Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The number of contractors suspended and debarred hit a 12-year high in 2014 with 1,929 vendors or executives debarred and another 1,009 suspended from federal acquisition.

Compare those numbers to what the Interagency Suspension and Debarment Committee reported in its fiscal 2020 report released earlier this year: 1,256 companies or executives debarred and 415 suspended.

That’s a 34% drop in the number of debarments and a 59% reduction in the number of suspensions.

Now take into account the amount of money spent on federal procurement has increased to $665 billion in 2020 from $448 billion in 2014 — a $217 billion or 32% increase.

By raw numbers alone, more money going out the door and fewer contractors doing bad things that would require agencies to take these extraordinary actions may not compute.

This is some of the logic probably used by Sens. Elizabeth Warren (D-Mass.) and Ben Ray Luján (D-N.M.) in a recent letter to the Justice Department seeking it take a more aggressive suspension and debarment position.

“The department has broad authority to debar any government contractor that has committed a covered violation as long as the department follows proper referral and debarment procedures. Notably, the department can debar even companies that it does not directly do business with, and a contractor can be debarred even for conduct that does not relate to any of its government contracts,” the senators wrote in their Aug. 11 letter to Attorney General Merrick Garland and Deputy Attorney General Lisa Monaco. “The department’s historically lethargic use of its debarment authority sends a clear message: Corporate criminals can engage in any kind of wrongdoing, and — after receiving an occasional fine or slap on the wrist — can return to business as usual, receiving millions (and in some cases, billions) in taxpayer-funded government contracts. Corporate criminals and their top executives can rest easy knowing that no matter how egregious, how extensive, or how long-lasting their misconduct, the government will welcome them back to the contracting table with open arms. It is time for this lax approach to change. The department’s prosecutors and procurement staff should use all the tools at their disposal, including suspension and debarment, to deter corporate criminals.”

Warren and Luján offered four ways DoJ could be more aggressive, including taking on a governmentwide role for debarring contractors.

Letter is missing broader issues

The letter received a lot of attention in the contracting community. Some of it in mocking praise, where experts offered comments like “it’s great the senators are paying attention to federal contracting, but maybe they should read the suspension and debarment regulations first.”

Some of it in bewilderment about what suspension and debarment is and why agencies tend to use it.

“They are asking that Justice adopt a role that it hasn’t historically done. DoJ has suspended and debarred contractors who deal with DoJ, but what this letter is asking them to do is adopt role of super all-encompassing S&D authority for the government,” said John Chierichella, the CEO of Chierichella Procurement Strategies and a long-time federal procurement lawyer. “What that would do is put the authority into the hands of agency that may not be, and probably will not be, the agency that was the ‘victim’ of the underlying wrongdoing. DoJ is not the agency that will suffer the consequences of having a contractor excluded of providing goods and services to that agency.”

He said politicians who make these types of proposals should pay attention to the standards for suspension and debarment in the regulations.

“That is what is missing from this letter,” he added. “What I believe is that if we would follow this new policy that the senators want to impose, you would see an agency whose role is what? Prosecution. They look to punish people. That’s their role in life. They will go out and apply this broadly and they will look to punish contractors and they will not understand the people who need these companies to perform this mission.”

Other federal contracting experts echoed Chierichella’s comments, saying Warren and Luján are missing the broader rationale for suspension and debarment.

Not a punishment, but a protection

Time and again lawyers say suspension and debarment is not a punishment, but a way for agencies to protect themselves. Even the interagency S&D committee makes that point in a recent document dispelling misconceptions about suspension and debarment.

Question: Can the suspension and debarment remedy be used for punishment or penalties, or as an enforcement tool?

Answer: No. The suspension and debarment remedies are used prospectively to protect the government’s interests and assess business risk.

Robert Burton, a partner with Crowell & Moring and a former deputy administrator in the Office of Federal Procurement Policy, said generally speaking, the suspension and debarment process works well. Both as a deterrent and as a way to protect agencies.

“If a company has taken corrective action and maybe entering into a civil settlement, most agencies find it hard to punish them further because that has been done by criminal or civil authorities,” Burton said. “Since it’s not a punishment tool, does the government need to be protected from an entity after the company took corrective action and put in internal controls to prevent issues in the future?”

Chierichella added when agencies put the suspension and debarment standards in contracts, vendors took note. He said companies tend to rectify any potential or real problems to prevent themselves from receiving what many refer to as the “death penalty.”

“These regulations have been effective and companies pay a lot of attention to this list of factors that determine whether they may violate rules that could get them suspended or debarred,” he said.

Burton and others say the government has a lot of tools at their disposal to punish contractors for poor performance on a contract or for other issues.

Eric Crusius, a procurement attorney with Holland & Knight, said agencies can terminate a contract, write a negative past performance review, both of which should have a desired effect that doesn’t potentially harm the future of a company and their employees.

“The agency that contracts with the contractor often has the best insight of the contractor’s conduct and present responsibility,” he said. “Further, the contracting agency best understands the practical implications of a debarment, like is the company vital to their supply chain?”

Crusius said Justice would have no insight into those details, which could cause bigger problems for agencies.

Ways to improve S&D

The suspension and debarment process is far from perfect, experts say.

Barbara Kinosky, the managing partner of Centre Law and Consulting, said agencies too often go after small businesses because they have fewer resources to fight back.

She said the senators correctly pointed out that cases against companies like Balfour Beatty or Schneider Electric are much more difficult to win than those against small businesses.

“I have been retained, as an expert witness, in several matters that involve False Claims Act issues and suspension or debarment. I have noticed from my experience that DOJ appears to prefer proceedings against small businesses who do not have the legal budget to hire platoons of attorneys,” she said. “I suspect that Balfour Beatty has the luxury of having lobbyists on Capitol Hill, something most small businesses do not have. And let’s add to the mix, how difficult it would be for the military to find another contractor for badly needed housing. On the record it appears that Balfour, a repeat offender, should be debarred. And so should Avanos Medical who put medical lives at risk. But Avanos just reported operating profit of $46 million. So I ask the question, who is the easier target?”

Burton said if there was one area where DoJ could be more helpful around suspension and debarment, it would be how they share information with agencies.

He said there are cases where agencies need to take protective action and issue a suspension but can’t because DoJ prosecutors will not share information during an investigation.

“It’s important to understand that the idea of ‘adequate evidence’ is a low bar. DoJ doesn’t have to show everything, but some things would be incredibly helpful while not compromising an investigation,” Burton said. “The senators make a good point that there could be more activity in this whole area in respect to protecting the government. The numbers are rather surprisingly low, especially in view of problems we’ve seen with fraud regarding grant money through the American Rescue Plan Act. Agencies have been overly cautious and maybe in some instances S&D could be used more widely to protect government.”

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Concerns about organizational conflicts of interest among vendors providing, for instance, technology planning services and technology implementation services, is as old as federal acquisition itself.

But over the last few weeks, OCI has received more attention and consideration among agencies, and it should be seen as a warning sign to batten down those OCI hatches.

First, Senate Homeland Security and Governmental Affairs Committee members introduced the Preventing Organizational Conflicts of Interest in Federal Acquisition Act and it passed out of the full Senate on Aug. 2. The bill is a direct response about a potential OCI between McKinsey and Associates, drug development companies and the Food and Drug Administration — more on that later.

A day later, the Defense Health Agency issued a notice under its Military Health System Enterprise Information Technology Geographic Service Provider (GSP) requirement that calls out seven companies who are conflicted out of bidding on the potential $1.5 billion contract.

Federal procurement experts and lawyers say a notice like this has rarely been seen publicly and gave DHA a lot of credit for taking these public steps.

The third example of an OCI issue impacting the federal acquisition community came Aug. 12 when the Government Accountability Office sustained a protest by Guidehouse over an award by the Secret Service and the Department of Homeland Security to Deloitte.

The $20 million task order through the OASIS vehicle run by the General Services Administration focused on CFO support services, including conducting budget and financial management operations.

Guidehouse alleged the Secret Service made several mistakes, but GAO upheld two of the complaints with the biggest one focused on OCI.

Requirement to disclose potential conflicts

The three of these taken separately don’t really amount to much — a single piece of legislation that may not make it into law; a specific instance of a contract notice; and a random GAO decision.

But when you bring the different pieces together, it starts to create a picture of OCI issues gaining more attention across the federal sector.

“Companies that receive taxpayer dollars from federal contracts should not turn around and advise clients to take actions that are against the interests of the American people,” said Sen. Gary Peters (D-Minn.), chairman of the committee and one of the lead sponsors of the bill, in a statement. “This bipartisan, commonsense legislation will require federal contractors to disclose any potential conflicts of interest before they are awarded a federal contract to ensure they are effectively serving taxpayers.”

Rep. Carolyn Maloney (D-N.Y.), chairwoman of the Oversight and Reform Committee, introduced a companion bill in April. The committee approved a substitute amendment in July that matches the Senate’s version of the bill, clearing the way for a full vote by the House.

