Reporter’s Notebook

jason-miller-original“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips  to Jason via email.

 Sign up for our Reporter’s Notebook email alert.

Creative, responsive, agile underscored federal IT, procurement in 2020

When it comes to federal technology and procurement, 2020 will be remembered for many things, but maybe most prominently it was the year telework became the norm and not some luxury of a few forward-thinking agencies.

The year that is almost over also proved urgency and emergency can drive agencies and vendors to get hardware and software in place in record time and within federal rules.

Even if we put the COVID-19 pandemic aside for a second—if we can—2020 raised the cybersecurity stress level of agencies and contractors alike more than at any time over the last five years given the recent SolarWinds cyber breach and the rollout of the Cybersecurity Maturity Model Certification (CMMC) and supply chain risk management efforts. The Homeland Security Department’s decision to relax the burden of the Trusted Internet Connections (TIC) requirements as agencies put more applications in the cloud was one of the few welcomed reprieves.

The year also marked the continued rise of cloud services, the increased use of DevSecOps and agile development and everyone was talking about artificial intelligence, machine learning and 5G as they were darlings of the community.

I asked a panel of experts for their take on 2020 around federal IT and procurement.

The panelists were:

  • Jose Arrieta, former CIO at the Department of Health and Human Services
  • Mike Hettinger, president of Hettinger Strategy Group
  • Malcolm Jackson, former CIO at the Environmental Protection Agency and currently the principal director for CIO Advisory Services at Accenture Federal Services
  • Suzette Kent, former federal CIO
  • Essye Miller, former Defense Department deputy CIO

Biggest technology and procurement stories of 2020

Which new policy or updated policy from OMB was most significant this year, and why?

Essye Miller, retired as the principal deputy DoD chief information officer in June.

Miller: The Cloud Smart strategy set the stage for agencies to better envision the path to cloud adoption as a means to IT modernization. It shifted the conversation from counting data centers to use of emerging technology to support mission enhancement. Unknowingly, this ultimately set the stage for the successes we saw supporting the pandemic.

Jackson: Everything this year was centered around COVID-19. OMB updated its guidance on telework flexibilities in M-20-13, M-20-15 and M-20-19 – all accommodations designed to support broader telework and mission continuity in response to COVID-19, accelerating agencies down the path towards network enhancements, collaboration tools, cloud/platforms and heightened cyber awareness. Prior to COVID, many federal agencies had telework capacity that didn’t support access to capabilities required by the entire workforce. Updating the telework guidance sets the government up to be more aligned with commercial industry’s use of telework. This type of private/public sector parity can accelerate the pace of transformation for the government.

Suzette Kent left in July after more than two years as the federal chief information officer.

Kent: Although OMB M-20-19, Harnessing Technology to Support Mission Continuity did not introduce any new capabilities, it allowed agencies to prioritize and promote capabilities that were already available, eliminate adoption friction and maximize agency use in ways that further expanded technology and digital tools during the pandemic. This was a proof point of the importance of having clear priority directives from the top of agencies and supporting agency adoption of capabilities.

Hettinger: In my world, the most important OMB policies this year revolved around the response to the pandemic. OMB memos M-20-15 and M-20-16, which provided guidance for federal employees around expanded telework, M-20-18, on managing contract performance during the pandemic and most importantly, M-20-19, which called on federal agencies to harness technology to support the mission as employees and contractors moved to a work-from-home first posture. M-20-19 in particular was critical to adjusting the mindset and providing agencies with flexibility to acquire and leverage the tools they needed–like e-forms and e-signatures–to support remote work. The other key policy issued in response to the pandemic was the interim Trusted Internet Connections (TIC) 3.0 policy issued by the Cybersecurity and Infrastructure Security Agency (CISA). Like the OMB memos, the intent of this interim policy, which was really an offshoot of M-20-19, was to enhance the security of .gov networks against the backdrop of a massive surge in telework. The interim TIC policy has been instrumental in supporting secure remote work environments, enhanced virtual private networks (VPN) and virtual desktops as well as promoting zero trust environments.

What was the biggest surprise around federal IT or procurement this year, and why?

Kent:  Many have told me that the pivot to telework, teleservice and new product introductions (CARES Act-related) that moved quickly and performed well were a surprise…I was not surprised because it exemplified the great, often overlooked, work being done by agencies every day toward their strategic agendas. It demonstrated that they took action on cloud-supported solutions, modern email, electronic signature, digital citizen services, connected cybersecurity and scalable vendor solutions. It would be a massive failure for service quality, workforce experience and efficiency if the expansion and focus on these did not continue.

Hettinger: This is a tough question but I think I’ll have to go with JEDI. The fact that DoD stuck to its guns and kept this as a single award despite all of the protests and related legal action is pretty surprising. The easy way out would have been to rebid it, make multiple awards and let the vendors fight it out at the task order level.

Jose Arrieta was the HHS CIO until August.

Arrieta: I think the biggest surprise from my perspective was the speed with which OMB, HHS, White House Coronavirus Task Force, the Homeland Security Department, the Defense Department and the National Security Agency were able to respond to and drive the pandemic response once the policy direction was established. It is a testament to the training that the career workforce has received over the last five-to-10 years. For example, at HHS, the CIO function when I was the leader was able to fund some work eight hours after a large cyber attack, plan, negotiate and award a contract in less than 36 days, and implement a modern Managed Trusted Internet Protocol Services (MTIPs) fully in 119 days using a blended competitive process. Partnering with GSA, the HHS CIO and the contracting officer were able to drive a discount of over 70%. This is an example of the incredible planning and adaptability within the career acquisition and technology workforce at HHS.

 Jackson: Beyond COVID, the biggest surprise was how quickly agencies were able to expedite procurements in support of telework capabilities. Federal procurement officers can learn from this success and embrace similar agile practices moving forward. The pandemic proved that it can be done. Now it can be standardized and used for non-crisis environments as well.

Miller: The speed of technology adoption to support a remote workforce during the pandemic. Agencies were creative, agile and responsive to mission needs. The typical procurement obstacles were not barriers to success. The move toward a cloud environment was already underway. Agencies were already looking at commercial solutions for email and collaboration that met our cyber security requirements. The pandemic made those efforts visible very quickly.


From JEDI to CIA to TIC: The stories that made 2020

The Reporter’s Notebook started off as an idea to highlight all the tidbits and news nuggets that got lost or left out of a story.

It has, I’m pleased to say, morphed into what I hope is news analysis that not only highlights stories rarely covered day-to-day, but takes on well-known topics that make my audience think or reconsider their established positions.

It’s been eight years since I launched this feature and I still surprise myself nearly every week with how stories come together, the federal and industry experts and sources that provide me immeasurable support, insights and ideas that form the notebook and, hopefully have an impact on the three “Ps” of the federal government: Policy, people and programs.

As always, I encourage you to submit ideas, suggestions, and, of course, news to me at jpmiller@federalnewsnetwork.com. The 2018 top 10 list featured stories about change and turbulence in the federal IT and acquisition communities. In 2019, the top stories were more diverse with a mix of IT past, present and future.

In 2020, the top stories conformed to many of the most popular topics that played out across the government with three follow-ons from the previous year.

Here are the top 10 Reporter’s Notebook stories of 2020.

1. A cyber cautionary tale: Unnamed agency suffers sophisticated, possibly nation state attack

It’s a little surprising that this story was the most read of this year. It came together almost as an after-thought where the Cybersecurity and Infrastructure Security Agency (CISA)-issued use case was an interesting read. After talking to several experts, the story ended up revealing just how serious the cyber incident was for that unnamed agency. In retrospect and knowing what we do now about the SolarWinds cyber breach, it’s no surprise cybersecurity continues to drive the interest of readers.

2. Time for DoD to cancel JEDI, ride the CIA’s cloud coattails

The Defense Department’s cloud saga known as the Joint Enterprise Defense Infrastructure (JEDI) is the story that just keeps on giving. We wrote at least 17 stories about JEDI in 2020, and the epic doesn’t seem to have an end in sight. In this specific story, the IT Acquisition Advisory Council tried to convince lawmakers to do more to force DoD to rethink its approach to the single-award contract and follow the lead of the CIA. As we know, DoD leadership continues to hold on to JEDI strategy. It will be interesting if the new chief information officer coming into DoD under the administration of President-elect Joe Biden decides reconsider the JEDI program.

3. Agilefall: The place between agile and waterfall development where most agencies live

Nearly every agency chief information officer and many vendors love to talk about just how DevSecOps and the agile development methodology has taken over from waterfall. But when you look closer, as we did in this story, many agencies aren’t quite out of using the much-maligned waterfall development approach. This story highlighted three case studies from the Small Business Administration, the General Services Administration and the Education Department demonstrating that agile and DevSecOps are gaining ground. It’s just not as fast as many would like or contend.

4. DoD warns vendors about fake third party CMMC certifiers

DoD’s Cybersecurity Maturity Model Certification (CMMC) is probably the most talked about topic for vendors this year. The concern is about how the Pentagon will roll it out, when the third-party certifiers will be in place and which contracts will include the standards. While DoD has answered most of those questions by now, back in February Pentagon leaders were telling vendors not to spend money on CMMC quite yet — no matter what services providers told them what they can do. It’s not new for companies to try to take advantage of contractors looking to get ahead of a new program. What was interesting was DoD’s public warning of these scammers.

