Pallabi Saboo is the CEO of Harmonia Holdings Group, a small women-owned business, with revenues approaching $20 million.

Harmonia Holdings Group is working for the Marine Corps to modernize its legacy system by using a tool the company developed to automatically migrate old software code into leading-edge languages.

Saboo said Harmonia Holdings couldn’t have won the contract without the Small Business Innovation Research (SBIR) program. Harmonia Holdings has won 89 SBIR grants over the last 15 or so years.

But Saboo said her company won the Marine Corps contract and many others not because agencies are using the SBIR program like Congress intended, but despite of it.

“The best kept secret in Phase III of the SBIR program is that any agency can put millions of dollars on the contract without competition. It’s very similar to an 8(a) contract,” Saboo said in an interview with Federal News Radio. “The problem is most contracting officers have no clue how to do that. I’ve tried to sell that until I was blue in the face. I have 89 different SBIRs, but I can’t get them to use it. That is challenging.”

Instead, Harmonia Holdings is using SBIR as a kind of venture capital fund where Saboo can obtain funding for research and development and then once the tool or software is ready, offer it back to the government through other contract opportunities.

“I use SBIR technology opportunities as areas where I want to develop competencies for my company,” she said.

GSA to offer Assisted Acquisition Services

And this is why the General Services Administration’s new pilot to use its Assisted Acquisition Services in the Federal Acquisition Service aims to connect companies like Saboo’s with federal agency buyers.

“We partnered with Small Business Administration to make this pilot program happen, said Mark Lee, GSA’s assistant commissioner of the FAS Office of Policy and Compliance, during a press briefing on July 30. “We think AAS is positioned to set up a shared service across the government to help support innovative solutions throughout the marketplace and that can lead to the job creation the program is designed to bring. There is a unique opportunity to work with companies early on and bring them to a contract vehicle and get them opportunities.”

Lee said the client support centers in Region 5 and the FedSIM office will run the pilots and have dedicated support to help expand the use of companies under the SBIR program throughout the rest of the federal acquisition offerings by GSA.

Saboo said any more attention Phase III SBIR companies can receive to help commercialize their technologies, the real key is whether FAS trains its acquisition workforce to use the program to the full extent the law allows.

“Once you finish Phase III, you are in the valley of death because there is no specific need anymore,” she said. “If you find someone who is interested in your project, you need money to really expand the project to do what they want, and the customer, especially in the Defense Department, may not be able to get you money for two years because of how the budgeting process works. We, and many other companies, have never been able to use the Phase 3 contract because contracting officers don’t know how to use it and the gap between funding is too much.”

Lee said part of the reason why GSA is stepping in is to address similar problems Saboo is referring to.

He said 13 agencies participate in the SBIR program and many lack a dedicated contracting shop so having AAS support SBIR contracts with a dedicated area

SBIR participating agencies

• Department of Agriculture
• Department of Commerce – National Institute of Standards and Technology; National Oceanic and Atmospheric Administration
• Department of Defense
• Department of Education
• Department of Energy
• Department of Health and Human Services
• Department of Homeland Security
• Department of Transportation
• Environmental Protection Agency
• National Aeronautics and Space Administration
• National Science Foundation

Jeff Koses, GSA’s senior procurement executive, said AAS is offering access to the SBIR Phase III companies currently and the pilot runs through fiscal 2019.

“We will have a governance process in place to ensure we understand the rules and making most effective use of the program,” he said. “We will communicate with SBA about future possibilities, such as extending the pilot to other parts of GSA or other areas of the SBIR program. When a customer agency comes to us with authority to use a company in the SBIR program, GSA will be the acquisition arm to support that makes the connection between the agency need and industry partner.”

John Shoraka, a former SBA associate administrator for government contracting and business development and now managing director of GovContractPros, said GSA’s idea is a good one, but the agency and SBIR companies also need to keep in mind several things.

“There should be significant SBA involvement as their Office of Innovation and Investment (OII) manages the SBIR program and reports on it to Congress,” he said. “The reporting of SBIR awards is unclear, and it is also unclear how many agencies use all of their dedicated SBIR funding, and how successful the funding is. There should be a report card grading system like the small business report cards to Congress for SBIR.”

Saboo said another way to improve the SBIR program would be for agency acquisition officers and commercialization assistance programs to spread the word about how the program works consistently and persistently.

“GSA doesn’t have to do matchmaking. I can take products and create opportunities if contracting officers are open to listening and understanding what they can do with the SBIR program,” she said.

Read more of the Reporter’s Notebook

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Quick, which federal cybersecurity process is most costly, takes the longest and is hated by most federal chief information security officers, program managers and chief information officers?

If you answered, the Authority to Operate (ATO), you’d probably be correct.

For an agency to get a system from test and development to full production it must have an ATO, meaning the system owner must approve the risk-based assessment and security controls that are running on top of the system.

For many system owners, obtaining an ATO can take a year and cost hundreds of thousands of dollars, and while it is supposed to be good for a year, without continuous monitoring, it really is good for about five minutes once it goes online.

“It’s also quite common for the specific steps to obtain an ATO to differ from person-to-person, which ultimately encourages everyone to take many unnecessary extra steps ‘just in case,’ further prolonging the process without adding benefit,” wrote Nick Sinai, a former federal deputy chief technology officer and now a venture partner at Insight Venture Partners and an adjunct faculty at Harvard, in a Medium post July 2017. “Further, the weight of the process strongly discourages ever changing a system, which would trigger the ATO process anew; this stagnation leaves most government legacy systems at great risk for vulnerabilities, not to mention lost innovation and productivity.”

But what if an agency could get an ATO in 30 days or five days, or one day? That idea was a dream industry experts and federal executives have talked about for years.

Today, that dream is much closer to reality.

When a need meets the desire, amazing things can happen, especially in government.

The General Services Administration’s Technology Transformation Service had a backlog of 30 systems that needed new ATOs. Aidan Feldman, an innovation specialist at GSA’s 18F organization, said there was no way TTS could clear out that backlog if every ATO took six-to-18 months.

So 18F did what it is known for, taking a big hairy problem and breaking it down into consumable pieces.

Feldman said 18F created an ATO sprint team that streamlined the process and reduced time to complete an ATO from six-to-18 months to 30 days.

“The real key to this ATO sprint team was getting everyone in the same room. We all work remotely so in this case it was a virtual room,” Feldman said in an interview with Federal News Radio. “If we have more conversational back and forth in real time, it increased the understanding on both sides, and greatly reduced the overall time to complete.”

18F reduced the backlog of systems that needed new ATOs in 18 months, and maybe more importantly, created a repeatable process.

The dream is even more real over at the National Geospatial-Intelligence Agency. Just over a year ago, Jason Hess, the one-time cloud security architect and now vice president of global security at JPMorgan Chase, excited the federal IT community by talking about getting an ATO in a day.

