Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


DHS task force sets 190-threat baseline for federal supply chain


Agencies finally have a basic understanding of the threat landscape around the federal technology supply chain.

And chief information officers, acquisition executives and others shouldn’t feel good about what they’ve learned.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s Information and Communications Technology (ICT) Supply Chain Risk Management Task Force identified 190 threats across nine groups, including counterfeit parts, cybersecurity and economics.

The task force highlighted the supply chain topography as part of its interim report and four recommendations released last week.

“I think it’s important to make one note on the scope, the group focused on threats as opposed to risks. There was a lot of discussion in the group on that topic because it’s not necessarily immediately clear where a threat might end and a risk might begin. I think the easiest way to kind of explain about how the group thought about the interplay there is they defined risk as the intersection of threats with assets and vulnerabilities,” said John Miller, co-chairman of the task force and the vice president of policy and senior counsel for the IT Industry Council. “Through that lens, you can see why this group’s work was so foundational.”

Along with the threats, the task force outlined 40 scenarios mapped to each of the nine groupings, covering everything from ransomware attacks to contractor compromise challenges to supplier ownership changes to natural disasters.

“In building out those scenarios, several categories were considered by the group, including the interplay of particular vulnerabilities in that context: business impacts, potential business mitigation strategies and controls,” Miller said. “It was a very contextual analysis for each of them.”

All of this information comes at a time when the focus and concerns about supply chain threats are rising.

The two most obvious examples are the banning of Huawei and ZTE products in federal and contractor networks earlier this summer, and the prohibition on Kaspersky Lab products and services in 2018.

Interagency working group looking at OT

But it’s more than just a few well-known risks.

Jeanette Manfra, the DHS assistant secretary for cybersecurity at CISA, said supply chain is one of four priorities for an interagency working group focused on increasing collaboration and coordination to better secure industrial control systems.

“It can’t be your solution to say ‘I’m air-gapped.’ We all know you are not air-gapped,” Manfra said at the CISA cybersecurity conference last week. “You have to make sure you understand both the hardware and software chain of those systems that you are putting into play, and you understand things like access.”

Manfra added that it’s about more than just understanding the prime supplier of the hardware or software; agencies also need to get to know the tier 2, 3 and 4 providers, as well as their business relationships and ownership.

“Sometimes that’s hard to completely understand, but it’s really important when you are buying a really expensive piece of equipment or system that you make it clear to whomever is selling that to you that you want that level of visibility,” she said. “That can go a long way to solving what I would say are individual supply chain issues.”

The task force’s report tries to give agencies and industry more insight into all levels of the supply chain.

Bob Kolasky, the deputy director of the National Risk Management Center in CISA, said the task force’s recommendations focus on strategic and tactical aspects of supply chain risk management.


On the tactical side, the group suggested agencies only buy IT products from authorized resellers or from original equipment manufacturers (OEMs). It also recommended that agencies rely on a trusted vendor or product list when the risk is greatest.

“There is a higher likelihood in the analysis we’ve seen that if you are not buying from OEMs or authorized resellers, there’s an increased risk of getting counterfeit products in the system, and with counterfeit systems comes a whole level of technical risk within that,” Kolasky said after a panel at the CISA conference. “We thought that this was a risk mitigation strategy that makes sense and there is an opportunity with federal acquisition policy to push that.”

The General Services Administration is considering rescinding the IT schedule special item number for refurbished or used products because of supply chain concerns. The Defense Department also adopted this policy in 2016.

Kolasky said the Federal Acquisition Security Council also is looking at this issue and may make additional recommendations.

“The more you buy from OEMs or authorized resellers, you have the ability to actually monitor their practices and make some judgements around that. There may be some source of concern with the original equipment manufacturer for different reasons, but it raises the bar of trust,” he said. “There was a general consensus that this was an issue we should take on as a task force. We talked about prospects of this and the premise of this was not that controversial.”

The use of an approved products or qualified bidders list came from research around the DHS continuous diagnostics and mitigation (CDM) program, GSA’s IT schedule and NASA’s SEWP contract.

Strategic ideas around threats, information sharing

The working group laid out 11 factors where the use of a qualified bidders or approved products list may make sense.

“That group probably didn’t go as far in the initial rounds as one might have thought. We didn’t come in with the recommendation that you have to establish as a qualified bidder or a qualified manufacturer list. Instead, we worked as a task force to come up with the characteristics you should consider if you do that,” Kolasky said. “I think that’s a little bit of a risk management approach to understand the qualified bidder or qualified manufacturer may be the right solution in certain cases, but not in all cases.”

He added industry was supportive of using this approach when appropriate, especially in light of the additional costs that using an approved products or manufacturer list could incur.

On the strategy side, the task force recommended agencies and contractors understand the cyber threats they face, and share information about those risks more broadly and more quickly.

Kolasky said the goal is to improve private-to-private information sharing and to get that information into the broader ecosystem, including the government. He said that brings in a whole set of legal challenges, including liability.

In the report the working group states that it “concluded that legal analysis and guidance are a prerequisite to developing a framework for any systematic, omni-directional information-sharing system relating to suspect suppliers. The result of these legal considerations could set forth the guidelines for addressing the process, operational and financial barriers that restrict effective implementation.”

The second strategic recommendation covers the 190 threats across nine groups and how to mitigate them through tools and controls.

Kolasky said the supply chain task force will figure out its next areas of focus, including helping small and medium-sized businesses manage their risks and connecting with other critical infrastructure providers about how they are managing ICT challenges.

He said the task force will finalize its year two plan at the end of October or in early November.


VA’s decision to move to GSA’s smart card shared service was a long time in coming

Buried in an Aug. 27 blog post on identity management by Bill Zielinski, the General Services Administration’s assistant commissioner for the Office of Information Technology Category (ITC) in the Federal Acquisition Service, is a nugget of important news.

GSA announced that the Veterans Affairs Department is moving its smart card identity management program to its USAccess shared service.

By finally convincing VA to be a customer, GSA is almost doubling the number of customers using its identity credentialing service. Nearly 14 years after GSA launched the managed service, USAccess finally snagged its white whale, so to speak.

“This was a decision I wish I had made when I was there,” said Roger Baker, the former VA chief information officer during the Obama administration. “This was an ongoing project that never caused as much pain that the decision had to be made. VA decided to do its own PIV card system and that was a very complex and massive program. Anything at VA is like that because of the scale.”

And it’s that scale that makes this newsworthy, especially at a time when the Trump administration is strongly encouraging shared services and some agencies such as the Department of Health and Human Services are pulling back their shared services offerings, and the Interior Department is considering a similar move.

Historically, GSA provided managed services for smart identity cards for most small and micro agencies and several larger ones including USDA, Interior and Commerce.

But getting VA to join is a huge, long-time-in-coming win for the program.

“If you think about the system and the requirement to keep it modernized, the decision to move to GSA may have just come back to the modernization challenge and the fact that VA is better off just letting GSA deal with it,” Baker said. “These cards are more critical today than they were seven years ago because now they are required to access the network, to provide medical care and so much more. It’s not ‘just an access card,’ it does a lot of things.”

