Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


Don’t panic: Senate appropriators cut IT modernization fund for 2019


If the House Appropriations Committee decision to increase the IT modernization fund to $150 million was a vote of confidence to the Office of Management and Budget, then the Senate committee’s decision to zero out the fund in fiscal 2019 would be considered by some a vote of skepticism.

Before questioning the spirit and intent behind the Modernizing Government Technology Act, or claiming lawmakers have already lost interest in the law, consider this: Maybe the Senate is teaching the new administration a lesson of sorts?

Never enough communication

One of the challenges of bringing in executives without previous government experience is their inability to fully grasp the importance of communication with Congress. We saw this with the Bush administration’s e-government initiatives. There is a popular story about an Interior Department official, upset with the geospatial one-stop project, going to “friends” on Capitol Hill to put a rider in the Interior spending bill that would prohibit the agency from supporting the presidential initiative. What’s funny is that person is back in government, so hopefully they like the Technology Modernization Fund (TMF).

Under the Obama administration, Office of Management and Budget officials all but shut down the discussion about the Federal IT Acquisition Reform Act (FITARA) at one point, forcing one congressional staffer to almost publicly engage a key member of the administration in a debate about the bill.

And now, the Trump administration is starting to learn this sometimes hard lesson. No matter how often or how much you think you have communicated with lawmakers and, more importantly, their staff, it is not enough.

Over the years, several former OMBers from the Bush administration have told me that among their biggest mistakes was not working more closely with Congress.

So let’s go back to the TMF. Senate appropriators said in the bill’s report, “As the TMF reviews the remaining proposals, the committee encourages [the General Services Administration] and OMB to provide additional transparency surrounding agency proposals at each stage of the selection process, including projects submitted for consideration and those selected to receive funding. The committee will continue to monitor the proposal process and work with GSA and OMB to establish metrics for determining program and project success.”

Translation: You aren’t communicating enough and until we understand more, you are not getting more money.

Mike Hettinger, a former Hill staff member and now managing principal of Hettinger Strategy Group, said it’s clear there is some gaming going on.

“If I was OMB and GSA and I have a new program that appropriators were somewhat skeptical about at the beginning and played a big role in revamping it, I’d go overboard this year and give them everything they want to know,” he said. “I’d brief them every few weeks, letting them know how funding is being let out and keep them in the loop. My feeling is that didn’t occur and that is why OMB is seeing some push back.”

Sen. James Lankford (R-Okla.), chairman of the Appropriations Subcommittee on Financial Services and General Government, highlighted the need for more communication about the TMF process in an email to Federal News Radio.

“I am concerned about the lack of transparency with the allocation of the awards, and who is submitting proposals and why certain projects and agencies were or were not selected,” he said. “In the coming weeks, I hope to explore possible solutions to this lack of transparency.”

Hettinger said agencies and supporters of the TMF shouldn’t see this as bad news, or even as similar to what happened to the E-Government Fund, which Congress underfunded for years.

“Is money at risk? I don’t think so as long as OMB and GSA and the Hill can work together. I think they will get the $150 million in funding,” he said. “I think this reiterates how important IT modernization is, and Congress is making sure they get the information they need. It also reiterates how important it is, especially for the sponsors of the MGT Act Sens. Jerry Moran and Tom Udall, for it to be successful. This back and forth with OMB and GSA is part of that.”

Sen. Jerry Moran (R-Kan.) said on June 21 during the subcommittee’s discussion about the spending bill that he was alarmed by the decision to remove all funding for TMF, but still is confident lawmakers will restore the funding.

“What I have learned and what I accept as important is there is good government that’s necessary as we pursue good government and that means that we need more information and that substantive and necessary oversight is currently lacking,” he said. “And we were able to work with the subcommittee to formulate a meaningful, in my view, amendment to require the GSA to provide specific information on how these dollars are being spent and I want to thank the subcommittee as well as you, Mr. Chairman, for working with us to accomplish that. It outlines what we need from the GSA, and my hope is that the GSA, even though this legislation with this language will not be law by the time we get to conference.”

He added the subcommittee’s message is intended to get the attention of OMB and GSA to provide the information the committee needs for oversight.

Living up to expectations

It’s not just the Senate that wants more communication. While the House committee approved $150 million for 2019 for the Technology Modernization Fund, lawmakers added more specifics about their expectations.

OMB has held on to information about the TMF as if it were state secrets. OMB Director Mick Mulvaney told lawmakers how many proposals the TMF board received, but didn’t say which agencies they came from. Other OMB and agency officials were tight-lipped publicly and privately about which agencies submitted proposals, for what types of projects, and really anything about the process before OMB announced the awards.

Maybe OMB was concerned that if it told the Hill, the information would leak out—invariably it would. But the questions then are: Who cares if the information is leaked? What is the harm? In fact, it may help the program.

And maybe OMB wouldn’t be in the position it is in today, having to so aggressively promote and encourage agencies to submit more proposals for the remaining $55 million in the fund for 2018.

The message from Congress is clear: Federal CIO Suzette Kent, GSA Administrator Emily Murphy, a former Hill staff member, and GSA Federal Acquisition Service Commissioner Alan Thomas have the summer not only to give lawmakers the information they want, but to re-establish a regular cadence of updates about TMF.

If one thing has always been evident with any administration’s technology initiative over the years, it’s that OMB has done a good job managing down to agencies and across to vendors. But rarely has the e-government office figured out that managing up to Congress will make or break its initiatives. It’s time to figure this out if IT modernization is as critical as everyone says.


What does it take to be a federal cyber executive? New handbook has the answers

It was 2006 when the federal government got serious about cybersecurity. Jerry Davis, the outgoing NASA Ames Research Center chief information officer, was then an employee of the Veterans Affairs Department when a laptop holding the data of 26 million veterans was stolen.

Davis, who has spent much of his career in cyber, said the incident “opened eyes and sent shock waves across the federal government.” From that event came a number of executive orders, memos, initiatives and even laws that tried to reshape the way agencies approach cybersecurity, and protect data and networks.

“I think the biggest challenge the government and really every sector faces is the skill set of the people who are securing our networks and systems,” Davis said in an “exit” interview. “We as a nation are woefully behind when it comes to producing really good individuals that have skill sets to work in cybersecurity.”

Davis’ description of the challenges facing the public and private sectors is the impetus behind the Federal CIO Council’s new chief information security officer handbook.

‘A central pillar’

In launching the 170-page CISO Handbook on June 26, the council wrote that “a central pillar of the administration’s IT modernization strategy is to improve the skills, leadership abilities, and overall pipeline of talent in the federal government to address our growing cybersecurity threats.”

