Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Defense Digital Service’s ‘cease and desist’ letter to industry group symptom of larger communications problems


The Defense Department’s problems with its commercial cloud procurement known as JEDI really can be traced back to one thing: Poor communication with industry.

In talking with industry experts and contractors, all the concerns and anxieties over the Pentagon’s goal of a single cloud award or the question of whether the DoD is copying Amazon’s secret cloud for the CIA and the intelligence community could be alleviated with more in-depth and hearty discussions.

And what may be at the heart of this issue are the “experts” from the Defense Digital Service running the initiative, who observers say need to be more open to ideas and less egotistical.

A perfect case-in-point of DDS letting its ego get in its way is its treatment of John Weiler and the IT-Acquisition Advisory Council (IT-AAC) he leads.

Weiler and the IT-AAC, which includes a who’s who of former DoD technology and acquisition executives such as Marv Langston, a former Navy chief information officer, and Kevin Carroll, the former Army Program Executive Officer-Enterprise Information Systems (PEO-EIS) director, received a “cease and desist” letter from DDS and Tim Van Name, its deputy director.

In an email to Weiler from Jan. 26, Van Name said the “Defense Digital Service (DDS) team feel harassed by the insistent calls and messages they are receiving from you, including on their personal phones and accounts.”

Yes, Weiler is known in the federal IT and acquisition community for both his passion for fixing federal IT problems, as well as for his almost obsessive need to make waves and see controversy in almost every corner.

When you mention Weiler’s name to current and former DoD executives, it comes with both an uncomfortable laugh and an understanding that Weiler’s doggedness is appreciated — up to a point.

At the same time, IT-AAC and his for-profit company the Interoperability Clearinghouse have provided valuable assistance to a host of agencies, including the Navy, the Air Force and the National Reconnaissance Office, that has helped fix troubled programs.

The back story of why Van Name decided to write a “cease and desist” letter is not entirely clear.

DoD spokeswoman Heather Babb refused to answer specific questions about Van Name’s letter, sending only a general statement about DoD’s work with industry around JEDI.

“The department is committed to a transparent process and a full and open competition to acquire a cloud services solution through the Joint Enterprise Defense Infrastructure (JEDI) Cloud Initiative. The department has been engaging with industry throughout this process to ensure it develops the best cloud solution for the warfighter,” Babb wrote. “The department appreciates industry’s participation in the draft solicitation process. DoD is confident that these inputs will help us refine and clarify the requirement so that we can provide the best capability for the warfighter.”

Babb highlighted the same statistics about JEDI that we’ve seen over the last few months — more than 1,000 questions from 46 companies on the first draft request for proposal, a round two of questions is under consideration for the version 2 of the draft RFP and more than 900 attendees at the industry day in March.

And when Weiler pressed Van Name for more details on the alleged harassment, he received no answer.

I called Weiler to get his side of the story. He said starting in November he engaged DDS, offering lessons learned from their experiences with cloud acquisition.

“They were receptive,” he said. “We told them things like leverage standards, and then focus on the outcomes and what problems you are trying to solve, and don’t be overly prescriptive. We said we can help you when you are ready.”

Weiler sent DDS a white paper on agile acquisition a few weeks later. Weiler said he remembers Sharon Woods, the DDS general counsel, telling him at an event to give her a call to discuss IT-AAC’s ideas further.

So over about a 30-day period, Weiler said he called the DDS office about 12 times, called DDS executives’ personal cellphones based on the recommendation of a former digital service employee who said that’s the main way they communicate, and sent a handful of emails.

“It’s hard to get anyone to answer the phone at DDS. And when I did, it seemed like no one was getting the messages,” Weiler said. “I’m expecting a call back and wasn’t getting one so I called back. I followed up on a communication thread where there was apparent interest in IT-AAC’s help.”

Weiler admitted he was maybe making more phone calls than he normally would, but he cited the lack of response from DDS and said a reply, even someone saying “thanks but no thanks,” was all he was looking for.

“I was trying to find out information and get an answer. I was asking for transparency,” he said. “I was never told they weren’t interested and to stop calling. I just got the letter. If they would’ve called and told me to go away, I would’ve sent one final letter explaining IT-AAC’s concerns, and then gone away.”

Weiler, obviously, was quite upset over the “cease and desist” letter. When I asked others in the federal community if they’ve ever heard of DoD or any agency telling an industry organization to only go through the press office with communications going forward, no one could remember such an instance.

And that claim by Van Name, that Weiler was “harassing” DDS, is the symptom of DoD’s larger problem with the JEDI procurement: thinking they know everything already.

An industry expert who is following JEDI closely said DoD could’ve been more forthcoming with its plans for JEDI, and there is no reason why it hasn’t.

“It either has been a conscious decision or a result of factors that we can’t see — inexperience or incompetence,” said the industry expert, who requested anonymity in order not to hurt their relationship with DoD. “The lack of answers in the Q&As with the draft RFP leaves you wondering why. Do they not know the answer, or do they know the answer and industry will not like it so they don’t want to give it, or is it something else? DoD has done the same thing with some past procurements like the Air Force tanker where they didn’t answer questions and it caused a lot of challenges for industry.”

Roger Waldron, the president of the Coalition for Government Procurement, said it’s unclear why DoD wasn’t more willing to engage with industry.

“I think DoD’s efforts created a ‘check the box’ impression because between industry day and draft RFPs their efforts were not optimal. They put out the draft RFP and then gave companies two weeks to respond, and then many of the answers to many questions were just ‘noted’ instead of giving more details, that left a lot of people wondering,” he said. “Then with the next draft RFP, DoD gave another two-week timeframe, which also was too short. It’s not a textbook example that you’d use in an acquisition training course for how to run a large procurement.”

And now DoD’s communication shortcomings are almost forcing Congress to get involved.

First in the fiscal 2018 omnibus spending bill, lawmakers asked DoD for a report to justify its approach to JEDI. DoD is expected to deliver that report by May 7.

The latest example of Congressional concern is a new provision in the House version of the 2019 Defense Authorization bill.

“Prohibits the Department of Defense from using 50 percent of the funds authorized to be appropriated for the JEDI cloud initiative, until the Secretary of Defense provides Congress with information sufficient to conduct oversight of the acquisition,” the chairman’s version of the NDAA states.

The industry expert said while the NDAA provision looks like a big deal, by the time the bill becomes law, JEDI will be well down the path of award and/or protest making the provision almost moot.

“People want answers to questions, and at the end of the day the stakes are so high that competitors want to understand the framework, the innovation, the security and how DoD will foster continuing competitions,” Waldron said. “All are fair questions and the lack of communication on answers, and the lack of a public cost-benefit analysis of single award versus a multi-award approach created a lot of the concerns.”

There are few people who believe JEDI will ever get off the ground. Either it will crumble under its own weight, get hung up in protests for the next year and eventually just go away or Congress will ramp up its pressure forcing DoD to make changes.

And all of this time, resources and effort could still be saved if DoD just opens up to be more forthcoming and holds meaningful meetings with industry.


