEDSIM at the General Services Administration, offered a common refrain—the FAR lets you do almost anything, especially under Parts 8.4 and 12.

Then why are agencies and vendors alike so excited about Other Transaction Authorities (OTAs) or Commercial Solution Openings (CSOs) as a way to avoid—get around—using the FAR?

New data from the Professional Services Council’s 2019 Vision Forecast found the Defense Department’s use of OTAs mushroomed by 40% in 2018 over 2017 and some estimates say the Pentagon could spend as much as $7 billion through this approach in 2019.

GSA and the Department of Homeland Security also have begun using similar authorities.

GSA, for instance, has done eight awards under its CSO authority. Tom Howder, the acting deputy commissioner of the Federal Acquisition Service, said at the PSC event that 75% of the awards went to companies without a GSA schedule, meaning non-traditional contractors.

It’s clear agencies want to find a way around both the real and perceived arduous requirements of the FAR.

But if the only way to reduce the friction of the federal acquisition process is by not using the FAR, then something more has to be done.

Dr. Michael Wooten, the administrator of the Office of Federal Procurement Policy, seems to recognize this fact as the calls for expanding OTA and CSO authority continue to grow.


At the PSC Forecast event, for instance, Howder said he’d like OFPP to continue to focus on the simplification of federal procurement and even roll out the tools like OTAs and CSOs more broadly across government.

Wooten’s response is to call on technology such as artificial intelligence and robotic process automation to begin to reduce friction-causing requirements like market research or paperwork.

“Things like professional services and IT development can be managed better. Customers should understand what it takes to deliver the solution that is required and we should have a reliable dialogue with industry to make that happen,” Wooten said at the ImagineNation ELC conference. “The power and potential of AI, machine learning and natural language processing is real and imagine what we can do to manage customer expectations of our customers. We can harvest data and return value to the taxpayer.”

Elements of acquisition innovation

In the short term, OFPP and ACT-IAC are trying to reduce the friction of acquisition through a new Periodic Table of Acquisition Elements.

Lesley Field, the deputy administrator of OFPP, said at the ImagineNation ELC conference that the goal a year ago when this project started was to come up with approaches to help the workforce be more creative and innovative.

“How do we make the FAR come to life?” Field asked. “We have a lot of flexibility in the FAR. Contracting officers have more authority than they think they do.”

Gissa Sateri, an account executive with REI Systems and one of the team leaders, credited David Zvenyach, the former executive director of GSA’s 18F organization, with creating the Periodic Table. It details steps in each of the five phases of federal acquisition to promote innovation and creativity, or just to remind acquisition workers of the tools they have at their disposal.

Each entry includes a description of the item, the problem to be solved, the benefits of using this approach and any use cases or documentation that would be helpful to accomplish the goal.

“We are looking for wormholes through the FAR to get from point A to B faster, with less friction and with fewer obstacles,” said Tim Cooke, another project lead and president and CEO of ASI Government. “The bigger picture of this initiative is to speed up adoption of things that have been working. We have been finding those things, describing those to the workforce and giving them a place to find and learn so then they can begin to try them on their own.”

Not another playbook

Sateri said the group wanted to steer away from another playbook or white paper “that no one would ever read,” and create a public facing website that can be updated and improved over time.

“We laid out the stages of acquisitions, the steps under each phase, what is behind each of those steps, the description of those steps and what the benefits are for the use of that step and the samples we found,” she said.

Field said over the next year the working group will continue to look for innovative approaches that they can add to the periodic table. Additionally, she said OFPP will promote the website across the acquisition community. Field said OFPP and the Chief Acquisition Officers Council know it’s difficult to reach frontline acquisition workers, so they want to raise the level of visibility of the new tool.

“We will work through the agency innovation advocates, industry liaisons, directors of Offices of Small and Disadvantaged Business Utilization, category managers and others to create networks to share and let acquisition workers be more innovative,” she said. “We also will meet with the procurement lawyers and provide a demonstration to them and others as another way to promote the tools.”

The most important thing Wooten, Field and other federal acquisition leaders can do is provide contracting officers with the top cover to use the FAR without having to worry about auditors or Congress coming down on them for problems or failures. The best thing Wooten could do is share the Periodic Table with auditors and other overseers, explain to them OFPP’s goals and ensure agencies are working with them throughout the entire process of using an innovative method. If OFPP just puts the website out there, the “Field of Dreams” approach will not work.


FITARA is turning 5 years old and some CIOs are just receiving benefits of the law

Editor’s Note: The industry-government organization American Council for Technology and Industry Advisory Council, or ACT-IAC, rebounded nicely with the 2019 edition of its ImagineNation ELC conference.