The group said it sought to produce a compendium of key information, templates and processes for a “‘one stop shop’ for new and emerging information security professionals to begin their upskilling into future cybersecurity executives. The handbook is a foundational document that will help agency leadership drive transformational workforce changes in a standardized, repeatable manner and create greater collaboration and coordination across agencies to address systemic cybersecurity challenges.”

Trey Kennedy, a senior adviser to the CIO Council, said in a call with reporters that over the last 15 years, since the passage of the Federal Information Security Management Act (FISMA), the complexity of what federal IT security executives need to know has grown.

“The creation of the handbook wasn’t centered on the confusion around what was out there, but what really came up was a lot of folks were saying there are tons of resources out there to help us do our job that highlighted the role of CISOs,” Kennedy said. “But the thing we found and consistently heard through the councils was that these resources are in various places. And when you are onboarding a new employee it would be really great if there was a one-stop shop that lets you point folks to a single document that may not be the totality of the universe, but gives you that foundational knowledge, the key that you really need to be successful in the cybersecurity role.”

He said the goal of the handbook is not to be prescriptive, as there are plenty of laws and policies that do that. But it should detail the goals and objectives of federal IT security, whether one is a CISO, striving to be a CISO, or just a non-IT executive trying to understand federal cybersecurity.

“The goal is to highlight some of the best practices, too. The appendix is really based upon successful policies for agencies to refer back to. Since then, we’ve had some feedback from CISOs who’ve asked us for a little bit of additional information about what those policies look like,” he said. “We are trying to make sure this information sharing occurs. This allows folks to read through the handbook, identify the challenges that they see in their own organization and see from the handbook’s perspective what their peers may be looking at foundational perspective to overcome those.”

OMB tried something similar in 2016 by creating cyber.gov, but that site never really amounted to much and today it is a blank page. The CIO and CISO councils outlined three main sections in the handbook:

  • CISO roles and responsibilities, including reporting requirements
  • Managing risk across the enterprise, including NIST and governmentwide initiatives
  • Management resources, including workforce and contracting

“Breaking the complex conversation of the CISO role and risk management into consumable pieces can only help the community succeed in bringing new talent onboard and meeting our mission needs,” Emery Csulak, CISO at the Centers for Medicare and Medicaid Services, said in the release about the handbook.

Plain language

Kennedy said Csulak and Cord Chase, the former CISO at the Office of Personnel Management and now a senior adviser for the National Background Investigations Bureau, spearheaded the handbook’s development for the CIO and CISO councils.

Csulak and Chase led the working group that started with a survey of CISOs to understand priority areas and challenges, and then brought all the reference material together to get feedback from the councils.

“The way we wrote the handbook and the way we structured it was really around plain language. We wanted it to be a very clearly written document and you don’t need a deep technical background to understand the elements that are in it,” Kennedy said. “Whether you are a seasoned cybersecurity professional who just wants a quick reference guide for a lot of these items that are out there or if you are somebody new to the field or you are just a regular employee who is trying to understand what your role in cybersecurity is, if you read this you understand what is out there.”

He said this is especially true for program staff, who need to know the baseline cybersecurity requirements they must follow.

Kennedy said the CIO Council followed an approach similar to the one it took with the U.S. Digital Service to create the TechFAR Handbook in 2014, and to the work the General Services Administration did to create the M3 framework for shared services in 2015.

Kennedy said the councils will continually update the CISO handbook as new policies, laws and challenges arise.

“One of the things we want to do is the document right now is a PDF format and we’d like to come up with a more interactive form of displaying it online so that is one of our first areas to tackle to try to improve the usability and accessibility online,” he said. “We’ve made sure to socialize this with the small agencies since a lot of times they are looking for these resources to have them as they might have a smaller staff or less dedicated folks to it.”


Fix to SAM.gov can’t come soon enough for hundreds of contractors


Hundreds, if not thousands, of government contractors are hopeful that starting June 29 the System for Award Management (SAM) finally will be fixed.

That’s the day the General Services Administration said the SAM.gov portal will implement a new way for vendors to log in, change their information, renew their entries or enter data for the first time. It also will scale back the nearly three-month-old requirement to send notarized paper letters to make changes or apply for registration.

GSA said June 11 that SAM.gov will use the Login.gov service for vendors to activate their registration. The agency said vendors still will have to submit a notarized letter within 30 days, but the document is not required to get started.

This is good news for the more than 11,000 vendors — 942 new and 10,547 existing, as of about 30 days ago — currently going through the process to renew or sign up on SAM.gov, as well as the unknown number stuck in the backlog created since March. That was when GSA told users that some contractors were victims of fraud through the SAM.gov portal for the second time in five years.

GSA started requiring notarized letters after it found a third party had changed the financial information of “a limited number” of contractors registered on SAM.gov and redirected payment for services or products to incorrect bank accounts. GSA sources say today it takes three to four weeks to get a notarized letter through the current process, while at least one vendor says that number is closer to 40 days on average.

“GSA has been faster this week as we have had a couple more get through the process than normal, but that doesn’t have to do with login change,” said Christie Jackson, a lead case manager for US Federal Contractor Registration. It provides services to help vendors get through federal procurement registration processes like SAM.gov or the SBA 8(a) program. “They are getting more pressure to get them through before this big flip.”

A GSA spokeswoman said the agency is actively processing new entity registrations and annual renewals every day.

“GSA posted step-by-step instructions for domestic and international entities for easy reference. The introduction and use of notarized letter templates has increased the acceptance rate and is the recommended process,” the spokeswoman said. “GSA’s Integrated Award Environment (IAE) is rapidly deploying SAM system enhancements to mitigate against the identified fraud threats. Our focus has been to reduce the registration processing time for those entities who are registering solely to seek federal assistance.”

Jackson said since March the entire SAM.gov registration process has been in chaos.

She said the average wait time to get through to the Federal Service Desk—the SAM.gov help desk—by phone or online chat has been two to four hours. Additionally, she has several clients who have lost thousands of dollars and wasted dozens of hours trying to update or renew their registration.

“I have a live chat open — that started at 1 p.m. and it says the average wait time is two hours and three minutes so we are now pushing four hours right now,” Jackson, who has worked for the company for seven years, said on Wednesday. “And when you do get through, their favorite answer is ‘we don’t know.’”

Past fraud slowing today’s contracts

Jackson said the backlog and wait times caused by the fraud incident are having real-world effects on US Federal Contractor Registration clients.

“I had one recently bought property that was part of a building GSA was leasing and he couldn’t get rent payment for two months and burned through his savings to keep everything afloat while waiting for the rent payment,” she said. “We ended up sending three letters before approved.”

