Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


GSA, FCC execs lose ‘interim’ titles

Christina Calvosa, Judith Zawatsky and Tricia Sieveke all received similar news last week.

All three federal executives no longer have “acting” or “interim” before their titles.


Calvosa is now the permanent chief information officer of the Federal Communications Commission after serving as the acting CIO since August 2017. FCC Chairman Ajit Pai announced the change on Feb. 1.

“The FCC’s aggressive agenda requires an expert and agile information technology team. That team needs a leader with deep expertise in all aspects of IT development, deployment and information security,” Pai said in a release. “This is especially important because Congress last year enhanced the responsibilities of the FCC’s CIO — responsibilities the FCC recently codified in our rules. Ms. Calvosa is an ideal choice for this role.”

While acting CIO, Calvosa oversaw the information technology for the 28 GHz auction and led implementation of the FCC’s updated and modernized National Broadband Map.

“In short, Ms. Calvosa has demonstrated the ability to deliver on this agency’s complex information technology requirements,” the statement said.

Over at the General Services Administration, Zawatsky and Sieveke received permanent roles with the Federal Acquisition Service.

Zawatsky joined the Senior Executive Service and will serve as the assistant commissioner for the Office of Systems Management. Sieveke will become the permanent FAS chief of staff.

FAS Commissioner Alan Thomas said in an email to staff that Zawatsky, who has served as acting assistant commissioner since David Zvenyach left the role in May, has improved governance and oversight of FAS systems while serving in an acting capacity.

Previously, Zawatsky served as FAS chief of staff and has spent 18 years in industry. Sieveke took over from Zawatsky in May and as the permanent chief of staff will help drive FAS strategic priorities including the federal marketplace, said Thomas.

Sieveke brings more than 20 years of experience across GSA, serving in operational and staff roles at both the regional and headquarters levels and most recently as the senior adviser to the assistant commissioner for travel, transportation and logistics.

As permanent assistant commissioner, Zawatsky has an important opportunity to make real progress in fixing FAS systems. Thomas said last fall that its internal systems such as E-Buy, GSA Advantage, the FSS 19 and many others that make up their core business systems are expensive to maintain and not customer friendly.

At the same time, Zawatsky will oversee the modernization of governmentwide databases like the System for Award Management (SAM.gov) and about nine others that have been slow to improve over the last decade.



GSA releases new IT modernization RFI in post-shutdown procurement deluge


The General Services Administration released two precursors to major acquisitions last week with the release of the draft solicitation for the $8 billion back-office cloud procurement and a request for information to expand the Centers of Excellence initiative.

Customs and Border Protection, U.S. Citizenship and Immigration Services, Immigration and Customs Enforcement, and GSA launched a major cloud and IT modernization effort by announcing an industry day on Feb. 26 in Washington, D.C.

And the Office of Personnel Management is exploring how to create a central portal for the Federal Employee Health Benefits Program.

These are just a few of the more than 4,700 requests for proposals, RFIs and awards released on FedBizOpps.gov in the week after the partial government shutdown ended, opening up the acquisition floodgates.

By comparison, the last week of January in 2018 and 2017 saw seven to eight times fewer RFPs, RFIs and awards — 689 in 2018 and 528 in 2017 — than last week.

So even with 75 percent of the government still open for business during the 35-day funding lapse, every agency had pent up demand to move out with an assortment of procurement actions.

The Defense Logistics Agency alone released more than 700 solicitations last week for everything from nonchargeable batteries to liquid nitrogen and liquid oxygen to grenade launcher barrels, according to research by U.S. Federal Contractor Registration, a third party that helps contractors register to do business with the government.

Kevin Plexico, senior vice president for information solutions at Deltek, said the volume of FedBizOpps notices posted during the shutdown by agencies that were impacted was about 19 per day.

“In the four full days since the shutdown ended, the pace has picked up to nearly 100 per day,” he said. “In terms of solicitations, DHS has been the most active. They posted 64 solicitations during the entire 35 day shutdown. They’ve posted 63 in the four days since reopening — a rate of 16 solicitations per day.”

The departments of Agriculture, Interior and Justice also have been playing catch up, posting 3-to-4 RFPs per day over the last week.


Among all the procurement actions that came out this week, GSA released two that many in the federal IT community are watching closely.

The first was an RFI released on e-Buy for the Centers of Excellence IT modernization initiative for a new blanket purchase agreement so every agency can take advantage of phase 1 services.

“The desired outcome of the Discovery BPA is to emphasize repeatability and scalability. We want to give every agency that works with CoEs access to private sector partners who can provide the expertise and technological know-how to successfully implement IT modernization agencywide,” said Bob De Luca, executive director of CoE, in a statement on Github. “It will also serve to reduce the total cost associated with the CoE efforts, allowing agencies to allocate more of their budget towards deliverables rather than on administrative procurement work.”

As an aside — and let me get on my soapbox for a second — while GSA was smart in issuing some of these details of the RFI on a public Github site, obtaining a copy of the actual RFI was way too difficult. In fact, several Federal Acquisition Service executives I talked to in contracting didn’t have access to the RFI under eBuy. There was no reason for GSA not to release the RFI publicly on FedBizOpps or through the Github site. The lack of transparency, once again, is bewildering.

The best line of the Github listing: “Interested vendors can view the RFI on eBuy by searching RFQID number RFQ1347115 with a title of ‘Center of Excellence Discovery,’” that is unless you aren’t on eBuy and then you can’t see it. So much for attracting new or non-traditional vendors.

Back to the details of the RFI, under phase 1 of the CoE, agencies work with a vendor to identify modernization priorities across seven task areas. GSA added information security and workforce reskilling and transformation to the existing five of cloud adoption, IT infrastructure optimization, contact center, customer experience and data analytics.

“This blanket purchase agreement is intended to account for each future partner CoE agency by offering a means of initial and continuous discovery work, by center need, considering the various different factors, influences, and context that applies to each agency’s organizational transformation needs,” the RFI states. “The contractor shall provide discovery and assessment support to lay the foundation for successful implementations of modernized shared services across the (agency).”

GSA is seeking industry input on how they would provide assessment services. Comments on the RFI are due Feb. 8th.

Draft DEOS RFP open for comment

The other big procurement is the draft RFP for the $8 billion Defense Enterprise Office Solutions (DEOS) procurement.

GSA, and its partner the Defense Information Systems Agency, said the procurement will be a single award, firm fixed price BPA “with a contractor who will provide a widely used/widely available, and non-developmental and fully integrated collaboration solution.”

The BPA will have a five-year base with two two-year options and one one-year option for a total of 10 years.

“The 10-year period of performance will provide the department with the flexibility to transition users based on user demand, migration schedules and legacy contracts or service end-of-life terms,” the draft RFP states. “For the Non-classified Internet Protocol Router Network (NIPRNet) and Secret IP Router Network (SIPRNet) implementations in United States territories and possessions, the government expects to leverage DoD approved commercially hosted facilities to meet the DEOS requirements. However, due to DoD data sovereignty requirements, the contractor must implement their NIPRNet and SIPRNet cloud service offerings within DoD data centers (e.g., Stuttgart, Wiesbaden, Capodichino) for locations outside of the United States territories and possessions. For locations outside of the United States territories and possessions, the contractor must provide a standalone environment within a DoD data center. The solution must be self-contained and must include the required infrastructure, hardware, software and auxiliary components required to implement, manage and maintain the CSO environment within the DoD data center.”

DISA said in the draft RFP that DEOS eventually will serve as many as 3.15 million users and more than 4 million directory objects.

Comments on the draft RFP are due Feb. 15.

OPM, CBP, ICE issue notices

Two other interesting procurement actions worth noting are from OPM, and from CBP, ICE, USCIS and GSA.