With more than 1,000 attendees and dozens of sessions focused on all the typical hot topics in federal IT, the conference covered the range of discussions from thought-provoking innovation that is happening across government, to the usual trite comments around “cyber is a team sport” or the oldie-but-goodie, “It’s not the technology, it’s the culture that needs to change.”

Several industry attendees told me they wish more government people attended, and others said they would have liked to see a more non-IT discussion. But overall, the reaction is the 2019 version was much better all-around than the 2018 conference.

Here is part 2 of my takeaways from the 2019 edition of its ImagineNation ELC conference.

This December, the Federal IT Acquisition Reform Act (FITARA) turns five years old.

Step back and think about that fact for a second—it has taken half a decade for chief information officers to only begin to truly have the power to manage and control their agency’s technology spending.

NASA is the latest example of the change for CIOs that finally is happening. Renee Wynn, the NASA CIO, said at the ImagineNation ELC conference that starting in October 2020 all employees whose job it is to do IT will fall under her office.

Wynn called it having more “custody and control” of all IT across NASA.

“I now have full responsibility for software lifecycle management across NASA. It was just given to us. I hope to get the plan approved in December to begin implementation,” she said. “That means if engineers need software they are coming to us or if rocket scientists need software, they will come to us too.”

That has not been the case at NASA for decades, where the CIO had limited visibility into and control over the mission area IT. That caused huge cybersecurity risks and real problems that Wynn only now is starting to address.

“This is one step toward managing our supply chain risks. We have processes in place, but cannot scale fast enough. We are all beginning to recognize it’s a rich field for attack,” she said. “I now have a cyber professional embedded for entire set of phases for Artemis, our mission to get boots to the Moon and then Mars. That embed is pulling together the highest risks we face. It’s not just landing on the moon or Mars, but the hardware and software risks associated with it.”

NASA earned a B+ grade in the December 2018 scorecard only to see a huge drop in the June 2019 report down to a D-. Part of the reason for the drop is that Wynn doesn’t report directly to the NASA administrator or deputy administrator; another part is poor cybersecurity scores.

SBA CIO approves more IT buys

Wynn’s experience getting more control of NASA’s IT is but one example of FITARA in action across the government.

Maria Roat, the Small Business Administration CIO, said it took her 2-to-3 years to lower the requirement that SBA offices seek her approval for any IT buy worth $50,000 and above. The approval level used to be set at $150,000 or more.

“Now I’m trying to get my arms around credit card spending, which is up to $10,000,” she said. “Last year, one of our offices bought servers at the end of the calendar year and we didn’t know about it. But once they tried to connect it to our network, it was flagged and the servers are still sitting there unconnected.”

SBA received a B+ on the FITARA scorecard for the last two grading periods, receiving three As in the process.

So here we are five years later, and many agencies only now are seeing the impact of FITARA. Part of the reason is change in culture and in policy doesn’t come easy to government—no surprise there—and another part of the reason is having the right CIO and agency leadership in place. ACT-IAC has been trying to help out, releasing a FITARA maturity model and updating it in August. Project leaders say another revision already is in the works.

David Powner, the former Government Accountability Office director of IT management and now director of strategic engagement and partnerships at MITRE, said GAO and Congress designed the FITARA scorecard initially to get the right attention and drive the outcomes desired by the law.

Powner said after focusing the scorecard on the initial goals of FITARA and expanding it to include software license management, it’s time to update what it measures and what new behaviors it should drive.

“The scorecard should be a federal government and not a Congressional scorecard. The legislative branch and executive branch need to come together more on what is measured, and I think they both need to give a little bit,” he said.

Powner said that means the scorecard should follow the President’s Management Agenda areas like mission fulfillment, workforce training and even something like customer satisfaction.

FITARA scorecard overhaul coming

Margie Graves, the deputy CIO of the federal government, said OMB recognizes the FITARA scorecard needs to evolve and is working closely with GAO and the CIO Council on what the new grading areas will look like.

“We are redesigning what measures should be and how we can drive the change we want in the future around citizen services, customer satisfaction and mission delivery,” Graves said. “All these things put the end recipient at the center of the equation. The other thing that we will see change is meeting each agency where they are. Some measures do work for one-size fits all, but they are few and far between. We need to lay out a plan that is relative to that agency and have them hit milestones they have laid out. Those are measures to make sure people are scored fairly. This is not about blame and shame, but moving the needle and getting people to right place.”

