Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Inside the Reporter’s Notebook – GSA eases burden on agencies, vendors with schedule consolidation

Inside the Reporter’s Notebook is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and other events. This is not a column or commentary — it’s news tidbits, strongly-sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, we encourage you to submit ideas, suggestions and, of course, news to Jason via email.

Be the first to know when a new Inside the Reporter’s Notebook is posted. Sign up today for our new Reporter’s Notebook email alert.



Taking the buzz out of the ‘Internet of Things’

The buzz around the term the “Internet of Things (IoT)” isn’t being lost on the government.

Agencies are hearing about the world we are supposedly moving toward — everything is connected, all the time and data is being collected, analyzed and used to help you do everything from buying food to becoming healthier to alerting you to sales at your favorite store.

But sometimes the government must be a little bit of a buzz kill.

The Internet of Things isn’t new to the government, nor is it the next great wave of change. Sorry to all those people who love the IoT concept.

The Oct. 7 AFCEA Bethesda, Maryland, breakfast on IoT made it clear that the government has been in the “Internet of Things” for quite some time, and to go further some fundamental changes need to occur.

Let’s start with how government is ahead of the rest of the IoT world.

Take the State Department. It wanted to measure and alert people about the air pollution in China.

Brian Nordmann, a senior arms control adviser for State, said the embassy decided to collect data and post it on Twitter. The hourly feed as to whether the air is “hazardous” or “very hazardous” has hundreds of thousands of followers in China.

“We started looking at other things that you can do with iPhones. It’s got accelerometers on it, so it knows how you are holding the phone and it will adjust the image. Well those accelerometers are good enough that you can actually make a small seismograph out of that,” he said. “So rather than having this network of big seismographs around the world to detect what’s going on — and we use seismographs to detect not just earthquakes, but whether there is a nuclear test underground — so if you get enough of these iPhones in this area and you can do it from about 100 kilometers away, it will detect a tremor of a nuclear device. We started exploring how to use the accelerometers for that.”

Nordmann said the microphone also is sensitive enough that it can detect an infrasonic noise.

“We have these guys out in the University of Hawaii who are working with the microphones to see how low of a signal it can actually detect,” he said. “The professor at the University of Hawaii went to his local Apple store and bought 12 of the new iPhones 5. Apple contacted him about why he was buying these Apple phones. He said we are using for infrasonic detection and Apple didn’t know the phones could do these things.”

These are but two examples of how agencies or government-funded research are knee-deep in this “IoT” thing.

Jeff Booth, an information applications and standards division director in the First Responders Group in the Science and Technology Directorate at the Department of Homeland Security, puts a finer point on how the government views IoT. He said the concept isn’t about the technology in and of itself, but what it can do for the mission.

“The value is defined by the user so the Internet of Things, I think, value is still yet to be defined,” Booth said. “There are emerging capabilities. Many of the sensors will be applied to some of the areas we support.”

Chris Greer, the director of the smart grid and cyber-physical systems program office at the National Institute of Standards and Technology, echoed Booth’s comments about the value of IoT.

He said whatever will promote investment and the ability to exploit the capabilities will be a main driver of IoT.

“From our perspective, the driver is interoperability,” Greer said. “A device implemented for one function can be used for other. It happens at the application level, but for IoT you have to get the platform right.”

Greer and others point to the big gaping hole when it comes to interconnected devices — privacy and civil liberties protections.

He said from an architecture perspective, industry and government haven’t paid enough attention to those things yet. And part of that is the inability of Congress to keep laws up with the changing technology.

“We are driven by the Privacy Act of 1972. They did not even predict there would be computers that everybody had on their desks or in their homes,” Nordmann said. “So they wrote this Privacy Act that said, ‘Your data is your data and you get to control it and the government cannot possess it without your permission.’ Now we’ve got 300 million people whose data is currently moving around on the Internet of Things. We cannot have possession of that information. We cannot have that information and your name anywhere near each other. We have to file massive amounts of paperwork to explain what we will do with the information and how we will not connect it to an individual person.”

He said IoT or smart cities or electronic health care can’t be done easily without solving the Privacy Act challenges.

