Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.


Software, shared services spice up summer

Don’t ever tell me summer is a “down time” in the federal IT and acquisition communities. The Office of Management and Budget has been pushing out memos like summer blockbuster movies — hopefully with better results.

Contract awards and bid protests continue to be hot and heavy, especially in the Defense Department.

But there may have been a few important news items that slipped through the proverbial cracks of your news cycle.

First off, federal chief information officers are getting a new role — software sheriff. CIOs must develop an inventory of software licenses, track spending and find opportunities for consolidations and savings under the MEGABYTE Act.

President Barack Obama signed the Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 into law July 29.



Rep. Connolly plays both sides of IT modernization debate

Rep. Gerry Connolly (D-Va.) believes agencies can have their cake and eat it too when it comes to IT legacy modernization.

Connolly is supporting both the $3.1 billion IT Modernization Fund (ITMF) developed by the Obama administration and introduced in the House by Rep. Steny Hoyer (D-Md.), and the MOVE-IT Act introduced July 14 by Rep. Will Hurd (R-Texas) and Sens. Tom Udall (D-N.M.) and Jerry Moran (R-Kan.).

The Modernizing Obsolete and Vulnerable Enterprise IT (MOVE-IT) Act would create working capital funds in each agency as part of a decentralized approach to addressing the growing problem of legacy IT systems across the government.

Connolly’s co-sponsorship of the MOVE-IT Act along with his vocal support of the ITMF created an “only in DC” optics problem, which he quickly tried to address in an internal memo to Hoyer trying to explain how both of these bills could work together.



DoD’s stress reliever: A new forecasting tool to ease fourth quarter buying spree

Agencies are just about three weeks into the federal fourth quarter procurement spending spree and, like the weather, the buying is heating up. Contractors know taking vacations in August and September is all but verboten because of the wave of solicitations coming out.

Bloomberg Government says on average the government spends about 32 percent of its contracting budget during July, August and September.

The Defense Department, which usually leads the way when it comes to year-end spending, is trying to improve the process on both ends of the equation.

Ken Brennan, the deputy director for services acquisition in the Office of Defense Procurement and Acquisition Policy in DoD, said the Pentagon is rolling out a new forecasting tool to better describe what it’s buying and who is buying it.

“We shared it with the broader community, but it’s not significantly robust yet. We need to know what folks are looking to buy so we can identify them and connect them to a solution that meets their requirements,” Brennan said at an event hosted by the Association of Proposal Management Professionals (APMP) in Vienna, Va. on July 20. “We believe this holds great promise for us. We have a long way to go and a lot of things that happen in the fourth quarter are discretionary so we are really trying to see how we keep that appetite in check.”

DoD is building the forecasting tool based on work done in the small business arena to leverage the software they are using.



What is the value of a cyber investment?

How many times is your agency told to measure and mitigate risks when it comes to cybersecurity because there is no way to protect all your systems and data?

The problem with that concept is the first part, measuring risk, especially around cyber. That is difficult because of the dynamic nature of the threats and vulnerabilities. An application is safe now, but an hour later a hacker discovers a vulnerability and exploits it.

This is where a new partnership between George Mason University and Vencore comes in. Over the next two months, George Mason faculty researchers will work with Vencore to take the initial steps toward developing a cyber risk assessment methodology and tool to help agencies and other organizations analyze the value of the data and determine how best to mitigate potential cyber threats.

“The project itself fits right in with the themes of Defense Advanced Research Projects Agency, Homeland Security Department and other major research initiatives in the federal government, trying to address this question of how do we know if we are secure and what’s the value of the next $100,000 or $1 million of investment for overall security posture and addressing enterprise risk,” said Jean-Pierre Auffret, director of the Research Partnerships and Grants Initiative at George Mason University in Fairfax, Virginia. “These are some of the important questions tied in with some of the challenges with cybersecurity metrics and also some of the challenges with new technologies such as Internet of Things.”

Auffret said the idea of putting a value on data and on protecting that data is something the energy sector and others are starting to take on more aggressively.



Two awards move DHS closer to opening shared cyber service, phase 3 of CDM

The Homeland Security Department and the General Services Administration put two more key pieces in place under the Continuous Diagnostics and Mitigation (CDM) program.

GSA, acting as the procurement arm of the CDM program, awarded the continuous monitoring-as-a-service contract — also known as task order 2F — to ManTech. Under this sixth part of task order two, GSA and DHS are asking ManTech to provide services to at least 44 small-and-micro agencies, ranging from the Consumer Product Safety Commission to the Federal Trade Commission to the Postal Regulatory Commission.

GSA and DHS awarded the first contract under phase 2 of the CDM program for privileged access controls to Knowledge Consulting Group (KCG), which ManTech bought in June 2015.

This means ManTech essentially won both task orders, with the first one worth $25.5 million and the second one worth $85.4 million, for $110.9 million in total.

This is the fourth win for KCG under the CDM program. The most recent one before the privileged access controls came in March 2015 when the company received a $29 million contract to implement McAfee’s vulnerability manager and ePolicy Orchestrator tools, ForeScout’s CounterACT tool for network access control and Splunk’s big data analytics software.



