Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


GSA leadership, IG continue to butt heads over schedule price reasonableness

The long-standing debate over whether prices on the General Services Administration Schedule contract are “fair and reasonable” reached a new level of discord.

GSA’s inspector general makes what some may call a shocking series of recommendations about schedule prices in a new report. Auditors told GSA to cancel the six-year-old Transactional Data Reporting (TDR) program. The IG also told GSA to tell its agency customers to make their own price reasonableness determinations because they cannot trust that they are getting the lowest prices through the schedule.

And GSA’s Federal Acquisition Service responds with contempt for those suggestions, calling TDR valuable, schedule prices more than reasonable and compliant with the Federal Acquisition Streamlining Act and the Competition in Contracting Act (CICA).

The latest episode in this long-running squabble over schedule prices is an unfortunate and predictable escalation.

Industry experts called the IG’s report not just another shot across the TDR bow, but an attempt to sink the ship.

“The OIG recommending that agencies should perform independent price determinations feels like a significant escalation in the battle between GSA OIG and GSA over the effectiveness of TDR,” said Leo Alvarez, a principal in the government contractor solutions practice of Baker Tilly, in an email to Federal News Network. “In essence, the OIG is saying they have lost confidence in the GSA schedules program to achieve reasonable prices. A proverbial ‘buyer beware’ sign is on the program.”

Alan Chvotkin, a partner with the law firm Nichols Liu, said the IG has never liked the TDR program since its inception.

“The GSA IG opposed the TDR pilot from the outset because both the commercial services practices (CSP) and the price reduction clause (PRC) would be/are inapplicable to firms participating in the TDR pilot,” Chvotkin said in an email. “The IG has also opposed almost every effort to adjust or eliminate the CSP and the PRC, such as recommended by the GSA MAS Advisory Panel. I served on that panel and supported the recommendation to eliminate the CSP and the PRC under certain circumstances. Yet both of these elements have been consistently identified by ‘commercial item’ providers as barriers to their willingness to participate in GSA’s schedules market.”

Part of the reason the IG has been against TDR and for keeping the PRC has to do with its ability to recoup alleged overcharges or mischarges.

No good way to check prices?

While the IG may like the PRC over TDR, this latest report finds that both approaches are deficient.

“When performing price analyses on TDR pilot contracts, FAS contracting personnel do not have access to TDR data that can be used for pricing decisions and as a result, they mainly compared proposed pricing to other MAS and government contracts,” the IG stated. “However, this approach does not provide customer agencies with assurance that FAS achieved pricing that reflects the offerors’ best pricing and will result in the lowest overall cost alternative to meet the government’s needs.”

The IG also heard from contracting officers; 7 out of 11 expressed concerns about TDR’s value.

“We sampled eight contracts under the TDR pilot with an estimated total value of $2.5 billion and found that TDR data was not analyzed for any of the sampled contracts,” the IG stated. “Accordingly, FAS contracting personnel followed the guidance as outlined in [2016] and relied on the pricing tools to evaluate the relative competitiveness of the proposed pricing.”

As for using the price reduction clause, the IG found “FAS contracting personnel frequently accepted commercial pricing information from offerors that was unsupported, outdated or that identified no comparable commercial sales. As a result, FAS cannot provide customer agencies with assurance that MAS contract pricing will result in the lowest overall cost alternative to meet the government’s needs.”

The IG’s analysis went one step further, looking at 20 recent MAS contract and option awards and finding that contracting officers’ price analyses couldn’t provide customer agencies with assurance that orders placed against MAS contracts will result in the lowest overall cost alternative.

Trust in schedules returned

This was part of the reason the IG recommended GSA tell its agency customers to conduct their own price reasonableness determination.

Trust in GSA schedule prices hit an all-time low in 2014 when the Defense Department, which is the largest customer of the program, and NASA issued deviations to the Federal Acquisition Regulations telling contracting officers to do their own price reasonableness determinations.

But since then, GSA made changes that reestablished faith in schedule prices. In 2018, the Naval Postgraduate School and the Coalition for Government Procurement looked at prices on GSA Advantage and found they were better than commercial offerings by more than 50%.

GSA cited the Naval Postgraduate School analysis in its response to the IG, and the IG responded by throwing the study’s conclusion back in the agency’s face: “While the study found that, in some cases, GSA Advantage! pricing was better than Amazon Business, the study did not recommend using GSA Advantage! due to minimum order requirements and instead found that Amazon Business was a viable option for purchases below the micro-purchase threshold, currently at $10,000.”

Baker Tilly’s Alvarez said what seems to be the issue at hand is the long-time battle between best value and lowest price.

The IG seems to believe GSA must always achieve lowest price, while the federal acquisition community over the last 25 years has preached best value.

“In their view the program, under TDR, fails to fulfill the requirements of CICA as it does not result in the ‘lowest overall cost alternative’ to the government,” Alvarez said. “I think that highlights something more fundamental about how GSA OIG and GSA perceive the Schedules program. The concept of ‘best value’ has long been a bedrock principle of the program. In fact, at industry meetings where the TDR program was being proposed and ultimately rolled out, GSA officials stated on a number of occasions that the data would not be used to facilitate a race to the bottom on prices. Yet cost appears to be the overwhelming focus of the OIG’s audit report.”

He added that while focusing on low prices for products may be easy, that’s not the case for services. And agencies are spending more on services every year, reaching more than $380 billion out of $637 billion in fiscal 2021.

“Pricing evaluations for services at the MAS contract level have always presented a challenge, and it remains unclear how GSA will effectively determine price reasonableness and best value for services contractors under TDR,” he said. “With services representing the majority of sales under the GSA MAS program, it will be interesting to see if GSA MAS contracting officers working with contractors under TDR continue to rely on the previously mentioned pricing tools, more frequently request additional supporting information, use other methods or simply struggle with drawing conclusions about price reasonableness.”

TDR expansion coming

It’s clear the IG’s criticisms aren’t having an effect on GSA’s plans to expand TDR.

Sonny Hashmi, the commissioner of the Federal Acquisition Service, said while he appreciates the IG’s input and suggestions, TDR is valuable and GSA plans to expand it.

“The future of how we buy in government is going to require real time data, and the price reduction clause, which served a particular purpose a decade ago, two decades ago, isn’t good enough. We have to rethink how we have we buy products and services in government. And programs like the TDR are the way forward,” Hashmi said in an interview with Federal News Network after the IT Modernization Summit sponsored by FCW. “Our current focus right now is to make sure that the quality and complete centric completeness of data continues to go up. We’ve made significant progress this year and we want to continue to make that progress. We’re continuing to integrate that data into the analysis tools that our contracting officers use every day when we’re doing fair price analyses.”

Hashmi said TDR has proven its value through initiatives like category management, through the pandemic and through hurricane responses.

While Hashmi wouldn’t offer details or a timeline about how GSA is expanding TDR, the IG report says the agency plans to move it out of the pilot phase and expand it across all schedule contracts starting Nov. 1.

“The goal though is to move to a regime over time that leverages transactional data rather than relying on clauses for price or product price assurances. We want to get we want to do that when we’re all comfortable. It’s the right time to do one of the big pushes,” he said.

Alan Thomas, the former FAS commissioner at GSA and now chief operating officer at IntelliBridge, said the IG report actually gives the agency the opportunity to rethink this entire process.

“TDR upends that model and requires the IG to change while continuing to provide important oversight of Contracting Officers’ work. This isn’t easy, but I think the report offers a pathway to a new normal. Doing so will require leadership buy-in from FAS and the IG,” he said. “The expanded use of additional data and analytic techniques to get the best value for government buyers is an area for collaboration between FAS and IG’s audit team. With the right leadership support, this latest report could be the catalyst for putting the best minds from FAS and the IG together on this topic?”

The question is can the IG and FAS leadership put away years of acrimony to come together on this important topic? It’s clear that GSA isn’t canceling TDR or telling its customers that schedule prices are not fair and reasonable. And it’s clear the IG will continue to say schedule prices are problematic.

 


You don’t speak DoDAF? The Navy feels your pain with its new plain language design concept


Among the first words out of Don Yeske’s mouth last Friday was “I hate architects.”

Yeske is the chief solutions architect for the Department of Navy’s chief information officer’s office, so right away the standing-room-only luncheon crowd at the AFCEA NOVA event offered a hearty, if not a little uncomfortable, laugh.


“We work in this obscure language that nobody speaks, called the Defense Department Architecture Framework (DoDAF). It’s great language, there’s nothing wrong with it. We have extra people come on board to a project or program and those people go and bother the people who are the engineers, the testers, the developers, the people turning wrenches, and they say, ‘Hey, I need information. So I can fill out this DoDAF view because we got to go back to the Joint Requirements Oversight Council (JROC) and get it approved, or we got to go back to the program officer to the milestone decision authority, the chief engineer has to approve these things in order for us to field this thing we’re working on,’” Yeske said. “I have to steal some of your time to go create this product, so that it can be checked by guess who? Another architect whose whole job is to check the homework of the first architect. They will argue, believe me; they will go back and forth with one another because if the second guy doesn’t reject the first guy’s work, once or twice, he’s not doing his job. In the meantime, what’s actually happening? Everybody else is out there, like building stuff, actually testing things and delivering things, hopefully, to the end user who actually needs them. And the architecture really served as a gating function. It really served as a thing that would slow you down, and that would prevent you from eventually delivering that capability. So I hate architects, because that’s what we do.”

And with more than a dozen reference architectures across DoD, ranging from zero trust to the Joint All-Domain Command and Control (JADC2) to cybersecurity to the Joint Information Enterprise (JIE), it’s no wonder architects are disliked, ignored and yawned at.

But Yeske is no self-hating architect. In fact, he’s more of a modern-day architect.

Doing development differently

He’s leading an effort within the Department of the Navy CIO to change not only architecture, but, more importantly, how the service delivers capabilities.

“The purpose of an architecture, taking it completely out of the DoD context, is if I’m building a house, it’s the instructions. It’s how you’re supposed to build the house that someone should be looking at. The engineers and the contractors should be looking at those plans and figuring out what to do. And by the way, occasionally saying, ‘Hey, your plans are wrong, change this or we did it differently.’ That’s how that’s supposed to work, but it’s totally not how it works in the Department of the Navy, or in DoD broadly,” Yeske said. “The grand idea that we have in the Department of the Navy is to do things differently. We’re going to push out information that encapsulates a lot of higher order architectures.”

To that end, the DoN CIO published on Sept. 6 version one of the Capstone Design Concept for Information Superiority. To borrow from the old Oldsmobile commercial, “This is not your father’s architecture.”