“Avoiding OCIs is particularly important for consulting contracts where government is paying for expert advice for sensitive matters,” Malone said during the July 14 markup. “This bill would make long overdue revisions to strengthen rules on OCIs. The rules on OCIs have not changed significantly since they were issued in the early 1990s despite many major changes in the government contracting landscape.”

Maloney added that the regulations across government vary and the bill would help bring some standardization to how agencies apply the tenets of OCI.

More specifically, the Preventing Organizational Conflicts of Interest in Federal Acquisition Act would require agencies to identify potential conflicts for specific contracts early in the process.

Federal contractors would have to disclose other business relationships with entities that conflict with the specific work that an agency has hired them to do and would also have to disclose new potential business that opposes ongoing services they are providing to agencies.

The legislation also would require federal agencies to assess and update their procedures for determining whether contractors could have a conflict of interest.

DHA notice on seven vendors

This just the latest attempt by Congress to address OCI challenges.

The law firm Miller & Chevalier wrote in April about bids to improve how agencies deal with conflicts. The firm wrote that in 2007, the Advisory Acquisition Panel released a report that indicated that “the potential for OCIs has increased significantly in recent years” and “[t]he contracting community needs more expansive and detailed guidance for identifying, evaluating, and mitigating OCIs.”

Then in the 2009 Defense authorization bill, lawmakers called for the Federal Acquisition Regulations Council to review conflicts of interest rules and contract clauses. This led to a proposed rule to address OCI issues in 2011.

Miller & Chevalier said that proposed rule, was withdrawn in March 2021 based on the “amount of time that has passed since publication of the proposed rule and potential changed circumstances.”

Now despite this rule never coming to fruition, DHA took steps to get in front of any potential conflicts with his mega IT services contract.

The reason why DHA called out companies including Perspecta Enterprise Solutions, Capgemini Government Solutions, Guidehouse and Tenacity Solutions was the team won the $2 billion MHS Enterprise IT Services Integrator (EITSI) blanket purchase agreement (BPA), where they are providing program manager support services and working on the government side to help DHA manage the follow-on contracts for geographic service providers.

DHA says these companies would be conflicted out of bidding on any “work for the duration of the BPA and for 18 months after the final day of performance under the BPA or any call orders thereunder.”

For these companies, the OCI notice likely wasn’t surprising, but the fact DHA issued it publicly definitely raised some eyebrows in a good way.

Protest of Secret Service award upheld

The third piece to this puzzle came on Aug. 12 when GAO sustained Guidehouse’s protest.

The GAO lawyers didn’t hold back on just how poorly the Secret Service did in addressing potential OCI issues.

“First, the record reflects a fundamental misunderstanding on the part of the contracting officer regarding the legal standards related to impaired objectivity OCIs. Further, contrary to the arguments of agency counsel, the record reflects that the contracting officer did not in fact take a ‘close look,’ or carefully consider, whether Deloitte’s ability to render impartial advice to the agency under the CFO support services task order would be undermined by the firm’s competing interests under the TOPS/FRED task order,” GAO wrote. “The analysis demonstrates that the agency failed to give meaningful consideration to whether a significant organizational conflict of interest exists here.”

Deloitte also holds the TOPS/FRED task order, which is for financial data and reports that are utilized for the agency’s budget analysis and management functions and also for services such as program management; operations and production support; software and hardware performance; information system security officer support; system utilization/performance/improvement; software maintenance; training; and enhancements.

GAO found that the contracting officer’s failed to properly consider whether Deloitte could objectively do the work under the CFO Support Services contract given its work on TOPS/FRED.

“For purposes of an impaired objectivity OCI analysis, however, it is wholly irrelevant whether the two efforts are same or similar in scope or size; instead, what is relevant is whether the contractor would be in a position of reviewing its own work or otherwise unable to perform its obligations in an impartial manner. Consequently, we find the contracting officer improperly substituted similarity (or lack thereof) between the two efforts for a reasonable determination of whether Deloitte’s work on the CFO support services task order could be objectively performed in light of its work on the TOPS/FRED task order,” GAO wrote. “Additionally, the record does not support the agency’s assertion that the contracting officer conducted a detailed review of the requirements for the two efforts. To the contrary, the record reflects that the contracting officer’s assessment was limited to reviewing the top-level/overall objectives of the CFO support services without any analysis or consideration of the many hundreds of work activities required for the two efforts. Absent a consideration of these requirements here, the agency’s OCI analysis lacked a reasonable foundation.”

Those were pretty strong words from GAO.

While the bill is far from guaranteed to becoming law, the fact is Congress is paying more attention to OCI and that will have a trickledown effect on agencies and vendors alike. Given DHA’s notice and GAO’s most recent protest decision, it seems logical for agencies to ensure contracting officer under how best to determine OCI and for vendors to do more than say they have put up a “firewall.”

To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

After four years of stability in the chief information officer’s role, the Small Business Administration is back to the CIO shuffle.

Since Maria Roat left in 2020 to become the federal deputy CIO, SBA is on its third technology leader as Stephen Kucharski assumed the acting title in late June or early July.

Kucharski replaces Luis Campudoni, who had been acting since January when he took over for Keith Bluestein.

Campudoni returns to his former deputy CIO role.

Bluestein took a leave of absence in January and now, according to his post on fundraising site GiveSendGo, now SBA is trying to remove him from federal service.

Bluestein said he filed a claim with the Merit Systems Protection Board (MSPB) on July 8.

“Once the administrative law judge (ALJ) reviews the preliminaries, they will establish a calendar or schedule for events to occur such as discovery, motions, hearing, etc. The process is very event driven and the MSPB has a very good record of sticking to their 120-day process timeline. What does that mean? Once the ALJ sets the schedule we will have a very compressed time to interview witnesses and such before our hearing. This is a huge step for us as we were unable to compel anyone from my agency to offer us statements after I was notified of what I was charged with,” Bluestein wrote. “Despite having more than ample people that could offer a counter to the agency narrative, the indications we have were that the agency discouraged any government employees from engaging in any conversations with me or my legal representatives. Therefore, the deciding official (person who made the decision to remove me) only considered one side of the argument as legitimate.”

Bluestein said he believes the appeal to MSPB will expose “this false narrative” about him.

It’s unclear what the “false narrative” Bluestein is referring too as the reason for his initial leave of absence and now seemingly removal from federal service.

An SBA spokesman said back in January and again on Aug. 4 that the agency doesn’t comment on personnel matters.

As for the new acting CIO, Kucharski has been with SBA for 23 years, including the last 14 as a senior executive. He comes to the acting CIO role after leading the systems delivery of SBA’s Office of Capital Access programs for the Recovery Act, the Jobs Act, the CARES Act, the Economic Aid Act and the American Rescue Plan Act, including the Paycheck Protection Program that processed 14 years’ worth of SBA loans in 14 days.

Multiple sources say while Kucharski is a capable technologist, putting him in charge of the CIO’s shop is another questionable move by SBA leadership.

Current and former government sources familiar with SBA say Kucharski’s move does a few things that are causing concern.

One former federal executive said moving the system lead from the Office of Capital Access to the CIO’s role is a major power shift.

“The new leadership of Capital Access wants to make their mark by making SBA a venture capital company. This would have SBA becoming a direct small business loan maker rather than guarantor for all small business loans. Right now, disaster loans are currently direct loans. The whole operation is built on a 1990s legacy system that was a real problem with PPP, and it is hard to see how it could be modernized for the new role,” said the source, who requested anonymity.

Another source said Kucharski is not a “hands on” technology leader and not as “forward thinking” as he needs to be given SBA’s progress over the last five or six years.

“SBA has been asking around for anyone interested in the [CIO] job. A number of folks have said no, because the mess Maria and Guy [Cavallo, the OPM CIO] cleaned up has now built back up and it’s getting messier and messier,” the second source, who requested anonymity, said. “It’s a shame, too. It goes to show all the good work folks do and put in can get erased really fast due to poor follow on leadership.”

SBA says Kucharski laid out four main objectives as acting CIO:

• Fully leveraging the technology investments and process improvements that enabled SBA’s successful implementations of the CARES Act, Economic Aid Act and the American Rescue Plan.
• Embracing SBA’s mission IT successes by harmonizing shared service models for cloud services, performance data reporting and help desks.
• Continue the cybersecurity and network modernization across SBA’s nationwide sites, datacenter and colocation facilities, and headquarters.
• Executing the administrator’s “My SBA Initiative.” This strategic priority will improve the way SBA delivers services to small businesses but also improve how SBA program offices collaborate and work together.

Kucharski is saying all the right things in his goals and plans. But sources say SBA has taken steps backward since Roat and her team in the CIO’s office have moved on to new jobs around government.

SBA was a model of IT modernization for four years but slipped backwards over the last year or so. Let’s hope Kucharski gets the agency back on track since Roat famously said she burned the bridges back to on-premise data centers.

USAID, NARA name new CIOs

Three other changes in the CIO ranks you may have missed too.