While NGA hasn’t met that goal, Matt Conner, NGA’s chief information security officer, said after the Aug. 1 Meritalk Cyber brainstorm event in Washington, D.C., that the agency has realized an ATO in as little as three, five and seven days.

“We are continuing to build the telemetry necessary, the business rules, the promotion path for code committed to our dev/ops pipeline and to promote that as quickly as possible to operational,” Conner said in an interview. “We still haven’t realized the one-day ATO, but it’s out there.”

Conner said the NGA is so excited about the potential of reducing the ATO process down even further, there is discussion about an instant approval.

“We are continuing to shore up our continuous monitoring and telemetry capabilities for new capabilities that are developed so that we can really, really quickly authorize something or ATO something and move it directly into step 6 of the Risk Management Framework and continue to monitor changes to that baseline in operations,” he said. “The ATO-in-a-day solutions have always applied to our dev/ops environment. So these are capabilities developed on a platform, in a handful of languages that we prescribe with a handful of orchestration services, according to a handful of profiles that we’ve defined. It sounds like a lot of limits, it’s not. I would consider much more guardrails than limits.”

Long-time cyber challenge

The Office of Management and Budget and others have recognized over the years that the ATO process was broken. Back in 2017, OMB said it was running a pilot program to consider other approaches to shorten the authority to operate (ATO) life cycle and may potentially look at a “phased ATO.”

It’s unclear what happened to those pilots around a phased approach to an ATO as OMB never publically discussed those results or findings.

The attempt to fix the ATO process has been an ongoing project for OMB.

If you go back to 2013 in the annual FISMA guidance, OMB told agencies they had four years to get to continuous monitoring of systems, which would change the ATO process by making it an infrequent event to one that happens every time there is a change to the system.

Now despite these policy changes, the ATO process remains arduous and costly. Many agencies have moved to approve systems most regularly, in most cases annually.

The one thing about what NGA and GSA accomplished is the ATO in a day or 30 days works only because the organizations set specific limits. Conner said big monolithic systems that continue to use the waterfall approach to development will never enter the quick turnaround security conversation.

For 18F, the limits came from almost every system running on the cloud.gov platform, meaning a specific set of security controls that came with the platform-as-a-service were easily agreed upon and checked off the list.

The sprint team also used standardized ATO tools for architecture diagrams, vulnerability scanning and logging, according to Feldman’s blog post from July 19.

Feldman said one problem with the ATO process is the communication was slow and usually by email. 18F set up a dashboard to make progress easy to track,  and created these virtual teams that got together to hash out problems or challenges.

“Teams coming in may not have compliance experience so sending them to FISMA or other large daunting paperwork about the ATO process is not going to be the easiest way to get into it. So, we standardized and documented our process including a checklist about of what is expected going in, Feldman said. “Similarly for those systems, if every system coming in to the assessment is running on different infrastructure, then, for the assessors, there is no consistency and they don’t know what to expect. It’s the assessor’s job to understand what’s going on in the system and so it takes longer if they have to relearn a new technology every time. We found the more that we are able to inherit between systems and share the best practices of how you configure it, and then the shared language around how you explain how the system is working, having all that more consistent helped the process on both sides.”

NGA sets the guardrails

Over at NGA, Conner described a similar experience.

“These are code or algorithms or layers to our geospatial information system applications,” he said. “The process is really applying a lot of business logic to the telemetry we can gather and measure. We are looking at code quality, code dependency, static and dynamic testing, we are looking at targeted profiles that we’ve built that apply a set of controls to a workload and it’s all cloud based and platform based.”

“I’ve always likened the ATO in a day process to a speed pass on the local toll roads. You can real fast with your speed pass after you have gone online and registered your car and registered your transponder, tied it to a bank account and affixed it to the inside of your windshield in a certain place, then you can go real fast. If you don’t do any of those things, you don’t go real fast and you stop and give people money,” he said. “It’s the same thing. We have a set of design patterns; we’ve got a set of orchestration services; we’ve got a set of compute environments so if you are in that space and you want to play by our standards inside these guardrails, we will accelerate you as fast as we can. If you want to do something bespoke, you will have a different process.”

Feldman said 18F’s process is not magic or anything special — it’s just a matter of getting people in the same room as willing participants, documenting the process and your learnings, and setting the same expectations on all sides. That will go a long way, he said.

“I don’t think it will get down to an hour or anything like. The ATO process is there to make sure you are doing your due diligence securitywise and that can’t go away completely and I don’t think it should go away completely,” he said. “What I do hope to see is a reduced effort for the teams and the assessors to complete the ATO. That comes with better tooling, better documentation and better tracking of these projects as they go through so we can get ahead of problems as they come up.”

Read more of the Reporter’s Notebook

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

You can’t quite say the Technology Modernization Fund Board has $55 million burning a hole in its pocket. But the chunk of change remaining in the TMF for fiscal 2018 is heading out the door over the next two months.

Alan Thomas, the commissioner of the Federal Acquisition Service at the General Services Administration and a member of the board, said last week another “slew of proposals” are going through the review process.

Now what Thomas didn’t say, unfortunately, was how many and from which agencies.

For that information, we put on our reporter’s hat and opened up our “reporter’s notebook” to do some digging.

You see GSA and the Advanced Technology Academic Research Center (ATARC) hosted a TMF Summit on July 26 and decided to close it to the press. Now I understand there was some discussion and maybe even some disagreement about whether it was a good idea to close it to the media. Selfishly, let me say unequivocally, it was a bad idea.

The reasons are two-fold: First, the panel of TMF Board members and the industry panel weren’t going to say anything different in front of a mixed crowd of industry and government employees whether or not the press was there. Second, with more than 150 people in the room, of course details of the discussion would come out.

By the way, the Office of Management and Budget already is in a little bit of hot water for its struggles with communications about the fund with its congressional overseers, so the reluctance to “use” the press to explain what’s going on is more bewildering.

But I digress, back to the news.

20 projects seeks Technology Modernization funds

After talking to several attendees of the summit, Federal Chief Information Officer Suzette Kent and the board members said there are more than 20 proposals now vying for the remaining $55 million. But sources say the board offered no more details on what those projects were or which agencies submitted them. This is a big change from the first round where the board received only nine proposals from seven agencies.

Thomas, speaking at the AFFIRM event which was on the record and open to the press, admitted that most of the first set of proposals seeking extra funding fell far short of the board’s expectations.

“The review process was more rigorous than the typical agency program managers were used to,” he said. “We hope we raised their game. All proposals must be signed off by the agency’s CIO and CFO.  If it doesn’t look sharp, we aren’t hesitant to call the CFO and CIO and say is this what you really mean. The message is don’t just do it for us, but do it for all of your proposals.”

An industry source, who attended the TMF Summit and requested anonymity in order to speak about the “not for attribution” event, said Maria Roat, a TMF Board member and the CIO of the Small Business Administration, said the board said “no” to several proposals and to find money elsewhere.