OPM released an RFI looking for a cloud system to host a central enrollment program that is a one-stop-shop within an account-based portal where enrollees can compare and learn about FEHB plan options, including benefits, cost-sharing, and total out-of-pocket expenses, select a plan that fits the unique needs of their family and complete the enrollment process, all with customer service assistance.

“The CEP will include a web-based portal for self-service enrollment transactions, robust decision support tools and a customer support center to assist enrollees via phone, email or online chat,” the RFI states. “The CEP user experience will be supported by a data warehouse, enrollment transaction processing, and ongoing reconciliation of enrollment and premiums.”

Finally, CBP, ICE, USCIS and GSA are holding an IT modernization and cloud migration industry day on Feb. 26 in Washington, D.C.

The RFI states the industry day will cover a range of topics from multi-cloud to analytics to current and future opportunities.



To be successful, new VA CIO must listen, do research and be humble

The Senate confirmed James Gfrerer as the Department of Veterans Affairs’ assistant secretary and chief information officer just 17 days ago. Like most political appointees, he likely has been working at VA since he was nominated back in July.

But now his real work begins by figuring out how to manage 8,000 IT employees, another 8,000 contractors, hundreds of systems and an IT budget of almost $5 billion.

And Sen. Jon Tester (D-Mont.), ranking member of the Veterans Affairs Committee, wants to make sure Gfrerer knows lawmakers are watching.

Tester wrote to Gfrerer on Jan. 11 asking for a “comprehensive and prioritized list of VA IT projects.” Tester also wanted to see what metrics or rationale were used for prioritizing the projects.

“The operation of VA’s Office of Information and Technology has been under severe, well-deserved scrutiny in recent years,” Tester writes. “There is no doubt that insufficient resources, a chronic lack of transparency and an inability to effectively prioritize countless competing objectives have led to serious questions about VA’s ability to meet the standard of technology necessary to serve our nation’s veterans.”

While Tester didn’t give Gfrerer a deadline to respond, there is no doubt that the legislator will not want to wait long for an answer.

So how can Gfrerer get his arms around the largest civilian agency’s technology projects, infrastructure and personnel?

Advice from former VA IT executives

Former VA technology executives say understanding the agency’s projects and programs and prioritizing them requires a whole lot of listening, a bit of research and a dash of humility.

“As quickly as possible, you have to get an understanding of the current state of technology. What is happening now? What is working and what is not? And he has to be willing to help the team understand sometimes you have to call it when a project is not working,” LaVerne Council, the national managing principal for enterprise technology strategy and innovation for Grant Thornton, said in an interview with Federal News Network. “In technology, there will be things that were great ideas, but things change, opportunities change and technology changes every day. It could create different or new opportunities, and you have to have the kind of agility that allows you to say I’m changing the direction, and you have to be able to justify why. I’ve had to do those pivots. Those pivots help you gain credibility and bring change to the organization to provide speed to value.”

Council, who was the last politically appointed VA CIO, came in under similar circumstances as Gfrerer. Both started at the agency without a lot of federal experience and under a great deal of scrutiny by Congress and veterans to make technology services work better.

“I came from corporate America so I was used to working with C-suite executives and boards of directors. I understand the value of every stakeholder. My responsibility was to communicate before I was asked. I came up with a stakeholder list of all the people who need to know what’s going on,” she said. “I remember telling my folks that we are going up to the Hill and find out what they need to know. We will communicate in several ways by issuing an annual report, through meetings and updates and through the press. I had meetings with veteran service organizations. I met with every VSO, lawmakers, internal stakeholders including the inspector general every four-to-six weeks. All of this allows you to get the momentum and have the agility you need because we were constantly pushing information about what they needed to know.”

Another former VA IT executive, who requested anonymity because they didn’t get permission to speak to the press from their current company, said creating the relationship with internal customers from the Veterans Benefits Administration, Veterans Health Administration and the National Cemetery Administration is maybe more important than with the agency’s external customers.

“[Gfrerer] doesn’t need to go to every single hospital, but should go to different size ones to see challenges of the electronic health record or with the infrastructure as well as some of the things they are dealing with and the frustrations of people at front lines so you see their pain points,” said the former VA executive. “The more he can understand the business side, the more credibility he will have. That also will help him work with the undersecretaries better. Anything he does needs to be done with the other leaders in the department. There is only so much you can do to improve hospital IT outside of the leadership of VHA. So he needs to develop those relationships at the business level.”

The former executive added that knowing the key contractors also is important because of VA’s reliance on vendors.

“There are a couple of hundred contractors so you have to get to know them,” the executive said. “VA is an incredibly complex animal with a vast budget and an even larger technical debt. It’s an awful lot to absorb.”

Don’t manage by IG fires

And that need to absorb so much is why former VA officials said Gfrerer needs a dash of humility.

Sean Kelley, the former VA deputy CIO and now executive vice president of development and IT operations at Unissant, said he has to be careful not to manage by IG report or whatever fire is burning today.

Kelley said any new CIO, after understanding the lay of the land, must come up with a handful of changes he believes he can make in two years.

“He has to decide on what will impact veterans the greatest in terms of benefiting their lives as he looks at things,” Kelley said. “He has to understand and stop the pain points, answer congressional questions and establish the relationships across VA and VSOs.”

Council, who said she had developed a dashboard and data collection effort on all IT projects before leaving in January 2017, said Gfrerer should start by looking at the hot button issues such as the electronic health record, the benefits management system, the claims system, the patient scheduling application and others that lawmakers and auditors have highlighted over the last year.

“He needs to assess the situation for each program and give them an open assessment,” she said. “It’s one thing to say to Congress ‘here is a program,’ but another to say, ‘here is the reality of what we will deliver and where I need your help.’ I can’t remember a time when I didn’t ask Congress for something and gave them something as well.”

Council and others say this is why Tester’s letter is more than just expected oversight, but the lawmaker reaching his hand out to say “I’m on your side, if you want to work together.”

“When I looked at Tester’s letter, I didn’t think it was a negative, but really a call for transparency,” Council said. “Sen. Tester was asking relevant questions that require transparency, an agile project management office, and the ability to guarantee a consistent flow of information using metrics that matter.”

The former VA IT executive added a lot of what Tester was asking was the blocking and tackling of the agency’s infrastructure and technical debt challenge.

“I think what Sen. Tester is looking for is an honest assessment of what it will take to modernize VA’s infrastructure so things are not falling apart which will increasingly happen,” the source said. “You understand it’s a difficult system that is not set up for success. It’s also easy to go in there and say ‘people are idiots and I’m going to get my own team in there.’ But you actually find out there are a lot of good people at VA and it’s just the scale of the agency that is so challenging. It’s very cliché to blame everything on the outdated architecture and infrastructure, some of which is 50 years old and falling apart. But you can’t snap your fingers and replace things. There are a lot of dependencies. It’s a very overwhelming system that you need to get arms around and understand where to focus your energy and time on to make a difference.”



Cyber is least of worries for many federal CIOs under partial shutdown


The headlines started about a week or so ago, all variations of the same theme: Federal cybersecurity at risk because of partial government shutdown.

Then came the news about website certificates expiring and the new threat posed to federal cybersecurity.

But the fact is, the federal cyber sky is not falling. In fact, beyond some minor difficulties, like the website certificates expiring and further delays in programs like continuous diagnostics and mitigation (CDM), federal cyber workers are keeping agency data and systems as safe as ever.

“Security operations centers (SOCs) are running 24/7 and have stabilized. We still are protecting our data and monitoring our systems,” said one federal agency CIO, who requested anonymity because they didn’t get permission to talk to the press. “Websites are not being turned off. We are monitoring for critical patches, and will keep them up-to-date as necessary. All that work continues.”