Yeske said it’s 14 pages long, it will be updated, and, don’t tell anyone, but it’s an architecture.

“We actually want people to pick up the document and read it because a lot of what it says is also said in the DoD zero trust reference architecture now in its second major version; is also said in the JADC reference architecture, now on its third major version; is also said in the cybersecurity reference architecture. There are a dozen or more major architectures that DoD and the Department of the Navy have produced that say all the same things. Nobody read them because nobody speaks DoDAF,” he said. “But we all speak English, at least passably well, and it is a highly technical language. So let’s try it. It’s a crazy different approach. Let’s see if it works.”

The Department of Navy’s CIO’s office spent a year writing the Capstone Design Concept for Information Superiority. It has one overarching goal: “To securely move any information from anywhere to anywhere else.”

Under the main objective, the DoN outlined two primary outcomes that the design concept document is moving toward:

  • Operational resilience: Yeske said this is about how resilient the system or application is. Is it down all the time? Is it approachable? Is it usable? Can people depend on the thing that you’re delivering, even under the worst possible circumstances? And if so, how do you know that? “We’re going to ask everybody, what were your measures? And how are you doing? And how do you know how you’re doing on these lines?”
  • Customer experience: Yeske said this focuses on how easy it is for people to use your application. “That’s a crazy thought, right? The two things everybody’s going to measure and report on are, how easy is your thing to use? Tell me what your customer experience actually is? Tell me what feedback you got from the end users of your thing that told you it worked? Does it work? And how do you know?”

These are very simple and straightforward questions that every developer, mission owner and architect should be asking and answering.

Of course, just writing a 14-page, easy-to-read (hopefully) document is only step one. Yeske said the DoN CIO’s office needs not just to get developers and mission owners to use it, but to get them to truly understand the value it brings.

Step one in that effort is delivering services that embody the capstone design document’s goals and objectives.

First enterprise service approved

Yeske said the Information Superiority Advisory Board approved the first enterprise service that exemplifies the architecture concepts just recently.

“The Naval Integrated Modeling Environment hosts model-based systems engineering tools and provides a shared repository for the models to live in, so that people can iteratively, incrementally and collaboratively develop and deliver anything that you can do through a digital engineering approach,” he said. “It’s just a shared set of tools with a shared repository to do that digital engineering work. If we didn’t have that, or something like it as an enterprise service, what would we do? Well, I can tell you what we would do, because it’s what we’re doing now, everybody’s trying to create their own version of that. Everybody’s trying to create their own shared repository. Everybody’s trying to create their own standards around digital engineering.”

Through the Naval Integrated Modeling Environment, the DoN is creating a standard infrastructure with reusable services that is based on the architecture. But, for the most part, developers and users don’t need to know that.

The advisory board is likely to approve the Naval Identity Services (NIS) as its next enterprise service.

Yeske said because every application requires identity verification and authorization, it makes sense for the DoN to create that common platform.

“What we do right now is we all implement our own solutions for that. That’s a huge waste. And it’s also preventing us from getting after the next objective,” he said.

In the end, the architecture, or Capstone Design Concept for Information Superiority, is just a tool to get the Department of the Navy to its end goal: systems that serve the warfighter’s needs, that are secure and agile, and that rely on standards.

Pretty simple to understand, even for an architect.

 

 


Martorana pressed about IT project oversight, role of Federal CIO by House lawmakers


Federal Chief Information Officer Clare Martorana’s time before the House Oversight and Reform Subcommittee on Government Operations on Sept. 16 lacked many of the trite lines of questioning that have usually come with federal IT hearings.

There were no complaints about the definition of a data center. Lawmakers did a nice job of keeping big “P” politics to a minimum. And concerns about specific constituent issues were mostly left out during questioning.

At the same time, Martorana, who reached her 18-month mark on the job earlier this month, kept the lawmakers at bay at least for a few more months around hot topics like cyber and customer service metrics.

What we did learn from the hearing, however, puts the Office of Management and Budget and the Office of Federal CIO on record to produce public, transparent metrics and deliver on promises in fiscal 2023.

Here are my three takeaways from the hearing:

IT funding questions

One long-held view across the federal sector over the last two decades is agencies need more money to get out from under the technical debt.

OMB hasn’t shared a new estimate about how much truly old technology agencies are working with for at least six years. Former Federal CIO Tony Scott projected in 2016 that federal technical debt topped $7 billion.

This is why, when Congress included $1 billion for the Technology Modernization Fund in the American Rescue Plan Act, Rep. Gerry Connolly (D-Va.) and others called it a down payment.

But more than a year after receiving the money, not every member of the subcommittee is convinced that more money for federal IT is the answer.

Rep. Jody Hice (R-Ga.), ranking member of the subcommittee, raised concerns about how agencies are spending money to modernize technology and the Federal CIO’s oversight of that spending.


“There’s an underlying assumption that the vast amounts of funding somewhere in the neighborhood of $100 billion a year will somehow deliver the intended results. But in my time in Congress, at least, and certainly during my time as ranking member of this subcommittee, I’ve learned that it’s probably not wise to make that assumption,” he said. “While my Democratic colleagues claimed the source of the problem is lack of funding, I, quite frankly, reject that premise. Simply pouring more money into a black hole is not a solution. What we need is solid oversight that is backed by reliable information in order to determine the true state of our federal IT and to determine whether federal IT projects are delivered on time and on budget.”

Hice’s comment may come off as partisan given Republicans’ general dislike for spending more money.

But stepping back from the “politics” of the concept, OMB’s oversight of federal spending has become less transparent.

The PortfolioStat and TechStat processes from the Obama administration have been in a deep slumber for more than five years. Former OMB staff have said PortfolioStats have not been regularly performed for several years. Instead, OMB reassigned resources to other priorities.

The PortfolioStat implementation guidance hasn’t been updated since 2015 and there has been no public discussion by OMB about how it is using the process to address IT projects that may be in trouble. In fact, the Government Accountability Office made recommendations in 2015 to improve the PortfolioStat process, and OMB implemented two of four of those suggestions, with GAO closing the two that weren’t implemented.

The Federal IT Dashboard does still discuss savings from PortfolioStat, more than $407 million in fiscal 2021 alone. But there is little public evidence for how agencies achieved those savings and what OMB’s role was in overseeing those efforts.

OMB designed TechStat and PortfolioStat to bring some much needed top-level oversight to federal IT projects. At one point, OMB encouraged agencies to do their own internal oversight sessions and several did early on.

But what has happened over the last five-plus years around oversight of IT projects is unclear, and that lack of transparency came out during the hearing.

Del. Eleanor Holmes Norton (D-D.C.) asked Martorana that exact question.

“Empowering CIOs and then holding them accountable for using their authorities effectively is the goal of our subcommittee through the biannual FITARA scorecard,” she said. “So may I ask you, how will you work with Congress to provide the public data and information that will help you and your efforts to highlight IT leadership and accountability?”

Earlier on during Holmes Norton’s questioning, Martorana offered some insights into how she views her role. She said the Federal CIO helps agency CIOs navigate a complex set of rules, regulations and laws that drive their operating environments.

“It is really incumbent upon this role to make sure we are playing an oversight role, that we are measuring and where we are able to that we are sharing best practices across every federal agency and CIO that I work with,” she said. “We’re all trying to solve the same problems. We don’t want to start from a blank piece of paper. So when one agency goes on an IT modernization journey, for example, we want to make sure that we share those best practices across the entire federal enterprise.”

Hice piled on this line of questioning later in the hearing.

“You bring up your position, and with the ability you do or do not have to actually produce change. I’m curious about that. I’m going to give you three questions that I would like for you to respond back to the committee,” he said. “Question number one, can you supply this committee with a copy of your job description? Secondly, who established that position? How did the process come about that the Federal CIO position was established? And then thirdly, do other CIOs recognize this position and do they submit to your proclaimed authority? If you can send me an answer to those questions here in the next week or so I would appreciate it.”

Rep. Gerry Connolly, chairman of the subcommittee, added to Hice’s request seeking answers about the Federal CIO’s relationship with the Federal Chief Technology Officer, which is currently vacant as the Biden administration hasn’t nominated anyone yet, and how the roles of those two offices have evolved over the past decade.

All good questions from Hice, Connolly and the members because throwing more money at a problem rarely has been the answer and usually just exacerbates the underlying issues for why more money is needed in the first place.

What is the Federal CIO’s oversight role and how are they ensuring agencies are accountable for IT spending? And please don’t tell me the budget side of OMB and desk officers are the first line of defense.

TMF slush fund?

Hice reiterated his concerns about the Technology Modernization Fund from the FITARA hearing in July. It’s a good sound bite, for sure. While there is little evidence or truth behind that thought, Hice, once again, highlights OMB’s ongoing challenges to communicate and demonstrate the value of the TMF.

Hice’s comments focused on OMB’s reduced requirement for agencies to repay the “loans,” and whether OMB is ignoring the spirit and intent of the TMF’s underlying law, the Modernizing Government Technology Act.

“The broader MGT Act meant doing away with the types of ancient systems that still run too many of our vital government programs. In addition, the tenet of the TMF was that it would create an efficient cycle,” he said. “The Biden administration has opted for partial or even minimal reimbursements. I want to know why. It’s also emphasizing cybersecurity and customer experience projects, which in and of themselves are fine, but doing so rather than retiring old systems. Again, it’s not that these practices in and of themselves are bad, but it simply and clearly is not the intent of Congress. So why is the administration doing this? We need answers. Does the savings based model of the TMF not work? Or is it simply inconvenient? This committee needs to know and what progress is being made to retire legacy systems.”

On a side note, Hice asked if there was a definition of legacy systems. Smart folks in industry pointed out to me that yes, of course, there is one. It’s in the MGT Act, which defines a legacy system as an “outdated or obsolete system of IT.”

But going back to the TMF, questions about the repayment requirements have long been a sticking point for both agencies and Congress.


Martorana said the year before OMB changed the repayment process, the TMF Board saw only one proposal to obtain money. That may be the first time we’ve heard that tidbit about the lack of interest in applying for the TMF.

Martorana offered a few statistics about the impact and excitement over the TMF since the repayment changes and the flush of money that came in.

She said the board received more than 150 TMF proposals for projects totaling over $2.8 billion.