The source said Roat said agencies struggled with the initial proposals to define why they chose a particular technology and what their major milestones would be tied to a realistic and clearly defined timeframe.

Charles Worthington, a board member and the CTO at the Veterans Affairs Department, said the panel was surprised it didn’t see more shared services or at least multiple agency proposals.

Thomas reiterated what Kent, board members and the TMF program management office have been saying for some time: The board wants projects that could be emulated across the government and that could be “flagship” or “lighthouse” projects where others easily can see the benefits.

One industry source, who also went to the summit and requested anonymity for the same reasons, said Kent said the three agencies that won funding in June — the departments of Agriculture, Energy and Housing and Urban Development — came with a clear vision and requirement, and received bonus points if they had done a pilot, or demonstrated a track record of success and were moving into scale and implementation to better ensure success.

Energy pushing for culture change

Interesting insights, but far from earth-shattering details that haven’t been talked about before.

In fact, Max Everett, the Energy CIO, said in June at an AFCEA Energy event, that the focus on moving the entire agency to cloud email and the extra money were part of the reasons for developing a business case proposal, but the overarching decision came down to addressing the fundamental way the agency manages technology.

“One of the other things that is really important about TMF is building a business case, having an holistic picture that you can present to leaders about where you are going and why,” he said. “It’s not just about we need a new thing or it’s time. It was lined up to all of our mission functions and priorities, and it told a story. That was really important because for us as a very federated department with dispersed capabilities all over the nation, this was about some other things. It was about collaboration, common baselines on security, enhanced mobile user experience. It will encourage us toward a true life cycle model for managing our IT.”

He said the cloud migration project represents “significant culture change” for the department.

And it’s that concept that attracted the board to fund Energy’s proposal, the board members said at the summit.

Sources say the board members highlighted the need to break down siloes when it comes to IT and the second order effects of culture change was highly attractive.

Kent said as part of the requirement to get the funding the board tasked DoE to create a playbook so other agencies could follow their model.

The first source said Kent highlighted the fact that Energy already had done the planning and needed money to accelerate it.

Everett said that planning started when he arrived at Energy more than a year ago.

“If there is no other value to cloud email, just being able to talk about a number that is associated with that service of a mailbox has some value by itself,” he said. “We spent a lot of time looking at what the costs are for all of these disparate systems across the department, understanding the costs and the experience we had with moving parts of the department into cloud email. We actually had a good idea of what those costs were, and we sought other agencies who had that experience as well. Then we started to push people to give us real numbers on what it cost to run their on-premise emails. That had been a little of a challenge, to be frank.”

He said too often Energy organizations didn’t account for all the assorted costs of energy, backups, storage, hardware, labor and other things.

Paying back the extra funding is the only option

A big issue for both government and industry at the summit was how HUD, Energy and USDA, and eventually others, would pay back the TMF loan.

The second source said they got a sense that agencies were complaining a lot about the requirement to pay back the loan, but Kent said OMB made it clear to agencies that once they were in for a dime, they were in for the whole dollar.

The sources said Kent made it clear that even if an agency fails, they still have to pay the loan back.

“They are being strict on that requirement,” the source said.

The first industry source said Kent also left no doubt that agencies cannot ask for more money in their budgets to pay back the loan.

The source said Kent said Congress expects that the modernization will run more efficient and cost less money, and has clear expectations about seeing a real dollar return on investment.

Kent said the board will work with teams about meeting payback expectations.

To that end, the second source also said the board is tying all projects to a reporting dashboard, detailing deliverables and milestones.

The source said Kent made it clear that once the project is accepted, the CFO, CIO and program manager must report back to the board on a regular basis that they are all working in the same direction. What is particularly important, said board member and Social Security Administration CIO Rajive Mathur, is that the CFO needs to understand the terms of repaying the loan.

The source added Kent underscored the fact that if the agency fails to meet its project deadlines, the board will stop the funding stream and the CIO and CFO still will be responsible for paying back the loan.

As for the new projects that Thomas referred to as in the cue, the first source said Kent emphasized that the board wants to see more “product based” proposals that are focused on commercial technology.

The source said they hadn’t heard board members talk so definitively before about the desire for agencies to bring in commercial innovations.

What’s ironic about all of these details is getting multiple stories in the press about the board’s oversight and rigor of the process would help alleviate lawmakers’ concerns about the program and help the Senate reinstate TMF funding for fiscal 2019. Instead, concerns about getting “clearance” and “approved talking points” continued the veil of secrecy around the fund that put OMB in this hot water in the first place.

Read more of the Reporter’s Notebook

Every year the Defense Authorization bill is filled with golden nuggets of little noticed provisions that make a big impact on the federal acquisition community.

This year they range from a strong focus on making it easier for agencies to buy commercial items to mixed messages around the use of other transaction agreements to the ever increasing concerns about too many bid protests.

This is, by far, not a comprehensive list, but several that most federal and contractor employees interested in acquisition should know about.

The House passed the NDAA on July 26. The Senate is expected to take up the bill next week. House and Senate conferees agreed to the bill on July 23, clearing the way to passage.

DoD-only provisions

Sections 816 and 817 make minor, but important updates to acquisition law

Under 816, Congress modifies the limitations of single source task and delivery order contracts, replacing “reasonably perform the work” with “efficiently perform the work.”

Roger Waldron, the president of the Coalition for Government Procurement, said in a blog post that the change raises concerns and risks because it could potentially diminish the benefits multiple companies bidding on task order contracts.

While under 817, lawmakers want agencies to use their preliminary cost analyses as the rationale for developing multi-year contracts.

The conferees didn’t heed the General Services Administration’s request of raising the micro-purchase threshold for all e-commerce buys to $25,000 from $10,000. But they did bring DoD up to par with the rest of the government by raising their micro-purchase limit to $10,000 from $5,000.

Bid protests continue to be a big concern for lawmakers and DoD. So much so, in fact, that they added Section 822 to the bill to require DoD to study the frequency and effects of bid protests involving the same contract award or proposed award that have been filed at both the Government Accountability Office and the Court of Federal Claims. The report would include the length of time protests take, the appeals to the federal court, whether the protester was an incumbent and whether they were a large or small business. The Pentagon also would have to establish a data collection system to better track and analyze bid protest trends in the future.

There has been no hotter topic in the procurement market over the last year than supply chain risk management. To that end, lawmakers, in Section 881, permanently extended the 2011 provision in the NDAA that requires DoD to manage its supply chain risks. It also clarifies that the secretary’s risk determination applies throughout DoD. The provision further clarifies that the secretary’s determination cannot be protested before the GAO or Court of Federal Claims. Additionally, DoD should notify other components or federal agencies responsible for similar procurements facing supply chain risks.