5. CIA cloud program awarded; CISA cyber program under protest

The interest in the CIA’s cloud contract known as C2E was always high among contractors, but the breaking news of the award seemed to resonate across the federal market. Maybe it’s because the CIA has been out in front in using cloud services when compared with most other agencies? Or maybe it’s because the C2E program often has been compared favorably to the DoD’s problematic JEDI program? Then again, it might have been the second half of the story about a contract award protest faced by CISA that drew the readers. It’s hard to say.

6. Einstein, TIC never got along, and TIC 3.0 makes their break-up official

I wrote this story before the COVID-19 pandemic but it foreshadowed what was coming. Agencies and vendors complained for years that the Einstein intrusion detection, intrusion prevention software and the Trusted Internet Connections requirements made cloud services more cumbersome. This news highlights how the Department of Homeland Security finally was outlining a path to ease that burden and why it was such an important story in early 2020. And when the pandemic hit, DHS acted fast with a new remote working use case that brought TIC 3.0 to reality.

7. Policy winners, losers in the defense authorization bill

Of all the stories in the top 10, I was most surprised this one made it. But, I guess it goes to show you that readers appreciate the research and analysis of the IT and procurement policies in the annual defense authorization bill.

8. Agencies expected to spend almost $200B on acquisition in the fourth quarter of 2020

This story came from a Government Accountability Office graphic showing just how much acquisition funding was left to spend. While the graphic was a starting point, the real story evolved as DHS, the IRS and GSA began detailing new solicitations or draft requests for proposals that would make the federal fourth quarter a contracting bonanza.

9. The downside of a wildly successful governmentwide 8(a) contract

This story was one of the few instances where GSA either miscalculated the reaction from industry or decided it was just the messenger of the bad news, but held little to no real authority to change the situation. All but shutting off the spigot for agency customers and 8(a) companies right as the fourth quarter of the federal fiscal year was about to start was inconceivable for many companies. The story continued to expand during the year as frustration grew among 8(a) firms and capped off a rough year for small firms working with GSA.

10. HHS’ shutdown of assisted acquisition services remains painful, wasteful

This was the fifth in a series of stories starting in July 2019 on the decision by the Department of Health and Human Services to shut down its assisted acquisition services. More than a year after the decision, this story continued to demonstrate the impact of what many called a horrible, vindictive decisions based on faulty logic. The follow-on story in November brought the saga to a sad conclusion where certain HHS leaders resorted to finding a scapegoat to rationale their poor decisions.


SolarWinds incident should be a catalyst to rethink federal cybersecurity

Federal chief information officers and chief information security officers didn’t get a lot of sleep last week, and may not for the foreseeable future.

CIOs and CISOs have spent a long week trying to get a handle on the impact on their networks, systems and data from the SolarWinds cyber attack.

After the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive on Dec. 13, the race was on to detect, mitigate and respond.

And when CISA followed up with an updated cyber alert on Dec. 17, the agencies had yet to begin to fully realize the depth and breadth of the attack.

“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged,” CISA wrote, “CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.”

So much for the holiday season as the SolarWinds cyber breach added to what many have called the dumpster fire that is 2020.

Promise to elevate cybersecurity

While the details of the cyber breach continue to emerge and the agencies impacted come to light, Congress and the incoming administration of President-elect Joe Biden are promising to make 2021 an even busier year for CIOs and CISOs.

“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office. We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyber attacks,” Biden said in a Dec. 17 statement. “But a good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

Add to that a growing number of House and Senate legislators who are calling on CISA, the FBI and other agencies to provide details about the extent of the attack on federal networks and systems.

“The [CISA] directive is not optional and mandates federal agency networks to remove the affected software components for the foreseeable future. While this initial protective step was taken and SolarWinds similarly issued a security advisory, Congress needs to be informed of the size, scope, and details of the cyberattack campaign’s impact on the federal government to appropriately respond to this risk,” wrote a bi-partisan group of six Senators from the Committee on Commerce, Science, and Transportation and the Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies in a letter to the FBI and CISA.

The lawmakers asked for answers to six questions and a briefing as soon as possible.

Not to be outdone, four Democrat leaders of the House Homeland Security and Oversight and Reform committees wrote to the FBI, CISA and the Office of the Director of National Intelligence on Dec. 17 seeking more details on the attack and impact on agencies.

“To that end, we ask that you provide our committee members with any damage assessments of this attack, including interim analyses, as soon as practicable,” the letter stated.

A day later, Sens. Rob Portman (R-Ohio) and Gary Peters (D-Mich.), the expected chairman and ranking member of the Homeland Security and Governmental Affairs Committee depending on how the special election goes in Georgia, pledged to “plan to hold hearings and work on bipartisan comprehensive cybersecurity legislation in the new year.”

Reps. Adam Smith (D-Wash.), chairman of the Armed Services Committee, and Jim Langevin (D-R.I.), chairman of the Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, also released a statement promising to “continue to push cyber-and technology-related issues to the forefront of national security.”

‘Current system is broken’

Basically, CIOs, CISOs and other career executives will face a series of tough questions from Congress over the next year. The question is whether lawmakers and the Biden administration will ask the right set of questions.

A senior federal cyber official, who requested anonymity because they didn’t get permission to talk to the press, said the focus from the federal and Congressional leadership has to be around three areas: Why the cybersecurity approach continues to be faulty? What should the priorities of CISA really be? And how can agencies build better resiliency into their networks and systems given cyber incidents will only increase?

“The current way we are doing cybersecurity is broken and for anyone to say otherwise is mistaken. In many ways we were put on notice by the OPM hack and this one is worse just based on the breadth and depth we are seeing. To solve a problem you first need to admit you have one,” the official said. “DHS is trying to protect everything. It needs to focus on the things that are most meaningful. They have plenty of authority. You can surely argue they may not have enough resources or people, but then again no one does. It’s a matter of knowing protecting those things that can cause real death and harm in our society like the health or electric infrastructure. [It] also means we need to do better job of making it harder once the hackers are in the system, which means we make it hard to understand what is real and what is not. We’ve got to be creative and that’s where you use deception and honey pots. If there was some concern about going down that road before, we can’t have it any longer and we have to be more creative.”

For two former federal senior IT officials, both of whom requested anonymity because their current companies provide cybersecurity services to agencies, echoed that same line of thought, saying the question Congress should be getting to isn’t who to blame, but what can be done differently going forward.

Both former executives say agencies are in much better shape than in 2015 when the massive hack of the Office of Personnel Management came to light. But the SolarWinds breach is a different type of incident and requires a different discussion that both Congress and the Biden administration must lead.

“The fact we have multi-factor authentication deployed as widely as we do is just one sign that agencies are significantly more focused on cyber than in 2015,” said one former executive. “But I want to be clear, that doesn’t mean nation state actors who are interested in looking for and deploying zero days and custom written malware can’t get in the door. If they want to, they can get in the door against almost any defenses. So the question is how do agencies approach cyber defenses going forward?”

Poor understanding of Einstein

This brings me to an aside — stories by major, well-respected news organizations about the “failures” of DHS’ Einstein program are both sad and misinformed.

As someone who has followed Einstein since its beginning, it wasn’t designed to stop custom written code, malware embedded in patches and other unknown threats. It wasn’t difficult for the Washington Post or The New York Times to figure that out with a simple Google search. It’s poor reporting and at least some of their former government sources should’ve known better and explained the goals of the intrusion detection and prevention initiative.

Einstein is not perfect by any means, but the money spent to implement is not wasted in light of this attack.

Let’s return to the issue at hand. Agencies continue to face major problems in securing their data and systems despite the progress since the OPM hack. The current federal cyber official disagreed with the premise that agencies are better off since OPM. The sources said there may be some areas like the requirement to have multi-factor authentication and the use of continuous monitoring tools under the Continuous Diagnostics and Mitigation (CDM) program.

“DHS consistently asks for more. They needed the Cybersecurity Information Sharing Act. Then they needed a new name, and now they are getting administrative subpoena authority. But what’s fascinating in all of this is it was the companies telling the government about the hack,” the official said. “So where is DHS or where is the government today in terms of being in better shape to detect, mitigate and respond to this type of attack?”

This is why experts say any future cybersecurity programs, whether the move to zero trust or security operations-as-a-service (SOCaaS), will not be panaceas.

Resiliency is the key

But as the former executives said, the goal is to lower the risk posture of agencies and make them more resilient.

“The question is after this is all over, are agencies going to be still talking about managing risk only from an agency perspective or will they talk about it from an enterprisewide government perspective?” said the second former official. “If we move to SOCaaS, it lets agencies more quickly manage risk from a governmentwide perspective and change the dynamic.”

The former federal executive said that’s where Congress should focus its attention and appropriations efforts and the Biden administration should focus its budget requests to put resources into a solution and not into blaming someone or some agency.

