Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


Here’s how your agency can win some of the $100M IT modernization fund

There is a lot of excitement in the federal community to see which agencies will be first to get money under the Technology Modernization Fund (TMF).

If you remember, Congress created the TMF and allocated $100 million for fiscal 2018 as part of the Modernizing Government Technology (MGT) Act.

While the other piece of MGT, the individual agency working capital funds, has produced less excitement (only three agencies have committed to setting up new ones and nine said they will use existing working capital funds), the question of where the first tranche of awards from the centralized fund will go has been a hot topic at nearly every recent IT conference.

“The TMF Board reviews federal agencies’ submissions for modernization projects, common solutions, and recommends funding for projects that have the greatest impact, highest probability of success, a strong execution plan, and repayment model,” writes Federal Chief Information Officer Suzette Kent in a blog post on CIO.gov last Thursday.

Under the President’s Management Agenda, the IT modernization cross-agency goal has a target of launching “at least three initial projects selected for funding through the Technology Modernization Fund” by the third quarter of fiscal 2018, which ends in June.

In the meantime, the Office of Management and Budget and General Services Administration (GSA), which are running the TMF program office, are encouraging agencies to continue to submit proposals to the board.

This suggests that the individual awards will be on the smaller side and that there will be a steady stream of them over the course of 2018 and into 2019.

In fact, GSA is hosting a TMF proposal workshop on June 8 to help agencies apply for TMF funds.

The Technology Modernization Fund Program Management Office and GSA’s Emerging Citizen Technology Office (ECTO) also hosted a webinar on May 22 detailing some emerging trends and factors from the first round of proposals for agencies to consider.

Elizabeth Cain, executive director for the Technology Modernization Fund, and Justin Herman, the lead for the emerging citizen technology program at GSA, provided the first real insight into what the board is looking for in proposals and what gets a proposal to the second round of consideration.

From that webinar, here are the 10 facts I gathered that your agency should consider when applying for a share of the $100 million fund:

  • The TMF Board is interested in projects leveraging emerging technologies, including blockchain, robotic process automation (RPA) and artificial intelligence.
  • The board is looking at each proposal to answer two simple questions: “How does this investment affect the American people and what is the benefit to them?”
  • Many of the initial project proposals were two pages long, with the goal of getting feedback from the board quickly. The proposals must include details about the citizen-facing story, the desired technical solution, the payback model and current finances.
  • The board is using a “Shark Tank” approach for agencies to present their proposals.
  • There is no limit on the number of proposals an agency can submit. Some agencies have been submitting multiple proposals, and the board has moved multiple proposals from the same agency to phase 2.
  • The sweet spot for proposals has been between $2 million and $10 million. The board is interested in seeing what can be accomplished in the first year with the initial funding. That usually means a project where the board can see the agency achieving benefits quickly from the infusion of money, whether through better cybersecurity or better service to citizens. It also means the board can fund proposals from multiple agencies.
  • The board will make incremental transfers of funding to agencies, tied to milestones outlined in their plans. Additional transfers will come as the program hits further milestones.
  • There has been a lot of confusion about how the payback model will work. The Federal CIO’s office created frequently asked questions (FAQs) on the payback model. The first repayment must come within one year of the first transfer of funds, and the final repayment closing out the “loan” must come within five years of the last transfer of funds.
  • The board can work with an agency to reallocate payments and move repayments to another year if it needs more time, and the board has limited authority to extend repayment beyond five years with approval from OMB.
  • The TMF program management office can help agencies develop their proposals for the board. Cain is not a voting member of the board and can offer impartial advice on acquisition or technical approaches.

“We are at a critical turning point in our government for technology transformation,” Kent said at a recent event sponsored by Foreign Affairs and the Advanced Technology Academic Research Center (ATARC) in Washington, D.C. “The mandate has been made clear not only by our administration, but by our lawmakers and, most importantly, the expectations of American citizens in comparison to things that are going on in industry. The use of technology is central to how products and services are delivered today and it needs to be the central foundation of what we are doing on the government side.”

Kent said TMF and working capital funds are part of the creativity that CIOs need to bring into the role to overcome the stagnant IT spending over the last four years.

This is why OMB is pressing so hard for agencies to take advantage of the working capital funds and the central Technology Modernization Fund. It’s also why announcing the first set of projects and their milestones, and ensuring they are successful, may be even more important for the long-term fulfillment of the MGT Act.

Read more of Reporter’s Notebook


Getting under the hood of the FITARA 6.0 scorecard to find true IT reforms


The sixth version of the Federal IT Acquisition Reform Act (FITARA) scorecard wasn’t pretty. If Congress took away most agencies’ iPhones and grounded them for a week, it wouldn’t be surprising.

The House Oversight and Government Reform Committee released the grades last Tuesday and brought two of the agencies that are struggling with FITARA, the Defense and Agriculture departments, out to the woodshed to answer for their bad grades.

In all, five agencies saw their grades go up — the departments of Transportation, Labor, Energy and Health and Human Services and the National Science Foundation — while eight agencies stayed the same.

Meanwhile, 11 agencies saw their grades go down, most noticeably the U.S. Agency for International Development, which went from the only “A-” to a “C-” partly because it said its chief information officer doesn’t report directly to the administrator or deputy administrator.

For this version of the FITARA scorecard, the committee added two metrics, the CIO reporting structure and how agencies are implementing the Modernizing Government Technology Act, and tested a new cybersecurity metric based on agency inspector general reports and CIO self-evaluations.

“I want to note that we assign these grades not to shame agencies, but rather to incentivize certain behaviors that will save money and increase security. One area where we’ve increased pressure is the continued lack of a direct reporting structure from the CIO to the agency head,” said Rep. Will Hurd (R-Texas), chairman of the House subcommittee on IT. “Three agencies have reorganized to give the CIO direct access since our last scorecard. To incentivize the remaining nine agencies to change their reporting structures, we reduced their grades on Scorecard 6.0 by an entire letter grade. If every agency had a direct reporting structure, only two grades would have decreased on this scorecard. I urge the nine agencies that have still not changed their reporting structures to comply with Executive Order 13833 [on CIO authorities] and adjust their reporting structures without delay, and I will add that we have not heard any reason why this shouldn’t be changed immediately.”

The good news is at least some agencies are getting the message of how to improve IT management.

Since version 5 of the scorecard, the Department of Housing and Urban Development, the National Science Foundation and the Small Business Administration changed the reporting structures of their CIOs, and USDA Deputy Assistant Secretary for Administration Donald Bice promised the committee that by the next scorecard, Gary Washington, the Agriculture CIO, would report directly to the secretary or deputy secretary.

Here are my three takeaways from the hearing:

Few want MGT Act working capital funds

Only three agencies plan to set up new working capital funds to save money to put toward IT modernization efforts as authorized under the Modernizing Government Technology (MGT) Act.