This CIO’s experience is not special either. I talked with five agency CIOs and IT executives and all confirmed that cybersecurity is not being neglected, ignored or suffering from the partial shutdown — so, calm down folks.

“If security is a problem, we will call people in,” said another agency IT executive. “There was a domain-name system issue alert sent out by the Homeland Security Department and we brought some folks in to go through it. We found no issues, but we will bring people in as needed to protect our systems. We have a robust process where we vet who is working on an exempted basis, and it has to be approved by the leadership.”

Another government source who works in cybersecurity said they don’t believe agencies are at any further risk now than if all employees were working.

“SOC employees may be disgruntled and upset because they aren’t getting their pay, but they are doing their jobs,” the source said.

So let’s put this issue to rest once and for all.

Shutdown impacting people, programs

But where the partial shutdown is impacting federal technology is across two main areas: Delays in programs and projects, and across the contractor community.


Steve VanRoekel, the former federal CIO during the 2013 shutdown, said those IT contracts that are not pre-paid or do not ensure property or safety will feel the impact for months to come.

“A lot of what we were dealing with was managing employees coming back. Things tend to queue up so we were dealing with backlogs in the government. How can we get that throughput to happen when you have a demoralized staff?” said VanRoekel, now the chief operating officer of the Rockefeller Foundation in New York City, referring to the challenges after the 2013 shutdown ended. “The tail of the shutdown was a work problem to get people engaged and going. But this is where the American civil service is an incredible group of people and their dedication is amazing.”

Five years ago, the Office of Management and Budget issued a memo about federal technology, telling agencies to work with their general counsel offices to evaluate all contracts that fund the IT platforms, whether government-owned and operated, contractor-owned and operated, or cloud solutions, to determine whether activities involving those platforms may, pursuant to the Anti-deficiency Act, continue, or whether they must cease during a lapse in appropriations.

Sources tell Federal News Network that OMB and Federal CIO Suzette Kent did not issue a similar letter this year, and the weekly CIO calls touched only lightly on shutdown issues or challenges.

Sources say OMB generally pointed agencies to existing online resources from the Office of Personnel Management.

VanRoekel said the Trump administration is taking a looser interpretation of the Anti-Deficiency law than the Obama administration did, especially when it comes to things like technology.

“We asked a lot of questions about where does electricity costs come into play? If IT is consuming electricity then you have to make the call and that is where agencies got involved because these systems are incurring costs,” he said. “At the end of the day, it comes down to agencies making those decisions. The government is too large for OMB to manage on a program by program basis. I do remember agencies making different calls than maybe I would’ve made based on their different interpretations in different parts of an organization and depending on different reasons.”

VanRoekel said this latest shutdown is more unique than the one in 2013 only because it’s going on longer with no end in sight, whereas five years ago there was some notion of timing because there was a feeling that progress was being made.

The length and lack of progress is making agency IT executives more and more worried about the long-term impact of the funding lapse.

CDM, EIS among programs facing delays

One agency CIO said any new technology investments or programs where there was a lot of development of systems or platforms has stopped, and when the shutdown ends, all will have to be geared back up.

“When we went through the 2013 shutdown, which was only two weeks, the impact on programs and projects was months long,” the CIO said. “I expect to see some of the same as well this time around.”

The federal IT executive said as soon as the partial shutdown ends, agencies will have to start looking at projects that were delayed and figure out which ones are more meaningful than others. The executive said OMB and other oversight bodies will have to accept the fact that some project milestones will have to move to the right.

This is especially true for projects such as CDM and the General Services Administration’s Enterprise Infrastructure Solutions (EIS) telecommunications and modernization effort. For example, GSA set a deadline for agencies to get their EIS solicitations out by March, but with the shutdown the likelihood of that happening now is small for the agencies affected by the funding lapse.

Agencies already were frustrated because of the slow roll out of services under the CDM program so the partial shutdown is exacerbating that issue for many.

Data collection activities like DHS’s cyberscope or OMB’s data center optimization efforts as well as finalizing policies such as cloud smart or identity management also will face possible delays because of the partial shutdown.

Another agency CIO said it’s not just a matter of restarting the projects, but getting employees back up to speed.

“I think that will be even harder this time around and I’m not sure any agency leadership appreciates it or understands it,” the CIO said. “Employee morale is taking a hit while people are on furlough. I had one person retire during the furlough. They had been eligible and said they had enough and gave me their papers. I knew it was going to happen in the next six or so months, but the shutdown accelerated it.”

And that leads us to the other big impact federal IT will feel: the loss of contractors, particularly small business subcontractors.

Tens of thousands of contractors not working

Agency CIOs and IT executives say the longer the partial shutdown continues the more likely key contract employees will be forced to find new jobs.

“When we restart, there will be an immediate impact by not having those companies working,” said the first agency CIO. “The number of contractors that this is a concern about is growing and going to get bigger. Larger companies can absorb folks on the bench, but the smaller ones can’t.”

The federal IT executive echoed similar concerns because their agency is so dependent on contractors.

David Berteau, the president and CEO of the Professional Services Council, an industry association, said retention continues to be a major concern for their members.

“There are no databases of the number of contractors impacted by the partial shutdown, but I would estimate it’s tens of thousands across companies that do work for the nine agencies and others affected,” Berteau said in a call with reporters last week. “We don’t have a number of contractors who have been furloughed, but we estimate it’s in the tens of thousands, who have been put on some kind of status without pay or are no longer earning revenue for their companies.”

Berteau added it’s also not a matter of vendors putting the furloughed employees on other contracts at agencies that are not shutdown.

“To transfer an employee from one contract to another requires approval from the government and sometimes there aren’t government people to make those approvals,” he said. “Additionally, assuming the shutdown ends, contractors are expected to turn back on again. If the government somehow reopens this week, federal civilians can pick up right away, but to undo stop work orders can take days. You have to issue the return to work order, which is easy, but to start you have to ensure funds are available. You need to get the proper people to sign off and that could take days or weeks as people come back to work. This one will be amplified as well if people just don’t come back because how long can they work without a pay check? The magnitude of the restart will be even harder than previous shutdowns. I’m not sure anyone is considering that.”

It’s clear agency CIOs and IT executives are worried about the long-tail of this partial shutdown.



The 10 CIO interviews that were most popular in 2018

Ask the CIO is the longest running show on Federal News Network. I’ve been the host for almost 11 years and every interview I do and every panel I moderate are always filled with interesting news and tidbits that show the progress of federal IT.

CIOs have some of the most difficult but exciting jobs across government. As we’ve heard many times, technology is the glue that holds the mission and business programs together.

This is the first time we are highlighting the most popular Ask the CIO interviews.

1. HUD, USDA bolstered from first payments from Technology Modernization Fund

Interviews with Department of Housing and Urban Development CIO David Chow and Agriculture Department CIO Gary Washington offered some of the first updates to both the Centers of Excellence and TMF initiatives. HUD and USDA are the “lighthouse” agencies to test out the concepts of these initiatives to modernize federal IT.

2. IG community takes next step to close the FISMA gap between auditors, CIOs

This interview with Tammy Whitcomb, the Postal Service’s acting IG and chairperson of the IT subcommittee of the Council on IG Integrity and Efficiency, highlighted how the Office of Management and Budget, the Department of Homeland Security and the IGs are overcoming long-standing challenges to measuring cyber progress. The 2018 reports on agency implementation of Federal Information Security Management Act (FISMA) metrics will be the first to reconcile the checklist versus an approach to measure how agencies are closing cyber gaps.

3. Thirst for new technologies, new capabilities driving IC’s cloud expansion

John Sherman, the CIO of the Office of the Director for National Intelligence, clarified that the IC is not, and was never going to be, dependent on a single cloud provider. The interview came as the concerns about the Defense Department’s Joint Enterprise Defense Initiative (JEDI) were rising.