“With the OPM breach, OMB had the ability to shape agency’s actions by holding them accountable publicly and through the budget process. OMB could move funds in 2015 and plan for new investments in 2016,” the former executive said. “The question today is do we know where dollars need to go to accelerate change? I don’t think OMB or CISA have identified what capabilities would have helped protect agencies from the SolarWinds attack. There may not have been any. But at least with SOCaaS and more threat hunting teams, the identification, mitigation and remediation would be faster and less complex.”

The former executive said CISA and its Quality Services Management Office (QSMO) is best to address these and other challenges. Agencies, generally speaking, rely on CISA to provide many of these cyber capabilities already — which is another challenge that CIOs and CISOs faced over the last week that may have impacted their ability to react and adapt.

The first executive said the move to zero trust also would enable the hunting for attacks and the ability to remediate and maintain resiliency.

“In order for agencies to more effectively secure their environments, agencies need to harden their systems and data all the way to the center. They need to encrypt their data and continue to look at what continuous monitoring means going forward,” the former executive said. “What are the investments to get agencies there? Congress needs to understand that and can’t just decry the incidents and point fingers.”


Exclusive

Vendors, consultants describe an increase in ‘bullying’ tactics by GSA to get lower schedule prices

The General Services Administration’s schedules program brings in more than $38 billion in revenue each year. It’s one of the most well-known acquisition programs in the country with a reach across more than 100 agencies, state and local governments and the private sector companies. If a company wants to play in the federal market, usually their first step is to get on the schedule.

This is why recent actions by some GSA contracting officers trying to drive down prices, particularly for services, that some say to an unreasonable level is causing so much concern and eliciting words like “bullying” and “holding hostage” from those vendors facing this pressure that has re-emerged over the last four to six months.

Multiple vendors as well as consultants, lawyers and a major GSA-focused trade association representing hundreds of schedule holders say the pendulum has swung too far in how the Federal Acquisition Service is requiring vendors to renegotiate prices, with some being reduced by as much as 40%.

“We are getting our next five years on the schedule and [were] just finishing our 10 year[s] in total. In our entire time on the schedule, we’ve never gotten an economic price adjustment so we have not increased our rates since 2009 or 2010. GSA deemed our rates fair and reasonable at the time,” said one vendor executive, who requested anonymity for fear of reprisal. “When we recently went to modify our schedule contract, the GSA contracting officer said our prices were no longer fair and reasonable and asked us to reduce five of our rates. That just shocked us. We have multiple blanket purchase agreements and other contracts against these rates so for us to back track was unthinkable.”

The vendor said after a lot of back-and-forth, they eliminated one labor category and were forced to reduce the rates of two others.

The vendor’s experience is turning out not to be an aberration. Consultants and lawyers say they know more than just a few companies, mostly in the services market as well as in the IT sector, who say GSA contracting officers have been put them in the unenviable position of reducing their rates or losing their schedule contracts.

Frustrations rising among vendors

Jennifer Aubel, a principal consultant at Aronson, said she has three clients who did more than $115 million in total revenue through the schedule contracts last year and were forced to drop their rates in order to add new capabilities or renew their schedule contracts.

Jennifer Aubel is a principal consultant in Aronson’s Government Contract Services Group.

“GSA sent one a notice that said their current pricing is not fair and reasonable and they are expected to lower the rates of about 60% of their labor categories, including some that would decrease by as much as 33%,” Aubel said in an interview. “This is not normally how it goes during an option period, especially to say current pricing is not fair and reasonable, which GSA approved.”

Aubel said GSA asked another client to drop 80% of their rates — by as much as 40%.

“It’s really frustrating. The prices awarded were all of sudden no longer reasonable. GSA is not sharing data so there is no way to tell if it’s a legitimate comparison,” she said. “What was striking about the negotiations was GSA was unwilling to negotiate. We provided comparisons with direct competitors and GSA said we were cherry picking and can’t use the data.”

Jonathon Aronie, a procurement attorney with Shepperd Mullin, was less forgiving than Aubel when describing the negotiations with GSA.

“I’ve seen multiple clients accept wholly unfair pricing demands just because GSA is holding their schedule hostage as a big solicitation is coming down. GSA will say sorry we will not add these labor categories until you accept this pricing. This is not what you’d expect of a good partner,” Aronie said. “Most companies just succumb to the bullying. It scares them to push back. Contracting officers just threaten with no renewals, and the idea of fighting with an important customer doesn’t work with some people.”

Fair and reasonable determinations

Mark Lee, the assistant commissioner in the Office of Policy and Compliance in GSA’s Federal Acquisition Service, said in an email that contracting officers use a variety of analysis techniques to determine fair and reasonable pricing.

“FAS is committed to continuous improvement and has updated guidance to ensure thorough documentation of use of these techniques in the contract,” he wrote. “GSA continues to provide contracting officers with better tools to focus on obtaining best value for customer agencies and the taxpayer, and where improvements in our pricing practices have been needed, we have made them.”

He said contracting officers establish negotiation objectives and determinate fair and reasonable pricing based upon a variety of pricing analysis techniques including:

  • Comparison of proposed prices received in response to the solicitation.
  • Comparison of the proposed prices to historical prices paid, whether by the government or other than the government, for the same or similar items.
  • Estimation methods to highlight significant inconsistencies that warrant additional pricing inquiry.
  • Comparison with competitive published price lists, published market prices of commodities, similar indexes, and discount or rebate arrangements.
  • Comparison of proposed prices with independent government cost estimates.
  • Comparison of proposed prices obtained through market research for the same or similar items.
  • Analysis of data other than certified cost or pricing data provided by the offerer.

But Aubel, Aronie and others said the reason why contracting officers are playing such hardball on prices is directly tied to getting slapped on the wrist by the inspector general.

In December 2019, the IG found FAS’ pricing determination tools were not sufficient and resulted in flawed price determinations. Auditors said this led to invalid price analyses and price reasonableness determinations that failed to leverage the government’s buying power in negotiations.

In April, the IG released an annual review of pre-award audits of 130 new or renewed schedule contracts and again found problems with price reasonableness determinations.

The experts said these and other reports created an environment of fear, thus pushing the pendulum too far in the wrong direction.

“This is reaction to the IG. This is a result of when the IG runs the program and not agency management,” said one industry source, who requested anonymity.

IG role questioned

Larry Allen, a GSA expert and the president of Allen Federal Business Partners, said this isn’t the first time he’s seen a push for lower prices, but because it’s seems to be an across-the-board effort, there is something more going on.

“The IG has a role to play, but its role isn’t to be co-program manager,” he said. “The IG gets to advise and consent, but they are not warranted contracting officers and they should leave the decision on what’s fair and reasonable to contracting officers. FAS leadership should be able to stand up to IG that contracting officers do get fair and reasonable pricing. It’s not like contracting officers are pulled out of checkout stand at Walmart or something. They go through extensive training.”

Two studies in 2018 found pricing on GSA Advantage was lower or equal to commercial pricing, thus creating more frustrations among industry.

Lee said while GSA does not comment on individual negotiations, senior leadership, acquisition managers, the acquisition workforce and the Office of Inspector General actively work together to ensure integrity and fairness in our acquisition process.

Mark Lee is the assistant commissioner of the Office of Policy and Compliance in the Federal Acquisition Service at GSA.

“GSA’s acquisition workforce and OIG contract auditors are well trained professionals and adhere to these standards,” he said. “This past year, GSA achieved an all-time high on vendor and customer satisfaction rates which reflects the outstanding work the GSA acquisition workforce does with customer agencies and industry partners to obtain best value for the taxpayer.”

A GSA spokesperson added in fiscal 2020, the customer loyalty survey and supplier relationship management survey reached all-time highs.

The FAS supplier satisfaction increased from 3.7 in 2019 to 3.8 in 2020 (on a 5-point scale). The 2020 FAS supplier satisfaction score is an all-time high for GSA, which it began tracking in 2013.

Lee also highlighted the extensive training contracting officers receive in order to negotiate with vendors.

“GSA has added a number of agency unique training requirements to ensure it maintains a well-qualified, well-equipped acquisition workforce,” he said. “To obtain a senior level warrant, GSA contracting officers must possess a 4-year degree, have 24 or more semester hours in business and complete 592 hours of training. To maintain the warrant, they must take a minimum of 80 hours of training every two years. Market research, price analysis and negotiations are key areas of that training.”

Low price vs. best value

Shepherd Mullen’s Aronie and others say it’s true not every contracting officer is “bullying” or “holding schedules hostage,” but it’s happening enough to be a concern for more than a few companies.

Aronie and others say contracting officers also are telling them that FAS released updated guidance or pricing handbook that directs them to take a harder line on pricing.

Lee would neither confirm nor deny the existence of a new or updated policy, just saying in an email that “GSA continues to provide contracting officers with better tools to focus on obtaining best value for customer agencies and the taxpayer, and where improvements in our pricing practices have been needed, we have made them.”

Whether or not there is a new policy or updated handbook, expert say the issue of pricing comes down to two things: FAS’ communications with its industry partners, and what are the outcomes FAS is trying to achieve through the schedules program.

Roger Waldron, the president of the Coalition for Government Procurement, said the return of the hardline price negotiations is disappointing.