The SBA, DHS and the Labor Department were the only agencies to tell the House Oversight and Government Reform Committee about their plans to take advantage of the MGT Act.

Of the other 21 agencies, 12 told the committee they weren’t planning to set up a new working capital fund, and of those 12, nine planned to use existing working capital funds for IT modernization savings.

Three agencies — the departments of Commerce, Defense and Justice — didn’t answer the committee’s request, and five others said either maybe or didn’t make it clear if they would take advantage of the authorities.

The decision by agencies not to establish a working capital fund was one of three main drivers of several poor grades under the FITARA scorecard, and it was probably the main source of frustration for Hurd and Rep. Gerry Connolly (D-Va.), the subcommittee’s ranking member and a co-author of FITARA.

“I believe that the changes to the FITARA scorecard continue to accurately measure each agency’s ability to manage the IT it has and the IT it seeks to acquire,” Connolly said.

USDA was one of those agencies that plans to use its existing working capital fund to save and set aside money for IT modernization.

Lynn Moaney, USDA’s acting chief financial officer, told the committee that the agency has been working with OMB to bring savings from IT modernization into its current working capital fund, but will track the money separately so Washington, the CIO, can use the savings as necessary.

In many ways, it’s not surprising agencies didn’t jump at the chance to set up new WCFs. Back in November, we reported that 17 agencies already had existing “bank accounts,” and in September 2016, we reported that one of the obstacles the MGT Act had to get past was Senate concerns over the working capital funds.

At the same time, if agencies truly can set aside savings, and CFOs and others in the agencies don’t try to snatch the money from CIOs’ wallets, then the concept is the real win under the MGT Act.

Grades don’t tell the entire story

You have to dig deeper into the latest scorecard to really understand the state of federal IT reforms.

Yes, overall grades went down or stayed the same for most agencies. But when you break down areas like incremental development or software license management, the results look much different.

Start with incremental development. The committee gave 15 agencies “A” grades and four agencies “F” grades. But when you look at what’s going on, the Government Accountability Office’s David Powner, the director of IT management issues, said 87 percent of all federal IT programs use incremental or agile development, up from 58 percent in 2014.

Under data center consolidation, five agencies received “Fs” and two earned “Ds.” Again, Powner highlighted the progress: agencies are on pace to close more than 7,000 of 12,000 data centers and save $4 billion by September.

Agencies continue to struggle to implement the MEGABYTE Act, which requires them to keep a software inventory and consolidate duplicative software licenses. While the committee handed out 14 Fs, Powner said GAO expects agencies to reduce the number of software licenses and save more than $340 million governmentwide this year, which he pointed out is three times the amount in the Technology Modernization Fund created under the MGT Act.

Let’s continue to dig deeper into the use of PortfolioStat, the Obama administration’s initiative to manage IT spending across agencies. The scorecard shows four “Fs,” five “Ds” and five “Cs.” But, once again, the committee says all agencies are reporting savings from better management of IT, and the Department of Health and Human Services increased its savings by $148 million over the last six months.

Powner made one fair point about agency progress that should be noted here. He said if all agencies did some basic things (required the CIO to report to the head of the agency, established a working capital fund under the MGT Act and established a software license inventory), almost every agency’s grade would change. More importantly, GAO’s research has shown these changes lead to better IT management and oversight, so agencies can better meet their missions.

Still, the point here is to show that while the top-line grades remained stagnant at best for yet another reporting period, the progress is meaningful and real. The committee shouldn’t lose sight of that, given how difficult it is to turn this battleship.

DoD has 6 months to fulfill promises

New DoD CIO Dana Deasy had been on the job for only 13 days before coming before the committee.

But he has promised to make changes, including reviewing the number of people with the title of CIO in the Fourth Estate, which encompasses nearly every DoD organization that is not a military service. Currently, 35 people hold the title of CIO across those agencies, which include the Defense Contract Management Agency, the Washington Headquarters Services and the National Security Agency.

Hurd asked both Mark Easton, the deputy CFO of DoD, and Kevin Fahey, DoD’s assistant secretary for acquisition, whether there should be only one CIO.

“There should be only one CIO,” Easton said. “There is only one CFO. I think that the tone at the top that currently exists with the new team the thinking is the same. It’s expensive not to have an enterprise perspective and not have someone at top of the enterprise.”

Fahey agreed that there should be one CIO at the top of DoD.

But beyond the question of the CIO, DoD struggled with every other part of the scorecard and Deasy seems to understand he needs to make some changes not because it will lead to better grades, but because it’s the right thing to do for the Pentagon.

“If you had been in my conference room while I was preparing for this hearing, I said to the team, ‘Put aside the scorecard. Are these not fundamental things we need to do to be a great IT organization?’ I’m looking to improve upon the culture of the IT organization, and doing things for the right reasons, not just for the scorecard,” he said. “That will drive the right behavior and get to better outcomes. I’m not sure what it will take in terms of timing.”

To that end, Deasy said DoD will complete its first software license inventory by December.

Easton added that DoD will take a look at the MGT Act and decide whether its current working capital fund is sufficient or whether it wants to set up a new one. Either way, he said Deasy would have authority over the money that comes from IT savings.

“We’ve committed to reviewing our current WCF [working capital funds] and come back with a plan this summer to ensure capability is available in DoD,” Easton said.

That plan was among several promises DoD made at the hearing. So the question isn’t about whether they will deliver, but what happens if they don’t. There isn’t a better agency that Hurd, Connolly and the committee could make an example of in order to show how serious they are about improving how the government manages and buys IT.



First of 3 new cyber policies overhauls review, repair of critical systems

When federal Chief Information Officer Suzette Kent spoke on May 9 at the Justice Department’s cyber symposium, she teased the fact that three new cyber policies were coming soon.

At the time, she said in the next 30 days, the Office of Management and Budget and the Homeland Security Department would issue updated guidance on the Trusted Internet Connection (TIC), cloud computing and managing high-value assets.

Little did we know at the time, DHS had issued a new Binding Operational Directive (BOD) two days earlier to change the way civilian agencies manage high-value assets (HVAs).

DHS published the BOD on Friday, more than two weeks after Kent spoke. It details new requirements, expands the use of risk and vulnerability assessments (RVAs) and security architecture reviews (SARs), and extends the set of agencies that must report the systems and data that matter most to them from just the CFO Act agencies to every civilian agency across government.

“Based on operational insights and lessons learned, DHS is enhancing its approach to conducting these [RVA and SAR] engagements to provide agencies with improved results and findings by expanding system scope, refining assessment methodologies, and using less-constrained penetration testing approaches to resemble tactics, techniques, and procedures used by advanced threat actors attempting to gain unauthorized access,” DHS states in the May 7 directive.

This new BOD replaces the one DHS issued in 2016 that created the focus on and protection of HVAs for the largest agencies.

Joe Stuntz, the vice president of client services and cybersecurity practice leader at One World Identity and a former policy lead for the OMB’s cyber and national security unit, said the BOD moves agencies closer to addressing cyber risk from an enterprise perspective.

