Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.

Sign up for our Reporter’s Notebook email alert.

Next for FedRAMP: Closer integration with DoD

Now that the new cloud security baseline for high-impact systems is out under the Federal Risk and Authorization Management Program (FedRAMP), the next step is to harmonize it with the Defense Department’s cloud computing security requirements guide (SRG) for Impact Level 4 systems.

Matt Goodrich, FedRAMP director, Office of Citizen Services and Innovative Technologies, General Services Administration

DoD’s SRG Impact Level 4 covers controlled unclassified information (CUI) and other mission-critical information. DoD updated the SRG in March; Level 4 builds on the FedRAMP moderate baseline with additional DoD-specific controls, which DoD describes as FedRAMP-plus.

According to a white paper from Coalfire Public Sector, DoD SRG Level 4 requires 370 controls in total, up from 326 under FedRAMP moderate and the equivalent DoD SRG Level 2.

The Defense Information Systems Agency plans to update the SRG now that the FedRAMP high baseline version 1.0 is final.

Matt Goodrich, the FedRAMP director, said the final high baseline contains 421 controls, up from 325 in the moderate baseline, including several controls that DoD required.

“A vast majority of the new controls relate to stricter processes and automation requirements around technical implementations,” he said. “There weren’t major changes in terms of capabilities [as compared to the draft high baseline], but there were a few control additions and tighter implementations that are present in the final baseline that were not in the original baseline requirements.”


A-123 Circular to bring agencies back to 1980s around internal controls

Dave Mader wants to take the government back to the 1980s.

No, we aren’t talking about leg warmers, parachute pants and puffy shouldered blouses or even Wang computers with green screens — though some of those may still exist. Rather, Mader, the Office of Management and Budget controller, wants to change the view of internal controls in agencies back to what it was 30-plus years ago.

“One of the challenges we have been wrestling with over the last couple of the years we’ve been at OMB, if you go back to the origins of internal controls in the 1980s, it was more about internal controls over a program,” Mader said during a June 29 event sponsored by the Partnership for Public Service in Washington. “I think we can blame us, the CFO community, because we’ve embraced this to such an extent that people run around and say, ‘These are financial internal controls.’ But no it’s not. We want people in program offices to start understanding the requirements they have under A-123 for internal controls and we see internal controls as a tool you would use to mitigate risk.”

The idea that everyone should understand and consider internal controls is part of OMB’s update to Circular A-123, which includes a new section on enterprise risk management.


Agencies talked more, punished less in 2015

Government contractors shouldn’t be celebrating that the number of suspensions and debarments dropped in fiscal 2015.

While it’s good news that agencies used a tool that many procurement attorneys call “capital punishment for contractors” slightly less last year, what really stands out in the annual report from the Interagency Suspension and Debarment Committee is why the numbers went down.

Agency use of suspension and debarment

Year    Suspensions    Proposed debarments    Debarments
2015        918              2,196               1,873
2014      1,009              2,241               1,929
2013        887              2,229               1,696

Source: Interagency Suspension and Debarment Committee’s fiscal 2015 report to Congress.

The more telling numbers are the 30 percent increase in the use of “show cause” or investigative letters and the 25 percent increase in the use of administrative agreements.

Rob Burton, a former Office of Federal Procurement Policy deputy administrator and now an attorney with Crowell & Moring in Washington, said the 30 percent increase in the use of “show cause” is an important change because too often suspension and debarment punish contractors before the trial, basically causing a “guilty until proven innocent” scenario.


Expectations on the rise for USDS, GSA’s 18F

Let’s play a game of connect the IT and digital services dots.

First dot: The House Oversight and Government Reform Committee’s hearing on legacy IT systems in late May.

Second dot: The committee’s hearing on the U.S. Digital Service and the General Services Administration’s 18F in June.

Third dot: The surprising decision by Phaedra Chrousos, the commissioner of GSA’s new Technology Transformation Service (TTS), to step down after only six weeks in the job when she goes on maternity leave in July. There are strong rumors that the decision to leave may not have been her own. But that’s a story for another time.

Fourth dot: Two letters from the committee to the Government Accountability Office asking for a report on USDS and 18F’s decision-making around what projects they take on, and on the authorities of federal chief information officers.


GSA, IRS lose IT executives; State gains one

The General Services Administration is looking for its third manager in three years to lead the Integrated Award Environment (IAE) program.

Eric Ferraro, who has been the assistant commissioner for the Integrated Award Environment (IAE) since July 2015, has stepped down and accepted another position in the Federal Acquisition Service’s Integrated Technology Service.

Federal News Radio obtained an email from FAS Commissioner Tom Sharpe confirming the change and the fact that Kevin Youel Page, FAS’s deputy commissioner, will be taking over on an interim basis.


Halvorsen ‘firing for effect’ in calling for the end of CAC

Terry Halvorsen, the Defense Department chief information officer, wasn’t surprised in the least bit by the reaction he got when he announced he wants to phase out the Common Access Card (CAC) over the next two years.

“It’s a two-year goal and plan. Do I have all the details worked out? No. Was I surprised by the reaction? Absolutely not. It panned out exactly how I thought it would, but that’s part of why you do it,” Halvorsen said June 17 at a lunch sponsored by AFCEA Northern Virginia’s chapter in Vienna, Virginia. “Part of setting these goals and coming public is to get the dialogue, and not just the dialogue in the building, but to get the dialogue outside the building to get people in industry thinking, ‘Now they’ve said they are going to do it, let us think hard about how we help them and frankly how do you make money on doing that, and how do you help us get there.’ I will keep saying we will do this as it improves security, improves agility and, hopefully, lowers the overhead cost of maintaining that system.”