7 ways to make category management more responsive to small businesses

This is part two of a two-part look at OFPP’s version 3 category management strategies. In last week’s Reporter’s Notebook, I looked at the goals of the new strategies such as attempting once again to reduce contract duplication.

The small business community has a right to be concerned with the Office of Federal Procurement Policy’s reinvigorated category management initiative.

History hasn’t been kind to small firms when it comes to big, bold initiatives to better manage spending or reduce costs, or, as is the case for category management, all of the above and more.

The small business community remembers OFPP’s strategic sourcing efforts. The Obama administration talked a good talk about small businesses winning a bigger piece of the pie in areas such as office supplies. But the administration failed to recognize that a smaller number of firms winning a larger percentage does as much harm to the industrial base as a larger number winning a smaller percentage of contracts.

With the Trump administration’s latest set of category management plans, small business is one of four main focus areas across the 10 spending categories, which agencies spend more than $294.1 billion a year on.

According to version 3 of the strategic plans, which Federal News Radio obtained, OFPP and the Category Management Leadership Council (CMLC) determined each category should target 13 percent-to-50 percent of their spending to small firms. The goals include 39 percent in the IT category, 50 percent in the office management area and 33 percent for professional services.

But the plans also raised serious concerns from the federal small business directors about whether category management and small business as a socioeconomic policy can live in harmony. So far, the harmony has been hard to come by as a recent study found the number of small firms winning prime contracts is down by 25 percent since 2010.

“While the committee is encouraged by the expressed of the Office of Federal Procurement Policy to further small business goal achievements, the committee’s review identified opportunities to strengthen aspects of the general approach of the plans to promote small business participation,” wrote Denise Sirmons, chairwoman of the committee and director of the OSDBU office at the Environmental Protection Agency, in a letter to OFPP, which Federal News Radio also obtained.

The Office of Small and Disadvantaged Business Utilization Council’s category management committee, and Robb Wong, the associate administrator in the Small Business Administration’s Office of Government Contracting and Business Development, wrote to OFPP detailing recommendations to make the strategic plans more responsive to small business concerns.

The recommendations include:

  • Ensuring accountability for small business participation by developing key performance indicators and expanding the metrics to include specific goals for each socioeconomic category.
  • Performing data analysis of how many socioeconomic small firms already are included in best-in-class (BIC) contracts and whether both the total contract value and vendor base are enough to support all the goals of category management.
  • Clarifying through policy or communications that category management, reducing contract duplication and the emphasis to use best-in-class contracts do not conflict with current acquisition regulations and laws.
  • Developing a more transparent methodology to calculate cost savings, which is particularly important given the regulations require a cost-benefit analysis for consolidated requirements.
  • Ensuring each BIC has on-ramps, particularly for firms in the socioeconomic programs.
  • Satisfying mandatory set-aside requirements under policy and law.
  • Requiring prime contractors to provide data on how they are meeting their subcontracting plans.

Stacy Riggs, the acting director for the category management governmentwide program management office, said in an email to Federal News Radio that the OFPP, the SBA and the OSDBU Council have been collaborating to “align goals, collaborate on improvements and develop data intelligence to ensure agencies can continue to meet their small business procurement goals as they implement category management principles.”

“We also have developed tools and dashboards to help agencies understand and optimize their usage of well-managed contracts, and to find identify small businesses to meet their needs,” she said. “Moving forward, we will continue to work with OSDBUs, SBA and across government to grow existing capabilities (e.g., governmentwide category management dashboards, all small Mentor-Protégé Program, 8(a) Business Development Program, best-in-class contract on- and off-ramping, and supporting policies) and innovate new methods for maximizing opportunities for small businesses.”

Lesley Field, the acting OFPP administrator, also expressed the commitment to small firms.

“We have conducted a deep analysis of the current state on all BICs. Currently 45 percent of spend and 75 percent of the vendors are small business,” Field said in an email to Federal News Radio. “Many of the best-in-class solutions have pools or groups that are set aside exclusively for small business (e.g., OASIS and BMO). Other best-in-class solutions allow set asides at the order level, consistent with existing regulations and the Small Business Jobs Act. Several of the best-in-class contracts have on/off ramps.”

Field said category managers have identified requirements for a BIC finder tool that will let agencies more easily determine what BICs are available to meet small business needs. The tool even lets contracting officers search for set-aside and socioeconomic category set-aside options.

She added OFPP and the category managers have “compiled all details regarding small businesses on BICs, including spend, vendors, types, on-ramping, terms and conditions.”

In fiscal 2017, OFPP says 7 of 10 categories met or exceeded their small business goals.

But what Field and Riggs are missing is details about how they will hold the category managers accountable given shortcomings in the data.

Jack Kelly, a former OFPP analyst, who retired after 36 years in government, reviewed the new strategies and said there needs to be more specific data in each category.

“One of the things each category should have is a small business participation strategy that lays out fundamental things like the number of small businesses available in this part of the supply chain, how much goes to small businesses and how much goes to large businesses currently,” he said. “One of the things that always killed me about the government’s small business policy is we always talked about increasing the share of spending going to small businesses, but what I want to know is, what is the potential spend? We don’t know that. We could be close to the maximum of potential spend so pushing beyond that may not make sense.”

Kelly said when it comes to small business contracting, one-size does not fit all, which is why collecting the data on the current status of the industrial base is so important.

Joe Jordan, a former OFPP administrator for the Obama administration and now an independent consultant, said drilling down in each of the socioeconomic categories would be an important addition to the strategies to help address the potential impact on small firms.

“Where the strategies talk about best-in-class contracts, having on-ramps and holding them frequently is critical,” Jordan said. “You have to give new entrants the ability to access these opportunities and folks who are not delivering BIC results need an exit from these vehicles. It’s very hard to do, but that’s got to be a collaborative focus to make it work. The number of small businesses on a contract vehicle is not where the inefficiencies are as long as there are good ordering mechanisms and you have a good set of terms and conditions.”

Jordan said this is an area where Congress may even be helpful by focusing on metrics to ensure maximum small business participation and whether it’s total dollars or total number of companies participating.

Jordan said OFPP and the category management council need to pay close attention to the continued tension with small businesses. He said he recognized the flash point with strategic sourcing and came around to understand that measuring the percentage of dollars given to small businesses was not as good of a metric as measuring the number of small businesses receiving contracts.

Maybe that’s a lesson OFPP should heed?


New OFPP strategy targets 13 percent reduction of duplicative contracts by 2020


This is part one of a two-part look at OFPP’s version 3 category management strategies. In next week’s Reporter’s Notebook, I’ll look at concerns by the small business community about the current and future impact category management could have on contracting.

The Office of Federal Procurement Policy has been trying to solve contract duplication for almost a decade.

OFPP required agencies to justify new multiple award contracts by submitting business cases. That had limited success.

OFPP tried to create catalogs of existing contracts so agencies could see what was out there first before going down the path of a new contract. That had even less success.

Now OFPP is trying to use category management and its subcategory best-in-class contracts to shrink the number of technology, professional services, transportation and logistics and seven other categories where the number of MACs has grown and grown for decades.

