Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


3 takeaways from FITARA 13


What seemed like a never-ending debate over the definition of data centers between the House Oversight and Reform Subcommittee on Government Operations and the Office of Management and Budget was primed for round nine at the 13th Federal IT Acquisition Reform Act (FITARA) hearing on Jan. 20.

But instead of another roundabout discussion between the Government Accountability Office, subcommittee lawmakers and the administration, the squabble never happened.

Instead, observers got a bit of a pleasant surprise—and let me speak for all of us who have watched this circumlocution since 2013—as the GAO and the subcommittee are ready to retire the data center consolidation and optimization category under the FITARA scorecard. Every agency received an “A” grade for the first time ever under this long-argued-over category.

Rep. Gerry Connolly (D-Va.), the chairman of the subcommittee, the co-author of FITARA and the one member who is most upset about the eight-year debate over the definition of data centers, readily admitted the fight isn’t over.

Rep. Gerry Connolly (D-Va.) AP Photo/Cliff Owen

“I want to congratulate agencies for getting all ‘As’ in this category. But that is not to be construed as a ‘mission accomplished’ moment by any means,” he said at the hearing. “Given the subcommittee’s oversight history on federal data center consolidation, we approach this accomplishment with a bit of a jaundiced eye.”

While Connolly and other subcommittee members may continue to push the Office of Management and Budget for a definition of a data center that supports their point of view, the fact is FITARA 14 will include new metrics, and data center consolidation and optimization likely will not be one of them.

And the fact that the subcommittee and GAO are updating the scorecard metrics is one of the three big takeaways from the FITARA 13 hearing.

Jump starting agency efforts

The subcommittee’s plans to revamp the FITARA scorecard aren’t just about “retiring” the data center category. Connolly said agency progress across the board has stagnated.

“From November 2015 through December 2021, agencies receiving C or higher grades increased from 29 to 100 percent and for the most recent scorecard, 50 percent of agencies received an A or B,” he said. “To continue driving progress, the scorecard needs to evolve to reflect the changing nature of IT services and to guarantee we are accurately assessing the modernization and IT management practices of federal agencies. The goal here is to incentivize progress, not to get a gold star on our foreheads.”

The question now, of course, is how to make the scorecard more valuable.

This has long been a challenge with the FITARA scorecard. GAO made changes in 2020, removing the software licensing category and adding the Enterprise Infrastructure Solutions (EIS) category.

Even before that change, industry experts were calling for changes as far back as 2016.

“The early stages of FITARA, no question, these metrics were relevant. It was forward looking, and it dealt with efficiencies and savings within our agencies. But with all the agencies now receiving an A, on this current scorecard, I think it’s a fair question as to whether indeed, we’ve reached a point of diminishing returns. And we need to legitimately consider where do we go from here?” said Rep. Jody Hice (R-Ga.), ranking member of the subcommittee. “I believe it’s time to take a hard look at how FITARA can evolve from this point. During [the Jan. 11] Federal Information Security Management Act (FISMA) hearing, I specifically asked the GAO witness whether the current FISMA metrics give an accurate picture of the agency’s security posture, and the clear answer was no. So I think again, that’s an indication that we need to evolve and go to the next step.”

Mark Forman, the former administrator for e-government and IT at OMB, offered his usual sage advice through a post on LinkedIn about FITARA.

Forman, who now is the executive vice president for Dynamic Integrated Services, emphasized that while the process could benefit from more of an outcome approach, there’s a bigger issue at hand.

“The underlying accountability issue has always been that the program and financial people do not respect and follow the authorities of the CIO, and the scorecard confirms that chronic issue,” he wrote. “While Congress fragmented IT management planning among CIOs, CDOs, CISOs and CFOs in various laws including the Evidence Act, Congress continues to leave be the language in 44 USC 3506(a)(4) that says program offices are responsible for applications and the IT surrounding those information resources. In fairness, it does require collaboration with the CIO, but that rarely happens. So, two key questions underlie these FITARA scores: first, why doesn’t Congress have agency heads testify for the agencies that get C or less; and does Congress need to eliminate/modify the 3506(a)(4) language?”

The subcommittee received a host of ideas from current and former federal officials.

Several witnesses put the cyber metric near the top of the list as needing to be revamped.

Carol Harris, director of information technology and cybersecurity at the GAO, said the subcommittee should use the Biden administration’s May 2021 cyber executive order as the basis. She also suggested adding IT supply chain risk management as another category under the new cyber metric.

“We’ve done work for you very recently to take a look at that pulse check across the federal government. We have work that can support either evolving the metric to expand into supply chain as well as expanding to take a look at more enterprisewide cyber initiatives,” she said.

Ann Dunkin, the Energy Department CIO, said the FISMA metrics are not an accurate reflection of DoE’s performance. She said there are a lot of consolidation metrics and they are pass/fail, meaning they don’t reflect the true progress an agency is making to secure its networks and data.

Suzette Kent, the former federal CIO, piled on to Dunkin’s idea, saying the cyber metrics aren’t using real-time data and don’t bring value to agencies’ ability to dynamically address cyber challenges.