Jackson said before the fraud incident, US Federal Contractor Registration could change a point of contact or an address almost automatically and nothing would take more than a day or two at most. Additionally, she said she used to process more than 100 registrations or changes a week, but in the last month she got 25 registrations approved by GSA.

“We’ve tried to talk to GSA but they don’t give us much,” Jackson said. “We were telling our clients to send a letter to their senators as a way to add some pressure from another side.”

This will be the second major implementation for Login.gov after GSA implemented it for the USAJobs.gov site in February. The GSA spokeswoman said the implementation to SAM.gov will be similar to the USAJobs.gov effort.

“Login.gov leverages the cloud to scale up our infrastructure as needed. During the USAJobs.gov launch, login.gov monitored performance and did not see any issues serving the increased traffic. As we do with every major launch, we made minor enhancements to increase the usability for specific user groups. Post launch, we continued to iterate by making other enhancements to better the experience for the USAJobs.gov population,” the GSA spokeswoman said. “As with every Login.gov integration, we will coordinate closely with the SAM.gov team before, during, and after the launch to continue to increase security, usability and privacy for the SAM.gov users.”

Christoph Mlinarchik, the owner of Christoph LLC, a federal contracting consultancy, said the move to multi-factor authentication is a great first step, one that should’ve been in place years ago and would’ve prevented the fraudulent activity in the first place.

“This incident is a vivid reminder that the federal government desperately needs to invest more in cybersecurity and information technology. Hacking and cybercrime is a trillion-dollar racket, and it has national security implications for the critical contractors in the intelligence, security, and defense supply chain,” he said. “There’s a digital war going on and some don’t understand they’re in it. Many contractors don’t realize they’re a target and a liability if they don’t have adequate cybersecurity protocols. America can lose a battle without firing a shot if adversaries steal vital technology or trade secrets, and contractors are prime targets.”

US Federal Contractor Registration’s Jackson said she has some concerns about the move to Login.gov. She said she remembers the trouble when the government moved to SAM.gov from the Central Contractor Registration, where the new site struggled for several months.

“We created a Login.gov account. I’m not sure it’s going to be easier as you need to get a security key, get a confirmation email and then a phone text with a six-digit code. And it has to be used in 10 minutes, which makes it difficult when you are trying to serve customers,” she said. “With SAM.gov now, we can send a link and the client has 48 hours to activate it. And even with that link, some of them can’t figure it out. This will be a lot more difficult. I understand why they are doing it, but wiping out every log in to SAM.gov is not going to make it faster.”

The good news is that getting rid of the requirement for notarized letters will address the immediate need of most vendors. Additionally, there have been few to no public complaints about how Login.gov has worked with USAJobs.gov, which bodes well for SAM.gov.

The real test for both SAM.gov and Login.gov will come over the next six weeks: whether the site and the service can handle the incoming use without crashing.


4 trends driving more suspension, debarment of vendors

The data from fiscal 2017 on the number of suspensions and debarments is not out yet, but federal procurement attorneys suspect the three-year decline will end.

It’s not that more federal contractors did the government wrong in 2017, or even that the laws governing suspension and debarment proceedings changed. Rather, procurement attorneys say the government is more aggressive in areas that were once rarely part of suspending and debarring officials’ discussion.

“I noticed in my experience that I was seeing suspension and debarment in places I had not seen them before, like at the end of a routine False Claims Act case. I’ve found it to be more likely to get a show cause letter than it used to be the case,” said Jonathan Aronie, a partner with Sheppard Mullin. “I went about looking to see if my experience was illustrative with what was going on in community generally and looked at the data and saw the trends.”

Aronie found the suspension and debarment officials were more likely to send letters based on:

  1. Stories in the media
  2. Suffering a data breach
  3. False Claims Act settlements
  4. The actions of an individual in a company who gets in trouble for something that has nothing to do with the business or its contracting efforts

“Suspension and debarment officials are not looking at guilt or innocence, but saying ‘we are seeing something and want to know if we should be afraid or not so come in and tell us,’” Aronie said. “SDOs are pretty good at letting the other processes run their course before making a decision, but they want to be alerted early on so they can track it and stay up to speed. SDOs are being more vigilant about things that, in theory, could harm the government’s interest. I don’t mind getting a question about a newspaper article, but I certainly wouldn’t expect someone to be suspended or debarred because of it.”

Congress has encouraged the Justice Department to become more aggressive over the past decade in holding contractors accountable. Suspensions rose to more than 1,000 and debarments increased to more than 1,900 in 2014 before tailing off in 2015 and 2016.

Aronie and others say agencies are issuing more “show cause” notices, meaning the vendor must tell the government why they shouldn’t be suspended.

Rob Burton, a former Office of Federal Procurement Policy deputy administrator and currently an attorney with Crowell & Moring, said the show cause notice gives the vendor an opportunity to present their case or rebut the allegations, while a notice of suspension or proposed debarment is a de facto debarment.

“It’s a nuisance, but you will not be irreparably harmed like you would be by a notice of proposed debarment,” Burton said. “OFPP and Congress should be touting the use of the ‘show cause’ process and encouraging more agencies to use it. The last thing they should issue is a notice of proposed debarment based on any of those reasons.”

Aronie said that for many of these trends, suspension and debarment officials want to see corrective actions or other steps the vendor took to stop these problems from happening again.

Bill Shook, a long-time procurement attorney who runs his own firm, said the trends are worrisome for several reasons.

Take the False Claims Act settlement trend as one example. He said usually in a settlement, the party paying the fine and DOJ agree not to identify any fault as part of the agreement.

“But with suspension and debarment officials, now you have to prove why you are presently responsible even though the False Claims Act issue happened years ago?” Shook said. “It’s a further criminalization of the procurement process where companies have to endure the requests for additional data in order to prove they are capable of doing business with government. It’s a paperwork process. I’ve sat with a company that is better equipped to do government contracts and they went through the False Claims Act process to get rid of attorney’s fees. Then the SDO asks for all of these records, and because debarment is capital punishment, you have to kiss the ring. That’s what’s happening with officials.”

Shook underscores his argument that suspension and debarment officials are exercising their power in a more aggressive manner by calling them “super contracting officers.”

“If you think about it, the contracting officer has the authority to determine the responsibility of a proposed awardee,” he said. “So SDOs are now assuming a greater role of super contracting officer for determination of responsibility and requiring contractors to further document and spend resources to justify an action of rogue employee or a False Claims Act settlement.”

Burton said he agreed that the current suspension and debarment process is broken and these trends are a symptom of that broken process.

“There needs to be some due process built into it,” he said. “The real gap in the procurement process is that a notice of proposed debarment is void of due process.”