Each category manager developed new strategies for 2018 with goals across four broad areas. Without a doubt, reducing contract duplication and ensuring small businesses aren’t left behind are going to be the hardest to achieve.

The category management strategic plans version 3, which Federal News Radio obtained, details 2018 and 2019 goals for each of the 10 categories, including a 5 percent-to-20 percent reduction in the number of contracts that serve each specific area.

“Each of the categories is focused on increasing spend through best-in-class (BIC) solutions, which is what the category managers can work to influence by working with the agencies,” said Lesley Field, the acting OFPP administrator, in an email to Federal News Radio. “Agencies are held accountable for meeting the targets for BIC and spend under management (SUM).”

Field said among the goals the administration has set for 2020 is “a cumulative reduction of unnecessary duplicative contracts of 13 percent” out of the 425,000 contracts that are under what OFPP calls Tier 0 or unaligned spend that do not align or conform to category management principles.

Source: Category Management Leadership Council Version 3 strategy.

The strategies don’t describe how OFPP will hold agencies accountable for the 13 percent reduction.

For example, under the professional services category the strategy calls for the leaders to “implement professional services supplier relationship management program; Services spend analyses completed for top five professional services spend agencies; and Administrative savings methodology adopted for the Professional Services Schedule.” Each of these areas has quarterly goals ranging from hosting supplier relationship management community of interest meetings or developing a forecast opportunities strategy, but there aren’t any specific assignments to people or agencies, or OFPP oversight details.

Jack Kelly, a former OFPP policy analyst, who spent 36 years in government, said in an interview that the issue the administration needs to solve is that no one wants to give up control of their contract, or their spend in a particular category.

“I think contract duplication needs to be more of a focus than it is in the 3.0 plan,” Kelly said after reviewing the strategies.

Joe Jordan, a former OFPP administrator during the Obama administration and now an independent consultant, said addressing contract duplication is a critical success criterion for category management.

“It’s extremely hard, but what needs to happen is for OFPP, GSA and others to look at the economics of contract providers. If they charge a fee on everything that goes through the contract, does that make sense? Are the economics right?” Jordan said. “At the end of the day, the two biggest challenges to reducing contract duplication are understanding the economics involved, particularly around the agencies receiving fees, and the human desire to have control. Too often acquisition professionals say, ‘Sure, some other agency can do most of what I want, but I like my agency, my buyers and our mission is different.’”

OFPP has had some positive results in which it worked with agencies to reduce duplicative contracts, such as for satellite communications where the Defense Information Systems Agency and the General Services Administration partnered on the Future Commercial Satellite Communications (COMSATCOM) Services Acquisition in 2012.

Additionally, Bloomberg Government reported in 2017 that the number of multiple award contracts dropped by 239 over the last five years, while spending continues to increase to over $111 billion a year.

But as category managers saw in 2017 when only two of 10 categories came close to or accomplished their contract duplication goals, there are more examples of contract duplication than not.

These strategies mark a return of sorts for category management. Over the first 15 months of the Trump administration, there has been little public attention to category management — no new policies, the draft circular from October 2017 seems to have fallen by the wayside and only some basic references by Field or other OFPP executives at conferences.

OFPP floated a draft category management policy last fall, but it seems to be stuck in place.

But with the approval of the strategic plans and the release of the President’s Management Agenda, the administration finally is putting its support behind the initiative, despite still no permanent OFPP administrator and no one coming in the next six months either — the time it takes for someone to be nominated and go through the Senate confirmation process.

Overall, the goals for category management are straightforward and lofty.

“The strategy of category management is focused on reducing costs and increased use of best-in-class solutions, as well as reducing duplication, improving communications through vendor management, sharing transactional data to inform better procurement and maximizing small business participation,” said Stacy Riggs, the acting director for Category Management governmentwide program management office, in an email to Federal News Radio.

Field said the administration expects to reach $18 billion in cumulative cost avoidance, over a baseline of $5.8 billion in 2016, bring 60 percent of common spend under management, an increase over the baseline of 44 percent, and increase the total addressable spend through best-in-class contracts to 40 percent from a baseline of 10 percent in 2016.

“OMB and the Category Management Leadership Council (CMLC) developed a spend under management tiered maturity model to help agencies evaluate their progress in aligning common spend activities with category management principles,” Field said. “The model is designed to be a living management tool that can be refined by OMB, in consultation with the CMLC, based on experience and best practice.”

Kelly said the strategies and goals, generally speaking, seem to hit all the right notes, but OFPP needs to put a finer point on the spend under management data.

“It’s hard to tell how much is really spent under management. If the goal is to reduce unmanaged spend and increase the use of best-in-class contracts, but there isn’t anything that talks about what percentage or how much isn’t managed,” he said. “When you run those numbers, for example under facilities and construction less than 0.01 percent is not managed, but that’s still a lot of dollars, but low percentage. There are definitional challenges and I’m not sure how it will be handled. For instance, how do you count blanket purchase agreements (BPAs) versus indefinite delivery, indefinite quantity (IDIQ) contracts? IDIQs are a license to buy, but the actual contracts are against BPAs.”

At the same time, Kelly said the savings numbers also are concerning because too often the data isn’t accurate enough to show the difference in costs.

Jordan added that he too has some concerns about the savings numbers. But instead of worrying about having the right data or all the data, agencies should move forward with what they know and figure out how best to reduce costs without focusing on specific percentages.

“I’m not sure this is the best place to spend their energy on precise percentages,” he said. “This is why I retain hope that category management will make a difference by presenting clear data about what’s going on. If you can show how much people are paying through various vehicles, you can create the natural ‘shark tank’ effect and make dispassionate arguments that this vehicle is providing equal but lower prices. Right now, there isn’t enough objective data, but I think given how much focus OFPP, GSA and the BIC managers have put in collecting good and more robust data within these categories, I retain hope that this will be one of several positive outcomes.”



Agencies faced 14 percent more cyber incidents last year, but security is improving

Sen. Heidi Heitkamp (D-N.D.) wants the Homeland Security Department to be a center of excellence (CoE) for cybersecurity for the entire country.

She told Chris Krebs, during his confirmation hearing to be the Under Secretary of Homeland Security last week, that DHS should be the lead on all things cyber that impact the nation’s defense and national security. If confirmed, Krebs will be the head of the National Protection and Programs Directorate.

“We need a broader, governmentwide, nationwide plan for what we will do in cyber so we are not stepping on each other, so we are not taking missteps that are incredibly costly, and we can’t ignore the small stuff. The resiliency of the foundation, which I will tell you, is fairly porous,” Heitkamp said during the Senate Homeland Security and Governmental Affairs Committee hearing. “We expect you to throw some sharp elbows. There’s been a lot of turf on this and there can’t be. We need a center of excellence and that’s your job in my opinion, to create a center of excellence to be that entity that evaluates products out there that can be, in fact, protective and shield to develop products to better educate the public on how to protect themselves.”

What Heitkamp is asking Krebs to do is take a similar approach to what DHS has taken with federal networks over the last decade.

DHS, for all intents and purposes, has become that CoE for civilian agency cybersecurity, and the latest report on the Federal Information Security Management Act (FISMA) to Congress demonstrates that in many regards.