Governmentwide acquisition changes

House and Senate lawmakers agreed several significant provisions that will impact every agency.

Lawmakers took on the dreaded lowest-price technically acceptable (LPTA) by requiring a new Federal Acquisition Regulation rule within four months of the NDAA becoming law that would limit the use of this approach to buying products and services. The bill details six areas the new FAR rule must address, including requiring the agency to clearly describe the minimum requirements, performance objectives and standards to judge bids, and the determination that any proposed technical approach would require no, or minimal, subjective judgement by the agency’s source selection authority.

Additionally, the conferees say in order to balance effective oversight with reasonable costs, they want the GAO to develop a methodological approach that will provide insight into the extent to which LPTA source selection criteria are used by agencies, without requiring a review of each individual instance in which such criteria are used.

Lawmakers also told agencies to limit the use of LPTA when buying IT, cybersecurity, system engineering and technical, audit readiness, knowledge-based and a host of other services.

Rich Beutel, a former Hill staff member, lead staff member of the Federal IT Acquisition Reform Act (FITARA) and now president of Cyrrus Analytics LLC, said the NDAA is trying to address congressional interest in reversing DoD’s “habit of ignoring commercial innovations in such areas as cloud migration, because LPTA simply does not work well as an procurement approach when contracting for such complex technical services.”

Lawmakers revisited its direction around the upcoming e-commerce portal GSA is developing in section 838. The conferees is requiring the portal to meet the definition of full and open competition under the law — meaning there are at least two suppliers that offer similar products.

At the same time, legislators emphasized to GSA that the portal must be done in a manner that:

• Enhances competition
• Expedites procurement
• Ensures a reasonable price for commercial products
• Be implemented with multiple contracts with multiple portal providers
• Requires the portal providers to safeguard the data and not use the data for pricing, marketing or for any competitive advantage

Related to, but separate from, the e-commerce portal is section 878 that that would require the Office of Federal Procurement Policy to finalize the definition of the term procurement administrative lead time (PALT) and produce a plan for measure and publicly report PALT data for contracts and task orders greater than the simplified acquisition threshold. The measurement will focus on the time for when an agency releases an initial solicitation to the time of award. This data collection is in response to the increased use of other transaction agreements and similar approaches to reduce the time to get capabilities to the mission.

One provision GSA is excited about is section 876 to increase competition at the task order level. Lawmakers are providing exceptions that certain multiple award contracts, including those under the Federal Supply Schedule, can acquire services where price is not necessarily an evaluation factor.

Alan Thomas, the commissioner of GSA’s Federal Acquisition Service, said July 26 at an AFFIRM breakfast, that this change was something the agency had been pressing for because of the desire for the price competition to happen at the task order level. GSA took similar approaches and had success with its governmentwide multiple award contracts such as OASIS, the Human Capital and Training Solutions (HCaTS) and Alliant 2. GSA Administrator Emily Murphy said one of her priorities is to ensure there is more competition at the task order level and this change in the law is the first major step to ensure that.

DoD and OTAs

Lawmakers are definitely sending a mixed message when it comes to the use of other transaction agreements (OTAs). On one hand House and Senate Armed Services committee member are pushing DoD to use more OTAs by loosening the rules around this approach over the last few years.

But in the 2019 NDAA, lawmakers are starting to express some initial concerns. First in section 215, conferees limited to 80 percent of the funds the Air Force can spend on its Air Operations Center 10.2 OTA. The committees want a report on the Air Force’s acquisition and development approach as well as costs of the development and how the entire service can use what the center is developing.

Additionally in section 873, lawmakers want DoD’s service acquisition chiefs to collect and analyze data around OTAs, and then provide a report to Congress addressing the who is using this approach, how often, for what purpose, how much money they are spending and any successes or challenges.

The driving force behind the use of OTAs has been the Defense Innovation Unit Experimental (DIUx) and lawmakers now are concerned about the value this organization is bringing to DoD.

Lawmakers want a report by May 1 that details how DIUx is integrating with other research and development efforts across the military and its services as well as measuring the organization’s effectiveness, detailing the number, type and impact of its transactions and initiatives. Specifically, legislators want more details on how many non-traditional and traditional Defense contractors are working directly with DIUx and “the number of innovations delivered into the hands of the warfighter.”

Read more of the Reporter’s Notebook

It’s been 18 months since the Veterans Affairs Department had a permanent chief information officer and has had only two permanent technology executives since 2009, both of whom lasted on average of three years.

In the meantime, VA has faced a host of challenges ranging from continued cybersecurity shortfalls to delays and problems in developing an electronic health record that is interoperable with the Defense Department to programs and projects falling behind or not meeting expectations.

This is why President Donald Trump’s decision to nominate James Gfrerer to be the next assistant secretary for information and technology and CIO at VA is significant.

If confirmed by the Senate, Gfrerer would join VA from his current position as an executive director with Ernst & Young, where he worked in the firm’s cybersecurity practice. He also joins a long list of VA CIOs — both permanent and interim — who are veterans. Gferer served in the Marine Corps for more than 20 years, and was a Defense Department detailee to the Department of State, where he led interagency portfolios in counterterrorism and cybersecurity.

“Having permanent leadership in place to oversee these projects and the VA’s various information and technology systems will be critical as Congress works with the VA to address concerns and make improvements to bring VA into the 21st century,” said Sen. Johnny Isakson (R-Ga), chairman of the Veterans Affairs Committee, in a statement.

Gfrerer seems to be another in a long line of qualified CIOs for VA having earned a bachelor’s degree in computer science from the U.S. Naval Academy and Masters of Science in national resource strategy from the National Defense University.

He would replace Laverne Council, who left in January 2017, as the last permanent VA CIO. Over the last 18 months, Scott Blackburn and Camilo Sandoval have been acting CIOs or executives performing the duties of the CIO. Blackburn left VA in April and Sandoval has been acting since then.

The big question is whether his experience at E&Y will translate in being able to manage a $4.4 billion IT budget that may go up to $5.5 billion in fiscal 2019 if Congress approves the White House’s request, and a workforce of more than 377,000 spread across the country serving more than 20 million veterans.

The budget increase would include “$381 million for development projects such as modernization of legacy systems; development of a Digital Health Platform, and a new financial management system,” states VA’s budget request to Congress.

According to the Federal IT Dashboard, Gfrerer faces an uphill challenges with VA’s IT projects, only 41 percent are on budget and 79 percent are on schedule. The good news is 95 percent of all projects are using an iterative or agile approach to development, and 81 percent of those projects are on schedule.

More good news for Gfrerer is how much the agency is spending on legacy systems. The VA CIO’s office reported in January that about 60 percent it’s budget on operations and maintenance. The governmentwide average is closer to 80 percent.