“Performing system architecture reviews is really important. It’s good to talk about protecting HVAs when you are building new stuff, but it’s hard when dealing with the legacy systems the government has. So by doing architecture reviews you can see where the faults and issues are being put into the system and where design changes are needed,” Stuntz said in an interview. “It’s not just about patching everything, but architecture reviews could help fix a system at the fundamental level. SARs for all HVAs is important because it’s also helpful to understand system interfaces, because if you don’t understand where it’s connecting and sending data to, you will be less effective in securing the enterprise.”

Another major change in the new BOD is when DHS can perform penetration testing.

“Agencies shall impose no restrictions on the timing and/or frequency of the assessments, the services to be provided by DHS, or the scope of systems that are part of or related to the HVA being assessed,” the BOD states.

Stuntz and other former federal cyber officials say this is an important change because agencies had been trying to tell DHS not to test their systems during certain times of the day or weeks of the month, but the reality is hackers don’t take days off. The BOD removes those limits on DHS’ access to assess risk and no longer puts the government at a disadvantage to its adversaries.

Over the last two years, DHS conducted 100 RVAs, and it plans to do another 60 in 2018 alone. DHS says the RVA and SAR efforts are making a big difference, with agencies reducing the time to patch critical vulnerabilities to 10 to 15 days on average, down from 200 days in 2014.

John Banghart, a senior director for technology risk management at Venable and a former director of federal cybersecurity at the National Security Council under President Barack Obama, said this change also signals the trust agencies have in DHS.

“I think what we’ve seen thanks to the great leadership at DHS, people like [former DHS Deputy Undersecretary for Cybersecurity and Communications for the National Protection and Programs Directorate] Phyllis Schneck and now [current DHS Assistant Secretary for Cybersecurity and Communications] Jeanette Manfra and [the nominee to be the new Undersecretary of NPPD] Chris Krebs, the use of the BOD has been backed by an allocation of resources and expertise that really help agencies,” Banghart said in an interview. “It’s not just DHS telling them do this or that, but telling them here is what we need to do and here is how we will get you there. Agencies are trusting DHS to come help them and that goes to the overarching mindset that we are one large government agency and we are under attack in an interconnected environment.”

Stuntz agreed that the maturation of DHS and the high-value asset process led to the expansion of the BOD.

“The BOD sets in clear language that this is a priority and DHS has approval and authority to do what they need to do,” he said. “Agencies should not try to reschedule or limit them as the agency would not get the value and are wasting the capacity the government has. So the language in the BOD gives DHS the freedom to do what they need to do.”

The BOD didn’t resonate with everyone.

John Pescatore, the director of emerging security trends at the SANS Institute, said while he is supportive of focusing on HVAs, the BOD is too much of a compliance exercise. Instead, any BOD should give agencies specific actions to take and be more tactical.

“The downside of the HVA approach is historically if agencies say, ‘If I call this major application or now a HVA, and I don’t fix it quickly, I’ll get yelled at,’ so there always has been a reluctance to call something a high-value asset or a major application,” he said in an interview. “When NIST created the risk management framework, all agencies were supposed to create a risk rating for each system. What’s missing in all of this is if the government just focused on raising the security hygiene for everything instead of making 24 agencies report similar stuff, they’d be better off.”

Pescatore said he is a fan of BODs like the one for email and web security, which required agencies to encrypt web traffic with HTTPS. He said the government took leadership in requiring agencies to use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol.

“When the BOD is another level of paperwork and to look at things, I’m not sure that increases the security of them,” he said. “Doing something increases security, but throwing new requirements over the transom hasn’t been as effective historically.”

Stuntz and Banghart say the 2016 BOD has been effective and changed the way agencies protect their systems and data.

“Agencies now have two years of experience working with DHS, and, at least publicly, we haven’t heard anything breaking or shutting down because of these efforts,” Stuntz said. “Agencies know what DHS can do and they are coming in to help get more information and better prioritization. DHS provided that value back so hopefully they are more open to gaining more upfront. I do find it interesting that DHS runs the process, but OMB has a role in the selection of HVAs that get analyzed. I think that’s important from an enterprise risk perspective, and if it can be coordinated with the IT modernization efforts, that could make it even more valuable.”



One of longest serving CIOs adds to his résumé with new council role

Maybe it has something to do with the time of year, but the number of federal executives on the move is a bit unsettling.

Let’s start with some good news. Joe Klimavicz, the Justice Department chief information officer, received some much-deserved recognition for his leadership in bringing change to the agencies he works for by being elected as the new vice chairman of the CIO Council.

Klimavicz replaces Luke McCormack, the former Homeland Security Department CIO who retired in January 2017.

Klimavicz has been the Justice CIO since April 2014 and has been making progress in integrating DoJ’s technology, consolidating email systems from 23 to 9 and promoting shared services.

The vice chairman role, previously held by Dave Wennergren and Richard Spires as well as McCormack, traditionally has helped bridge the political and career technology managers.

It’s a smart move by federal CIO Suzette Kent to have both Klimavicz, who is one of the longest tenured CIOs, and Margie Graves, the deputy federal CIO, to help her navigate the often confusing and tricky world of federal IT.

The Environmental Protection Agency and DHS also are starting to fill some IT executive holes in their lineups.

EPA named Rob McKinney to be the new chief information security officer.

Sources confirmed McKinney ascends from his acting position to the permanent CISO role. McKinney has been with EPA since 2010 and previously worked at the National Weather Service and Veterans Affairs Department in cyber executive positions.

Over at DHS, John Zangardi, the new CIO, is trying to stay ahead of the talent wave that is crashing around him.

Since January, DHS has lost its chief technology officer, a senior technology adviser and its chief information security officer, while its deputy CTO left in October.

Zangardi named Paul Beckman as DHS’ new CISO in April, and now is bringing in Joe Harris from FEMA to be the new executive director of the IT services organization to replace Jim Flanagan, who is retiring.

He’s also renaming the CTO role from chief technology officer to chief technical officer.

“One of my roles in DHS is I’m the IT technical authority and I want to make sure we are focused on the technical,” Zangardi said at the DHS industry day sponsored by Washington Technology on Friday in McLean, Virginia. “We’ve picked an individual and we are going through that SES hiring process with OPM.”

Zangardi will continue to be busy filling holes in his staff.

Darryl Peek, the DHS director of digital innovation and solutions, is leaving to join Salesforce after five years in government.

Peek joined DHS’ federal network resilience group in 2013 and moved to the CIO’s staff in June 2016.

Additionally, Barry West, who has been a senior adviser and deputy CIO for DHS, announced he is retiring on May 31.

And finally, Josh Ziman, who was in charge of the DHS initiative called Cloud Factory, left in April to join Cisco as a service delivery manager, according to his LinkedIn page. Cloud Factory is DHS’ shared services capability for providing a fully automated provisioning and delivery lifecycle for cloud services.