“This is counter-productive. We are at a time where we need best and brightest capabilities to support agencies across the board and the drive to low price will drive commercial firms to provide the B, C or even D teams and not the A teams at a time when we are dealing with pandemic and return of near peer competition and to drive a brain drain in schedules program is a long term mistake,” Waldron said. “It’s short sighted and goes against ensuring the best mission capabilities to meet agency needs because it’s driving to lowest price. That will undermine mission capabilities and companies will be forced to provide less capabilities while they focus greater resources on what’s best value for them.”

Waldron pointed out that GSA, like most organizations, are paying more for people. He said over the last 20 years the average pay of a contracting officers increased to $108,000 per year from $54,000 a year.

“The cost of people and to maintain their capabilities doesn’t go down,” he said. “If you want great capabilities to support customer needs, you have to find right balance for best value and that is what they should be focusing on.”

Waldron said he would hope GSA brings in industry to discuss the challenges with pricing and the future of the schedules.

 

“If they want to be responsive to customer agency needs and be a bridge between the commercial market and the customer they need to understand how the commercial market works and seeking arbitrary price reductions is not understanding the value of people,” he said. “GSA put itself in a position to accelerate the market through schedules consolidation, eliminating stovepipes and making it more dynamic marketplace. But it remains inefficient and counter-productive if the barriers to entry are using this arcane approach and are based on the tyranny of low price, when we are really talking about best value. In some cases, it will be based on low price, but in the services arena, you have to be creating conditions where commercial firms are willing and interested in bringing their capabilities to the federal customer and part of that is reducing risk for all parties and focusing on value. Focusing on low price is not focusing on value.”


First Look

State Department grants new enterprise CISO far-reaching oversight authority

For decades, the State Department bifurcated the oversight, accountability and implementation of its cybersecurity defenses. The Information Resource Management office, where the agency chief information officer sits, and Diplomatic Security Bureau each play separate and not always complimentary roles, drawing the ire of Congress and the inspector general, and, at times, creating unnecessary challenges.

Sen. Mark Warner (D-Va.), vice chairman of the Select Committee on Intelligence and co-chairman of the bipartisan Senate Cybersecurity Caucus, wrote to the department earlier this year asking questions about the reporting structure of the CISO after an inspector general report found the CISO “lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO.”

Just about a year after that letter and IG report, Undersecretary of State for Management Brian Bulatao is creating a new position — the enterprise chief information security officer — to once again try to address what could be seen as a disparate approach to cybersecurity across the department. Bulatao announced the new position, which will report to the CIO, in a Dec. 7 memo to staff, which Federal News Network obtained.

Stuart McGuigan is the CIO at the State Department.

“The E-CISO will have broad authority (on behalf of the CIO) to oversee all aspects of cybersecurity. Any bureau that maintains their own cyber infrastructure will be responsible to the E-CISO for meeting all required cyber standards,” said Stuart McGuigan, State’s CIO, in an email to Federal News Network. “The E-CISO will be responsible for developing and implementing enterprise information security programs, including policies and procedures that are designed to protect the department’s enterprise communications systems from internal and external threats. The central E-CISO position was created to ensure that one entity is responsible to oversee cybersecurity on behalf of the CIO and follows industry best practices.”

Within the E-CISO, State also is creating the Office of Global Information Technology Risk.

“GITR will develop policy, procedures and templates to guide organizations within the department responsible for IT to conduct their own IT risk assessments and report results,” McGuigan said in a memo to Bulatao from earlier this fall, which Federal News Network also obtained. “These results will be analyzed and presented to department leadership for situational awareness and to inform decisions to manage risk.”

The E-CISO role, however, likely will have the bigger impact on addressing State’s cyber coordination challenges.

McGuigan expanded on the E-CISO role in a video shared publicly on the internet and provided to Federal News Network. He said all cyber policy and oversight activities performed by the information assurance organization will be elevated to the new E-CISO, the deputy CIO for information assurance will be renamed the deputy CIO for cyber operations and will be responsible for all IRM cyber operations.

“These new enhancements will increase transparency throughout IRM’s cybersecurity efforts and strengthen the partnership we have with the Bureau of Diplomatic Security,” he said in the video.

McGuigan said the E-CISO has not been selected yet. State advertised the position on USAJobs and are now reviewing applications.

Two reasons for the reorganization

In the memo to Bulatao, McGuigan said the decision to realign cybersecurity oversight and responsibilities are two-fold. First, it’s in response to senior leadership direction, and second from multiple inspector general recommendations.

“IRM seeks to formalize its cyber risk management program as an office within the E-CISO office and expand its responsibilities for all dimensions of IT risk,” the memo said. “The office will be staffed with two divisions, Risk Management and Risk Solutions, with distinct capabilities to advise, assist and guide the department on taking calculated risks in support of the conduct of diplomacy.”

The one big question that the E-CISO doesn’t answer is something Congress and auditors have been trying to address across the department for decades. The E-CISO nor the CIO will have day-to-day responsibilities over operational management, workforce performance and non-IT resource allocation.

The hope is that by requiring each bureau to conduct risk assessments and share them, the E-CISO can work through senior leadership, including the CIO and the undersecretary of management, to force improvements.

The IG issued reports in 2019 and again in 2020 saying the agency’s CIO continues to struggle to address systemic cybersecurity challenges.

“The OIG found that numerous control weaknesses affected program effectiveness and increased the chance of cyberattacks and threats to the department,” the IG wrote in the fiscal 2020 management challenges report. “The department’s Field First initiative to align technology to conduct diplomacy on the foreign affairs frontlines continues, with a new chief architect now in place. Under the Field First initiative, the department is identifying existing IT gaps, costs to close them and establishing post-specific roadmaps for implementation. Preliminary analysis shows that our greatest needs overseas are bandwidth, collaboration tools, and new equipment. IRM has been working with the Bureau of Administration to deploy an IT Service Management portal in myServices that will manage employee requests for IT solutions.”

In 2019, the IG was more specific about the lack of coordination between IRM and Diplomatic Security Bureau.

“OIG remains concerned with the overlapping and poorly defined responsibilities between DS and IRM and the organizational placement of the CIO, which impedes the position’s ability to effectively implement an agencywide information security program,” auditors stated in the management challenges report for 2019. “In addition to addressing these structural and organizational concerns through its reports and recommendations, OIG has repeatedly emphasized these matters in testimony, presentations, and other communications with the department and with Congress.”

Diplomatic Security created CTS

This challenge is not new for State. In 2017, the Diplomatic Security Service established the Cyber and Technology Security (CTS) directorate to improve security at embassies, consulates and among foreign affairs officers.

Despite these efforts and the ongoing auditor reports, State has been slow to fix these long-standing problems and now the agency is trying the E-CISO approach.

The changes to State’s cyber oversight and policy offices is part of a targeted IRM modernization.

McGuigan said recently he reinvigorated the IT Executive Council to include six working groups, including cybersecurity, mobility, architecture and workforce.

He said the goal is ensure bureaus help develop and take part in enterprise capabilities like cloud services or other new technical capabilities.

Outside of IRM, State wants to create a new Bureau of Cyberspace Security and Emerging Technologies (CSET), which would consolidate many disparate functions and improve coordination internally and across the government. The technologies CSET will look at include things like 5G, supply chain security and similar national security issues.

State told the Government Accountability Office that it expects to establish the new office in early 2021.

The creation of the E-CISO comes nine months into the COVID-19 pandemic where State’s cyber challenges, like many agencies, increased as its risk profile expanded with remote working.

“In order to meet the growing demand for remote work in response to the pandemic, IRM undertook a multi-pronged approach to ensure that the department could continue to operate while many employees worked from home, and provide users with more options to overcome IT challenges,” McGuigan said. “First, the department enabled the Office 365 environment, coupled with multifactor authentication, for all employees. Next, the department increased the concurrent virtual desktop interface (VDI) capacity to 15,000 users, previously it was limited to 5,000 concurrent users, and procured and imaged several thousand laptops. Additionally, the department enabled a video collaboration capabilities through WebEx and Teams to ensure that users could continue to meet virtually throughout the pandemic.”


Air Force’s next hack of the federal procurement system: One-year funding

Air Force Maj. Gen. Cameron Holt knows a little something about the complexity of federal contracting.

The deputy assistant secretary for contracting, in the Office of the Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, started his career as a contracts manager. He served as the procuring contracting officer for the F-22 fighter and held an assortment of executive positions during his 19-year career in the service.

So when he gave the House and Senate armed services committees a list of regulations that need to be revoked, removed or replaced a few years ago, he knows what he’s talking about.

Cameron Holt, Jason Miller
Air Force Maj. Gen. Cameron Holt (right) speaks to Federal News Network Executive Editor Jason Miller at the 2019 NCMA Government Contract Symposium conference.

“I told them that you’ve written so many laws that we need to implement that our contracting officers in the trenches can’t even follow them all because they actually start to conflict with each other,” Holt said at the annual Government Contract Management Symposium sponsored by the National Contract Management Association. “That environment is not really paying attention to the opportunities that, for instance, the 809 panel gave to them to update the system. I think they are really focused on a different agenda right now. I hope they will join us in really streamlining, especially the defense contracting environment, but really the federal contracting environment.”