“The TMF Board has invested more than half of the TMF ARP funding, and – as the board continues to invest the remaining ARP funds – our goal is to balance speed with ensuring we invest in high quality, impactful proposals that have a high likelihood of success,” Martorana said in her written testimony. “Looking ahead, we will focus on targeted investment areas, such as those in the Customer Experience (CX) Allocation announced in June 2022, as well as coordinate within OMB and with other key stakeholders to set goals for the next fiscal year that better integrate agency budget requests and results.”

Martorana promised Hice and the subcommittee that repayment remains a goal for every TMF project.

“I think within the next year you are going to see such dramatically improved outcomes from the TMF projects, because we are managing them in a completely different way than we did previously by having technologists upfront in every single part of the investment,” she said. “We review our investments quarterly, if people are not hitting their milestones, we do not give them additional funding. If teams are failing at a component, we rally people together to be able to support them with the subject matter expertise that will help them be effective and efficient.”

But as Martorana shared, calculating and achieving cost savings from IT modernization projects isn’t easy.

Before becoming Federal CIO, Martorana was the CIO at the Office of Personnel Management where she tried to modernize old mainframes and eventually move the workloads to the cloud.

“The challenging part was we weren’t able to recognize the cost savings as quickly as I would have hoped. You had to start first by reengineering all of your business processes because you can’t just lift and shift and do exactly what you did on the mainframe without interrogating the way that you do business because newer systems are differently efficient, and they potentially have the opportunity for us to really leapfrog. So you want to make sure that you’re thinking about the business process and not just moving old antiquated because that’s the way we did it 25 years ago to the cloud, for example,” she said. “I had originally planned once we were able to get the new mainframes up and running, I thought we would be able to sunset the old equipment, so get rid of operations and the maintenance cost and all of the ancillary costs, and staffing that had to be burdened managing those systems. It took years of compliance activity that we needed to go through in order to actually get those offline and stop paying for both. So we were really challenged in recognizing cost savings.”

It’s clear OMB has to explain to Congress why achieving cost savings, while admirable, may not make the most sense as one key end goal. Martorana’s example is a good start, but they need about 20 more explained in grave detail so it sinks in with members.

Law or not, FedRAMP must improve

Connolly has been on a bit of a mission to codify the Federal Risk and Authorization Management Program (FedRAMP) for the past few years. His FedRAMP Authorization Act of 2021 was the first bill the House passed in January. Additionally, the House adopted the bill as an amendment to the 2023 defense authorization act, giving it another path to become law.

It’s now a question of whether the Senate will support it, and previously, the Senate Homeland Security and Governmental Affairs Committee had been hesitant, particularly Ranking Member Sen. Rob Portman (R-Ohio).

But Sen. Gary Peters (D-Mich.) and others introduced the Federal Secure Cloud Improvement and Jobs Act last fall to provide “quicker, more secure commercial cloud capabilities in government, which will improve cybersecurity and empower agencies to deliver modern digital services to citizens.” The bill made it out of committee in May, but hasn’t advanced on the Senate floor.

No matter what happens with the FedRAMP bill, Martorana said OMB recognizes the program needs to improve.

“We’re on a path to really make sure that FedRAMP is the most robust marketplace it can possibly be. But there are many small companies with innovative software that we would love to be able to have go through the FedRAMP program, but it is cost prohibitive for some of these small organizations,” she said. “We have actually asked members of my team to work collaboratively with GSA and the program team and really roll up our sleeves. We need to fix this to make sure that not only we are supporting the supply chain issues, making sure they’re secure software development, but also making sure that we can meet the speed of the need of federal agencies to have some innovative technology available to them with the umbrella security of the FedRAMP seal of approval in a way.”

What that effort will look like is unclear.

To its credit, the FedRAMP program management office has consistently looked for ways to improve the program’s speed without losing any of its rigor. That led it to develop the FedRAMP tailored process and to use the Open Security Control Assessment Language (OSCAL) to automate the security documentation process and speed up approvals.

Just last week, FedRAMP issued its draft Authorization Boundary Guidance, which is critical to helping cloud service providers with the security packages they send to the JAB. The guidance is open for public comment until Oct. 17.


New CISOs come on board at VA, Transportation

The federal cybersecurity community is seeing an unusual amount of change.

In the last five weeks, no fewer than six chief information security officers or deputy CISOs took on new positions across the government.

The movement among cyber executives may not be surprising given new data from ISC2 that says there are more than 2.72 million open cyber jobs worldwide, with openings reaching 3.5 million by 2025. Additionally, data from the Enterprise Strategy Group shows that 60% of respondents in a recent study say it takes two to five years to become proficient in cybersecurity and 17% say it takes more than five years.

At a micro level, agencies and contractors are using, in some cases, pay (think financial services agencies) and, in most cases, mission appeal as the way to attract experts from other organizations.

Basically, as we’ve heard over the last decade, the competition for cyber talent is hot and these executives moving to new positions or taking on new duties is expected given the seemingly never-ending desire for these skillsets.

Let’s start with Jay Ribeiro, who joined the Department of Transportation as its new CISO and associate chief information officer on Aug. 28.

He comes to DOT from the Justice Department’s Bureau of Alcohol, Tobacco, Firearms and Explosives, where he was the CISO. He had been with ATF since 2018. Prior to that, Ribeiro worked at the Federal Election Commission and the State Department in senior IT roles.

Ribeiro takes over for Andrew Orndorff, who had been DOT’s CISO and associate CIO for strategic portfolio management for the last two years.


In coming to DOT, Ribeiro inherits a $345 million cybersecurity budget in fiscal 2022, up from $334 million last year. DOT requested $391 million for 2023.

More specifically, Ribeiro is on tap to receive as much as $48 million, up from $39 million in 2022, in direct cyber funding from Congress. In the House version of the 2023 spending bill, lawmakers wrote the money would be for “essential program enhancements, infrastructure improvements and contractual resources to enhance the security of the department’s computer network and to reduce the risk of security breaches.”

VA promotes Sherrill, Roy

Another CFO Act agency turned to a familiar face to be its new CISO.

The Department of Veterans Affairs named Lynette Sherrill as its new deputy assistant secretary for information security and CISO, also on Aug. 28.

In an email to staff, Assistant Secretary for OI&T and CIO Kurt DelBene said Sherrill, who had been acting CISO for seven months, will lead cybersecurity programs and risk management activities.

“In her seven months as acting CISO, Ms. Sherrill has already led high-profile efforts, including the development of VA’s new zero trust first cybersecurity strategy — the heart of OIT’s approach to security excellence. Additionally, she is driving efforts to implement continuous evaluation of systems and metrics, allowing OIT to respond to cyber threats in real time,” he wrote. “As she begins her role as the permanent CISO, I’m confident she will continue to lead with vision and passion in service of our nation’s veterans.”


Sherrill has been with VA since 2004, starting out in IT security after working in industry and for the Army earlier in her career. Before she became acting CISO after Paul Cunningham retired in February, Sherrill was executive director of the enterprise command operations, where she oversaw tools and capabilities to understand the dependencies across VA’s large network and monitor the IT infrastructure to address problems before they impact the network.

As the CISO, Sherrill inherits a cyber budget of $450 million in 2022. VA requested a $137 million increase in 2023.

Joining Sherrill is Faith Roy as her new deputy CISO and executive director for cybersecurity integrations, logistics and planning in the Office of Information Security.

DelBene said Roy is responsible for implementing cybersecurity programs, policies and strategies. She had been acting deputy CISO since Sherrill moved up in February.

“Ms. Roy brings a wealth of public and private sector expertise in information technology, human capital and financial management. She is also a U.S. Army Veteran,” DelBene wrote.

Similar to Sherrill, a few others ascended to new positions in their agencies.

Treasury, CBP hire new executives

The Treasury Department named Christopher Adams its new CISO for departmental offices in headquarters in August as well. Sarah Nur remains the Treasury CISO.

He has spent much of his career working for the Air Force and is currently an Air Force reservist with the 7th Space Operations Squadron, where he is assistant director of operations.


Treasury has an $829 million cyber budget in 2022, which would increase significantly to $970 million if Congress funds the 2023 request. Adams doesn’t control the entire budget, but some of the funding will go to securing departmental offices systems and data.

More specifically, House lawmakers approved $135 million for Treasury’s cybersecurity enhancement account, which is $55 million more than it received in 2022, but $80 million less than it requested.

Lawmakers said in their report on the bill that CEA is “a dedicated account designed to identify and support departmentwide investments for critical IT improvements, including the systems identified as high value assets.”

Once the spending bill becomes law, Treasury will have 60 days to submit a quarterly spend plan to Congress detailing how they will obligate funds, any carryover funding from previous years and how that money will be spent.

After serving for two years as the deputy CISO, Scott Davis took over as the top cyber executive at the Customs and Border Protection directorate in the Department of Homeland Security.

He joined CBP in 2020 after spending two years as the Labor Department’s deputy CISO. He joined the government in 2010, coming from industry to work on cyber issues for the old National Protection and Programs Directorate at DHS. NPPD is now the Cybersecurity and Infrastructure Security Agency.

Finally, the Defense Department brought in a familiar face to take over some key cyber activities.

Ray Letteer started in a new position as the principal deputy director for risk assessment and operational integration at DoD CISO on Aug. 15.

“It has been an honor and privilege to serve in my prior roles in the Marine Corps, and I will carry with me those lessons and examples learned over the past 19 years into my new position. Semper Fi!!” he wrote on LinkedIn.

Letteer spent the previous 19 years with the Marine Corps, where he was compliance branch deputy chief for cybersecurity and its authorizing official for the last two-plus years. He also served as the Marines’ CISO and chief of the cybersecurity division for 16 years.

SSA’s new cyber, technology leaders

One last new person in the cybersecurity community is Tim Amerson, who became the deputy CIO and deputy CISO at the Social Security Administration on Aug. 12.

He joins SSA from VA, where he was the director of infrastructure operations cybersecurity management for the last four years. Amerson worked at VA for nine years and spent 32 years serving in the Army National Guard before retiring in 2018.

And finally, one non-cyber related move that is valuable.

Sudhanshu ‘Sid’ Sinha is the new chief technology officer (CTO) at SSA, filling a position that has been vacant for some time.

Sinha comes to SSA after spending the last eight years with the IRS, where he was director of enterprise architecture. In that role over the last 11 months, he helped lead the architecture strategy and modernization planning and execution for the American Rescue Plan Act (ARPA).

“[I] had a great start the first week, meeting with the solid leadership team at SSA. I am looking forward to continuing my public service, improving outcomes and experience for the American public that rely on the SSA,” Sinha wrote on LinkedIn. “[I] wish to also convey thanks to my IRS colleagues and collaborators, for an amazing run over the last nine years.”