Suzette Kent is the former federal CIO.

Beyond cyber, the witnesses also agreed that measuring how agencies are addressing the hiring and training of the workforce would be beneficial, as would measuring IT budget and planning.

Kent said adding a customer experience or service metric, including borrowing measures from industry, would serve agencies well.

Several witnesses also promoted the idea of a different cadence for the issuance of the scorecard. Harris said for some metrics, such as IT modernization, a once-a-year review would serve agencies better, while for others automating the collection of data would mean checking in more often.

David Powner, the former GAO director of IT issues and now executive director of MITRE’s Center for Data-Driven Policy and director of strategic engagement and partnerships, offered the subcommittee the most important factor in changing the FITARA scorecard.

“It is critical that the updates to the scorecard are coordinated with the federal CIO and OMB since they have been and will be the source of most of the data used in the grading process,” he said.

EIS not a priority?

The March 2022 deadline for agencies to move at least 90% of their telecom inventory off expiring contracts and onto new Enterprise Infrastructure Solutions (EIS) contracts is coming fast, and the scorecard showed 15 out of 24 agencies are not looking good.

The subcommittee asked several witnesses the simple question: why is EIS so difficult?

Unfortunately for the subcommittee, the question is much simpler than the answer.

GAO’s Harris said agencies are not prioritizing the transition to EIS.

That, however, may not be a truly fair assessment, and her comparison to the software licensing category, which GAO and the subcommittee retired in 2021, isn’t necessarily apples-to-apples in terms of how agencies prioritize the initiative. Software licensing was a data collection and rationalization effort. EIS transition is a total network overhaul.

Richard Spires, the former IRS and DHS CIO, may have come closer to explaining why EIS, and really all telecommunications transitions over the last 30 years, struggle.

Richard Spires is a former CIO at DHS and IRS.

“I think many agencies struggle because of the workforce issues that we face within federal IT. Many of the OCIO organizations do not have all of the talent that they need to effectively manage their IT, and that is one of the key issues that we face in federal IT. And it manifests itself in many ways and one of those is in this example [of EIS transition],” he said. “It is a significant undertaking to migrate from one major networking contract to another. It takes a lot of work behind the scenes within these agencies to make that happen and I think many agencies struggle with that, while they’re also dealing with the day-to-day operations and trying to modernize some applications and all the cybersecurity issues. I think workforce issues are all really behind a lot of where we see struggles with these. And that’s concerning.”

Guy Cavallo, the CIO at the Office of Personnel Management, told the committee his agency just awarded a contract under EIS last April and has been actively moving network circuits and telephone circuits to the new contract.

“I fully expect that we will meet GSA’s deadline. I needed to bring in additional resources. I have them on board now and we are actively moving now, and I’m confident that we’re going to meet the deadline,” he said.

Dunkin said DoE also awarded contracts under EIS for data and voice and is making progress toward meeting GSA’s September 2022 goal of fully disconnecting from the Networx contract.

“We will be leveraging GSA’s expertise, as well as that of our transition management vendor, to implement risk mitigation strategies and to accelerate our transition,” she said.

The question that no one asked is what OMB, OPM and GSA are doing to fill those talent gaps, and what some short-term solutions are, because hiring and training experienced telecommunications staff is not possible in the next nine months.

It may also make sense for the subcommittee to hold a specific EIS hearing with GSA, OMB and a few agencies that are furthest behind; otherwise, the initiative will continue to struggle.

All about the people

And speaking of people, OPM and Energy both highlighted significant steps to close those technology skillset gaps.

Cavallo, who has been the OPM CIO for about a year, said he reduced the OCIO’s vacancy rate by about 20% since the beginning of fiscal 2021.

“We not only have brought on new, talented staff, but we are also investing in our existing staff, including providing unlimited access to online technical training courses and, specifically, investing in training courses related to cloud technologies, agile development and cybersecurity,” Cavallo said. “Our goal is to build a comprehensive workforce that is trained and certified in today’s skills to help OPM take advantage of the latest advancements in technology and cybersecurity to better meet 21st century customer expectations.”

Over at Energy, Dunkin said the new Omni internship program will begin to address the skillset challenges her agency faces.

Ann Dunkin is the CIO at the Energy Department.

“This summer we will have 200 students from overburdened and underserved communities coming out to our DoE sites and plants across the nation in cohorts. We’re paying these students; the government often offers unpaid internships, but these are paid internships. And second of all, we’re providing the support to get them to our often remote locations. So we’re ensuring they have transportation, we’re ensuring they have housing, and we’re making sure that they’re part of a cohort so they will carry their experience on, and then we’re going to bring those same students back to other parts of the department each summer, so they get a whole view of DoE,” she said. “Hopefully, we’ll turn those into federal employees going forward.”

Dunkin added DoE also will continue to use hiring flexibilities like direct hiring authorities to bring in new people with needed skillsets more quickly.

The need to address workforce issues was a common theme during the hearing, but there were few solutions discussed.