“VA now plans to move critical functions from outdated and unsustainable platforms to more modern systems that operate at lower maintenance costs. We expect this change to save millions of dollars that can be reinvested in projects that directly enhance services for all veterans,” the report states. “A significant part of this reinvestment focuses on cloud and IT infrastructure improvements. Moving these functions to new platforms requires careful, thoughtful planning, and we accomplished much of that necessary planning in 2017.”

Among Gfrerer ‘s biggest challenges is moving from strategy to implementation for the electronic health record. In May, VA awarded Cerner Corp. a 10-year, $10 billion contract to implement the same EHR system that the Defense Department is deploying and abandon its own, existing Veterans Information Systems and Technology Architecture (VistA).

In June, VA executives told the House Veterans Affairs Committee that Cerner will build and provide project management, planning and pre-initial operating capabilities under the first task order. It will conduct facility assessments at three sites in the Pacific Northwest under the second task order and provide an EHR hosting solution under the third, acting VA Secretary Peter O’Rourke said in his written testimony.

VA will begin deployment at those three sites in October, with the goal of fully implementing the system by March 2020.

To date, VA has designated 260 full-time employees to the department’s new Electronic Health Record Modernization Program Office. VA will add more staff over time as the agency implements the new system to more sites, said John Windom, program executive officer for VA’s EHR modernization office.

Gfrerer will have to make quick work of the learning curve and begin managing VA’s technology transformation across several fronts.

Read more of the Reporter’s Notebook

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Editor’s Note: This story was updated on July 24 with new details from EPA.

After two laws, an executive order and countless reminders that federal agency chief information officers MUST report directly to agency secretaries or deputy secretaries, the Environmental Protection Agency is regressing.

Multiple sources in and out of EPA say the leaders are reorganizing the entire administrative and management offices and pushing the CIO deeper into the organization under the assistant secretary in the office of administrative and resource management (OARM).

The decision to reorganize OARM comes as EPA named in late June Vaughn Noga as its new CIO and principal deputy administrator in the Office of Environmental Information, replacing Steve Fine, according to an internal announcement obtained by Federal News Radio.

Fine took a new position starting Aug. 5 as a senior advisor in the Office of Air and Radiation in Ann Arbor, Michigan.

“Vaughn currently serves as the director, Office of Administration, Office of Administration and Resources Management, where he is responsible for a diverse portfolio, including facilities and property management, physical and personnel security, and safety and health,” said the internal email from EPA Chief of Staff Ryan Jackson. “I want to thank Dr. Steve Fine for serving as the PDAA in OEI and leading the organization through transition and improvements in cybersecurity, and hardware and software advances agencywide.”

Fine had been acting CIO since Ann Dunkin left in January 2017 as part of the Obama administration. But EPA hasn’t had a Senate-confirmed assistant administrator and CIO for five years when Malcolm Jackson left the position. The Senate never confirmed Dunkin because of an unrelated hold.

What the memo doesn’t say — and sources say, has not been communicated in writing — is Noga may be a PDAA in name only.

Sources say EPA’s plan to merge OEI and OARM would push the CIO, which had been Senate-confirmed assistant administrator position for more than two decades, down to a deputy position in the resources management office.

The CIO would answer to the principal deputy of OARM, currently Donna Vizian, or the assistant administrator, should one ever be named and confirmed. Vizian has been acting since before the Obama administration ended.

“Moving the IT organization down a level will only decrease the visibility and the needs of IT by the agency leadership,” said one former EPA official, who requested anonymity in order to speak about sensitive discussions. “It is a surprising move since the presidential cyber executive order made the deputy administrator responsible for cyber. This is a step backwards for IT and EPA.  This model was used back in the late 1990s before organizations realized IT needed to be part of the leadership team for them to be successful.”

EPA taking a step back from technology

An EPA spokesman on Tuesday confirmed in an email to Federal News Radio that the agency is merging the Office of Environmental Information and the Office of Administration and Resources Management after consulting with the Office of Management and Budget.

“The combined organization – the Office of Mission Support – will be the national program manager for information management, information technology, acquisition, grants, human resources, real property and security.  It’s workforce will be about 1,000 people,” the spokesman said. “Given the breadth of responsibility and the size of the organization, the agency decided to name the deputy assistant administrator for Environmental Information- the senior career position over IT/IM – to be the CIO.  The proposed placement would allow the CIO to focus full-time in IT and information management (IM) activities—continuing to give those issues the attention they deserve.  It also ensures continuity in the organization and a strategic approach by an IT professional. The CIO will continue to have access to the senior leadership of the agency and will continue to participate in agencywide IT/IM budget formulation and strategic planning.”

Another former EPA official, who also requested anonymity because they didn’t receive permission to speak to the press from their current company, said the merger is concerning because it seems to drop the CIO down a notch in the organization.

“Depending on how they do it, the CIO may not have a voice at the table with deputy administrator or administrator,” the former official said. “If you have an administrator who is concerned about technology, then maybe he or she gives the CIO a seat at the table. But it’s not organic like it would be if the CIO reported directly to the administrator or deputy administrator.”

The former official said it seems that technology is taking a back seat at EPA.

“Technology grew up in each of those mission offices separately over time, and that created inefficiencies,” the official said. “So if the CIO is not with other assistant administrators then technology will be an afterthought and not be used strategically. Think about it this way, if the assistant administration for air talking about technology, but does not understand where technology is going or where OMB wants it to go, and the CIO is not sitting there to talk about where the agency needs to go, then you run the risk of creating siloed solutions.”

Dunkin said in an email to Federal News Radio given how complicated technology is and will continue to be, the CIO needs to have both the positional power and direct access that comes by reporting to head of the department to influence others who report to the executive too.

“I’ve heard many people try to tell me otherwise but it is clear to me that reporting relationships and access matter. The CIO has to have a seat at the table with the rest of the department or agency head’s staff. They must be seen as a peer,” Dunkin said. “So, the leadership of the EPA can make all the claims they want the CIO will be invited to the administrator’s staff and have access to the administrator, but if the CIO is a deputy Assistant Administrator, they won’t have the relationships or leverage to get results. This is further complicated within the EPA where every assistant administrator and regional administrator is a political appointee. Turning the CIO into a career position clearly removes them from the group.”

She added the CIO is held accountable by OMB and Congress to meet IT mandates, so changing the reporting structure will reverse a decade of progress.

“Meeting the mandates weren’t easy when I was there but my peers knew that I had the backing of the administrator and the deputy administrator along with the law. If the CIO becomes a deputy administrator, not only does the CIO lose positional authority and their position as a peer appointee, but they administration sends a clear message that they don’t care about the law that empowers CIOs,” Dunkin said. “That means the CIO loses the ability to exercise the authorities of Federal IT Acquisition Reform Act (FITARA) or [President Trump’s] executive order. Staff will know that the administrator doesn’t care about complying. The new EPA CIO will be operating with both hands tied behind his back as a career deputy assistant administrator.  So, the bottom line is that this is not good for EPA continuing to transform IT. The Pruitt team has starved OEI of resources and now the CIO is losing their authority.”