Tony Scott, the former federal CIO during the Obama administration, offered a different perspective on what the scorecard should measure.

He said agencies don’t do a good job measuring debt, which would tell them where to put money and resources.

“From a transparency and visibility perspective, we need to measure technical debt we are incurring when we don’t address the legacy stuff we have, and how far we are falling behind. It’s no different than measuring the national debt,” he said. “Then there is architectural debt. That measures old models versus old technologies and how the organizational structures are part of the systems we create. If you look at the way organizations outside of government digitized, they focused more on horizontal integration not vertical integration.”

Scott said the final debt that OMB should measure is around policy or process debt.

“We have to clear the dust or cobwebs out of attic and create an environment where things can survive when there is change. It’s about having the best rules under which we operate,” he said. “I’d love to see the scorecard measure those three things, and figure out if we really are making progress.”

No matter what the scorecard ends up measuring, the fact is the agencies are starting to feel the impact of the 5-year-old law. The scorecard combined with Congressional oversight has driven better behaviors across the government—admittedly far from perfect, but the progress and impact are real.


Cyber reskilled, but in my old job: A common refrain for program graduates

Here is part 1 of my takeaways from the 2019 edition of ACT-IAC’s ImagineNation ELC conference:

The cybersecurity reskilling initiative is, without a doubt, one of the highlights of the Trump administration’s management agenda.

The concept of training federal employees with new, in-demand skills addresses two big challenges every agency faces: The changing nature of work across the government and the inability to hire new employees quickly enough.

In fact, reskilling combined with the swift acceptance of robotic process automation is setting up the government to be a much different place in the next decade. That is, if the administration can solve the systemic problems with the General Schedule system.

Margaret Weichert, the deputy director for management at the Office of Management and Budget, expressed real frustration with the GS system after revealing 50 employees graduated from the cybersecurity reskilling program, but only one moved to a new position using those new skill sets.

“We have people who want new jobs. We have jobs, but we have a very old, well-intentioned code related to fairness in hiring, but it’s not agile and it’s not responsive to the needs of the 21st century,” Weichert said at the ImagineNation ELC conference. “I’m deeply concerned about structural impediments to bring agility to government.”

Weichert told me after her speech in a brief conversation that she realizes the GS system’s rigidness is a huge impediment to the governmentwide reskilling effort and wants to do something about it.

The administration will have a similar challenge if, or when, it gets its data scientist reskilling initiative off the ground, addressing another huge need across the government.

“Agility is built-in in the private sector. These companies know you can’t survive forever so they have to earn it every quarter,” she said. “It is critical for government to get where we need to be in the 21st century. I continue to ask for innovative thinking. Don’t stop because you know why it will not work, don’t stop giving us your ideas and how we can get to yes in the 21st century and turn good intentions into actual execution.”

One short-term approach to addressing the GS challenge is through a new cybersecurity rotational program for graduates of the academy. The job rotational program would last for nine months after the three-month academy.

Biggest obstacle to reskilling effort

But this will not solve the long-term inflexibility of the GS system.

The need to address the rigidity of the GS system is probably the biggest obstacle to the reskilling initiative being anything more than another good idea that another administration had but failed to deliver on because of a lack of internal fortitude.

The past two administrations are littered with these examples. The Obama administration wanted to decrease the “time-to-hire” for an employee. The Office of Personnel Management under John Berry made real progress, that is until Berry left to become the ambassador to Australia and no one picked up the mantle to run with it.

The administration of President George W. Bush showed the power of shared services when it consolidated payroll providers, but the other efforts around human resources, financial management, grants and several others petered out for an assortment of reasons, including the lack of strong leadership that understood how to work with Congress.

Some may wonder if Weichert has enough time to begin making the GS system more agile given it’s an election year, there isn’t much appetite on Capitol Hill for good government initiatives, and since she may have only one year left in her role.

Additionally, others may wonder whether the reskilling initiative would’ve met the Trump administration’s transformation goals in a much more productive and impactful way if Weichert had spent her year as both OMB DDM and acting OPM director fixing the GS system instead of pushing the ill-fated General Services Administration-OPM merger.

Of course, there are big “P” politics in play for Weichert and the management agenda priorities, too, that went into her and others’ decisions.

Automation plus reskilling is a powerful combination

Let’s digress back to the agility discussion. One of the ways agencies can become more agile is through the use of automation.

GSA is one good agency example of applying automation and data to drive agility in how they meet their mission. GSA Administrator Emily Murphy said the Public Buildings Service is applying RPA to do bilateral modifications for more than 8,000 leases to add the provision that prohibits the use of ZTE, Huawei and other Chinese-made telecommunications and video surveillance equipment.