Connolly introduced legislation called the NextGenFeds Act in December to establish a comprehensive Federal Internship and Fellowship Center within the Office of Personnel Management to administer, manage, and promote all federal internship and fellowship programs. OPM, meanwhile, finalized a new policy that allows agencies to strategically recruit certain students to positions in the competitive service on a term or temporary basis. It finalized another policy that allows agencies to rehire former federal employees at a higher grade level than when they left government.

But all of that doesn’t address the needs of today; it’s more about the needs of the future, bringing in employees who are under 30 years old.

And that brings us back around to the challenges agencies face today with the EIS transition, with cybersecurity, with project and program management and with many other disciplines.

“We have an opportunity to signal priority and investment in our most precious resource in all of federal IT, the people. The metrics must ensure that priority is given to skills development and work,” Kent said. “Workforce performance should be included [in future FITARA scorecards] because as we’re evolving the technology ecosystem, we cannot under invest in our federal workforce.”


The end of an era: BlackBerry’s impact on feds, industry endures

President Barack Obama wouldn’t give his up. President George W. Bush wasn’t allowed to have one, even though he wanted one.

For about 15 years, the BlackBerry phone was Velcroed to every federal and industry executive’s hand from the Oval Office on down.

While the news on Jan. 4 that Research-In-Motion (RIM) dropped its support for the BlackBerry phone wasn’t surprising to say the least, it did make you stop and think about the impact of the device on the federal sector.

Roger Baker is a former Commerce Department chief information officer. He offered a memory from January 2001:

“We needed to quickly support the mobility needs of the new secretary and his team, so about two days after inauguration we had our BlackBerry vendor in to get us information. They were able to get us 12 BlackBerrys set up and delivered about two days later. Each was labeled with an individual’s name (for the secretary, chief of staff, CIO, etc.) except one with no label. When I asked about it they said ‘it’s for your boss’s boss.’ The secretary was headed to the White House that afternoon so I took him his and asked him if he wanted to offer the unlabeled unit to his boss. He said sure, and took it with him.

“The next day the unlabeled unit was handed back to me with the explanation that the president wanted to keep the unit, but the Secret Service wouldn’t allow it.”

From the late 1990s to the mid-2010s in meeting rooms from the White House to the Pentagon, on the metro and airplanes and during emergencies, federal employees and contractors fell in love with, became addicted to, and realized the potential of the handheld device.

“The BlackBerry revolutionized the way the federal government worked. It was the first to make remote work possible,” said Clint Robinson, a former vice president of government relations for Research in Motion, which developed the BlackBerry, and a former associate administrator in the General Services Administration’s Office of Congressional and Intergovernmental Affairs. “It fundamentally changed how people work and changed managers’ expectations of people who work for them — for better or for worse. We joked about this at BlackBerry, that if you didn’t get a response back in 15 minutes, you started to worry the person was in a car accident or something. You expected an immediate response, and while you can argue whether it’s healthy or not, you no longer were tethered to your desk so you have more freedom.”

Robinson, who now is a partner with Capitol Counsel, called it an “amazing time” when he worked for RIM between 2006 and 2015.

Robert Shea, a former associate director at the Office of Management and Budget and now national managing principal for public policy at Grant Thornton, described the culture change that began to take place during the early days of BlackBerry.

“I remember vividly OMB Deputy Director for Management Clay Johnson and I in a meeting with then GSA Administrator Steve Perry and his then Chief of Staff David Safavian. A noise emitted from David’s Blackberry and he picked it up and began to talk into it as if it was a phone. It seemed so absurd to me I reached down, took off my shoe, and began to talk into it à la Maxwell Smart. Laughter ensued.”

While BlackBerry didn’t offer any statistics or numbers about just how well the device permeated the government, there was a time when the device was a status symbol, an emergency lifeline and a signpost to the future.

Articles from the height of the BlackBerry show just where it stood. In a 2012 article in InfoWorld, RIM said it had over 1 million government customers in North America. Government Executive reported that in 2009, 77% of all federal managers said they used the BlackBerry device.

Craig Luigart, the former CIO at the Education Department and now CTO for health technologies at the Veterans Health Administration in the Department of Veterans Affairs, said in 1999 he became the first agency technology executive to bring BlackBerrys into government.

“I came from private industry in Atlanta and at that time was working with BellSouth and the original BlackBerry for alerting homecare nurses and other health care aligned uses.

“When Secretary Richard Riley selected me in late summer to take over the CIO job I brought with me the knowledge of what the BlackBerry could do and a connection to the then CEO and president of BlackBerry Jim Balsillie. Having talked to Jim they had not yet considered a federal channel. I told Jim I had a contact I would make for him and that if it worked out we might actually desire to be the first federal department with the BlackBerry and its new capability to provide Microsoft Outlook services.

“Shortly after I arrived at Education as Riley’s CIO I called Dendy [Young, then CEO of GTSI] and Jim and said ‘I think I have a marriage for the two of you that would be of mutual benefit.’

“Shortly we had the devices and services on GTSI’s GSA schedule and Education became the first user of BlackBerry in the federal government. I showed it around at the CIO Council meeting and to Jim Fyzik [the co-chairman of the council] and the rest is history.”