OMB not happy either

Multiple emails to the Office of Management and Budget asking about how the administration is tracking agency progress in meeting the goals of the May executive order on CIO authorities were not returned.

The latest FITARA scorecard from the House Oversight and Government Reform Committee says EPA’s CIO reports directly the administrator or deputy administrator. But unless Noga or someone else comes forward to tell the committee access has been shut down or clearly diminished, the charade of reporting will continue.

And that’s why this move is so worrisome for many former EPA officials. There is nothing in writing. Sources say congressional oversight committees declined to approve the reorganization, but agency leaders are going forward anyway.

Sources say OMB isn’t happy with EPA’s actions either.

The second former EPA executive said these changes are being driven by Henry Darwin, EPA’s chief of operations. His background is using lean management principles where he used this approach as the state of Arizona’s chief of operations, where he oversaw the operations of all 35 state agencies and worked to stand up state government’s first intentional management system based upon lean principles.

Lean principles focus on the customer by creating more value in each process and reducing any process that doesn’t add value.

As for Vaughn, he walks into a tough situation. Dunkin had begun to reorganize the CIO’s office, but Fine and others weren’t happy with that direction and had begun dismantling it.

The second former EPA source said Vaughn likely will reverse course again and continue with the concepts of agile project development and having an open architecture.

“I know that Vaughn has quite a bit of experience in technology world, having been head of operations and as chief technology. He also was instrumental to help move EPA to the cloud with Microsoft Office 365,” the source said. “Cloud will be one of a few priorities. He’s well positioned to step into that role and know people, the organization and having been outside of OEI for last few years and consuming their services, he has a viewpoint of being inside and outside. I think he’s well positioned to step into that role and identify where they should be focusing.”

Noga will discuss his priorities this week in Dallas, Texas during EPA’s annual IT meeting.

The former official said it may be two years until EPA really understands the impact of the change.

“Because the CIO didn’t have a seat at the table when decisions are made, EPA will build out the technology and then there will be audits, and only then you will know if this change was a problem,” the source said. “Former Administrator Scott Pruitt was supportive of this change. With current acting Administration Andrew Wheeler being a former EPA official, he’s at least grounded in the mission of the agency. But I don’t think he will stop this OEI and OARM reorganization. It’s too far down the path.”

Read more of Reporter’s Notebook

Following the General Services Administration’s lead, the Office of Personnel Management named an experienced executive to lead its reorganization effort.

Sources confirmed Kathleen McGettigan, OPM’s chief management officer, is heading up the intra-agency task force to  “break up” the agency under the Trump administration reorganization plan.

McGettigan, who served as acting OPM director for 14 months and has been with the agency for more than 27 years, is designing the plan to move the HR Solutions organization and the retirement and health services organization to GSA. It’s unclear if she also is leading the move of the National Background Investigations Bureau to the Defense Department as well as whatever is left of OPM to the Office of Management and Budget.

In June, GSA named Mary Davie, the deputy commissioner of the Federal Acquisition Service, to lead an internal task force to figure out how best to accept the new services from OPM. Federal News Radio also has learned that GSA brought in Erv Koehler, the assistant commissioner for customer and stakeholder engagement, from Atlanta to be the acting deputy commissioner.

Sources said McGettigan had its first kick-off meeting last week with its task force. Federal News Radio couldn’t confirm all the other members of the OPM team, but they do include many executives from the HR Solutions shop and possibly leaders from OMB.

Federal News Radio sent OPM several specific questions about the reorganization task force efforts, including who is leading it and others on it, but received only a basic response.

“OPM understands that the reorganization will include many transitional stages that involve continued discussions between all relevant parties,” an OPM spokeswoman said in an email to Federal News Radio. “Many aspects need to be coordinated and fully understood as OPM works to create the most effective way to deliver services to the American people from their government.”

Sources said the initial discussions are starting to reveal just how complicated it will be to move the pieces from OPM to GSA. The meetings will look at matters such as contracts and potential outlines of the changes.

“Everyone is freaked out a bit,” a source said. “I think if you work for one of the components like HR Solutions, you will be disturbed but not lose your job. If you are part of the support offices like legislative affairs or the general counsel’s office, you may be in real jeopardy of losing your job.”

All of these efforts are further complicated by provisions in spending bills that restrict agencies from spending any money on reorganization plans without congressional approval.

“None of the funds made available in this or any other appropriations Act may be used to increase, eliminate, or reduce funding for a program, project, or activity as proposed in the president’s budget request for a fiscal year until such proposed change is subsequently enacted in an appropriation act, or unless such change is made pursuant to the reprogramming or transfer provisions of this or any other appropriations act,” the 2018 spending bill reads.

The 2019 spending bills have similar provisions.

We will learn more on July 26 when GSA and OPM get to explain their efforts further to the Senate Homeland Security and Government Affairs Committee. It will be interesting to see who ends up testifying, OPM Director Jeff Pon and GSA Administration Emily Murphy, or McGettigan and Davie.

This will be the third hearing on the administration’s plan to reorganize the government. OMB Deputy Director for Management Margaret Weichert appeared before the House and Senate oversight committees seeking to alleviate concerns by lawmakers.

Other personnel news

Melinda Rogers is the new deputy chief information officer at the Justice Department after spending the last seven years as the chief information security officer. She replaced Kevin Deeley, who passed away suddenly in February.

As a result, Larry Reed will serve as acting chief information security officer to replace Rogers. Reed has been the assistant director for security operations since 2016.

Over at the Air Force, Bill Marion received a temporary promotion to acting chief information officer after Lt. Gen. Brad Shwedo became the new CIO of the Joint Staff in April. Marion has been deputy CIO of the Air Force since May 2016 where, among his focus areas, is the effort to hire and train more cyber workers.

Former Homeland Security Department deputy CIO and senior adviser Barry West landed a new job in the private sector after retiring from federal service on May 31. West is the new president of MicroTech, a service-disabled veteran-owned small business which provides a host of IT services such as telecommunications, cybersecurity, cloud and network systems integration.

Read more of Reporter’s Notebook

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Typically, the IRS isn’t known for its openness and transparency. It’s one of those agencies that prefers to neither be seen nor heard, except when your taxes have a problem.

But times are changing, at least for the chief procurement officer.

CPO Shanna Webbers, the chief procurement officer, and her deputy Harrison Smith are creating stronger partnerships internally and externally for the IRS through the simple concept of industry and reverse industry days.

Earlier this month, more than 200 vendors showed up in Washington, D.C. to hear from acquisition and program leaders about where the tax agency is heading over the next year.