He previously worked as the deputy CIO for the U.S. Mint and worked in assorted IT roles in industry.

 


The fate of the SBIR program hangs in the balance of the next month


In about 30 days, one of the longest running and most successful small business programs will expire.

The House will have 14 days in September with votes scheduled to reauthorize the Small Business Innovation Research (SBIR) program when it returns to Washington, D.C. after Labor Day. Meanwhile, the Senate reconvenes on Sept. 6 and doesn’t spell out how many days it plans to be in D.C. and voting on bills.

To be sure, the fate of the SBIR program hangs in the balance of what Congress can do by Sept. 30.

If Congress doesn’t act, and it’s still a pretty big if at this point, the SBIR program would come to an end after 40 years. And this would be a travesty.

As Emily Murphy, the former administrator of the General Services Administration and long-time Hill staff member who worked on small business acquisition issues, wrote in April when she warned of the program’s impending expiration, the results of the SBIR program speak for themselves.

“Companies such as iRobot, Sonicare and Symantec are household names. Per the Small Business Administration, 70,000 patents and 700 public companies have resulted from the program. A recent study by scholars at Rutgers and the University of Connecticut looked at SBIR awards at the National Science Foundation and found that the SBIR program allowed the government to select risky but high impact ventures,” she said.

Now it seems likely that Congress will renew SBIR and all this consternation will have been for naught. But the question remains whether they let it expire on Sept. 30 and renew it in October or November or whenever, and the impact that will have on agencies and industry alike will be significant. The threat of expiration already put agencies behind the time curve, Murphy said.

Emily Murphy is the former GSA administrator and spent 9 years serving as a staff member on Capitol Hill.

“Some small businesses will see an expiration as a sign the program isn’t stable, and may go elsewhere instead of becoming the next generation government contractors we need. They will look for other R&D funding paths that don’t promote federal mission needs, or may simply stick to traditional lines of business,” Murphy said in an interview with Federal News Network. “The government risks foreign countries closing the innovation gap, and warfighters, medical researchers, and others not receiving the support, tools and technologies they need to meet their mission.”

The authorization would impact the Defense Department in a big way, but it also would impact the National Institutes of Health, the Energy Department, NASA and the National Science Foundation.

Are “SBIR mills” a problem?

At the heart of the matter are the concerns of Sen. Rand Paul (R-Ky.), ranking member of the Small Business Committee, about SBIR and how some companies game the system.

Paul outlined his concerns about what he calls SBIR mills at a hearing last September on SBIR and its cousin, the Small Business Technology Transfer (STTR) program.

“But only a select few win and have figured out how to make the SBIR program work for them and them alone. Some companies have been so successful in creating an entire business model and revenue stream that is solely for these grants they are known as SBIR mills. An analysis by the State Science and Technology Institute (SSTI) showed that from 2009 to 2019, 21% of the awards were made to the mills, which the institute defined as ‘firms who receive more than 40 phase one awards,’” Paul said. “Forty grants to just one company, may raise a few eyebrows as unnecessary and excessive and someone abusing the system. According to SBA’s public data, 196 businesses received more than 100 awards each. Some businesses received more than 900 awards. Sounds like somebody has figured out the system here.”

There is a lot of debate about whether SBIR mills really are a problem. As Paul highlighted, 21% of the SBIR awards from 2009 to 2019 went to these “mills,” but what he doesn’t mention is SSTI found 41.5% of the awards went to just one company and 56% of the awards went to companies winning two-to-19 awards, which is a pretty big spread. But this means a majority of all awards went to companies winning fewer than 20 total awards over a 10-year period. That is an average of two awards a year. Given the Defense Department made almost 17,000 individual phase 2 awards worth $14.4 billion between 1995 and 2018, two a year doesn’t seem too crazy.

A spokesperson for Paul said in an email to Federal News Network that ongoing negotiations are close to coming up with a compromise bill.

“Legislative aides for the Senate and House Small Business Committees and the House Science Committee have been in bipartisan bicameral negotiations every day for the last few weeks. As they were putting the final touches on compromise legislation to reauthorize the program, lobbyists for some of the worst offenders tried to stop Congress from taking action to curb SBIR mill abuse and destroy critical research security measures to secure the taxpayer’s investments in R&D from China, Russia, and other foreign influence,” the spokesperson said. “While our team has continued to push for a deal and work towards a compromise, Democrats are now the ones backing away from their own proposal to establish a benchmark for commercialization rather than a cap on awards.”

Cautious optimism remains

Sen. Ben Cardin (D-Md.), chairman of the Small Business Committee, offered a little more optimism about the likelihood of reauthorization.

“The SBIR and STTR programs harness the creativity and ingenuity of America’s entrepreneurs and innovators to solve the most pressing public health and national security challenges confronting our nation. Congress must reauthorize SBIR and STTR before they expire on Sept. 30 to avoid disrupting the research of small business participating in the program,” Cardin said in a statement to Federal News Network. “I will continue working in good faith with my colleagues to reach a bipartisan compromise that will reauthorize SBIR and STTR before it expires while protecting our national security and bringing more of the programs’ technologies to market.”

The Defense Department, which is one of the largest users of SBIR, offered its feedback on the reauthorization in July as well as comments on what the expiration would mean.

“Failure to reauthorize the [SBIR/STTR] programs will result in approximately 1,200 warfighter needs not being addressed through innovative research and technology development,” wrote Heidi Shyu, the undersecretary of Defense for research and engineering, and Bill LaPlante, the Undersecretary of Defense for acquisition and sustainment, in a letter to the House Small Business Committee. “Without a program targeted towards small businesses, the department will potentially lose access to talent and innovation inherent in America’s small businesses. In addition, uncertainty in the program will discourage small companies from doing business with DoD in the future.”

DoD says the return on investment through SBIR investments is substantial and increasingly making the program more valuable.

Source: DoD SBIR-STTR National Economic Impact Study 1995-2018

DoD, for instance, already put out a notice on Aug. 24 saying if Congress doesn’t reauthorize SBIR by Sept. 30, it will not move forward with its current broad agency announcement.

Eric Blatt, a lawyer with Scale LLP who advises startups that engage the SBIR program, said the program’s disruption also would mean companies possibly having to lay off employees, close altogether or seek funding from elsewhere, including China, which is a concern Paul brought up as a reason to hold up the reauthorization.

“SBIR is an important source of funding for companies, which are using this in addition to venture capital and other sources of funding. It’s very difficult to take an early stage company and bring the technology to market, and disrupting any source of funding can be disruptive or even fatal to that effort,” Blatt said in an interview with Federal News Network. “A lot of the technology that DoD wants to fund is hard to get venture capital dollars for because the DoD market is a difficult nut to crack and VCs look at that market as less attractive. This makes SBIR an incredibly important program to fund defense-oriented technology.”

A scalpel, not a blunt change to SBIR

Murphy, Blatt and other experts say concerns about SBIR mills are overblown. Yes, there will be some bad actors and they do need to be addressed and potentially removed from participating in the program.

“Any program of this size has underachievers, but the test Congress is promoting is a very blunt tool when we need a scalpel to determine who is producing results and who is not,” Murphy said. “There are better ways to address possible problems, such as requiring more reporting of the outcomes of phase II awards and if or when there are phase III awards or other types of commercialization.”

Blatt added many companies agree with the notion of adding more rigor to commercialization requirements of SBIR, some of which Congress is considering.

“Misuse of the SBIR program is not a significant issue in the scheme of things,” he said. “I don’t think reauthorization should hinge on this issue. It’s not a bad thing for companies to have incentives to do everything they can to turn their technology into competitive products. There are a lot of proposals on the table that have broad-based support and would further incentivize effective commercialization efforts.”

In the end, that’s what Sen. Paul is trying to do, make the program more effective and ensure the money that DoD and other agencies award is creating the next Pixar or global positioning satellite technology vs. the next Betamax or LaserDisc.

 


The suspension, debarment process could be improved, but not by DoJ taking the lead


The number of contractors suspended and debarred hit a 12-year high in 2014 with 1,929 vendors or executives debarred and another 1,009 suspended from federal acquisition.

Compare those numbers to what the Interagency Suspension and Debarment Committee reported in its fiscal 2020 report released earlier this year: 1,256 companies or executives debarred and 415 suspended.

That’s a 34% drop in the number of debarments and a 59% reduction in the number of suspensions.

Source: Interagency Suspension and Debarment Committee fiscal 2020 report.

Now take into account the amount of money spent on federal procurement has increased to $665 billion in 2020 from $448 billion in 2014 — a $217 billion or 32% increase.

By raw numbers alone, more money going out the door and fewer contractors doing bad things that would require agencies to take these extraordinary actions may not compute.

This is some of the logic probably used by Sens. Elizabeth Warren (D-Mass.) and Ben Ray Luján (D-N.M.) in a recent letter to the Justice Department asking it to take a more aggressive suspension and debarment position.

“The department has broad authority to debar any government contractor that has committed a covered violation as long as the department follows proper referral and debarment procedures. Notably, the department can debar even companies that it does not directly do business with, and a contractor can be debarred even for conduct that does not relate to any of its government contracts,” the senators wrote in their Aug. 11 letter to Attorney General Merrick Garland and Deputy Attorney General Lisa Monaco. “The department’s historically lethargic use of its debarment authority sends a clear message: Corporate criminals can engage in any kind of wrongdoing, and — after receiving an occasional fine or slap on the wrist — can return to business as usual, receiving millions (and in some cases, billions) in taxpayer-funded government contracts. Corporate criminals and their top executives can rest easy knowing that no matter how egregious, how extensive, or how long-lasting their misconduct, the government will welcome them back to the contracting table with open arms. It is time for this lax approach to change. The department’s prosecutors and procurement staff should use all the tools at their disposal, including suspension and debarment, to deter corporate criminals.”

Warren and Luján offered four ways DoJ could be more aggressive, including taking on a governmentwide role for debarring contractors.

Letter is missing broader issues

The letter received a lot of attention in the contracting community. Some of it in mocking praise, where experts offered comments like “it’s great the senators are paying attention to federal contracting, but maybe they should read the suspension and debarment regulations first.”

Some of it in bewilderment about what suspension and debarment is and why agencies tend to use it.