And the most recent version of the National Defense Authorization Act adds dozens of new provisions, including a new requirement for the Defense Department to develop a “strategic framework for prioritizing and integrating sustainment of major defense acquisition programs in support of the national defense strategy, the development of materiel readiness metrics and objectives for major weapon systems and a report on these metrics with each annual budget request.”

Holt and other Defense Department acquisition experts, however, are not waiting for Congress or even their own regulations to catch up with the times.

“On the other side of the coin, I see a renaissance going on. I see people tired of being told ‘no.’ People being tired of all the red tape, a real weariness of overly prescriptive items, and a vastly long time frame and risk averse approaches to contracting,” he said. “In large part led by NCMA and others, I see people really opening the aperture, pushing authorities down and trying new things, and providing blast shield support because the D.C. recrimination culture continues. The difference is we have a lot of courageous leaders in key positions who have had enough of that and are willing to let their folks try new things, make decisions on their own and move a lot faster.”

Holt said Congress gave the Air Force, and DoD more broadly, some of those new authorities through Other Transaction Authority, Commercial Service Offerings and a rapid acquisition approach through the mid-tier acquisition provisions.

Two steps forward, a step backward

But now, he is worried, that Congress and others are taking a step backward by adding more oversight and compliance requirements.

“We have to stop worrying about who signs your performance report and drive unity of effort rather than just unity of command. Our organization structures were born out of the industrial revolution and we haven’t really thought innovatively about it until recently,” Holt said. “We are now making a lot of progress in breaking down some of the barriers of communication and starting to drive unity of effort across functions and across organizations.”

Holt pointed to the Air Force’s focus on digital acquisition, calling it a renaissance where the service is embracing open systems architecture, digital engineering and agile software development.

“Underlying all of that is digital contracting. As we develop that digital thread in using really high speed tools for a digital and technical environment for the prime and all subcontractors to operate within, we are asking new questions in contracting like why do we write proposals to begin with? Why can’t we just attach the cost and overheads inside that digital environment so that there is ultimate transparency and you can turn on or off people’s views of what they can see to protect cost and proprietary information?” he said. “At the same time instead of the standard process we go through where we write a proposal that takes months and months to come in and that proposal has very little to do with actually what’s going on, and in some cases it’s way high. We could leverage data and technology to get to the point where the actual negotiation is just a discussion about risk and then we hit print or not hit print on the proposal and move forward.”

Will Roper, the assistant secretary of the Air Force for Acquisition, Technology and Logistics, said at the NCMA event that the service is “using MacGyver-like techniques to make the system do things it wasn’t originally envisioned” to do.

“We have to explain, both upwards to leadership above us as well as to the field why we are encouraging this behavior,” he said. “The period in which the FAR was created is very different than today. The government was still the central driver of the technology in this nation. We represented most of the research and development in the nation during the height of the Cold War. I don’t think the original drafters of the FAR would’ve imagined a complete 180. So we must hack the system to be relevant.”

New memo on one-year funding

One way the Air Force is hacking the system is by rethinking current regulations. For instance, funding for operations and maintenance of systems.

Roper said he’s writing a new memo with the general counsel and financial management offices to bring more flexibility into one-year O&M funding-known as 3400 money.

“I don’t think the original envision of different colors of money was not to allow us to do common sense things. It’s to operate and sustain. I think the implication is operate and sustain relevant things. If you are creating a completely new bomber instead of sustaining your old one, you’ve crossed the line and you know that,” he said. “If you are making reasonable improvements to your system to keep it relevant for the original purpose to which it was built, that is what that account is for and we have given that up. It’s a great example of the kind of conservatism that has now overwrought our system into being intransigent and inflexible.”

Rebecca Weirick, the Army’s deputy assistant secretary for procurement, said changing the way agencies are funded to eliminate single-year funding is one of biggest changes that is needed.

Rebecca Weirick is the executive director of the Services Acquisition Office of in the Deputy Assistant Secretary of the Army for Procurement.

“Our program managers are rated not only how well they spend money, but how well they disperse it. That is not the right motivation,” she said. “This is something we have been pounding on for years to no end, but we are hopeful.”

These “hacks” are not just happening in the Air Force. The Army released a new strategy for the contracting enterprise that is focused on training its contracting officers and program managers.

Weirick said one of the big improvements is using virtual reality to speed up the education process of contracting officers to become experts.

“Is there a way, like we do flight simulation, which is at least as complex as contracting, to simulate the entire process with some artificial intelligence and imagine all different outcomes to give them experience,” she said. “It’s very early in that discussion. But we see that as a great future.”

She said automation particularly around things like compliance requirements and pricing determinations also will play a big role in the future.

Weirick said the Army also is asking for exceptions to the Competition in Contracting Act (CICA) and to the AbilityOne program.

She said the CICA exception would be a pilot through category management where the Army would demonstrate savings when buying commercial items.

The AbilityOne competition exception would let the Army buy certain items from other sources that they deem less expensive, but continue to support companies that hire workers who are disabled.

“We’ve asked for and have received that and are piloting two in the Army. I’m leading a subcommittee to expand that across the federal government. We are really excited about that too,” Weirick said.

What the Army and Air Force, and for that matter several other agencies, are demonstrating is the acquisition system doesn’t have to be , as Roper called it, intransigent and inflexible. It just takes leaders who are willing to get out in front on a consistent and constant basis and promote real and perceived innovation to change the culture.


Policy winners and losers in the Defense authorization bill

A lot of the focus on the annual Defense authorization is about the funding levels and policy changes for the Pentagon.

But as anyone who has been in the federal market for at least a year knows, the National Defense Authorization Act is a catch all for legislation and provisions that matter to all agencies. These range from cybersecurity to acquisition to management. Congress passed the 2021 NDAA conference report Dec. 3.

With so many to choose from, here are 10 policy changes that passed and six that failed to make the cut that are among the most interesting and/or significant.

Let’s start off with those that failed because they have some of the more interesting backstories and surprises.

FedRAMP Authorization Act

The House passed the bill as a standalone in February. It passed again as part of its version of the NDAA in July. Among the things the legislation would do is codify the cloud security program known as the Federal Risk Authorization Management Program (FedRAMP) and would require agencies to provide a “presumption of adequacy” to vendors that are already FedRAMP-certified from other agencies.

But for whatever reason in conference, the Senate, which didn’t act on the bill for 10 months, won out.

One industry source said the blame falls squarely on Sen. Ron Johnson (R-Wis.), the chairman of the Homeland Security and Governmental Affairs Committee.

“His objection as far as I know is that the committee never considered the legislation. But they had ample time to consider it, so that tells me he didn’t really care about it or didn’t want it,” said the source, who requested anonymity in order to speak about these discussions. “I think many of us are looking forward to Johnson leaving as chairman of HSGAC. We hope the next chairman is more receptive to the bill.”

An email to Johnson’s press office seeking comment was not immediately returned.

Rep. Gerry Connolly (D-Va.) has been pushing the FedRAMP bill for more than three years, getting it through the House twice before this 11th hour decision to spike it by the conferees.

“About six weeks or so ago, Johnson objected to the bill based on process because his committee hadn’t held hearings or voted on the bill. Basically the conferees gave Johnson the veto power to have it struck and he did,” the source said. “Connolly’s folks pushed hard to get it done, even raising it to the full committee and pushed hard to get it to the chairmen and ranking members to discuss. At the end of the day, the conferees decided to take Sen. Johnson’s objection and it was enough to pull the provision.”

Cyber provisions left out

Two interesting cyber provisions also were cut from the final NDAA.

The House wanted to create a cyber threat collaboration environment among DoD, the intelligence community and the Department of Homeland Security. The goal would’ve been to “develop an information collaboration environment that enables entities to identify, mitigate and prevent malicious cyber activity. The collaboration environment would provide limited access to appropriate operationally relevant data about cybersecurity risks and cybersecurity threats, including malware forensics and data from network sensor programs, on a platform that enables query and analysis.”

It also wanted to establish an Office of Cyber Engagement of the Department of Veterans Affairs.

This new office would’ve addressed “cyber risks to veterans, share information about such risks and coordinate with other federal agencies.”

It’s unclear in both cases why the Senate won out, but neither effort seems outrageous.

Some may say the cyber collaboration environment already exists within the Cyber Threat Intelligence Integration Center (CTTIC) so why establish another one?

Feds can still use TikTok

Mayne senators are big fans of TikTok? What other reason could there be that the upper chamber wouldn’t support the banning of federal employees downloading the controversial app on their government-furnished cell phones?

The House bill included a prohibition of the video streaming application, but for reasons unknown the Senate took it out.

In August, President Donald Trump issued an executive order highlighting concerns about TikTok and its ability to capture data of users. Six weeks later, the Commerce Department issued implementation regulations of that EO. It’s possible lawmakers thought codifying the banning of an app was too hard to overturn should an American or allied-nation company buy the video streaming app.

Keep regulations complicated

What seems like a logical provision to make it easier for the general public — i.e. non-lawyers or lobbyists — to understand federal regulations hit the cutting room floor.