Move to new provider done by January

Since 2005, when President George W. Bush signed Homeland Security Presidential Directive-12 establishing the requirement to issue and use smart identity cards, VA has provided the service to its own employees. It operates and maintains its own personal identity verification (PIV) card management program. VA created an Office of Identity, Credential and Access Management (OICAM) to provide program management and oversight for the system, and VA’s Office of Information and Technology (OIT) maintains it.

Baker said at one time during the mid-2010s the agency considered adopting the Defense Department’s Common Access Card, but decided against it in the end.

A VA spokeswoman said the decision to move to GSA came down to ensuring IT resources are more focused on serving veterans and their families.

“While the current VA card management system is hosted at a VA data center, USAccess will be hosted outside of VA’s infrastructure. By outsourcing this system to GSA, VA leadership will be able to focus VA IT resources to improve the Veteran Benefits and Health systems,” the spokeswoman said. “Veterans, taxpayers and VA employees will benefit from this move in numerous ways, including strengthened security at VA facilities, and reduced VA IT resources — both personnel and IT infrastructure. The new GSA equipment and the option to use GSA PIV card issuing facilities (PCIFs) will enable VA to focus on providing support to our Veterans instead of producing PIV badges. It also enhances VA’s capabilities to interoperate with other federal agencies by using the same PIV card that over 100 other agencies are using. Lastly, it stabilizes PIV badge costs for the VA, while eliminating the requirements to manage acquisition and maintenance contracts, freeing up resources across VA funding, acquisition, and contracting to focus on delivering support to our veterans.”

The spokeswoman said the move to GSA should take about four months starting in October to install new smart card facilities through USAccess. By January 2020, VA employees who need new or need to renew their PIV cards will go through the shared service.

Another reason for VA’s move is that the Office of Management and Budget’s new identity management policy makes it easier for agencies to adopt current and emerging technologies for authentication and verification of users. While the requirements under HSPD-12 are not going away, per se, agencies now have a lot more flexibility in how to meet them. By getting out of the issuance and management of cards, VA OIT can focus its time and resources on making identity access and verification more convenient.


USDA says goodbye to contractor, GSA support for IT modernization Centers of Excellence

CLARIFICATION: GSA and USDA updated their statement about the future of their CoE partnership on Oct. 4.

The Agriculture Department is so confident in its ability to modernize everything from its call centers to its infrastructure to how it uses and analyzes data that it’s sending most of its contractor and government experts home.

After receiving less than a year of assistance, USDA made the surprising decision to end its long-term relationship with the General Services Administration’s IT Modernization Centers of Excellence, and with many of the 12 vendors to which GSA awarded six contracts last October to support this effort, in three of the five areas.

On Oct. 4, GSA and USDA released an updated statement of their plans to work together going forward:

“USDA and GSA are proud to have completed their CoE workstreams of data analytics, infrastructure optimization, and cloud adoption ahead of schedule and on budget. Our work together will continue on implementing the ASK USDA Contact Center and the creation of ‘one front door’ for USDA customers. USDA and GSA’s partnership will further be highlighted by Secretary Perdue and Administrator Murphy at GSA’s IT Modernization event on Tuesday, Oct. 8,” the agencies said in a joint statement.

A GSA spokesman confirmed that all Phase II CoE contracts will end on or before Oct. 15.

The spokesman added that the partnership between the two agencies was scheduled to close at the end of fiscal 2019.

“The agreed upon plan is that USDA will take ownership at that time and sustain what has been delivered from GSA to USDA. It was a business decision to honor the original agreement. This has been a successful partnership,” said a USDA spokesman in a statement to Federal News Network. “Three of the five CoEs have been transitioned to USDA. USDA is currently transitioning the remaining 2 CoEs to the appropriate organization in USDA. We are implementing our contingency to have USDA sustain these COEs and institutionalize practices learned from the COEs.”

So while both agencies, and even the Office of Management and Budget, are all saying the right things publicly, there are a few questions that arise.

First, if the schedule all along was for only one year of support from those 12 vendors, for which GSA and USDA pulled out all the stops by developing the request for quotes, holding public industry days and aggressively announcing the awards, then why did four of the five contracts have option years?

  • Customer experience digital support services—The performance period of this contract is from the effective date of this order and continuing for 12 months, with one option period of up to 12 additional months.
  • Data analytics—The performance period of this contract is from the effective date of this order and continuing for 12 months, with one option period of up to 12 additional months.
  • Business modernization office support—The total duration of this contract, including the exercise of any options under this clause, shall not exceed 2 years and 6 months.
  • Infrastructure optimization and cloud adoption—The total duration of this contract, including the exercise of any options under this clause, shall not exceed 2 years and 6 months.
  • Contact centers—No option period.

Industry sources say it’s almost unheard of for an agency not to pick up an option on a contract after just a year without a good reason, such as poor vendor performance or a major change in policy.

Since the Trump administration continues to support and expand the CoE concept and industry and government officials say USDA has been pleased with the support contractors provided, there must be another reason.

That leads us to the second question about the agency’s decision: multiple sources say USDA didn’t have the money to renew the contracts and that’s why they are taking over the CoEs.

The USDA spokesman didn’t directly respond to the question about funding, saying the decision to take over the CoEs is “not a matter of whether USDA has the money or not,” and there was no need to ask for more money in fiscal 2020.

“Due to where we are in our engagement with the CoEs, there has not been a business need to work with OMB or Congress to request additional funds for the COEs,” the spokesman said.

And the third question that arises over USDA’s decision focuses on the contractor support and how much progress could’ve been made in a year, given that a typical engagement usually needs a year to begin to see significant change. It’s clear there is still plenty of work around cloud adoption, data analytics and the other areas that may need contractor support in the near future. So not picking up the options means USDA may have to go through another series of RFQs and awards that potentially would delay progress.

For instance, sources say USDA didn’t issue any task orders against the infrastructure optimization and cloud adoption contract. It also means the 10 contractors who won spots on the contract received nothing for their bid and proposal investments.

“Contractors are not happy, particularly small businesses, who feel they were left not winning any work,” said one industry source, who requested anonymity in order to speak candidly about the program. “And large businesses thought they would make themselves invaluable and didn’t expect USDA to have them embedded with employee teams and do knowledge transfer. Once that happened, USDA is saying goodbye.”

The source said USDA was edging out contractors by spending every day with them and learning from them.

“You don’t see this very often, and it’s a model of not having to rely on contractors,” the source said. “It doesn’t say a lot about the contractors either and possibly puts fear in them.”

A GSA spokesman said USDA employees were detailed to the CoE teams to understand how to drive adoption.

“Training, outreach and community of practice development activities were also used to both ensure fiscal 2020 CoE self-sustainment and continued adoption,” the spokesman said. “Training activities were used to address individual mission area adoption of data analytics, increased agile adoption, cloud adoption alternatives, DevSecOps approach and other CoE related topics. Both data analytics and cloud CoEs have initiated communities of practice that will exist long after GSA CoEs leave USDA.”