Let’s be clear early on, DHS is not perfect. It still has plenty of shortcomings and challenges it must face, but the services and help it provides — think of the continuous diagnostics and mitigation program or the EINSTEIN tools — to civilian agencies are undeniably more valuable every year.

The 2017 FISMA report to Congress, which the Office of Management and Budget released in March, highlights several of these areas where agencies are improving their cybersecurity.

“OMB and DHS’s long-running efforts to instill disciplined cyber practices across government helped safeguard agency IT systems in 2017,” the report states. “As a clear example, DHS’s efforts ensured that Federal agencies had already patched their systems to protect against the vulnerability that led to the WannaCry, Petya, and NotPetya ransomware before those attacks swept across the globe. Agencies also expanded their use of continuous monitoring tools and of multi-factor authentication Personal Identity Verification (PIV) cards throughout the year.”

An OMB senior adviser, who requested anonymity, said DHS and agencies now have greater situational awareness about the threats, vulnerabilities and posture of their systems than ever before.

“We focused on the attack vector. Do agencies know where these incidents originate and where the attacks are coming from?” the official said. “With CDM, EINSTEIN and other tools, agencies have an improved understanding of where the [risks] are, and how to mitigate them.”

And having better situational awareness is only getting more important as the number of incidents continues to increase.

OMB said agencies reported 35,277 incidents in 2017, a 14 percent increase over 2016 (30,899), and only five reached the threshold of being “major incidents,” which requires immediate reporting and steps.

The OMB official said this is the first year in which OMB and DHS are looking at standard data from agencies. In 2014, OMB and DHS created a standard approach to reporting cyber incidents.

The official said the data shows agencies and DHS are getting the right information, and are able to identify trends across the government.

“There is a delta in incident reporting from 2015 where there were 25,000 more incidents. We weren’t using the information in a meaningful way, so we wanted to verify the incidents to root out false positives,” the official said. “Now the data shows you trends, like email is one of top attack vectors, so we can decide what security controls we can put in place, which is where the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol binding operational directive came from.”

In October, DHS issued a BOD requiring agencies to implement DMARC to improve the security of emails coming into agency networks.

OMB reported that the number of attacks via email or phishing more than doubled in 2017.


“There is greater awareness at the CIO level, even among small or federated agencies, because CIOs are seeing all the information, the inspectors general are seeing the same information so there is much greater accountability for results,” the OMB senior adviser said. “We are driving accountability throughout the budget and saying those who haven’t performed shouldn’t necessarily get more money, and let’s drive reforms and deal with risks. We have a mechanism for better fidelity and training information where to take action to deal with cyber shortcoming.”

In regards to driving accountability, the OMB adviser said while spending on cybersecurity increased by 14 percent in 2017 over 2016, agencies and the administration have a better idea of why spending needed to go up.

“We are not throwing good money after bad,” the OMB official said. “If you look at the metrics, the cross-agency goals, you can see we are not throwing money at agencies that need it the most. We’ve tied FISMA implementation to the budget. If an agency is underperforming in specific areas, we want to know where do we need to invest to mitigate a threat or add a capability? We also want to augment those programs that are leading the charge like CDM, so we can raise the bar for everyone.”

While the FISMA report shows a lot of progress, agencies continue to struggle in some basic areas. For instance, the governmentwide maturity around cybersecurity continues to struggle, particularly around detecting threats and vulnerabilities.

Agency IGs report hardware and software asset management continues to lag behind OMB goals.

The report also leaves some to question the long-term value of EINSTEIN in terms of return on investment.

DHS has spent more than $820 million on EINSTEIN over the last few years and it only detected 2,200 incidents across all three versions of the program, and E3A blocked just over 600 incidents.

“As of Sept. 29, 2017, DHS reports that, of 119 federal civilian agencies, 31 report implementing all three NCPS [EINSTEIN] capabilities, 17 of which are CFO Act agencies,” the FISMA report states.

The OMB adviser said the report shows that agencies, DHS and OMB are communicating better, which is leading to a better cyber posture governmentwide.

“The report shows people are understanding threats in a way that has context around it, and we are putting resources where they are needed the most,” the official said. “We also have shifted focus to capabilities to drive the threat down and move out of the compliance mode. All you have to do is look at the responses, agencies care about this on a daily basis, not because of a cyber executive order, but because we gave them meaningful reasons, increased engagement and are sharing the risk through a reasonable approach that holds them accountable.”



OPIC, Mint to hire new CIOs while Navy, CBP fill out key IT roles

One of the biggest surprises in the last few months in the federal chief information officer community had to have been the Department of Navy’s decision to basically get rid of its standalone CIO.

The DoN revealed in March it was restructuring the CIO’s role and merging it into a dual-hatted role with the undersecretary of the Navy and chief management officer, in this case Thomas Modly.

The decision seems to deemphasize the notion that the two sea services should operate under one set of IT policies, but also reflects the realities of the different directions the Navy and Marine Corps have taken. The split was noticeable after a 2013 restructuring of what had previously been a single contract for a fully-outsourced Navy-Marine Corps Intranet (NMCI).

A month after this dramatic change, we are receiving a few more details on what this new CIO setup will look like.

Dr. Kelly Fletcher, the acting DoN CIO, wrote a memo April 16 outlining her new role as well as how the new combined organization will work.

Fletcher announced she will be one of four senior executives leading specific efforts. In her case, Fletcher will be in charge of the CMO’s business system rationalization and modernization team.

“The CMO office will be led by four senior executives focusing on business system rationalization and modernization, development of a data strategy, improvement of audit outcomes, and reform initiatives,” Fletcher wrote. “The direct reporting of both the CIO and CMO offices to the under secretary reflects the Department of the Navy’s focus on leveraging information technology to drive rapid business process improvements.”

Fletcher didn’t say who would be the other three SESers leading the other offices.

“Many of the talented and dedicated people currently in the office of the DON CIO will follow their transferred functions to new positions in these organizations,” she wrote.

Fletcher has been acting CIO since August when Rob Foster, the last permanent DoN CIO, left to be the deputy CIO of the National Credit Union Administration.

Details of the Navy’s reorganization highlighted a busy week in the CIO community.

In addition to Fletcher announcing her new role, Sonny Bhagowalia, the former Treasury Department CIO who was unceremoniously moved out of his position in July after more than three years, revealed his new position as deputy assistant commissioner at the Homeland Security Department’s Customs and Border Protection directorate.

As CBP’s deputy CIO, Bhagowalia, who had been a senior adviser at the Bureau of Fiscal Service, wrote on his LinkedIn bio that he will be overseeing two broad areas: information and data, which includes everything from application programs to security to data management, as well as technology and systems, which includes infrastructure programs, cybersecurity, technology training and network management.

Two other agencies also are looking for CIOs.

The Overseas Private Investment Corporation (OPIC) released an announcement on USAJobs.gov looking for a new CIO. Applications are due April 30.

Bob DeLuca left OPIC in early March after spending two years in the role.