Aronie said there are several things contractors can do to get ahead of any “show cause” notice.

“Contractors and their lawyers should be more willing to go into suspension and debarment officials beforehand and alert them if there is a potential problem,” he said. “You have to not fight the liability question in front of the SDOs, but you must go into these things knowing that the government was right and you have to show you are responsible. If you try to litigate the underlying issue, you are wasting time and good will because the SDOs are not interested. While lawyers can be helpful in the SDO process, at the end of the day, the official wants to look the company in the eye and hear what they have to say.”


Exclusive

NASA, Army technology leaders retire in time for summer

Gary Wang, former deputy CIO/G6 for the Army, at his retirement party.

Two long-time and well-respected federal IT executives are leaving federal service.

Gary Wang, the deputy chief information officer/G6 for the Army, retired May 31 after 35 years in government, while Jerry Davis, the chief information officer and director of IT at NASA Ames Research Center in California, will retire effective July 7.

Wang’s decision leaves a big hole in the career staff at the Army’s CIO/G6 office, with only Tom Sasala, the director of the Army Architecture Integration Center and chief data officer, remaining as its senior-most non-uniformed staff member.

‘Weaponizing the network’

Wang has been deputy CIO since 2014 and spent most of his career working for the Navy in civilian leadership roles.

During his time as deputy CIO, Wang helped usher the Army through several modernization efforts, including the final steps of enterprise email and the initial steps to move the service to the Joint Regional Security Stacks (JRSS).

In a presentation before the AFCEA Northern Virginia chapter in mid-May, Wang highlighted several ongoing initiatives that his replacement will need to pick up on, including consolidating network circuits and moving toward enterprise licenses for software.

“We are weaponizing the network to conduct offensive and defensive operations and we are using it for business things during the day,” he said. “Everything we do in CONUS depends on those networks, yet we have functional parts of the Army that continue to build their own separate networks. They don’t understand security and when it hits the fan, they ask for help. The idea is to converge some of those existing networks. Three years ago we started talking about convergence and getting all the operational networks behind the JRSS. We are starting to do that now.”

He said Army CIO/G6 Lt. Gen. Bruce Crawford’s priorities include:

  • Readiness to ensure the Army is prepared for the current and future battles from a technology perspective.
  • Modernization, including the networks, JRSS, building capacity and getting rid of old technology, including routers and switches, and moving to voice, video and text in the cloud.
  • Shaping the force to train the workforce to support the emerging technologies of today and what’s coming in the future.
  • Cyber policy focused on using a risk management framework to assess risk for programs and hold leaders accountable. “There are things we are looking at to apply automation to, and streamline processes,” Wang said.
  • Baseline enterprise initiatives like the JRSS and services in the cloud.

Wang began his federal career in 1983 at the Naval Underwater Systems Center as a project engineer. He later moved to the Navy’s Intelligence, Surveillance, Reconnaissance, and Information Operations, where he was a program manager responsible for developing and acquiring cryptologic, meteorological, operational effects and intelligence programs.

Wang joined the Senior Executive Service in 2005, serving in several roles at the Space and Naval Warfare Systems Command (SPAWAR), including director of Corporate Operations and command information officer, chief technology officer, and director of the Science, Technology and Engineering Department at SPAWAR Systems Center Pacific.

Wang earned his bachelor of science degree in electrical engineering from the University of Texas at Austin.

Sources say Wang is taking time off to travel with his family and has no known plans after the summer.

Always a patriot

Jerry Davis is retiring as NASA Ames CIO as of July 7th.

Over at NASA, Davis’ decision is a little more surprising, as he elected to enter into deferred retirement, according to an email sent to staff last Friday and obtained by Federal News Radio.

Deferred retirement is for employees who have reached the minimum retirement age based on the year they were born and have at least 10 years of federal service.

“I have a tremendous and profound respect for all of the staff in Code I [Ames IT organization]. During my first all hands I was very explicit when I said ‘no one works for me, we all work together.’ I have kept true to that rule ever since,” Davis writes in his email to staff. “Also, as I have said many times in the past, ‘In our haste, we often forget to say thank you.’ I must say thank you for propping me up and letting me be the face of the organization … Thank you for putting the center first before yourselves. Thank you for doing something bigger than yourselves.”

Davis said he would remain in the San Francisco area to continue to work on what he called, “in support of the science behind Moore’s law.”

“I have fought the good fight, I have finished the race, I have kept the faith. I have made sacrifices on behalf of our nation and when my country called, I showed up without hesitation. I have been a good patriot,” he said. “My federal time is over, but the memories are forever and I will always be a patriot.”

Davis began his career as an 18-year-old Marine and served a tour of combat during the first Gulf War.

He joined the CIA in 1994 and later joined the Education Department in 2004.

Davis also served as chief information security officer at the Veterans Affairs Department and NASA headquarters before moving to become the Ames CIO in 2013. Once there, he worked on modernizing Ames’ network while focusing on areas such as the convergence of cyber-physical systems.

“If I thought that being at NASA the first time opened doors for me, then coming to Ames opened an entire universe of possibilities and opportunities,” he wrote. “I have been able to use this incredible platform to reach the underserved and relay to them that anything is possible; that the persistent pursuit of passion is all one needs.”

During his career, Davis wasn’t one to shy away from speaking out about what he thought was right when it came to federal technology. He spoke out publicly about VA’s cybersecurity troubles, including alleging the agency was “rubber stamping” system cyber approvals.

One of his main priorities has been to improve NASA’s cybersecurity. He introduced a concept called Gryphon X to help secure critical infrastructure in a more active and proactive way, and also push the space agency back toward the front of the innovation pack.

“It’s not the technology that makes Ames special, rather it is its people,” he wrote. “People who definitely are in persistent pursuit of their passions and because of this, Ames can do just about anything. It is truly an amazing place full of amazing people.”

$50B Alliant 2 IT services contract gets the go-ahead for agency use


The Government Accountability Office still is not required to follow the Administrative Procedure Act.

The General Services Administration’s next great IT services governmentwide acquisition contract finally is through the protest gauntlet and soon will be ready for use. And the Treasury Department makes a surprising decision about the future of one of its multi-billion dollar multiple-award IT contracts on the heels of GSA getting the go-ahead for its contract.

These three events are part of a busy last several weeks in the federal acquisition community.

Federal procurement experts say the U.S. District Court’s decision that GAO continues to be exempt from the APA isn’t surprising. The act waives sovereign immunity only with respect to suits seeking relief other than money damages and challenging the action or inaction of an “agency.”

The court said GAO is not an “agency” by the definition in the law since it’s part of the legislative branch.