In a Federal News Network online survey of its audience, 73% of respondents said the BlackBerry device was “very impactful” on their agency or office.

Respondents said the biggest impact was that it created the “always on” culture by making remote work possible. Making email the preferred way their agency communicated was the next most impactful way in which the BlackBerry changed their office or agency.

Retired Coast Guard Rear Adm. Bob Day, the president of BlackBerry Government Solutions, said in an email to Federal News Network that more than 20 years ago the company helped usher in the beginning of the mobile workforce, letting employees have the flexibility to work wherever and be productive.

He said what agencies liked most about the BlackBerry was its secure mobility.

“It is not just the independence that the handset provided that made it so alluring. Since the company’s very beginning, BlackBerry has always taken security seriously, and the security and privacy of the BlackBerry device was lauded by federal executives, who relied on their BlackBerry devices to communicate sensitive and classified matters,” Day said. “The handset provided federal staff with the confidence and ability to work on-the-go while also giving them the peace of mind to know their work was safe and secure.”

Karen Evans, former OMB administrator of e-government and IT during the George W. Bush administration and now managing director of the Cyber Readiness Institute, highlighted what many thought was the best part of the BlackBerry: The keyboard.

“The transition to Blackberry was great. You no longer had to carry multiple devices because everything was integrated into the one device. I do remember we had to get legal opinions regarding records management due to the capabilities. The QWERTY keyboard was the best! No smudged screens.”

A majority of Federal News Network’s survey respondents and the former federal executives expressed their enduring love for the keyboard.

From the click-clack-click noise the keys made, to the speed and ease with which you could type, to the way the curved shape of the device comfortably fit into two hands, the BlackBerry, for many, was a perfect fit.

Renee Wynn, the former NASA CIO and now CEO of RP Wynn Consulting, delayed her move to an iPhone as long as she could.

“I loved my Blackberry and hated giving it up. What I loved was the keyboard. I could listen to speakers and take notes because I didn’t have to look down to make sure I was on the right keys thus rendering notes useless! Auto-correct wasn’t a dastardly thing back then!”

Simon Szykman, former Commerce CIO and now senior vice president for client growth at Maximus, praised a feature that most of us take for granted with today’s devices.

“The BlackBerry Auto Text feature allowed a user to define a text shortcut that would automatically expand to something longer, for example you could set ‘TYVM’ to automatically be replaced with ‘Thank you very much,’” he said. “It was such a convenience and a timesaver that I had trouble getting by without it once non-BlackBerry smartphones became prevalent both in government and personal use. There are now multiple keyboard apps that have that functionality, but it took surprisingly long for that capability to be implemented outside of the Blackberry ecosystem. Even today whenever I upgrade my own smartphone, I re-implement the same Auto Text replacements that I was first using two decades ago and have grown accustomed to.”

Joe Paiva, the former CIO at Commerce Department’s International Trade Administration and now vice president of the public sector for HireVue, had to make an extra effort to get his staff to give up their BlackBerrys:

“It was 14 years after the BlackBerry had been launched, but only two years after the first iPhone appeared on Verizon’s network. The ITA had started replacing Blackberrys with the iPhone just before I arrived, but the project was halted because almost every single person outside of headquarters, which is 90% of the ITA, was furious. They very correctly and understandably complained that email took way too long to sync, and people were missing everything from warnings of inbound rockets in Israel to time critical trade negotiation notes. That part wasn’t funny, but what happened next most definitely was …

“Of course, we immediately started working day and night to fix the network and sync problems, and within a relatively short period of time had them all resolved. So, I took another trip out into the field to see if folks were now happy with their iPhones. Much to my chagrin, I found dozens of users with BlackBerrys on their belts and iPhones still in boxes in their desk drawers. Frustrated, I said, ‘You know folks in DoD and lots of other agencies are stuck with Blackberrys, and would love to have the option of using the iPhones sitting in your desk drawers. What gives?’

“Without hesitation, an entire group of folks sitting in one room looked at me, and said ‘We’re not giving up our keyboards, and you can’t make us.’ So began a multi-month campaign during which I very literally needed to fly around the world prying BlackBerrys out of peoples’ hands in order to get them to at least try an iPhone.”

Robinson, the former vice president of government relations for RIM, said while most users extolled the keyboard, the BlackBerry’s battery life and the ability to change out batteries were features few, if any, of today’s handheld devices can match.

“Carriers loved the BlackBerry because it was an efficient consumer of data. It had a low profile on carrier networks,” he said.

The keyboard, the battery life and the other aesthetic features of the device are what many people focus on. But Robinson and BlackBerry’s Day point to another characteristic that the government loved: RIM’s security.

Robinson said the encryption RIM used and the fact it was made available for customers created trust across all government and industry users.

“BlackBerry operated its own enterprise server and made available a level of security and reliability that was not available anywhere else. From a CIO’s standpoint, it was a perfectly secure network,” he said.