Nordmann said a recent experience at State proves that out.

He said State hosted a challenge where it would give $5,000 to a winner to solve a problem, and it ended up being a debate among lawyers about how to use the rules under the Privacy Act.

State included a few sentences in the challenge saying participants consented to having their data used by the department.

Nordmann said the lawyers were unhappy with the language and turned it into a 28-page public-consent document for a $5,000 challenge.

“It wasn’t one of these things you could scroll through and click, ‘I agree’ and get through this. They had on every page a button to click, ‘I agree.’ Nobody read through the entire 28 pages and we couldn’t figure why we had only 200 people competing when the year before when the lawyers didn’t know we were doing it, we had over 1,000. It was all because of the consent form,” he said. “So far, we haven’t been able to get the attorney general to get together a meeting of all the department lawyers in one room to figure this act and figure out how it works for us or against us.”

So while the government has been using sensors and collecting non-citizen data for some time, the move to what some see as the more valuable information needs some help.

Until Congress modernizes the Privacy Act, this concept of the Internet of Things will be based on a series of one-offs for agencies to get approval from citizens.


GSA veteran to give VA’s customer service office a much-needed boost

The Veterans Affairs Department’s customer experience office is getting some much needed and welcome help.

Darren Blue, the General Services Administration’s Public Buildings Service director of the National Capital Region, is joining VA as its deputy chief customer experience officer.

Blue will work with Tom Allin, who leads VA’s effort to radically change how the agency serves veterans.

Allin’s decision to bring on Blue makes total sense. Who better to help with customer service than someone who managed a quarter of all federal real estate and brought in half of all PBS’ revenue?

Add to that the fact that Blue is a veteran, having served in the Army for nine years, including an overseas tour during combat operations in support of Operations Enduring and Iraqi Freedom, and it seems like VA has found a good match.

Allin told me Oct. 8 at the ACT-IAC Customer Service Summit in Washington that he was excited for Blue to join VA and very much welcomed the additional help.

Blue joined GSA in 2008 serving in multiple roles, including as assistant commissioner for facilities management, where he provided strategic direction and innovations for building operations and small construction projects. He also led the agency’s emergency response and recovery office, where he led GSA’s effort to respond to disasters.

Along with Blue there were several other notable personnel changes in the federal community.

David Rude, the Defense Department’s chief learning officer, is moving to a new role.

In an email obtained by Federal News Radio, Rude said he will become the CLO of the National Nuclear Security Administration in November. Rude’s last day at DoD is at the end of October.

CLOs are seeing their profiles rise across the government as the human resources function begins to separate from the training roles.

For example, the Homeland Security Department recently said it would hire a new chief learning and engagement officer to lead the effort to improve employee morale and overall satisfaction.

A Federal News Radio survey from May found CLOs’ recent rise is due to two main reasons: budget tightening and workforce turnover.

The Federal Deposit Insurance Corporation has a new chief information officer.

Larry Gross moves to the FDIC from the Agriculture Department’s Farm Service Agency. Gross replaces Barry West, who went on administrative leave back in June under unknown circumstances. West resigned from the FDIC in August and now is leading a private sector firm.

Gross comes to the FDIC after serving as the Farm Service Agency’s CIO only since April. He previously worked as the principal deputy CIO at the Interior Department for almost five years. He also worked as the associate CIO for Electronic Government at the Treasury Department.

Another law firm is trying to get in on the big business that is cybersecurity.

Venable joins a growing trend of traditional law and lobbying firms making big hires under a cybersecurity services banner.

In this case, Ari Schwartz, the former senior director for cybersecurity at the White House, joined Venable as its managing director of cybersecurity services in October. Venable said in a release that Schwartz will work with the firm’s attorneys to provide companies with a holistic approach to addressing cybersecurity issues. In his role as the managing director of cybersecurity services, Schwartz will provide cybersecurity consulting services for the firm, assisting organizations with understanding and development of risk management strategies.

The Federal Times first reported Schwartz’s departure from government.