4. Lack of cyber workers is the forcing function for shared services

This show came from a panel I moderated with the current Federal Chief Information Security Officer Grant Schneider and former White House cyber coordinator Michael Daniel. The discussion, like many do, turned to how agencies can address the ever-growing cyber risks while competing for workers with the private sector. OMB and DHS are expected to begin setting up and testing cyber shared services in 2019.

5. Before replacing the CAC, DoD to evolve current smart identity card

The Defense Department started talking about moving away from the common access card back in 2016, but before that can happen, there are other issues they must address. The Defense Information Systems Agency is conducting a series of pilots to test alternative approaches to CAC.

6. Emerging threat to warfighters required new thinking by DoD’s JIDO

This interview focused on two of the hottest topics of 2018—faster acquisition and quicker IT development. What stood out to me from the interview is how the Joint Improvised Threat Defeat Organization reduced its spending on legacy systems to about 10 percent from as much as 41 percent two years ago. While JIDO isn’t a huge agency, there are definite lessons other agencies can take from it.

7. US Digital Service helps CMS with ‘novel’ approach to IT modernization

The U.S. Digital Service turned its reputation around over the last year, in part because of how it got the word out about its successes. This was one of five interviews I did with USDS and its partner agencies like the Centers for Medicare and Medicaid Services, the Small Business Administration or the Department of Veterans Affairs demonstrating the ongoing and successful digital transformation of the government.

8. NCI develops a model for the future of scientific computing

The National Cancer Institute and its partner organizations across the National Institutes of Health are taking full advantage of cloud computing and other emerging technologies to make research easier and better. The NCI is getting out of the infrastructure business as well as using the cloud for data analytics needs. This show came from a panel I moderated at the AFCEA Bethesda Health IT day. The 2019 event is coming on Jan. 30, where I’ll be moderating another panel.

9. TSA isn’t sweating the new Windows 10 mandate from DHS

The timing of this interview couldn’t have been better. I had just heard that DHS CIO John Zangardi issued a memo in early 2018 mandating the agency move to Microsoft Windows 10. Russell Roberts told me not only was TSA ahead of the game in moving to the new operating system, but planned several other initiatives around Win10.

10. Revealing the value of IT investments will help form the path to the cloud

During the course of the year, several shows are “exit” interviews with federal IT executives who retire or move to the private sector. The fact that this one made the list is a bit surprising given it’s an exit interview. But former General Services Administration deputy CIO Steve Grewal, who joined Cohesity, hit upon a hot topic of Technology Business Modernization (TBM) standards.



Top 10 Reporter’s Notebook stories of 2018

Government reorganization and cybersecurity incidents attracted the most attention across the federal IT market last year. So it’s no surprise these stories make up seven of the top 10 Reporter’s Notebook stories of 2018.

Now in its seventh year, my Reporter’s Notebook continues to evolve into my weekly download of important analysis and people news across the IT and acquisition communities.

As I’ve said from the beginning, this is neither a column nor commentary — it’s news tidbits, strongly sourced buzz and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, I encourage you to submit ideas, suggestions, and, of course, news to me at jpmiller@federalnewsnetwork.com. Here are the 10 most viewed Reporter’s Notebook stories of 2018 in order:

1. “70,000 contractors must get notarized letters in next 60 days to continue working for government”

This story as well as No. 10 are among the most interesting stories of the year because of the continued problems the General Services Administration has with the System for Award Management (SAM.gov) website. This was the third incident in five years. Meanwhile, SAM.gov is one of 10 portals GSA has been trying to modernize and consolidate for almost a decade. That, and the critical nature of the portal, put it at the top of the modernization priorities list.

Agriculture Secretary Sonny Perdue

2.  “USDA to block 400 websites after IG finds employees looking at porn”

Any headline with “porn” seems to do well, but this story was much bigger than just another unfortunate example of a bad apple spoiling the bunch. This story was another in a series showing the upheaval among IT executives at the Agriculture Department in the summer of 2017.

3.  “Secretary’s ‘OneUSDA’ vision rings hollow to some in light of new telework policy”

This was the first of many reorganization stories we worked on last year. Without a doubt, the Trump administration’s reorganization efforts caused a lot of angst across the federal community. USDA was out in front in making changes, especially to telework policies. The departments of Education, Health and Human Services and several others have begun to retreat or are considering moving away from broad telework policies.

4.  “OPM kicks off ‘break up’ effort by naming interagency team”

What’s funny about this story is that it was almost an afterthought. But it goes to show you the anxiety the administration’s reorganization efforts are creating with the federal workforce. The popularity of the story also shows there is a deep desire for information on the reorg efforts. A lesson the administration may choose to learn for 2019 is that transparency isn’t necessarily a bad thing.

5. “7 years after cloud-first policy, agencies turns up speed to adoption”

This story was actually published in December 2016 — the seventh anniversary — but remained popular among readers in 2018. Many believe 2019 finally is the year for cloud computing, not just acceptance, but large scale movement. OMB released its updated cloud policy in September, and reported in December that almost 70 percent of all federal email is in the cloud, up from 40 percent almost 10 months ago. Federal CIO Suzette Kent said 13 agencies have at least 95 percent of their email in the cloud and six are at least half way there. She said two are still in the planning phase, and they will be spending a lot of time with OMB over the next year. A big shout out goes to Bloomberg Government for providing me with the data that really brought the story together.

6. “Feds may seek new jobs thanks to growing telework policy changes”

Similar to why the USDA story did so well, federal employees are alarmed about what many consider abrupt changes to agency telework policies. Our survey from July demonstrated that, with more than 60 percent of the 395 respondents saying they were concerned or somewhat concerned about changes to their agency’s telework policies. It will be interesting to see what lawmakers do in 2019, particularly in the House, to reaffirm the importance of telework across government.

Budget Director Mick Mulvaney

7. “OMB shows its IT policy hand in 2019 budget request”

Most employees and contractors know any president’s budget is dead on arrival when it goes to Congress. But it’s for that reason that the policy changes OMB highlights matter so much. If you go back and look at what OMB planned for 2018, we now see much of it came to fruition around federal IT, including the implementation of the Technology Modernization Fund and the continued use of Technology Business Modernization (TBM) standards.

8. “For first time, OMB can paint the governmentwide cyber risk picture”

Of all the cybersecurity stories last year, this one, at least from a policy perspective, was most significant for multiple reasons. At the top of that list was the way OMB wrote the report, not just highlighting problems, but also the solutions they plan to implement. The report also brings in data from almost every federal agency, large, small and micro, for the first time. If you only read one OMB cyber policy/report last year, hopefully this was it.

9. “Is DISA getting innovation by using OTA for new background investigation system?”

The quickly expanding use of other transaction authorities (OTAs) has been a hot button issue for the last year plus. And when you combine OTAs with security clearances, the interest in the community jumps off the scale. Even today, nearly a year later, the status of this modernization effort is unclear.

10. “GSA’s central contractor website victimized by fraud for second time”

This story brings us full circle with number one in our countdown. This was the first story that alerted industry that there is a problem, again, with SAM.gov.

So there’s your top 10 Reporter’s Notebook stories for 2018. Over the next 12 months, we will continue to analyze and help you better understand the trials and tribulations of the federal IT and acquisition communities. Stay tuned, it’s sure to be a fun ride.



Congress expected to play bigger role in federal IT in 2019


Even with all the focus and concern over the partial government shutdown, let’s not lose sight of the potential and real impact technology will continue to have on agencies in 2019.

For the past seven years, agencies have talked about moving to the cloud. Expect the Office of Management and Budget, through the General Services Administration, to make an even bigger push to move commodity technology like e-mail to the off-premise providers.