Another industry source said USDA and GSA constructed the support contracts in a way that required the vendors and/or the agency to “sell” or “market” these services to other parts of the agency, and that never happened.

“There wasn’t as much interest or clarity in that process,” the source said. “This was all a learning process for how to use these vehicles. I think it’s less about money and more about the clarity of the process in terms of how the agency could use the contracts with existing procurements and programs. That’s the biggest thing CoEs had to find out as they went through these efforts.”

The second source said despite these challenges, the CoEs were successful as a vehicle for moving faster and bringing innovation into the federal IT modernization process.

“The execution of the CoE idea was challenging. I think getting the first two going was hard, but by the third or fourth one, it will get easier,” the second source said. “As a business model for industry, that’s a different issue. Vendors are putting a lot of bid and proposal dollars to get these contracts and aren’t getting much in return. I think this is part of the learning process for both government and industry.”

Since the beginning of the CoE effort, GSA and OMB wanted to disrupt the federal market.

Federal CIO Suzette Kent said in a statement to Federal News Network that OMB supports the concept that the CoEs are an accelerator to drive modernization and transformation across the government.

“We are thrilled at the success agencies and GSA have had with CoEs and look forward to continuing expanding the administration’s efforts for a 21st century government,” she said.

USDA and GSA say all five CoEs met their goals in almost all respects.

“The USDA and GSA CoE partnership met or exceeded all IT modernization implementation objectives,” said the GSA spokesman. “The CoE partnership measured its success in terms of adoption and its impact for both taxpayer citizen and the many stakeholders in the U.S. agricultural supply chain.”

USDA said the five CoEs are providing value and have delivered the technology ahead of schedule and on budget. Below are some of the results USDA says it achieved over the last year:

Data Analytics modernization has enabled USDA to become more customer-focused, data-driven and fact-based to provide results for the American people.

  • Established enterprise data analytics services and developed 200+ dashboards to support USDA business decisions, with wide adoption across all eight mission areas, enabling data-driven decision making in high-impact, customer-facing programs.
  • One dashboard is saving three-and-a-half weeks of report creation time per year.
  • Avoided $10 million in duplicative infrastructure costs.

Cloud and Infrastructure CoE – USDA is becoming more secure and efficient on behalf of the American taxpayers.

  • Achieved closure of 26 data centers, on track to meet the goal of 37 data center closures. Data center closures resulted in cost savings/cost avoidance of $42.3 million.
  • Designed and launched a centralized USDA cloud office to facilitate cloud acquisitions, information resources and communities of practice to support cloud migrations.
  • USDA is now providing multi-cloud services and capability in a fully managed 24/7 environment, called AgCloud. Approved as a departmentwide solution for all agencies to leverage, providing more secure, scalable and efficient cloud services.

Voice of the Customer CoE – USDA is improving the overall customer experience through digital modernization and service delivery to its citizens.

  • Launched a customer feedback platform (Tell Sonny 2.0) with automated case management. Increased the customer listening post from 12.5 million to 20 million people.
  • Launched Farmers.gov to serve Farm Production and Conservation (FPAC) customers and employees through increasingly valuable interactions, both digital and in-person.

Contact Center – USDA is improving the overall customer experience through digital modernization and service delivery to its citizens.

  • Deployed the AskUSDA pilot contact center to establish industry capabilities, including enterprise customer relationship management, centralized knowledge management and performance management capability.

Customer Experience CoE – USDA is improving the customer experience for its public-facing customers.

  • Designed and launched Farmers.gov’s farm loan discovery tool and farm loan guides using human-centered design principles. The USDA farm loan approval rate in fiscal 2018 was 72%, which was up 3% from 2017. In 2018, there were 34,628 farmers with $5.5 billion in USDA loans.
  • Launched a departmentwide website modernization effort and developed a USDA digital strategy website and roadmap.
  • Launched the farm loans program view, allowing customers to view their farm loan information, history and payments on their desktop computer or mobile phone.
  • Developed the H-2A farmer-facing portal.
  • Developed the broadband ReConnect program, expanding broadband service to rural areas without sufficient broadband access.

GSA also says it’s using the lessons from the USDA experience with other agencies, including the Department of Housing and Urban Development, which is preparing to move into Phase II, and the Office of Personnel Management, which is in the discovery or Phase I of the CoE program.

“There were multiple lessons learned that will be applied at future CoE engagements. First, change management is a bigger challenge than technology complexity. Coordination within leadership is essential to ensure strategic alignment around the work and components,” the GSA spokesman said. “A second lesson learned was to use agency resources and leverage previously started IT modernization initiatives to drive increased interest and adoption. A key lesson learned was the importance to identify these capable in-house resources to leverage prior progress and also leverage their organizational understanding to drive increased adoption. The CoE also brings highly skilled IT resources that an agency would not normally have.”


New cyber directorate reorgs to help NSA shift focus on nation state adversaries

The National Security Agency’s new cybersecurity directorate is less than a month away from reaching initial operating capability (IoC) and three-and-a-half months from full operational capability (FoC).

In the meantime, NSA is reorganizing some of its mission areas to fit better under the new directorate, and along with that comes the shifting of people and resources.

Anne Neuberger, the director of cybersecurity at NSA, said at the 10th annual Billington Cybersecurity Summit that the new organization will bring together four cyber communities, including the threat intelligence and vulnerability assessment offices.


She said the two other offices are more on the operational side.

“Our traditional keys and codes mission … that builds a million plus keys a year that are at the root of all secure communications across the armed forces and allies,” she said after her speech in a briefing with reporters. “Our operational mitigation teams that generate the various indicators that we tip to partners across the U.S. government and others. We want our folks to see that the directorate coming together gives them a way to have diversity in their careers and to really learn from those other communities to have that more unified, holistic impact.”

NSA also is preparing the workforce for both the Oct. 1 IoC and Dec. 31 FoC by addressing some typical and necessary administrative changes as well as creating work space so the different communities can work more closely together.

“There are certain priorities we are changing, and there are certain ways we are massing resources on particular problems. So if you are a vulnerability researcher, we will change the way we do vulnerability research by, for example, doing it more in an unclassified space and bringing different kinds of people together to do that mission,” Neuberger said. “But other than that, we want people to have that stability within the confines of the changes we are making to deepen our impact.”

NSA also will be opening up new jobs for current employees or other cyber experts to apply for as part of this reorganization.

“In our traditional security mission, the security and cryptographic standards and cryptographic systems, we are really investing in that mission again,” Neuberger said. “In the broader national security shift, we are moving from our counter terrorism fight, though we are still focused on it, but we also are recognizing that nation states are key adversaries today and we have to make shifts to ensure we are keeping up on that.”

The shift Neuberger is talking about isn’t just with people, but in the strategy and operational areas too.

Neuberger said over the course of the next few months she is focused on unifying the cyber organization, focusing on the hardest problems and enhancing collaboration across the public and private sectors.