DeLuca joined the General Services Administration in March to implement the day-to-day operations of the Centers of Excellence initiatives.

Similar to OPIC, the U.S. Mint also put out a hiring announcement for a new CIO.

Lauren Buschor had been CIO since January 2014 before leaving in July, according to a Mint spokeswoman.

Buschor now is the CIO at the Bureau of Fiscal Service.

Another interesting job announcement came up on USAJobs.gov from the Defense Information Systems Agency.

DISA is looking to hire a new SES position, the National Background Investigations System executive.

DISA says the person will be “responsible for establishing goals, priorities and measures of effectiveness to ensure that DISA and OPM driven information technology policy and objectives are achieved with regard to the security, standardization, implementation, and sustainment of the National Background Investigations Bureau (NBIB). Additionally, he/she will work closely with OPM in order to provide executive lifecycle management of its enterprise capabilities to support their transformation to net-centricity through adoption and fielding of a more up to date program and an enterprise-focused IT services and capabilities; directs planning for the implementation, operation, and sustainment, of the OPM NBIB information technology infrastructure and services.”

Applications are due April 30.

What’s interesting about this position is the rumor about whether the White House will move almost all of the security clearance processing to the Defense Security Service.

If the administration goes through with this plan, which some say is no longer a realistic option, would DISA continue to run the technology or would DSS take over all aspects of the modernization effort?

Add to that the House Armed Services Committee’s plan to merge, integrate or even get rid of DISA, and the entire future of the position and effort will be something to watch.

With these people on the move, we can’t overlook two long-time federal employees who quietly left.

DISA’s Jessie Showers, the director of the infrastructure directorate, left after 10 years with the agency in March.

As one of Showers’ last accomplishments, DISA announced last week that the Defense Information Systems Network (DISN) optical transport system now operates at 100 gigabytes per second up from 10 GB. DISA says the next generation optical transport network upgrade project “supports combatant commands with improved infrastructure resiliency, service delivery node resiliency, encryption and transitions critical legacy components to an internet protocol-based Ethernet infrastructure.”

It’s unclear what Showers is doing next in his career.

Randall Conway, the Defense Department’s deputy CIO for information enterprise, retired after 26 years as a uniformed officer and another seven as a civilian employee.

Conway, who left in March, worked on DoD’s implementation of the Joint Information Environment (JIE) and helped lead the move to the cloud.

Conway says on his LinkedIn page that he is an independent consultant, living in Florida.



9 projects, 7 agencies and 4 finalists for extra IT modernization funding


The Technology Modernization Fund Board has $100 million in the bank, and so far, it’s not burning a hole in its collective pockets.

Four out of nine projects will move to the second phase of the proposal process, the Office of Management and Budget said Sunday.

“These agency proposals were selected because of the alignment to criteria, impact, strength of business case, and probability of success. Selected projects teams have been invited to present their proposal for further funding consideration,” said an OMB spokesman in an email. “The large volume of proposals has signified a high interest for technology modernization across government and agencies are strongly encouraged to continue submitting their projects.”

Federal Chief Information Officer Suzette Kent made the announcement of the board moving forward with the four proposals on the Government Matters show on Sunday.

Federal News Radio has learned that seven agencies submitted those nine proposals. Sources say the departments of Agriculture, Commerce, Energy, Housing and Urban Development, State and Veterans Affairs as well as the U.S. Army Corps of Engineers are vying for the first allocation of the $100 million.

Sources say the reason only four proposals made it to the second round was many were missing key components of the requirements OMB laid out in the Modernizing Government Technology (MGT) Act memo in February.

Sources couldn’t confirm which agency proposals were among the four finalists.

An OMB spokesman would not confirm any of the agencies that submitted proposals for funding.

It was a busy week for the TMF.

First, the General Services Administration announced Elizabeth Cain will be the executive director for the Technology Modernization Fund.

Cain comes to the role after serving as a financial management analyst in GSA’s Office of the Chief Financial Officer. She has worked at GSA since 2009.

In her new role, Cain will help coordinate the technical reviews of agency proposals as well as their fiscal and business reviews to make sure the projects can provide the required return on investment and repay the fund so it can continue the cycle of reinvesting.

Later in the week, both OMB Director Mick Mulvaney and GSA Administrator Emily Murphy testified before congressional committees on separate occasions and told lawmakers about their optimism for the extra money.

“Thank you for the Technology Modernization Fund. You all put a bunch of money in there, and we really appreciate that,” Mulvaney told the House Appropriations Subcommittee on Financial Services and General Government on April 18. “This is, I think, a very innovative program where we have a group of folks from all over the executive branch who get together, and essentially we have a competitive process with programs that we think might actually work, and we’ll spend money on those to try and update our IT. I encourage you folks to continue your oversight of that. We’d be happy to share information with you. We think it’s one of the most innovative programs that we have come up with together, the administration and the Congress, and we look forward to keeping you all abreast of the progress there.”

Earlier in the week, Murphy told the same committee that the TMF funding for this year and next — a total of $310 million — would get the government started down the right path.

“The board is meeting once a week now and is reviewing all of the plans that agencies have submitted for ways that they can address technology modernization requirements. Specifically, they’re looking at technology that can be leveraged across agencies so it’s not just a one-time fix, it’s something that we get long-term return out of,” Murphy said. “We’re looking for identify. It’s not a new issue. It’s got to be an identifiable issue that we can really address and we are working very hard with them to establish that criteria.”

Murphy said these initial projects under the TMF would be “proof of concepts” to show how this process would work. This is the same line of thinking the Trump administration offered as part of its fiscal 2018 budget request when it asked for $228 million for the central fund.

“It’s a revolving fund. It allows us to go and make targeted investments. We get the return on those dollars, reinvest them into the next set of projects and how this is a continual improvement process,” Murphy said. “It also should highlight areas where we can get, you know, demonstrable savings and then agencies can themselves come back and ask for additional appropriations as necessary.”

The OMB spokesman said just because this initial group of four is going to the second round, the opportunity for agencies to request extra IT modernization funding is just starting.

“There is still time for agencies to submit proposals and are strongly encouraged to do so,” the spokesman said.

Neither OMB nor GSA discussed the timing for the TMF Board to make final funding decisions for these four projects.

But given the priority around modernization and goal to start proving to lawmakers the value of the central fund, the sooner OMB can get the money out the door the better for everyone involved.



After 120 days, GSA administrator shuffles SES

The calendar marking Emily Murphy’s time as the administrator of the General Services Administration read 120 days, and she wasted little time in putting her mark on the agency.

Murphy moved around, named or made permanent 18 senior executives across the agency. Murphy was sworn in as GSA administrator on Dec. 12.

Among the most significant changes are Jessica Salmoiraghi becoming the new associate administrator for the Office of Governmentwide Policy (OGP), Joanne Collins-Smee losing her “acting” title to become the permanent deputy commissioner of the Federal Acquisition Service and director of the Technology Transformation Services (TTS), and two well-known federal executives heading out to the regions: Tony Costa moves to be regional commissioner for the Public Building Service in the Northeast and Caribbean Region, and Giancarlo Brizzi will move to Texas where he will be regional commissioner of PBS in the Greater Southwest Region.