Rob Burton, an attorney with Crowell & Moring and a former deputy administrator in the Office of Federal Procurement Policy, said the district court’s decision reinforces that GAO is a unique entity and that the rules governing it differ from those governing any other.

“We who work with GAO regularly know it’s not part of the executive branch and the rules that apply to the executive branch do not always apply to the legislative branch,” he said. “But it’s fairly rare to have a disagreement with GAO over redactions to public protest decisions. Most of the time GAO is pretty good about it and I have never seen them act in an arbitrary way.”

The case the U.S. District Court said it didn’t have jurisdiction to rule on was from Pond Constructors, which was unhappy with GAO’s decision to publish, in a protest decision, information that Pond says is commercially confidential, including bottom-line prices, adjectival ratings and past performance information.

“Pond alleges that GAO’s refusal to redact this information from the decision is arbitrary and capricious in violation of the Administrative Procedure Act,” the court states.

Bill Shook, a long-time procurement attorney, said the decision reinforces a major hole in the federal acquisition system — vendors have no recourse if GAO rules against them.

“I’ve always complained that GAO has no procedures for appeal on decisions made by an attorney. Redactions are a perfect example of where I believe data has a commercial value under the Trade Secrets Act and there isn’t anything you can do to stop them from publishing it,” he said. “If GAO says no to your request, there is no review of that decision except for Congress and that’s not going to be successful.”

Shook said he recently had a situation with a client who was concerned that if their proprietary information was made public, they would lose what they see as a competitive advantage over their competition.

“If GAO decides to put out that data and their competitors can use that same process and my client loses those trade secrets,” he said. “You are relying upon the reasonableness of the GAO attorney. I got some of that information redacted, but not all of it.”

On the other hand, Shook said, if a vendor submits a protest to the Court of Federal Claims and a judge makes a decision about redactions that the parties don’t agree on, there is an appeals process to a higher court.

Burton added that any attorney has to view their relationship with GAO as a partnership and not an adversarial relationship.

“You have to be persuasive in the fact that the information is proprietary and would hurt the company if released. Sometimes that argument is hard to make,” he said. “Generally, people abide by the protective order and I’ve never seen a lot of proprietary information released by counsel. It just doesn’t happen as a general rule.”

GSA Alliant 2 beats protests

GSA also came out on top of a recent bid protest decision. Four vendors submitted complaints to the Court of Federal Claims after being left off of the $50 billion Alliant 2 IT services GWAC.

GSA awarded 61 vendors a spot on the unrestricted version of Alliant 2 in November.

Several unsuccessful bidders then took their cases to federal court, which ruled in GSA’s favor in early June.

GSA announced that Alliant 2 would be ready for other agency use starting on July 1.

“The court’s decisions further solidify the validity of GSA’s innovative procurement approach, highest technically rated offerors with a fair and reasonable price,” wrote John Cavadias, the GSA Alliant 2 GWAC Procuring Contracting Officer in the IT Services Contract Operations Division at the Federal Acquisition Service, in a blog post on GSA’s Interact site.

GSA said when it made the initial awards that Alliant 2 would be a key piece of the Trump administration’s IT modernization effort.

GSA made several changes to Alliant 2 from the initial contract awarded in 2009, including:

  • Flexibility as emerging technologies and the definition of information technology evolve.
  • Ancillary support (non-IT) permitted when it is integral to, and necessary for, the IT services-based outcome.
  • On-ramp and off-ramp provisions, ensuring retention of a highly-qualified pool of contractors.

The original Alliant contract has been popular with agencies, receiving 865 task orders worth more than $19 billion over the past 10 years.

The Army, Air Force, the Defense Department and the Homeland Security Department were the biggest users of Alliant by total obligations, while SAIC, Booz Allen Hamilton and Leidos were among the biggest winners among vendors by total sales.

IRS to use best-in-class contracts

On the heels of GSA’s win in court, Treasury decided not to recompete its large IT services contract known as TIPSS 4. Instead, the agency will let it expire in December and move all work to other governmentwide contracts.

“We, along with all other government procurement offices, have been mandated to acquire needed services and supplies from already established governmentwide and designated ‘Best-in-Class’ vehicles. Therefore, we are transitioning all current and future projects to GSA Schedule 70, GSA Alliant and/or Alliant-SB and other vehicles as we see appropriate,” the IRS writes on the TIPSS 4 website.

The IRS awarded the TIPSS 4 contract in 2010 to 33 vendors. It had a ceiling of $4 billion.

Bloomberg Government, which first reported the IRS’ decision, said the TIPSS-4 unrestricted and the TIPSS-4 small business contracts have generated $3.8 billion in spending obligations since 2011. Bloomberg says 63 companies have won task orders under the contract, led by Deloitte Touche ($688 million), Booz Allen Hamilton ($586 million), Northrop Grumman Corp. ($525 million) and IBM Corp. ($467 million).

The IRS’ decision not to renew TIPSS is a big deal given how popular it is compared with some of the best-in-class (BIC) vehicles: Bloomberg Government reported Treasury has spent a combined $232 million on those vehicles since 2010.

OFPP is pushing agencies to reduce duplicative contracts by 13 percent by 2020 under the category management initiative. This is among the first major wins for that effort.

OFPP currently says there are 32 contracts determined to be best-in-class.

Bloomberg Government also reported in 2017 that the number of multiple award contracts dropped by 239 over the last five years, while spending continues to increase to over $111 billion a year.

Another potential win to look out for is the DHS Eagle 3 acquisition.

Soraya Correa, DHS’ chief procurement officer, said at a recent industry day sponsored by Washington Technology that she sees the next-generation contract as much different than the current one.

“Between GSA, OMB, and agencies we created these best in class procurements where they provide a lot of generic services, so if there is a best in class procurement that fulfills our needs we will go to that first. We will see what they offer and see what’s out there,” Correa said. “We do have plans and are working with the DHS CIO’s office to create a follow-on to Eagle and Flash [agile procurement vehicle] and it will be a combined procurement that is more uniquely tailored to DHS’ needs around what we need to do now and in the future, and what our components’ needs are. It will not look exactly like Eagle 2. It will probably be pretty different.”

Correa said she envisions the same thing for the DHS First Source IT products contract as well.

The DHS IT Category Management council, made up of staff from the CIO and CPO offices, is identifying what the agency needs to work on, including assessing current best-in-class vehicles and discussing the requirements the agency will need in the future.

Correa gave no specific timeline for Eagle 3, but the current contract expires in 2020 so acquisition planning is underway.

House lawmakers express faith in IT modernization, but send a message too

House lawmakers offered a strong show of confidence in the Technology Modernization Fund (TMF) by allocating $150 million for fiscal 2019.