Two other departures also are worth mentioning.

Jon Johnson, the General Services Administration’s director of enterprise mobility for the last five years, is moving to industry.

Sources confirmed his last day is June 1. It’s unclear where he will go. Industry sources say he will remain in the federal market.

“I will not be going far and will remain here in DC working from the private sector to continue to advance technology in a smart, meaningful, impactful, mission-driven way that drives efficiency and effectiveness of mission and operations across government,” Johnson wrote in an email sent to industry associates and obtained by Federal News Radio. “That desire, and that role, will not change. The only thing that changes is where I will be doing this from.”

Johnson joined GSA in 2009 as a contracting officer and began working on mobility initiatives in 2012.

He led the governmentwide Mobile Services Category Team, which has helped agencies save more than $500 million on mobile devices and services through better management and buying.

Today, agencies are paying on average almost $20 a month less for mobile services and devices with some paying as much as $30 less because of the team’s work.

Jonathan Benett, the Agriculture Department’s chief enterprise architect, left government after a decade and will join Adobe Systems’ public sector team in June.

“It was a very difficult decision because of my love of the USDA mission and public service. But sometimes when an incredible opportunity comes your way … you have to take a leap of faith!” Benett said in an email to colleagues, which Federal News Radio obtained.

He joined the government in 2008 to lead the project management office at the Patent and Trademark Office in the Commerce Department and then moved to USDA where he worked in a variety of roles.

Benett also is well known for his volunteer activity in the federal community, holding executive board positions for ACT/IAC, AFCEA Bethesda and AFFIRM, and most recently he was the government chairman of the Young AFCEA Bethesda Government Advisory Council and co-founder/chairman of the Federal Project Management Community of Practice.



Decision to consolidate cyber roles in NSC creates broader uncertainty across federal initiatives

Last week’s abundance of cybersecurity news makes it hard to know where to start.

We could begin by looking back over the last year at the accomplishments of the Trump administration, since May 11 was the one-year anniversary of the cybersecurity executive order.

The Office of Management and Budget released the first-ever cyber risk management report as part of fulfilling one of the more than 50 deliverables under the 2017 order. A teaser: Next week’s notebook will have more on that report.

Or, we could dig deeper into two new cyber strategies from the Homeland Security and Energy departments.

And then we have the news around the White House cyber coordinator position and National Security Adviser John Bolton’s decision to eliminate the specific role and add its responsibilities to existing positions. Rob Joyce left the role to return to the National Security Agency.

But all of this cyber activity over the last week really leads us to take the temperature of the administration’s initiatives over the past year.

Authority, accountability and resources

Most experts were more than happy to focus on the White House cyber coordinator role as part of the initial checkup. And despite views ranging from serious concern to limited hopefulness, experts said agencies are more secure and better prepared to deal with cyber incidents and threats than ever before.

“The thing that stands out is the fact that there hasn’t been a lot of news around cybersecurity over the last year. In the sense that the policies and things that this administration has pursued really go back to the Bush administration, so there is a strong line of continuation across the Bush, Obama and now Trump administrations,” said Michael Daniel, former White House cybersecurity coordinator and now president and CEO of the Cyber Threat Alliance. “How they are thinking about federal network security and continuing to work away at expanding things like the continuous diagnostics and mitigation (CDM) program, and moving to much more of a shared services model and to cloud services — all of those things are continuing to move forward. At the same time, you continue to see how much of a real struggle it is to make progress in those areas if you don’t have clear pressure from the top.”

And that pressure from the top depends on three key roles: the White House cyber coordinator, the federal chief information officer and the federal chief information security officer. Two of the three now lack a permanent occupant; only the federal CIO position is filled.

Frank Cilluffo, the director of the Center for Cyber and Homeland Security at the George Washington University, said any major government initiative needs to meet three criteria to be successful: Authority, accountability and resources.

With the decision to move the White House cyber role and the lack of a permanent federal CISO, either a lot will ride on Suzette Kent, the federal CIO, and her cyber staff at the Office of Management and Budget or the leaders at the National Security Council will have to make their plans public.

“When looking at the EO, I’m not sure who is now holding all the agencies to account given that was largely [former White House Homeland Security Adviser] Tom Bossert and Joyce’s roles in the past,” Cilluffo said. “With any strategy, it’s fair to say we have to be in the position to translate nouns into verbs. I was a big proponent of many of the EO’s issues, but it’s the hard part to implement and execute strategy.”

Unified cybersecurity approach advocated

Cilluffo, like many experts, is not in favor of the National Security Council eliminating the cyber coordinator position.

A common refrain from Daniel, Cilluffo and others was that eliminating the named positions distracts from the unity of effort that is needed to address cyber threats and incidents.

Kate Charlet, a former acting deputy assistant secretary of defense for cyber policy in the Defense Department and now program director of Technology and International Affairs at the Carnegie Endowment for International Peace, said that unlike other issues where maybe only a handful of agencies are involved, the old adage that cyber needs a whole-of-government approach has never been more true.

“With cyber, you have DHS, Justice, Commerce, Energy, State, the NSC and so many others which all care about cyber policy issues. There is so much interagency wrangling that goes on, it takes a huge amount of bandwidth so having that extra authority that came with the cyber coordinator position was needed to deal with all the actors involved,” Charlet said. “There will be other areas impacted more than federal cybersecurity because you still have [acting federal CISO and White House Senior Director] Grant Schneider, who I expect to continue to be responsible for federal cybersecurity.”

Daniel added the lack of a cyber coordinator means the federal CISO becomes more important to further drive progress on federal network security.

“You have to have somebody focused on that as their day job,” he said.

Daniel said he and others recognize the president and the NSC director have the right to rearrange the council as they see fit.

“From an operational perspective, a lot depends on what they now decide to do. Are they going to make both positions a special assistant to the president and senior directors? That approach has implications on how those positions interact with other agencies,” he said. “Are they splitting the director into two positions, and who will have responsibility for what? A huge part of the role is herding the cats by spending time to get agencies into alignment. The NSC is special in that you can’t order them to do something. They are not directive positions. Your job is to bring people together, reach consensus, persuade and use the convening power of NSC to achieve your goals. It does take time to do all that.”

Robert Palladino, the NSC’s spokesman, said the council’s cyber office has two capable senior directors who will coordinate cyber matters and policy.

“As they sit 6 feet apart from one another, they will be able to coordinate in real time,” he said in a statement. “[Thursday’s] actions continue an effort to empower National Security Council senior directors. Streamlining management will improve efficiency, reduce bureaucracy and increase accountability.”

Permanent CISO uncertain

The consolidation of the cyber coordinator role also casts more uncertainty on whether the administration will name a permanent federal CISO.

Trevor Rudolph, a former chief of OMB’s cyber and national security team and now a cybersecurity policy fellow at New America, a think tank, said the decision to remove the White House coordinator position strengthens the hand of the federal CIO around cyber issues.