For the past dozen years, cybersecurity has been an all-encompassing problem. With the changes to the continuous diagnostics and mitigation (CDM) program from GSA and the Homeland Security Department and the better understanding of governmentwide cyber risk, many expect 2019 to be the year that agencies see real progress in fixing those systemic cyber hygiene problems.

And for the past three years, IT modernization has soared to the top of nearly every agency chief information officer’s and contractor’s priority list. In many ways, 2019 will be a make-or-break year for the Trump administration’s Centers of Excellence efforts to show real progress in moving agencies off legacy systems and improving services to citizens.

So it’s no surprise that when I asked federal IT experts for their insights about what we should expect in 2019, they mentioned these topics time and again. But what is surprising is the discussion about who or what entity will have the most influence over the federal IT community. In part one of this discussion, I asked these same experts for their observations about the impact of federal IT in 2018.

Here are the answers on what to expect in 2019, edited for clarity and length, from:

  • Rich Beutel, managing principal for Cyrrus Analytics LLC
  • Alan Chvotkin, executive vice president and counsel for the Professional Services Council
  • Mike Hettinger, managing principal of the Hettinger Strategy Group
  • Trey Hodgkins, senior vice president, public sector for the Information Technology Alliance for Public Sector (ITAPS)
  • Dave McClure, director CIO advisory at Accenture Federal Services
  • Dave Powner, director of strategic engagement and partnerships for Mitre

What are your expectations for 2019 for federal technology?

Mike Hettinger says emerging technologies like AI and robotics will be big in 2019.

Hettinger: Keep an eye on emerging technologies. With the increased focus on enhancing customer service delivery, technologies like blockchain, artificial intelligence (AI) and robotics process automation (RPA) will begin to play a more prominent role in government extending beyond the pilot phase to become more mainstream. Further, if President Donald Trump insists on cutting budgets, five percent or more, agencies will turn to automation as a way to bring operating costs down.

Chvotkin: Increased constructive and destructive federal IT oversight hearings from the Democratic-controlled House, including from the Oversight and Government Committee.

Continued slow progress on IT modernization, including in the cybersecurity and supply chain risk management areas.

Continued growth in the use of other transaction authorities (OTAs), especially by defense agencies.

More AI/machine learning use cases to emerge across government.

Risk of grid-lock for the fiscal 2020 budget process.

Beutel: I believe that it will be a year of implementation, with a growing focus upon the need to adopt commercial technologies and commercial best practices. The Defense Enterprise Office Solutions (DEOS) award in the Department of Defense is an excellent example.

McClure: In terms of technology, I see a rapid shift towards hybrid cloud architectures and more intelligent, proactive cybersecurity as overarching trends. I also believe that growing citizen expectations, emerging AI technologies and continuing cost pressures will force agencies to redefine their contact center strategy. I also see the emergence of digital platforms as being a way to drive quicker wins at low costs across large swaths of application modernization efforts.

Powner: Modernization will result in more major mission enhancements, not just operational IT efficiencies. Interest in AI will continue to rise, with legislators and policymakers joining in to investigate challenges limiting its utility. Supply chain security and resilience will continue to be enhanced.

Hodgkins: A sustained focus in the administration and on Capitol Hill on the importance of continuing to modernize information technology in the federal government.

What are three agencies/congressional committees/organizations which will have big impacts on the federal technology market in 2019?

Dave Powner of Mitre says congressional oversight of VA’s electronic health record effort will be worth watching this year.

McClure: USDA modernization lessons learned – We are going to see a significant and sustained effort to capture and promote these best practices governmentwide.

House Committee on Oversight and Reform’s ongoing oversight of IT modernization progress and outcomes – expect a rare bipartisan effort to use both carrots and sticks to drive improved operational performance and more comprehensive cybersecurity.

Can DoD jump into the cloud? — If they continue to move forward, both JEDI and DEOS have the potential to transform the Pentagon into a cloud-first environment.

Hettinger: In the executive branch, the focus will shift from the Agriculture Department to the Department of Housing and Urban Development as it relates to the IT modernization centers of excellence. This should garner a lot of attention. I think you’ll also see a focus on the Census Bureau. With 2020 bearing down on the department and a history of IT failures, Census will jump into the spotlight. Last but certainly not least is Congress. I expect rigorous oversight from the House Oversight and Reform Committee on the administration generally, but also getting into issues affecting the day-to-day operations of the government. This means oversight of the reorganization plans, the President’s Management Agenda (PMA) and on down the list. Rep. Gerry Connolly (D-Va.) will play a leading role in all of this.

Powner: The House Oversight and Reform Committee continuing its efforts on FITARA implementation, cyber issues and AI.

The House Veterans Affairs IT Subcommittee’s efforts on enhancing services to our veterans, including the oversight of the electronic health records acquisition.

House and Senate armed services committee for its continued moves to reduce the risk the DoD takes on from contractors and vendors.

Most appropriation, authorization and oversight committees will have cybersecurity issues as a major focus of their legislative agendas.

Chvotkin: White House/OMB in setting governmentwide policy and providing (or constraining) funding for federal technology spending.

House of Representatives for its role in funding federal technology and for its oversight agenda, including from the Oversight and Reform Committee.

Federal health activities, including VA and DoD EHR market opportunities, policy direction and performance outcomes.

Hodgkins: Margaret Weichert in her role as deputy director for management at the Office of Budget and Management will play a central role in enabling IT modernization and implementation of the President’s Management Agenda.

The Department of Homeland Security for the voice they will have in critical cyber issues, like software and supply chain assurance.

The Department of Defense and their overseers, the House and Senate armed services committees, for their statutory efforts to address technology-based threats to the United States.

Beutel: The House Oversight and Reform Committee and the Senate Homeland Security and Governmental Affairs as well as the White House and OMB will have the biggest impacts.



Why federal IT hit a crescendo in 2018


Just stop for a moment and think about the last 12 months in the federal technology community and all that has happened.

The excitement over IT modernization hit a crescendo with the Centers of Excellence effort coming together at the departments of Agriculture and Housing and Urban Development. The Technology Modernization Fund is among the most watched initiatives in a long time despite the limited short-term impact it can have on agency modernization efforts.

The Federal IT Acquisition Reform Act furthered IT reform progress not just because of continued harassment of agency chief information officers, but, for once, Congress and the Government Accountability Office may have just chosen the right metrics and right authorities to motivate real change.

And then there is cybersecurity. The never-ending story of breaches and data loss—see NASA as the latest example—that came fast and furious over the last decade seems to have slowed.

The Office of Management and Budget revised four major cyber policies—Trusted Internet Connections (draft), high valued assets (final), identity management (draft) and cloud smart (draft)—and revoked dozens of others that no longer mattered. And maybe most importantly, OMB now has the first ever governmentwide picture of cyber risk, and a plan to mitigate many of those challenges.

The National Institute of Standards and Technology just put the proverbial cherry on top of 2018 by releasing version two of the Risk Management Framework, Special Publication 800-37, today. The update has seven major goals, including promoting the development of trustworthy secure software and integrating security-related supply chain risk management concepts into the framework.

In Federal Chief Information Officer Suzette Kent’s victory lap earlier this month, she said 2018 was a year of policy sprints because modern technology needs modern policies.

Kent’s goal was, in part, to lay a foundation for 2019 and beyond. But 2018 was more than just a matter of putting down the building blocks. It was continuing the long journey to change the way agencies buy, oversee, manage and use technology.

To gain a better understanding of why 2018 was among the most significant years for the federal IT community in the last 20, I asked a group of experts for their opinions. Here are the answers, edited for clarity and length, from:

  • Rich Beutel, managing principal for Cyrrus Analytics LLC
  • Alan Chvotkin, executive vice president and counsel for the Professional Services Council
  • Mike Hettinger, managing principal of the Hettinger Strategy Group
  • Trey Hodgkins, senior vice president, public sector for the Information Technology Alliance for Public Sector (ITAPS)
  • Dave McClure, director CIO advisory at Accenture Federal Services
  • Dave Powner, director of strategic engagement and partnerships for Mitre

How would you characterize in a single sentence the year that was 2018 when it comes to federal technology?