“They are asking that Justice adopt a role that it hasn’t historically done. DoJ has suspended and debarred contractors who deal with DoJ, but what this letter is asking them to do is adopt role of super all-encompassing S&D authority for the government,” said John Chierichella, the CEO of Chierichella Procurement Strategies and a long-time federal procurement lawyer. “What that would do is put the authority into the hands of agency that may not be, and probably will not be, the agency that was the ‘victim’ of the underlying wrongdoing. DoJ is not the agency that will suffer the consequences of having a contractor excluded of providing goods and services to that agency.”

He said politicians who make these types of proposals should pay attention to the standards for suspension and debarment in the regulations.

“That is what is missing from this letter,” he added. “What I believe is that if we would follow this new policy that the senators want to impose, you would see an agency whose role is what? Prosecution. They look to punish people. That’s their role in life. They will go out and apply this broadly and they will look to punish contractors and they will not understand the people who need these companies to perform this mission.”

Other federal contracting experts echoed Chierichella’s comments, saying Warren and Luján are missing the broader rationale for suspension and debarment.

Not a punishment, but a protection

Time and again lawyers say suspension and debarment is not a punishment, but a way for agencies to protect themselves. Even the interagency S&D committee makes that point in a recent document dispelling misconceptions about suspension and debarment.

Question: Can the suspension and debarment remedy be used for punishment or penalties, or as an enforcement tool?

Answer: No. The suspension and debarment remedies are used prospectively to protect the government’s interests and assess business risk.

Robert Burton, a partner with Crowell & Moring and a former deputy administrator in the Office of Federal Procurement Policy, said generally speaking, the suspension and debarment process works well, both as a deterrent and as a way to protect agencies.

“If a company has taken corrective action and maybe entering into a civil settlement, most agencies find it hard to punish them further because that has been done by criminal or civil authorities,” Burton said. “Since it’s not a punishment tool, does the government need to be protected from an entity after the company took corrective action and put in internal controls to prevent issues in the future?”

Chierichella added when agencies put the suspension and debarment standards in contracts, vendors took note. He said companies tend to rectify any potential or real problems to prevent themselves from receiving what many refer to as the “death penalty.”

“These regulations have been effective and companies pay a lot of attention to this list of factors that determine whether they may violate rules that could get them suspended or debarred,” he said.

Burton and others say the government has a lot of tools at its disposal to punish contractors for poor performance on a contract or for other issues.

Eric Crusius, a procurement attorney with Holland & Knight, said agencies can terminate a contract or write a negative past performance review, both of which should have the desired effect without potentially harming the future of a company and its employees.

“The agency that contracts with the contractor often has the best insight of the contractor’s conduct and present responsibility,” he said. “Further, the contracting agency best understands the practical implications of a debarment, like is the company vital to their supply chain?”

Crusius said Justice would have no insight into those details, which could cause bigger problems for agencies.

Ways to improve S&D

The suspension and debarment process is far from perfect, experts say.

Barbara Kinosky, the managing partner of Centre Law and Consulting, said agencies too often go after small businesses because they have fewer resources to fight back.

She said the senators correctly pointed out that cases against companies like Balfour Beatty or Schneider Electric are much more difficult to win than those against small businesses.

“I have been retained, as an expert witness, in several matters that involve False Claims Act issues and suspension or debarment. I have noticed from my experience that DOJ appears to prefer proceedings against small businesses who do not have the legal budget to hire platoons of attorneys,” she said. “I suspect that Balfour Beatty has the luxury of having lobbyists on Capitol Hill, something most small businesses do not have. And let’s add to the mix, how difficult it would be for the military to find another contractor for badly needed housing. On the record it appears that Balfour, a repeat offender, should be debarred. And so should Avanos Medical who put medical lives at risk. But Avanos just reported operating profit of $46 million. So I ask the question, who is the easier target?”

Burton said if there was one area where DoJ could be more helpful around suspension and debarment, it would be how they share information with agencies.

He said there are cases where agencies need to take protective action and issue a suspension but can’t because DoJ prosecutors will not share information during an investigation.

“It’s important to understand that the idea of ‘adequate evidence’ is a low bar. DoJ doesn’t have to show everything, but some things would be incredibly helpful while not compromising an investigation,” Burton said. “The senators make a good point that there could be more activity in this whole area in respect to protecting the government. The numbers are rather surprisingly low, especially in view of problems we’ve seen with fraud regarding grant money through the American Rescue Plan Act. Agencies have been overly cautious and maybe in some instances S&D could be used more widely to protect government.”

 


Three reasons why organizational conflict of interest is back in the spotlight

Concerns about organizational conflicts of interest among vendors providing, for instance, technology planning services and technology implementation services are as old as federal acquisition itself.

But over the last few weeks, OCI has received more attention and consideration among agencies, and it should be seen as a warning sign to batten down those OCI hatches.

First, Senate Homeland Security and Governmental Affairs Committee members introduced the Preventing Organizational Conflicts of Interest in Federal Acquisition Act and it passed out of the full Senate on Aug. 2. The bill is a direct response to a potential OCI between McKinsey and Associates, drug development companies and the Food and Drug Administration — more on that later.

A day later, the Defense Health Agency issued a notice under its Military Health System Enterprise Information Technology Geographic Service Provider (GSP) requirement that calls out seven companies who are conflicted out of bidding on the potential $1.5 billion contract.

Federal procurement experts and lawyers say a notice like this has rarely been seen publicly and gave DHA a lot of credit for taking these public steps.

The third example of an OCI issue impacting the federal acquisition community came Aug. 12 when the Government Accountability Office sustained a protest by Guidehouse over an award by the Secret Service and the Department of Homeland Security to Deloitte.

The $20 million task order through the OASIS vehicle run by the General Services Administration focused on CFO support services, including conducting budget and financial management operations.

Guidehouse alleged the Secret Service made several mistakes, but GAO upheld two of the complaints with the biggest one focused on OCI.

Requirement to disclose potential conflicts

The three of these taken separately don’t really amount to much — a single piece of legislation that may not make it into law; a specific instance of a contract notice; and a random GAO decision.

But when you bring the different pieces together, it starts to create a picture of OCI issues gaining more attention across the federal sector.

“Companies that receive taxpayer dollars from federal contracts should not turn around and advise clients to take actions that are against the interests of the American people,” said Sen. Gary Peters (D-Mich.), chairman of the committee and one of the lead sponsors of the bill, in a statement. “This bipartisan, commonsense legislation will require federal contractors to disclose any potential conflicts of interest before they are awarded a federal contract to ensure they are effectively serving taxpayers.”

Rep. Carolyn Maloney (D-N.Y.), chairwoman of the Oversight and Reform Committee, introduced a companion bill in April. The committee approved a substitute amendment in July that matches the Senate’s version of the bill, clearing the way for a full vote by the House.

“Avoiding OCIs is particularly important for consulting contracts where government is paying for expert advice for sensitive matters,” Maloney said during the July 14 markup. “This bill would make long overdue revisions to strengthen rules on OCIs. The rules on OCIs have not changed significantly since they were issued in the early 1990s despite many major changes in the government contracting landscape.”

Maloney added that the regulations across government vary and the bill would help bring some standardization to how agencies apply the tenets of OCI.

More specifically, the Preventing Organizational Conflicts of Interest in Federal Acquisition Act would require agencies to identify potential conflicts for specific contracts early in the process.

Federal contractors would have to disclose other business relationships with entities that conflict with the specific work that an agency has hired them to do and would also have to disclose new potential business that opposes ongoing services they are providing to agencies.

The legislation also would require federal agencies to assess and update their procedures for determining whether contractors could have a conflict of interest.

DHA notice on seven vendors

This is just the latest attempt by Congress to address OCI challenges.

The law firm Miller & Chevalier wrote in April about bids to improve how agencies deal with conflicts. The firm wrote that in 2007, the Advisory Acquisition Panel released a report that indicated that “the potential for OCIs has increased significantly in recent years” and “[t]he contracting community needs more expansive and detailed guidance for identifying, evaluating, and mitigating OCIs.”

Then in the 2009 Defense authorization bill, lawmakers called for the Federal Acquisition Regulations Council to review conflicts of interest rules and contract clauses. This led to a proposed rule to address OCI issues in 2011.

Miller & Chevalier said that proposed rule was withdrawn in March 2021 based on the “amount of time that has passed since publication of the proposed rule and potential changed circumstances.”

Now despite this rule never coming to fruition, DHA took steps to get in front of any potential conflicts with this mega IT services contract.

DHA called out companies including Perspecta Enterprise Solutions, Capgemini Government Solutions, Guidehouse and Tenacity Solutions because the team won the $2 billion MHS Enterprise IT Services Integrator (EITSI) blanket purchase agreement (BPA), under which they are providing program manager support services and working on the government side to help DHA manage the follow-on contracts for geographic service providers.

DHA says these companies would be conflicted out of bidding on any “work for the duration of the BPA and for 18 months after the final day of performance under the BPA or any call orders thereunder.”

For these companies, the OCI notice likely wasn’t surprising, but the fact DHA issued it publicly definitely raised some eyebrows in a good way.

Protest of Secret Service award upheld

The third piece to this puzzle came on Aug. 12 when GAO sustained Guidehouse’s protest.

The GAO lawyers didn’t hold back on just how poorly the Secret Service did in addressing potential OCI issues.

“First, the record reflects a fundamental misunderstanding on the part of the contracting officer regarding the legal standards related to impaired objectivity OCIs. Further, contrary to the arguments of agency counsel, the record reflects that the contracting officer did not in fact take a ‘close look,’ or carefully consider, whether Deloitte’s ability to render impartial advice to the agency under the CFO support services task order would be undermined by the firm’s competing interests under the TOPS/FRED task order,” GAO wrote. “The analysis demonstrates that the agency failed to give meaningful consideration to whether a significant organizational conflict of interest exists here.”

Deloitte also holds the TOPS/FRED task order, which is for financial data and reports that are utilized for the agency’s budget analysis and management functions and also for services such as program management; operations and production support; software and hardware performance; information system security officer support; system utilization/performance/improvement; software maintenance; training; and enhancements.

GAO found that the contracting officer failed to properly consider whether Deloitte could objectively do the work under the CFO Support Services contract given its work on TOPS/FRED.

“For purposes of an impaired objectivity OCI analysis, however, it is wholly irrelevant whether the two efforts are same or similar in scope or size; instead, what is relevant is whether the contractor would be in a position of reviewing its own work or otherwise unable to perform its obligations in an impartial manner. Consequently, we find the contracting officer improperly substituted similarity (or lack thereof) between the two efforts for a reasonable determination of whether Deloitte’s work on the CFO support services task order could be objectively performed in light of its work on the TOPS/FRED task order,” GAO wrote. “Additionally, the record does not support the agency’s assertion that the contracting officer conducted a detailed review of the requirements for the two efforts. To the contrary, the record reflects that the contracting officer’s assessment was limited to reviewing the top-level/overall objectives of the CFO support services without any analysis or consideration of the many hundreds of work activities required for the two efforts. Absent a consideration of these requirements here, the agency’s OCI analysis lacked a reasonable foundation.”