DoD CIO Terry Halvorsen

Halvorsen said he thinks all of that is doable in a 24-month timeframe.

But he also didn’t offer too many more details about how he would move to a more secure, agile identity authorization, authentication and verification process.

“To be very clear, we are on a two-year plan to move off the CAC card for access to our information systems. I think it will still play a role for inside physical access, and certainly we will still have a physical identity card,” Halvorsen said. “But I want to make it clear, when we replace the CAC card, it will be public-key infrastructure. It will be multi-factor. We will not do this until we have a plan that doesn’t just keep security at the same level. Part of what’s driving that is we are not keeping pace in the mobility space inside the DoD like I think we need to. We need to be able to do more software-based authentication using different methods. It could be biometrics. It could be personnel data. It could be behavior. Those things have to come in.”

Halvorsen said they are working on a detailed plan to get off of it in two years. He admitted it may take longer than expected, and DoD may be operating with both CAC and its replacement for a short period of time.



Little-noticed interim rule overshadows two Supreme Court procurement decisions

The “Rule of Two” is mandatory for the Veterans Affairs Department no matter how well it is doing in meeting its small business goals.

When vendors sign an invoice and send it to the government for payment, they are acknowledging they have met the requirements under the contract.

These were the major outcomes from two cases decided last week by the nation’s highest court.

While both these cases will have long-lasting impacts on the federal procurement community, a little-known rule by the Railroad Retirement Board (RRB) is what contractors really should be paying attention to over the summer.

The RRB issued an interim final rule May 2 that nearly doubles the civil penalty per false claim under the False Claims Act (FCA).

“Penalties under the False Claims Act pegged at the current rate of inflation for a long time and they are adjusted up or down, but they haven’t been for quite a while,” said Bill Wilmoth, a partner with the law firm Steptoe & Johnson and a former U.S. attorney for the Justice Department. “The Railroad Retirement Board was the first agency to make the upward adjustment and my opinion and others is it’s just a matter of time before every federal agency changes their regulations to up the penalties.”

Wilmoth, who blogged about the potential for higher FCA penalties in May, said the RRB’s interim rule would raise the amount vendors could be held liable for per claim to between $10,781 and $21,563, from between $5,500 and $11,000.

The RRB interim rule is set to take effect Aug. 1.



Questions linger about GSA’s plans for new cyber offerings

The General Services Administration’s plans to develop a new way for agencies to buy cybersecurity services off of the IT schedule contracts is raising eyebrows across the vendor community.

Vendors are concerned both because of the potentially large amount of money agencies will spend (the White House requested $19 billion for cybersecurity in fiscal 2017) and because a new special item number (SIN) may not make sense for services that are constantly changing and improving, leaving it unclear how GSA will keep the SIN’s requirements current.

“Some might argue that the current requirements of the SIN are actually government-unique given the references to the four Office of Management and Budget memos and 16 National Institute of Standards and Technology documents! But, at the same time, the government does want to get everyone performing to the current standards and putting this kind of detail into the SIN requirements makes it contractually binding,” said Steve Charles, ImmixGroup co-founder. “It all seems good now, but GSA never seems to be able to keep things current so I think we should demand that they define the process whereby we all will know how to help keep everything current.”

Charles said GSA needs to establish a transparent and clear link in the contract to these standards and remain committed to pushing contract modifications to change when the government updates cyber requirements.



Exclusive

Quietly, OMB puts its weight behind latest ID management initiative

The Office of Management and Budget quietly put some policy muscle behind the latest initiative to create an identity management and access control solution for citizen-to-government interaction.

Federal Chief Information Officer Tony Scott sent a cover letter and memo to agency CIOs last month highlighting the new Login.gov effort from the General Services Administration’s 18F.

“As announced in the Cybersecurity National Action Plan (CNAP), part of this initiative is for the federal government to build on previous efforts and take steps to safeguard personal data in online transactions through a new plan to drive the federal government’s adoption and use of effective identity proofing and strong multi-factor authentication methods,” Scott wrote in the cover letter, which Federal News Radio obtained. “My team and I will be monitoring the progress of this effort very closely and it is being tracked as part of ongoing CNAP governance.”

The nine-page memo, which wasn’t previously publicly released, included with the cover letter the implementation plan for Section 3 of the 2014 Executive Order 13681 — commonly known as the chip-and-pin memo.

While most of the memo is background, it does include specific milestones between April and October to move Login.gov from a concept to a reality.

For example, the memo calls for OMB and GSA by April to establish a program office, name a director, develop criteria to prioritize the projects and determine metrics to measure moving to the online transactions platform.

As far as we can tell publicly, they accomplished most of this.



House Homeland Security: 80 bills, 16 laws and increased cyber oversight

The House Homeland Security Committee is touting an impressive record over the last year.

During the 114th Congress, the committee has approved 80 bills, of which 70 have passed the House and 16 have been signed into law by President Barack Obama.

The only committee that has been busier is the Energy and Commerce Committee, said Rep. Mike McCaul (R-Texas), the Homeland Security Committee chairman.

But what’s just as impressive is the committee is following up on some of that legislation that has become law — many times a rarity unless there is a problem or specific event.

The Cybersecurity Act of 2015 is the latest example for the House Homeland Security Committee.

The committee will hold the first of two hearings on the bill’s implementation this week. On June 15, the committee will hear industry’s perspective with representatives from the U.S. Chamber of Commerce, the U.S. Telecom Association and two vendors scheduled to testify.

Then on June 22, the Homeland Security Department and possibly others from the administration are expected to testify.

A committee aide said the goals for both hearings are simple: to find out what impact the bill has had so far and what else is needed going forward.