Costa previously served as a senior adviser to the administrator as well as acting deputy administrator and chief human capital officer at GSA. Brizzi previously served as principal deputy associate administrator for OGP and currently is the acting chief of staff for GSA.

Salmoiraghi comes to GSA after serving as the director of federal agencies and international programs at the American Council of Engineering Companies. In that role, she focused on federal and international procurement issues that affected engineering firms. She also was the director of federal relations and counsel at the American Institute of Architects where she led the Institute’s advocacy and outreach efforts before the executive and legislative branches.

Here is a full list of all the SES changes at GSA.

Murphy, like most new political appointees, by law has to wait to reassign or move Senior Executive Service (SES) members into new positions. Part of the reason for the four-month time period is to let new leaders get to know the people and mission of their new agency. Even someone like Murphy who was well-steeped in GSA, having worked there in the mid-2000s and having overseen some aspects of the agency during her time on Capitol Hill, still needs to get to know career SESers and understand their strengths and weaknesses.

So it got me thinking about what really goes into an executive’s decision to move people around.

Seth Harris, a former Labor Department deputy secretary, had a similar experience as Murphy. When he joined Labor as part of the Obama administration, it was his second tour with the department.

Harris, who now runs his own law firm, Seth D. Harris law and policy, and is a visiting professor at Cornell Institute for Public Affairs, said as soon as new political appointees arrive, career and political executives are whispering in your ear.

In February, GSA Administrator Emily Murphy (right) sat down with Federal News Radio’s Jason Miller to discuss her priorities. (Photo courtesy GSA)

“The task is to sort through what is politics, what is interpersonal strife and what are real leadership challenges,” Harris said in an interview. “That is why 120-day rule is a very important rule. As someone whose hands were tied by that rule, you really need to learn before you make any decision about what should and shouldn’t happen with SESers. It’s not just a cooling off period, but a moving up the learning curve period.”

I didn’t ask Harris to comment specifically on GSA’s moves as he isn’t familiar with the agency or the people. But from his experience, any new political appointees at any agency must follow a similar path toward the 120-day mark. He said they must research, listen and learn in those first four months.

“Sometimes you are moving people because they may not be good at their job or them being in that job suppresses more junior people from moving up, but too often it’s perceived by people in the SES as punishment,” he said. “There is a grade compression problem in the government when people get to GS-13, and you have to move into a supervisory role in most places to put you on a path toward SES status, but not everyone should be a supervisor or a manager or an executive. I’ve encountered people who were not suited for the SES. And because those slots are so valuable, and the career SES are so critical to the management of government, if you have someone who is not well suited for management, it’s a lost resource.”

Some decisions to move executives are straightforward. Harris said he got a call during his 120-day period from a manager who said his office couldn’t account for $11 million.

“Whoever was in charge wasn’t doing a good job,” he said. “You don’t often see things like that. We got rid of the top career leader in that organization and the person doing the financial management was moved out.”

Most of the time, Harris said, it takes personal engagement with each of the leaders.

“There is a very interesting interpersonal dynamic that goes on between the political leadership and those they are surrounded by, the career leaders. It becomes a work family in many ways. It’s not necessarily a well-functioning family sometimes,” he said. “So dislodging someone from that work family can be very challenging. It forces leaders to make hard choices and the only way you can do that is based on having very clearly defined individual performance plans tied to agency performance plans. You also have to look at whether one’s personality doesn’t work in the role they are in or at all. And third, are there ethical or legal challenges that you need to consider. The third thing is the easiest because then you can take a straightforward personnel action. But with all three of these, partisan politics should never play a role in these decisions.”

Harris said the decision to move executives around may be the easier part of the post-120 period. All the political leaders, like Murphy, must deal with the change management piece of dislodging the work family.

“It is extremely challenging to deal with the change management piece. It matters who you pick to move up, and if it looks like you picked a flunky or kiss up, it will go badly. If you picked someone who is well qualified and respected in the organization, and whose mere selection signals success matters then it’s that person and their boss’ job to communicate through the organization where the agency is going and why,” he said. “What front line supervisors and other senior career leaders are saying matters a lot more than what the secretary or deputy secretary are saying.”

Good advice for Murphy, and every new political appointee because there is only one way to get the administration’s priorities successfully completed — getting the career staff to lead them.



Threats to federal IT supply chain growing bigger, more serious

The nervousness over the security of the technology agencies are buying may have hit the necessary crescendo needed to change behaviors. The U.S. China Commission issued its final report on supply chain risks to federal IT last Thursday and the findings show the threat from China and other countries is not only real, but agencies already are in trouble.

“China did not emerge as a key node on the global [information and communications technology] ICT supply chain by chance. The Chinese government considers the ICT sector a ‘strategic sector’ in which it has invested significant state capital and influence on behalf of state-owned ICT enterprises,” the report states. “New policies requiring companies to surrender source code, store data on servers based in China, invest in Chinese companies, and allow the Chinese government to conduct security audits on their products open federal ICT providers — and the federal ICT networks they supply — to Chinese cyberespionage efforts and intellectual property theft. China also continues to target U.S. government contractors and other private sector entities as part of its efforts to gain economic advantage and pursue other state goals.”

The report, done by Interos Solutions, details six recommendations ranging from linking federal regulations to appropriations as an encouragement for agencies to secure their supply chains to adopting an adaptive risk management process.

“We also cannot separate the responsibility between both the federal government in how they acquire but also the share risk responsibility with industry, as this is an industry and business problem to solve,” said Jennifer Bisceglie, CEO of Interos Solutions. “Given where manufacturing of technology equipment occurs, we will have to work with countries as suppliers, even though in other situations they are not seen as ‘our friend.’ How do we mitigate concerns in our technology in the same way we negotiate risk in other business dealings? How do we understand what we’re willing to accept and how do we negotiate from there? It’s the same in how we deal with a global supplier base. We need to understand what risks we’re willing to accept and then work through shared risk acceptance and mitigations with our suppliers.”

The report found the lack of transparency among vendors and their supply chain partners and the link back to China was particularly disconcerting.

“The Chinese government has expended significant political and economic capital in its effort to expand and indigenize its ICT production capabilities,” the report states. “If U.S. multinationals fail to adhere to Chinese government regulations, they may face restricted market access in China, which could decrease their revenues and global competitiveness. But if U.S. companies — which are the primary providers of ICT to the U.S. federal government — surrender source code, proprietary business information, and security information to the Chinese government, they open themselves and federal ICT networks to Chinese cyberespionage efforts. This threat is not theoretical. Chinese government pressure on companies to submit source code for review may occur in support of, or in tandem with, other efforts to identify vulnerabilities in U.S. ICT products. The China Information Technology Evaluation Center (CNITSEC), which conducts the security reviews of foreign companies, is run by China’s Ministry of State Security. But Recorded Future, a U.S.-Swedish internet technology company focusing on cyber intelligence, has linked CNITSEC to APT3, a China-based cyberespionage unit that has hacked federal agencies and companies in the United States and Hong Kong.”