“I think that individual needs to take a serious look at updating the Federal Information Security Management Act (FISMA), strengthen agency CISO authorities, and from that it will logically flow to formalize the federal CISO position and figure out once and for all what authorities are needed, the federal CISO’s relationship with DoD and the intelligence community,” he said. “I think we need to figure out the federal CISO’s roles and authorities before you name an official. It would be a mistake to name someone without first understanding their roles and authorities.”

Rudolph said that, stepping back from the White House and federal CISO discussions, the bigger issue is whether these decisions and others are part of a state of complacency or numbness that many people in and out of government feel because of the constant stream of cyber attacks.

“How you right that ship is by having a strong leader in the White House around cyber,” he said.

And that could come from the cyber coordinator’s role, the new NSC positions or even a federal CISO.

So while the debate over the cyber coordinator’s role continues, the telltale sign will come the next time there is a cyber incident in which a whole-of-government response is needed. Will it be more like WannaCry or more like Heartbleed?

“We need a coach to know how pieces all align and where they don’t, and we need someone to have visibility across all the initiatives agencies are doing and need someone to hold them to account. That was a big takeaway with the EO, and I’m not sure who is assuming that function right now,” Cilluffo said. “Clearly progress has been made. I know that agencies and OMB are delivering on some of those EO requirements. But how all of those pieces are being integrated into a cohesive whole was one of the primary functions of the cyber coordinator. We are not fully clear on how some of those gaps will be backfilled right now.”


For transparency at GSA, squeaky wheel finally gets a little oil

It’s a bit too early to pop the champagne and begin celebrating. But when Emily Murphy, the administrator of the General Services Administration, announced a new pilot this fall that would begin to shed some light on the schedules program, my heart skipped a beat.

For the better part of a decade, I have been asking — sometimes nicely, other times less so — for GSA to make requests for proposals, requests for information and contract awards under the schedules program visible for non-schedule holders.

So there I was at the Coalition for Government Procurement’s (CGP) spring conference in Falls Church, Virginia, on May 16 when Murphy dropped the news.

“If we are trying to attract vendors and customers to our schedules being clear about what is actually bought is really helpful,” Murphy said at the event. “One of the areas GSA is looking at starting for next fiscal year is a pilot in the agency so after award using e-Buy, GSA would publish its own statements of work. We would publish the results of this so we would be clear what it is we are buying from the schedules. I asked for defined metrics for how we will decide whether that’s a successful buy. It’s an area I’m excited about because it goes back to those principles of transparency and increasing competition.”

Now it’s just a pilot, and it doesn’t start for several months. But the fact that Murphy and others such as Alan Thomas, the Federal Acquisition Commissioner; Mary Davie, the FAS deputy commissioner; and many others recognized this as a shortcoming and are willing to try something is a major step forward.

4 priorities for newest GSA admin

The news about the planned pilot was one of several specific examples of her plans Murphy brought to CGP’s annual event. For reasons of full disclosure, CGP has a show called Off the Shelf on Federal News Radio.

Murphy started by driving home her four overarching priorities with each speech and each interview over the last five months. She then put some details behind those four priorities of increasing competition, ethical leadership, increasing transparency and reducing duplication.

From all signs, if GSA can accomplish many of these initiatives, Murphy’s tenure will live up to expectations.

The biggest lift may be in modernizing the federal payroll providers. GSA issued a pre-solicitation notice on May 17 for a 10-to-13-year contract worth upwards of $2.5 billion.

GSA wrote on the notice that it plans to “compete its requirement to modernize the Payroll and Work Schedule and Leave Management (WSLM) ecosystem. The competition will be conducted among holders of GSA IT Schedule 70 contracts, SINs 132-40 and 132-51. The government expects to award one or more Blanket Purchase Agreements (BPAs) under which orders may be placed directly by participating federal agencies.”

GSA expects to issue the final request for quotes in June.

“Under the President’s Management Agenda, GSA is charged to be the co-lead with the Office of Management and Budget to provide quality services,” Murphy said. “I think it’s always important to remember that the goal is to provide quality shared services, not just shared services.”

She added that the government spends $28.6 billion a year on administrative services, and speculated that if surveyed, federal executives would say they were unhappy with the quality of those services.

“If you are going to spend nearly $30 billion, you want to be happy with the results,” she said. “For GSA, the challenge is not can we put together another contract vehicle. It’s how can [we] go out and help agencies. To be very clear this is not something GSA is doing to another agency or is doing for another agency — this is something GSA is doing with other agencies.”

She said the shared services effort is about agreeing on what is needed and then coming up with the best solutions for everyone. That could mean a common set of contracts or designating agencies to provide the services or a single provider supplying a service to all others, such as the Treasury Department processing payments.

“One area that OMB and GSA have been working with agencies right now is putting together a checklist on how ready are you to transition to a new payroll system,” Murphy said. “Instead of saying, ‘We have [a] new contract, everyone move,’ it’s a quarter-by-quarter, month-by-month set of items to make sure we are ready to transition. This isn’t an overnight solution. This is a 10-year process GSA has sketched out with OMB. The end goal is savings and a better service.”

New shared services strategy explored

Maybe the biggest differences in this shared services effort are the use of software-as-a-service and the broad recognition that providers need to make a “profit” to ensure they can continually upgrade their services.

To that end, Murphy said many of these shared services will be contracts for commercial services with at least three solutions.

“One area I’ve asked everyone to look at also is whether we could use a model somewhat similar to the EIS model for networks, where we retain a portion of the fees to pay for the next round of transition so we are not finding ourselves in a few years locked into one solution without the ability to pay for the transition to the next. Let’s start planning for transition now,” she said. “In other cases, it could be that GSA, instead of helping to support contracts for the SaaS or commercial services, is instead helping agencies better align the personnel and providing them with support to manage the systems they already have as they prepare for transition.”

Another opportunity GSA is exploring for shared services is around document digitization to meet the National Archives and Records Administration’s requirements.

“OMB came to us asking about NARA’s requirements for digitization, and we were able to say we have two new special item numbers (SINs) under the schedules program that could help agencies with that,” Murphy said. “Now we are working with them on how to leverage the schedules to adopt digitalization and records management solutions.”


What’s in the BHAG for Transportation Dept.’s IT modernization?

Watch out for the BHAGs at the Department of Transportation.

What is a BHAG, you may ask? Well, it stands for “big hairy audacious goals,” and it’s DOT Chief Information Officer Vicki Hildebrand’s plan to continue the agency’s IT modernization effort.

Hildebrand, who joined DOT in October, sees a lot of money that the agency is misspending and could be redirected toward new systems and better services.