Dave Wennergren, the former Navy CIO and now CEO of the American Council for Technology and Industry Advisory Council (ACT-IAC), credited his former boss Dan Porter, then the Navy CIO, with making BlackBerrys widely available across the service.

“The Navy definitely took a leadership role in deploying BlackBerrys, from working with the company on security measures, secure servers in the U.S., smart card readers, etc., that would make them a go-to solution for years, to deployment plans that accelerated the demand signal for these devices that allowed you to be connected anywhere, anytime.

“One of the early steps we took was to deliver BlackBerrys to the top leaders of both the Navy and Marine Corps, a move that immediately won the leadership team over to the power of these devices, broke down numerous barriers to their widespread adoption and created energy and peer pressure around keeping up with the bosses. We also outfitted the entire Department of the Navy CIO team with BlackBerrys, to include the clerical staff.

“This was a radical idea at the time, but helped pave the way for the democratization of technology and the recognition that these powerful tools allowed the entire workforce, not just the bosses, to be more productive and provide better customer service.”

As for why we are talking about the BlackBerry in the past tense today, as Robinson rightfully pointed out, there are hundreds of thousands of words written by professors, journalists and analysts that delve into RIM’s mistakes and inability to keep up with the changing desires of society. Time magazine wrote in 2013 about the “fatal mistake” that doomed BlackBerry. Just last week, BusinessInsider revisited this often talked about story, saying it failed to innovate and became complacent. There’s even an entire Reddit thread from 2015 where users tried to answer the question why BlackBerry failed as a device provider.

But this retrospective isn’t about why RIM and BlackBerry ultimately fell out of favor and halted support for the phone devices. It’s about the impact this one small device had, and will continue to have, on agencies and industry.

The fact, as we’ve seen both anecdotally and from the survey, is that federal employees and industry will remember, praise and even denounce the BlackBerry as one of the biggest game changers over the past 25 years.

Robinson said maybe the best story about the impact of the BlackBerry came from a member of Congress, most of whom are not known for their savvy use of technology.

“When I was at Research In Motion (RIM), our co-CEOs Jim Balsillie and Mike Lazaridis would often come to Washington for customer meetings and to meet with members of Congress on whatever policy matters were pertinent at the time. Once, Jim and I were taken by staff to the Rayburn room in the Capitol to meet with a member from Florida. We sat down and she said, ‘Before you say anything, I just want you to know that my BlackBerry has made me a better legislator, a better friend and a better mother.’ Jim said, ‘Wow. Thank you. I believe our work here is done.’”

While many can debate the era — or error to some — that BlackBerry ushered in, the “always on” culture and the expectation that emails need to be answered in minutes and not hours, the device broke down barriers, opened the eyes of agencies and industry leaders to the true potential of remote work and democratized technology from the board room to the back room to the customer service desk.


DISA to industry: Resellers, system integrators need not apply to provide cloud services

Tucked into the second paragraph on page 6 of the Defense Information Systems Agency’s new strategic plan is a humdinger of a sentence.

Under the Readiness Through Innovation section of the strategy, DISA seemed to be throwing a heck of a curve at industry when it wrote (my emphasis added):

“We are implementing multiple contracting initiatives to ensure best value in all our programs. One of the programs, Joint Warfighting Cloud Capability (JWCC) seeks to create a multi-vendor acquisition vehicle that the greater DOD can leverage to obtain services directly from commercial cloud service providers. This would eliminate the need for third party resellers, integrators, achieving efficiencies as a result.”

It seemed this 14-word sentence left some in industry flabbergasted and surprised, to say the least.

“Those efficiencies from resellers are small and there isn’t a huge margin there, so there are a lot more places to go to improve contracting, especially IT contracting, that would bear more fruit,” said one industry expert, who requested anonymity because their company does business with DISA. “As for integrators, I’m not sure how this affects them by having to deal directly with cloud service providers. It definitely cuts out the reseller. But DoD still will need someone to build these services and applications. The integrators and resellers have the skillsets that don’t exist in DoD and probably shouldn’t. Industry has skilled engineers to fix problems with technology. Their skillsets are important and valuable to bring in to DoD.”

Other industry experts questioned whether this was just a poor choice of words by DISA or if it’s a major policy change.

Sharon Woods, the director of DISA’s Hosting and Compute Center, offered more details about DISA’s thinking after she spoke at the recent AFCEA DC lunch on cloud computing.

Sharon Woods is the director of the Hosting and Compute Center at DISA.

“Systems integrators have been key partners in our computing and hosting journey, and they will continue to be. So I think that it is important that we continue to leverage their experience as well as the technical capabilities that they bring to bear,” Woods said in an interview. “We have limited resources within the department, and we are working very hard to continue to help our workforce acquire new skills, but the system integrators bring a level of talent and capability to the table that we can never replicate.”

She added the system integrators will partner with the commercial cloud vendors rather than be at the forefront of the cloud implementation effort.

“This is where I think there’s no one-size-fits-all solution. But I think that system integrators play a critical, critical role in making sure that we’re able to implement and adopt hosting and compute on the kind of scale that is necessary for the department,” she said.