“We want to deepen the collaboration between our threat analysis community, our vulnerability assessment community and our mitigations communities, and most importantly the people in those communities,” Neuberger said. “NSA generates hundreds of threat intelligence reports on cybersecurity. In those we detail adversary capabilities and threats. We also have a defensive mission that builds the cryptographic algorithms, cryptographic solutions and provides security advice for the nation’s most sensitive systems. They work together, but we need to deepen that and generate one product, ideally unclassified and quickly, to make it really usable.”

She said by concentrating on these areas, NSA will bring offensive and defensive capabilities closer together, and share threat analyses and offer more tactical intelligence to partners.

“There is a shift because we’ve heard a lot of feedback that some of the information we would share, for example IP addresses or domain names, are temporary and by the time they are shared they are no longer useful,” Neuberger said. “And when we share threat information at the unclassified level, there needs to be more context. What are the overall goals of the actor? How do they pull together those goals using an exploit or a particular infrastructure against a particular set of targets? We want to change from the more tactical elements being shared to pictures that help cybersecurity individuals who work the mission each day use that information each day to better impact.”

The number of cybersecurity experts who rely on NSA is growing. The Homeland Security Department is relying on the DoD for threat and vulnerability information in a much larger way.

Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said at the Billington event that working with NSA and other agencies, such as the Energy Department, to improve the security of the nation’s critical infrastructure and federal networks is vital.

“It’s almost like a concept that is widespread in the military where there is a supporting command and a supported command. We are the supported command and NSA is providing us with information to help us execute our mission — elections is just one example — but broader critical infrastructure,” Krebs said after he spoke at the summit. “There is no overlap [with the NSA]. This is understanding the lanes in the road and being able to execute in the same direction.”


Tired of talking about the cyber workforce challenge? Here are 3 agencies finding a solution

Over the course of one-and-a-half days at the 10th annual Billington Cybersecurity Summit, more than 70 speakers hit upon nearly every unclassified topic you could imagine. Attendees even heard from Israeli and U.K. cyber executives, who helped make the world a little smaller by demonstrating that their challenges are no different from the ones faced by U.S. federal agencies.

The one common theme that permeated across nearly every keynote, panel and breakout session was the safe discussion about the cyber workforce.

And while discussing the cyber workforce is both a nonthreatening and easy topic for most of the industry moderators, who are worried about making a current or future customer mad by asking more pointed questions, the panelists actually offered some real updates about how they are addressing this long-term challenge.

Let’s start with a little background.

The Center for Strategic and International Studies found in a survey of IT decision-makers across eight countries that 82% of employers report a shortage of cybersecurity skills, and 71% believe this talent gap causes direct and measurable damage to their organizations. According to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), the U.S. faced a shortfall of almost 314,000 cybersecurity professionals as of January.

There are dozens of studies and surveys that add to the cyber workforce shortage narrative, and how it’s only going to get bigger when agencies and private sector organizations add the need for data scientists and software coders to this cyber workforce.

In the federal sector, the Office of Management and Budget, the CIO Council, the Department of Homeland Security, and the National Institute of Standards and Technology have all launched initiatives to tackle the cyber workforce problem on a grand scale: think of the cyber workforce reskilling program and the executive order creating a rotational program for public and private sector experts.

“The workforce work under OMB has been incredible in that we’ve actually divided it up amongst the CIO and CISO councils where we are not taking work streams and putting people in work groups to develop an approach to developing data analysts to make sure it’s the same whether at departments of Energy, Veterans Affairs or Treasury,” said Paul Cunningham, the VA chief information security officer, at the Billington event. “What’s really important about that, when they get categorized, and their level and coding are done correctly, we can now move them across the federal space and we will know where they are at, what we are getting and what they need to move to the next branch. While it’s important to have the historical side of cybersecurity in a federal organization, it’s also beneficial when we can leverage what is being done in other federal elements.”

For our purposes, let’s delve deeper into a few examples of how specific agencies are adding more cyber firepower to their workforce.

CIA

Sometimes agencies have to take some risks with their workforce and while these aren’t the typical risks for CIA employees, the changes make sense for the overall direction of the agency over the last decade.

Sean Roche, the associate deputy director for Digital Innovation at the CIA, said the spy agency changed its pay scale, altered the way it hires by putting some of its business and mission leaders in the field to recruit new employees, and decided promotions don’t necessarily have to mean management.


“We did something that hadn’t been acknowledged before which was we now promote people up through the Senior Executive Service as experts and they don’t have to manage. They are better with machines than people and we want to keep it that way,” Roche said. “To be promoted up to an SES, they have to maintain the skills, but they have to be mentoring and bringing on others. It’s a significant portion of the people we promote to SES every year. That has really given people a path.”

While the CIA transformed its human resources approach when it launched its digital innovation directorate in 2015, the lessons it offers can be applied to the cyber workforce.

DoD

The Defense Department’s implementation of its Cyber Excepted Service has been slower than many would’ve liked. The recent decision by Congress to reject the Pentagon’s request to reprogram $4.8 million for this program tells you a little bit about lawmakers’ frustration with the military’s efforts.

Still, Tom Michelli, the vice director of command, control, communications and computers (C4)/cyber and deputy CIO for the Joint Chiefs of Staff/J6, said the initiative is picking up steam.

DoD has converted 2,500 people into the Cyber Excepted Service and reduced time to hire at U.S. Cyber Command to 80 days from 111 days.

“We can hire folks at higher grades than we would normally hire and through direct hire. We are able to bring in military folks at different grades than we would normally bring them in at,” Michelli said. “Once they are in, we have the ability to provide additional education and training and a higher pay scale on the civilian side and bonuses on the military side.”

Even though Congress provided DoD with the authorities under the Cyber Excepted Service, there is enough evidence that every agency would benefit from similar authorities. The Office of Personnel Management gave all agencies in October 2018 the ability to hire cyber workers directly.

DHS

DHS, like DoD, has been out in front of addressing cyber workforce shortages.

DHS used retention bonuses of up to 25% of an employee’s pay as far back as 2016. The department also held cyber and technology job fairs where it made on-the-spot offers to 150 candidates. And it has been developing a new cyber talent management system for the better part of two years.

John Zangardi, the DHS CIO, said the goal is not just to find people who know cybersecurity, but to focus on the skills and abilities they bring to the agency.

“We have to make salaries more comparable to what industry earns. It’s about flexibility. It’s about using technology. And it’s about creating an environment where people can move back and forth [between government and industry],” he said. “How can I actually get on board the right technical skills that can help me with mission? Being in government, I cannot match the salaries of industry so I have to work some unique ways. I have to appeal to their sense of mission and their patriotism.”


Zangardi said the new talent management system should help create more automation in how DHS hires people. He also said a new cyber internship program, which ran this summer with 10 individuals, will help create a pipeline of qualified workers.

“You have to help the team deal with the growth in data and we have to face up to the unique challenge the government has in hiring,” he added.

One way DHS is taking advantage of the skills and abilities of its workforce is through new training for cloud computing, which includes some cybersecurity aspects.