“That means instead of lease contracting officers filling out forms and sending them out to everyone, we instead now have them press a button to send out the modified lease and then they can sign and ratify when it comes back,” Murphy said. “This is saving time and money.”

GSA is just one example of agencies applying automation to take care of the manual and the mundane.

Weichert said when she mentioned RPA to her staff at OMB more than two years ago, no one really knew much about it.

“Two years later how many RPA projects are there?” Weichert asked the audience at the conference, with hundreds of hands going up in response. “That represents hours and hours of effectively wasted effort from people who had good intentions to serve customers who now are in better positions to serve customers and no longer have to do remedial menial tasks.”

The reason why agencies moved to RPA so quickly is the agility in the procurement system — which many would say is an oxymoron. But the fact is, vendors could add these services to the GSA schedule or other contracts and agencies could put out contracts to get the bots installed and see value in a relatively short amount of time.

This is not the case with the reskilling academy, which is why Weichert, new OPM Director Dale Cabaniss and others should make fixing the GS system a top priority.

Because if Weichert wants her agile government that is powered by IT, people and data and one that builds trust, then it’s hard to see another path forward.


Army, DHA take steps to stop managing day-to-day IT operations

The end of fiscal 2019 brought plenty of excitement in the federal acquisition sector over the last week.

We saw protests—of course—much-anticipated contract awards and new acquisition strategies to set the stage for 2020.

All of this culminated in what the data likely will show was one of the busiest fourth quarters in a long time.

Let’s start with the big contract awards.

Late on Friday, the Army took a major step toward the goal of getting out of the day-to-day management of its IT services.

The Army awarded three contracts worth a total of more than $34 million under its enterprise IT-as-a-service (EITaaS) program to AT&T ($5.6 million), Verizon ($9.7 million) and Microsoft ($18.2 million).

Using the other transaction agreements (OTA) process, the Army will pilot this concept under a fixed-price contract to install contractor-operated networks on small, medium and large-sized bases.

And because it’s an OTA, the Army turned the awards around in about six weeks. The service released the OTA announcement in July.

At the same time because it’s an OTA, it’s unclear how many other bids the Army received and the likelihood of a protest is minimal.

The awards also put the Army on a similar path as the Air Force and the Navy in outsourcing the management of all IT services.

Army CIO/G6 Gen. Bruce Crawford has said in the past that the goal is to modernize the service’s network and IT services, and keep them updated as technology and needs change.

The Army estimated earlier this year that 70 percent of the servers, routers and end-user devices on its 288 worldwide facilities are at or near the end of life. The figure is even higher for the equipment that handles voice communications — about 90 percent.

While the Army is just getting started, the Air Force announced on Sept. 27 it is expanding its pilot with Microsoft for EITaaS.

Microsoft won a $44.9 million modification to its previously awarded contract for network-as-a-service.

The Air Force says under this contract adjustment Microsoft will provide WiFi, public cellular connectivity, base area network transformation and dual path wide area network connectivity at the three bases—Cannon Air Force Base, New Mexico; Hurlburt Air Force Base, Florida; and Maxwell Air Force Base, Alabama—that are part of this pilot.

This new work extends the pilot effort to Sept. 30, 2021 and means the total OTA now is worth more than $109 million.

Bill Marion, the Air Force’s deputy chief information officer, said at the recent Billington Cybersecurity Conference that the EITaaS pilot will pick up steam over the next month or so.

DHA details new approach to IT

Meanwhile, the Defense Health Agency issued a request for information seemingly following the services’ path for EITaaS.

While the RFI doesn’t specifically mention this as-a-service construct, DHA is asking for everything from IT operations support and lifecycle management to IT asset planning and management to identity management services to help desk to end-user device support to local area network administration.

“The DHA Deputy Assistant Director Information Operations/J-6 (DAD IO/J-6) has identified a significant and pressing need to refine its operational IT service delivery model,” the RFI states.

The delivery model focuses on having “standardized, consistent and repeatable processes for delivery of IT services across the DHA enterprise to optimize use of shared resources. A data-driven, evidence based and measured improvement of operational processes and IT services through the adoption of industry best practices. A continuous assessment of value and on-going operational optimization that drives efficiencies through redesign, redirection and/or automation.”

Responses are due Oct. 4.

DHA says it will review the RFI responses and ask selected companies to discuss specifics between Oct. 15-17 in San Antonio, Texas.