The House Appropriations Committee approved the Financial Services and General Government fiscal 2019 spending bill last week with the 50 percent increase of funds over the 2018 level.

“The committee encourages GSA and the TMF Board established by the Modernizing Government Technology Act to prioritize and fund those projects that have the most significant impact on mission enhancement and that most effectively modernize citizen-facing services, including updating public facing websites, modernizing forms and digitizing government processes,” the committee writes in the bill’s report.

At the same time, the committee also increased the IT Oversight and Reform (ITOR) fund run by the Office of Management and Budget to $25 million from $19 million as well as the Federal Citizen Services Fund to $55 million from $50 million this year. In all, the administration would receive about $230 million for IT modernization efforts.

At the same time, the committee warned the administration to offer more details on its plans.

“It is surprising, then, when staff charged with administering the new IT Modernization Fund refuse to share findings and respond to queries from the very committees that made the fund possible,” the report states. “The committee directs OMB and GSA to work more collaboratively with the relevant committees of jurisdiction in order to better evaluate the needs of agencies and opportunities for improving IT across government.”

The Senate Appropriations Subcommittee will mark up its version of the 2019 spending bill on Tuesday.

Still, all of this bodes well for the administration’s IT modernization efforts, which kicked into second gear with three awards by the TMF Board.

OMB recently released more specifics on how the departments of Housing and Urban Development, Agriculture and Energy plan to use the money to help satisfy committee concerns.

HUD, which received the biggest share of the $100 million so far, will use its $20 million to move five legacy services to the cloud.

“The current system is used by 30,000 users to access 100 HUD grant, subsidy, and loan programs that disburse $27 billion per year,” states OMB’s fact sheet. “According to HUD estimates, the code modernization and migration will save $8 million annually, enabling payback and generating working capital to transform additional legacy systems. The new modern platform will be a Java cloud-based application suite that will cost less to maintain and will enable functional and technical enhancements to be completed more rapidly and at lower cost.”

USDA received $10 million to further its Farmers.gov portal.

“This is an opportunity to update legacy systems and re-engineer processes and systems to reduce improper payments, address and resolve repeated financial audit findings, and properly connect these agency systems to the USDA common financial system,” OMB states about USDA’s proposal. “Without this funding, USDA would need to delay integrating this part of the process into the consolidated Farmers.gov Citizen Experience Portal in a later year when funds became available. However, with support from the TMF the project can be conducted at the same time as other enhancements to the Portal, faster.”

Energy will use its $15 million in TMF funding to quicken its pace to consolidate and migrate 64 separate email systems serving more than 184,000 mailboxes across the agency to a single cloud-based software.

“TMF investment will be used to migrate the 26 remaining email systems that service 47,080 mailboxes. With this migration, DOE will secure large scale operational benefits and cost savings,” OMB states. “Without this funding, DoE would need to conduct the migration of the remaining systems using a piecemeal approach, subject to fund availability. DOE anticipates it will have a greater ability to serve its mission more quickly across sites and capabilities, which will positively impact the American people. The operational benefits of this project include cost savings, increased efficiency, improved cyber posture and decreased operational risk.”

OMB is encouraging agencies to continue to submit proposals for a share of the remaining $55 million in the TMF for 2018. To that end, the CIO Council launched a website to help promote the selection criteria, provide documents and templates and answer common questions.

The board received nine proposals from seven agencies for this first round of projects, and many in the community have said the quality was lacking. If that is true, then that feedback, plus the House committee’s report language promoting a specific type of project, gives prospective agencies a lot of useful intelligence for winning future funding.

Breathing life into stagnant CIO authorities must begin with consistency

The White House’s latest attempt to give agency chief information officers a bigger seat at the table is filled with many of the same desires and hopes as the previous efforts over the last 22 years.

One of the main goals of President Donald Trump’s executive order from May 15 was to breathe life into stagnant CIO authorities.

“Structure dictates behavior and behavior dictates results,” said a senior administration official back in May. “The organizational structure is 20 years out of date in this area. As we looked at this problem over the last year and in consultation with experts in and out of government, we asked how do we do structural reforms to make sure the organization is governed in a modern way? We are fixing this governance problem in all agencies because too often CIOs have been relegated to the back office. This is a significant organizational change coming from the presidential level.”

But was the EO really needed? Are there enough laws — such as the Federal IT Acquisition Reform Act (FITARA) — policies and requirements on the books already that give CIOs enough authority to meet their oversight and operational responsibilities?

Federal News Radio put those questions to a group of former agency CIOs and IT executives who have more than 50 years of experience in the federal IT community among them. Their responses were edited for length and clarity:

What are some things in the EO that you would’ve wanted when you were an agency CIO?

Ann Dunkin, former Environmental Protection Agency CIO: I would have liked more authority to merge or reorganize agency IT functions to promote agencywide consolidation of the agency’s IT infrastructure, taking into account any recommendations of the relevant agency CIO. The individual IT organizations within EPA that don’t report to the CIO represent a significant percentage of the total IT in the agency. Some of that makes a great deal of sense, but some of it doesn’t, either because there would be efficiency gains or security improvements through consolidation, or simply because a group was a bit out of its depth in the IT functions it was responsible for. As EPA CIO I really had no way to change that. Now, this new authority doesn’t really do any good if it doesn’t get any easier to execute a reorganization to shift those functions and if department leadership doesn’t pay attention to the requirement.

Dan Chenok, former Information Policy and Technology branch chief at the Office of Management and Budget: The EO largely reinforces authorities that CIOs have had under prior law, but that were inconsistently applied. The focus on consistent application of CIO authority in the range of areas that impact IT performance, including investment strategy, cybersecurity, and hiring authority, promises to raise that performance across agencies. It would help drive governmentwide improvements in the use of IT. Also, the clear statement of CIO governance roles, combined with the focus on sensible IT consolidation, can streamline and strengthen CIO-led decision-making in each agency.

Pete Tseronis, former Department of Energy chief technology officer: While a good bit of the order reiterates what has been stated in past administration iterations, such as visibility into and control of IT investment, a few elements appear to have underscored the CIO significance and leadership. Specifically, setting the knowledge and skill standards for IT personnel and hiring authority. The Federal CIO maintains a position that requires both strategic and tactical proficiency.

Executive Order 13800 highlights the importance of IT personnel aptitude. The CIO must be in a position to lean on his or her softer skills to recruit, manage, and guide an array of individuals to implement the complexities of a digital transformation involving disparate tools, risks, and business models. Streamlining personnel recruitment so that agency CIOs can develop a state-of-the-art federal IT workforce is vitally important.

Do you think this EO was needed? Why or why not?

