Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Agencies can ‘stop chasing the rabbit’ by moving to a zero trust framework

If you’ve heard Federal Chief Information Officer Suzette Kent speak over the last six months, she undoubtedly mentioned the concept of a zero trust network pilot.

And if you’ve gone to almost any cybersecurity conference over the last six months, sometime during a panel discussion one of the participants certainly talked about how the future of cyber revolves around creating a zero trust network.

What rarely happens at these and so many other events is the discussion of what zero trust actually means. So let me help you out here.

Zero trust is not a new technology. It’s not a new tool. It’s more of a change of thinking about how to approach cybersecurity.

“Everyone has gotten sick of chasing the rabbit and continuing to fail,” said Dr. Chase Cunningham, a principal analyst at Forrester Research. “Obviously the current strategy many agencies were using wasn’t right so let’s take a step back and do what’s right in fixing the problem.”

That step back helped Forrester create a nine-step framework for agencies or any organization to follow.

“If you look at where you start, you can’t fix or fight what you don’t know is in existence. The breadth and depth of any infrastructure that you are trying to protect is so great that if you don’t have a baseline, how can you put in controls to fix it?” he said. “It’s nothing other than data and network security, but it’s the hardest part of the problem to solve. No one knows where their data is and what the value of that data is.”

A cyber umbrella for all initiatives

Basically, zero trust is an umbrella term that nearly every federal cyber initiative can fall under, but it requires a change of thinking to create a network that trusts no one and verifies everyone.

“The idea behind zero trust is to ensure that every user on any end point is verified,” said Greg Cranley, vice president of federal and public sector sales for Centrify. “You know the user, you know the device they are using and you know the access to the network they are allowed to have. If you do those three checkpoints, that allows you to take away a big part of the risk surface to any organization. When someone logs in, zero trust ensures that’s me and corroborates that it’s my device using a PKI certification verified by a certificate authority. Then any request that I make, whether it’s through a Salesforce platform or through another application, it checks with our Active Directory that I have the right to access that system or app.”

In many ways, the Office of Management and Budget began the move to zero trust soon after the data breach suffered by the Office of Personnel Management in 2015. Agencies were required to identify their high value data assets and increase protections around them. In fact, OMB released an updated policy for high value data assets on Dec. 10. While it didn’t mention zero trust, the idea of applying more rigor and focus on high value data assets fits right into this concept.

But it’s more than just knowing your data. Zero trust actually brings together many of the ongoing cyber initiatives across government.

And that’s where the CIO Council’s zero trust pilot comes in.

End points, network redefined

While details remain a bit fuzzy, government sources confirmed the pilot will focus on end points such as laptops or mobile devices, and redefine what the “corporate network” really means.

Sources say zero trust means pulling the network perimeter in around an agency’s most valuable data, because that is ultimately what any organization must protect.

The CIO Council is leading an effort to develop a common understanding of what zero trust architecture means. An interagency group, which includes the National Institute of Standards and Technology, the departments of Justice, Interior, Education and Health and Human Services, GSA, the Federal Deposit Insurance Corporation, OMB and the Defense Information Systems Agency, is developing the pilot and the common understanding.

Sources say the CIO Council expects to start the zero trust pilot in spring or summer 2019.

From the pilot, sources say OMB and the Homeland Security Department also are considering developing policy or guidance for how agencies can implement the concept of zero trust.

In the meantime, Cunningham said interest in the zero trust network concept has steadily increased over the last two years. He said agencies from the National Oceanic and Atmospheric Administration to NASA to the DHS to the U.S. Cyber Command have reached out to Forrester to learn more about the framework.

“The reason why it’s become so popular is a combination in the federal space of technology and culture,” he said. “I think the technology caught up on the platform level where you can do a lot with a single vendor because of all capabilities tools now bring. And with the culture, everyone has gotten sick of chasing the rabbit and continuing to fail.”

Centrify’s Cranley said zero trust also has received more attention because agencies finally recognized the value of identity and access management.

“Identity has proven to be the major cause of almost all data breaches because if people can steal my identity, use it to log in and we are not checking to see if it’s really me, then we are making it too easy for the bad actors,” he said. “Zero trust is a granular way to make sure you are allowed only to see what you are allowed to see. It allows us to get granular even down to the day and time of day. It makes it more difficult to steal data because it’s something you have, something you know and then it adds analytics on top of that.”
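To make the three checkpoints Cranley describes concrete (know the user, know the device, know the access), together with the day-and-time granularity mentioned just above, here is an added illustration written for this column; it is not code from Centrify, Forrester or any agency pilot. The trust anchors, device enrollment records, directory entitlements and sample requests are all constructed for the example, and the X.509 chain validation is assumed to have already been done by the TLS terminator so that the policy engine only consumes the resulting certificate fields. The point it shows is that the decision is default deny, every checkpoint is still evaluated rather than short-circuited, and the reasons for a denial are returned so they can be logged.

```python
"""Zero trust policy decision point, reduced to the three checkpoints.

Added example, not code from the original page: trust anchors, device
enrollment records, directory entitlements and sample requests are all
constructed inline. X.509 chain validation is assumed to have been done by
the TLS terminator; this code only consumes the resulting certificate fields.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class DeviceCert:
    issuer: str          # distinguished name of the issuing CA
    fingerprint: str     # certificate fingerprint, used as the enrollment key
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Request:
    user: str
    factors: frozenset   # authenticators presented, e.g. {"piv_card", "pin"}
    device: DeviceCert
    resource: str
    at: datetime         # timezone-aware time of the request


@dataclass(frozen=True)
class AccessRule:
    users: frozenset
    days: frozenset      # weekday numbers allowed, Monday=0 .. Sunday=6
    hours: range         # UTC hours allowed, e.g. range(7, 19)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# --- constructed policy data (hypothetical names and values) ---------------
TRUSTED_ISSUERS = {"CN=Agency Device CA"}
ENROLLED_DEVICES = {"SHA256:aa11": "alice", "SHA256:bb22": "bob"}  # fingerprint -> owner
FACTOR_TYPE = {"piv_card": "have", "otp_token": "have", "pin": "know", "password": "know"}
DIRECTORY = {  # stand-in for directory group membership plus a time window
    "salesforce": AccessRule(frozenset({"alice"}), frozenset(range(0, 5)), range(7, 19)),
    "hr-payroll": AccessRule(frozenset({"bob"}), frozenset(range(0, 5)), range(8, 17)),
}


def evaluate(req: Request) -> Decision:
    """Default deny: the request is allowed only if no checkpoint fails."""
    reasons = []

    # Checkpoint 1: know the user. Require something you have and something
    # you know, not merely two authenticators of the same type.
    kinds = {FACTOR_TYPE[f] for f in req.factors if f in FACTOR_TYPE}
    if not {"have", "know"} <= kinds:
        reasons.append("user: need one 'have' and one 'know' factor")

    # Checkpoint 2: know the device. Issuer must be a trusted CA, the
    # certificate must be within its validity period, and the device must be
    # enrolled to the same user who is logging in.
    dev = req.device
    if dev.issuer not in TRUSTED_ISSUERS:
        reasons.append("device: certificate issuer not trusted")
    if not dev.not_before <= req.at <= dev.not_after:
        reasons.append("device: certificate outside validity period")
    if ENROLLED_DEVICES.get(dev.fingerprint) != req.user:
        reasons.append("device: not enrolled to this user")

    # Checkpoint 3: know the access. Unknown resources are denied outright;
    # known ones are gated on entitlement and on the day/time window.
    rule = DIRECTORY.get(req.resource)
    if rule is None:
        reasons.append("access: unknown resource")
    else:
        if req.user not in rule.users:
            reasons.append("access: user not entitled to resource")
        if req.at.weekday() not in rule.days or req.at.hour not in rule.hours:
            reasons.append("access: outside permitted day/time window")

    return Decision(allowed=not reasons, reasons=reasons)


def demo() -> dict:
    """Constructed requests covering the pass case and each failure mode."""
    utc = timezone.utc
    alice_laptop = DeviceCert("CN=Agency Device CA", "SHA256:aa11",
                              datetime(2018, 1, 1, tzinfo=utc), datetime(2020, 1, 1, tzinfo=utc))
    rogue_laptop = DeviceCert("CN=Unknown CA", "SHA256:ff99",
                              datetime(2018, 1, 1, tzinfo=utc), datetime(2020, 1, 1, tzinfo=utc))
    tue_noon = datetime(2018, 12, 11, 14, 0, tzinfo=utc)   # Tuesday, 14:00 UTC
    tue_night = datetime(2018, 12, 11, 22, 0, tzinfo=utc)  # Tuesday, 22:00 UTC
    mfa = frozenset({"piv_card", "pin"})
    return {
        "ok": evaluate(Request("alice", mfa, alice_laptop, "salesforce", tue_noon)),
        "after_hours": evaluate(Request("alice", mfa, alice_laptop, "salesforce", tue_night)),
        "single_factor": evaluate(Request("alice", frozenset({"password"}), alice_laptop, "salesforce", tue_noon)),
        "rogue_device": evaluate(Request("alice", mfa, rogue_laptop, "salesforce", tue_noon)),
        "wrong_resource": evaluate(Request("alice", mfa, alice_laptop, "hr-payroll", tue_noon)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} allowed={decision.allowed} {decision.reasons}")
```

Two design choices are worth noting. The device check ties the certificate fingerprint to the user, so a valid agency certificate on someone else’s enrolled laptop still fails; and a resource with no directory entry is denied rather than falling through to a permissive default, which is the behavior a “trust no one, verify everyone” policy actually requires.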

Read more of the Reporter’s Notebook


On FITARA’s 4th anniversary, CIOs flexing more oversight muscles


The Department of Health and Human Services will be in the hot seat before the House Oversight and Government Reform Committee on Dec. 12 when its progress against the Federal IT Acquisition Reform Act (FITARA) will be scrutinized.

This seventh oversight session of FITARA will continue the committee’s focus on agency implementation of the law that is celebrating its four-year anniversary this month.

While few would argue these hearings are critical to keep agencies motivated and accountable, the real measure of meeting the spirit and intent of FITARA may not be found in the scorecard or at the hearings.

It is found in the bowels of agencies where the headquarters chief information officer is influencing, overseeing and managing technology spending on a regular basis.

Rod Turk, the outgoing acting CIO at the Commerce Department, offered a clear example of the type of success and impact of FITARA that many expected when lawmakers first started talking about the bill. He said that for the first time he issued budget formulation guidance to the bureau CIOs for fiscal 2020 budget development.


“The idea is this is what the department is considering significant in preparing for budget year 2020, and this is where we want you to focus on and we will come visit you to see what budget looks like and ask customer relationship type questions,” Turk said at an event sponsored by the American Council for Technology and Industry Advisory Council in Washington, D.C., on Dec. 5. “We provided the guidance late summer or early fall, and I went to all components and looked at their budgets. It was a tremendous exercise for me to review how much money was being spent and where the focus is. I didn’t have that visibility before.”

Driving bureau CIO’s behavior

And it’s more than just visibility into the bureau’s IT spending. Commerce’s implementation of FITARA is driving the behavior of the bureau’s CIOs.

“Now that I’m looking at the budget formulation and from our IT investment review for anything above $10 million, the bureau CIOs are reviewing contracts before they get to me so they are having a great impact on our functional investments,” Turk said. “It’s also enhanced the relationships between the bureau CIOs and the functional areas. That is leading to less rogue IT because they have better relationships.”

Turk said all of this is giving him a greater awareness of investments across the department, which is helping to take systems and tools and share them across all the bureaus, especially the smaller ones.

“Our goal is to improve the services and capabilities for less money so by sharing that information across the different bureaus, we can make smarter investments,” he said. “That is the significant impact from FITARA.”

It’s also the kind of impact the authors of the bill hoped for and expected.

Rich Beutel, a former staff member on the House Oversight and Government Reform Committee who helped write FITARA, said the goal of the legislation was to follow the money.

“One of the key areas that we were trying to solve with FITARA was the issue of CIO empowerment,” said Beutel, who is now managing principal of Cyrrus Analytics LLC. “We wanted to give them broader budget oversight, which is precisely what Rod Turk is describing and we hoped would start to occur.”

Beutel said Turk’s use of FITARA to drive visibility into the bureau level reminded him why the law was necessary in the first place.

“I remember talking to a component CIO of an agency who came in to the committee to tell me about one system that they were proud of. It was only going to cost them $40 million,” he said. “Just 48 hours later, another component CIO from same agency came in and started [to] tell me about basically the same system that they were spending only $60 million on. I asked if they knew about the other component’s system and they said their needs were different. But it was basically the same system. FITARA is trying to deal with empire building because it had gotten so rampant especially in federated agencies where components are so huge and dominate everything.”

The only way to stop this type of duplication is by giving the headquarters CIO authority to not only know what’s happening, but require components to work together.

CIOs need full authority over IT

Rep. Will Hurd (R-Texas), chairman of the Oversight and Government Reform IT subcommittee, said FITARA and its scorecard are supposed to drive a certain behavior.

“The CIO of the department or agency should have full insight and authority over all of the software and hardware they are responsible to protect. You can’t hold someone accountable if they don’t have the responsibility to manage their network properly,” Hurd said in an interview with Federal News Network.

Hurd said with the latest FITARA scorecard, the committee wants to focus agencies on ensuring their CIO reports to the deputy secretary or secretary of the agency, which 16 of 24 do today.

He also said the implementation of the MegaBYTE Act and the use of the working capital fund under the Modernizing Government Technology (MGT) Act are both good measures of the progress CIOs are making under FITARA.

“When the MegaBYTE Act was first introduced, the number of departments and agencies that understood or knew how many software licenses they were using was less than 4 of the 24 CFO Act agencies. Now all but four have a handle on this. It’s one of the things that moved the needle for CIOs,” Hurd said. “The other trend we are seeing is making sure the CIO is reporting to the agency head or deputy head. That means that the agency head, the chief executive of that department, values IT and values cybersecurity because the CIO is directly in their chain of command. That has changed behavior.”

Tony Scott, the former federal CIO, said when he was writing the implementation guidance in 2015, he knew the CIO authorities were the crown jewels of FITARA but it was going to take time for change to occur.

“We saw agencies where the CIO was being undermined or sidelined by superiors. At the time, many said FITARA, it was like these were protected programs and they were not going to let you have any involvement at all because it was a political or a pet project. While this wasn’t universal across all agencies, there were enough cases of it you were dismayed to say the least,” Scott said. “We also knew that as with any change, you have to win over the people and you need to just keep hammering away at these things and they will shine through. What has been very helpful is the consistency in terms of congressional oversight, and the fact that OMB has been consistent with its focus on it. With any change in personnel, especially when you get new political appointees, you’ve got a chance to break some of the culture issues that inevitably get in the way.”

Scott said he believes FITARA has been successful even though it has taken four years to really start seeing major changes.

“I think the law has significantly moved the needle and created real momentum and progress. We would’ve been in far worse shape had it not come to pass,” he said. “But that being said, are we aspirationally where we hoped to be, probably not. But that means the focus, the dedication, continued oversight by Congress and the consistency from OMB will help us get there.”



On heels of EIS extension, Rep. Connolly promises to take a closer look at transition efforts in next Congress

Few were surprised by the General Services Administration’s decision on Dec. 6 to extend the time for agencies to transition to the new Enterprise Infrastructure Solutions (EIS) telecommunications and network contract.

GSA announced agencies would have up to three more years to move to EIS from the Networx telecommunications contract. Originally, GSA set a deadline of May 2020 for agencies to finish the transition. After remaining firm on the timeline since it awarded EIS in August 2017, agency officials over the last year — as the likelihood of meeting that deadline waned — started to offer some daylight around a possible extension.

Now agencies have two new deadlines to focus on. By March 31, departments must release their EIS solicitations, and by Sept. 30, they must award their EIS task orders.

Alan Thomas, the commissioner of GSA’s Federal Acquisition Service, wrote in a blog last week that the decision to extend the transition timeline came from their “continuous engagement and dialogue” with agency customers and contractors.

Thomas said GSA will extend the expiring contracts: Networx, WITS and local service agreements.

An interagency group made up of the 20 largest agencies under the Networx contracts and led by senior executives from the Justice and Defense departments sent GSA a letter in the last month expressing concerns about the transition timeline. Multiple industry sources confirm the letter played a significant role in getting GSA to extend the transition timeline.

“Over the last several months, GSA has learned of challenges our customer agencies have encountered when transitioning to EIS,” said a GSA spokeswoman in a statement. “It is imperative agencies maintain their current EIS fair opportunity solicitation and award schedules, and continue to timely award their EIS contracts, so their new contract is in place with enough time to effectively transition to the new services.”

No choice but to extend the deadline

Diana Gowen, the senior vice president and general manager at MetTel Federal, one of the nine vendors on the EIS contract, said she wasn’t surprised by GSA’s decision given the current state of the contract.

“We are a year plus into the contract, a year and a quarter from March 2020, [and] no awardee has an authority to operate (ATO), no awards have been made on EIS,” she said. “How could any agency transition from Networx to EIS in the remaining time, with no awards and no ATOs? [GSA had] no choice. Additionally, I believe that GSA was reluctant to take their foot off of the gas pedal for fear that the agencies would breathe a sigh of relief and relax again.”

GSA, and now lawmakers, want to make sure agencies don’t relax.


Rep. Gerry Connolly (D-Va.), the incoming chairman of the Oversight and Government Reform Subcommittee on Government Operations, said the transition to EIS is his agenda for 2019.

“Enterprise Infrastructure Solutions is an opportunity for federal agencies to modernize their telecommunications and network infrastructure. It is disappointing that a lack of planning by both GSA and agencies will result in an extension of old contracts, which could potentially cost taxpayers hundreds of millions of dollars,” Connolly said in a statement to Federal News Network. “I plan on conducting close oversight of this transition to EIS so that agencies will complete their transitions sooner rather than later, use EIS to truly modernize their telecommunications and networks, and avoid another prolonged and costly transition like we experienced with Networx 10 years ago.”

Connolly and GSA are trying to avoid a repeat of the problems with the transition to Networx, which started in 2007 and lasted until 2013. The Government Accountability Office estimated that moving from FTS-2001 to Networx cost agencies $395 million more and took 33 months longer than expected, an arduous and costly transition.

Bob Woods, a retired federal executive who managed telecommunications transitions and now the founder and president of Topside Consulting Group LLC, which works with the industry, said interest from Capitol Hill will give this effort some much needed momentum.

“Vendors haven’t been as aggressive as I would have thought they’d be with the Hill,” he said. “I think there’s no reason for the transition to EIS to go this slowly, and there is no reason why the Oversight Committee wouldn’t have more interest. I hope it doesn’t have to reach a state of almost failure for Congress to get involved.”

Falling away from the IT modernization goal?

The Office of Management and Budget and Congress didn’t get involved in Networx until that transition was on shaky ground.

In 2008, OMB issued a memo at the start of the Networx transition detailing its expectations and the requirement to use the contract, but it never issued another policy during the transition. House oversight committee lawmakers held a hearing in 2010 asking why the move to Networx was behind schedule, but there was little oversight beyond that one hearing.

Connolly, and hopefully others on Capitol Hill, will take the same approach they are taking with the Federal IT Acquisition Reform Act (FITARA), where there are constant oversight hearings reviewing the law’s implementation. In fact, the committee will issue version seven of the FITARA scorecard on Dec. 12.

While OMB hasn’t issued any recent memos on EIS, the administration did focus heavily on it in its IT Modernization report. In the report to President Donald Trump, OMB said EIS is the vehicle to achieve the goals of consolidating and standardizing “network and security service acquisitions to take full advantage of economies of scale, reduce burden, and dramatically improve technical development and operations.”

But so far the focus on IT modernization has fallen short, and now with GSA’s new deadlines, some are concerned that agencies may stray farther from the goal.

Gowen said the “artificial” deadline GSA created is concerning for her company and other new entrants into the market.

“Responding to a ‘tsunami’ of task orders in less than nine months will be difficult for all awardees, but this ‘tsunami’ puts significant pressure on three of the new awardees, who are small businesses,” she said. “Few awardees will be able to respond to all task orders, even if they are in our sweet spot, in such a short period of time—it will be quite expensive, and in some cases impossible, so agencies may miss out on the benefits some awardees could offer them. I fear that this ‘forced’ tsunami will also push agencies toward a winner-take-all award mentality and/or a like-for-like task order, which also advantages the incumbents.”

EIS: 21 percent savings on average

The lack of progress is frustrating for agencies and vendors alike. ACT-IAC’s Network and Telecommunications Community of Interest estimated in an April report that, on average, the costs for services under EIS are 21 percent lower than under Networx.

“It’s pretty safe to say that nearly every product and service on Networx that is now on EIS has cost savings. While they all vary by carrier, there are double-digit cost savings to be had, especially if you transform,” said David Young, senior vice president of CenturyLink’s strategic government group, in an interview with Federal News Network. “There are technologies that industry is moving away from and as fewer and fewer buy those things from carriers, there are fewer people to support them and the cost structure will go up. So that’s why it’s important for agencies to just not move like-for-like, but to transform.”

Young said a perfect example of this is agencies need to move away from time-division multiplexing (TDM), which is a method of transmitting and receiving independent signals over a common signal path. He said if agencies continue to use TDM, they will pay a lot more than if they move to Ethernet.

Sam Kline, senior vice president for corporate strategy at Granite, said while the delay benefits incumbent contractors, he believes the floodgates of EIS solicitations will open soon enough.

“We are hearing different things from different agencies. Some of them have their fair opportunity solicitation ready to go, while others are still trying to decide their technical direction or are putting their entire inventory together. I think agencies are motivated to move to newer technology. I hope agencies move forward quickly because the outdated technology isn’t getting any newer or easier to keep running.”

CenturyLink’s Young added the extension is critical to give agencies and carriers much more latitude in how the transition from one contractor to another will be successful. He said more time makes the effort “more feasible and not rushed because when things are rushed, they can cause some problems.”


How OMB is taking a pragmatic approach to data center consolidation

The biggest difference in the fourth version of the Office of Management and Budget’s data center consolidation and optimization memo isn’t the decision to remove the focus on non-tiered data centers, nor is it the revamping of the metrics that don’t specifically focus on optimization or savings.

Rather, the biggest difference of the draft policy released Nov. 26 may just be the pragmatism of the entire memo itself. Several former federal officials said OMB seems to have listened to agencies about what metrics and goals are actually achievable, measurable and, maybe most importantly, logical.

“The memo does reflect the reality that they didn’t anticipate with the first memo from several years ago. Now that agencies have a couple of years under their collective belts, the practical realities needed revision,” said Rick Holgate, a former chief information officer in the Justice Department’s Bureau of Alcohol, Tobacco, Firearms and Explosives and now a senior director and analyst at Gartner. “The theme of relaxing or revising what is a data center is an acknowledgement of the realities of federal missions. Labs or high performance computing centers or medical or research facilities all may have needs for local computing footprints. The revised definition helps normalize and rationalize what is a data center to be reasonable and realistic.”

Comments on the draft policy are due Dec. 26.

It wasn’t that previous OMB data center policies didn’t reflect the reality of their day too. The lessons learned over the last eight years demonstrate that savings and optimization are fine metrics, but a one-size-fits-all approach across these two areas just doesn’t work.

“Earlier guidelines were geared toward getting quick wins—taking care of existing data centers that simply were not efficient and that could be dealt with quickly and easily, and with big returns on investment. In that context, clear-cut definitions and hard and fast metrics made sense,” said Bryan Thomas, vice president of public sector for World Wide Technology, in an email to Federal News Network. “As we’ve seen wins and successes, it becomes imperative we evolve the definitions and metrics. It’s less about what constitutes a tiered or non-tiered data center, and more about where agencies can continue to drive efficiencies. Yes, an agency can invest money in upgrading a small server room, but how much return will they see on their investment, compared to what they might get by investing that same money in upgrading the operational technology of a larger facility?”

Thomas said this becomes especially important as agencies collect and analyze more data to meet mission goals. He said the draft policy recognizes agencies need more flexibility to manage their data.

After 8 years, diminishing returns

And more importantly, OMB recognized the continued evolution in the draft memo.

“After eight years of work in consolidating and closing federal data centers, OMB has seen diminishing returns from agencies resulting from their closures. Much of the ‘low-hanging’ fruit of easily consolidated infrastructure has been picked, and to realize further efficiencies will require continued investment to address the more complex areas where savings is achievable,” Suzette Kent, the federal CIO, writes in the draft policy. “While optimization will be the new priority, consolidation and closures should continue wherever applicable. OMB will focus on targeted improvements in key areas where agencies can make meaningful improvements and achieve further cost savings.”

OMB made that clear by freezing new data centers and the expansion of existing ones, and by reinforcing the requirement to follow the Cloud Smart strategy. OMB released the draft Cloud Smart strategy in September and now is reviewing comments.

“As previously required by the FDCCI, agencies shall continue to principally reduce application, system, and database inventories to essential enterprise levels by increasing the use of virtualization to enable pooling of storage, network and computer resources, and dynamic allocation on-demand,” Kent writes. “Agencies shall evaluate options for the consolidation and closure of existing data centers where practical, in alignment with the Cloud Smart strategy. The Cloud Smart strategy emphasizes the use of risk-based decision-making and service delivery as key considerations in evaluating cloud technologies.”

Thomas said the draft policy lets agencies figure out their specific operational constraints and evolve their enterprise to focus on workload placement, application rationalization, and automation.

“This evolution will increase each agency’s agility while reducing costs and physical footprint,” he said.

At the same time, OMB also is shutting down the data center marketplace that the Obama administration sought to create at the General Services Administration. In 2016, OMB wanted GSA to connect agencies with extra data center capacity with those who needed to expand. The initiative, as envisioned, never got off the ground.

“There were several challenges to getting shared services going,” said Brig. Gen. (retired) Greg Touhill, the former federal chief information security officer and now president of Cyxtera’s federal group, in an interview with Federal News Network. “By the time the government often gets itself organized, they are overcome by events in the private sector. Based on what I see in my company and the data centers we are running, we are running at the highest levels from classified all the way to unclassified. At this point, the private sector is able to meet every single capability the government demands, so the days of investing in any data center are not a wise use of people’s money.”

Non-tiered centers still a security risk

Touhill said the decision to de-emphasize the closing of non-tiered data centers — those small closets or single servers — is a bit concerning.

While he said he understands OMB’s rationale, the cyber risk from these outposts is just as great as that from the tiered data centers.

“When I was commanding units in the military, we had our multi-disciplinary teams finding those servers and exploiting them. They’d find them in the middle of the night. They were inadequately protected, but they were strategically important because they were devices that gave us an entry into certain networks,” he said. “I would hate to have an organization look at this proposal and say, ‘I know [I] have a hall pass and I don’t have to close or secure a server closet because it’s only based on cost effectiveness.’”

Touhill added the non-tiered data centers also can lead to shadow IT, which increases the obstacles to fully implementing the CIO’s authorities under the Federal IT Acquisition Reform Act (FITARA).

OMB mentioned FITARA in the draft policy nine times and emphasized the changes adhere to the law. But Kent doesn’t address the CIO authorities particularly around non-tiered data centers as a way to limit or stop the growth of shadow IT.

Holgate said OMB also didn’t make clear in the memo that it conferred with lawmakers and the Government Accountability Office on these changes, which is important when it comes to the FITARA scorecard.

“This would help stop the gotcha FITARA hearings when CIOs are given different metrics from OMB, which they are comfortable with, but then get whacked on the wrist by GAO or the Oversight and Government Reform Committee for not meeting congressional metrics,” he said. “That will dampen the changes a little bit if GAO and the committee aren’t on board so it would’ve been helpful if OMB indicated they worked with others on these revised metrics.”

While one would hope, and even expect, OMB to have conferred with GAO and Congress around these changes, a sentence or two saying so would go a long way, especially given the long history of disagreement over how to measure savings.

World Wide Technology’s Thomas said this pragmatic approach is likely to deliver more of the results OMB is looking for in this initiative.

Gartner’s Holgate added, “I see this really as an evolutionary policy. It reflects what has worked and what has not over the years. This will enable agencies to show more tangible progress against the metrics, which reflect what’s possible based on the lessons over the last few years.”



Vendors more motivated to protest to GAO, 2018 numbers show why


The Government Accountability Office’s latest annual report on bid protests shows a less than 1 percent increase in the number of complaints last fiscal year. Of the hundreds of thousands, if not millions, of contract transactions that happen annually across government, contractors decided to take their grievances to GAO for just over 2,600 of them.

On the surface, it seems like the federal procurement marketplace is doing just fine.

But if you dig deeper into GAO’s numbers, there are some concerning trends.

Steve Schooner, the Nash & Cibinic Professor of Government Procurement Law at the George Washington University in Washington, D.C., said the number of hearings GAO is holding is so small it may be sending a chilling message to the community.

“Indeed, based on the 2018 numbers, one must conclude that, under GAO’s current bid protest shop leadership, a significant policy decision has been made to permit fewer hearings or, in effect, eliminate them in all but the most extraordinary matters,” Schooner said in an email to Federal News Network. “To put the 2018 number — hearings in only five cases (only 1/2 of one percent of the matters filed) — in context, keep in mind that the report, which shows a decreasing trend line, only goes back 5 years. But looking at prior reports that number is down from 61 cases (10 percent) in 2010, and 74 cases (13 percent) in 2003. That’s a pretty dramatic change in practice.”

Schooner said GAO changed its policy in 2018 in the 10th edition of its “Descriptive Guide” to bid protests, but didn’t explain well why it is moving away from hearings. That “makes the sudden drop seem out of character or, more specifically, inexplicable.”

He said the guide reminds us that GAO can hold a hearing on its own initiative or provide one upon request.

“Where the guide explains that a protestor may request a hearing and ‘must explain … the reason a hearing is necessary to resolve the protest,’ it doesn’t say that such a hearing will only be granted in ‘extraordinary’ cases,” he said. “I don’t know how much attorneys should be expected to read into the statement: ‘Because hearings increase the costs and burdens of protests, GAO holds hearings only when necessary.’ Rather, GAO merely points out that ‘GAO has issued a number of decisions that discuss reasons for holding hearings …’ And, of course, GAO reserves the right to hold a more limited hearing than requested. But that’s a far cry from statistically, empirically never holding a hearing. Again, none of this is new, so it would be helpful if GAO was more transparent on its obviously evolving practices with regard to hearings.”

GAO’s filing fee not a disincentive

It’s more than just the lack of hearings that shows some concerning trends. Other procurement lawyers say companies are more inclined to submit protests, and GAO’s decision to require a $350 fee per filing doesn’t seem to be a disincentive.

Eric Crusius, a partner with Holland & Knight in Washington, said a mostly steady or rising effectiveness rate is fueling the additional protests.

“When contractors see that a protest will have a 50 percent chance of receiving some kind of relief, they are encouraged their claims will receive a fair hearing,” he said. “It also shows how necessary the protest system is. Federal contracting needs protests to ensure taxpayer dollars are being spent correctly and at nearly 50 percent of the time when a protest is filed, the agency could have done something better.”

Barbara Kinosky, managing partner of Centre Law and Consulting LLC, said she is seeing companies that have never protested before now filing complaints.

“I think it’s budget uncertainty at the agency level. Companies are not sure when [the] next big request for proposals will come out,” she said. “There are not a lot of agencies stepping up and making big statements other than GSA about contracting actions or plans.”

Crusius said the numbers also show agencies and vendors are beginning to dig in more. GAO said the sustain rate dropped to 15 percent from 17 percent, but the number of protests going the full 100 days increased to 622 last year from 581 in 2017.

“Once a protest passes the comments stage — when a contractor responds to an agency report and underlying procurement record — on day 40, there is little incentive to resolve the protest,” he said. “For both the government and contractors, the only work left to be done is usually at GAO. GAO has been working to utilize alternative dispute resolution (ADR) in recent years to break the post 40-day logjam. Perhaps looking to expand that program would result in fewer written decisions. That being said, final decisions are helpful from GAO because they help shape future actions by contractors and contracting agencies in similar situations.”

The number of ADR cases increased by five to 86 in 2018 but the success rate dropped considerably to 77 percent from 90 percent in 2017.

Protests of task orders up by 100

Another interesting statistic is that the number of protests of task order contracts increased by 100. In 2018, only 356 of the more than 2,400 cases GAO closed came from task orders, up from 256 in 2017, but down from 375 in 2016.

Kinosky said this is one area where vendors remain hesitant to file protests. Unlike with single-award solicitations, the contractor expects to have many more opportunities to win work under the same contract, so suing its customer over one task order isn’t necessarily a good idea.

All of these statistics become even more important as the Section 809 panel prepares its January report. David Drabkin, the chairman of the panel, tweeted last week that the next set of recommendations is due in mid-January and bid protests will, once again, be part of the discussion.

In May, the panel made four major recommendations to change bid protests, including limiting viable protest grounds and expediting protest timelines to 10 days for some complaints.

Crusius said expedited protest procedures specifically for smaller-dollar protests are worth pursuing and could eliminate a lot of the delays.

“More transparency in procurement and the protest process will encourage more judicious outcomes. For instance, fuller debriefings should be encouraged because they would sharply curtail protests that are filed in the search of additional information,” he said. “In addition, greater public access to GAO protest dockets and documents will help contractors and their attorneys make more informed decisions about when to protest. The protest process (as well as the procurement process) is often shrouded in unnecessary secrecy.”

Kinosky added another suggestion the panel should consider recommending is creating a real appeals process. If vendors lose at GAO, they can file with the Court of Federal Claims, which delays the procurement longer.

“We’ve all talked about the problem with federal procurements in making timely purchases to meet emerging needs, especially in cybersecurity and IT,” she said. “I do believe having two forums contributes to that. I think we need to either have an appeal process to the Court of Federal Claims so the process doesn’t have to start over, or maybe have a more thoughtful process to see if there is a real error versus just getting a redo.”

Moses held up the cyber mantle at OMB office

Few would doubt that Josh Moses held up and enhanced the reputation of those who came before him as the Office of Management and Budget’s chief of the cyber office.

Moses, who left his role on Nov. 30 after more than three years to take a job with the PricewaterhouseCoopers commercial division, was known for his ability to easily shift between the policy and technical worlds.

Josh Moses left as chief of OMB’s cyber office on Nov. 30 to join the private sector.

“Josh has continued to build on the work that the OMB Cyber team and the Office of the Federal CIO/CISO have done for the last four years. The business processes he has put in place will continue to elevate the level of security across federal departments and agencies for years,” said Ross Nodurft, a former OMB cyber chief and now a vice president of risk management at OneWorld Identity. “Thanks to him, our CIOs and CISOs are focused on measuring outcomes as opposed to reacting to compliance regimes. As a leader in the Federal CIO’s office, Josh truly cared about the mission of the cybersecurity. Through his leadership, agencies elevated their ability to manage the multitude of cyber risks that they face every day.”

Moses spearheaded the first-ever governmentwide risk determination report, which established a baseline for all agencies and came up with specific plans to address these issues.

“Josh was a huge contributor to and leader of the OMB Cyber Team and the Office of the Federal CIO/CISO. The biggest compliment I can give is that after his four years, Federal cybersecurity is better today because of his efforts,” said Joe Stuntz, a former OMB cyber chief and now a principal with OneWorld Identity. “His focus on the federal workforce and his emphasis on real risk management will continue to pay dividends for years and the OMB Cyber team is stronger and better prepared for the future thanks to his leadership, but will certainly miss his positivity and sometimes good jokes.”

Moses also worked with the Department of Homeland Security to address new goals and approaches to the Federal Information Security Management Act (FISMA) to give agencies more flexibility to achieve a final goal versus following a prescriptive set of requirements.

Moses joined the government in 2009 as a program manager at the Treasury Department’s Special Inspector General for Troubled Asset Relief Program (TARP). He then moved to the Defense Department’s Office of the Inspector General and then to Amtrak’s oversight office.

“Josh’s contributions and service to the federal government’s cybersecurity mission are extremely valued,” said Federal CIO Suzette Kent in an email statement. “I want to thank him for his hard work and effort in advancing the president’s cybersecurity agenda.”

It’s unclear who will replace Moses as the cybersecurity division leader.

Commerce exec heading back to consultancy

Along with Moses, another impactful federal employee is heading to the private sector.

Glenn Davidson, who was the Commerce Department’s executive director of Enterprise Services for the last three years, joined Deloitte’s human capital transformation practice.

Davidson led the agency’s effort to consolidate all back-office functions since 2015. He did that by capturing the total cost of ownership for procurement, human resources, technology and financial management, conducting a comparative analysis of public and private sector organizations, and detailing what it would cost in people, process and technology to improve these administrative services.

While the effort is far from complete, the model is one that many agencies could follow to meet the Trump administration’s goals of reducing costs and improving the effectiveness of these services.

This was Davidson’s first experience in the federal government, having worked with consulting firms Accenture and KPMG as well as being chief of staff to the governor of Virginia in the early 1990s.

Molly Cain, DHS’ director of venture, also left federal service last month. According to her LinkedIn page, Cain’s two-year appointment ended, which was the reason for her leaving.

During her time at DHS, Cain led the effort to launch the Office of Innovation, which seeks to pilot several assumptions and initiatives and to serve as a bridge between venture capital, startups, academia and Fortune 500 companies.

Finally, Shane Barney was promoted to chief information security officer of DHS’ U.S. Citizenship and Immigration Services directorate. Barney had been deputy CISO since May 2016. He has been with USCIS since 2014 when he joined as a chief of the cyber intelligence branch.

3 takeaways from DISA’s forecast to industry

The Defense Information Systems Agency may be best known for the more than $5 billion in contracting support it provides the military services and agencies each year. But with the move of the Joint Force Headquarters, DoD Information Network (JFHQ-DoDIN) to DISA earlier this year, the agency is playing a bigger role in securing the Pentagon’s networks and data.

Just listen to what Dana Deasy, the Defense Department’s chief information officer, said are his priorities: Cloud, cybersecurity, artificial intelligence and next generation command and control. All of these relate back to the work DISA is doing and will continue to do into 2019. And it’s also the reason why DISA’s Forecast to Industry day is one of the must-attend events each year.

More than 500 people journeyed out to Linthicum, Maryland on Nov. 5 to hear from and meet with DISA’s senior executives. While the focus of the day tends to be the agency’s acquisition plans for 2019, including the timing of the release of solicitations and awards as well as any acquisition strategy it has determined, the real benefit for contractors is the policies and programs behind the contracts.

It’s also more than just DISA discussing the products and services it wants to buy, but officials discussing why they are buying them.

The Forecast to Industry day continues to be a refreshing reminder of the importance of industry-government communication and of what success looks like. To be clear, the model isn’t perfect by any means, but it’s head and shoulders above what most agencies do.

Here are three highlights from the event:

A new view of how to secure the endpoints

A new endpoint security policy is coming from DoD.

Lisa Belt, the acting cyber development executive, said the document will incorporate lessons learned over the last year from the military services’ pilots of different endpoint detection, response and containment tools.

Belt said it also is based on the results from the DoD cyber architecture review effort and a new analysis of the endpoint threats the military faces.

The strategy aims to converge the security of traditional endpoints like laptops with new ones like mobile devices and critical infrastructure systems.

DoD has been using a host-based security system (HBSS) approach for much of the past decade. DISA says “HBSS is designed to provide a flexible, modular design that enables expansion of the tool by incorporating additional security capabilities, integrating existing security products, and eliminating redundant systems management processes.”

The DoD CIO’s office asked DISA to test new endpoint security technologies. DISA worked with the Army Research Laboratories at Adelphi, Maryland to analyze eight endpoint detection and response and application containment technologies.

“We’ve got some ongoing piloting activities, live environments out with the services and our mission partners. We are learning about what’s working there and what isn’t,” she said. “Expect to see some acquisition strategies refined in this space as we move forward over the next three-to-six months.”

Belt said DoD has done good work to secure traditional endpoints, but as the Pentagon’s environment becomes more complex, a next generation approach is needed.

“We have a phased approach because of the complicated environment,” she said. “Mobility has been expressly and intently built into that strategy as well as supervisory control and data acquisition (SCADA), Internet of Things and more non-traditional endpoints where we’ve done some work across the enterprise but we really eventually under this phased approach will need to get after how all of these various endpoints security can come together.”

CAC’s transformation to zero trust

DISA has several irons in the proverbial fire around identity management and access control.

First, the traditional use of PKI, public key infrastructure, will continue, as DISA and the National Security Agency are the joint program managers of the program.

“We are working our way through what happens in the identity space. This is key and transformational. It’s on Mr. Deasy’s top 10 cyber list. If we don’t get the next generation of identity right with quantum computing coming at us and encryption, we really don’t have much to talk about if we can’t definitively identify who is on the network, where they are and how they’re operating, everything else we are doing is interesting, but not as effective as it could be,” Belt said. “So working closely with the innovation folks, we have our engineers and our program managers with some key stakeholders and mission partners on what identity will look like writ large in the next three-to-five years.”

In the short term, DISA is trying to improve its current approach.

For instance, Douglas Packard, DISA’s procurement services executive, said the agency released a request for a white paper under Other Transaction Authority (OTA) for how artificial intelligence could help assure a user’s identity on a mobile device.

“It has a set of models and we are building them into fusion score and making a decision based on risk,” he said. “We are using AI in several places, but I don’t see us specifically buying AI.”

This effort is in addition to DISA’s Purebred program, which replaces the need for smart card readers to send digitally signed and encrypted email, decrypt email, and authenticate to DoD websites when using a DoD mobile device. DISA says “Purebred provides a secure, over-the-air credentialing process through a series of one-time passwords and user demonstrated possession and use of a CAC.”

Currently there are more than 32,000 users of the Purebred technology.

At the same time, DISA rolled out a series of services under PKI to improve identity management and access control.

Jason Martin, the services executive, said DISA now has a single authoritative source of identity data for all of its customers and their applications and endpoint devices.

“To secure all that … we rolled out virtual desktop interface (VDI) for those folks who have access to privileged information. So our entire privileged user base is now using a scaled down version of an enterprise VDI,” he said. “We are very excited about that capability. We have been able to eliminate over 200,000 user accounts simply by developing a single authentication solution and a single entry into that solution. From a security threat vector perspective, that’s pretty good. We dramatically reduced our threat vector simply by instituting two solutions.”

Martin said DISA wants to provide these VDI tools to other services as well.

All of the work around identity management is helping lead DISA toward a zero trust network.

Belt said it will take DoD some time to get to a full zero trust network, but identity and the endpoint security policy are pieces to the bigger puzzle.

Forecast: Cloudy with a chance of more clouds

Every senior official who presented mentioned the word cloud in some way or another. So it’s not surprising that DISA continues to be leading many DoD efforts around cloud.

Even with all the anxiety and drama over the $10 billion JEDI cloud program, officials tried to make clear to the industry audience that a multi-cloud approach is the only way for the Pentagon.

Deasy, the DoD CIO, said the military will use both a general purpose cloud and a fit-for-purpose cloud.

“I’ve been asked a lot about our cloud strategy and I keep pointing out there will be multiple vendors, multiple clouds,” Deasy said.

No matter what happens with JEDI, DISA continues to move out with its cloud initiatives including the maturing of MilCloud 2.0 and the Defense Enterprise Operations Solutions (DEOS) strategy.

Martin said DISA already has migrated 30 applications to the MilCloud 2.0 and more are coming as the “fourth estate” agencies migrate more than 100 data centers to the offering by March 2019.

“What we are doing now is placing heavy emphasis on integrating us with the commercial vendors’ off-premise solutions for cloud with the secure cloud computing environment point also known as the cloud access points (CAPs),” he said. “That is where we’ve placed a lot of emphasis, time and effort over the past six months, and we will continue to over the next year or two as we continue to move people onto the unclassified (NIPR) CAPs and as we build out the secret (SIPR) CAPs.”

Martin said DISA also is raising the security of MilCloud 2.0 to impact level six on the secret enclave. Martin said he expects to reach that security level by early 2019.

And finally, DISA will decommission MilCloud 1.0 in November 2019 and move all the existing capabilities on to version 2.0 over the next year.

$3.2B worth of cyber contracts positions DHS for a good ‘backlog’

The decision by the Office of Management and Budget to give agencies more flexibility in how they meet the requirements of the continuous diagnostics and mitigation (CDM) program may be seen by some as a much needed change to a program that has been slow and, at times, frustrating.

But if you’re Kevin Cox, the CDM program manager at the Homeland Security Department, your glass is more than just half full. It’s a chalice full of hope and possibilities.

Cox sees a bright future for CDM in new ways, from security operations-as-a-service (SOCaaS) to shared services for small and micro agencies to ensuring agencies are a part of the continuous improvement cycle, because cybersecurity is never done.

Most of all, Cox is a pragmatist about the program. Agency needs change, vendors’ ability to provide new tools and services ebbs and flows with emerging technologies, and just because there was a plan three or five years ago doesn’t mean it can’t be improved; he knows approaches always can be improved.

“One of the things that we as a program really want to get our focus shifted to is the idea of the requirements for the program rather than coming out with specific solutions. We want to know first and foremost what those requirements are, and then we want to make sure we are working with the agencies to understand what those requirements are and in the long run meet those requirements,” Cox said on Ask the CIO. “We worked with OMB to really keep it requirements focused, and ultimately benefit the agencies so they had a memo to take to their components and offices and say, ‘we all need this at the agency level, at the federal level to understand what our enterprise looks like from a cyber perspective.’”

The CDM program, once again, stepped into its next evolution with OMB’s fiscal 2019 Federal Information Security Management Act (FISMA) guidance that opened the door for agencies to acquire tools and services outside the initiative’s bounds or use existing cybersecurity software that meets the program’s requirements.

CDM is not focused on a particular solution

Cox said DHS has heard regularly from agencies about the time it took to deploy tools as well as the question about why they should replace existing tools that were working and meeting the requirements of CDM.

“We don’t want to have the perception that we are focused on a particular solution. We want to make sure the requirements remain the focus and if an agency can show those requirements, then we will take the data from that system to meet the requirement,” he said. “At times there was a perception that CDM was coming in to rip and replace entire solutions that were working. We don’t want that to be the case. A key for the CDM program is the partnership not only with the agencies but also the integrators to get the right solutions for the agency and make sure everything interfaces for communication purposes, and the agency gets the visibility they need and federal leadership gets the visibility they need to ensure the federal enterprise is secure.”

To DHS and the General Services Administration’s credit (a lot of it goes to Jim Piche, GSA’s Federal Acquisition Service’s homeland sector director for FedSIM), they recognized the need to change CDM. While it’s been far from perfect, and it is a fair criticism that it took GSA and DHS too long to move off the initial approach, the agency partners along with OMB recognized the need for this latest change more quickly. Along with the new acquisition approach of awarding long-term, services-based contracts, the focus on requirements rather than specific solutions seems to be coming at the right time.

DHS is starting to face a backlog of requests for additional CDM-related capabilities.

Greg Decker, a principal with Booz Allen Hamilton and the chief engineer for the CDM program, said at the recent Symantec Government Symposium that, with DHS and GSA awarding more than $3.2 billion in cyber contracts over the last year, the competition for expertise is strong, as is the demand for services from agencies.

“The DEFEND contractors are completing Phases 1 and 2, filling gaps for Phase 1 and finishing Phase 2,” Decker said. “That will give agency leadership a complete view of the enterprise through the dashboard and begin to transform the sensors to integrate with the governmentwide and agencywide dashboards. We also are seeing agencies incorporating more threat intelligence especially around their high-value assets into the dashboard.”

Decker added that DHS also is prioritizing the requirements based on what they see across agencies through their government cyber architecture review effort.

DHS wants to hire 30 employees

Cox said DHS is starting to see a bottleneck in terms of the number of staff it can put toward the program. He said he has been working with DHS leadership to hire as many as 30 more employees in the coming months.

Part of the reason for the bottleneck of requirements is a change in how DHS and agencies determine the next set of capabilities.

“We need to make sure the agencies and DHS are defining the requirements before we go to the integrator and have them come back with a proposal. What we don’t want to do is say ‘integrator, define our requirements for us.’ What gets delivered may not be what we really need. It’s something that we’ve really worked to introduce discipline within our own program as well our interactions with agencies. That’s why we can’t say Booz Allen, CACI or whomever, come up with something new,” Cox said. “In terms of timing around the backlog, a lot of it is just volume right now. We’ve got all the DEFEND task orders in place so all the agencies are coming to us with ideas for requests for services and we have our own RFSes so that’s why we are starting to see a backlog. But I think overall we have good management on it. It’s not like we have a tremendous backlog, we just have some slow down.”

Cox, DHS and GSA should be recognized for their ability to change and evolve. Too many times agency programs believe the risks of change are too great and the rewards not worthwhile enough, and that’s why we see failed technology programs that waste millions of dollars.

Obituary: Jeff Koch was a ‘renaissance man’ for federal IT

The federal technology community is mourning the loss of Jeff Koch.

You may not know the name and that’s OK. But you’ve probably been impacted by Koch’s creative and practical work on federal technology and management issues over the past 20 years.

Jeff Koch, who passed away suddenly earlier this month, served in both the Bush and Trump administrations.

Koch, who served as the Labor Department’s deputy assistant secretary for administration and management for the last year, passed away suddenly Nov. 3 from liposarcoma, a rare form of cancer that begins in the fat cells. He had been battling the disease since 2015, going in to remission and out of remission several times.

Koch was 55 years old and is survived by Patty Stolnacker Koch, his wife of seven years. The couple is expecting their first child in January.

“Jeff’s sudden passing shocked and saddened his many colleagues and friends at the Department of Labor,” said Pat Pizzella, deputy secretary of Labor, in an email to Federal News Network. “Those of us who worked with Jeff at DOL during the Bush administration and the past year will miss his keen intellect and sharp sense of humor. Jeff’s combined expertise in classical music, personal computers and guns made him always fun to be part of any conversation.”

Koch, who was known for his twin passions of classical music and the Boy Scouts, was a true public servant. After a short time in the private sector, Koch found his third passion – good government. He came to Washington as chief of staff for Rep. Pete Sessions (R-Texas) in 1998, and moved to DOL as its associate chief information officer in 2002.

“It was a shock that we are here but we’ve come to say Jeff Koch is worthy of the accolades he will receive in heaven,” Sessions said at the funeral service on Nov. 10 in Alexandria, Virginia. “Jeff excelled in the exuberance of life and shined in the light of other people.”

Where Koch made his biggest impact on federal service was during his time as an e-government portfolio manager at the Office of Management and Budget, where he worked on the government-to-government projects.

Tim Young, who was the deputy federal CIO during the Bush administration and an e-government portfolio manager at OMB, said Koch had an “unwavering commitment” to improving federal technology.

“Jeff was successful in getting so much done because of his poise, persistence, and persuasion,” said Young, who now is a principal with Deloitte, in an email to Federal News Network. “Jeff was the colleague you went to when you had a large, complex, politically-sensitive challenge to solve. You went to Jeff because his response was always ‘Yes, and … ,’ followed by numerous (emphasis on ‘numerous!’) probing questions, some light-hearted humor and refreshing optimism and enthusiasm to get to a solution.”

Koch worked on the internal efficiency and effectiveness portfolio, which included projects such as e-payroll, e-travel and the electronic official personnel file (eOPF).

“In several contentious E-Gov governance board meetings, Jeff showed his distinctive ability to cut through tense moments through his wit, ‘unconventional’ sense of humor, and self-deprecation,” Young said. “He had this amazing ability to lead change by simply being his authentic self.”

As several colleagues said, Koch was the last one to turn out the lights at OMB when the Bush administration ended, sending emails to agencies 30 minutes before Barack Obama was sworn in as president.

“Jeff was a true public servant, whom I had the privilege of serving alongside at OMB for five years. He was an inspiration to those around him, dedicated to his work and achieving results. His loss is not only a loss for the community, but for the nation,” said Karen Evans, assistant secretary of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response.

On a personal note, I covered Koch during his time at OMB and at Labor, and kept in touch with him over the last decade since he left federal service. He never criticized the new administration, offering only thoughtful insights, historical context and direct questions about federal management issues.

Koch wore his passions on his sleeve and never wavered in his belief that a little hard work from a group of people with shared goals made anything possible.

Time and again, he showed resilience in pushing federal IT and management issues up a steep hill, whether dealing with grumpy political appointees or frustrated contractors.

Outside of work, Koch enjoyed life. He played the cello in the community orchestra, led a Boy Scout troop, and entertained the neighborhood with a super-spooky haunted house for Halloween and a mega slip-n-slide on July Fourth. He also was an Eagle Scout, a ham radio operator, a rare arms collector, a competitive cyclist and played Ultimate Frisbee.

His friends and relatives called Koch a “renaissance man” for his varied interests and his ability to feel comfortable in a tuxedo or covered in mud.

“For Jeff, it was less about the activity and more about enjoying the companionship of the people around him,” said his long-time friend Brian Carlson at the service.

Koch may not have been a household name in the federal technology community, but his impact will continue to be felt for decades to come and his legacy is one we all should aspire to.

There are few truer public servants who grace the IT community the way Koch did. For that, we are thankful and will miss him.

GSA’s IT shuffle, ODNI tour ends

In other personnel news, the General Services Administration is losing one technology executive to the private sector and gaining one back at the same time.

Navin Vembar, the GSA chief technology officer since 2016, is leaving to join CollabraLink to be the chief technology officer. Vembar joined GSA in 2011 as an enterprise data manager, became the director of the IT Integrated Award Environment (IAE) in 2013 to rescue the failing Sam.gov site, and eventually CTO.

CollabraLink is an IT services and consulting firm providing systems development and integration, technology infrastructure support and program/project management services.

Meanwhile, Beth Killoran, the former chief information officer at the Department of Health and Human Services, also found a new job, as GSA’s deputy CIO. She updated her LinkedIn page Nov. 12 confirming the rumored move.

Killoran spent the last two-plus years as the HHS CIO. The agency moved her into a new role in August. She replaced Steve Grewal, who left for the private sector in January.

Finally, Tonya Ugoretz, the director of the Cyber Threat Intelligence Integration Center (CTIIC), is heading back to the FBI after serving for two years with the Office of the Director of National Intelligence (ODNI). Ugoretz will return to the FBI as the deputy assistant director for intelligence in FBI’s cyber division. She is a career FBI intelligence analyst who joined CTIIC as its first director in 2016 under a two-year detail.

She entered the government in 2001 as a Presidential Management Fellow and as an all-source analyst with the FBI’s counterterrorism program. In 2003, she became the first analyst to serve as the FBI director’s daily intelligence briefer.

Can DHS get financial shared services right by following OMB’s refreshed strategy?


The Homeland Security Department laid out its plans in late October for a fourth attempt since 2003 to modernize its financial management system.

After failing twice with the private sector and once with a federal shared service provider, DHS told industry on Oct. 24 in a notice in FedBizOpps.gov that its market research revealed a two-pronged approach that may just work this time.

“At this point, the government plans to conduct two procurements for the Financial Procurement and Asset Management Systems (FPAMS): 1) software, and 2) system integration support services,” the notice states. “The government anticipates the award of the software procurement in June 2019. The government anticipates the award of the system integration support services in August 2019. The government expects to issue a draft statement of work, evaluation factors, and price schedule in December 2018.”

DHS’s decision to buy software and then integration support services isn’t surprising or unexpected. It is, however, a glimpse into the future of federal shared services.

When the Office of Management and Budget releases the December update to the President’s Management Agenda, the shared services cross-agency priority goal — Number 5 of 14 if you are keeping score at home — will have a refreshed strategy.

Suzette Kent, the federal chief information officer, offered a small glimpse into what we should expect at the Nov. 1 Shared Service Summit sponsored by the Association of Government Accountants, ACT-IAC and the Shared Services Leadership Coalition.

“The way that we are going about the journey is in three pieces. The first is we are looking at services that are already fairly widely used and there is a lot of agreement. Maybe some of those are smaller services … like fleet management. We will be elevating those to the model that matches the target state of how the services are provided, which includes a focus on continuous innovation, a priority for customer service and shows ways we can get some quick wins,” she said. “The second thing we are focusing on are in areas [such as human resources or financial management] where we are driving out the standards and defining the journey around that set of solutions.”

Kent said that could mean coming to agreement across the government on the standards and then moving out for quick wins in those areas.

Continuous innovation necessary

Finally, the third piece of the strategy is continuous innovation.

“Some of the barriers in the past have been once a service is rolled out that connection to continued improvement, leveraging new technologies, changing the operating model, continuing to build, grow and identify other services, that is a commitment we have to make,” Kent said. “It’s that ongoing commitment that we just don’t get to a place and stop, and get to that place and it’s just a starting point in the journey. And the agency is continually involved in defining new requirements, enhancements and leveraging those innovations so we continue to drive value, benefit and use modern technology.”

Kent said the refreshed strategy helps meet agencies where they are, but gives them an idea of what success looks like today and in the future. The administration is focused on 14 areas that it believes are ripe for shared services and which could save the government $2 billion over the next decade.

Other near-term shared services opportunities that are emerging are around contract close-out and records management.

“When we look at the full scale of what we need to modernize, there are many systems that are decades old. It’s a huge agenda. Shared services and the areas we are focusing on, they appear on many agencies’ agendas. They are some of the oldest sets of applications. They are some of the applications that are most in need of updates, and some of the applications that create more substantial threats,” Kent said. “How do we protect the data and the information that are in those systems? I see the shared services agenda absolutely linked with IT modernization because it’s a way we can pick [a] common set of solutions and move a large group quickly to a more modern, more secure, better service platform.”

Beth Angerman, the acting principal deputy associate administrator in the Office of Governmentwide Policy at the General Services Administration and executive director of the Unified Shared Services Management office, put a finer point on the forthcoming update.

She said the PMA CAP goal for shared services includes 10 goals, including the requirement for agencies to participate in the development of standards so agencies can have a big say in what the future capabilities will be for HR or financial management or any area where shared services could work.

One size doesn’t fit all for shared systems

Another one is an acknowledgement that the government doesn’t need to build its own IT systems any more.

“There are commercial systems that exist that can help us drive better processes in government because those commercial solutions already have incorporated so many of those best practices that exist in industry,” she said at the summit. “The second one is one size doesn’t fit all. Hopefully, the new strategy really does give every agency the opportunity to declare some level of success, whether it’s through the participation of standards or through the adoption of existing services, and the goal will point out what those are, or whether it’s thinking through the plan to adopt new centralized services.”

The third piece of the strategy is that competition is key and the government needs to be a smarter buyer. Angerman said both of these factors came through clearly in the market research the USSM office did over the last year or so.

“That is the role you will see start to emerge for the service management offices to help us prevent the proliferation of instances, to help us make sure that we have smart contracts that give us the opportunity to bring innovation and to make sure we actually don’t have vendor lock-in,” she said. “All of the things that we’ve heard are the concerns of customers over time.”

There are plenty of examples over the last 15 years where these problems arose. For too many instances, just look at the E-Travel program. GSA Administrator Emily Murphy said every agency uses the same travel management system, but each has a different version, totaling more than 40 across government.

With vendor lock-in, the Labor Department’s experience shows why this has been a concern. Labor moved to a private sector provider for financial management services in 2010 only to have to buy back the software and the interfaces in 2014 for more than $20 million when the vendor went bankrupt.

And around innovation, the USSM office is emphasizing the “as-a-service” approach so agencies can buy services and not systems, which tended to be static while cloud services can be dynamic.

This brings us back to DHS and its seemingly never-ending effort to modernize its financial management systems. In its request for information from March, DHS wanted information on cloud and non-cloud systems. It wanted to know about application programming interfaces (APIs), and it wanted to know how the software uses or plans to use artificial intelligence, blockchain and/or robotic process automation.

If DHS writes the solicitation using the tenets of the administration’s new strategy, then there may be hope for DHS, and for many agencies like it, that shared services will actually gain some real traction this time. Over the last 15 years, beyond payroll services, there have been only a handful of success stories and too many failures.

“We are making it a little better every time the baton is passed [from one administration to another],” Angerman said. “We are excited about the future.”