Dr. Larry Wortzel, a commissioner with the U.S. China Commission, said in an email to Federal News Radio, the report provided no real surprises, but did drive home some key current and future challenges.

“In my opinion, the big takeaway from the report is that ‘any information and communication technology component’s physical structure pales in importance compared with the firmware and software operating within in it,’” he said. “We have known that hardware was vulnerable, but the report highlights that ‘future risks will involve software, cloud-based infrastructures, and hyper-converged products rather than hardware.’ Furthermore, ‘a vendor’s, or manufacturer’s business alliances, investment sources, and joint research and development (R&D) efforts are also sources of risk.’”

Charles Thomas, the market planning director in the Anti-Bribery and Corruption Business Services division for LexisNexis Risk Solutions, said the underlying message of the report is clear for federal agencies, or really any organization: Know who you are doing business with.

He said the nature of the threat from a supplier that is owned by the Chinese or any other government shouldn’t be surprising to agencies.

Thomas said the report could’ve done a better job of highlighting the need to connect companies that are accused of breaking the law.

“In acquiring the goods, procurement shops and others should also look at the due diligence for entities around things like the foreign corrupt practices or human trafficking,” Thomas said. “It’s interesting there was no mention of those kinds of things. Due diligence was mentioned by supply chain, but one of things we are seeing is molding or convergence of multiple risk and compliance regimes, and companies have to do more with fewer resources. Why not come up with a strategy that covers multiple bases?”

Thomas added corporate reputational elements also should play a role in deciding who to do business with.

“Looking at the supply chain will give you a good idea [about the company] but you may miss something that would lead you to ask more questions,” he said. “You do not have to do a deep dive of investigative due diligence, but if you just cast a wide net to see what other outliers of risk exist beyond the traditional supply chain risks [you will get a more complete picture].”

The commission’s report adds to the growing oversight by congressional committees, to the new initiatives by the Homeland Security Department and to the pressure on contractors.

While all of these initiatives are helping to open the eyes of technology, acquisition and program leaders in agencies as well as executives at contractors, Bisceglie said it’s not enough.

“Right now, the U.S. has no clear understanding of what risks we’re willing to accept and how to articulate that with our industry partners in a way that allows industry to work normally, remembering that industry has just as much risk as the federal government does in the protection of their people, business continuity and intellectual property,” she said.

Wortzel said the commission will consider adding these recommendations to its final 2018 report to Congress, which the commission will issue in November.

“In my view, strengthening federal regulations in this area is a critical part of improving the U.S. government’s management of its supply chains. With respect to the executive branch, we continue to look at supply chain vulnerabilities within federal agencies, keeping in mind that we report to Congress,” he said.



2 days of DoD cloud chatter leaves us all continuing to guess


The Defense Department is leaving almost every technology vendor on edge for another few days. It posted a message on the FedBizOpps.gov website saying it would post version 2 of the Joint Enterprise Defense Infrastructure (JEDI) cloud contract sometime this week.

Part of the reason for the delay is DoD received 1,089 comments from 46 vendors, two associations, and three government agencies in response to the first draft solicitation.

While DoD said it wouldn’t be sharing any details of the comments or commenters, it didn’t stop a full court press from Capitol Hill and vendors to influence and change the Pentagon’s plans for a single source award for cloud services that many estimate could be worth as much as $10 billion over 10 years.

Contractors and former Defense officials have been ringing the alarm bells over what many see as an internal preference for the military to move to Amazon Web Services.

These concerns made Thursday and Friday of last week even more interesting when there was a series of non-response responses from Defense leaders, former Defense officials, lawmakers and even Amazon’s head of its global public sector.

Thursday, April 12, 10 a.m.

During a House Armed Services Committee hearing, Rep. Jacky Rosen (D-Nev.) asked Defense Secretary James Mattis about DoD’s plans for the cloud contract.

Rosen: What are the cloud’s implications if we do public and private partnerships, as we — if we move to the cloud, who’s going to own some of that proprietary information? What if some of those private businesses go out of business?

Mattis: The movement to the cloud, congresswoman, is to enhance the availability of the information among us right now. We have to also quickly advance our security. We have over 400 different basic data centers that we have to protect, and we have watched very closely what CIA got in terms of security and service from their movement to the cloud.

It is a fair and open competition for anyone who wants to come in. It’s only two years. If you’ve read something about 10 years in the press, that’s not the case at all.

So it will be a full and open competition. Not sole sourced, by the way, to make certain we don’t fall into just one and I’m very confident that we can get it to your horizon on anyone bidding ought to know with certainty, they will not be folding.

So Mattis reaffirmed to lawmakers that the JEDI procurement will be fair and it’s only for two years. Now that may be a two-year base with several option years, but no matter, Mattis, I’m sure, is hearing the concerns from Congress and industry alike.

April 12, 12 p.m.

The Hudson Institute hosted a panel discussion with two former Defense officials — John Stenbit, who served as the assistant secretary of Defense for command, control, communications and intelligence during the George W. Bush administration, and Stephen Bryen, who served as the director of the Defense Technology Security Administration from 1981 to 1988.

Both Stenbit and Bryen as well as William Schneider, a senior fellow at Hudson and a former staff member in the House and Senate and State Department executive, expressed deep concerns about DoD’s acquisition strategy.

“The DoD has laid down its own standards or guidelines, if you want to call them that, on what it expects the security of the system it will procure should look like,” Bryen said. “Basically, what they’ve done, for the most part, is two things: one, of course, is to make sure the employees who are working in the cloud environment that they proposed are cleared American employees. That, by the way, creates a significant problem in being able to find enough cleared American employees to do the job. I’m not sure they are so readily available so that is definitely a challenge that is out there. The second is to take some of the procedures that are used to procure DoD’s existing computers, servers and equipment and apply that to the cloud. I’m wondering if DoD has such confidence in these standards. There is not a new standard for the cloud. They are just taking what they have in the Security Technical Implementation Guidelines (STIG). Basically, there are about 400 of these and they are massive checklists that you go through and make sure you are in compliance.”

Bryen said it’s unclear how the STIGs would apply to the cloud, and that’s a serious problem because fixing the cyber vulnerabilities can require taking a system offline.

Additionally, Bryen questioned DoD’s approach because it’s not clear what or who the backup is if Amazon’s services go down.

“My guess is the backup is actually the existing system, and what they really are trying to do is keep two systems going — a cloud system over here, and the old system here. We already know the old system has a set of problems. We don’t know all the set of problems with new cloud system,” he said. “If you can do denial of service attacks on a cloud, which is one risk, and shut it down, you could shut down DoD if it was only on one [provider.]”

Bryen said keeping the old system online as the backup also would require having skilled and cleared employees run those systems, which adds to the first challenge.

“I think this whole thing is really in need of a lot more study, a lot more investigation and particularly on the security side, which I think what we have is a simplistic approach to security right now that says we can put the old standards to the new system, it will work and everything will be fine. I think that is wishful thinking,” he said. “It seems to me that a much more ambitious effort should be made. I think cloud computing makes sense, but I think it has to be secure computing.”