Those were pretty strong words from GAO.

While the bill is far from guaranteed to become law, the fact is Congress is paying more attention to OCI and that will have a trickle-down effect on agencies and vendors alike. Given DHA’s notice and GAO’s most recent protest decision, it seems logical for agencies to ensure contracting officers understand how best to determine OCI and for vendors to do more than say they have put up a “firewall.”


SBA shuffles its CIO chair once again

After four years of stability in the chief information officer’s role, the Small Business Administration is back to the CIO shuffle.

Since Maria Roat left in 2020 to become the federal deputy CIO, SBA is on its third technology leader as Stephen Kucharski assumed the acting title in late June or early July.

Kucharski replaces Luis Campudoni, who had been acting since January when he took over for Keith Bluestein.

Campudoni returns to his former deputy CIO role.

Bluestein took a leave of absence in January and, according to his post on fundraising site GiveSendGo, SBA is now trying to remove him from federal service.

Bluestein said he filed a claim with the Merit Systems Protection Board (MSPB) on July 8.

“Once the administrative law judge (ALJ) reviews the preliminaries, they will establish a calendar or schedule for events to occur such as discovery, motions, hearing, etc. The process is very event driven and the MSPB has a very good record of sticking to their 120-day process timeline. What does that mean? Once the ALJ sets the schedule we will have a very compressed time to interview witnesses and such before our hearing. This is a huge step for us as we were unable to compel anyone from my agency to offer us statements after I was notified of what I was charged with,” Bluestein wrote. “Despite having more than ample people that could offer a counter to the agency narrative, the indications we have were that the agency discouraged any government employees from engaging in any conversations with me or my legal representatives. Therefore, the deciding official (person who made the decision to remove me) only considered one side of the argument as legitimate.”

Bluestein said he believes the appeal to MSPB will expose “this false narrative” about him.

It’s unclear what “false narrative” Bluestein is referring to as the reason for his initial leave of absence and now seeming removal from federal service.

An SBA spokesman said back in January and again on Aug. 4 that the agency doesn’t comment on personnel matters.

As for the new acting CIO, Kucharski has been with SBA for 23 years, including the last 14 as a senior executive. He comes to the acting CIO role after leading the systems delivery of SBA’s Office of Capital Access programs for the Recovery Act, the Jobs Act, the CARES Act, the Economic Aid Act and the American Rescue Plan Act, including the Paycheck Protection Program that processed 14 years’ worth of SBA loans in 14 days.

Multiple sources say while Kucharski is a capable technologist, putting him in charge of the CIO’s shop is another questionable move by SBA leadership.

Current and former government sources familiar with SBA say Kucharski’s move does a few things that are causing concern.

One former federal executive said moving the system lead from the Office of Capital Access to the CIO’s role is a major power shift.

“The new leadership of Capital Access wants to make their mark by making SBA a venture capital company. This would have SBA becoming a direct small business loan maker rather than guarantor for all small business loans. Right now, disaster loans are currently direct loans. The whole operation is built on a 1990s legacy system that was a real problem with PPP, and it is hard to see how it could be modernized for the new role,” said the source, who requested anonymity.

Another source said Kucharski is not a “hands on” technology leader and not as “forward thinking” as he needs to be given SBA’s progress over the last five or six years.

“SBA has been asking around for anyone interested in the [CIO] job. A number of folks have said no, because the mess Maria and Guy [Cavallo, the OPM CIO] cleaned up has now built back up and it’s getting messier and messier,” the second source, who requested anonymity, said. “It’s a shame, too. It goes to show all the good work folks do and put in can get erased really fast due to poor follow on leadership.”

SBA says Kucharski laid out four main objectives as acting CIO:

  • Fully leveraging the technology investments and process improvements that enabled SBA’s successful implementations of the CARES Act, Economic Aid Act and the American Rescue Plan.
  • Embracing SBA’s mission IT successes by harmonizing shared service models for cloud services, performance data reporting and help desks.
  • Continuing the cybersecurity and network modernization across SBA’s nationwide sites, datacenter and colocation facilities, and headquarters.
  • Executing the administrator’s “My SBA Initiative.” This strategic priority will improve the way SBA delivers services to small businesses but also improve how SBA program offices collaborate and work together.

Kucharski is saying all the right things in his goals and plans. But sources say SBA has taken steps backward since Roat and her team in the CIO’s office have moved on to new jobs around government.

SBA was a model of IT modernization for four years but slipped backwards over the last year or so. Let’s hope Kucharski gets the agency back on track since Roat famously said she burned the bridges back to on-premise data centers.

USAID, NARA name new CIOs

Three other changes in the CIO ranks you may have missed too.

My colleague Justin Doubleday broke the news that Jason Gray, the Education Department CIO, was heading to become the CIO at the U.S. Agency for International Development. That opens up a spot at Education.

Gray is taking over for Jay Mahanand, who quietly left that role in January to take over as CIO at the United Nations World Food Program.

That means Education is now looking for a new CIO just as USAID filled their hole.

Now, the transition at the National Archives and Records Administration was a lot more typical.

Sheena Burrell, who has been the deputy NARA CIO since February 2020, assumed the top slot earlier this month, according to her LinkedIn profile.

She takes over for Swarnali Haldar, who retired in July after more than eight years in the role.

Burrell has been with NARA since 2019, coming to the agency as an associate CIO for business and investment management. She has worked in the federal government since 2001 when she started at the Social Security Administration as a policy analyst.

As the CIO, Burrell inherits a $126.8 million IT budget, according to the IT Dashboard. Of that $126.8 million, more than 40% ($41 million) is spent on development, modernization and enhancement efforts. NARA also is managing the cost and schedule of its projects well, according to the dashboard.

Burrell also has been leading an effort to move NARA toward a zero trust architecture, with a big focus on protecting their data.

DoD, ATF lose cyber executives

There were a few other technology executives on the move you may have missed.

Jay Ribeiro, the chief information security officer at the Justice Department’s Bureau of Alcohol, Tobacco, Firearms and Explosives, announced on July 29 he was leaving after four years in the role.

Ribeiro said his last day would be Aug. 26.

“Packing it all up. #bittersweet moment. After 4 great years — time to accept another challenge. Time to get uncomfortable. Thank you #ATF for all the love and support,” he wrote on LinkedIn.

Ribeiro joined ATF in 2019 after serving as the CISO for the Federal Election Commission for almost two years. He also worked at the State Department, the Air Force, the Army and for the Defense Department in various cyber roles.

Ribeiro didn’t say what he would be doing next or who would be acting CISO in the interim.

Over in the DoD CIO’s office, deputy CISO Mark Hakun is retiring after 34 years of federal service. His last day was at the end of July.

DoD CIO John Sherman said on LinkedIn that Hakun was a top cyber professional who impacted the intelligence community and DoD.

“I can’t wait to see what he’s going to accomplish in the next phase of his career. I’ve been lucky to work with Mark since 2018, when he was the deputy NSA CIO,” Sherman wrote. “Fair winds and following seas, Mark, and thanks for all you’ve done here in DoD CIO!”

Hakun served for more than two years as NSA deputy CIO and before that spent more than a year on detail as the director of the National Background Investigation Services where he modernized the IT services to conduct investigations and move them back to DoD from the Office of Personnel Management.

Additionally, Hakun served in executive roles at the Space and Naval Warfare Systems Command and served in the Navy for almost a decade.

Finally, former DoD chief data officer David Spirk landed a new job. He is now a senior counselor for Palantir Technologies.

Spirk left DoD in May after just over two years as its CDO. He also worked at the U.S. Special Operations Command for two years in a similar role.

He wrote on LinkedIn that he will be “focused on the U.S. government and international business. I’ve dedicated my career to ensuring the U.S. government has a data strategy that protects against our adversaries and leverages the best technologies to ensure our competitive edge. Palantir not only provides this technology, but even more important is their mission-focus on ensuring we extend this lead and that data-driven decision making is at the forefront of our national security strategy.”

Dr. Clark Cully is acting CDO for DoD.

 


3 takeaways from FITARA 14

House Oversight and Reform Committee members were more engaged this past Thursday on federal IT management issues than we have seen in some time.

Not only were the questions relevant, but the lawmakers did not stray into the silly, non-sequitur or totally unrelated world that could’ve easily happened during the 14th iteration of the Federal IT Acquisition Reform Act (FITARA) scorecard hearing on July 28.

While agency progress on the scorecard stagnated, mostly due to yet another disagreement between Rep. Gerry Connolly (D-Va.), the chairman of the subcommittee on government operations and the co-author of FITARA, and the Office of Management and Budget, this time over cybersecurity scores, the biannual hearing highlighted continued progress in several categories amid a lot more “Fs” and “Ds” than we’ve seen over the last few years.

Here are three takeaways from the 14th FITARA hearing that you may have missed.

Data centers, still?

All signs pointed to the subcommittee sunsetting the data center category after every agency received an “A” grade on FITARA 13.

But like a Washington Commanders fan, hope is easily crushed in a short amount of time.

Connolly is, indeed, terminating the data center optimization category, but reviving his pet project, data center closures, as a category under FITARA 15 and beyond.

Rep. Gerry Connolly (D-Va.) wrote a letter to agency CIOs seeking more details on planned data center closures.

“It’s time to shift this metric to make it more focused and relevant. As promised, the previous methodology is sunset in this scorecard, scorecard 14,” Connolly said. “It’s our hope that focus on this category will enhance federal government’s movement to the cloud.”

The data that will help determine agency grades in this new category comes from a letter the subcommittee sent to agency CIOs on July 13, asking questions about current and future data center closure plans.

“Notwithstanding many agencies’ progress, several agencies have yet to complete their data center consolidation plans, and future closures and the savings those closures will secure are expected to drop and eventually diminish. Specifically, 17 agencies report no plans for future data center closures, and more than half of the remaining planned data center closures are slated for completion by the end of fiscal year 2022,” Connolly wrote in the letter, which Federal News Network obtained. “Given the subcommittee’s rigorous and successful oversight history of data center consolidation, we intend to continue our work until agencies realize all potential benefits.”