While DHA didn’t discuss its contracting strategy, it wouldn’t be surprising if it followed the Army and Air Force’s approach and used an OTA.

The question, however, continues to come up: if OTAs are supposed to be used to bring in innovative or non-traditional government contractors, then why are the services hiring companies like AT&T, Microsoft and Verizon? If there are innovative companies working as subcontractors, then it’s incumbent on the Army and the Air Force to be transparent about who those non-traditional vendors are and what services they are providing.

Otherwise, it just looks as though the Army and Air Force went around the federal procurement process and exploited the OTA process.

Air Force cloud award protested

One reason why DoD, and now potentially other agencies, are so attracted to OTAs is because of the fear of bid protests.

The Air Force experienced this with its recently awarded $728 million contract to SAIC to run its common cloud environment (CCE), now known as Cloud One.

Leidos filed a protest on Sept. 20 with the Government Accountability Office. GAO has until Dec. 30 to decide.

In the meantime, the Air Force’s plans to expand this enterprise commercial cloud platform for applications is delayed.

“The first CCE application went live in March 2018. To get there, the program has had to make initial investments. Each migration costs the U.S. Air Force approximately $446,000, and the total cost for the CCE program since 2015 is $136 million,” the Air Force states in an April 2019 release. “This shift frees up money and manpower for other requirements, like building better apps and improving network security.”

The goal for the Cloud One program is to create a standardized platform that uses zero trust architecture concepts to host legacy and new applications while providing the Air Force with better security and more agility to change the application as required by mission needs.

Army wants more from its data

The Army is doubling down to ensure it’s making the most of its troves of data. As part of the Program Executive Office for Enterprise Information Systems (PEO-EIS) reorganization, the Army named a new project manager for data.

Chérie Smith, the program executive officer for PEO-EIS, said last week that Col. R.J. Mikesh will be the Project Manager for Army Data and Analytic Platforms. He will focus on improving Army information readiness and data agility to facilitate fact-based and informed decisionmaking.

The new organization is still in the planning phase, but the goal is to align the PM AR-DAP under the assistant PEO for Business Mission Area within the next year. Mikesh comes to the new PM for data after serving as the PM for Army Enterprise Systems Integration Program.

CIO Council website upgrade

The federal CIO Council is making it easier to find and understand federal technology policies. The council launched a redesigned website on Friday with a new policy and priorities catalog detailing 19 items such as A-130, data center optimization and several others.

Federal CIO Suzette Kent wrote in a blog post that the council took a customer focused approach to the content and information architecture as part of the redesign.

She said by interviewing stakeholders, conducting user testing and looking at visitor data the council determined what information users were looking for and how to approach design so that they could find it quickly and easily.

This is the first update for CIO.gov since 2017 when it moved to a new hosting site and fixed some back-end challenges.


How OMB can make ‘agile government’ not an oxymoron

Over the last 18 months, the Office of Management and Budget painstakingly went over nearly every federal technology policy that came out in the last 20 years with an eye toward modernization.

Every new policy, whether for cloud or identity management or data center consolidation and optimization, that came from that effort included a list of rescinded regulations which had grown old and held no value any more.

The most recent update to the Trusted Internet Connections (TIC) initiative rescinded four policies, some dating back 12 years.

The identity management policy from May terminated five policies, of which some went back to 2004.

As you can see, OMB did more than a little spring cleaning.

This exercise over the last two years or more has led to a new way of thinking about policymaking. OMB and other agencies are taking a page out of the agile software development playbook and applying this methodology to policymaking.

“Because our environment is changing so quickly many of the things we’ve done was create methods, whether it was as simple as a timer to reevaluate every six months or every year and evaluate if this is still effective, or approaches and partnerships like the one with [the Department of Homeland Security’s] Cybersecurity and Infrastructure Security Agency (CISA) on TIC. If there is a better way or a better idea, we are not changing any of our security expectations and we continue to raise the bar, but we are creating a pathway to ask the question, ‘Is there a better way?’ And make that happen very quickly versus a decade or a long study,” said Suzette Kent, the federal chief information officer, at the CISA Cybersecurity Summit in September. “That is the kind of agility and nimbleness we have to have in this space because cybersecurity is a perpetual state of hyper vigilance. We have to constantly be evaluating what are we seeing, how do we act and what’s the next step?”

For the TIC policy, OMB worked with CISA, the Defense Department and several other agencies who tested out potential new approaches to securing internet gateways between the public and agency networks.

IT policy moving as fast as the threats

Jeanette Manfra, the assistant secretary for cybersecurity at CISA, said her office worked with OMB in coming up with both the key policy priorities and implementation guidance.