Stenbit added that he would suggest to DoD that the Defense Science Board, which includes 45 private sector and academic experts that give the Pentagon advice and recommendations.

DoD also created a Defense Innovation Board, which includes private sector experts such as Dr. Neil deGrasse Tyson, Eric Schmidt of Google and Marne Levine of Instagram.

What’s even more interesting about the Hudson Institute event is it was sponsored by Oracle. Industry sources say Oracle is aggressively lobbying against DoD’s single source strategy. The software giant may also be driving a wedge across industry as all the large cloud and technology players are paying close attention to JEDI.

Bloomberg reported on April 13 that Oracle “is holding regular calls with tech allies, courting trade and mainstream media and lobbying lawmakers, defense officials and the White House.”

Of course, this wouldn’t be the first time Oracle played the role of aggressor. When the Trump administration released its draft IT modernization strategy in September, Oracle submitted comments that trashed Obama administration efforts to move off of legacy IT.

Friday, April 13

Less than 24 hours later, Teresa Carlson, vice president of worldwide public sector for Amazon Web Services, stood before a packed room in McLean, Virginia, during a Northern Virginia Technology Council (NVTC) breakfast and said nothing about JEDI or the ongoing e-commerce portal effort at the General Services Administration.

But if you read between the lines, Carlson’s points certainly were there to send a message.

“We have a leadership principle called customer obsession. It’s the one thing we think about all the time. It’s the way that listening to our customer has allowed us to move fast in this [public sector] community. We listen and then innovate on behalf of the customer. We don’t go in with preconceived ideas and we are pretty flexible on the way we are actually dealing with them,” Carlson said. “The one thing I’ve told my team from day one is that we are not going to settle to do things lesser than we should be because we are disruptive and we are changing the way our customers are thinking and taking advantage of technology.”

Carlson, then, went right after the government’s current approach to technology, acquisition and innovation, and maybe even all of those contractors who are pushing back against DoD’s approach.

“When you are creating new technologies — and a lot of people in this room are doing these kinds of things — you can’t settle for old and outdated policy or acquisition legislation. You can’t settle for security controls and modules that don’t meet the needs of our nation anymore,” she said. “It’s important we take a stand and we are proactive in how we are doing that. So we listen, we’ve innovated and we’ve brought those tools available to our customers.”

Later on in the speech, Carlson took another shot at the status quo companies.

She said AWS has dropped its prices more than 65 times since 2006, and increased the number of capabilities provided through the cloud.

“In 2012, we released 160 significant services and features. Fast forward to today, in 2017, we’ve launched over 1,400 new services. Why is that important? That’s important because it shows you with cloud computing how fast you can move, and how our partners and customers can take advantage of that. You don’t have to sacrifice innovation for speed or security. You can have all of those,” Carlson said.

It’s easy to see how all of these facts and figures are direct messages to lawmakers and DoD officials about why Amazon is the right choice.

So what does all this mean for JEDI?

Several industry experts have told me they believe JEDI will never get off the ground in its current incarnation. If DoD goes down the path of a single award, the congressional inquiries and the bid protests will keep this initiative tied up in knots for the next 12-18 months.

The second draft of the RFP, expected this week, will show whether the pressure from vendors and lawmakers is getting through, or if the Amazon supporters remain in control.


70,000 contractors must get notarized letters in next 60 days to continue working for government

Up to 70,000 federal contractors are heading to their local notary to get that special stamp on a letter that’s destined for the General Services Administration to authenticate the vital details of their business, including who is the authorized “entity administrator associated with the DUNS number.”

These are the first details of the impact on vendors emerging from the latest case of fraud to affect GSA’s System for Award Management (SAM).

A GSA spokeswoman confirmed the agency already received 7,500 notarized letters.

“GSA is making internal business process improvements based on our analysis of the first set of letters received,” the spokeswoman said in an email to Federal News Radio. “We are continuously updating the instructions on SAM.gov to make it easier for entities to be in compliance. Additionally, we have posted templates on SAM.gov for entities to use when submitting their notarized letters.”

GSA is requiring notarized letters from several thousand contractors immediately, and then from any vendor whose existing registration on SAM.gov needs to be updated after April 27.

This all stems from a third incident in the last five years in which a third party either stole or changed contractor data. GSA alerted vendors on March 22 after it found a third party changed the financial information of “a limited number” of contractors registered on the governmentwide SAM.gov portal.

GSA issued initial details of the fraud at that time and then updated the frequently asked questions on April 4.

An internal presentation from April 12, which Federal News Radio obtained, sheds even more light on the impact of the SAM.gov fraud incident.

GSA officials said more than 33,000 contractors needed to confirm a change in their bank account information in the past year. Now this is not to say all 33,000 vendors were potential victims of fraud, but it’s not a stretch that many of them were swept up in this incident as we all know how difficult it is to change bank accounts. I’m not sure anyone would voluntarily change banks.

The GSA spokeswoman wouldn’t confirm how many vendors were victims of this latest fraud, citing an active law enforcement investigation.

It seems vendors are struggling with GSA’s notarization process. Of the 7,500 notarized letters received, GSA processed more than 3,300 and rejected almost 56 percent of them (1,910) for one reason or another.

GSA said it added staff to its Federal Service Desk to support the response and continues to evaluate the overall impact of this fraud incident, including call volume and wait times.

The presentation shows GSA plans to take several other steps to further improve the process. GSA said it modified its process for international entities and partially masked sensitive data elements on SAM.gov.

By the end of June, GSA plans to end the requirement for a notarized letter “by implementing a data-driven, risk-based approach” by combining technical and analytic processes “to reduce risk and focus any additional burden only on those entities with the highest risk profile.”

The goal, GSA said, is to “provide confidence” in that approach so it would deter known fraud paths.

Finally, GSA said by April 30 it would present details to improve the governance of SAM.gov to the joint governance board.

Beyond the impact on contractors and GSA, the SAM.gov modernization effort also now will be delayed.

The presentation said “the combined fraud response will have cost/schedule impacts on modernization,” and GSA will know about the extent of the impact by mid-May.

The GSA spokeswoman said the agency remains committed to ensuring that the existing SAM.gov and the future SAM.gov systems are reliable.

“We are continuing to make progress on the modernization and utilization of beta.SAM.gov. Users may provide feedback on the new beta SAM website at beta.SAM.gov,” the spokeswoman said.

The presentation provides a few more details about the beta.SAM.gov initiative.

By the end of May, GSA expects to decommission the current site that hosts the Catalog of Federal Domestic Assistance (CFDA). The CFDA provides a full listing of all federal programs available to state and local governments, tribal entities and public and private organizations.

Also starting in May, GSA plans to begin “alpha testing” the reports, opportunities, federal hierarchy and wage determinations modules of SAM.gov.

GSA has been trying to improve and consolidate the 10 portals that are a part of SAM.gov for almost a decade. During that time, it has suffered three incidents — both cyber and fraud. Maybe GSA should consider adding two-factor authentication to SAM.gov, maybe even those new Login.gov capabilities that it added to USAJobs.gov earlier this year, and limit the number of vendors who have to go through the notarization process.