But some experts believe DISA doubled down on that strategy when it decided to end its support for the milCloud 2.0 platform, run by a systems integrator, in this case General Dynamics IT.

DISA announced in December that it would pull the plug on milCloud 2.0 in May after having decided it no longer met the Defense Department’s needs.

“DISA is trying to change the way they acquire cloud and cloud services. They are trying to become quicker at it,” said another industry executive, who requested anonymity. “They are trying to get the right partnership teams in place, and when they say eliminate integrators, they are trying to eliminate having to keep doing separate contracts. What you will see in this is all of the four companies that are on this, Google, Microsoft, Amazon Web Services and Oracle, will bring partners — and probably more partners than less — so they can do more things under this contract, and that way DISA doesn’t have to go back and ask for those services under new contracts. Also it’s clear that DISA doesn’t know how to go forward on this, based on what we are seeing so far. I applaud their effort, but they don’t know how this is going to work in real life quite yet.”

A former DISA executive, who also requested anonymity, called the language “inartful.”

“I think the bigger message is Sharon Woods [the director of DISA’s Hosting and Compute Center] and folks out of the Defense Digital Service want to contract directly with the cloud service providers and not the integrators. They think typical integrators are slow, cumbersome and want to go directly to CSPs,” the former executive said. “I’m not sure if that is the correct approach or not. Microsoft and AWS always went through resellers because the resellers did work that the CSPs didn’t want to do. The last thing technology companies want to do is put [value-added resellers] out of business because they rely on them.”

A DISA spokesperson offered little insight into the organization’s thinking.

“Innovation is not only a major component of DISA’s new strategic plan, it is also central to our recent organization redesign. We will continue to look to industry to help with innovation and deliver the right capabilities for the Department at best value,” the spokesperson said in an email to Federal News Network. “DISA remains committed to fair and open competition and intends to leverage the acquisition process to ensure receipt of capabilities that offer an optimal combination of cost, technical expertise and capability to the department and taxpayer. There are now, and will continue to be, many opportunities for equipment resellers, integrators and all industry partners to support the department as we continue to innovate and address the current and future battlefield.”

Cloud doesn’t work out of the box

For some industry sources, Woods’ and DISA’s comments rang hollow.

Another industry source, who also requested anonymity, placed the blame for the sentence and the new approach in the strategic plan — and the move away from integrators and third-party resellers — squarely on Woods’ shoulders.

“Sharon has said there is no value of system integrators. She has been anti-SIs and proudly put it out there,” said the executive. “But that goes against the way the market works. There are several cloud companies that don’t sell directly to the government and go through VARs and channels. It’s incredibly short-sighted.”

The source added that integrators are valuable because not every technology, cloud or otherwise, works out of the box, so to speak.

“Every technology implementation is different. There are niches and domains that only integrators bring to the table. Microsoft, AWS, Google and Oracle want to have partners for a reason,” the source said. “The Joint All-Domain Command and Control (JADC2) program will have to involve integrators and the cloud. How will DoD do the cloud piece without integrators? What does this no integrator thing really mean for the mission and tactical programs?”

The former DISA executive agreed that integrators and third-party resellers bring expertise to the table that CSPs, the military services and Defense agencies don’t have.

“Integrators bring professional services and specific things that aren’t focused on at the product level, even more with these contracts that have a huge program management requirement, whether it’s security or cost reports or other contract deliverables that happen on a regular basis,” the former executive said. “There are general things that VARs or SIs are set up to do. Now the cloud providers will have to do that and hire staff to manage deliverables versus just focusing on delivering secure, agile cloud services.”

Other experts say DoD is setting up the Joint Warfighting Cloud Capability (JWCC) similarly to the intelligence community’s C2E program, with multiple cloud providers and integrators as partners.

“DoD doesn’t want to deal with integrators and have to compete the task orders among them. But I think you’d like to have integrators in there,” said the former DISA executive. “If under JWCC, DoD can direct awards to all five companies, then it’s protest proof. JWCC is just the underlying infrastructure, the services PEOs will build on top of it such as those command and control applications or targeting applications.”

Support for milCloud 2.0 mixed

When asked about milCloud 2.0 delivering similar services to JWCC, Woods said, without discussing specific program names, that there are requirements for on-premises cloud hosted in DoD data centers, as well as in the commercial cloud environment.

“It’s not a binary choice. It’s really important that these things are interoperable and thought about as an ecosystem of capabilities along with the traditional data center footprint,” she said. “All of these programs bring different capabilities to the table, and part of the HACC’s job is to help enable them to work better together. So from a mission owner’s standpoint, they see unified hosting and compute because we are doing the work behind the scenes to help make these capabilities stitch together.”

Not everyone thought ending milCloud 2.0 was a bad idea and a sign of things to come for DoD. Paul Puckett, the director of the Army’s Enterprise Cloud Management Agency, wrote on LinkedIn that DISA should have shut down milCloud 2.0 several years ago.