My colleague Justin Doubleday broke the news that Jason Gray, the Education Department CIO, was heading to become the CIO at the U.S. Agency for International Development. That opens up a spot at Education.

Gray is taking over for Jay Mahanand, who quietly left that role in January to take over as CIO at the United Nations World Food Program.

That means Education is now looking for a new CIO just as USAID filled their whole.

Now, the transition at the National Archives and Records Administration was a lot more typical.

Sheena Burrell, who has been the deputy NARA CIO for February 2020, assumed the top slot earlier this month, according to her LinkedIn profile.

She takes over for Swarnali Haldar, who retired in July after more than eight years in the role.

Burrell has been with NARA since 2019, coming to the agency as an associate CIO for business and investment management. She has worked in the federal government since 2001 when she started at the Social Security Administration as a policy analyst.

As the CIO, Burrell inherits a $126.8 million IT budget, according to the IT Dashboard. Of that $126.8 million, more than 40% ($41 million) is spent on development, modernization and enhancement efforts. NARA also is managing the cost and schedule of its projects well, according to the dashboard.

Burrell also has been leading an effort to move NARA toward a zero trust architecture, with a big focus on protecting their data.

DoD, ATF lose cyber executives

There were a few other technology executives on the move you may have missed.

Jay Ribeiro, the chief information security officer at the Justice Department’s Bureau of Alcohol, Tobacco, Firearms and Explosives, announced on July 29 he was leaving after four years in the role.

Ribeiro said his last day would be Aug. 26.

“Packing it all up. #bittersweet moment. After 4 great years — time to accept another challenge. Time to get uncomfortable. Thank you #ATF for all the love and support,” he wrote on LinkedIn.

Ribeiro joined ATF in 2019 after serving as the CISO for the Federal Election Commission for almost two years. He also worked at the State Department, the Air Force, the Army and for the Defense Department in various cyber roles.

Ribeiro didn’t say what he would be doing next or who would be acting CISO in the interim.

Over in the DoD CIO’s office, deputy CISO Mark Hakun is retiring after 34 years of federal services. His last day was at the end of July.

DoD CIO John Sherman said on LinkedIn that Hakun was a top cyber professional who impacted the intelligence community and DoD.

“I can’t wait to see what he’s going to accomplish in the next phase of his career. I’ve been lucky to work Mark since 2018, when he was the deputy NSA CIO, Sherman wrote. “Fair winds and following seas, Mark, and thanks for all you’ve done here in DoD CIO!”

Hakun served for more than two years as NSA deputy CIO and before that spent more than a year on detail as the director of the National Background Investigation Services where he modernized the IT services to conduct investigations and move them back to DoD from the Office of Personnel Management.

Additionally, Hakun served in executive roles at the Space and Naval Warfare Systems Command and served in the Navy for almost a decade.

Finally, former DoD chief data officer David Spirk landed a new job. He is now a senior counselor for Palantir Technologies.

Spirk left DoD in May after just over two years as its CDO. He also worked at the U.S. Special Operations Command for two years in a similar role.

He wrote on LinkedIn that he will be “focused on the U.S. government and international business. I’ve dedicated my career to ensuring the U.S. government has a data strategy that protects against our adversaries and leverages the best technologies to ensure our competitive edge. Palantir not only provides this technology, but even more important is their mission-focus on ensuring we extend this lead and that data-driven decision making is at the forefront of our national security strategy.”

Dr. Clark Cully is acting CDO for DoD.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

House Oversight and Reform Committee members were more engaged this past Thursday on federal IT management issues than we have seen in some time.

Not only were the questions relevant, but the lawmakers did not stray into the silly, non-sequitur or totally unrelated world that could’ve easily happened during the 14^th iteration of the Federal IT Acquisition Reform Act (FITARA) scorecard hearing on July 28.

While agency progress on the scorecard stagnated, mostly due to yet another disagreement between Rep. Gerry Connolly (D-Va.), the chairman of the subcommittee on government operations and the co-author of FITARA, and the Office of Management Budget. This time it’s over cybersecurity scores. The biannual hearing highlighted continued progress in several categories amid a lot more “Fs” and “Ds” than we’ve seen over the last few years.

Here are three takeaways from the 14^th FITARA hearing that you may have missed.

Data centers, still?

All signs pointed to the subcommittee sunsetting the data center category after every agency received an “A” grade on FITARA 13.

But like a Washington Commanders fan, hope is easily crushed in a short amount of time.

Connolly is, indeed, terminating the data center optimization category, but reviving his pet project, data center closures as a category under FITARA 15 and beyond.

“It’s time to shift this metric to make it more focused and relevant. As promised, the previous methodology is sunset in this scorecard, scorecard 14,” Connolly said. “It’s our hope that focus on this category will enhance federal government’s movement to the cloud.”

The data that will help determine agency grades in this new category comes from a letter the subcommittee sent to agency CIOs on July 13, asking questions about current and future data center closure plans.

“Notwithstanding many agencies’ progress, several agencies have yet to complete their data center consolidation plans, and future closures and the savings those closures will secure are expected to drop and eventually diminish. Specifically, 17 agencies report no plans for future data center closures, and more than half of the remaining planned data center closures are slated for completion by the end of fiscal year 2022,” Connolly wrote in the letter, which Federal News Network obtained. “Given the subcommittee’s rigorous and successful oversight history of data center consolidation, we intend to continue our work until agencies realize all potential benefits.”

Agencies had until July 27 to answer five questions:

• How many M-19-19 defined federal data centers does your agency currently operate?
• If you are unable to answer the previous question based on the M-19-19 definition, how many federal data centers does your agency currently operate following the most up-to-date Integrated Data Collection guidance?
• Of these operating data centers, how many are key mission facilities?
• Since the enactment of FITARA, how many data centers have you closed?
• Has your agency closed the maximum number of federal data centers possible?
  • If no, please explain why and provide the timeline expected to complete data center closures.
  • If yes, please justify the reasons why your remaining federal data centers are vital to your agency’s operations.

“The subcommittee plans to use these answers as part of a new methodology. The goal is to ensure agencies think strategically about their costly data center use, incentivize the closure of underutilized data centers and save taxpayer dollars,” he said at the hearing. “One of the reasons we wrote every agency as we’re re-tooling this category of the scorecard is we didn’t want to lose this metric [of closing data centers]. We’re going to continue to update that database and work with you in making sure as you said they’ve got a good reason to justify what they’ve got and what their plans are.”

Carol Harris, the director of IT and cybersecurity at the Government Accountability Office, said agencies need to have a good reason for still having data centers today versus putting workloads and applications in the cloud.

“We want to see the goal of every agency is to employ a hybrid model, where at least some of their infrastructure is cloud based. And then others are on site,” she said. “But for agencies to have, again, a large amount of their infrastructure being operated in data centers that’s a red flag.”

For the most part, experts have said there shouldn’t be too many red flags out there. Even the data on the Federal IT Dashboard shows the juice in the data center closures orange may not be worth the squeeze any more. Agencies closed 680 data centers out of a planned 734 in fiscal 2022 and still have 1,519 open. But many of those 1,519 are either on the classified side or mission critical.

“All the low hanging fruit has been picked so to get the fruit higher up on [the] tree, agencies need to buy ladders to get to them,” said one federal official familiar with the data center initiative. “Agencies will need data centers to achieve their missions and they wouldn’t consider consolidating them because of the negative impact on their mission. Optimization of those remaining data centers is tricky because getting there can be expensive.”

Since 2017, agencies have closed 4,329 data centers and saved or avoided spending more than $4.7 billion.

The Defense Department is responsible for a high percentage of the open data centers, with 601 as of June 2022.

Lily Zeleke, the DoD deputy CIO for information environment, clarified the current status of DoD’s data center closure effort in an email to Federal News Network.

“In 2016, DoD made a goal to close a total of 281 data centers by fiscal 2022. As of March of this year, DoD has closed 96% of these and is on track to close the remaining 4%, or 12 data centers, by the end of the fiscal year,” she wrote.

John Sherman, the DoD chief information officer, told the subcommittee the Pentagon has closed more than 230 data centers so far this year.

“The holdup has been moving some secret level systems that we needed to get moved over, but all the unclassified [systems], we’re basically done with that,” he said. “This has been one thing that among a number that we’ve been very grateful for FITARA to help drive the way ahead on that to get us to where we need to be as we move to cloud based technology.”

What’s ironic about the subcommittee’s decision to keep data centers as a FITARA category is there is an effort in the Senate to remove the requirement for agencies to track cost savings and do more to cyber secure their current data centers.

The Senate Homeland Security and Governmental Affairs Committee plans to markup Sen. Jacky Rosen’s (D-N.V.) bill on Aug. 3.

Specifically, it would require OMB to coordinate a governmentwide effort to develop minimum requirements for federal data centers related to cyber intrusions, data center availability, mission-critical uptime, and resilience against physical attacks, wildfires, and other natural disasters. It also strikes language in FITARA referring to data center consolidation to ensure that federal agencies focus on the cost savings and avoidances that can be achieved through optimization, given the success of past data center consolidation efforts.