Zangardi said the Cloud Stand Down effort is about training and educating technology and non-technology workers about how cloud works and what they need to consider as they buy, manage and use these services.

All three of these agencies have added authorities that others don’t, but it’s clear there are steps every department can take whether it’s asking mission leaders to recruit new employees or investing in training and education resources. It would be nice if we could stop talking about the cyber workforce at every panel as this is a fixable problem.


OMB, Transportation lose long-time IT, policy staff members

Over the last few weeks, several lesser known, but significant changes came to the federal IT and acquisition ranks.

While these federal executives may not be known as well as some of their chief information officer colleagues that we usually write about in this space, they nonetheless have a big impact.

Let’s start with Kamela White, who left the Office of Management and Budget in August after 19 years. White joined the Senate Appropriations subcommittee on Homeland Security as a professional staff member.

Many of you may not recognize White’s name, but you’ve been impacted by her efforts. She was a senior program examiner at OMB starting in 2000 where she initially worked on some of the e-government initiatives around cybersecurity and later around shared services.


She later worked on homeland security issues, including immigration and visas.

Since July 2017, White had been the director of enterprise analytics at OMB, where she helped accelerate the adoption of advanced analytics to support more data-driven policy, budget and operational decisions.

White is one of those people who made OMB work, putting her head down and drawing little attention to her successes.

Jimmy Jones is another person in the same mold of making the trains run on time and helping agencies find success.

Jones left the Transportation Department, where he was a program analyst in the CIO’s office, after four years working on a host of issues from creating an open source repository to working on emergency response for hurricanes on behalf of the agency.

In a note posted on LinkedIn, Jones writes, “I have decided to take a job offer with Pinellas County’s Tax Collectors Office as a senior project manager around the first of September. This job opportunity came to me as a total surprise, but it is the right position for me at the right time in my life. Therefore, I am moving from a federal position into a county position. As many of you already know, I have been commuting back and forth from D.C. to Florida for over the last four years. Please note that I have been provided a lot of wonderful experiences and challenging assignments during my career.”

Jones started his federal career on Capitol Hill where he worked for the National Republican Senatorial Committee. He moved over to the Education Department shortly after and spent five years developing IT business cases.

He joined the Interior Department in 2006 and then the Recovery Accountability and Transparency Board in 2010.

“I was able to improve to enhance my knowledge while working on so many areas that allowed me to grow at each of my positions,” Jones writes.

Over at the Homeland Security Department, Beth Cappello joined as the new deputy CIO replacing Stephen Rice.


Cappello comes to headquarters after spending nearly three years with the Immigration and Customs Enforcement directorate as its deputy CIO and acting CIO.

She also worked at the Customs and Border Protection directorate for five years as its head of the Enterprise Networks and Technology Support office.

Rice left in June to be the deputy CIO at the Navy Federal Credit Union.

Also at DHS, but on the procurement side, Milton Slade is a new industry liaison. He comes to the headquarters office of the chief procurement officer after spending the last nine years as a contract specialist at DHS.

“As I transition, I look forward to this challenge and the opportunity to engage with many of you on strategy, innovation, outreach and better communication in order to build a stronger, more robust DHS,” Slade writes on LinkedIn.

Over at the Office of the Director of National Intelligence (ODNI), Benjamin Huebner joined as the new chief of the Office of Civil Liberties, Privacy, and Transparency (CLPT).

He also will be the Intelligence Community’s (IC) Civil Liberties Protection Officer, a position established by the Intelligence Reform and Terrorism Prevention Act of 2004, and as ODNI’s Chief Transparency Officer.

Huebner replaces Alex Joel, who held the position since 2005 and left in July.

And finally, Terryne Murphy, who left in August as the Commerce Department’s acting CIO, announced her new position as CIO at U.S. Railroad Retirement Board in Chicago. She replaces Ram Murthy, who held that position since 2013.


OMB’s regulatory review is creating a backlog of cyber standards


Ron Ross’s patience is wearing thin. The fellow at the National Institute of Standards and Technology, who for all intents and purposes is the godfather of federal cybersecurity standards, is waiting for the final approval of Special Publication 800-53, revision 5, by the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget.

The fifth iteration of that seminal publication, which since 2013 has been downloaded or accessed on NIST’s website more than 20 million times, is the release switch for a half a dozen other critical cybersecurity and privacy documents from NIST.

“When you get a chance to see revision five in final draft, the things we are adding are unbelievable and will help you immensely as you go forward in the 21st century,” Ross said at the recent 930Gov conference sponsored by the Digital Government Institute. “It’s just over there waiting for the final review to be completed. Once that happens, that information will go out for a final public review and that will open up about six other publications, which are waiting on that content. It’s kind of a bottleneck right now. Hopefully it will get resolved soon.”


The problem is OIRA has been reviewing the documents since January, an extraordinarily long time by all accounts.

OIRA’s part of this process is larger than ever before because NIST expanded and integrated privacy controls throughout the entire document instead of just in an appendix.

At the same time, Ross said less than 2% of all information in revision 5 is privacy related so for it to take nine months is trying to say the least.

Ross and other experts don’t question OIRA’s involvement, especially since the office’s role in overseeing federal privacy requirements is well understood. Still, nine months is ridiculous.

A disagreement among agencies?

Susan Dudley, a former OIRA administrator under President George W. Bush and now director of the George Washington University Regulatory Studies Center, said that based on her experience running the office for almost two years, if a document is taking this long, there is a disagreement among agencies.

“One of the hats OIRA wears is coordinating across the government. So if this is a cornerstone of several other documents, there could be if there is an issue with this one document that people want to make sure they get it right, especially if it influences other policies,” Dudley said in an interview. “I imagine there are a lot of cooks in the kitchen, which is not necessarily a bad thing. If different agencies are using this guidance, they have a legitimate reason to be involved in how it will affect them.”

She added that privacy and security documents are getting more attention today than ever before because of recent data breaches and other cyber incidents.

At the same time, Dudley said it’s unusual for an agency to speak publicly about delays from OIRA.

This is why Ross’s decision to come out publicly about the bottleneck and the impact it’s having on federal cybersecurity is important to highlight. Ross played the role of neutral career government executive, saying he’s not sure what’s taking so long and has not tried to reach out to OIRA.

But his message was clear: It sure would be nice if they hurried up.

OIRA’s bottleneck is causing NIST to wait to get comments on six publications that all will provide more context and understanding for public and private sector cyber experts and companies.

For instance, SP 800-171, revision 2, which covers protecting controlled unclassified information, must wait for the 20 control families in 800-53, Rev 5, before going out for public comment.

Another, SP 800-171B, addresses advanced persistent threats, which is brand new territory for agencies and vendors.

The third and fourth are SP 800-53A and SP 800-53B: 53A creates new security assessment procedures and 53B develops new baseline controls for systems.

“The other thing we’ve done with Revision 5 is we’ve integrated a lot of our systems security engineering guidance. We have controls now for security design and system security engineering so you can actually use controls in procurements when you are going out for new systems to make sure the systems have the right requirements for protecting those systems, not after they are delivered to you, but you send them out in the RFPS so that industry can produce the technologies and systems we need to better protect our systems,” Ross said. “Revision 5 has a tremendous amount of content in it and it’s just waiting to pop.”