Charlie Armstrong, former Customs and Border Protection CIO: The need for the EO is debatable. It does clearly define the reporting relationship to the agency head. The challenge always comes down to money and prioritization. In the case of component agencies, they have a mission to get done. Component agency heads have to rack and stack investments not just with IT but with all the elements it takes to run the agency — personnel, vehicles, weapons, aircraft, real estate, etc. Consolidating, cloud migration, [digital] services, wide-area network modernization are all means to lowering costs and improving service. Securing information is an absolute need to protect information and ensure public confidence. It is a journey, not a short trip.

Jonathan Alboum, former Agriculture Department CIO: I believe the EO was needed in the sense that IT governance topics are really critical as we embark on IT modernization and digital transformation initiatives across government. In our rush to transform, it’s easy to overlook fundamental communication and change management requirements that are the real critical success factors for these efforts. By re-articulating that the CIO is the person ultimately responsible for all IT initiatives, it forces the organization to channel all of this work through a central office.

While there is a risk that this can become a bottleneck, I believe that it is outweighed by the opportunity to promote enterprise approaches and data sharing across government. There’s tremendous opportunity to reap value in the data in our federal systems, but there also needs to be more awareness into the visibility of that data, as data volumes are expected to grow rapidly, exacerbating current challenges. Without the strategy and planning that will result from the CIO being positioned as the “senior technical advisor,” agencies will face a lack of data visibility, increased risk, and complicated cloud migration paths that frequently result in vendor lock-in.

Simon Szykman, former Commerce Department CIO: I think the EO is important in that there are things that might not happen without it. But at the same time, while it is important, the EO in and of itself – despite its title – is not enough to ensure enhancement of the effectiveness of CIOs. [Section 4(c)] is merely a restatement of one of the provisions of FITARA, which was passed around three-and-a-half years ago. And of course the words don’t matter unless they are implemented. If these things have not happened three-and-a-half years after being legally required by statute, will an executive order make a difference? Maybe or maybe not, but if so, it’s not going to happen as a result of signing an EO; it’s going to happen because of action on the part of agency heads, and the White House and OMB holding agencies accountable.

Similarly, for Sections 5(a) and 5(b), it would have been great to have been empowered to do those things when I was a CIO, but an executive order on its own does not empower today’s CIOs with any more authority than I had. It takes the agency head executing the provisions of the EO to empower CIOs to achieve the desired outcomes. I think there are some agencies where we already saw things moving in this direction prior to the EO (e.g., USDA), but in other agencies, if the agency head is ambivalent toward the importance of these trends, change may be slow or minimal.

Dunkin: I’m of two minds about that. On the one hand, as I noted above, the EO should be unnecessary. Most of the items included in the EO were included in [the Clinger-Cohen Act] or FITARA. On the other hand, the previous efforts failed to generate the desired results. Don’t get me wrong, most agency and department CIOs are trying very hard to comply. However, antibodies in their own organizations, along with funding issues and misaligned incentives or inappropriate measures make compliance with some requirements difficult. So, if an EO can create different outcomes, then by all means, it’s necessary. That will require putting some teeth into enforcing the requirements. I suspect that they will get tested very quickly and that all agencies and departments will be watching to see if the White House is serious or if they can just continue to pick and choose when to comply.

What advice would you give to current CIOs when it comes to fulfilling the spirit and intent of laws and policies focused on CIO authorities?

Alboum: To support the success of FITARA and the agency as a whole, the CIO must create a culture of collaboration across the enterprise and learn to lead through influence, rather than direct control. They must create an environment that leverages the interdependent nature of what can seem like distinct component contributors across the agency’s various IT organizations. These groups are closer to the products and services they deliver to the public. They know their customers’ needs best. The CIO must be respectful of differences within these organizations, while also driving the agency’s IT community to adopt a common identity and enterprise approaches to IT. The best way to do this is to stay focused on your agency’s mission. The only reason IT exists and the spirit of all of these requirements is to ensure that IT is used effectively to drive positive program results. I encourage all CIOs to get out of the office and see their missions in action.

Charlie Armstrong retired as the CBP CIO in February 2016.

Armstrong: CIOs need to explain the value of investment and how it improves mission delivery and the risk of mission failure when investments are not made. The CIO should never forget they are at the table to support the mission. CIOs who put directives or policies in place to make IT more efficient without consideration for the mission will diminish the role of the CIO, not enhance it.

Tseronis: As technology continues its ubiquitous progression within the federal government, dependence on collaborative relationships with industry is so important to attain the vision of a secure, state-of-the-art, shared panorama of technology resources/services. Do not expect your leadership to tell you what to do. Do not wait for legislation to direct you what to do. Instead, leverage your authoritative role as the CIO to own, develop, and mature the supporting infrastructure that our nation’s federal workforce, agencies, and constituents depend on seven days a week, and twice on Sunday.

Szykman: Empowerment won’t happen by itself, nor can CIOs assert greater authority merely by pointing to an EO on a website. The empowerment will come from agency heads throwing their support and authority behind the CIO on all agency matters concerning IT management, governance, spending, etc. My advice would be to work closely with the agency head, or deputy in cases where the deputy serves in a chief management officer or chief operations officer role and is more involved in internal matters than the agency head. Build support for implementing FITARA and the EO, providing a business case for a change agenda. Even with the support from the agency head, it’s preferable to have change management be a team effort rather than an internal struggle over turf.

Without the broader support, CIOs may find themselves facing resistance to change from organizations that are entrenched in existing ways of doing things. Consequently, I would also recommend building relationships with senior leadership across the agency, component/bureau leadership and heads of major mission programs, and an accompanying communications strategy to gain support from affected organizations.

Chenok: Since the Clinger-Cohen Act first codified the position of a federal agency CIO in 1996, successful CIOs have leveraged law and policy to build coalitions with government and industry partners that drive collective progress in federal IT management. Rather than viewing law and policy requirements as a compliance activity, strong CIOs can use law and policy tools — including the recent EO — to lead mission improvement, efficient operations, and effective agency adoption of new technologies such as cloud and artificial intelligence.

For first time, OMB can paint the governmentwide cyber risk picture

The most important information in the cyber risk determination report issued back in mid-May by the Office of Management and Budget isn’t governmentwide data on 96 agencies or even the plans to consolidate security operations centers governmentwide. The most important highlight in the report, which was required under the May 2017 cyber executive order signed by President Donald Trump, is the ability to use the data to explain to non-IT executives why money needs to be spent, what actions need to be taken and why they are responsible for all of these ongoing cyber challenges.