“What we wanted to make sure industry heard is that we see them as one of our customers. In having conversations with our customers, we help understand a little bit better about what drives their behavior,” Smith said in an interview with Federal News Radio. “Ultimately it’s helping them have enough information so they can make more informed decisions, and ultimately make the marketplace more efficient. The more we are able drive down the costs to compete with the IRS by providing information and therefore reducing risks, the more frankly we reduce rack rates, the more we reduce the chance that someone says we don’t know enough about the IRS and its requirements and I’m not sure I want to do business with them.”

At the recent industry day, more than a half dozen executives provided details on everything ranging from the IRS’s move to the cloud to small business goals to the impact the new tax reform law is having.

Tax reform law requires changes to 140 systems

Kirsten Wielobob, the deputy commissioner for services and enforcement, said implementing the tax reform legislation is the biggest undertaking for the IRS in her 21-year career with the agency.

“We are revising hundreds of forms, modifying 140 systems for filing in early 2019 and we are training our employees, particularly those on the frontline answering questions and interpreting and explaining the law that’s written in legal guidance,” she said. “We have created a project management offices staffed with IRS executives and contractor support.”

At the same time, Wielobob’s office also is modernizing its operations, including the service and compliance programs. She said the goal is to give employees the tools to make them more effective by providing more insight and data analytics to minimize the taxpayer’s burden.

She said among her biggest projects are a new enterprise case management system.

“What’s different from 21 years ago is the level of engagement,” Wielobob said. “The amount of transparency and partnership we are trying to foster is huge.”

And that’s where Webbers and Smith come in.

Webbers said the CPO’s office recently released a strategic framework supporting the broader IRS strategic plan.

The framework outlines how the CPO’s office is supporting IRS employees’ efforts to improve citizen services and engage with industry in a more consistent and assertive way.

What may be most important about the IRS’s approach is giving contracting officers and specialists top-down support. If they make a mistake or if a procurement is protested, Webbers and Smith have their back.

“Harrison and I have open office hours where individuals can come in to talk about strategy, and advise them which [way] they should be going,” Webbers said. “When there is an issue that is controversial potentially or let’s say a vendor protest, we stand with the contracting officer shoulder-to-shoulder, answering those questions so it’s not them there by themselves. We encourage them feel bold and empowered and we are standing right there beside them. I feel that has changed the environment of our staff. I can feel the difference in their confidence.”

IRS contracting offices takes a smart risk

Smith pointed to a recent example where the CPO’s office helped a contracting officer take a different approach on an acquisition.

“We challenged the procurement team to post as much information as they possibly could and let them determine that,” he said. “They came back within two days and posted a three-page memo which outlined when the proposals would be due, how much time industry was going to have to respond, the evaluation factors, what was most important, the historical information that would be useful to industry. They let industry know that they took a lot of time and effort to provide them with this information and they were serious about opening up the competitive aperture and making sure that folks have enough information to make an informed decision about how to proceed.”

The CPO’s office also has encouraged contracting officers and program managers to say the simple phrases, “We don’t know,” or “We need your help.”

Smith said traditionally the IRS has hesitated to put out information before it’s final. But his team is helping the acquisition community embrace the concept of providing as much information as they know to industry, and then asking for help filling in the details.

“We want to avoid radio silence, which is so often a killer in terms of tracking requirements and capturing opportunities,” he said. “Requirements owners in the [chief information officer’s] office or the [chief human capital officer’s] office are sometimes afraid to talk to industry because they don’t know the rules and don’t want to get anyone in trouble, which we certainly applaud. We are setting the conditions that allow for open conversations in a safe environment, providing training to individuals in the requirements offices, ultimately our customers as well, to help them understand what’s out there, what’s available and how they can have conversations with individuals when they are not necessarily under a contractual arrangement.”

Webbers said many of these internal discussions focus on the IRS’s appetite for risk. She said her office tries to be clear with the program folks when taking risks make sense and when they don’t.

Webbers said other program managers and contracting officers got wind of that posting on FedBizOpps and contacted the contracting officer for more information.

“We celebrate our successes,” she said. “We want to provide that example where we as one team, one procurement rely on each other. As we learn what we did well, let’s continue to do it. As we learn of something we could’ve done better, let’s learn from that and continue to progress forward.”

Smith said the CPO’s office tracks progress in a number of ways, including increased competition for solicitations and, to a lesser extent, bid protests. But he said as any agency tries to be more innovative with their acquisition strategy, the likelihood of vendor complaints could increase.

“Another area we are working on is ultimately how do we make sure the customer is getting what they need in a more efficient and appropriate time?” Smith said. “That does mean that sometimes we need to say ‘we spend a lot of time on this particular set of activities and maybe it’s not worth risk or return on investment.’ It means we have to back away and say, ‘we are not doing things the way they have been done in the past just because they have been done that way in the past.’”

It takes a targeted effort, he said, as well as resources identified by leadership to make sure the agency is constantly improving, and identifying better and more effective ways to do business.

Read more of Reporter’s Notebook

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Agriculture Department’s decision in January to make significant changes to how often its employees could telework is reverberating across the government.

The departments of Education and Health and Human Services followed suit over the next few months. There are rumors other agencies, including the Veterans Affairs Department and Commerce Department may soon implement similar changes.

And all of these new policies are causing some federal employees to believe it’s only a matter of time before their agency follows suit.

Federal News Radio conducted an exclusive online survey of its readers over the last month and found 44 percent of 396 respondents say they are very concerned and 25 percent said they are somewhat concerned about possible changes to their agency’s telework policy.

“The management in [VA] is considering decreasing telework or eliminating it,” said one respondent.

Another said, “Telework is now not an option starting Oct. 1st (originally was two days a week).”

Of those who answered how their agency changed the telework policy, a vast majority said it was a straight reduction usually limited to one day per week. One respondent said their agency cancelled any regularly scheduled teleworking, and now only situational is allowed.

Others said their agency clarified policies and procedures around telework, such as “increased monitoring of log on and log out times,” according to one respondent.

Another respondent said, their agency clarified “meanings of ad-hoc, situational and reoccurring as well as expand teleworking to ad-hoc to a maximum of two days per pay period.”

Several also commented that their agency’s policy is if an employee can telework, they must during weather-related situations.

One respondent said their agency “mandated anyone with a telework agreement must work on days where the government is closed, such as snow emergencies.”

And there were a few who said their agency actually is promoting telework.

“Encouraging us to do more telework to save space in office,” stated one respondent.

Another said, “Expanding telework to more employees to telework more than 50 percent of the time.”

It’s clear all of these changes are causing consternation across almost every agency. And what’s unclear is what agencies are doing to alleviate the challenges.

At USDA, Don Bice, the deputy assistant secretary for administration, said while employees had initial concerns about telework, the time since the policy helped clarify the agency’s intent.