This time it was the Senate that included a requirement to post a 100-word summary of proposed rules to Regulations.gov. The House version of the NDAA didn’t include the provision and the Senate relented on it.

It’s unclear, once again, why someone objected to this common sense provision that wouldn’t cost anything.

Maybe some thought it would be redundant to the Plain Writing Act of 2010, which required agencies to simplify how they write federal regulations and train employees to write in a more clear and concise manner.

Less documents for DHS acquisitions

The Senate decided the Homeland Security Department provided enough document for large-scale acquisition programs and removed the House’s provision seeking to provide more details of major acquisition initiatives.

The provision would’ve required everything from lifecycle cost estimates to cost-benefit analysis to acquisition plans outlining the procurement approach and acquisition vehicles.

The House has been pushing for DHS acquisition reform for some time, including passing Rep. Dan Crenshaw’s (R-Texas) DHS Acquisition Reform Act of 2019 in February. However, this was a bill that the Senate Homeland Security and Governmental Affairs Committee didn’t act on.

Here are 10 provisions that made it into the 2021 NDAA that impact all agencies and contractors.

Small business contracting changes

There are several provisions that attempt to improve the procurement environment for small businesses. Here are a few that will have a big impact.

Even before the Government Accountability Office found in a recent report that the category management initiative is impacting small firms, Congress has been concerned for years.

The NDAA included a provision requiring training of contracting officers and others in the acquisition community on best practices for buying goods and services from small firms and ways to avoid conflicts with the requirements of the Small Business Act.

GAO found in late November that while small businesses received 30% of the spending under category management, the number of these companies winning contracts decreased between 2016 and 2019. Auditors say small firms are concerned about scalability, contract terms and the focus on using “best-in-class” contracts.

And it seems like GAO identified the need for training.

“Agencies’ Office of Small and Disadvantage Business Utilization (OSDBU) personnel play an important role in supporting their category management efforts and are their agencies’ primary interface with small businesses. However, during interviews with OSDBU personnel, we found that these officials had varying levels of familiarity with specific details about the category management initiative,” GAO wrote. “For example, some OSDBU personnel misunderstood OMB’s guidance for using BIC contracts and believed the guidance mandated agencies to use them. OMB’s overarching guidance states that the size of the BIC goal is designed to give agencies flexibility to use other governmentwide, agencywide, and local agency contracts that reflect category management principles.”

Lawmakers also officially transferred oversight of the service-disabled veteran-owned small business certification requirements to the Small Business Administration from the Department of Veterans Affairs. The NDAA requires this transfer to happen within two years.

GAO found problems with the VA-led certification process  as far back as 2009.

Congress continues to give joint ventures of small businesses more power. In Section 868 of the NDAA, lawmakers said agencies should consider the past performance of these efforts as first tier subcontractors.

The move to use first tier subcontractor experience has long been a goal of small business advocacy groups. This seems like a first step in an important change.

Cybersecurity everywhere

There were almost 500 mentions of cybersecurity in the conference report, including an entire section dedicated with 50 provisions.

These are the seven that impact agencies other than, or in addition to, DoD:

The bill sets new experience requirements for the director of DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and limit the person to two five-year terms. The final bill doesn’t include the term limits

The Senate provision to modify the National Institute of Standards and Technology to include the identification and development of standards and guidelines for improving the cybersecurity workforce of an agency made it into the bill.

The House provision giving CISA more authority to “conduct threat hunting on federal information systems,” and for the agency to “provide services, information technology and sensors to other federal agencies upon request” also survived the conference committee.

Similarly, the requirement for CISA to establish a joint cyber planning office “to develop plans for the cyber defense of private and public sector entities,” the authority to issue administrative subpoenas and establish an advisory committee all were included in the NDAA.

One other significant CISA provision will require the director to review the agency’s ability to carry out its mission and implement certain recommendations of the U.S. Cyberspace Solarium Commission Report.

Two other non-CISA related provisions that are important.

One would require the Office of the Director of National Intelligence to work with the departments of State, Defense and other agencies to establish a social media data and threat analysis center and submit a report to Congress.

The report would focus “on foreign influence campaigns targeting United States federal elections and would be due by March 1.

Finally, the NDAA reestablishes a National Cybersecurity Director in the White House.

“The Office of the Director would have a range of responsibilities, including serving as the principal advisor to the president on cybersecurity matters, leading the development and implementation of cyber strategy, and coordinating major cyber incident response efforts across the federal government,” the provision states.


OMB sets new CDM data standards deadline for agencies

As with any discussion about cybersecurity, let’s start with the good news.

The Office of Management and Budget continues to live up to its promise to keep new requirements under the Federal Information Security Management Act (FISMA) at a minimum to ensure consistent measurement from year-to-year.

The latest memo from OMB Director Russ Vought outlining requirements for fiscal 2021 is exactly the same as the 2019-2020 memo except for a section about the continuous diagnostics and mitigation (CDM) program.

“At a minimum, Chief Financial Officer (CFO) Act agencies must update their CIO metrics quarterly and non-CFO Act agencies must update their CIO metrics on a semiannual basis,” Vought wrote. “Reflecting the administration’s shift from compliance to risk management, as well as the guidance and requirements outlined in OMB Memorandum M-19-03, Strengthening the Cybersecurity o(Federal Agencies by Enhancing the High Value Asset Program, and Binding Operational Directive 18-02, Securing High Value Assets, CIO metrics are not limited to assessments and capabilities within National Institute of Standards and Technology (NIST) security baselines, and agency responses should reflect actual implementation levels. Although FISMA requires an annual IG assessment, OMB strongly encourages CIOs and IGs to discuss the status of information security programs throughout the year.”

While OMB is pushing agencies to continue to take a risk-based approach to cybersecurity, it set a new deadline under the CDM program—the one “major” change to this year’s FISMA guidance.

By the end of fiscal 2021, agencies must certify to OMB and the Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security that they have implemented the CDM Program Data Quality Management Plan (DQMP) and can be “fully able to exchange timely data to the federal dashboard.”

“CFO Act agencies unable to meet this target date must provide a written justification to both OMB and CISA,” the memo states. “Additionally, the CDM program management office and participating non-CFO Act agencies will work together to ensure that all participating non-CFO Act agencies establish information exchange between their respective dashboards and the federal dashboard by the end of the end of [fiscal 2021].”

Kevin Cox, the CDM program manager at CISA, said during an event in June that the CDM data management team defined “enhanced data requirements, including completeness, accuracy, and timelines for CDM solutions.”

Source: CISA June 2020

Cox said at the event CISA gave agencies and system integrators the data quality plan earlier this year that details the data management team’s findings and it includes a “CDM Data Certification Rubric which uses a combination of quantitative and qualitative criteria to certify summary data.”

As of June, Cox said 69 non-CFO Act agencies were participating in CDM and 52% of those had already started exchanging data with the federal dashboard, and another 23% were in deployment or pre-deployment. All CFO Act agencies already have implemented the dashboard.

OMB and CISA are rolling out the new agency and federal dashboard throughout 2021 under a $276 million contract with ECS awarded in May 2019. CISA is piloting the new dashboard with 15 agencies in 2020 and then will expand to the rest of the large agencies throughout 2021.

“CDM brings a couple of things to the table. It provides tools to collect the data necessary to have full situational awareness, telling agencies who and what are in their networks. The second is having that capability to collect and identify that data, and then being able to put it on your agency dashboard so you can operationalize the data and take appropriate actions. The third is it gives OMB and DHS oversight of program and the ability to do an enterprisewide risk assessment of the government,” said Grant Schneider, the former federal chief information security officer and now a senior director of cybersecurity services at Venable. “Those tools, taken together, have been providing value at the tactical level.”

Schneider said as agencies implement the data quality plan, OMB and CISA will add clarity to what types of data are shared with the federal dashboard.

“Some agencies have concerns about how their data will be shared and how it will be used, especially in an oversight or budget way,” he said. “The data quality plan will add some transparency about what the data elements look like and ideally it will lay out the use cases on how DHS and OMB will leverage the data.”

The consistency and standardization piece is huge for agencies, OMB and CISA as part of the broader cybersecurity effort.

Erik Floden, director of federal civilian government at Forescout Technologies, said the data quality plan can help make up for those agencies that continue to struggle with asset management.

“Some of the agencies are using capabilities that are not able to detect all of the assets on their networks. Those agencies’ data are, therefore, not baselined correctly because the data does not necessarily reflect their true IT environments,” Floden said. “The CDM Technical Capabilities Requirements Catalog stipulates that for the purposes of CDM reporting, all Internet Protocol (IP) addressable devices are in scope. Some agencies’ CDM architectures allow them to report complete data, but many are unable to do so. If agencies are not reporting complete data, this seriously impedes the ability of the agencies and CISA to make the risk-based decisions that they are supposed to.”

Schneider added OMB and CISA have been striving for consistency across the CDM program since it really began. He said the FISMA guidance re-emphasizes the need to measure progress and create trend lines over time.

“This is important for OMB and CISA to perform oversight of agencies’ cyber programs and the ability to perform the enterprise risk assessment across government,” he said.