“The concept is to continue to be able to move fast as technology or the threat changes,” Manfra said in an interview. “We are just now in the last six or seven months realizing the benefits of that.”

OMB and DHS recognized that policies can’t be so broad that they can’t measure what successful implementation looks like, and at the same time implementation guidance can’t be so prescriptive that the policy is not effective.

“The concept is you can potentially renew the implementation guidance on a faster basis than the policies. We are still developing this,” Manfra said. “It also means getting everybody on the same page of what we are going to focus on and it provides a more enduring framework as well.”

A senior administration official, who provided answers to Federal News Network questions, said the feedback loop is critical to achieving the right balance in agile policymaking.

“Through the CIO Council and engagement with industry we are better able to identify opportunities for improvements with existing policy while looking forward to areas where we can set the foundation to accelerate the adoption of new tools and innovative approaches,” the official said by email. “We also leverage pilots through the CIO Council to get hands-on practical perspective on pace (Microsoft Azure sandbox, Zero Trust, TIC, etc).”

At the same time, DoD is mirroring federal civilian efforts on its networks.

Jack Wilmer, the deputy CIO for cybersecurity and chief information security officer for DoD, said at the CISA event this agile approach to policymaking and implementation is a key piece to the defend forward notion around cybersecurity.

“How do I say ‘here is an interesting approach that one of the agencies wants to do in terms of how to connect to cloud or something else’ so let’s get the right set of people together to assess the risk of what that is, to look at the results, to look at how it works, and if it seems like it worked well and it’s a good approach, let’s go ahead and modify the policy to say any other federal agency can use that model,” he said. “The intent is as the threat evolves if we find out that we were letting people do this but now we understand it’s not a good idea, we should be able to rapidly evolve our policy so no new connections use that model that we know now is not the right approach. I am absolutely trying to figure out how do I bring that into the DoD so the policies that I write and we update are things we can evolve in a more agile manner.”

Wilmer said the goal is to increase the cost to hackers for trying to attack federal systems.

Agile for government, not just policy

The concept of agile policymaking for IT actually started several years ago when OMB began releasing draft policies for industry and other expert comments.

Dan Chenok, a former OMB branch chief and now executive director for the IBM Center for the Business of Government, said putting out draft policies is one step toward the move to agile because it’s a good way to get customer or stakeholder feedback.

Chenok added OMB’s use of GitHub also helps to promote agile policymaking because the site promotes a transparent and fast exchange of questions or comments and answers.

“GitHub lets OMB or any agency see the comments, and comments on other people’s comments, and then iterate, instead of having to receive 30,000 comments and figure out what everyone is saying,” he said. “It’s not just policy making, but policy execution as well. If through this iterative process OMB or the government get more buy in, you have a far less cost of compliance because there are fewer people you have to chase and can move to the next policy faster.”

In fact, IBM and the National Academy of Public Administration want to expand the concept of agile beyond technology policy to all parts of government.

In a blog post from July, Ed DeSeve, a visiting fellow for both IBM’s center and for NAPA, wrote that government reform must adopt the concept of agile software development.

“It is critical that we develop a reform agenda to make governments at all levels more agile. For example, we should work to identify key agile government principles; identify instances of agile government around the country and around the world in order to develop ‘best practices’ that can be available to governments and researchers; and collaborate with governments that wish to use agile principles in their projects, programs, and overall organizational design to assist with strategy and implementation,” DeSeve wrote. “Success will require a new mindset in government and new organizational models.”

Terry Gerton, the president and CEO of NAPA, said the change the government has to make is toward a more proactive rather than reactive policy process.

“It is more response to the environment we are in now. We know some of the regulations are outdated, and there can be volumes and volumes of them. We have a sense that these regulations are very controlling and they may not advance government,” Gerton said. “There are new ways to do government so we are citizen or customer responsive, more timely and using a more cross-functional approach. Virtually no problem we have can be solved by one branch or one agency any more so how do we help users of the regulations be more successful so we have better government.”

The senior administration official said there are several changes needed to move to an agile policy mindset.

“Agencies are well on their way to embracing this cultural mindset and OMB is best positioned to act as an enabler by removing barriers that have long plagued the modernization journey,” the official said. “As we continue our journey, we are looking across the board at opportunities to take a more agile approach to policy development and service delivery. As evidenced through our work with the Technology Modernization Fund and shared services, iterative approaches will enable the federal government to more rapidly improve the digital service experience provided to the American public.”