There is no guarantee Rosen’s bill ever becomes law, but it’s clear that House and Senate lawmakers are not on the same page when it comes to data center closures. And the question remains why Connolly is so focused on data center closures still? It’s clear agencies still have work to do and there are remaining open ones post potential cyber risks to agencies, but given the progress over the last decade and limited oversight resources the subcommittee has, it seems like their time could be used on more pressing IT management issues.

Most agency CIOs and industry would agree too.

FISMA grades — worthless or valuable?

The argument over the value of Federal Information Security Management Act (FISMA) metrics and reports date back to the pre-historic days of the internet, or as some of us call it the late 1990s.

Going as far back to the pre-cursor to FISMA, the Government Information Security Management Act (GISRA), the question many asked was whether Congress could legislative better cybersecurity.

The answer is yes and no.

The most recent FITARA hearing demonstrates the conundrum.

While 10 agencies saw their FISMA-specific scores drop due to the lack of publicly available data, the CIOs who testified as well as some members of the committee questioned the validity of the grades.

“We’ve talked about cybersecurity, I would say of the areas of the scorecard, certainly, it’s not an accurate reflection. In my view of our posture relative to cybersecurity, we’ve actually spent a lot of time and focused energy on improving cyber across agency and we’ve done so since the start of the pandemic,” said Vaughn Noga, the CIO for the Environmental Protection Agency. “The pandemic really forced us to rethink how we are managing our IT remotely, how we’re protecting them, how we’re securing our patching them. So I don’t necessarily think it’s an accurate reflection, but we talked about that, it’s just one perspective, which is the IG assessment.”

GAO’s Harris added the data is by far not complete, calling the data the subcommittee used only a subset of what’s needed to measure an agency’s true cyber posture.

“There are many other inputs that should be incorporated if you want to have a comprehensive overall grade of what an organization’s cyber posture is,” she said. “I think that the challenge in this particular iteration, cyber because there was only one metric available for us to utilize, I do believe that that is not an accurate reflection of where agencies are at with cyber.”

Rep. Jody Hice (R-Ga.), ranking member of the subcommittee, asked the questions that many CIOs and other federal cyber experts believe to be true about the FISMA IG reports, “This current scorecard then as it relates to cyber relatively worthless at this point?”

Hice’s question begs a larger discussion about whether FISMA itself has outlived its usefulness. House and Senate lawmakers are updating the law, which Congress last improved in 2014.

Grant Schneider, the former federal chief information security officer, said there still is real value in having an outside third party evaluate an organization’s systems.

At the same time, FISMA evaluations are a trailing indicator on a subset of systems and that makes them less valuable.

“We would look at the IG reports and the agency self assessments to understand an agency’s cyber posture. I found the self assessments to be fair and candid. I never felt like the agencies were trying to game the system. They were being honest and accurate,” Schneider said about his tenure at OMB in an interview with Federal News Network. “The other things we would look at were the high value assets and other work in the HVA assessments from CISA. We would look at incident data as well. We also looked at goals and metrics we were putting out quarterly in addition to the annual self assessment.”

Basically, Schneider, who is now the senior director of cybersecurity services for Venable, described the potential data GAO and the subcommittee could have looked at to give a more accurate grade on the FITARA scorecard. That is if OMB had been more, let’s say, cooperative and recognized the potential brouhaha the lack of cross-agency goals would cause during the hearing.

Now the back and forth between OMB and Connolly is great for the gossip pages, and there is plenty of juice to squeeze from that orange, such as Connolly’s claim that OMB “freely expressed contrition” about the cybersecurity scores, but let’s save that for another time.

The fact is FISMA never has been an accurate reflection agency cyber posture, the federal IGs either refuse to, or just plainly can’t, understand that and change their metrics despite years of attempts to do just that, and CIOs frustration over the lack of holistic metrics all made this effort more of a checklist than a true analysis.

Schneider said there is always plenty of non-public data that OMB can share with GAO and the subcommittee to help round out an agency’s cyber posture along with the FISMA reports.

“It’s incumbent on cyber professionals to consider the sensitivity of any vulnerability or risk information that they make public, but that said, I don’t think anything we were publicly reporting on gave me any concerns or we wouldn’t have done it,” he said. “In our conversations with the Hill or with GAO, I think they always wanted more data, but they understood the need to protect the systems and some public reporting helps and some goes too far and we need to be concerned about it. There are draft FISMA reports that I took sections out of just because I was uncomfortable with data being disclosed. Some of that data I would’ve felt comfortable not to share publicly, but share with GAO and the Hill. And there was information that I would not want to share even with GAO or the Hill and just keep inside OMB.”

By the way, the IG community is once again is updating its approach to cybersecurity oversight. Hopefully some of the message from the FITARA 14 hearing gets back to them so they rethink the entire FISMA oversight process.

One of the last FITARA scorecards?

Several former and current Hill staff members brought up the fact that this may be one of the last FITARA hearings. There is both a growing feeling that after 14 scorecards, the value and impact have diminished quite a bit.

Add to that with Republicans expected to take over the House after November, would the potential leaders spend time on IT management when they have made it clear they plan to go after the Biden administration for what they deem are bigger issues?

Julie Dunne, a former House Oversight and Reform Committee staff member for the Republicans, said she expects more aggressive oversight if Republicans are in the majority.

“I could see more attention focused on the fact that while FITARA helps push agencies in the right direction, federal IT acquisition has remained on GAO’s high risk list since 2015,” said Dunne, who now is principal at Monument Advocacy, in an email to Federal News Network. “I think the FITARA scorecard will stick around, perhaps somewhat minimized because of other investigations. It’s a fun, pre-packaged hearing, and GAO likes doing it. The members also like metrics.”

Ross Nodurft, a former Senate appropriations committee staff member and chief of OMB’s cyber office, said he could see the number of FITARA hearings decrease to one time a year.

“I am confident that, if the Republicans win the majority, there will still be a significant bipartisan focus on the issues of technology modernization and cybersecurity,” said Nodurft, who now is a director of cybersecurity services at Venable. “Rep [James] Comer (R-Ky.), ranking member of the full committee, and his team on the committee understand and appreciate the important role that technology plays in agencies meeting their missions. Whether it’s protecting the homeland or providing critical services to voters, both parties are invested in moving government digital innovation forward.”

Dunne added she actually thinks IT oversight will be tougher, as will the oversight of the Technology Modernization Fund (TMF).

“They’re going to have to increase transparency about the repayment decisions and account for all that funding to the Technology Transformation Service (TTS) at GSA, those are the questions I’d ask,” she said. “The cybersecurity grade will also get lots of continued attention, especially when the next big breach hits.”

The TMF and its payback model came up during the FITARA hearing

Rep. Jake LaTurner (R-Kan.) questioned GAO’s Harris about whether it was worth attaching more conditions to the TMF funds, which could be tracked under the FITARA scorecard, to ensure agencies are using the money to update legacy systems.

“I think that agencies should be fully carrying out TMF as it was intended in the law, which is to address legacy issues. So I think that’s the criteria that the selection board utilizes that emphasis on legacy, it would be a great thing,” Harris said. “I also think that agencies need to focus on the open recommendations that we have made in TMF, relative to ensuring that they have reliable cost estimates for their projects, as well as reliable savings that they expect to achieve once those projects are fully deployed.”

Hice too expressed frustration over the TMF, saying the Biden administration is using it in a way that “amounts to a slush fund.”

“The idea behind the TMF was that agencies would create savings by retiring old systems. Those savings would then be used to repay the fund and allow for additional modernization projects. It was intended to create an efficient cycle,” he said. “But the executive director of the TMF Board gave us nonsensical answers about how the savings would be realized by the public. They’re not going to make agencies pay back the TMF funds. This is clearly ignoring the intent of the Modernizing Government Technology Act.”

It’s likely OMB, especially with the recent ruling from GAO, would disagree with Hice’s hyperbole about the TMF being a slush fund and the administration ignoring the intent of the MGT Act, but it’s a signal of how the Republicans view the effort so far.

Dunne said as the scorecard continues to evolve, the idea of using the PortfolioStat process – which, by the way, when was the last time OMB even conducted a PortfolioStat review, maybe five years, according to some – to address technical debt and legacy IT is an interesting idea that complements the goals of the MGT Act.

While few believe FITARA will go away in its entirety, the focus of the scorecard seems destined to change and the frequency of the subcommittee’s public oversight also seems likely to decrease. The question, as always, is how can lawmakers find the right balance between oversight, accountability and value without creating a checkbox exercise for agencies, which seem to quickly understand how to “game” the system to get higher grades?

To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

The General Services Administration is once again struggling with a major systems modernization project, causing an increasingly high level of frustration among vendors and grantees. Now, a powerful congressman is demanding answers about why three months into the transition to the new way for vendors to identify themselves for federal contract or grant awards, GSA hasn’t resolved serious issues with the system.