Cyber isn’t the only area where regs are delayed

While Ross wouldn’t offer any opinion, some experts could easily say OIRA’s delay is hurting federal cyber efforts.

SP 800-171 revision 1 impacted more than 65,000 contractors and more than 1 million contracts within DoD alone. The Federal Acquisition Regulations Council is adding the requirements in Revision 2 for all federal contracts and grants.

SP 800-171B will add more rigor to the requirements for protecting data, particularly against nation state attacks.

“In record time, we produced those additional, enhanced requirements,” Ross said. “This has about 30-plus new requirements that deal with specifically stopping the advanced persistent threat. These are some of the best ones we’ve ever done.”

NIST received about 600 comments on that draft and it will go final later in 2019 once 800-53 Revision 5 is done.

OIRA’s slow pace isn’t impacting only NIST’s special publications. The FAR Council has seen few new final rules over the last two years.

In 2017, OIRA finalized no new procurement regulations. Today, there are 49 FAR Council rules, including 14 in the final stage, under consideration, which is up from 45 in December 2018.

Dudley said the Trump administration’s requirement to get rid of two rules for every new one proposed has slowed down the pace of regulations dramatically.

She said even though the NIST cyber publication wouldn’t fall under the 2-for-1 requirement, OIRA’s delay isn’t surprising.

GW found that, by every statistical measure, OIRA’s regulatory output is down over the two years since Trump took office. The number of “economically significant rules,” the number of “significant final rules” and the “final major rules” published are lower than at any other time over the last 10-plus years.


Interior, DHS, GSA add drama, intrigue, tragedy and comedy to the federal procurement soap opera


The government’s experiment with Google apps is over.

The Homeland Security Department bucks a recent trend for large multiple award contracts.

And the General Services Administration rethinks and expands one of its major governmentwide acquisition vehicles for small businesses.

Welcome to another edition of As the Federal Procurement World Turns.

Let’s start with drama of a $94 million contract award by the Interior Department.

Or more precisely, the lack of drama.

Interior awarded Planet Technologies and its partners Definitive Logic and Minburn Technology Group a 10-year contract to move the agency’s 84,500 users from Google Apps for Government to Microsoft Office 365 email and collaboration.

The contract, which didn’t face a bid protest, essentially means one of the government’s largest users of the search giant’s tools decided to go back to Microsoft.

The story was much different in 2012 when Interior was one of the first agencies out of the gate to consolidate its email in the cloud. The battle for the contract between Microsoft and Google implementers was dramatic and intense. In the end, Onix, which provided Google, won out after several protests and reconsiderations.

Interestingly enough, the cost seven years ago to move Interior to cloud email was $34.8 million over five years—it was extended by two years to allow for the recompete—for an average of less than $7 million a year. The new contract averages about $9.4 million a year. To be clear, the capabilities and technology are much better than in 2012, which accounts for some of the increased cost.

“The cloud based solution will support DOI employees by improving work collaboration methods, documentation flows, communication capabilities, streamlined email usage and management and overall increased business performance of DOI’s mission, cost and support objectives,” the statement of work states. “DOI goals include developing an integrated partnership to build a project that transitions accounts, data, technical controls, authentication or access capabilities and applications that make up the current cloud email and collaboration system into a modernized, secure, service enriched, email and collaboration system.”

The fact the unsuccessful bidders didn’t file a bid protest is both a testament to Interior’s acquisition effort as well as the fact that email in the cloud has gotten passé.

The Office of Management and Budget reported in June that agencies have 75% of their email in the cloud, including 14 departments that have achieved at least the 95% mark.

Other big users of Google Apps for Government are the General Services Administration and the National Oceanic and Atmospheric Administration, but not the Commerce Department at large.

DHS offers some acquisition intrigue

Now for the intrigue part of this federal procurement soap opera.

The Homeland Security Department’s alert to industry about its acquisition strategy for the FirstSource III vehicle surprised some observers.

DHS told contractors to expect a solicitation in January 2020 with multiple industry engagements scheduled between now and then.

“To ensure that there is no gap in the department’s ability to have continued, streamlined access to IT goods and services, and to uphold our long-standing commitment to small businesses, we have decided to extend the FirstSource II contract vehicle,” Soraya Correa, DHS’s chief procurement officer, stated in the notice on FedBizOpps.gov on Aug. 19. “The ordering period for all FirstSource II contracts will be extended to Sept. 15, 2020. Performance under any orders shall not extend beyond Sept. 14, 2021.”

The intrigue in this drama comes from DHS’s decision. If you remember, Correa boldly decided not to recompete its highly successful EAGLE IT services multiple award contract vehicle, and instead move it to the GSA schedules.

Brian Friel, a principal with BDSquared, a market research and data analytics firm, said DHS’s decision was a bit surprising given the agency could achieve the same goals using existing contracts like NASA SEWP or the National Institutes of Health’s CIO-CS.

“FirstSource is a reseller contract. The decision represents to me that there is a strong sense in the department that their needs for products in IT are unique and they need to continue their own IT commodities vehicle to make sure the kinds of products that their buyers want are available,” Friel said. “You can argue that point. But I think folks at SEWP or NIH would say anything you buy on FirstSource you can buy on SEWP or CIO-CS. DHS also could achieve their small business goals by switching to one of these existing contracts since most of the vendors on these contracts are small businesses.”

Without a doubt, FirstSource has been a popular and successful contract for DHS. Friel said his analysis found that DHS used FirstSource for 47% of its IT commodity purchases last year, up 21 percentage points over the last four years.

DHS’s FirstSource II accounted for 47% of the agency’s  IT commodity purchases in 2018, up from 26% in 2014. Purchases rose at a compound annual growth rate of 20% during the period. (Source: BD Squared analysis of federal procurement data)

The trend over the last two years, especially with the focus on category management, has been for agencies to move away from standalone multiple-award contracts.

Friel said there are several examples of this change of thinking, from the Special Operations Command and the State Department creating blanket purchase agreements on top of the IT schedule to replace existing contracts, to the Agriculture Department shifting a lot of its IT services and commodity work to CIO-SP3 from NIH and GSA’s 8(a) STARS contract.

“The view is that moving to a GSA schedule with BPA is better than creating an indefinite delivery, indefinite quantity contract off the schedules where you have to establish pricing and terms and conditions that are totally unique. By creating a BPA, you are taking advantage of existing pricing and terms and conditions so you are achieving some efficiencies,” he said.

Comedy or tragedy around Alliant small business

And now to the tragedy or comedy, because this part of the soap opera is as sad as it is painful.

GSA announced it would reopen bids for its Alliant 2 small business contract, but first it wanted to collect comments on its proposed changes.

“The GSA A2SB procuring contracting officer recommends that offerors DO NOT significantly invest their company resources, specifically ‘bid and proposal dollars,’ into developing proposal revisions in response to this draft amendment because (1) that is not the purpose of this draft, and (2) changes to this draft amendment may occur before the official amendment 9 is released,” GSA states in its notice on FedBizOpps.gov.