“After about two or three months of observing, learning and asking questions, I got the team together and we talked about where we want to go, what our vision was and what it would take to get there,” Hildebrand said after a panel discussion at the CIO Summit sponsored by Foreign Affairs and the Advanced Technology Academic Research Center (ATARC) in Washington, D.C. “We started a series of six study teams and four work streams and we have official details assigned from the modes. Some of the CIOs leading them and some of the leadership from my organization are leading the teams making this a truly departmentwide initiative.”

She said nine BHAGs are under her Destinations Digital strategy:

  1. Strengthen the federal IT workforce
  2. Eliminate 1 million hours of burden
  3. Modernize multimodal processes
  4. Reduce malicious cyber incidents
  5. Shrink the IT footprint
  6. Implement intelligence software
  7. Promote transportation cybersecurity
  8. Expand self-service options
  9. Retain savings

“We are [very] federated with nine modes of transportation. We were operating very independently and we are bringing the modes together to develop departmentwide strategies,” she said. “We have more help desks across the agency than we should ever have. This is one example of an opportunity [to] collaborate on the back end.”

Spend wisely

DOT has so much misdirected spending that Hildebrand said when it comes to accessing potential dollars from the governmentwide central fund under the Modernizing Government Technology Act, she neither wanted nor needed any money.

“We have a lot of spend out there that we need to spend more wisely,” she said. “I’m actually doing many of the same things that are happening over at [Agriculture Department], but we are doing it internally and evoking the Federal IT Acquisition Reform Act (FITARA) to make that happen.”

Hildebrand was referring to USDA being a “lighthouse agency” to pilot the centers of excellence (CoE) effort under the IT modernization initiative from the Trump administration.

DOT launched the study teams earlier this month and they already have devised several potential short- and long-term changes.

“I was surprised when I got here because the government gets charged more than the private sector for IT services, and sometimes the services aren’t quite as good,” Hildebrand said. “I’m challenging that. I’ve seen the price tag from the private sector, and we need to compete more. I know part of that is it’s more challenging to procure in the government than in the private sector, but we have to shake things up. We are spending more money on things than we need to.”

Learning from the past

Hildebrand is picking up many of the initiatives started under former DOT CIO Richard McKinney, who left in January 2017. McKinney used FITARA to break through the culture plaque that had built up over the years by freezing IT spending across the agency until he could have better visibility, going so far as suspending a modal’s access to the internet until a cyber vulnerability was fixed.

Hildebrand said she has talked to McKinney and is taking advantage of the foundation he laid. And that is why her IT modernization efforts are not on hold until the BHAGs get going.

Hildebrand said her office recently consolidated some back-end functions and saved more than $1 million by reducing the number of contractors DOT worked with to provide the services.

“In terms of a new application, we just have a prototype at this point,” she said. “We had taken one of our applications offline and we had some issues with it and it has been down for some time. We needed to do something quickly and I wanted to use that opportunity to demonstrate that software doesn’t take multiple years and multiple millions of dollars to do.”

She said DOT used design-centered thinking to address this customer-facing system.

The modernization effort is not being done in a silo either. She said the acquisition, financial and human resources communities within DOT also are part of these teams.

“I always say IT exists for the mission and we can’t be successful without the support of the rest of the department,” Hildebrand said.

The biggest challenge she faces is, like any political appointee, to win over the career staff. She said to do that, it’s all about the quick victories such as the software or contractor consolidation examples.

“I understand the modal CIOs don’t know what to make of me. Part of that is because they have heard it before, and I think there is this sense that the ‘Christmas help,’ as I’ve been called, come in and talk big and nothing happens,” she said. “This is not the first time the career folks have been through this. If I were in that role, I’d understand who is this person and what are they doing with my job.”

That’s why she knows building up that body of accomplishments is so important. It also takes listening to career folks to keep her out of hot spots and create a very different DOT.


SSA bid protest win demonstrates power of acquisition to protect the supply chains

The White House is considering two new executive orders to address growing threats to the federal supply chain.

Sources confirmed the executive orders focus on two major areas: telecommunications and federal procurement.

The New York Times reported on May 2 that the White House was drafting an EO that would ban agencies and possibly contractors from buying telecommunications equipment from Chinese firms, including Huawei and ZTE.

The second order and corresponding policy, sources said, would extend the supply chain threats into the federal procurement arena even further. Details on the second order were vague, but sources said these steps are part of the growing public recognition that the federal supply chain continues to face serious risks.

At the same time, House Armed Services Committee lawmakers approved a provision in the fiscal 2019 Defense Authorization bill that would ban agencies from buying equipment from telecommunications companies owned, controlled or partly managed by the Chinese government, such as Huawei and ZTE.

Under the provision, every agency by Jan. 1, 2021 would have to stop using ZTE, Huawei or any other equipment or services either directly or indirectly through a third party that is connected to the Chinese government.

“This section would require the head of an agency to submit to the specified committees a plan to phase in the prohibition in this section, including with respect to the ‘white label’ problem,” the NDAA states. “This section would also permit the head of an agency to provide an additional 2-year waiver if he determines it is appropriate to allow an entity to terminate its use of covered telecommunications equipment and he can demonstrate certain other conditions have been met.”

In another congressional action, lawmakers on the House Appropriations Subcommittee on Commerce, Justice, State and related agencies added supply chain provisions to the 2019 spending bill.

The provisions in the draft bill released May 8 would require the agencies that fall under this subcommittee to review criteria of companies providing systems at the moderate and high levels, review the possible risk of the awardees particularly around cyber espionage and then send a report of that determination to the House and Senate appropriations committees and their respective inspectors general.

While a lot of these efforts are for public show, the real action to secure the federal procurement supply chain can be found one level down within the agencies.

A good example of this happened recently with the Social Security Administration. SSA issued a solicitation for printers and associated equipment and services. As part of the request for quote, SSA required a supply chain risk assessment of the awardee — including an assessment of any subcontractors, suppliers, distributors and manufacturers involved in the awardee’s supply chain.

Among the nine factors SSA said it wanted to review were:

  • The foreign ownership or control of the apparent awardee, or its subcontractors or suppliers;
  • The degree to which the apparent awardee and its subcontractors or suppliers maintain formal security programs, that include personnel, information, physical, cyber security, and supply chain risk management programs;
  • The locations of the manufacturing facilities where the hardware and software are designed, manufactured, packaged and stored prior to distribution.

The procurement received a lot of interest from a handful of bidders, and the supply chain requirements even worried a few.

Iron Bow submitted a pre-award protest first to the Government Accountability Office and then to the Court of Federal Claims after GAO dismissed the complaint. Iron Bow said SSA’s decision to disqualify it was “irrational.” SSA downselected Iron Bow out of the competition because the printers the company proposed to use under the contract were from Lexmark. SSA said the Lexmark devices were “an unacceptable supply chain risk to the government” because the Chinese government’s interest in the company was greater than SSA initially recognized.

You can read the entire court case here. The upshot is the Court of Federal Claims ruled that SSA conducted the supply chain risk assessment in accordance with the terms of the RFQ, and that the agency reasonably concluded that the printers proposed by Iron Bow presented unacceptable risks to the government’s supply chain.