Rep. Gerry Connolly (D-Va.), chairman of the Oversight and Reform Subcommittee on Government Operations, wrote to GSA on July 15 seeking answers to questions about the transition to the Unique Entity Identifier from the DUNS number. The UEI is a 12-character alphanumeric identifier that is owned and managed by the government. It connects agencies and companies throughout the federal award lifecycle whether it’s writing a contract or managing a grant.

“According to many of my constituents, they have encountered significant difficulty in migrating their existing contractor accounts into the new framework, jeopardizing their businesses and their ability to pay their workers. I write to request information on GSA’s transition to a new Unique Entity ID (UEI) and to determine whether GSA is providing all necessary assistance to the federal business partners federal agencies rely on every day,” Connolly wrote in the letter obtained by Federal News Network. “I have heard from constituents who have struggled to transition to the new unique identifier — and in some cases were removed entirely from the GSA online system. Moreover, when seeking help and assistance from GSA, these government partners were often provided links to unhelpful online frequently asked question pages or stuck on telephone calls for hours with customer service representatives who were unable to help troubleshoot the problems.”

GSA kicked off the transition to the UEI on April 4, promising it had learned the hard lessons from previous system modernization efforts like move to SAM.Gov that initially stumbled.

But the problems with obtaining a UEI number, the lack of clear and urgency response from GSA and the long wait times at the call center are culminating as agencies enter the fourth quarter buying season.

Stephanie Kostro, the executive vice president for policy for the Professional Services Council, an industry association, said many of the problems fall into two buckets.

“One is a registration issue. If you tried to update your banking information, like you switched banks or are using a new account, you apparently have to deactivate your SAM.gov account and reactivate it. But the way the validation system works is if you have a typo or forget a comma or try to insert a suite or room number but it doesn’t match with state corporation registration, it will get rejected. And once you get rejected, you are no longer in the system and no longer eligible for awards or payments,” she said. “The second category are the trouble ticket submissions. We have heard that there are some tickets are now 12 plus weeks old without resolution. It doesn’t seem like GSA is identifying the issues and resolving them quickly. When you have something for 12 weeks like a small business not getting paid, this is a huge issue.”

Fumbled the April 4 launch

These issues come after GSA already fumbled the April 4 launch when it overlooked a rule in its random number generator for UEI that prevented it from compiling curse words as part of the generator. Federal News Network obtained a list of about 10,000 UEI numbers that had to be changed because they included words like “fart” — 14 of them did, by the way — and other “not appropriate for work” words, such as 34 instances of the “F” word.

GSA acknowledged the challenges and is promising to address the UEI transition issues.

Dave Zvenyach, the deputy commissioner of GSA’s Federal Acquisition Service, said in an email to Federal News Network that fixing the UEI transition is a top priority.

“Although we are making progress, we know there are entities who are waiting for their case to be resolved. Resolving their specific, individual cases is paramount for us. And we will not let up until entities can register in SAM in a predictable, timely basis,” he said. “We are working to address each ticket as quickly and efficiently as possible and to improve the new system for both new and renewing entities. We are working with other federal agencies to identify opportunities to reduce the impact on entities affected by this process.”

A GSA official said the UEI transition problem is impacting about 20% of all vendors who have to through a manual review of their request. The official said overall about 200,000 companies have made it through the validation process.

The government’s move away from DUNS numbers will end a 40-plus-year relationship with Dun & Bradstreet where the government has spent hundreds of millions of dollars to use the proprietary system to identify companies.

In March 2018, GSA awarded Ernst & Young a five-year, $41.7 million contract to run the UEI initiative. Ernst & Young will provide services to validate the identity of each entity (company, individual, organization, etc.) wanting to do business with or receive assistance from the government, GSA stated in a release. GSA said the contract will reduce unnecessary duplication across the government by ensuring individual agencies do not have to separately contract for these services, but will instead receive the service by way of SAM.gov.

Missed opportunities, delayed invoices

While few may have argued with the move away from DUNS, contractors and grantees are frustrated with how the transition is going and the time GSA is taking to resolve the UEI issues. Experts say the UEI transition problems may be causing great harm to large and small firms alike.

Federal News Network learned from a contracting officer at the Defense Department, who requested anonymity because they didn’t get permission to speak to the press, that they have a small business who is owed $400,000 but can’t get GSA to resolve their UEI issue.

Another small business in the professional services sector is waiting on a payment of more than $200,000 and learned that an agency customer wanted to issue them a task order, but couldn’t because of their UEI situation.

“We thought we did everything we were supposed to do, but when our UEI was assigned to us, it must have been assigned to us using the actual name of company versus the way we had been referred to over the last decade in federal systems,” said one industry executive, who requested anonymity so as not to make GSA mad. “It’s a self-created problem by GSA and we are just in this caught pattern of calling the contact center at GSA and they will send an email, but they will not put you in touch with anyone who can solve the problem. It’s an obtuse process to resolve this current situation and we are flying blind right now.”

And grantees are unable to provide humanitarian and other aid despite the U.S. Agency for International Development or the State Department awarding the grant because of the UEI delays.

Cynthia Smith, director of government affairs and advocacy at Humentum, a global nonprofit working with humanitarian and development organizations to improve how they operate and to make the sector more equitable, accountable, and resilient, said she knows of projects in Turkey and Jordan that are delayed because local sub grantees can’t get UEI numbers.

“We also know of cases where have local partners have prepared for and worked with large international non-government organization to prepare bid and was barred at the last minute because they couldn’t get the UEI number resolved,” Smith said in an interview with Federal News Network. “We are shutting out those who we say are important to advance the local agenda of this administration.”

Robert Shea, the national managing principal for public policy at Grant Thornton, said his company was able to resolve its UEI issues in a matter of weeks, but the impact on companies is real.

“During the time you are figuring this out, you can’t get paid, you can’t access your Contractor Performance Assessment Reporting System (CPARS) ratings and that could significantly damage ongoing procurements because you can’t access, review or appeal CPARS ratings,” he said. “It seems intuitive that you would test bunch of different scenarios before going live with a system that impacts every vendor of the largest buyer in the world.”

Call center, response backlog

The biggest complaints are GSA’s lack of response to the entire situation.

PSC’s Kostro said GSA suggested its members contact the ombudsman with urgent requests.

An email from PSC to its members, which Federal News Network obtained, recommended that when companies reach out to the ombudsman they should “Please include: (1) the legal name of the entity; (2) the UEI number; (3) the FSD ticket #(s); and (4) a summary of the issue(s), which may include any urgencies (e.g., not getting paid, not being able to bid). Please do not submit documentation with personal identifiable information (PII), financial, or other confidential information to the Ombudsman’s office.”

Humentum’s Smith said her members have been told to work through their customer agencies like USAID and State and ask them to bring urgent problems to GSA, especially those impacting new entrants into the federal market.

“GSA’s response been highly inefficient and not proving effective. They need more communication and to offer more proactive channels to address the urgency of the situation,” Smith said. “It would be great to see that type of reflection of awareness of this problem. Because these really do have real life and death consequences. We need a greater window into their strategy for clearing the backlog.”

Roger Waldron, the president of the Coalition for Government Procurement, said in an email to Federal News Network, said GSA needs to do more to address the UEI transition issues.

“The transition hiccups are real, and the potential impact on contractors can be catastrophic, as it can prevent them from competing for new requirements or even getting paid for work they have performed. Regardless of whether it involves a relatively small percentage of contractors, the fact that the impact can be so severe should prompt an all-hands-on deck response from GSA,” he said. “In response to UEI challenges, effective communication from GSA is vital. The agency needs to increase the pace and tempo of messaging to the procurement community on the steps being taken to address the current situation.”

Zvenyach said as GSA continues to make progress in fixing the UEI transition, it will make sure the time frame is more transparent and visible to everyone.

“Our goal as an agency is to make it easy for businesses, nonprofits, other governmental agencies and partners to do the critical work of government – and these validation issues have made it harder for too many organizations. We are doing all that we can to resolve these issues as quickly as possible and will continue to push for better outcomes for our partners both inside and outside the government,” he said.

GSA says as of early July it has resolved 81% of the trouble tickets and continues to reduce the backlog and shorten the time it takes to register in SAM.gov.

July not only marks the half way point of the year, but it also marks the time when a lot of federal executives retire or change jobs internally to get some time in place before the beginning of the next fiscal year.

Over the course of the last few months — since the last time I wrote about people on the move — the federal community has seen State Department and FEMA chief information officers leave for the private sector and deputy federal CIO Maria Roat retire after a successful 41-years career.

You’ve seen new CIOs coming to the FCC and the U.S. Citizenship and Immigration Service (USCIS).

Here are a few changes that may have flown under your radar over the last few months.

Let’s start out with a few changes at the General Services Administration.

Just a few months after Sonny Hashmi, GSA’s commissioner of the Federal Acquisition Service, shuffled the chairs of most of his senior leadership team, another piece to the puzzle falls into place.