A February 2015 paper from Hanover Research, which was prepared for the Indiana University Maurer School of Law, found there is a growing demand for lawyers to work on cyber and privacy issues. The researchers said large and medium sized law firms created cybersecurity practice groups over the last few years, but they are, in some cases, finding it difficult to hire qualified attorneys.

“Although the market for cyberlaw services remains in a nascent stage, experts expect that in the long term, the field will continue to grow,” researchers said.

So Schwartz’s move is another example of the private sector “poaching” from the government. Over the years, we’ve seen this with technology management experts, contracting officers and specific research and development areas, but only in recent memory has cybersecurity expertise been a commodity worth “stealing” from the government.

Schwartz has been with the White House since June 2013, serving in a privacy and civil liberties oversight role and then moving into a special adviser and senior director role. Before coming to the White House, Schwartz worked at the National Institute of Standards and Technology.

He also worked for the Center for Democracy and Technology and for the Center for Effective Government before joining the government.

Finally, Gwynne Kostin is taking on a new role for a year as an IPA fellow in the Partnership for Public Service’s Ready to Govern initiative.

She will help lead the presidential transition effort from a policy perspective. She told me in her new role she will work with agencies to help prepare their policy and programmatic priorities and goals for the next administration. She said it’s less operational and more focused on what new leaders need to know when they arrive at their respective agency.

Kostin has been GSA’s director of its digital government and digital services innovation center since May 2012.

NextGov first reported Kostin’s new role.


GSA eases burden on agencies, vendors with schedule consolidation

The General Services Administration is trying to tame its schedule contracts.

After years of expansion, GSA decided to go in the opposite direction and consolidate its professional services offerings.

On Oct. 1, GSA’s Federal Acquisition Service completed a year-long effort to take about 5,000 contracts and 4,500 contractors down to about 4,000 total for both. About 330 vendors held multiple professional schedules, adding cost and time to the administration of the contracts.

Tiffany Hixson, GSA’s regional commissioner and professional services category executive, said Oct. 8 that the agency consolidated eight professional services schedules into one called the professional services schedule.

“It was a tremendous lift for our organization,” said Kathy Jocoy, the professional services schedule project manager. “It is a time saver. It is a cost reduction in management in the schedules and the solicitations not only by GSA, but more importantly for our industry partners. They are not having to manage multiple vehicles to provide the same general type of services, the professional services. And of course, our greatest venture in all of this is that it’s allowing a total solution available to our federal community, whether it’s complex or an independent need. We are providing them with the same quality services from the same quality contractors. We just put it all together in a program that allows them to meet their every need in the professional services arena. We are very excited about it.”

Hixson said the schedule is open for business and agencies can use it today as GSA met its goal to launch this new schedule on Oct. 1.

“We were able to deconflict labor categories, labor category pricing. We were really able to clean up some of the confusion with having three different contracts with the same labor category in it and the same rates,” she said.

GSA expects to save $3.95 million over five years through reduced contract administration costs, and then about $1.3 million a year in cost avoidance after that initial five years.

This change comes after the schedules program has gotten unwieldy for GSA and vendors, to say the least, particularly around the seemingly constant expansion of new services schedules and new special item numbers for specific products or services.

Hixson said some of the large vendors end up holding as many as eight professional services schedules under the old model. Now, each vendor will have one contracting officer handling their professional services schedule and a couple of contracting specialists to help with contract administration.

The IT schedule, known as Schedule 70, and the professional services schedule are the two big dogs for GSA, accounting for about half of the more than $35 billion in revenue annually.

“Over the long term, the consolidated professional services schedule will reduce administrative costs for government and industry, while streamlining access to service solutions at the task order level,” said Roger Waldron, the president of the Coalition for Government Procurement, in an email to Federal News Radio. “It is a win for customer agencies, GSA and its industry partners.”

Larry Allen, president of Allen Federal Business Partners and a long-time GSA observer, said the consolidation makes sense for several reasons, including the most important reason of making it easier for agencies and vendors alike to buy services off of the schedules.

“I would also note that the consolidation of the myriad services schedules was completed more or less on time and that the launch of the new schedule is pretty well on time,” Allen said. “There are many people who would like to see Tiffany take over the Schedules program entirely as they feel she would breathe new life into it and make supporting the program inside the agency with increased resources and emphasis a priority.”