This is an important case for several reasons.

First, it drives home a key point about supply chain risk that Bill Evanina, the director of the National Counterintelligence and Security Center (NCSC) in the Office of the Director of National Intelligence, said at a recent event sponsored by the Intelligence and National Security Alliance (INSA).

“You can have the best cyber program in your company and you can hire a private cybersecurity firm who has the best software, but if your procurement and acquisition folks are not part of the team, you will fail,” Evanina said. “Our adversaries, that’s how they get us, through procurement and acquisition programs. If you are a chief information security officer or chief information officer, are you aware of all the procurement being done by your company — to buy new printers, scanners, faxes, PBX switches, routers — probably not.”

He said agencies are required to do some basic research, such as finding out who is on the company’s board of directors, who its subcontractors are and who is on the ownership team.

“The Defense Department does this every single day. We do National Intelligence Determinations for companies who want to do business with the government all the time. It’s a big process,” he said. “Private sector needs to do this more often. Understand who your suppliers of the suppliers are because our adversaries strike us with the subs and subs of subs.”

Evanina said agencies and companies need mitigation plans as well as opportunities to exercise those strategies, similar to what organizations need to do with cyber intrusions.

The second point the court’s decision for SSA drives home concerns vendors, who need more help to ensure the security of their supply chains as agencies continue to ask for more details.

Eric Crusius, a partner with the Holland and Knight law firm, said he sees more and more clients asking for assistance to make sure they are compliant with laws and regulations.

“The fact is there are supply chain requirements in procurements themselves and if a company, generally speaking, thinks it’s the wrong approach, they should protest it before bids are due on solicitation,” he said. “Otherwise you are agreeing for the government to evaluate your supply chain as part of the overall evaluation process.”

Crusius said companies need to go beyond just the minimal level of compliance.

“It’s not just meeting the legal requirements of supply chain risk management, but sometimes companies have to look at it from a practical and business standpoint,” he said. “As a prime contractor, you are responsible for the entire chain below you, and that is not always practical. So you should do a risk analysis and see where it leads you down the supply chain, and then you can make smarter decisions, and maybe even change suppliers if you can’t ensure the security of the vendor.”

There are several other cases like that of SSA that highlight similar points. For instance in 2018, the Commerce Department upgraded its supercomputers and decided not to go with Lenovo, which had bought IBM’s x86 server business — the type of servers NOAA bought previously. Instead, Commerce brought in Dell systems after concerns increased about Lenovo’s relationship with the Chinese government.

Supply chain risk management also played a big role in another recent Commerce Department acquisition for cybersecurity services.

In the request for proposals, Commerce required the vendor to have supply chain risk management expertise on staff covering 16 different skill sets, including conducting research and analysis, preparing situational awareness briefings and conducting individual assessments for internal department customers buying technology.

Evanina said many organizations don’t have effective supply chain risk management programs, but as with cyber 5 or 7 years ago, there’s a growing understanding of why it’s important.

“We spend a lot of time with DoD and others training acquisition folks to understand the threats that manifest in contracts,” he said. “The contracting world is something we have to hurry up and train and make them aware of threats.”


FBI boosts IT efforts to protect itself from rogue employees

The one challenge facing every agency where IT innovation and modernization could make a huge difference is defending against the insider threat.

So it shouldn’t come as a surprise to anyone that the FBI is making IT innovation and insider threat synonymous.

Roger Stanton, the assistant director of the insider threat office for the FBI, said for the bureau it’s more than just protecting information and people. The new technology can help address the culture challenges of a force of alpha males and females.

“I have two types of employees, creators and system people. Creators are those people who are out on the edge, in the white space, driving to create a capability that does not exist yet,” said Stanton, who joined the FBI’s insider threat office about a year ago. “Then I have the system people who are between the four corners of policies and regulations, and they get things done and they do it within the systems. I have also found they drive each other crazy because the creators want to be out there on the fringe that will be the next great thing, and the system people are the ones who say, ‘You can create that iPhone, but if you can’t deliver to the customers, then our business is going to fail.’”

Speaking at the Justice Department’s cyber symposium on May 9, Stanton said having a healthy tension between the two groups is a good thing, but it also makes leading them more difficult.

To help address the people side of the insider threat challenge, Stanton said the FBI is launching two new platforms.

The first one will help the FBI do a better job of understanding the possible threats within its three investigative elements — security violations, internal misconduct and internal espionage.

“We manage those referrals and we make sure we are monitoring every referral that comes into completion so it’s my job to make sure collaboration is emphasized and maximized,” he said. “We use this software application, we call Javelin, it’s home grown, and it manages referrals. What we do to make sure the big three get a benefit from entering referrals into the system and monitoring them is we pull from our holdings so when you type in an individual’s name, it throws a bunch of information at you, whether it’s the history of polygraph exams, any incidents they have been associated with in the past and any investigative information.”

Through privileged user access, when a referral comes into the insider threat office, the investigator is the only one who has access to the case and information.

The second application is called the Insider Threat Analysis Platform (InTAP), which is the FBI’s big data analytics tool that looks at potential models, triggers and the data sets it has to identify potential threats to the organization.

Stanton said analytics receive the data and decide whether it needs to be referred to an investigator.

“We are developing that now. We are at initial operating capability for that,” he said. “Until that final capability is issued, and everyone in the insider threat program knows that anyone who says they have this [issue] licked, they lose credibility with us because it’s a continual examination of your internal business processes, your culture, the applications that are unique to your organization, that is what an insider threat program is. And because they change and modify, we have to change with it.”

Stanton said the FBI doesn’t talk too often about this program, as it’s concerned about adversaries taking advantage of its strategies.

This is why getting this look inside the FBI — pun intended — is worthwhile. This is especially true since October will mark seven years since President Barack Obama signed an executive order requiring agencies to implement an insider threat detection and prevention program and, for the most part, they have struggled.

Until the FBI can fully launch its InTAP application, it’s relying on its legacy approach, using bulk derogatory data records checks in which it looks at different triggers and models.

“We take our 70,000 employees, contractors and detailees and throw it against certain data sets that might be an indication that there could be misconduct or could be a risk posed by that insider based on the modeling and triggers we do,” he said. “The FBI takes great research to work with its intelligence community partners to push information sharing about how we are modeling or identifying insider threats, and what we think behavior analytics should be for that. It’s a huge challenge because it’s another thing that changes as cultural things change as the way we communicate changes.”

All of these efforts are overseen by an Insider Threat Risk Board, which is run by the associate deputy director of the FBI and includes all the executive assistant directors and assistant directors involved with insider threat matters, including human resources, financial management, technology and others. The board meets quarterly to review the FBI’s critical assets and what potential risks they are facing.

“Key vulnerabilities are business processes. How do we go about our day-to-day operations? What sort of vulnerabilities may be there?” he said. “One example could be how we escort visitors into the building. Each individual office had its own policy, and when we looked at them some were good and some were great. A business process across the whole FBI can be improved so those good ones could be great.”