IT executives at DHS, OMB on the move

Kshemendra Paul spent 6 of his 13 years in federal service focused on data and information sharing.

Now in many ways, he’s going back to that world.

Paul, who was the program manager for the Information Sharing Environment from 2010 to 2017, is the new chief data officer at the Department of Veterans Affairs.

He joined VA earlier this month after spending almost the last three years with the Department of Homeland Security as its cloud action officer and deputy director of mission and strategy in the Office of the Chief Information Officer.

Kshemendra Paul joined the Veterans Affairs Department as its new chief data officer.

Paul replaced Dat Tran, who was the interim CDO and moves back to his current role as deputy assistant secretary for data governance and analysis.

The Evidence-Based Policymaking Act required every agency to name a chief data officer by July 13.

In his new role, Paul will have a great opportunity and huge challenge. VA collects mounds of data from assorted mission areas, and given the complex nature of its network, making the information more valuable will not be easy.

VA launched an open data portal in 2013 and now lists more than 1,500 data sets on the Data.gov site.

“Open Data is an initiative that seeks to advance government transparency and promote innovation by making data accessible to the public. Using machine-readable data that the public can access, use and share, federal agencies can promote a more open and efficient government, identify creative solutions that can address existing challenges, and spur economic growth,” VA states on its open data portal. “VA’s Open Data team is working to establish a new and robust portal where users can access data, application programming interfaces (APIs), tools and resources that can be used to develop web and mobile applications, design data visualizations, and create stories directly from VA resources. When VA establishes this new tool, a more comprehensive Open Data Portal will be made available.”

Before coming to VA and working at DHS and as the PM-ISE, Paul also worked as the chief architect at the Office of Management and Budget and at the Justice Department.

Paul was one of several federal executives on the move over the last month.

Joining in the migration to new agencies are Bill Hunt, Nicholas Andersen and Shila Cooch.

Hunt, who spent the last two years as the cloud policy lead at OMB as part of the U.S. Digital Service, is the new chief architect at the Small Business Administration.

Hunt led the effort to update key cloud policies, including the Cloud Smart strategy and the new data center optimization and consolidation regulation.

In joining the SBA, Hunt becomes another impressive addition to the team CIO Maria Roat continues to build.

Over the last two years, SBA has been on an IT modernization journey. Hunt will help the agency rationalize more than 50 applications, continue its move to the cloud and ensure the security of its data through innovative approaches.

“I’m looking forward to applying the lessons I’ve learned working on the Cloud Smart, Data Center Optimization, and Application Rationalization policies — and discovering where I got it wrong,” Hunt tweeted earlier this month.

While Hunt left OMB, the Federal CIO’s office started to fill some key openings.

Andersen joined as the federal cybersecurity lead in OMB and Cooch is the new senior policy adviser.

Nicholas Andersen joined OMB as the federal cybersecurity lead in September.

Andersen joined OMB after serving as the chief information security officer for the Vermont government over the last nine months. He replaces Josh Moses, who left in November to join the private sector.

In addition to his time in Vermont, Andersen also is a Marine Corps veteran and worked as a civilian for the Navy and Coast Guard in cybersecurity roles.

Meanwhile, Cooch also fills a key position at OMB. She comes to the Federal CIO’s Office from the Homeland Security Department where she was the chief of staff for the CIO for the last four years. In all, she worked at DHS for the last 15 years.

In her new role, Cooch will lead the development and implementation of IT policy across the government.

And speaking of DHS, the U.S. Immigration and Customs Enforcement is looking for a new CIO.

Michael Brown left ICE after four years to join Gartner as a senior director analyst.

Irfan Malik is the acting ICE CIO. He joined the agency in 2015 as the chief of IT Operations Division where he oversaw the operations and maintenance of IT across the agency.

Brown worked in government for more than 24 years, including for DHS components since 2000, before Congress created the agency, and for the Navy and Marine Corps.

Finally, Lou Charlier is the Labor Department’s new deputy CIO.

He has worked at the agency for 13 years, spending time as its director of infrastructure services, where he was the principal adviser to the CIO leadership, departmental executives, and key agency managers for large-scale IT initiatives. He also assisted in the planning, directing, and administering of a comprehensive IT program for the department that provided tactical day-to-day leadership, organization stability, and technical expertise.


New OFPP administrator seeks to reduce risks of federal contracting through AI, robotics


Michael Wooten became the 15th administrator of the Office of Federal Procurement Policy about six weeks ago. More importantly, he became the first permanent head of federal procurement during the Trump administration.