Sam Navarro became the director of customer services for the Technology Transformation Service’s Centers of Excellence. He had been the director of the customer strategic solutions division in FAS’s IT Category for two-and-half years and then a strategic advisor for ITC since May.

Among the projects Navarro worked on during his time with ITC was the recent agreement GSA and the Defense Innovation Unit signed to make it easier for non-traditional companies to do business with the government.

“We could Fastlane them [onto the GSA schedule]. They have a sponsor so we could get them on a lot faster. We’re looking at least from 15, anywhere to 30 days getting them on schedule so they’re readily available for government competition,” Navarro said in May.

He joined GSA in 2014 and previously worked as a civilian for the Army in technology support roles.

In GSA’s Office of Governmentwide Policy, Alex Cohen, the director of emerging technology, announced in June he was leaving federal service.

“I will be leaving government service at the end of the week for a new adventure in the private sector. It has been an honor and a privilege to work with so many talented and hardworking people over my 10+ years in the government,” Cohen wrote on LinkedIn. “Government service is not easy. Sometimes the challenges can seem insurmountable. I have been known to describe innovation in government as a willingness to bang your head against a brick wall until the wall goes away. However, the work we do matters. The progress we make matters. The continued success of the government is a testament to all the federal employees and contractors that work tirelessly everyday to make America a better place. To anyone considering federal employment, I urge you to do so. It has been some of the most rewarding work of my life. It may be hard but it is critical!”

During his two-plus years at OGP, Cohen led the policy efforts around everything from credentialing of artificial intelligence (AI) tools on federal networks to cyber insurance to edge computing to agile and dev/ops development.

Cohen hasn’t said where he is heading next in industry. He previously worked at the Census Bureau and the Energy Department as well as in the non-profit and industry sectors.

Former FSS commissioner passes away

And finally some sad news related to GSA. Donna Bennett, the long-time executive in the Federal Supply Schedule, passed away July 2 at the age of 74.

Bennett served as the commissioner of the FSS from 2000 to 2005 when she retired. She worked for GSA for 21 years and in federal service for more than 35 years.

After retiring, Bennett joined the Logistics Management Institute as a senior vice president. She worked there for eight years until fully retiring in 2013.

She is survived by Randy, her husband of 33 years, and their daughter Kathy Fumagalli (Bennett).

Over at the Education Department, Margaret Glick became the CIO for the Office of Federal Student Aid in May. She replaced Mia Jordan, who left in October to join Salesforce.

She has been with FSA since 2016 starting as a program analyst and then rising to be the director of the Next Gen program for the last year.

Before coming to FSA, Glick worked at DePaul University in Chicago and for Sallie Mae.

Cyber QSMO gets reinforcements

Chad Poland moves into a new role for the Quality Service Management Office for cyber as a project lead at the Cybersecurity and Infrastructure Security Agency in DHS,

Poland had been CISA’s associate CIO for IT investment and compliance since 2018.

He also worked at DHS headquarters CIO office for eight years before moving to CISA.

NOAA and the FBI also joined the fad of naming new senior technology leaders.

Tonya Ugoretz, who you may know from her time leading the Cyber Threat Intelligence Integration Center, became the new assistant director of the FBI’s intelligence directorate in May.

She is the first FBI intelligence analyst to lead the directorate.

“As a law enforcement and intelligence agency, the FBI occupies a unique and vital place at the intersection of foreign and domestic threats, criminal and national security authorities, and public and private sector engagement. This is a proud moment for our intelligence workforce, but I stand on the shoulders of thousands of FBI employees in dozens of job roles over the years who have collected, analyzed, and acted on intelligence since decades before the National Security Act of 1947,” Ugoretz wrote on LinkedIn. “I’m excited to lead our talented intelligence workforce into our next chapter, which will be full of challenges, opportunities, and risks that we will weigh according to the FBI’s mission: Protect the American People and Uphold the Constitution.”

She returned to the FBI in 2018 after three years leading CTIIC where she was the deputy assistant director of the intelligence directorate.

NOAA named Frank Indiviglio as its new chief technology officer.

He has worked at NOAA since 2011 and most recently served as the deputy director of the high performance computing center.

“It is an honor to be able to serve in this capacity, and I am looking forward to working with my colleagues and partners to advance NOAA’s scientific mission through the effective adoption of technology,” he wrote on LinkedIn. “I’m also looking forward to continuing to work with all of my colleagues at the Federal CIO Council – Innovation Committee, Future Advanced Computing Ecosystem, and NITRD, which allows me to be part of the larger community that is addressing interagency challenges.”

There is a new unwritten rule at the Department of Homeland Security these days: Don’t use the word pilot or demonstration program in public or in official documents.

Seems a little odd?

Calling something a pilot in government is like shaking someone’s hand when you first meet them. It’s a well-worn and appreciated custom.

But at DHS these days, the words are verboten thanks to a little noticed provision in the Department of Homeland Security’s section of the fiscal 2022 omnibus spending bill.

Yes, Congress included in new language that requires DHS to submit a report on any pilot or demonstration program that “uses more than 5 full-time equivalents or costs in excess of $1 million.”

That requirement has caused a lot of consternation across DHS during fiscal 2022, according to multiple sources.

“This caught a lot of folks by surprise. It wasn’t seen until mostly after the fact that this was going to be problematic for the department after reading it,” said Chris Cummiskey, the former acting undersecretary for management at DHS and currently CEO of Cummiskey Strategic Solutions. “This is going potentially stifle the innovation that you often get with pilots to test out different approaches. It will apply limitations on advancing the pilots without approval from appropriators and that will make it difficult to operate these programs.”

To be clear, lawmakers aren’t forbidding any pilots or demonstration programs, but they do want a lot more data from DHS than they had been getting.

“Congress doesn’t know if there are a lot of programs. It had become apparent to some members of Congress over time DHS was doing things that were pilot in nature and they would ask questions like what are the metrics or goals or time frames, how many personnel are involved and at what point will it go from a pilot to regular operations,” said a source familiar with the provision, who requested anonymity to speak about the House Appropriations Committee’s thinking. “Very consistently, Congress would not get the responses and that there didn’t seem to be a lot of forethought or a lot of documented language about the pilots.”

So House appropriators added a host of new requirements for DHS to address in their reports that are due 30 days before the pilot or demonstration program begins, including:

• Objectives that are well-defined and measurable;
• An assessment methodology that details — the type and source of assessment data; the methods for and frequency of collecting such data; and how such data will be analyzed;
• An implementation plan, including milestones, a cost estimate, and schedule, including an end date; and
• A signed interagency agreement or memorandum of agreement for any pilot or demonstration program involving the participation of more than one Department of Homeland Security component or that of an entity not part of such department.

The source said DHS shouldn’t have been surprised by the provision. Lawmakers included similar language in the 2021 appropriations bill, but it ended up being only in the statement language versus being statutory in 2022.

“The department ignored it in 2021. Now it could’ve been a new administration coming in late and not having access to transition stuff when they should’ve and it stopped them from hitting the ground running. But lawmakers also wanted to make a point that this was something they wanted DHS to do,” the source said. “There were a lot of conversations in 2021 about the statement and lawmakers didn’t get a lot of feedback from DHS about the 2022 language. They seemed to say they could execute on the request.”

Multiple requests to DHS for comments about the provision and its impact were not returned.

Senate Appropriations Committee spokesman said the provision originated in the House.

“Its purpose is to provide oversight of ‘pop-up’ pilot programs at DHS, which typically did not track performance and impacts but largely acted as a justification for expanding the pilot itself,” the spokesman said.

Threshold for pilots is low

Cummiskey and other former DHS executives say the data call and putting together the reports shouldn’t be a huge lift for agency leaders.

Rafael Borras, the former DHS undersecretary for management and now president and CEO of the Homeland Security and Defense Business Council, said Congress created a low threshold for reporting and it will cover quite a large number of programs. But, at the same time, he said it shouldn’t too difficult to pull that information together.

“If you own the pilot or demonstration program, you should have that information available. The bigger question is why does Congress want the information and how will they use it,” Borras said. “Congress may not look at 100 reports, but they will look at the one or two and that may create some challenges for DHS.”

Cummiskey estimated it could be as many 40 different pilot or demonstration programs across the entire agency.

Troy Edgar, the former CFO for DHS and now a partner for federal finance and supply chain transformation with IBM Consulting, said another concern is how these requirements will slow down pilot work, which, in turn, can slow down departmental transformation and modernization.

He said the five full-time equivalents and $1 million thresholds seem low for an agency with a budget of over $82 billion.

Provision not about stopping innovation

Borras added that his big concern is adding this to the dozens, or even, hundreds, of other reporting requirements DHS already has to deal with.

“The department must uncover what is root of this and then address the root problems Congress is worried about,” he said. “If it is because they are not transparent and open enough, the DHS must deal with that. A simple report from the undersecretary for management doesn’t get at the root issue.”