Stanton said the FBI identifies those risks every two years, when the risk board directs the entire organization to think through which critical assets and business processes are vulnerable to insider threats.

From that, the board comes up with a manageable list of risks, based on the highest or most critical vulnerabilities.

“My office has a critical asset vulnerabilities assessment team and they will do a ‘red team’ approach to look at everything around that asset or business process and try to identify any gaps or vulnerabilities that are posed by an insider,” Stanton said.

Once the team finds the gaps or vulnerabilities, communication and training are used to fix any potential or real problems.

While the FBI’s requirements for protecting against insider threats may be more rigorous than those of many other agencies, there is no reason these two platforms couldn’t become shared services for other agencies, especially given that shared services are one of the administration’s priorities.

Read more of the Reporter’s Notebook.


Some House lawmakers want special procurement rules for e-commerce platform

The House Armed Services Committee isn’t sitting idle while the General Services Administration comes up with an implementation strategy for the e-commerce portal, otherwise known as the “Amazon amendment,” over the next nine months.

Once again, lawmakers are trying to disrupt the federal procurement system before the paint is even picked, let alone dry, on the e-commerce portal. The committee approved a provision in the fiscal 2019 Defense Authorization bill that would raise the micro-purchase threshold (MPT) to $25,000 from $10,000 for all purchases through the forthcoming e-commerce portal.

“The committee expects the commercial e-commerce portals would simplify and streamline the defense acquisition process as well as provide better transparency,” the bill that passed the committee on May 10 states.

GSA also recommended increasing the micro-purchase threshold to $25,000 in its initial implementation plan sent to Congress in March.

Additionally, the bill includes language that would increase the micro-purchase threshold for all other buying approaches across DoD to $10,000 from $5,000. In the 2018 version of the NDAA, all non-DoD agencies received the MPT increase from $3,500 to $10,000.

This latest action by the House committee likely will add to the growing anxiety about the e-commerce portal.

“Everyone who saw that report on first sight was a little taken aback as it was a little unexpected in the defense authorization bill,” said Angela Styles, a former administrator in the Office of Federal Procurement Policy and now a partner with the law firm Bracewell in Washington, D.C., on the Off the Shelf program. “We have no idea what the ramifications will be with the increase. What worries me is the lack of transparency. We as taxpayers will have no idea of what’s going on and to raise the micro-purchase threshold to $25,000 is a huge increase. I think the real question is why increase it to $25,000 before we know what $10,000 looks like?”

Styles wasn’t alone in her concerns about the increase of the MPT.

Jonathan Etherton, a former DoD and congressional executive and now founder of Etherton and Associates, a consultancy for federal contractors, said he too was surprised and thought the rationale by the committee “wasn’t compelling.”

Jonathan Aronie, a partner with the law firm Sheppard Mullin, said there are both costs and advantages to raising the micro-purchase threshold, including opening up the government to more products from overseas, including China. He said the increase would reduce accountability and competition, which would have a dramatic effect on agencies and vendors alike.

The concerns about Chinese products, including supply chain risks (see my other notebook item) are so strong that the National Association of Wholesaler-Distributors wrote to President Donald Trump on April 20 expressing serious reservations about the increase of the MPT to $25,000.

“The proposal confounds Executive Order 13788, Buy American and Hire American (April 18, 2017). Instead of fostering the purchase of U.S. goods and products by government agencies, it circumvents and dilutes your Executive Order’s commitment,” writes NAW, which represents approximately 30,000 enterprises of all sizes that employ more than 5.9 million workers in the U.S. “By more than doubling the micro-purchase ceiling, it will expand enormously the foreign products purchased by the government. Its breadth collapses the compliance structure mandated by the Buy American Act and your Executive Order.”

Additionally, NAW writes that GSA hasn’t conducted a cost-benefit analysis and doesn’t seem to be considering one.

“Section 846 fundamentally restructures the way the federal government acquires commercial products. NAW agrees with what we understand to be Section 846’s purpose: to improve the commercial product acquisition process,” the letter states. “We have conveyed to the Congress and to GSA that only meaningful competition at platform and supplier levels will afford fair opportunities to participate and give federal agencies broad choices at competitive pricing. GSA’s jettisoning Buy American Act obligations is wrong. Moreover, the momentum implementing Section 846 is toward the ‘Amazon Amendment’ model and is to the detriment of countless private sector stakeholders, the federal government and taxpayers. It will generate potentially several billions of dollars annually in fees to what will at best be an extremely limited number of commercial e-commerce portal providers. The disparate, specialized and unique requirements of many federal agencies will be compromised.”

The association asked the president and Congress to have GSA withdraw its suggestion to increase the MPT and reconsider its overall plan.

Jim Anderson, NAW’s vice president for government relations, told Federal News Radio that the association hasn’t heard back from the White House and continues to educate lawmakers about their concerns.

At the same time, the National Office Products Alliance (NOPA) and the Office Furniture Dealers Alliance (OFDA) are holding a “fly-in” on Monday and Tuesday to meet with lawmakers.

NOPA and other organizations, such as the Institute for Local Self-Reliance, are worried about the e-commerce portal as part of Amazon’s growing influence.

“An important aspect of Amazon’s lobbying strategy will no doubt be how it is a friend to U.S. small businesses rather than a competitor and that using the Amazon Marketplace for federal government purchases will be beneficial to small and medium businesses,” wrote NOPA in a release after Amazon released its Small Business Impact Report in May. “Indeed, that was part of Amazon’s message back in January when the GSA asked for stakeholder input into the proposed federal e-commerce portal. Amazon identified four areas for the GSA to consider: ‘using commercial terms and conditions and commercial practices; enabling robust competition; enhancing opportunities for small and disadvantaged businesses; and encouraging the availability of tools to simplify compliance.’ As U.S. business products associations NOPA and OFDA prepare for their small business advocacy fly-in to Washington later this month, they will be mindful of Amazon’s efforts to portray itself as a platform that underpins small business growth and job creation.”

In its report, Amazon states more than 1 million small and medium sized businesses sell through Amazon, including more than 300,000 who started in 2017, and those firms account for an estimated 900,000 new jobs.

Styles and other experts agreed that GSA needs to do more homework and research to really understand the impact of many of its proposals, including increasing the micro-purchase threshold.

“They have to go out and talk to disinterested companies,” Styles said. “You can have an industry day, but all of those who attended have an interest, so GSA needs to talk to companies out there and learn how they are buying. I think legislative proposals are premature. It’s unusual to have access to GSA thinking and I think they may have some second thoughts after doing more research.”

Etherton added the House provisions to increase the micro-purchase threshold also seem a bit premature given GSA isn’t expected to implement the portal until 2020.

All the more reason why some vendors are so concerned about the House’s effort to put the cart well before the horse.