“We have a REALLY big problem with continuing down a path that was the right decision when it started but the wrong decision now as the world shifts around us. milCloud made sense in 2013, but it doesn’t in 2021,” Puckett wrote. “Those decisions aren’t easy and oftentimes come with high scrutiny. Whether you agree or not, I commend Sharon Woods and [DISA Director] Lt. Gen. [Robert] Skinner for making tough decisions.”

Whether or not the milCloud 2.0 decision is part of the broader DISA strategy, industry experts see the system integrator and reseller language as part of a consistent message DISA is sending to industry, and one Skinner made clear at the industry day in October: Industry needs to help DoD do more with what it’s got and not spend more on tools and capabilities.

“DISA talks about the end user a lot in their strategy and that is a different way of thinking for them,” said one of the industry sources. “Traditionally they thought mission partners needed them more than DISA needed them, but Skinner has done a great job making DISA more customer focused. I think that is the biggest thing that stood out to me about the strategy.”

The big question is how DISA’s strategy document and plans around integrators flow down to the program managers across DoD. Do they pay attention, or do they continue to push forward business as usual?


CMMC, cybersecurity, acquisition initiatives made the federal IT community take notice

There may be no better feeling than when a bunch of tidbits from assorted events, interviews and releases all come together to create a story. I imagine it’s like a sculptor with a lot of extra pieces lying around their studio, having that moment of clarity of how their next piece of art will come together.

It’s been nine years since I launched this feature and I still surprise myself nearly every week with how stories come together. The federal and industry experts and sources who provide me with immeasurable support, insights and ideas that form the notebook hopefully have an impact on the three “Ps” of the federal government: Policy, people and programs.

As always, I encourage you to submit ideas, suggestions, and, of course, news to me at jpmiller@federalnewsnetwork.com.

The 2021 list shows the continued churn across the federal IT and acquisition communities with many of the same topics emerging as most popular in 2021.

See how these 10 compared to 2020’s top notebook stories.

Here are the top 10 Reporter’s Notebook stories in 2021.

1. CMMC update: Pilots, 3PAOs and more of what vendors need to know

The Cybersecurity Maturity Model Certification was probably the most watched, talked-about and criticized topic of 2021. Vendors, the Defense Department and civilian agency readers alike had an insatiable appetite for the latest details about one of the biggest changes in the federal community in decades. While the CMMC Advisory Board received its fair share of criticism, some of it deserving and some not, its monthly town hall meetings provided important updates during the early stages of the program.

2. These 7 agencies will be looking for new CIOs next week

Every four years, this story emerges and rightfully so. The fact is people like people news. Nearly a year after tallying up the CIOs who would be leaving, it’s good to see that the number of open CIO positions at CFO Act agencies is down to two, with the Senate confirming the last two political CIOs, Veterans Affairs CIO Kurt DelBene and DoD CIO John Sherman, in the last few weeks. Only the departments of Health and Human Services, and Interior have acting CIOs.

3. Technology Modernization Fund on track to receive biggest pay day ever

The build-up to the eventual $1 billion allocation to the TMF energized the federal IT community. Many vendors, who still do not quite understand how the TMF works, and agencies, many of which are frustrated today by the slow rollout of the funding, were excited to see lawmakers finally buying in with real funding to address the ever-growing technical debt the government faces. The TMF will continue to be one of the biggest story lines of 2022.

4. GSA kick starts 2021 with an acquisition potpourri

This is the type of story that the Reporter’s Notebook was made for. Individually, none of these items were worth their own article, but when you see a trend and pull all the pieces together, you have an important and valuable news story. The General Services Administration met many of its acquisition goals in 2021 with the award of ASTRO and initial awards under 8(a) STARS III. The Polaris governmentwide acquisition contract (GWAC) and the continued development of the services marketplace will be among the big story lines of 2022.

5. DHS, NSA creating reusable pieces to zero trust foundation

Months before President Joe Biden’s executive order mandating the move to zero trust, the buzz around this latest cyber construct was accelerating to its zenith. This story resonated with the audience because it was two real examples of zero trust in the proverbial wild. The National Security Agency and the Department of Homeland Security were on the leading edge a year ago. Today, NSA and DHS are among the many agencies that are figuring out how to pull these zero trust tools and concepts together to better protect their systems, people and data.

6. DoD planning to create big data platform to better understand supply chain risks

One of the other important roles the notebook plays is shedding some light on federal initiatives when, in this case, the Defense Department failed to do so. DoD plans to build a big data platform for supply chain information. It wanted industry feedback on some ideas and what capabilities are potentially available and decided, for whatever reason, to only ask a small group of vendors. It was surprising how many companies asked me for the RFI, demonstrating that more transparency should always be the rule, not the exception.

7. Obituary: GSA’s Rob Coen

The passing of Rob Coen was one of the saddest parts of 2021. There were so many people who learned about Coen’s death via this notebook item. There isn’t much to say about this, or really any other untimely death, just that we were better off knowing Coen and will continue to miss him.

8. CISA’s still overcoming challenges 5 years after Cybersecurity Information Sharing Act became law

This was a story from 2020 that snuck back into the top 10 for 2021. Of course cybersecurity remained one of the hottest topics last year and with all the discussion around threat intelligence, public-private partnerships and the like, it’s no surprise readers were looking for the latest update on the Cybersecurity and Infrastructure Security Agency’s efforts to improve cyber information sharing.