“I think the more that we talk about what the Secretary intended and what the authorities are … this did not change any reasonable accommodations and it didn’t change if there were any additional issues, where if there were staffing that had to do with space limitations, it didn’t change that. It’s more the perception there,” Bice said in an interview after a House Oversight and Government Reform hearing in May where Rep. Gerry Connolly (D-Va.) brought up concerns about USDA’s decision. “The secretary still supports telework, still expects people to come to the office most of the time of the days of the week, still allows telework, but it’s matter of a perception on the time periods that people feel comfortable with and what the secretary tried to do was provide to the supervisors the ability to make decisions in conjunction with employees.”

USDA extended the initial timeline to implement the telework policy to 60 days after employees said 30 days was not enough.

Bice said that is an example of how the agency helped with adjustment.

“The secretary asked each one of his policy staff and the people acting in those policy positions to go out and have conversations with their employees to explain the policy. I think that has helped to explain what the intent here is,” he said. “For those people whose job does allow full-time telework, those positions have now been designated to be eligible to be done in other duty stations. The other big component is that we were accurately identifying whether people were doing work from home or doing work from an office location. Certainly, we are fielding lots of questions. Some have been good humored. Some have been not so good humored.”

As more and more agencies follow USDA’s lead and require employees to be in the office more days per week, the lack of humor is becoming evident more and more.

The good news is 34 percent of the employees who responded to the survey said the change in the telework policy wouldn’t prompt them to look for a new job.

“Already happened. I’m not terribly upset by it,” wrote one respondent.

Another said, “I’ll retire in a couple of years so I won’t be looking for another job because of telework policy.”

At the same time, 31 percent said a change in the telework policy would “very likely” motivate them to look for a new job and 20 percent said they were “somewhat likely” to change positions.

“I have 20 years, so leaving makes no sense, But as soon as eligible for retirement, I will seek other opportunities,” stated on respondent.

Another said, “I’m looking to transfer to another duty station closer to home.”

The short and long term impacts of the policy changes are unclear.

Frank Landefeld, public sector market leader at MorganFranklin consulting, told Your Turn with Mike Causey in March that restricting such work-life policies could make it harder for the federal government to compete for new talent.

That seemed to play out in the survey.

More than half of the respondents said the biggest benefit of telework is it reduces the amount of time they spend commuting, while 25 percent said the biggest benefit is greater work-life balance.

“Ability to have uninterrupted time for heads down work that is not possible in the open office environment,” wrote one respondent.

Another respondent stated, “Less commuting, higher productivity, equal collaboration through instant messaging.”

Overall, the survey showed continued concerns over real or potential changes to federal telework policy. The lack of communication about why the changes are being made and an inconsistent application across agencies is a problem agencies are struggling to address. As USDA’s Bice said, fielding and answering all those questions would do a lot to relieve anxiety.

The Nuclear Regulatory Commission’s implementation of phase one of the continuous diagnostics and mitigation (CDM) program fell behind schedule by as much as nine months.

In June, the agency issued a sole source justification authority to continue to pay Enterprise Services— formerly HP Enterprise Services — $389,000 for another year of work on phase one.

Now for NRC and the five other agencies in Group E, phase 3 of CDM may also fall behind schedule.

The General Services Administration’s award to ManTech for $668.6 million for services and capabilities under the DEFEND task orders is under protest before the Government Accountability Office. Enterprise Services filed a bid protest on July 2, arguing its proposal shouldn’t have been rejected as unreasonable.

The irony of this protest is the Enterprise Services is the current provider of CDM services to Group E so by protesting the award they are both paying for the legal fees and getting paid by their customers to continue to provide services. It’s a perfect example of an incumbent losing the recompete and extending their revenue through a protest. This issue has long been a red flag for many in the acquisition community about why certain parts of the bid protest process need to be fixed. But that discussion is for another time.

HPES has been providing services to these six agencies since 2015, when GSA and the Homeland Security Department, which the operational arm of CDM, awarded the company a $21.7 million contract. The six agencies include the NRC, the Environmental Protection Agency, the departments of Housing and Urban Development and Education, the Small Business Administration and the National Science Foundation.

And this brings us back around to NRC. It’s unclear if NRC’s implementation challenges were the fault of Enterprise Services, DHS, the agency or some combination of the three, but the fact is NRC, and likely other agencies, will have to figure out how to deal with the ever-increasing cyber attacks without these advanced tools.

In the justification document, NRC offered a little insight into why CDM has been delayed:

“In the original design, the CDM project intended to collect a large amount of system security information that would be analyzed and displayed in an agency CDM dashboard that also sent summary data to a federal CDM dashboard hosted at DHS. This effort required installation of ten new servers involved in data collection and analysis, and due to the complexity of this system the length of time required to troubleshoot configuration issues so that it functioned properly was much longer than anticipated. Due to limitations of the lab environment provided by the contractor, CDM system configurations could not be adequately tested prior to deployment on the NRC network which further increased time needed for troubleshooting.”

NRC also said: “CDM project lacked a complete architectural vision or concept of operations from U.S. Department of Homeland Security (DHS). For that reason, the CDM project is behind the schedule originally” detailed in the initial contract award to HPES.

Only since March has the NRC CDM dashboard met initial operating capability, which seems to be on schedule with other agencies. In May, Kevin Cox, the CDM program manager, said DHS had 20 of 23 agencies providing data and had a goal of closing the gap this month to have all 23 civilian CFO Act agencies submitting data to the governmentwide dashboard.

This is the second time Enterprise Services protested an award under the CDM program. In 2015, the former HPES lost its complaint to GAO over the $29 million award to the Knowledge Consulting Group to provide DHS’ headquarters with continuous monitoring tools.

While Group E must wait until October at most to get going, the agencies under Group C are ready to go.

GSA awarded CGI Federal a $530 million contract to under the Alliant governmentwide contract for five agencies — the departments of Commerce, Justice, Labor, State and the U.S. Agency for International Development.

GSA and DHS held the “kick-off” meeting with CGI Federal and the agencies last week.

GSA received four bids under the task order competition and, obviously, it wasn’t protested.

As for the other agency groups under DEFEND, which marked a major change to how GSA and DHS approached CDM:

• Group A — CACI won a $407 million task order in May for DHS headquarters and components.
• Group B — Booz Allen Hamilton won a $621 million task order also in May for seven agencies —the departments of Energy, Interior, Transportation, Agriculture and Veterans Affairs, and the Executive Office of the President and the Office of Personnel Management.
• Group D — Expected award by the end of July. Agencies under Group D are: GSA, NASA, the Social Security Administration, the departments of Treasury and Health and Human Services, and the Postal Service.
• Group F — Cox said DHS continues to work with the small and micro agencies to get them to submit data to the governmentwide dashboard, and is starting to pilot a continuous monitoring-in-the-cloud solution.

Sources say GSA and DHS are working on the next part of Phase 3, which currently is being called the CDM Dashboard II. GSA received feedback from a recent request for information and is expected to hold an industry day in August.

Read more of Reporter’s Notebook