Once GSA gets some experience with the new consolidated professional services schedule, Hixson said she plans to take the next steps to further streamline the program.

“We are going to be looking at the special item number (SIN) structure for professional services schedule this next fiscal year. That will be another very heavy lift,” she said. “What we heard from industry and our customers is that the SIN structure doesn’t align neatly with National American Industry Classification System (NAICS) codes, and so from a small business set-aside perspective, it creates some challenges for contracting officers. So what customers have asked us to do is step back and take a look at the SIN structure, and see what we can do to better align the SINs with the NAICS codes to facilitate a lot cleaner source selection and small business set-aside in the professional services space. I really think FAS will be looking to us to work through this concept, and then see if there is applicability to restructuring SINS to NAICS codes across other schedules.”


Inside the Reporter’s Notebook – Fears rise over little-known cyber bill provision


Fears rise over little-known cyber bill provision

Let’s get beyond the back-slapping and glad-handing over the fact that Senate lawmakers introduced and tucked much needed legislation to protect federal networks into the Cybersecurity Information Sharing Act.

There is one provision in the Federal Cybersecurity Enhancement Act that is scaring both industry and government alike.

And yes, scaring is probably the best word here — not worrying or concerning, but actually putting fear into their minds.

Without a doubt, there are a lot of positive requirements in the provision, which Sens. Tom Carper (D-Del.), Ron Johnson (R-Wis.), Susan Collins (R-Maine) and Barbara Mikulski (D-Md.) are sponsoring and added to CISA.

But under Section 209, lawmakers would give the Homeland Security Department Secretary the power to issue an emergency directive when there is a “substantial threat” to the information security of an agency and take “any lawful action with respect to the operation of the information system, including such systems owned or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.”


DoD’s concerns about industry consolidation may hold water for all of government

Frank Kendall, the Defense Department’s undersecretary for acquisition, technology and logistics, may be rightly concerned about the rate of mergers and acquisitions happening in the federal market.

After Lockheed Martin’s plan to buy Sikorsky cleared the Justice Department’s antitrust process, Kendall issued a statement Sept. 30 about the potential impact of mergers and acquisitions on the defense industrial base (DIB).

“Since 2011, DoD’s policy has been that it would not look favorably on mergers of top tier defense firms. Lockheed’s acquisition of Sikorsky does not constitute a merger of two top tier defense firms and it does not violate that policy. However, this acquisition does result in a further reduction in the number of weapon system prime contractors in the defense industrial base,” Kendall said in an emailed statement. “Over the past few decades, there has been a dramatic reduction in the number of weapon system prime contractors producing major defense programs for the DoD. This transaction is the most significant change at the weapon system prime level since the large scale consolidation that followed the end of the cold war. This acquisition moves a high percentage of the market share for an entire line of products — military helicopters — into the largest defense prime contractor, a contractor that already holds a dominant position in high performance aircraft due to the F-35 winner take all approach adopted over a decade ago. Mergers such as this, combined with significant financial resources of the largest defense companies, strategically position the acquiring companies to dominate large parts of the defense industry.”

Broaden Kendall’s comments to all of the federal market — particularly information technology and professional services — and the M&A activity that has been fast and furious over the last two years should be just as concerning for civilian agencies.

John Yim, director at KippsDeSanto & Co., an investment firm that tracks mergers and acquisitions in the federal community, wrote back in August there already have been 39 deals in 2015. In 2014, vendors conducted 79 mergers and acquisitions and in 2013, the number was 65.

“Bolstered by an anticipated uptick in federal spending during quarter four of the government fiscal year 2015 is poised to continue the recent trend of increasing deal counts over the past few years,” Yim wrote. “The expectation of more than 80 deals this calendar year will surpass previous years’ totals and further perpetuate the development of an increasingly active M&A market.”

Add to that a recent survey of government contractors by the Professional Services Council and Grant Thornton that found revenues are flat or decreasing for a majority of respondents. In that survey, 20 percent say they plan to sell their company in the next two-to-three years, and about half said they expected to sell their company in the next three-to-five years.