In his first two public speeches last week, Wooten hit all the expected notes that an OFPP administrator is supposed to reach—building on existing efforts like category management, upskilling the workforce, unlocking technology to create innovation and harnessing acquisition data to turn it into business intelligence.

“There is a considerable alignment that supports what we are doing. This is a good time to be the administrator. There are a lot of people who are cheerleading, saying ‘go, go go and do things for us.’ It’s a good time to cut regulations that get in our way and I’m happy about that,” Wooten said at the Tech Trends conference sponsored by the Professional Services Council in Washington, D.C. “This is a good time to skill up the workforce. I have a mindset that we need to help the workforce shift to the right or use those human judgement skills as opposed to the rote stuff that software can do.”

Michael Wooten, the administrator of the Office of Federal Procurement Policy, spoke at the Professional Services Council Tech Trends conference about his priorities.

That concept of using software — take your pick of a buzzword: artificial intelligence, machine learning or robotic process automation — to address manual processes and compliance requirements would be a huge accomplishment, and maybe the biggest of any OFPP administrator in the last two decades.

One of the main reasons why federal procurement has a bad reputation for being too slow, inflexible and lacking innovation is that contracting officers and acquisition workers are rightly concerned about auditors and Congressional overseers getting all up in their processes. If not every “T” is crossed and “I” is dotted, the consequences are severe, and that tends to cause the risk-averse contracting approach we’ve come to know so well.

‘We are in alignment with the Federal CIO’

The Section 809 Panel looking at Defense procurement found in its compendium of recommendations that this concept of risk aversion cuts across much of the procurement process.

“In many cases, the Federal Acquisition Regulations (FAR) and other regulations allow for more interaction with industry than is common practice,” the panel states in volume three of its recommendations. “The recommendations … work together in an effort to foster behavior that values interaction with industry and reduces fear of missteps and risk-taking normally associated with interacting with marketplace.”

The panel also says the FAR and even the Defense regulations make it “difficult to effectively navigate and understand the regulations, which prevents acquisition personnel from leveraging the flexibilities, methods and authorities available to maximize speed in the acquisition process and encourage innovation, competition, and investment by the private sector.”

This is why Wooten, who was nominated in February and confirmed in August, wants to, and should, focus on using AI/ML and/or RPA to reduce some of the risks that are inherent in contracting.

“It is time for procurement leadership to engage in conversations with industry and government [about automated technologies],” Wooten said. “We will be in alignment with the federal chief information officer. We need to make sure that we share a common understanding on what AI is. We need to understand government’s AI requirements and we need to understand industry’s AI capabilities. We need to spark innovation in AI in a manner that includes small businesses to the maximum extent practicable. If we get this right, our AI acquisition is not outpaced by obsolescence and is not outpaced by our near peers.”

Wooten said the acquisition system can’t get in the way of delivering on mission needs in a faster, more flexible and more efficient way.

Time to foot stomp OFPP plans

Also speaking last week at the FedInsider event on IT modernization and moving to the cloud, Wooten said one way to do that is to apply AI or other automated technologies to the flow chart processes of acquisition.

“If you have a job that lays out step-by-step-by-step what is prescribed, if you have a flow-chartable job, then I can replace you with software or at least that part of your work that is done with software. We don’t want to replace workers. What we want to do is augment workers and relieve them of the burden of these step-by-step, tedious types of jobs,” he said. “That is one of the things that is on the horizon. This is not the big evil plan of Dr. Wooten to move workers off to the side. I think the leverage of AI into doing those mundane processes faster than we can, cheaper than we can and very regularly. The prospect of that makes the shifting to the right necessary and supplanting workers out of these mundane positions make it inevitable.”

He said he wants to empower contracting officers to solve problems, and to do that, they need a different set of skills than they have today. He said he wants contracting officers to spend more of their time making business decisions versus following a flow chart of processes.

At the same time, Wooten admitted that OFPP needs to do more to get the word out about his plans and goals, and ensure contracting officers know his office can help them.

“We have to get out to the folks in the acquisition workforce to help them understand it’s our responsibility to shape the rules, the tools and the schools for them to be successful,” he said. “We have a branding problem. We need to do a better job making sure they get the content and handle the communications to ensure people understand what OFPP does for them.”

The best thing OFPP could do for them is to do more than talk about the promise of AI/ML or automation, but look at agencies like the Department of Health and Human Services, the Department of Homeland Security, the General Services Administration and others to expand the work they are already doing in these areas to more agencies. Wooten would be well served to move quickly on implementing automation as his time in office may be limited to 17 months, and that’s not a lot of time to get things done.