Comments are due by Sept. 3.

Friel said GSA’s decision to reopen the contract means it will be another 6-9 months at least until Alliant 2 Small Business is up and running. The first version of this IT services contract expired in February after agencies spent more than $8.7 billion on 695 task orders since 2009. And that’s the tragedy of Alliant 2 SB—a popular and successful contract remains tangled in protests and revisions.

Or is it comedy that GSA refuses to evolve beyond these “winner-take-all” types of contracts and just let the real competition happen at the task order level?

Friel said in the first round of bids for Alliant 2 SB, GSA received 493 responses and awarded to 81 winners in February 2018.

After a successful protest before the Court of Federal Claims, GSA rescinded all 81 awards in April and has been planning its next steps since then.

“All bidders have to resubmit those two sections and have opportunity to resubmit their entire proposals,” Friel said. “GSA says it will award 120 contracts this time, but that still leaves hundreds of companies that will miss the cut of the self-scoring system.”

Friel said since there are only five incumbents from Alliant SB out of the 70 who won, this is a big second chance for all those contractors who failed to win the first time.

“The problem the first time was GSA didn’t use same evaluation process for everyone so as long as they go back to contracting 101 and apply standard evaluation criteria, they should get the contract up and running this time. But there is no question that it will take a year,” he said. “The good news is the scorecard concept has succeeded on every protest that has been filed against it.”

What’s also both tragic and ironic is OMB designated Alliant 2 SB a “best-in-class” contract in September 2017, and here we are two years later and the vehicle doesn’t even exist yet as it’s mired in protests and mistakes. Does that make it still “best-in-class?”

D-Day for GSA’s schedules

And finally, the preview for the next episode of As the Federal Procurement World Turns.

GSA will release its new consolidated schedule by Oct. 1, according to a blog post by Centre Consulting’s Barbara Kinosky.

This also means contractors can start accepting the mass modification that includes the new terms and conditions in mid-January 2020.

“We understand modifications to add the new consolidated special item numbers will not be accepted after Sept. 30 until sometime in mid-January 2020 after contractors have accepted the mass modification incorporating the new consolidated Schedule terms and conditions,” Kinosky writes. “New offers for new schedules that have been submitted prior to Sept. 30 but not finalized will still be reviewed and awarded. This includes the streamlined/successful legacy offers.”

GSA announced its plans last November to move vendors to one consolidated schedule from the current 24 by the end of fiscal 2020.

This and the effort to finally modernize the FedBizOpps.gov website should make for an interesting fall and winter.


Industry groups say Trump administration miscalculated burden of Huawei, ZTE ban


There is little disagreement among industry experts that the threat coming from Chinese companies ZTE and Huawei is tangible and needs to be addressed.

There is also little disagreement among contractors that the responsibility to do something about the security of not just telecommunications and video surveillance, but of all technology products rests jointly on the shoulders of government and industry throughout the supply chain.

And there is little disagreement that a rule in the Federal Acquisition Regulations is a good starting point, but far from the solution to the ever-growing problem of supply chain risk management.

The problem is that’s as far as industry and government have gotten. And the interim final rule that the FAR Council seemingly rushed out on Aug. 13 that bans the use of ZTE and Huawei products in the federal supply chain starting immediately didn’t help much, and may have made things worse.


Three industry associations expressed support for the overall idea of improving the federal supply chain, but said the interim final rule opens the door to some serious questions. Meanwhile two other groups declined to comment for assorted reasons; however, not because they fully supported the government’s regulations.

“It’s a complex rule for vendors and agencies to implement. It puts a burden on the vendors to exercise due diligence down through multiple levels of subcontractors. It’s not clear what will constitute reasonable due diligence given all the contracting levels and players that will be involved,” said Tom Sisti, executive vice president and general counsel at the Coalition for Government Procurement. “It would’ve been helpful to have some guidance on how to exercise due diligence so that an erroneous representation wasn’t viewed as a potential misrepresentation. This is a burden on vendors and agencies, there is no question about it. That’s not a criticism, but the due diligence will be important.”

Now because it’s an interim final rule, agencies, vendors and other stakeholders will have an opportunity to comment, and the government could make modifications to the final rule.

Small, large businesses face burdens

Sisti and others believe changes, maybe even significant ones, are possible given there are so many unanswered questions.

“We understand the need for immediacy, but it was drafted without a lot of industry participation, and coming out with immediate implementation means it will be relatively burdensome for companies to adjust their supply chains and respond to the rule in rapid fashion. That’s especially true as you drive this down through the supply chain of smaller businesses. It’s onerous on larger ones too but they have more resources,” said Wes Hallman, senior vice president for strategy and policy at the National Defense Industrial Association (NDIA). “Industry will have to think about the burden the rule is placing on them and how to deal with that. That is why there needs to be more back and forth when writing rules.”

Industry knew the FAR Council was working on the rule for about a year as instructed by Congress in the 2019 defense authorization bill. And the council held a public meeting about a month before it published the interim final rule, which left some believing the event was pro forma and the interim rule was all but decided.

“We are disappointed that they waited a whole year and released the interim final rule five days before it became effective. There was no time for companies or agencies to prepare for that kind of overnight preclusion,” said Alan Chvotkin, the executive vice president and general counsel for the Professional Services Council. “We are disappointed that we received no real heads up for how to proceed even as they worked through the text of the rule. There was no advance notice of proposed rulemaking. We knew the procurement policy folks were working, but we received no heads up from the procurement staff who will have to implement this.”

Aside from the immediate implementation challenges, experts say the interim final rule doesn’t address potential False Claims Act violations or how it fits together with Section 846, the e-commerce provision of the 2018 NDAA.

CGP’s Sisti said if vendors have to certify they and their subcontractors are not using ZTE or Huawei products, then what are the protections for industry if they make a mistake?

“You have to think about where things like telecommunications are involved where there isn’t a definition, do you revert to the Telecommunications Act? How does this impact software? Also how do you address the fact that it’s tempting to over report because it’s not something you can just say ‘yes’ to and cover your bases. This is very serious.”

Visibility is key to implementation

Corbin Evans, the regulatory policy director for NDIA, said before vendors can even make that certification, they must gain visibility into their entire supply chain.

“The interim rule creates a pretty big disruption in the supply chain and it could hinder a company’s ability to deliver on contracts they submitted bids for or are developing bids,” Evans said. “The immediate implication of the rule is increased costs across the defense industrial base as they have to get new suppliers and reconfigure their supply chains in order to source materials from new partners. This will cause administrative costs across the industry related to contract reconfigurations.”

Evans added that those additional costs likely will be borne by the government and taxpayers.

Evans and others aren’t arguing against the need for supply chain security, even if it brings additional costs, but they say some dialogue to figure out the best way to mitigate those costs would have been a better approach.

And then there is Section 846, the requirement for the General Services Administration to develop online approaches to make buying products and services below the micropurchase threshold easier.