Hettinger: I can do it in a single word: modernization.

Beutel: Building the policy foundations for IT modernization.

McClure: The real steps being taken towards technology modernization in 2018 are paving the way for a truly sustainable digital government.

Dave McClure, principal director, Accenture Federal, said 2018 was the year of IT modernization.

Hodgkins: 2018 provided the highest level of prioritization for federal IT to date, but the effort is still nascent and we have to stay focused.

Powner: IT remained center stage as IT modernization is highlighted as a strategic priority and a key driver of transformation in the President’s Management Agenda. In addition, in many ways, 2018 was characterized as the “year of the dawn of supply chain security” with several key legislative elements being passed and landmark moves by the Department of Defense, the Homeland Security Department, and other government agencies to address Kaspersky Labs security concerns.

Chvotkin: 2018 provided a treasure trove of federal technology opportunities; some of them were seized on (with a few even completed), while too many of them were missed or under-achieved.

What surprised you about federal technology in 2018?

McClure: Despite attention and assumptions, cloud computing adoption is still relatively sluggish; according to our State of Federal IT report, 54 percent of federal IT leaders report that less than a quarter of their infrastructure is cloud-based.

Hodgkins: That security, whether cyber or national, for information technology is still not as central an element of decision-making as the importance the topic is given would seem to merit.

Chvotkin: Oracle’s successful protest of an other transaction authority (OTA) agreement, when the mythology was that an OTA is “protest proof.”

Alan Chvotkin,  the executive vice president of the Professional Services Council, said the successful protest of an OTA was surprising.

The national attention to DoD’s JEDI cloud initiative–from the press coverage to the Hill engagement to the industry’s reactions.

How much talk there has been about the challenges of cybersecurity and the importance of technology modernization, but how little has been accomplished to date.

Beutel: The continuing failures of large, customized government IT systems deployments. How many IT disasters do we need before we conclude that the current process is deeply flawed?

Powner: This past year, I was surprised by the amount of progress agencies made approaching IT acquisitions with incremental and agile approaches, and the widespread recognition of the threats China and Russia present to our IT systems.

Hettinger: I’m not sure anything necessarily surprised me about federal IT in 2018.  Most of what we have seen play out was to be expected.

In what ways were you disappointed in 2018 about federal technology?

Powner: While CIOs have increased their stature, in general, federal CIOs are not viewed consistently as a strategic partner by department and agency business units.

The degree to which the government continues to lose critical technology and information because it accepts inherent IT risks from vendors and contractors.

Chvotkin: There were too many missed opportunities for technology successes, with policies launched but not implemented, senior technology leaders departing in record numbers and agencies slow to seize the opportunity for modernization.

The under-implementation and slow uptake on MGT Act implementation, including particularly agency working capital funds and TMF funding.

The difficulty in attracting and retaining agency CIOs and other senior technology officials to federal service.

Hettinger: I expected big things for the TMF in 2018—lots of projects funded, Congress fully embracing the concept. We haven’t really seen that yet.

Mike Hettinger says agencies need to embrace the TMF.

McClure: While advanced automation and real-time analytics have proven themselves as game changers within commercial enterprises, government agencies haven’t moved fast enough in seizing these opportunities to improve operations, management and performance.

Hodgkins: Despite passage of the MGT Act, we still don’t have a clear path to funding for the necessary modernization of information technology in the federal government.

Beutel:  The continuing delays in hiring critical IT thought leaders and senior agency talent.

What were your top 3 stories or lines that happened over the last year and why?

Beutel: Agencies acknowledged the value of commercial cloud technologies.

Agencies begin consideration of non-traditional acquisition approaches.

Agencies embrace the need to adopt emerging technologies, such as artificial intelligence and machine learning.

Hodgkins: The Centers of Excellence manifested the new focus the federal government intends to bring to information technology and is on the way to establishing a replicable, scalable model for agencies and departments to tap into for their modernization needs.

FITARA Implementation affords an unprecedented level of authority to CIOs for IT decisions within their agencies and departments and brings a new level of alignment in IT prioritization and decision-making.

The President’s Management Agenda because it is a clear blueprint for evolving a number of critical elements of government operation, realigning resources and framing how government assets can benefit taxpayers and constituents.

Hettinger: The ongoing focus on modernization, coupled with the shift in focus to delivering a better customer experience as seen through the CoEs at USDA and eventually HUD, as well as the ongoing back and forth between Congress and the administration on funding and utilizing the technology modernization fund, which continues through today.  How that plays out will set the stage for 2019 and beyond.

OMB and the focus on government reorganization, moving OPM functions to GSA, the release of the PMA, the Federal Data Strategy — OMB has been very busy this year which has created a lot of buzz.

Cybersecurity and the government’s continued focus and struggle with cybersecurity from the executive order through changes to the continuous diagnostics and mitigation (CDM)  program. Maybe the changes at DHS and the creation of Cybersecurity and Infrastructure Security Agency will begin to make a difference.

McClure:  Passage of the Modernizing Government Technology Act — makes IT modernization a C-suite priority by offering significant incentives tied to improved business outcomes.

Cybersecurity evolves — growing interest in and expected adoption of zero trust models and software-defined networks to provide a more resilient and adaptive security posture.

Customer experience design becomes a strategic priority — agencies like the Veterans Affairs Department recognize that it is fundamental to successful mission delivery.

Powner: Cybersecurity issues remain one of our nation’s top national security risks. Breaches are as prevalent as ever and more often than not adversaries’ capabilities are advancing at a quicker pace than defensive capabilities. There is marked recognition that our national security systems and critical infrastructure are compromised through several DoD/IG and GAO reports and complementary new legislative actions. Aggressive new defense authorization bill language to help secure defense weapon systems along with new Committee on Foreign Investment in the United States (CFIUS) and Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) authorities.

Dave Powner of Mitre says cybersecurity, particularly around supply chain risks got a lot of attention in 2018.

CIOs continue to gain more authority. Agency changes, Congressional push, and the administration’s CIO executive order all helped here.

FITARA has laid the groundwork for more meaningful modernization. Major improvements have occurred, now this needs to be leveraged to have more mission enhancements.

Chvotkin: Enactment of a two-year Congressional budget deal and resulting appropriations for fiscal 2018 and 2019 that provided more fiscal certainty for (most) agencies and their industry partners — at significantly increased funding levels.

Initial implementation of the Modernizing Government Technology (MGT) Act and creating the Technology Modernization Fund that provides a new mechanism for IT modernization (even if implementation has been too slow and funding levels are not as significant as hoped for).

The extent of White House and OMB engagement across a wide range of actions — including the President’s Management Agenda and Federal CIO Executive Order, the work of the White House’s Office of American Innovation, the visibility and engagement of the Federal CIO and MGT initiation, and governmentwide and agency-specific cybersecurity policies and workforce development.



How OMB’s new cyber policy will lift the albatross off of the cloud


The cloud — it has been held up by two administrations and contractors now for eight years with promises of first cost savings, then more capabilities for the same amount of money, then better cybersecurity and now all of the above.

No one argued in 2007 that the Trusted Internet Connections (TIC) initiative wasn’t a good one when the Office of Management and Budget issued it. Agencies were in the dark about how many internet gateways existed and where.

But TIC and the cloud are like oil and water. TIC and the cloud are like pizza and pineapple. TIC and the cloud are like — well, you get what I’m saying, they don’t work well together.

TIC has been the albatross hanging around the cloud’s neck for much of the past eight years.