This data further substantiates Kendall’s concerns over increased M&A activity.

“With size comes power, and the department’s experience with large defense contractors is that they are not hesitant to use this power for corporate advantage,” Kendall wrote. “The trend toward fewer and larger prime contractors has the potential to affect innovation, limit the supply base, pose entry barriers to small, medium and large businesses, and ultimately reduce competition — resulting in higher prices to be paid by the American taxpayer in order to support our warfighters.”

Rich LaFleur, a partner with Grant Thornton and director of the 20th annual contractor survey, said in an interview with Federal News Radio that the M&A activity is being driven by a handful of recent changes in the federal market.

“Without a lot of new contracts, vendors have to look to M&A to grow,” he said. “It’s not M&A for M&A sake. The data indicates less than half of acquisitions end up being effective, while expectation out there is for continued M&A activity.”

He said the survey asked companies who were looking to buy others if they have walked away from a deal in the last year. Nearly 70 percent indicated they had because of something they found during the due diligence stage.

Another potential reason for the increased M&A activity is the rate of incumbents winning follow-on contracts.

Respondents say 75 percent of the time the incumbent contractor wins the follow-on work too.

“The win rate doubles from 33 percent to 66 percent if companies are innovative around creating new joint-ventures or new legal organizations,” LaFleur said. “What that does is help the vendor not be a prisoner of their legacy cost structure and the way they did business before. If they create a new company and are innovative around how overhead rates are billed and the amount of general and administrative (G&A) they have to account for, they can increase revenue and profits.”

Not everyone believes increased M&A activity is a bad thing.

The Aerospace Industries Association released a statement reacting to what Kendall said. AIA said the consolidation is a natural result of decades-long trends in defense acquisition.

“Consolidation is market-driven and enhances the efficiency with which we deliver the world’s best equipment to the American warfighter,” AIA said. “We’re seeing fewer and fewer new programs which start farther and farther apart. With fewer programs for which to compete, the stakes for individual companies grow ever higher — loss of a contract competition could mean the end of a company’s ability to compete for defense work. In this environment, it’s no surprise that industry is looking to become leaner and more efficient.”

But when does consolidation go too far and create an oligopoly? When does competition get impacted because there are few large businesses and the rest are small/start-ups? This is a real concern for the entire government that the Office of Federal Procurement Policy, the General Services Administration and DoD need to address.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature. Read more from this edition of Jason’s Notebook.


DHS meets digital services deadline as hope for governmentwide funding dwindles

Back in December, the Office of Management and Budget gave agencies an Oct. 1 deadline to set up digital services teams as part of the IT budget passback.

So here we are, 10 months after the instructions, and several agencies have met the goal, including most recently the Homeland Security Department.

DHS joins the departments of Veterans Affairs, Commerce and Transportation, as well as the Environmental Protection Agency and the General Services Administration.

DHS recently hired Eric Hysen as director of its digital services team. Hysen had been working at DHS for the last few months as part of a team provided to the agency by OMB’s U.S. Digital Services Office.

“For the past year, I’ve been working with U.S. Citizenship and Immigration Services (USCIS) within the Department of Homeland Security, to modernize our country’s immigration system,” Hysen wrote in a blog post. “We’ll be taking the model the U.S. Digital Service has been using for the past year and making it a core part of how DHS does business. We’ll be expanding our work to modernize the immigration system as well as taking on new challenges across DHS’s critical missions — everything from facilitating international trade to responding to disasters to improving the federal government’s information security practices.”

Hysen invited others to join him at DHS to create the digital team.

DHS’ decision to join the ever-growing list of agencies with digital services offices is a good sign. But the ability of these teams to have a long-term impact may be dependent on Congress.

The White House asked for $105 million in its fiscal 2016 budget request to seed digital services teams across the government.

In the meantime, while Congress figures out the budget, OMB is working with others to create a digital services infrastructure.

Additionally, the Office of Personnel Management in May approved “excepted hiring authorities” for digital services positions.