The source said lawmakers want DHS to be innovative and to transform, but have the discipline and rigor associated with spending millions of dollars.

“It’s the kind of discipline that the department needs to make sure it has when it does a pilot. It has to make sure these pilots are effective in way DHS can learn whether or not the pilot achieved the goals intended,” the source said. “It’s beside the point if lawmakers look at all of them, but if it’s hundreds I think we all would be surprised. But lawmakers will look at some of them and ensure the requirements are institutionalized in a way that will result in better pilots going forward.”

The fact that the language isn’t “punitive” or a reaction to something DHS did, as some experts surmised, is a positive thing.

The question Borras, Cummiskey and others asked is whether requiring reports will have the intended affect Congress wants, which is better oversight, accountability and general management of pilot programs. It’s unclear whether new reporting requirements, by themselves, in any federal management realm really changed agency behavior.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

Just when you thought government contracting was about to get fun, again, the General Services Administration decided boring is the right approach.

That’s right, I’m saying government procurement and fun in the same sentence because we had an upcoming contract that had so many possibilities intertwined with it. GSA has been planning the follow-on to its highly popular and successful OASIS contract for the past year. It started by calling the vehicle BIC MAC—best-in-class multiple award contract. Oh the possibilities there!

The agency moved to Services MAC for the last few months. And with both of those names, unlike its more traditional and unexciting names like Alliant or Millennial or 8(a) STARS, these names had so much potential for fun in headlines and leads and so much more.

But GSA decided — and I’ll blame the lawyers here, only because it’s always fun to blame lawyers — to pick the name OASIS+, or maybe Oasis-Plus, for the new governmentwide contract, ending any real chance of bringing fun back to federal procurement.

“The name echoes a successful brand that our customers have come to know and trust, reflects the expanded scope of services that will be available through the new program, and embodies the contract’s flexible domain-based structure,” wrote Tiffany Hixson, the assistant commissioner in GSA’s Office of Professional Services and Human Capital Categories in the Federal Acquisition Service, in a blog post from June 15. “The new program will have a broad scope. As their respective ordering periods conclude, the new program will be able to fulfill requirements currently met by GSA’s One Acquisition Solution for Integrated Services (OASIS); Human Capital and Training Solutions (HCaTS); and Building, Maintenance, and Operations (BMO) contracts. In addition, new scope areas include environmental, intelligence services, and large enterprise solutions. Plus, we’ll build-in the flexibility to expand scope as customers identify new federal services needs.”

All kidding aside to the good folks at GSA, the decision around OASIS+/Oasis-Plus is seems small, but important. It’s clear there is recognition in FAS that the current contract is popular, in part because GSA has spent the better part of a decade promoting, creating a brand and working with everyone from the Air Force to the Homeland Security Department to the Army to commit to putting hundreds of millions of dollars through OASIS.

Since 2015, agencies have spent $48.8 billion on OASIS, OASIS small business and OASIS 8(a) through more than 3,200 task orders.

The Air Force remains the largest user, issuing more than 1,000 task orders worth more than $28 billion. The Army is the largest user by total sales with more than $30 billion across 458 task orders.

The updated vision for OASIS+ also recognizes the struggles of the HCATS contract.

GSA awarded HCATS to 109 vendors in May 2016. The 10 1/2 year contract has a ceiling of $11.5 billion and replaced the Training and Management Assistance (TMA) contract run by the Office of Personnel Management for the last two decades. After a series of bid protests, GSA finally issued the notice to proceed for HCATS in September 2016. Over the last almost six years, agencies have not used the contract like may believed they would, awarding 300 task orders worth $764 million.

Six contracts with five for small business

Sheri Meadema, the acting assistant commissioner of GSA’s Office of Professional Services and Human Capital Categories in the Federal Acquisition Service, said during the Coalition for Government Procurement spring conference that the changes to OASIS-Plus also acknowledges what GSA’s customers have said about the draft details of the new contract over the last few months.

“We had originally envisioned one contract with small business reserves, and working closely with the Small Business Administration and our Office of Small and Disadvantage Utilization Office and our customers, quite frankly, we ended up switching that strategy. So the plan is to now award six separate contracts, five of those being for small businesses and the six being unrestricted,” she said. “The second change is scope. Oasis will cover all of the scope areas in Oasis currently today, plus HCATS and building maintenance and operations as those contracts expire. In addition, in the initial stages of the contract, there are additional scope areas that we’re adding on to include environmental intelligence services and a domain we’re calling enterprise solutions, which will be unique to the unrestricted vehicle. That domain is for very large, complex, high-dollar value, non-commercial type work.”

The domains is another change for OASIS+. GSA will add or remove domains based on customer needs and usage throughout the life of the contract.

That gives us a lot more flexibility as things change and customers’ needs change to introduce new scope areas,” Meadema said. “We are trying to keep the solicitation open continuously after we initially close it to deal with solicitation protests. This is all about our ability to onboard industry partners at any time during the contracts life.”

The onramp for OASIS was far from a smooth process, beset by protests and delays.

Meadema said the new contract will make it easier for companies who grow out of the small business size standard to apply to get on the OASIS+ unrestricted version.

“The evaluation criteria will drive the highly qualified pool of vendors that we’re trying to attract. We’re not recreating the Multiple Award Schedules. We are setting the bar relatively high,” she said. “That being said, we are giving careful consideration to how high we set the bar for unrestricted. So again, we can allow companies who re-represent their size to move on to another vehicle.”

Price not a key evaluation factor

As part of the evaluation factors, GSA will be applying the authority it received under Section 876 of the 2018 Defense Authorization bill, where price is most important at the task order level, not at the main contract level.

GSA stated in recent answers to industry questions that OASIS-Plus will not have a total dollar ceiling attached to it, joining Polaris as the only other contract do deviate from the Federal Acquisition Regulations in the last nine years.

Meadema said GSA expects to release some new or updated draft sections of OASIS-Plus for industry comment over the summer and then release the full draft request for proposals in early fiscal 2023. GSA expects to issue the final solicitation in the second quarter of 2023.

The new name, scope and domain changes are important steps for GSA in this journey, but they still don’t necessarily answer all the questions about how OASIS+/OASIS-Plus isn’t just creating a new type of schedule contract. The Coalition has expressed concern over the last year about possible duplication with the schedules, cross-walking what OASIS+ will include and what the schedules already provide.

The next key stop in this journey is when GSA releases the draft RFP for industry comments to see how it differentiates from the schedules and whether it alleviates any concerns in industry about duplication. Most would agree that last thing industry or government needs is another contract that doesn’t add value and meet agency needs.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The return of in-person conferences still is a bit weird. As most attendees will say, it’s great to see people in person, but it’s less fun to wear “real” clothes and shoes. The “business on the top and vacation on the bottom (dress shirt and shorts)” doesn’t work well when you are in a hotel or conference center for most people.

Maybe the best part of the return to in-person events, at least for intrepid reporters, is the ability to ask follow-up questions after a presentation or speech. That is when you turn a story that is likely to be a lemon into sweet lemonade.

At the recent Emerging Technology and Innovation Conference sponsored by ACT-IAC in Cambridge, Maryland, the lemonade was flowing thanks to the bevy of speakers who were willing to talk about all the good things happening in their agency.

From Army chief information officer Raj Iyer offering an update on his digital transformation efforts to Sonny Hashmi, the commissioner of the Federal Acquisition Service in the General Services Administration, talking about the latest contract to buy cloud services, to Stacie Alboum talking about her new job at the Federal Deposit Insurance Corporation as deputy director of enterprise strategy, the news flowed like, well lemonade.

But here are three items you may have missed from the event.

AFWERX moving back to DC

The Air Force’s innovation arm missed the Washington, D.C. metro area after all.

AFWERX closed its offices in Arlington, Virginia during the pandemic, figuring it would use its offices in Las Vegas and Austin, Texas as places to recruit innovative companies.

But like in Godfather Part III, AFWERX may have been screaming  “just when I thought I was out, they pull me back in” to Washington, D.C.

Garrett Custons, a Spark cell director at AFWERX, said the organization is looking for new space in the D.C. metro area.

“It’s really a blank slate with what it could look like,” Custons said. “We want to build out an incubator in the D.C. area. We’d love it to be co-located with other organizations in the government innovator space. We don’t just the space, but a place where tools and products can be tested.”

AFWERX, which the Air Force launched in July 2017, focuses on accelerating agile and affordable capabilities by teaming innovative technology developers in the private sector with Airman and Guardian talent.  In 2020, the Air Force split AFWERX into three different branches: AFVentures, Spark and Prime. The Spark branch is focused on empowering innovation at the operational edge.

Custons said the decision to rethink the need for an office in the D.C. area is based on two factors. The first is internal growth of staff. The second is number of vendors in D.C. metro area.

“This is where the decision makers are,” he said. “It’s a logical progression of the lifecycle of AFWERX to help companies get into the federal market.”

AFWERX has money set-aside for the office space, but isn’t against the idea of sharing space with other agencies or innovation cells.