Source: CISA June 2020

The other reason for making the data standards part of the FISMA guidance is CISA realized standardizing across tools was too difficult, but data shouldn’t be.

Floden said the wide assortment of tools impacts the quality of the data sent to the dashboard.

“For example, many agencies deployed particular tools that helped them discover an average of 75% more devices connected to their networks than previously known. Other agencies tried to accomplish asset discovery and identification utilizing existing tools or other alternatives that, frankly, do not allow them to discover all of the devices connecting to their networks,” he said. “Agencies that are unable to identify such a large percentage of devices that are on their networks firstly face serious cyber risk, and, secondly, will necessarily lack confidence that their reporting reflects their true IT environments. CDM was designed to give federal agencies flexibility in how they meet CDM requirements, however, they may have been given too much license to select tools or stay with existing tools that, in aggregate across the federal enterprise, do not really meet the overall needs or objectives of CDM.”

The priorities for CDM like the data quality plan continue to gain support from Congress.

The Senate Appropriations Committee allocated $325 million for CDM next year, which is $44 million more than the administration requested and $43.6 million more than in 2020.

“Due to a significant increase in malicious cyber attacks against Federal agencies, including Department of Health and Human Services’ computer networks in fiscal year 2020, the committee recommends $40 million above the amount requested to strengthen the resiliency of federal networks to malicious cyber events,” the explanatory report states about the increase in procurement funding.

The Senate also increased the operational support budget by $4 million for 2021.

This is $40 million more than the House version of the bill as well.

“CISA can do more to assist agencies in using CDM tools. CISA is encouraged to ensure agencies have the training and information necessary to fully leverage their CDM capabilities, to include guidance on best practices, sample architectures, and downloadable security policy sets,” the House report states.


Chilbert to be CIO at CFPB, Sritapan moves to DHS cyber shared services office

Even before agencies face the expected huge turnover in political appointees in January, the chairs across the federal technology and acquisition communities continue to shuffle.

Two long-time acquisition executives moved on and two technology leaders have new jobs, and one other decided to call it a career.

Here are some of the people on the move over the last few weeks across the federal community.

Chris Chilbert, the chief information officer for the Office of Inspector General in the Department of Health and Human Services, is leaving to be the new lead technology executive at the Consumer Finance Protection Bureau (CFPB).

Chris Chilbert will become the new CIO at the Consumer Financial Protection Bureau.

Chilbert replaces Donna Roy, who became the agency’s chief operating officer in July after serving nine months as its CIO.

“After five years at HHS OIG, I have accepted a position as CIO of another agency — it was a hard decision to leave, but I’m excited about the new opportunity. This announcement is for my current position. HHS OIG is a fantastic place to work, and there is a great team in place. I have tremendous respect for the work of HHS OIG and would highly recommend anyone looking for a federal CIO job consider applying,” Chilbert wrote on LinkedIn announcing his new position.

He joins the CFPB after spending the last five years as the CIO for the IG office. During his tenure at the HHS OIG CIO, Chilbert focused on improving network performance and moving applications to the cloud.

Chilbert, who also worked at the Department of Homeland Security and in the private sector upon leaving the Navy after eight years of service, said the focus on network upgrades became more important during the pandemic.

“We did make some additional investments during the pandemic to increase our VPN capacity to ensure that we had the capacity to operate remotely for an extended period. Because our approach was part of a deliberate strategy, the changes are sustainable, and we will continue to look for ways to improve,” he said as part of a recent Federal News Network survey of agency CIOs.

As the new CIO of CFPB, Chilbert will be, what the agency called in its job posting, “a hybrid of a traditional CIO, providing services that support the bureau’s operations, and a CTO, responsible for the technology that amplifies the mission effectiveness of the CFPB.”

CFPB said in its fiscal 2020 performance plan that in 2021, “the bureau will continue to invest resources to maintain a robust cybersecurity program to safeguard the bureau’s information and systems. The bureau will make significant investments in information technology (IT) as it continues to implement its vision and strategy to modernize its IT systems and services, which includes migrating to cloud native applications and leveraging cloud technology infrastructure and services. This modernization will provide the bureau with the flexibility, scalability, and on-demand capacity that is necessary to support an agile and expanding IT environment. The bureau will also increase design and software development as well as portfolio management support services as it implements its long-term IT vision and strategy. During this implementation, the bureau will begin employing elements of the Technology Business Management (TBM) framework to increase transparency with respect to the Bureau’s IT costs and investments.”

CISA gets some mobility expertise

In another executive move, Vincent Sritapan is taking his cybersecurity skills to the new Quality Service Management Office (QSMO) run by the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security.

Sritapan comes to the QSMO from the DHS Science and Technology Directorate where he led the effort to secure mobile devices for the last six years. He worked at S&T for nine years in all.

Vincent Sritapan has taken a new position with the CISA Quality Services Management Office (QSMO).

He announced the new position on LinkedIn.

Sritapan, who will be a QSMO section chief, likely will continue his work on mobile device security by helping on initiatives around managing emerging risks and developing services.

He also will continue to help lead the cross-agency Federal Mobility Group.

During his time at DHS S&T, Sritapan led a host of efforts to address challenges with securing mobile devices. One of his most recent efforts is reviewing agency mobile infrastructure under the government cybersecurity architecture review (GovCAR) initiative.

“We are looking at things like leveraging the National Information Assurance Protection (NIAP) protection profiles, and talking about picking a device that has been trusted and secured,” he said in 2019. “We have rechartered and renamed the federal mobility services category management team and mobile security tiger team to be one federal mobility group. It includes 45 agencies and departments to help move us all toward a better security posture.”

While Chilbert and Sritapan found new jobs, two long time technology executives decided to call it a career.

Mark Munsell, the chief technology officer at the National Geospatial-Intelligence Agency, retired on Nov. 9.

Lester Diamond, an assistant commissioner at the Social Security Administration, retired on Nov. 6 after 22 years in government.

“There have been plenty of challenges, but the mission is strong, and my colleagues have been outstanding. I’ve always enjoyed the people I worked with. I think we’ve done some good work. In some things, we’ve been among the best,” Diamond wrote on LinkedIn. “I don’t have many specific plans for retirement. I want to travel, when I can. And I’d like to consult some, perhaps. I used to be an expert. I may have some of that in me still.”

While many people may not recognize Diamond’s name, though he did spend six years at the Government Accountability Office auditing agency technology efforts, he was one of the first people I met as a reporter who helped me understand federal technology issues. He was always thoughtful, patient and responsive — all good things for new reporters.

During his almost 16 years at SSA, Diamond worked on IT governance and architecture projects before moving into the financial management support area over the last three years.

NGA CTO retires

Munsell, who also served as the agency’s CIO and IT services deputy director, joined NGA’s predecessor agency, the Defense Mapping Agency, in 1996, where he led the update of the agency’s aeronautical production systems.

Mark Munsell , the CTO of the National Geospatial-Intelligence Agency, retired after 20 years in government.

He also worked in many senior positions across NGA operations, including a deployment to Iraq in 2008.

Prior to taking a post at NGA, he worked for the National Oceanic and Atmospheric Administration and spent some time as a government contractor, and later founded the Internet Marine and Aviation Planning Services in 2000 to offer flight and maritime planning services to individuals, industry and government.

Before retiring, Munsell finalized NGA’s technology focus areas and technology strategy for 2021, which are designed to solve some of NGA’s mission areas’ most pressing challenges.

“We have the technology strategy that focuses on the processes and how we’d like to change. While the tech focus areas focuses on the actual what we are looking for, the technology strategy focuses on how we’d like to act, how we’d like to behave and the processes we’d like to change,” he said earlier this summer.

As the CTO, Munsell focused on transforming and modernizing NGA’s technology to better serve mission partners, and oversaw and streamlined information technology capabilities and services.

Procurement executives moving on

Two other changes of note, but these are from the acquisition community.

Monica Manning, NASA’s chief procurement officer, joined the Federal Reserve on Nov. 9 after 17 years at the space agency.

Monica Manning left NASA after 17 years to join the Federal Reserve. Photo Credit: (NASA/Bill Ingalls)

“Monica set the Office of Procurement’s vision and priorities resulting in transformative, innovative and diverse procurement strategies which translated to approximately $19.5 billion in obligations and 36,000 contract actions in support the agency’s Mission. She has been recognized as an outstanding leader and her contributions led to NASA ranked the highest in the quality of support and solutions received for contracting functions across the 24 CFO Act agencies, in the 2019 Mission-Support Customer Satisfaction Survey administered to all Federal employees. Monica’s contributions on the Agency Executive COVID-19 team and the Unity Campaign’s diversity and inclusion incentive will leave an indelible mark on the agency,” wrote Bob Gibbs, the Mission Support Director Associate Administrator, in an email to staff obtained by Federal News Network. “I thank Monica for her exceptional service to NASA. Leaders who embrace change, accept challenge, and take care of their people all at once are a rare commodity. I count Monica among those exceptional leaders who leaned-in and rose to every challenge in front of her.”

Gibbs said Bill Roets, the deputy assistant administrator for procurement, will serve as the acting assistant administrator for procurement, until NASA names a permanent replacement. Roets has worked at NASA since January 2008.