The interim final rule covers those purchases too, so experts say it complicates the e-marketplace effort.

“The rule says there is risk and it’s not affected by commercial items or dollar value. So now there are two paths going on with the Section 846 effort. How is this going to be implemented in the context of the e-commerce rule now that they have made this determination?” Sisti said. “How do you rationalize that with purchases under the micropurchase threshold? This interim rule says the risk is too great.”

He added the risk of purchases below the MPT is one that CGP and others have raised for a long time, particularly around who is liable for a violation or breach—the platform, the vendor or the purchaser?

“If an agency user now has to make a risk decision with every purchase, is that where we want to go in this environment?” Sisti asked.

PSC’s Chvotkin said applying this rule to commercial items also adds another layer of complexity to federal procurement at a time when Congress and agencies, through the use of other transaction agreements (OTAs) and commercial service offerings (CSOs) are trying to simplify it.

“We understand these will not be the last two companies subject to this type of ban,” said NDIA’s Evans. “We have to create a system and expectation where DoD and industry better understand the tradeoffs between security and costs.”


Why a ‘satisfactory’ rating is a bad thing for contractors

Let’s talk about the word “satisfactory.”

For most of us, the first thing that comes to mind is the grade of a “C.” If you received a “C” in high school, your parents probably asked you what happened, as if satisfactory wasn’t good enough. Of course, there are some of us in certain subjects, say math, where a “C” was excellent.

But for the most part, getting a “C” in many households was unacceptable.

That word “satisfactory” is at the crux of what is wrong with the Contractor Performance Assessment Retrieval System (CPARS).

Too many contracting officers are saying a vendor’s performance is satisfactory for two main reasons: A lack of time to explain why the contractor was outstanding or exceptional, and to avoid any lengthy back-and-forth if a rating is below average or poor.

But as Greg Rothwell, the former Department of Homeland Security’s chief procurement officer, said at a recent event on CPARS, “If you are a vendor, getting a satisfactory kills you.”

This is because contractors should be using CPARS as one way to differentiate themselves from their competition, and contracting officers should be using it to differentiate among bidders. But if everyone is rated “satisfactory,” then CPARS loses most of its value.

Not everyone believes earning a satisfactory rating is a killer.

Jeff Thomas, the director of the acquisition and grants office at the National Oceanic and Atmospheric Administration, said vendors shouldn’t see receiving a satisfactory rating as a bad thing.

“When we have vendors who deliver on time, that is satisfactory,” he said at the Professional Services Council event. “It will not be a killer for you. People looking at CPARS will be able to differentiate between what was a complex project and what wasn’t.”

Data compiled by GovConRx, a contractor consultancy, found that between 2014 and 2018 the number of satisfactory CPARS ratings increased across all four metrics — quality, management, schedule and cost control — while the number of exceptional and very good ratings steadily declined.

[Chart: CPARS ratings by category, 2014 to 2018. Source: GovConRx analysis of CPARS.gov.]

“CPARS are rising in importance as many agencies have increased their reliance on past performance questionnaires,” said Mike Smith, a former DHS director of strategic sourcing and now executive vice president at GovConRx. “This is why vendors need to get agreement with their government customers on what it means to get an exceptional CPARS rating. What are the additional things you need to do to get an exceptional or very good rating? The government will not answer that up front, but it’s imperative for industry to work with your government customers throughout the contract. The bottom line is that CPARS is an active element to managing excellence, and not just a reporting or compliance activity.”

Shanna Webbers, the IRS’ chief procurement officer, agreed with Smith, saying vendors should ask their program managers what excellence means to them.

“While it’s beaten into the federal government that satisfactory is good, how do you get an excellent? When I get a new supervisor, that is what I ask. What do I need to do to show exceptional performance? Having those conversations at the beginning, and the middle of a program are critically important. You help document what that is and at end of the fiscal year, you show specific results to prove you were excellent.”

DHS looks to artificial intelligence

It’s also that thinking of making CPARS more than a reporting or compliance activity that is behind DHS’ recent solicitation under its Commercial Solutions Opening (CSO) pilot program.

“The government desires one or more demonstrations of a proof of concept/viable prototype to determine the extent to which artificial intelligence can assist contracting officers conducting past performance evaluations in making efficient and effective use of CPARS information,” the solicitation states. “The government hopes, as a threshold, that the demonstrations will show that AI can help the contracting officer identify which records in CPARS contain the most relevant information to the past performance evaluation in question. The government also desires data-driven and evidence-based recommendations about opportunities to improve the data quality of the past performance information inputted by contracting officers into the CPARS, based on the provided test data set and informed by the development of the proof of concept/viable prototype.”

The CSO approach is in the same vein as the increasingly popular other transaction agreement (OTA) where the agency is using a streamlined approach to test out or invest in innovative ideas.

DHS says it will award up to five CSO agreements worth $50,000 per awardee to test their AI or machine learning technology against approximately 1,000 records of about 50 contractors. The agency said the test data is actual CPARS information for non-systems services contracts.

“The awardee to those contractors who can demonstrate through a proof of concept/viable prototype that AI can help the contracting officer identify the few CPARS records related to each contractor being evaluated in a specific source selection/evaluation that are most relevant based on the solicitation and related requirements,” the solicitation states. “In this context, AI is most likely a set of autonomous or semi-autonomous system methods that will enable advanced automation, continual learning, prediction and decision aids to solve complex, dynamic problems. Additionally, in this context, AI that is human readable (humans can understand what the AI is doing and how the AI processes the data to achieve the intended results) as well as AI that is verifiable (techniques are utilized to produce objective results that can be trusted, are free from biases, and that produce intended outcomes in a repeatable and objective manner) is of utmost importance.”

Winning vendors will have to demonstrate their prototype within 120 days after receiving the award.

Responses to the CSO solicitation are due Aug. 27 with awards expected by Sept. 25.

“An AI tool would allow contracting officers the ability to scour all offerors’ CPARS performance ratings to get a more accurate and balanced view of the contractor’s performance for the type of work they’re bidding on,” GovConRx’s Smith said. “Additionally, a CPARS AI tool could allow for new acquisition strategies that may use past performance in a source selection as the primary basis to determine which contract vehicle to use, as a primary technical evaluation for ‘capability,’ or even use past performance as the primary basis for a technical evaluation, which has already occurred on a limited basis, and was upheld by the Government Accountability Office. This will probably increase as AI provides contracting officers with more recent, relevant and accurate CPARS data.”

The IRS also is looking at how to automate the CPARS process.

The IRS’ Webbers said the tax agency may be looking to test out ways to use technology to automate and standardize information to make better decisions.

“We are looking at it and possibly exploring how to move forward so we get speed, accuracy and consistency,” she said at the PSC event.

While AI may be useful, the real issue in fixing CPARS comes back to language. Agencies should rethink the definition of what it means to be successful and the use of the word “satisfactory.” It has a perceived meaning — fair or not — with negative connotations, and a new approach would make CPARS more valuable for both industry and agencies.