Custons said one option would be to share space with the Office of the Undersecretary of Defense for Research and Engineering and the National Security Innovation Network in Arlington, Virginia.

“If a government organization has office space, we’d like to talk to them. It’s hard to know what is available and what’s out there,” he said. “We are talking to the General Services Administration because they have collaboration space that isn’t being used as much as they thought, so maybe partnership play there.”

Commerce BIS sprint to the cloud

You’d think moving to the cloud would by now would be passé. Agencies have been talking about it for more than a decade.

For the Commerce Department’s Bureau of Industry and Security, cloud services represent an entirely new way of doing business.

Mike Palmer, associate chief information officer for BIS, said the goal of moving to the cloud is, of course, IT modernization. But the bigger win will for BIS is how the cloud services will free up data and break down silos.

“We’ve focused over the last six months on upgrading our infrastructure. In January, we decided to take our entire infrastructure to the cloud and out of this archaic on-premise based infrastructure,” he said. “By July 1, our six month move of our entire infrastructure to the cloud should be complete. In the meantime, in parallel, we are starting to do some interesting things with data. It gives us more flexibility to make quicker decisions.”

Palmer said BIS is launching a pilot program around a data warehouse and data sharing platform to improve how they work with the intelligence and law enforcement communities as well as conducting a pilot to take some of its data from licensing offers and turn it into export control impact.

“One of the things we believe in is trying things on a smaller scale and expand it from there so  quick, small investment to prove out a concept,” he said. “The next phase of our product lifecycle modernization effort is to do a lot of user research over the summer as part of our enterprise modernization activities.”

A BIS spokesperson offered a few more details by email.

The spokesperson said the move to the cloud will set the foundation for a broader modernization journey that includes creating new data sharing capabilities, public-facing digital services and a zero trust cybersecurity architecture.  The move to the cloud is expected to improve BIS’s operational resiliency and security, reduce costs, and provide modern tools for developing new software applications that will improve the BIS customer experience.

Palmer said at the event that one of the biggest challenges for BIS is getting the workforce comfortable with using cloud services and no longer being in a physical environment.

BIS expects the infrastructure modernization to save money, but Palmer said the CIO’s office still is finalizing those details.

Coast Guard less disconnected

The Coast Guard Commandant’s tech revolution will not be televised, but it now will be on Zoom or Microsoft Teams.

That’s right, major cutters now have enough bandwidth to use video teleconference platforms.

Brian Campo, the Coast Guard’s deputy CIO, said the service recently upgraded the communication bandwidth for all major cutters, which are out to sea 180 to 200 days a year.

“The Coast Guard has been going out with Navy fleets for the last several years into places like Indo-PACOM and around the horn of Africa, but also going up into the Arctic. These are places were communications are really challenging. So one of the thing we have been trying to do is upgrade equipment, working with industry partners and looking at different communications links we could use,” he said. “One of the most amazing things have done in about the last year is we’ve doubled connectivity to the major cutters. What we have been able to do is upgrade them so that they have enough bandwidth so now on the morale side in some of the mess decks and personnel areas, they can actually get what we would call ‘dirty’ internet to be able to send email back to loved ones. Just recently we just doubled their internet again so they can actually do video teleconferences using Teams and Zoom to actually reach back and talk with their loved ones.”

Former Coast Guard Commandant Adm. Karl Schultz, who retired on June 1, made the increase of bandwidth to cutters a central part of his Tech Revolution plan.

The Tech Revolution Plan includes four other priorities: Data to decisions, software, mobility and the cloud, cyber readiness and command, control, communications, computers, cyber and intelligence (C5I).

Campo said the Coast Guard now is adding two new lines of effort command and control and navigation.

“Each of those two new systems are game changing to the Coast Guard. They are systems we have been leveraging from the Defense Department that we will be retiring in the next few years,” he said. “We are trying to build out some new replacements for those systems and taking a different approach. We are leveraging what we did in the first half of the tech revolution bringing in things like data, making data part of what we do for our C2 systems, making sure as we develop navigational systems we are leveraging the technology through commercial satellite communications. We are thinking about how we can use artificial intelligence to actually build out navigation systems that can manage these over congested ports and work with the shippers to give them more information as they come into a port.”

The Defense Department has always prepared to fight in an environment that is austere, stretches supply lines and unfriendly, to put it mildly.

But that preparation focused mainly around kinetic warfare where Marines or soldiers would have to face an enemy that was, relatively speaking, close and understood.

Todd Harrison, a senior associate in the Aerospace Security Project and Defense Budget Analysis for the Center for Strategic and International Security (CSIS) wrote in a 2021 report that “For some types of non-kinetic attack, third parties may not be able to see that an attack has occurred, or the party being attacked may not know right away who is attacking. For these reasons, non-kinetic attacks may be perceived as less escalatory in some situations, although this remains a point of debate. It can be difficult to determine if some non-kinetic forms of attack are effective, particularly if the effects are not publicly visible. And some methods of attack — such as exploiting zero-day vulnerabilities in a cyberattack — may have a limited period of effectiveness before an adversary develops defenses against them.”

The non-kinetic attacks are not limited to just weapons systems, but logistics to move supplies and troops, communications to make data sharing more difficult and GPS jamming and spoofing.

Today, the Marines are preparing for an environment that is disconnected, denied, intermittent and/or with limited bandwidth (DDIL) where the enemy could be hundreds of miles away, behind screens and impacting both kinetic and non-kinetic capabilities.

The Marine Corps awarded General Dynamics IT (GDIT) a task order under the Defense Enterprise Office Solutions (DEOS) contract to test out how they can receive Microsoft Office capabilities both on-premise and in the cloud in a classified environment approved at the secret level.

The Defense Information Systems Agency and the General Services Administration awarded GDIT the 10-year DEOS contract that has a $7.6 billion ceiling in August 2019. DISA began migrating users to DEOS in January 2021 after protests and corrective action delayed the implementation.

Navy leading DDIL working group

Jim Matney, vice president and general manager of the DISA and Enterprise Services Sector for GDIT’s defense division, said in an email to Federal News Network that GDIT already is supporting an unclassified environment for these services that is rated at impact level 5 (IL5). He said through this proof of concept that mainly will be done in a lab environment, the Marines will be able to see how the enterprise collaboration tools can work in DDIL environments.

The six-month project is worth under $1 million.

The Marine Corps Tactical Systems Support Activity (MCTSSA) has put together a DoD DDIL lab environment where GDIT will evaluate these proposed architectures and developed capabilities.

GDIT says it also will partner with Microsoft to test capabilities, investigate scenarios and provide applicable recommendations for mission partners deployed in a DDIL environment.

“[T]hese collaboration services must also operate on-premises. As cloud service providers are providing more software-as-a-service (SaaS) offerings to support collaboration, such as Office 365, users must have access to the cloud to leverage these capabilities,” Matney said. “The challenge then becomes ensuring the on-premises solution used to support DDIL in an outside the continental U.S. (OCONUS) environment can interface with the enterprise capability that is being used in CONUS.”

Matney said the on-premises collaborative capabilities, such as Microsoft Exchange, Skype for Business and SharePoint, must remain and integrate with the cloud-based services.

GDIT says the proof of concept will include testing several different scenarios to access capabilities including word processing and spreadsheets, email and calendar and file sharing and instant messaging.

All of this is helping the DoD figure out how to deploy DEOS in DDIL environments, where reliable and timely connectivity to warfighters at the tactical edge is critical.

Refine requirements, develop use cases

This task order proof of concept with the Marines is part of the DoD chief information officer’s effort to find technology capabilities that provide seamless operations in denied, degraded, intermittent and limited bandwidth environments.

In 2021, the DoD CIO designated the Department of Navy CIO as the executive agent to lead a cross-service joint working group focused on DDIL.

“These low bandwidth and high latency conditions are prevalent at the tactical edge and experience regular disconnects from the broader network, including cloud services, often for substantial periods of time,” the DON CIO’s office wrote in late 2021. “Network server software and hardware exist at the tactical edge to provide critical IT services and data in these DDIL environments, along with a variety of spectrum communications and unclassified and classified network transports leveraging satellite links and low-Earth Orbit (LEO), Wi-Fi, cellular/4G LTE, millimeter wave/5G and others.”

The working group is leaning on industry for help in refining DoD requirements and use cases to develop standardized architectures and capabilities in these austere environments.

“These tools operate as a hybrid capability, which will allow users access to the full feature set when cloud connectivity is available, but remain productive locally within the DDIL environment,” the DON CIO wrote.

Matney said GDIT is currently supporting multiple agencies across the DoD, civilian, and intelligence sectors with on-premises collaborative capabilities that may be considered and tested as potential DDIL approaches.

The challenge that the Marines are trying to solve isn’t just a Marines or DoD challenge. It’s one nearly every agency from the departments of Treasury to Homeland Security to Justice face. And with so much dependency on email communication and collaboration tools, having access no matter the network environment is critical.