That is all about to change. OMB issued the updated draft TIC policy Friday to remove the real or imagined barriers the 11-year-old policy created that many said made it harder for agencies to move to the cloud.

“This memorandum affirms that agencies may use modern and emerging technologies to meet TIC initiative requirements,” OMB writes in the draft policy. “The Department of Homeland Security (DHS) will define TIC initiative requirements in documentation called TIC Use Cases. The TIC Use Case documentation will outline which alternative security controls, such as endpoint and user-based protections, must be in place for specific instances where traffic is not required to flow through a physical TIC access point. The capabilities used to meet TIC Use Case requirements may be separate from an agency’s existing network boundary solutions provided by a Trusted Internet Connection Access Provider (TICAP) or Managed Trusted Internet Protocol Services (MTIPS).”

The proposal outlines four possible use cases:

  • Cloud—infrastructure-, email- and software-as-a-service.
  • Agency branch office—Where the office is outside of headquarters, but uses the main office for IT services. This use case supports agencies that want to enable Software-Defined Wide Area Network (SD-WAN) technologies.
  • Remote users—For users connecting to the agency’s traditional network, cloud and the internet using government-furnished equipment from outside the traditional boundary.
  • Traditional TIC—This use case is for instances not covered in other DHS examples and agencies are required to continue following the traditional TIC use case, which may include agency use of TICAP and MTIPS providers.

“The expectation is that the process described … in this memorandum results in the continuous improvement and development of updated TIC Use Cases that account for emerging technologies and evolving cyber threats,” the draft memo states. “Given the diversity of platforms and implementations across the federal government, the TIC Use Cases will highlight proven, secure scenarios, where agencies are not required to route traffic through a TICAP/MTIPS solution to meet the requirements for governmentwide intrusion detection and prevention efforts, such as the National Cybersecurity Protection System (including the EINSTEIN suite of capabilities).”

The use cases, particularly for cloud services, came from pilots conducted by the Small Business Administration and the departments of Energy and Justice.

Agencies would have a year from when the policy is final to move to the new TIC requirements. DHS and GSA also will develop a compliance verification process for each use case.

Expanding what are high value assets

At the same time, OMB updated another policy—this one in final form—for how agencies should protect high value assets going forward.

The HVA policy, signed by OMB Director Mick Mulvaney on Dec. 10, expands the concept of what “crown jewels” agencies should consider protecting first and foremost. The guidance requires more governance that includes mission owners and other non C-level executives and lets agencies use private sector experts to assess protections of the HVAs and report back to DHS.

“On the first pass, we identified some data sets but we didn’t include all agencies, only the CFO Act agencies,” said Suzette Kent, the federal chief information officer, at the Center for Strategic and International Studies (CSIS) on Dec. 12. “And when we said value, we didn’t look at value in a full comprehensive manner. That is what the new policy actually does.”

The HVA memo also requires agencies to have remediation plans should the data or systems have vulnerabilities. These plans have to have support not only from DHS, but the agency’s resource management officer at OMB and should be coordinated using a risk-based approach across other agency leadership.

“With the dynamic adversarial threat to the security and resilience of HVAs, it is essential that the initiative evolve to take a more comprehensive view of the risk to the federal enterprise and the measures available to mitigate those risks,” the policy states.

The HVA and TIC policies are the final two of the four OMB sought to modernize in 2018, and in many ways are the lynchpin to more progress in 2019 and beyond.

“Modern technology requires modern policy. Over the last 10 months we’ve had our own set of policy sprints,” Kent said at the ATARC IT modernization summit. “In reflection, 2018 was a year of action. Part of my challenge of being here over the last 10 months was to build a relationship and roadmap for partnering with the agencies to deliver on those lofty expectations that we were given in the technology community both by the administration and by Congress.”

Two policies still in draft

Kent highlighted these and other successes last week in sort of a celebration of all that OMB, the CIO Council and agencies accomplished in 2018.

There still is a lot that remains. OMB must finalize three of the four policies that it issued in draft earlier this year. Kent said OMB received more than 500 comments on the identity management policy it released in April.

“What we are looking at doing is emphasizing identity-centric perspective for how we manage devices and person and non-person devices. That’s really important as we think about how we go forward with using automated technologies,” Kent said at the ATARC event. “Your comments back also helped us recognize we need to be more definitive about roles and responsibilities between NIST, GSA, OPM and DHS. That is what we have been spending our time doing and making it clear who owns what in the identity equation.”

The cloud smart draft policy from September received 41 comments. Kent said the goal of the draft policy was to link all the pieces together: workforce, procurement, cybersecurity and how agencies get authorities to operate.

“We are strongly encouraging agencies to complete an application rationalization,” Kent said. “If you haven’t looked at your whole landscape and know where you are going, then you aren’t going to be making the best long-term strategic decisions.”

And Kent is far from done once those policies are finalized. She said a new policy is coming around robotics to make sure agencies have some guidelines for how to use automated technologies.

If many considered 2018 a foundational year for many aspects of IT modernization, then 2019 is shaping up as a year of implementation.



HHS is latest agency to begin to figure FITARA out

As the House Oversight and Government Reform Committee marked the fourth anniversary of the passage of the Federal IT Acquisition Reform Act (FITARA) with the release of the seventh iteration of its scorecard, there was plenty to celebrate.

No agency received an “F” grade for the first time. While there were no “As” either, there were 11 “Bs” and every agency either improved or stayed the course.


“The intent of the scorecard, as my colleague and original co-author of FITARA [Rep. Gerry] Connolly (D-Va.) has pointed out, is not to paint agencies with a scarlet letter. Rather, our intent is to incentivize behaviors and actions that result in better managed and more secure IT resources,” said Rep. Will Hurd, (R-Texas), chairman of the IT subcommittee, in his opening statement.

And it’s that goal of driving and incentivizing a specific set of behaviors that came through in this latest scorecard more than ever before.

The changed behaviors can be seen at the agency level whether it’s the Commerce Department’s acting CIO Rod Turk exercising his oversight muscles over the bureau’s IT spending, or the Transportation Department’s decision to freeze IT spending back in 2016 to address cybersecurity challenges and then in 2017 to add more oversight to IT spending.

For many agencies, complying with the law doesn’t mean getting all “As” and staying out of the cross-hairs of the committee. It means CIOs can stop talking about getting a “seat at the table” and start exercising their authorities to effect real change.

The bi-annual hearings, in many ways, are a reminder that at least House lawmakers are watching with high expectations.

“These hearings and our consensus on the issue of federal information technology procurement sends a message to agencies that the Oversight and Government Reform Committee is serious about agency implementation of the Federal Information Technology Acquisition Reform Act – or FITARA – and we are not going to take our foot off of the gas pedal until we achieve full implementation of the law, regardless of who is in the majority,” Connolly said in his opening statement.


Now if only the Senate Homeland Security and Governmental Affairs Committee cared as much about public accountability when it comes to FITARA — that would really help drive home the message.

In the aftermath of the FITARA 7.0 scorecard and hearing, as I’ve done for the past six, here are my three takeaways:

No “A” by May, but pretty close

The Department of Health and Human Services was mired in the FITARA basement with five “Ds” before inching up to a “C-” last May. So HHS officials launched a new initiative to improve their scores, but more importantly change the culture of the agency.

Ed Simcox, the acting HHS CIO and the chief technology officer, told the committee that after the agency’s fourth straight “D” grade in June 2017, it paused to do an analytical review of the legislation and its implementation, and to figure out where it could improve.

Over the next 18 months, HHS focused on a three-pronged approach to improve how it manages technology, knowing that FITARA scorecard improvements would come almost as a byproduct.