“There is still a great deal of work to be done and OMB will work with agencies to intensify the ongoing focus on improved management of cybersecurity risk. Many of these efforts will be addressed, in part, through upcoming budget processes, which will utilize the risk report to drive strategic investment designed to buy down the federal government’s overall level of risk,” wrote Suzette Kent, the Federal Chief Information Officer, and Grant Schneider, the acting Federal Chief Information Security Officer and senior director for cybersecurity policy in the National Security Council, in a blog post.

An OMB senior adviser said the data in this report is not new by any means. Agency inspectors general publish it in the annual Federal Information Security Management Act (FISMA) report to Congress.

“This is not the first time we’ve had this view of risk, but it’s the first time we’ve shared that view governmentwide,” the adviser said. “Historically, it’s more of a one-on-one with the agencies. What we wanted to do, and the president wanted us to do, with this was determine what’s our starting point as baseline and then start moving forward.”

The difference here also is the clarity about what the problems are and the plans to fix them. And this is especially important given the concerns about a lack of centralized governmentwide cyber leadership without a named cyber coordinator or permanent federal CISO.

“What you will see in that is one of the most comprehensive risk assessments of 96 agencies. It was based on the updated NIST cyber framework and they have a much better understanding of the universe and cyber maturity of each of those agencies,” said Trevor Rudolph, a former chief of OMB’s cyber and national security team and now a cybersecurity policy fellow at New America, a think tank. “It’s not just understanding the maturity of each agency, but taking that maturity into account when figuring out appropriate resource levels. That is probably the highlight from the progress on the EO, in particular.”

The report found agencies struggle to identify, detect, respond to and, if necessary, recover from cyber incidents. OMB found 71 of 96 agencies (74 percent) participating in the process had cybersecurity programs that were either “at risk” or at “high risk.”

“OMB and the Homeland Security Department also found that federal agencies are not equipped to determine how threat actors seek to gain access to their information,” the report states. “The risk assessments show that the lack of threat information results in ineffective allocations of agencies’ limited cyber resources. This situation creates enterprisewide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.”

The most aggressive plan of action to begin to solve many of these problems is for agencies to consolidate their security operations centers (SOCs).

OMB and DHS found only 27 percent of agencies reported they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.

Source: OMB Risk Determination Report

“Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years,” the report states.

Mike Pitcher, the vice president of technical cyber services for Coalfire federal, said agencies do not have an understanding of true risk in part because of the limited visibility across their networks.

“The SOCs are largely an uncoordinated effort and rarely do we see agencies using ticketed items, so they are not making sure two people aren’t looking at the same thing within SOCs. There are a lot of stove pipes,” Pitcher said. “We’ve seen information sharing in the SOC as a big challenge.”

OMB and DHS expect the continuous diagnostics and mitigation (CDM) program to help considerably with network visibility, but the consolidation of SOCs is the key to improving all agencies.

“OMB, in partnership with DHS and the General Services Administration (GSA), is working to finalize a set of requirements for organizations to begin acquiring security operations center-as-a-service,” Kent and Schneider write. “This will allow agencies currently lacking adequate security to shift to managed security solutions and provide an option to address gaps in their existing defenses much more quickly. Some federated agencies are already consolidating their security operations centers to achieve greater enterprise visibility and increase the standardization of cybersecurity tools and capabilities.”

Source: OMB Risk Determination report.

A senior OMB adviser added that consolidating SOCs, or providing them as a service, will drive agencies to normalize the way they do IT operations.

“Some departments have 8-to-10 internal organizations so getting to one [cyber risk] score there will be important,” said the adviser, who spoke on background in order to talk to the press.

A second OMB adviser added that the new FISMA metrics, as well as the requirements in Circular A-11 around IT spending, will help the administration see where there is duplication, where the gaps exist and what needs to be done to fill them.

The new FISMA metrics are designed to focus on capabilities that directly correspond to mitigating threats identified in the Cyber Threat Framework issued by the Office of the Director of National Intelligence.

“DHS has also put the Cyber Threat Framework into practice via its .gov Cybersecurity Architecture Review (.govCAR) program, which is based on a tool developed by the National Security Agency for the Department of Defense to map defensive capabilities against intelligence-informed threat vectors,” Kent and Schneider write. “Though still in its early stages, the program has already identified existing gaps against certain adversary activities, allowing the government to remediate shortcomings.”

The adviser said OMB is raising the bar for agencies to improve situational awareness beyond the basics of CDM. The addition of the threat framework will give federal decision makers the insight and knowledge to prioritize cybersecurity investment and risk mitigation decisions through a hierarchical, structured, transparent, and repeatable methodology.

Source: OMB Risk Determination report.

The idea to consolidate SOCs isn’t new. OMB tried a version of it in 2005 with the security line of business. Then in 2016, OMB told agencies to designate a principal SOC to report to DHS for all incident response activities.

The first senior adviser said the risk report and the President’s Management Agenda are among the levers OMB can pull to make sure consolidations happen more quickly.

“We are setting performance expectations for how they meet these metrics and cross-agency priority goals,” said the first OMB senior adviser. “Some agencies can get straight there. For others it will be evolutionary, getting visibility and then getting centralization. Agencies will be accountable as they outsource or leverage another service provider. If an agency is not meeting these requirements then we can lean on them through budget or other political tools. We need to move toward a shared service.”

Coalfire’s Pitcher said, based on what his company is seeing in the CDM program, the best thing a report like this may do is get executives to ask for, and Congress to allocate, more money for cybersecurity.

Civilian agencies already are spending more than $5.6 billion on cybersecurity tools and services, but, as the risk report shows, significant gaps remain.

“The report helps with how we talk about threats so there is consistency with threat sharing,” he said. “Too often agencies are using funding to acquire solutions but they are not addressing what systems or networks the actors are exploiting. They also have many tools with overlapping functionality. I hope this report raises awareness and helps make sure budgets are allocated to the right places.”

Pressure on DoD to change JEDI cloud approach increases

The General Services Administration potentially could give the Defense Department a detour around what many in industry call a huge mistake: its JEDI cloud procurement.

Multiple industry sources say a meeting may be in the works among leaders of both agencies to offer suggestions for how to take the Joint Enterprise Defense Initiative (JEDI) in a different direction that many believe could lead to better results.

Industry sources say GSA should consider pushing DoD toward a multi-cloud approach using an agile cloud broker framework.

A rumored meeting between GSA and DoD executives on JEDI spread through industry last week, but multiple sources in government say no such meeting happened.

DoD spokeswoman Heather Babb said, “We are not aware of any such meeting. There is no change to the JEDI cloud acquisition strategy.”

A potential meeting could still happen, as sources say DoD and GSA have been looking to discuss the approach to JEDI since March.