Rep. Hurd answers OMB’s IT challenge, proposes alternative strategy

Federal Chief Information Officer Tony Scott got his wish — an alternative to the administration’s idea for how to modernize federal IT systems.

Scott has said many times, including on July 14, that moving off legacy IT systems across the government is a crisis and the administration’s proposal to create a $3.1 billion IT Modernization Fund to do that is the best option.

“I’d ask any of the people in Congress, if you have a better idea get it out there, but if not get on board with this one,” Scott said at the Palo Alto Networks federal forum in Washington. “You can’t sit around and look at your navel and figure it out two-to-three years from now. It’s one of the things that doesn’t get better with age. We need to get on with the business of upgrading and modernizing and do it with vigor.”

Less than an hour after Scott made the call for an alternative to the ITMF, Reps. Will Hurd (R-Texas), chairman of the Oversight and Government Reform Subcommittee on IT, and Gerry Connolly (D-Va.) and Sens. Jerry Moran (R-Kan.) and Tom Udall (D-N.M.) — both members of the Commerce and Appropriations committees — stepped up to the challenge by introducing the Modernizing Obsolete and Vulnerable Enterprise IT (MOVE-IT) Act in their respective chambers of Congress on July 14.

Under the companion bills, Hurd, Connolly, Moran and Udall would take a different approach than the one offered up by the White House and introduced in Congress by Rep. Steny Hoyer (D-Md.).



Piecing clues together to understand DHS’ second binding cyber directive

At least eight months after the final major agency to identify its high-valued assets under the 2015 cyber sprint, the Homeland Security Department is making sure they got it right.

Jeh Johnson, the DHS secretary, issued his second Binding Operational Directive (BOD) in late June.

“This directive mandated that agencies participate in DHS-led assessments of their high value assets and implement specific recommendations to secure these important systems from our adversaries,” Johnson told the Senate Judiciary Committee on June 30. “We are working aggressively with the owners of those systems to increase their security.”

The DHS public affairs office didn’t offer anything beyond what the Secretary said late last month.

One government source told me the directive also is helping agencies document, prioritize, remediate and monitor corrective actions for these high-valued assets.

If you do some digging, there are a couple of clues about what the BOD is focused on.

The first place you look is the Office of Management and Budget’s M-16-04 memo, which included the Cybersecurity Strategy and Implementation Plan (CSIP) from last November. In the memo and plan, OMB directed agencies to not only identify their high value assets, but also their critical architecture to understand the potential impact should those systems and data fall victim to a cyber attack.



Performance Council looking for new director; NASA gets a CISO

Kate Josephs is leaving the Performance Improvement Council after two years.

After more than 2 1/2 years working for the Performance Improvement Council, Kate Josephs is leaving not just government, but the country too.

Josephs, who is originally from the United Kingdom, is heading back home after working for the U.S. federal government since January 2014.

She spent the last 19 months as the executive director of the Performance Improvement Council (PIC).

In returning to England, Josephs will take on a new role as Director of National Operations in the UK Department for Education.

Her last day is July 31.



Intrigue, nastiness engulfs latest protest of DHS’ $1B cyber contract

Let’s add a little intrigue and nastiness to the already exciting saga of the $1.15 billion cybersecurity contract the Homeland Security Department has been trying to award for the last 10 months.

First the news: Northrop Grumman has submitted a second protest to the Government Accountability Office over DHS’ decision to award the DOMino contract to Raytheon.

DHS confirmed the protest to GAO, but wouldn’t comment any further.

Raytheon initially won DOMino in September. The goal of the huge contract is to provide enhanced protections to federal civilian agency networks, including the operations and maintenance of the EINSTEIN initiative and to design new cyber capabilities for the National Cybersecurity Protection System (NCPS).

Northrop protested the first award. DHS eventually took corrective action and relooked at bids, and decided again to award Raytheon the deal in early June.

Northrop filed its second protest on June 15.

This is where the intrigue and nastiness come in — Northrop alleges DHS’ evaluation was flawed and there was a conflict of interest arising from Raytheon’s hiring of a former DHS official.



What will make category management trickle down?

If a category management memo falls in the forest and no one is there to hear it, does anyone care that it fell?


Wrong analogy? Well, you get it, because that’s the sentiment many are voicing as the Obama administration continues its full-court press to change how agencies buy products and services. Despite multiple memos, including the latest on July 1 around data breach services, and now a proposed rule to all but mandate the use of strategic sourcing contracts, there is a growing question of how the Office of Federal Procurement Policy ensures the requirements trickle down far enough.

“I think the incentives or punishments around category management are unclear. What will OFPP do about it if agencies don’t follow the memos?” said Michael Fischetti, the executive director of the National Contract Management Association (NCMA). “With the decentralized nature of government acquisition and management, especially at the lower level tier organizations, there are many that may not get the memo or choose just not to respond to it. Chief acquisition officers and senior procurement executives don’t really have a lot of authority.”

Fischetti and other experts don’t disagree with OFPP’s approach to improving how agencies buy and what prices they get. But category management is very much a “build it and hope they will come” approach.