Simcox said HHS termed the initiative D3:

  • Data — HHS created an internal FITARA scorecard, developed a CIO work plan and refreshed its approach to transparency and risk management.
  • Dialogue — Headquarters executives held bi-weekly and monthly meetings with bureau level CIOs to discuss FITARA implementation as well as monthly briefings with the Office of Management and Budget and the Government Accountability Office. Simcox said through these conversations, which also included the deputy secretary, the agency brought in more of the CXOs so FITARA wasn’t considered just an “IT law,” but one to “support mission and business operations through the effective use of technology.”
  • Delivery — The agency identified and captured cost savings or avoidance through the use of shared services, cloud services and consolidation of IT acquisitions. HHS created its first-ever software inventory and found more than 4 million licenses across 12,000 software publishers.

Through the D3 initiative, HHS fell short of its goal of an “A by May” but did improve to a “B+.”

“Our rapid improvement from FITARA 4.0, where we received a ‘D-,’ to today’s FITARA 7.0, where we have a ‘B+,’ would not have been possible without broad collaboration,” Simcox told the committee. “Working in partnership with GAO, OMB and Hill staff has been critical. This committee’s advice has directly contributed to the IT improvements at HHS.”

Simcox said D3 created a common language across the agency to compare performance and take advantage of the data to address high risk areas.

“HHS’s improvements are an example of how the FITARA scorecard positively incentivizes agencies to act,” Hurd said.

HHS now is moving to the next iteration of D3, called M3: Monitor, maintain and mature.

Simcox said under M3 HHS plans to drive performance further through an internal FITARA dashboard and discussions, specifically around CIO reporting, data center optimization and cross-agency cyber priorities.

The committee specifically pushed Simcox on data center efforts. So far, HHS has closed 17 tiered data centers out of 54.

“We can do better and will continue to make progress on that,” he said. “I also would like to mention our enthusiastic support for shifting from a cloud first approach to a cloud smart approach where we are able to actually look at the subject matter that is in systems and really match that to the mission that is supported by the systems and any legislative requirements.”

The lessons learned by HHS and what the six agencies with “D” grades — the departments of Justice, Agriculture, Defense and Treasury, the Office of Personnel Management and the Nuclear Regulatory Commission — should take from their experience are clear.

And Simcox summed it up very simply: “The truth lies in the data. We achieved high scores by following instructions and using data to drive conversation, collaboration and change. FITARA has created a culture shift inside HHS. At HHS, we like to say FITARA is both a law and a lifestyle.”

Rep. Hurd’s obsession with working capital funds

Without a doubt, among the biggest frustrations Hurd is experiencing with the entire IT reform effort, which includes both FITARA and the Modernizing Government Technology (MGT) Act, is the lack of willingness of most agencies to create working capital funds to help pay for IT modernization efforts.

Only four agencies — the departments of Agriculture, Labor and Homeland Security and the Small Business Administration — plan to set up an MGT Act-authorized fund.

Hurd said the working capital fund authority really is the most important part of the MGT Act, even though many others like to focus on the Technology Management Fund (TMF).

During the hearing, he specifically questioned HHS’s decision to use its nonrecurring expenses fund (NEF) instead of creating a specific IT working capital fund.

Simcox said about two-thirds of the fund is used for IT projects and one-third for capital investments.

HHS CFO Sheila Conley said since 2013, the agency has spent about $5 billion on IT and cyber projects from the fund.

But Hurd said the problem he sees with HHS’s NEF and other existing working capital funds in other agencies is the lack of control by the CIO. In HHS’s case, Simcox is part of the decision-making process, but the secretary has the final say of how the money is spent.

And that’s what is frustrating him the most. The point of the MGT Act was to give the CIO the final say. Now that idea also begs the question whether any CIO really has a final say when the secretary and deputy secretary really control all spending across the agency.

At the same time, HHS is among several agencies whose general counsel determined their agency doesn’t have the legal authority to transfer money into the MGT Act working capital fund, which comes before there is even a decision on how the money is spent.

Again, Hurd questioned HHS on this issue and even asked for the general counsel to appear before the subcommittee to explain their determination.

“What legal analysis went into making the conclusion that HHS lacks the transfer authority to move money into a MGT account?” Hurd asked.

Conley responded, “As it relates to our transfer authority, we have very specific transfer authority that is provided in several instances…”

Hurd interrupted, “And that’s why we wrote and passed the MGT Act to give the authority for the CIO to have access to a working capital fund that is exclusively used by the CIO. It’s frustrating that agencies claim they lack the transfer authority when we just passed legislation to do that.”

Conley said HHS needs to be provided with explicit transfer authority to move money into the MGT Act fund. Hurd responded by asking whether the law passed by Congress wasn’t enough.

“In the GAO’s red book, or the federal appropriations law book, they point out that the agency may transfer funds only when expressly authorized…” Conley said.

Hurd interrupted again saying the red book was last updated before the passage of the MGT Act. GAO said it last updated the red book in March 2016, which was 15 months after FITARA became law.

It seems Hurd will either work with GAO to clarify the red book or get some sort of FITARA technical correction or update into a future bill to specifically clarify how the working capital funds work. And other agencies should pay attention too and come up with a more detailed legal analysis or face being called to the carpet like HHS.

Data center definition concerns

GAO and OMB’s debate over the definition of a data center doesn’t look to be simmering down any time soon.

OMB’s draft data center policy released Nov. 26 isn’t sitting well with government auditors. In that draft policy, which is out for public comment through Dec. 26, the administration decided to remove the requirement that agencies track and close non-tier data centers as well as change how agencies measure optimization.

At the FITARA hearing, Connolly said OMB’s decision to change the definition is concerning.

Carol Harris, the director of IT management issues at GAO, said OMB’s decision to move away from fully measuring the progress to consolidate and optimize all data centers is worrisome.

“When you take a look at server utilization that is currently being reported as a percentage, which gives an idea to the degree of the servers are being utilized,” Harris said. “With OMB’s proposed change, they are looking to report only the number of underutilized servers in each data center. So without that context of the total number of servers, you lose the ability to know the progress being made in consolidating those servers. That is one example of a metric where OMB could potentially be fuzzing things up.”

FITARA 7.0 data center results, courtesy of the House Oversight and Government Reform Committee.

Harris told Rep. Mark Meadows (R-N.C.) later in the hearing that GAO plans to meet with OMB to discuss the proposed changes.

Meadows asked Harris if the current data center metrics are working as intended.

“It’s not perfect, but we do think the current metrics that are in place are giving a pretty good picture of how the agencies are doing relative to their goals,” she said.

Meadows pressed Harris for further explanation about why the data center metrics needed to be changed, and whether the recommendation came from Federal CIO Suzette Kent or the CIO Council or somewhere else.

But Harris said she couldn’t answer the why and would find out more in their meeting with OMB.

“If you and your colleague [at GAO] would reach out to OMB and tell them it is of significant concern,” Meadows said. “It’s like changing the parameters for a SAT test. If you change it and it’s a different standard for high school students today versus high school students 20 years ago, you can make the scores anything they want to be. I’m concerned if you are only looking at underutilized servers and that matrix, then you have no idea how much stuff you’ve moved to the cloud. If you are truly looking at server capacity at these data centers, then it doesn’t show the whole picture.”

Data centers and the metrics around them have been a source of dispute for OMB and GAO almost since the beginning of the initiative in 2011.

Connolly said he believes the data center initiative has stalled at some agencies. GAO said in August 2018, six agencies reported that they did not plan to meet their goals for closing tiered data centers and nine agencies reported that they did not plan to meet their goals for closing non-tiered data centers by the end of fiscal 2018.

OMB’s meeting with GAO in the coming weeks will do a lot to alleviate or spark the obvious concern in Congress. The fact that OMB didn’t at least brief GAO on the draft strategy before putting it out, once again, is a missed opportunity for the federal CIO’s office to control the narrative.