And the Office of Federal Procurement Policy and the U.S. Digital Services office are in the final stages of a challenge competition to create a training course to help contracting officers improve how they buy digital services. Three teams, GovLoop, Team ICF and Management Concepts, received $20,000 to conduct a pilot course for 30 students. The winning team will receive $250,000 to expand its pilot program governmentwide.

So far, Congress hasn’t been supportive of digital services in a budgetary sense.

The House didn’t mention money for digital services offices in its conference report on OMB’s 2016 budget and reduced the IT Oversight and Reform Fund (ITOR) to $20 million from $35 million.

The Senate also reduced the ITOR fund to $25 million.

“The increase in ITOR funding in fiscal year 2016 will help to grow the USDS team to enable them to serve as a resource across federal agencies,” the Financial Services and General Government conference report stated. “In addition, the increase in funding should be used to support OMB’s newly-formed E–Gov Cyber and National Security Unit [OMB E–Gov Cyber] which focuses on strengthening federal cybersecurity.”

The report also stated that USDS should become more engaged to implement digital and technology practices on the 10 highest priority IT investments across the government.

But $5 million will hardly cover the $105 million in seed money OMB wanted for these teams.

So the question remains whether agencies can “find” enough money to create these digital services teams in spite of the lack of congressional support, and how effective they can be without the necessary seed money.

One solution: GSA has more than $1 billion in reserve funding in its Acquisition Services Fund (ASF). Why not “refund” each agency 10 percent of the fees it paid last year for “acquisition” digital experts? I’m sure lawyers could figure out how to make that work within the rules that govern the use of the ASF.



Fears rise over little-known cyber bill provision


CORRECTION: An early version of the story incorrectly identified who is the lead in taking action if DHS discovers a substantial cyber threat. The agency head is the person that would be given the power to take action if the bill becomes law. Federal News Radio regrets the error.

 

Let’s get beyond the back-slapping and glad-handing over the fact that Senate lawmakers introduced much-needed legislation to protect federal networks and tucked it into the Cybersecurity Information Sharing Act.

There is one provision in the Federal Cybersecurity Enhancement Act that is scaring both industry and government alike.

And yes, scaring is probably the best word here—not worrying or concerning, but actually putting fear into their minds.

Without a doubt there are a lot of positive requirements in the provision, which Sens. Tom Carper (D-Del.), Ron Johnson (R-Wis.), Susan Collins (R-Maine) and Barbara Mikulski (D-Md.) are sponsoring and added to CISA.

But under Section 209, lawmakers would give the Homeland Security Department Secretary the power to issue an emergency directive when there is a “substantial threat” to the information security of an agency and tell the secretary or administrator that they could take “any lawful action with respect to the operation of the information system, including such systems owned or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.”

Put in more straightforward terms, if DHS determines a cyber threat is so great, it can tell agency leaders to go into their network or a contractor’s network, which holds federal data, and take actions to protect it.

Government and industry sources said getting DHS help during a cyber attack makes sense, but the provision as written is too broad and basically gives DHS carte blanche to do what it thinks is best to protect the networks and data.

“Basically, the bill is giving DHS the authority to walk into a commercial facility and take it over,” said one industry source who requested anonymity because they are working with the Hill on this bill. “It’s not just government data when the data is in a multi-tenant setup. We have other commercial clients and other government data mixed in. If DHS is going in, the bill doesn’t include any protection for trade secrets, commercial or financial information, and there is nothing limiting their authority. It just says they have to consult the head of an agency. There are no notifications to contractors or companies that DHS is about to come knock on your door. There is nothing notifying the company to say there is a problem and we will issue emergency authority and take over your systems.”

The sources said the language is too vague and opens the door to potential abuse.

“What is an emergency?” another industry source asked. “An undefined emergency and any lawful action, DHS can come in and do anything they want within the law, and who knows what law would look like. This is a reoccurring issue with some legislation involving DHS in terms of giving unbounded discretion to the secretary. I’m sure it’s all well intentioned, but there are concerns that there are few limits other than any lawful action and that’s pretty broad.”

Part of the problem with the legislation is it’s not written in a way that takes into account the move of agencies to cloud computing where their data may be intermingled with other agency data or information from other industry sectors or even international organizations.