Finally, Mauricio Vera, the director of the Office of Small Disadvantaged Business Utilization (OSDBU) at the U.S. Agency for International Development retired on Nov. 6 after 30 years in government.

“I did my absolute best to support small business interests every day for these 30 years. At USAID, I led an amazing OSDBU team that achieved an unparalleled record of success: we increased our contract dollar awards and percentages to small businesses every single year for the past 12 years. Our total small business dollar awards increased by tenfold during that time. Over the past five years, we shifted our focus primarily to USAID’s overseas missions and our efforts resulted in a tripling of small business dollars awarded overseas, without the benefit of FAR Part 19 which does not apply to those acquisitions,” Vera wrote on LinkedIn. “I am honored and humbled by all of the congratulatory messages and notes of gratitude I received from many of you! I’m taking a couple of months off to reconnect with family over the holidays and then plan to re-engage next year fully energized in another capacity. I look forward to connecting with many of you in that new role!”

He led USAID’s small business office for 13 years, spent seven years at the Nuclear Regulatory Commission managing small business programs and eight years with the Smithsonian Institution where he led the supplier diversity program.


Exclusive

Special Report: Benefits of Technology Modernization Fund validated

The Technology Modernization Fund is achieving the goals set out back in 2016 when the Obama administration first proposed the concept of a revolving fund.

New data collected by Federal News Network demonstrates that the six agencies that took loans are moving faster to modernize legacy systems and — hold on to your hats — paying back the loan to the TMF Board.

“The TMF is meeting the spirit and the intent of the law,” said Alan Thomas, the former commissioner of the Federal Acquisition Service at the General Services Administration and a member of the TMF Board, in an interview with Federal News Network. “We got the processes and infrastructure in place and demonstrated some results. It’s in a stronger place today to argue why putting $1 billion in the TMF makes sense. There was a bunch of different directions it could’ve taken, but it turned out pretty well and continues to move in the right direction. It has a solid foundation.”

Thomas, who now is the chief operating officer at IntelliBridge, said the TMF is through the crawl-and-walk stages of development and is ready to run.

Thomas and other observers said the success of the TMF model show it’s more than just throwing more money after a problem, but the oversight by the board and accountability in the agency are major drivers of success.

More than 50 projects totaling more than $550 million in requests were awarded 10 loans from seven agencies, as of September. Each project must produce a “playbook” at the conclusion on their modernization effort, encompassing the perspectives and lessons learned. When an agency repays Technology Modernization Fund loans, the funds are returned to the TMF program to be made available for reinvestment in efforts as approved by the board.

The program was awarded $5 million in 2018 but borrowed only $500,000 in February 2019. It is complete, and the first and final loan repayment was for $515,000 in September.

The TMF Board awarded $4 million in 2018. Project analysis and proof of concept are complete, and now a formal determination on next steps is being made. The first loan repayment was for $103,000 in August 2019, and the second was for $1.03 million in August.

The project was awarded $8 million in 2019 and received $7 million to date. It is on track for completion in fiscal 2022, and its first loan repayment for $515,000 is expected in August 2021.

A $4 million loan was awarded in 2019 and the program received the first $2 million in January. The first phase is half-way through, and loan repayment begins in fiscal 2021. If EEOC earns the second $2 million tranche, repayment will end in fiscal 2026.

The initial award for $15 million, made in 2018, was lowered to $3.7 million when the project scope changed in 2020. DOE received $3.3 million and awarded initial contract actions to begin to migrate 18,560 mailboxes to the cloud.

The project received $9.8 million in 2018 and about $4 million of the loan has been repaid. It will modernize 11 applications and create a playbook. Three of the efforts finished in 2019, and the other eight are planned to finish before the end of fiscal 2021.

The project was awarded $16.9 million in 2019 and the first repayment of $500,000 was made in 2020. GSA has an annual schedule of payments through fiscal 2024. TMF funding is supporting technical design and development of the software-as-a-service capabilities.

HUD received $13.8 million in 2018 to migrate five critical business systems from an on-premise mainframe database to the cloud; $2.06 million is repaid. The housing systems’ code and databases are in testing. Applications go live into production in Q3 of FY 2021.

The project was awarded $3.5 million in 2018. A Data Hub to enable sharing user information and case data across multiple government systems was implemented. Loan repayment began June 25 and is expected to complete in fiscal 2025.

Matthew Cornelius, executive director of the Alliance for Digital Innovation, an industry association, and the first TMF project lead for the Office of Management and Budget, said the fund’s success is really all about the process. He said OMB set up a diverse team of experts and created the program management office at GSA to help agencies on a regular basis.

“There has been and is tremendous talent on the board. They all contribute valuable insights, and are prepared and thoughtful. The board is interested in what they funded and they take a serious interest in the health and welfare of the projects. They are serious about receiving regular updates from the teams and dealing with issues that pop up,” he said. “This has been one most incredibly successful programs that came out of this administration. Even with all constraints around limited funding and all the visibility from the press, the process has worked. There is a tremendous amount of promise going forward.”

Observers said the initial $100 million Congress allocated in fiscal 2018 and $25 million in both 2019 and 2020 for a total of $150 million over the last three years was, in the end, a good approach to ensure the board had the right governance and processes in place.

But now with the TMF’s success, experts said the appropriators should get on board with the suggestions by House and Senate lawmakers to add at least $1 billion to the program.

Kelly Morrison, the director of digital transformation and management at Grant Thornton Public Sector and a former performance analyst in OMB’s Office of the Federal CIO, said the TMF-funded projects to date have demonstrated that the concept makes sense and more funding is what is needed so that the program can really work as conceived, which was with a large amount of money that could drive modernization across all agencies at a grander scale.

The projects that received TMF loans also demonstrated that a quick infusion of funding focused on specific outcomes is an approach that should be emulated.

Mike Hettinger, a former Hill staff member and now managing principal of Hettinger Strategy Group, said agencies have shown time and again that if you can define parameters for the project and make incremental progress with a specific amount of money, reaching a successful outcome is more likely. He said over the past few years the TMF has made it clearer that the “big bang” funding approach doesn’t work and it may even harm agency efforts to modernize.

Cornelius added another benefit of the TMF, in some cases, is agencies used the application process to obtain OMB’s “stamp of approval” to get traction internally.

“The TMF helped CIOs who wanted to do some of this stuff but, for whatever reason, the ideas never made it through their own internal budget processes,” he said. “If they got $1 billion, OMB and GSA could survey the landscape to see longer-term projects. OMB is seeing these opportunities already across the government because of the response to COVID. OMB could target those investments to make enterprisewide investments.”

Payback model improvements

While the agencies receiving loans in the first two years paid back a least $8.4 million out of the $64.3 million obligated in 2018 and 2019, many experts agree the pay back model is the one area where the TMF could improve.

“I think agencies don’t want to participate as readily because of the strings that come with it, with the pay back requirement,” Hettinger said. “Identifying savings is difficult to do. There will be some agencies that took this money and didn’t save anything, but have improved operations and modernized system or applications. In order to make it work and get people to jump on it, I think they have to come up with a simpler process to pay it back. Maybe that means there is no process to pay it back. It could just be a pot of money for IT modernization that agencies apply for and must demonstrate results. It’s more like a venture fund that is used to accelerate IT modernization projects.”

ADI’s Cornelius added initially the way to get Congress on board with the TMF was to make it a revolving fund. But now with the spending caps no longer a big worry and the success of both the current TMF projects and IT modernization more broadly during the coronavirus pandemic, loosening up the payback model may make sense.

“If it got rid of the payback model and made it more focused on enterprisewide projects, they may see better outcomes,” he said. “By doing that, it gets OMB and GSA more credence to go back to Congress and explain the other projects or problems that need to be addressed and how much it will cost. It becomes more about the normal appropriations versus the cat and mouse game that’s currently happening in funding the TMF.”

Next step: Enterprisewide projects

Intellibridge’s Thomas said the payback model is important but it’s not the only metric that shows these projects are successful.

“There is benefit for an agency that may not be saving money but creating a positive benefit so how do you reflect that?” he said. “That is why giving agencies some additional flexibility, maybe something like avoiding costs or reducing time for citizens. The board decided to be more stringent on the payback because there was a lot of scrutiny and visibility. We didn’t want to be accused of ‘funny math’ because that’s how the program could get hurt.”

Grant Thornton’s Morrison said investing in governmentwide or multi-agency projects rather than agency specific projects may make sense going forward for the TMF.

“Yes, they will require greater investment and the impact and benefit will be so much greater than the value and impact achieved to date,” she said. “Additionally sharing successes around the projects themselves so that other agencies working on similar modernization initiatives can potentially apply successes to their projects or even leverage the solution to scale across other agencies. Also sharing successful TMF funding requests — why they are selected.”

It’s clear the TMF brings real change to those agencies that use it. OMB now needs to do more to share these success stories as a way to convince the appropriators to open their wallets. While $1 billion may seem like a huge amount, providing the board with $500 million to further prove the value of the program would be the next logical step to get more agencies much needed help to accelerate projects.


« Older Entries

Newer Entries »

Sign up for breaking news alerts