Agencies had until July 27 to answer five questions:

  • How many M-19-19 defined federal data centers does your agency currently operate?
  • If you are unable to answer the previous question based on the M-19-19 definition, how many federal data centers does your agency currently operate following the most up-to-date Integrated Data Collection guidance?
  • Of these operating data centers, how many are key mission facilities?
  • Since the enactment of FITARA, how many data centers have you closed?
  • Has your agency closed the maximum number of federal data centers possible?
    • If no, please explain why and provide the timeline expected to complete data center closures.
    • If yes, please justify the reasons why your remaining federal data centers are vital to your agency’s operations.

“The subcommittee plans to use these answers as part of a new methodology. The goal is to ensure agencies think strategically about their costly data center use, incentivize the closure of underutilized data centers and save taxpayer dollars,” he said at the hearing. “One of the reasons we wrote every agency as we’re re-tooling this category of the scorecard is we didn’t want to lose this metric [of closing data centers]. We’re going to continue to update that database and work with you in making sure as you said they’ve got a good reason to justify what they’ve got and what their plans are.”

Carol Harris, the director of IT and cybersecurity at the Government Accountability Office, said agencies need to have a good reason for still having data centers today versus putting workloads and applications in the cloud.

“We want to see the goal of every agency is to employ a hybrid model, where at least some of their infrastructure is cloud based. And then others are on site,” she said. “But for agencies to have, again, a large amount of their infrastructure being operated in data centers that’s a red flag.”

For the most part, experts have said there shouldn’t be too many red flags out there. Even the data on the Federal IT Dashboard shows the juice in the data center closures orange may not be worth the squeeze any more. Agencies closed 680 data centers out of a planned 734 in fiscal 2022 and still have 1,519 open. But many of those 1,519 are either on the classified side or mission critical.

“All the low hanging fruit has been picked so to get the fruit higher up on [the] tree, agencies need to buy ladders to get to them,” said one federal official familiar with the data center initiative. “Agencies will need data centers to achieve their missions and they wouldn’t consider consolidating them because of the negative impact on their mission. Optimization of those remaining data centers is tricky because getting there can be expensive.”

Since 2017, agencies have closed 4,329 data centers and saved or avoided spending more than $4.7 billion.

The Defense Department is responsible for a high percentage of the open data centers, with 601 as of June 2022.

Lily Zeleke, the DoD deputy CIO for information environment, clarified the current status of DoD’s data center closure effort in an email to Federal News Network.

“In 2016, DoD made a goal to close a total of 281 data centers by fiscal 2022. As of March of this year, DoD has closed 96% of these and is on track to close the remaining 4%, or 12 data centers, by the end of the fiscal year,” she wrote.

John Sherman, the DoD chief information officer, told the subcommittee the Pentagon has closed more than 230 data centers so far this year.

“The holdup has been moving some secret level systems that we needed to get moved over, but all the unclassified [systems], we’re basically done with that,” he said. “This has been one thing that among a number that we’ve been very grateful for FITARA to help drive the way ahead on that to get us to where we need to be as we move to cloud based technology.”

What’s ironic about the subcommittee’s decision to keep data centers as a FITARA category is there is an effort in the Senate to remove the requirement for agencies to track cost savings and do more to cyber secure their current data centers.

The Senate Homeland Security and Governmental Affairs Committee plans to mark up Sen. Jacky Rosen’s (D-Nev.) bill on Aug. 3.

Specifically, it would require OMB to coordinate a governmentwide effort to develop minimum requirements for federal data centers related to cyber intrusions, data center availability, mission-critical uptime, and resilience against physical attacks, wildfires, and other natural disasters. It also strikes language in FITARA referring to data center consolidation to ensure that federal agencies focus on the cost savings and avoidances that can be achieved through optimization, given the success of past data center consolidation efforts.

There is no guarantee Rosen’s bill ever becomes law, but it’s clear that House and Senate lawmakers are not on the same page when it comes to data center closures. And the question remains: Why is Connolly still so focused on data center closures? It’s clear agencies still have work to do and the remaining open ones pose potential cyber risks to agencies, but given the progress over the last decade and the limited oversight resources the subcommittee has, it seems like their time could be used on more pressing IT management issues.

Most agency CIOs and industry would agree too.

FISMA grades — worthless or valuable?

The argument over the value of Federal Information Security Management Act (FISMA) metrics and reports dates back to the pre-historic days of the internet, or as some of us call it, the late 1990s.

Going as far back as the precursor to FISMA, the Government Information Security Management Act (GISRA), the question many asked was whether Congress could legislate better cybersecurity.

The answer is yes and no.

The most recent FITARA hearing demonstrates the conundrum.

While 10 agencies saw their FISMA-specific scores drop due to the lack of publicly available data, the CIOs who testified as well as some members of the committee questioned the validity of the grades.

EPA CIO Vaughn Noga was one of three CIOs expressing concerns to the House on July 27 about the accuracy of the FITARA grades for cybersecurity.

“We’ve talked about cybersecurity, I would say of the areas of the scorecard, certainly, it’s not an accurate reflection. In my view of our posture relative to cybersecurity, we’ve actually spent a lot of time and focused energy on improving cyber across agency and we’ve done so since the start of the pandemic,” said Vaughn Noga, the CIO for the Environmental Protection Agency. “The pandemic really forced us to rethink how we are managing our IT remotely, how we’re protecting them, how we’re securing our patching them. So I don’t necessarily think it’s an accurate reflection, but we talked about that, it’s just one perspective, which is the IG assessment.”

GAO’s Harris added the data is by far not complete, calling the data the subcommittee used only a subset of what’s needed to measure an agency’s true cyber posture.

“There are many other inputs that should be incorporated if you want to have a comprehensive overall grade of what an organization’s cyber posture is,” she said. “I think that the challenge in this particular iteration, cyber because there was only one metric available for us to utilize, I do believe that that is not an accurate reflection of where agencies are at with cyber.”

Rep. Jody Hice (R-Ga.), ranking member of the subcommittee, asked the question that many CIOs and other federal cyber experts believe to be true about the FISMA IG reports: “This current scorecard then as it relates to cyber relatively worthless at this point?”

Hice’s question begs a larger discussion about whether FISMA itself has outlived its usefulness. House and Senate lawmakers are updating the law, which Congress last improved in 2014.

Grant Schneider, the former federal chief information security officer, said there still is real value in having an outside third party evaluate an organization’s systems.

At the same time, FISMA evaluations are a trailing indicator on a subset of systems and that makes them less valuable.

“We would look at the IG reports and the agency self assessments to understand an agency’s cyber posture. I found the self assessments to be fair and candid. I never felt like the agencies were trying to game the system. They were being honest and accurate,” Schneider said about his tenure at OMB in an interview with Federal News Network. “The other things we would look at were the high value assets and other work in the HVA assessments from CISA. We would look at incident data as well. We also looked at goals and metrics we were putting out quarterly in addition to the annual self assessment.”

Basically, Schneider, who is now the senior director of cybersecurity services for Venable, described the potential data GAO and the subcommittee could have looked at to give a more accurate grade on the FITARA scorecard. That is if OMB had been more, let’s say, cooperative and recognized the potential brouhaha the lack of cross-agency goals would cause during the hearing.

Now the back and forth between OMB and Connolly is great for the gossip pages, and there is plenty of juice to squeeze from that orange, such as Connolly’s claim that OMB “freely expressed contrition” about the cybersecurity scores, but let’s save that for another time.

The fact is FISMA never has been an accurate reflection of agency cyber posture. The federal IGs either refuse to, or just plainly can’t, understand that and change their metrics despite years of attempts to do just that. That, and CIOs’ frustration over the lack of holistic metrics, all made this effort more of a checklist than a true analysis.

Schneider said there is always plenty of non-public data that OMB can share with GAO and the subcommittee to help round out an agency’s cyber posture along with the FISMA reports.

“It’s incumbent on cyber professionals to consider the sensitivity of any vulnerability or risk information that they make public, but that said, I don’t think anything we were publicly reporting on gave me any concerns or we wouldn’t have done it,” he said. “In our conversations with the Hill or with GAO, I think they always wanted more data, but they understood the need to protect the systems and some public reporting helps and some goes too far and we need to be concerned about it. There are draft FISMA reports that I took sections out of just because I was uncomfortable with data being disclosed. Some of that data I would’ve felt comfortable not to share publicly, but share with GAO and the Hill. And there was information that I would not want to share even with GAO or the Hill and just keep inside OMB.”

By the way, the IG community is once again updating its approach to cybersecurity oversight. Hopefully some of the message from the FITARA 14 hearing gets back to them so they rethink the entire FISMA oversight process.

One of the last FITARA scorecards?

Several former and current Hill staff members brought up the fact that this may be one of the last FITARA hearings. There is a growing feeling that after 14 scorecards, the value and impact have diminished quite a bit.

Add to that, with Republicans expected to take over the House after November, would the potential leaders spend time on IT management when they have made it clear they plan to go after the Biden administration for what they deem are bigger issues?

Julie Dunne, a former House Oversight and Reform Committee staff member for the Republicans, said she expects more aggressive oversight if Republicans are in the majority.

Julie Dunne is the former commissioner of the Federal Acquisition Service at GSA and a former House staff member.

“I could see more attention focused on the fact that while FITARA helps push agencies in the right direction, federal IT acquisition has remained on GAO’s high risk list since 2015,” said Dunne, who now is principal at Monument Advocacy, in an email to Federal News Network. “I think the FITARA scorecard will stick around, perhaps somewhat minimized because of other investigations. It’s a fun, pre-packaged hearing, and GAO likes doing it. The members also like metrics.”

Ross Nodurft, a former Senate appropriations committee staff member and chief of OMB’s cyber office, said he could see the number of FITARA hearings decrease to one time a year.

“I am confident that, if the Republicans win the majority, there will still be a significant bipartisan focus on the issues of technology modernization and cybersecurity,” said Nodurft, who now is a director of cybersecurity services at Venable. “Rep [James] Comer (R-Ky.), ranking member of the full committee, and his team on the committee understand and appreciate the important role that technology plays in agencies meeting their missions. Whether it’s protecting the homeland or providing critical services to voters, both parties are invested in moving government digital innovation forward.”

Dunne added she actually thinks IT oversight will be tougher, as will the oversight of the Technology Modernization Fund (TMF).

“They’re going to have to increase transparency about the repayment decisions and account for all that funding to the Technology Transformation Service (TTS) at GSA, those are the questions I’d ask,” she said. “The cybersecurity grade will also get lots of continued attention, especially when the next big breach hits.”