The bill also assumes DHS knows what’s best for an agency when its network is under attack, when in reality Homeland Security will never have the resources or expertise to fully understand every agency’s architecture, which is needed to make immediate decisions to protect their networks.

But some on Capitol Hill said industry and agencies may be overreacting a bit.

A Senate Democratic staff member, who requested anonymity to talk about the bill, said the provision is modeled after one in the cybersecurity bill developed by former Sen. Joe Lieberman (I-Conn.) and Collins back in 2012.

“This so-called reach by DHS, we don’t see that as being the case. The language doesn’t go that far,” the staff member said. “The procedures are taken from the 2012 bill and we heard the concerns of contractors and others and teased them out more. In their shoes, we understand they want to proceed with the utmost caution, and they fear DHS would push every boundary and limit they have in law. We haven’t seen DHS do that, but time-to-time DHS is reluctant to be bad cop so to speak and they have more luck in being the friend and be there to help.”

The staff member said lawmakers fully recognize that agency chief information officers will know their network best, and DHS’ emergency authorities are limited to protective and detective capabilities.

“That’s why the provision says for broader authorities, procedures for use, DHS has got to consult with OMB,” the staff member said. “I think DHS understands busting into someone’s network and turning things off or changing things wouldn’t be good either.”

Another Senate staff member said one of the goals of the legislation is to broaden DHS’ authority to be able to force agencies to secure their networks if they fail to do so on their own.

Another red flag in the legislation is the assumption lawmakers made around how DHS would apply the EINSTEIN program to contractor systems.

Rich Beutel, president of Cyrus Analytics and a former Hill staff member, said the bill assumes DHS could overlay the software that runs the EINSTEIN intrusion detection and prevention system on a commercial cloud. He said that’s easier said than done.

“You can’t have EINSTEIN monitoring all traffic,” he said. “Cloud service providers and Internet service providers would have the responsibility to sequester the data, break it into two streams of government data and non-government data so EINSTEIN can run over only government data? I don’t think it’s possible. Maybe there is some magic way you can packetize data in some way, but that blows the value proposition for cloud and scalability.”

Johnson summed up the need to empower DHS succinctly:

“Agencies across the federal government are dragging their feet to implement cybersecurity practices already long in place in the private sector that would keep their data secure. These failures have made it clear that current law does not go far enough in requiring agencies to protect their networks,” he said in an emailed statement. “Therefore, using what the Committee learned from its oversight, Sen. Tom Carper and I introduced the Federal Cybersecurity Enhancement Act (FCEA), to provide a comprehensive approach to securing civilian federal agencies’ networks. This bill requires agencies to take the same kind of common sense approaches to secure their networks that private companies have been doing for years — like encrypting sensitive data, installing signature-based intrusion detection systems and using multi-factor authentication. Cyber-attacks, whether for destructive purposes or to steal information, are a significant threat facing our nation today. While there is no silver bullet to protect our networks from cyber-attacks, this bill would make it much more difficult for our adversaries to hack into our networks.”

The House has a similar bill, H.R. 3305, but it doesn’t include the specific provisions talking about giving DHS emergency powers to the extent the Senate’s version does. Rep. Will Hurd (R-Texas) sponsored the six-page bill and it calls for DHS to work with industry to deploy and protect federal data.

The first industry source said Congress is interested in passing cyber legislation in the wake of the massive data breach that impacted the Office of Personnel Management.

“The problem is what I will call in-artful drafting,” said the second industry source. “I’m sure they are trying to address a legitimate concern, but giving any unbounded discretion to federal officials is concerning.”

No one is arguing against the need for better cybersecurity, but it seems once again there’s a lack of understanding from both sides of what is needed and instead of making several small changes, Congress is trying to eat the cyber elephant in one bite. And we know that never works.



Inside the Reporter’s Notebook – State of federal cloud remains optimistic with a chance of budget pessimism


State of federal cloud remains optimistic with a chance of budget pessimism

Rep. Will Hurd (R-Texas), chairman of the Oversight and Government Reform Subcommittee on IT operations, asked an interesting question at a recent hearing in Austin, Texas: “What is the state of federal cloud computing?”

Not quite as enthralling as a President’s State of the Union — and of course a lot fewer standing ovations at Hurd’s hearing — but it brings up a timely question about just how much progress agencies have made since the Office of Management and Budget’s 2011 “cloud-first” mandate. This February will be five years since former federal Chief Information Officer Vivek Kundra issued that mandate.

Nearly every CIO is moving something to the cloud — email, public websites and other basic technology services. Others such as the Federal Communications Commission, the Homeland Security Department and even the Medicaid and CHIP Payment and Access Commission (MACPAC) have done a lot more than these basics, putting entire infrastructures in the cloud.



Cloud bill gains support as FedRAMP sets JAB approval cap

With Rep. Will Hurd’s (R-Texas) field hearing in Austin, Texas, last week on the state of federal cloud computing, the challenges around contracting and budgeting for these services remain the biggest obstacle to wider acceptance.

Most would agree the broad budgetary changes needed for agencies to change the way they buy aren’t happening anytime soon. But there is growing acceptance of another approach to funding cloud computing, which is starting to get some attention on Capitol Hill.

Rich Beutel, a former House Oversight and Government Reform Committee senior staff member and one of the main forces behind the Federal IT Acquisition Reform Act (FITARA), has been circulating a cloud bill with lawmakers over the last six months. Beutel is modeling his cloud bill from a funding perspective after the continuous diagnostics and mitigation (CDM) program run by the Homeland Security Department.



DoD’s $1B contract proof new model for GWACs is working

The General Services Administration’s announcement that it awarded nearly a $1 billion contract on behalf of the Defense Department under the One Acquisition Solution for Integrated Services (OASIS) multiple award contract is noteworthy for several reasons.

Starting off, GSA’s award to Booz Allen Hamilton to provide a host of services under DoD’s Global Threat Mitigation Program is the largest one by dollar figure to date.

Second, it’s solid proof that the Army’s pledge to spend $500 million a year under OASIS in return for reduced fees is working. The Army committed to a high level of spending in March 2015 and this award, which will support an integrated coalition of joint commands, including the Army National Guard, Army Commands/Army Service Component Commands (ACOMs/ASCCs) and Combatant Commands (COCOMs), is part of that guarantee.

Finally, the OASIS model of lowering fees in exchange for a dollar figure commitment is working and likely will spread to future governmentwide contracts such as Alliant 2.

Let’s go back to the award to Booz Allen for a second. GSA said under the five-year indefinite delivery, indefinite quantity deal, Booz Allen will provide assessments to identify and analyze evolving and emerging threats, and provide the potential capabilities the military can utilize to combat the threats.

The services under the contract include program and project management, strategic planning and capabilities, threat, and intelligence analyses and assessments, integrated air and missile defense program support, information, operations and special activity division support and operational influence platform services.

“The ultimate end state of this task order is to bolster the U.S.’s security interests and positions, both at home and abroad, and to protect forces from emergent threats,” GSA said the task order stated.

The Army’s $500 million commitment has gotten off to a strong start.

GSA reported on its OASIS dashboard that the Army is the second biggest spender under OASIS, with more than $106 million obligated so far. The Air Force, which was the first agency to commit $500 million in spending under the contract, leads all agencies with $192 million in total obligations.

The Homeland Security Department, which earlier this summer signed an agreement similar to those signed by the Army and the Air Force and pledged $250 million in spending under OASIS in return for reduced fees, has spent the most under the contract among civilian agencies with $5.1 million.

In all, agencies have obligated more than $412 million across 147 task orders on OASIS and the small business version of the contract since 2014.

Finally, the fee structure piece has been a bugaboo for agencies using GSA contracts for some time. Agencies like the convenience of GSA schedules and GWACs, but continue to develop their own multiple award contract vehicles because of the false belief they can do it cheaper.

On this $937 million award, DoD would’ve paid a fee of more than $7 million under the standard 0.75 percent fee. But with the agreement for a reduced fee in exchange for a large dollar figure commitment, DoD will pay a fee of just under $1 million — a nice savings that the Pentagon can use toward other needs.

That type of discount would seem to be attractive to agencies in this time of tight budgets and increasing needs.