The TMF and its payback model came up during the FITARA hearing.

Rep. Jake LaTurner (R-Kan.) questioned GAO’s Harris about whether it was worth attaching more conditions to the TMF funds, which could be tracked under the FITARA scorecard, to ensure agencies are using the money to update legacy systems.

“I think that agencies should be fully carrying out TMF as it was intended in the law, which is to address legacy issues. So I think that’s the criteria that the selection board utilizes that emphasis on legacy, it would be a great thing,” Harris said. “I also think that agencies need to focus on the open recommendations that we have made in TMF, relative to ensuring that they have reliable cost estimates for their projects, as well as reliable savings that they expect to achieve once those projects are fully deployed.”

Hice too expressed frustration over the TMF, saying the Biden administration is using it in a way that “amounts to a slush fund.”

“The idea behind the TMF was that agencies would create savings by retiring old systems. Those savings would then be used to repay the fund and allow for additional modernization projects. It was intended to create an efficient cycle,” he said. “But the executive director of the TMF Board gave us nonsensical answers about how the savings would be realized by the public. They’re not going to make agencies pay back the TMF funds. This is clearly ignoring the intent of the Modernizing Government Technology Act.”

It’s likely OMB, especially with the recent ruling from GAO, would disagree with Hice’s hyperbole about the TMF being a slush fund and the administration ignoring the intent of the MGT Act, but it’s a signal of how the Republicans view the effort so far.

Dunne said as the scorecard continues to evolve, the idea of using the PortfolioStat process to address technical debt and legacy IT is an interesting one that complements the goals of the MGT Act. (By the way, when was the last time OMB even conducted a PortfolioStat review? Maybe five years ago, according to some.)

While few believe FITARA will go away in its entirety, the focus of the scorecard seems destined to change and the frequency of the subcommittee’s public oversight also seems likely to decrease. The question, as always, is how can lawmakers find the right balance between oversight, accountability and value without creating a checkbox exercise for agencies, which seem to quickly understand how to “game” the system to get higher grades?


First Look

Growing frustrations put GSA on hot seat to fix the transition to UEI

The General Services Administration is once again struggling with a major systems modernization project, causing an increasingly high level of frustration among vendors and grantees. Now, a powerful congressman is demanding answers about why, three months into the transition to the new way for vendors to identify themselves for federal contract or grant awards, GSA hasn’t resolved serious issues with the system.

Rep. Gerry Connolly (D-Va.), chairman of the Oversight and Reform Subcommittee on Government Operations, wrote to GSA on July 15 seeking answers to questions about the transition to the Unique Entity Identifier from the DUNS number. The UEI is a 12-character alphanumeric identifier that is owned and managed by the government. It connects agencies and companies throughout the federal award lifecycle whether it’s writing a contract or managing a grant.

“According to many of my constituents, they have encountered significant difficulty in migrating their existing contractor accounts into the new framework, jeopardizing their businesses and their ability to pay their workers. I write to request information on GSA’s transition to a new Unique Entity ID (UEI) and to determine whether GSA is providing all necessary assistance to the federal business partners federal agencies rely on every day,” Connolly wrote in the letter obtained by Federal News Network. “I have heard from constituents who have struggled to transition to the new unique identifier — and in some cases were removed entirely from the GSA online system. Moreover, when seeking help and assistance from GSA, these government partners were often provided links to unhelpful online frequently asked question pages or stuck on telephone calls for hours with customer service representatives who were unable to help troubleshoot the problems.”

GSA kicked off the transition to the UEI on April 4, promising it had learned the hard lessons from previous system modernization efforts like the move to SAM.gov, which initially stumbled.

But the problems with obtaining a UEI number, the lack of a clear and urgent response from GSA and the long wait times at the call center are culminating as agencies enter the fourth quarter buying season.

Stephanie Kostro, the executive vice president for policy for the Professional Services Council, an industry association, said many of the problems fall into two buckets.

“One is a registration issue. If you tried to update your banking information, like you switched banks or are using a new account, you apparently have to deactivate your SAM.gov account and reactivate it. But the way the validation system works is if you have a typo or forget a comma or try to insert a suite or room number but it doesn’t match with state corporation registration, it will get rejected. And once you get rejected, you are no longer in the system and no longer eligible for awards or payments,” she said. “The second category is the trouble ticket submissions. We have heard that there are some tickets that are now 12-plus weeks old without resolution. It doesn’t seem like GSA is identifying the issues and resolving them quickly. When you have something for 12 weeks like a small business not getting paid, this is a huge issue.”

Fumbled the April 4 launch

These issues come after GSA already fumbled the April 4 launch when it overlooked including a rule in its random UEI generator that would have prevented it from producing curse words as part of the identifiers. Federal News Network obtained a list of about 10,000 UEI numbers that had to be changed because they included words like “fart” (14 of them did, by the way) and other “not appropriate for work” words, such as 34 instances of the “F” word.

GSA acknowledged the challenges and is promising to address the UEI transition issues.

Dave Zvenyach, the deputy commissioner of GSA’s Federal Acquisition Service, said in an email to Federal News Network that fixing the UEI transition is a top priority.

“Although we are making progress, we know there are entities who are waiting for their case to be resolved. Resolving their specific, individual cases is paramount for us. And we will not let up until entities can register in SAM in a predictable, timely basis,” he said. “We are working to address each ticket as quickly and efficiently as possible and to improve the new system for both new and renewing entities. We are working with other federal agencies to identify opportunities to reduce the impact on entities affected by this process.”

A GSA official said the UEI transition problem is impacting about 20% of all vendors, who have to go through a manual review of their request. The official said overall about 200,000 companies have made it through the validation process.

The government’s move away from DUNS numbers will end a 40-plus-year relationship with Dun & Bradstreet where the government has spent hundreds of millions of dollars to use the proprietary system to identify companies.

In March 2018, GSA awarded Ernst & Young a five-year, $41.7 million contract to run the UEI initiative. Ernst & Young will provide services to validate the identity of each entity (company, individual, organization, etc.) wanting to do business with or receive assistance from the government, GSA stated in a release. GSA said the contract will reduce unnecessary duplication across the government by ensuring individual agencies do not have to separately contract for these services, but will instead receive the service by way of SAM.gov.

Missed opportunities, delayed invoices

While few may have argued with the move away from DUNS, contractors and grantees are frustrated with how the transition is going and the time GSA is taking to resolve the UEI issues. Experts say the UEI transition problems may be causing great harm to large and small firms alike.

Federal News Network learned from a contracting officer at the Defense Department, who requested anonymity because they didn’t get permission to speak to the press, that they have a small business that is owed $400,000 but can’t get GSA to resolve its UEI issue.

Another small business in the professional services sector is waiting on a payment of more than $200,000 and learned that an agency customer wanted to issue them a task order, but couldn’t because of their UEI situation.

“We thought we did everything we were supposed to do, but when our UEI was assigned to us, it must have been assigned to us using the actual name of company versus the way we had been referred to over the last decade in federal systems,” said one industry executive, who requested anonymity so as not to make GSA mad. “It’s a self-created problem by GSA and we are just in this caught pattern of calling the contact center at GSA and they will send an email, but they will not put you in touch with anyone who can solve the problem. It’s an obtuse process to resolve this current situation and we are flying blind right now.”

And because of the UEI delays, grantees are unable to provide humanitarian and other aid despite the U.S. Agency for International Development or the State Department having awarded the grant.

Cynthia Smith, director of government affairs and advocacy at Humentum, a global nonprofit working with humanitarian and development organizations to improve how they operate and to make the sector more equitable, accountable, and resilient, said she knows of projects in Turkey and Jordan that are delayed because local subgrantees can’t get UEI numbers.

“We also know of cases where local partners have prepared for and worked with a large international non-government organization to prepare a bid and were barred at the last minute because they couldn’t get the UEI number resolved,” Smith said in an interview with Federal News Network. “We are shutting out those who we say are important to advance the local agenda of this administration.”

Robert Shea, the national managing principal for public policy at Grant Thornton, said his company was able to resolve its UEI issues in a matter of weeks, but the impact on companies is real.

“During the time you are figuring this out, you can’t get paid, you can’t access your Contractor Performance Assessment Reporting System (CPARS) ratings and that could significantly damage ongoing procurements because you can’t access, review or appeal CPARS ratings,” he said. “It seems intuitive that you would test a bunch of different scenarios before going live with a system that impacts every vendor of the largest buyer in the world.”

Call center, response backlog

The biggest complaint is GSA’s lack of response to the entire situation.

PSC’s Kostro said GSA suggested its members contact the ombudsman with urgent requests.

An email from PSC to its members, which Federal News Network obtained, recommended that when companies reach out to the ombudsman they should “Please include: (1) the legal name of the entity; (2) the UEI number; (3) the FSD ticket #(s); and (4) a summary of the issue(s), which may include any urgencies (e.g., not getting paid, not being able to bid). Please do not submit documentation with personal identifiable information (PII), financial, or other confidential information to the Ombudsman’s office.”

Humentum’s Smith said her members have been told to work through their customer agencies like USAID and State and ask them to bring urgent problems to GSA, especially those impacting new entrants into the federal market.

“GSA’s response has been highly inefficient and not proving effective. They need more communication and to offer more proactive channels to address the urgency of the situation,” Smith said. “It would be great to see that type of reflection of awareness of this problem. Because these really do have real life and death consequences. We need a greater window into their strategy for clearing the backlog.”

Roger Waldron, the president of the Coalition for Government Procurement, said in an email to Federal News Network that GSA needs to do more to address the UEI transition issues.

“The transition hiccups are real, and the potential impact on contractors can be catastrophic, as it can prevent them from competing for new requirements or even getting paid for work they have performed. Regardless of whether it involves a relatively small percentage of contractors, the fact that the impact can be so severe should prompt an all-hands-on-deck response from GSA,” he said. “In response to UEI challenges, effective communication from GSA is vital. The agency needs to increase the pace and tempo of messaging to the procurement community on the steps being taken to address the current situation.”

Zvenyach said as GSA continues to make progress in fixing the UEI transition, it will make sure the time frame is more transparent and visible to everyone.

“Our goal as an agency is to make it easy for businesses, nonprofits, other governmental agencies and partners to do the critical work of government – and these validation issues have made it harder for too many organizations. We are doing all that we can to resolve these issues as quickly as possible and will continue to push for better outcomes for our partners both inside and outside the government,” he said.

GSA says as of early July it has resolved 81% of the trouble tickets and continues to reduce the backlog and shorten the time it takes to register in SAM.gov.