9. Data remains biggest obstacle to meeting 2023 deadline for TBM

Technology Business Management standards couldn’t be considered a hot topic in 2021. Neither the Office of Management and Budget nor the CIO Council released new guidance or playbooks to put TBM on agencies’ radars. But just when you thought TBM was possibly being put on the back shelf, OMB began to address one of the biggest challenges of a successful TBM implementation: Data. This common obstacle for CIOs, CFOs and other budget formulation experts is part of the reason this story made it into the top 10.

10. Industry’s patience wearing thin with DoD’s CMMC, GSA’s follow-on to OASIS

This story generated probably the most feedback, and frustration, of any notebook item in 2021. Usually letters to agencies are blasé, a dime a dozen and don’t ever amount to any real change. But these associations captured the frustrations of industry around two major initiatives where more discussion, communications and transparency would always be better than less. CMMC and the new services multiple award contract from GSA will remain big story lines to follow in 2022.


IT modernization, acquisition drove the CIO’s discussion in 2021

As I enter my 14th year hosting Ask the CIO, which is the longest running program on Federal News Network, the show’s evolution is clear.

It went from a one-on-one interview program focused on agency technology executives, chief information officers with an occasional deputy CIO or chief technology officer, to one that talks to an assortment of federal executives from across the CXO community about technology.

This evolution was both a conscious decision and one that happened naturally as technology permeates every facet of federal mission areas.

This is why it is no surprise that the top 10 Ask the CIO shows in 2021 ran the gamut across the CXO community. See how they compared to what was most popular in 2020.

Here are the top 10 for 2021:

1. Money for IT modernization is available, if you know where to find it

I have to admit I’m a little surprised by this one. Maybe it was the power of talking to former federal technology executives like Mark Forman and Gloria Parker, or maybe it was the headline and timing of the interview, coming out about two months before Congress passed the American Rescue Plan Act with its $1 billion for the Technology Modernization Fund, or maybe it’s just a recognition that IT modernization continues to be the most talked about topic in federal IT year after year. No matter, it was the most popular show of the year because it resonated across the community.

2. NITAAC details timing, evaluation plans for $40B IT services contract

While the number one show of the year was surprising, this interview with the National Institutes of Health IT Acquisition and Assessment Center (NITAAC) was a shoo-in to be among the most popular. The CIO-SP4 acquisition was one of the most talked about, complained about, protested about and focused on acquisitions over the past year. It will be a story that continues to give in 2022.

3. Cloud-based internet isolation initiatives to give DoD new kind of cyber protections

The pandemic and the release of the Trusted Internet Connections 3.0 use cases made cloud and cybersecurity a popular topic over the last few years. This interview from October 2020 remained relevant and showed that our audience found it by searching for possible solutions to these ongoing challenges.

4. GSA’s next set of acquisition modernization initiatives to focus on services, automation, data

This interview was a perfect example of Ask the CIO’s evolution. Sonny Hashmi, the commissioner of the Federal Acquisition Service at the General Services Administration, is a former CIO who now is leading an acquisition organization. Our discussion at the Coalition for Government Procurement’s spring conference highlighted the interaction of technology, data and automation with the federal acquisition process.

5. SSA’s disability case app modernization serving as building block to future transformation

This is where Ask the CIO shines, by giving usually media-shy organizations, like the Social Security Administration, an outlet to highlight important and successful IT efforts. This was the first interview with the SSA CIO in nearly four years and showed just how much progress the agency has made during that time.

6. Cyber dashboards exemplify CDM’s evolution under Cox

If Ask the CIO was like “Saturday Night Live,” Kevin Cox may just hold the record for most appearances. It was clear the former program manager for the continuous diagnostics and mitigation (CDM) program at the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security understood the value of messaging, media and promoting the success of CDM. It was a bittersweet “exit” interview after Cox decided to move back to the Justice Department to be its deputy CIO.

7. VA extending pandemic IT mindset to continue modernization acceleration

Give Paul Brubaker a microphone and you’ll get some of the best quotes of any federal technology executive in or out of government today. Brubaker, one of the original authors of the Clinger-Cohen Act and the holder of many federal executive positions, is another master of messaging, in this case talking about the Veterans Affairs Department’s new portfolio management approach to take advantage of the momentum that came from the pandemic. It showed how VA could be flexible, agile and deploy new systems and technologies rapidly.

8. FDIC, State finding novel approaches to bring new technology to users

This show was another example of Ask the CIO’s evolution. I moderated a panel at an AFFIRM event and it turned out to be one of the most popular shows of the year. It’s yet another testament to the fact that agencies are far from running in place in modernizing technology processes and applications. Sometimes it just takes the right prodding to get them to highlight their successes.

9. GSA makes course corrections with its commercial platforms initiative

Besides the No. 1 show, this was the other episode that surprised me by making it into the top 10. GSA’s commercial platforms initiative didn’t receive a lot of attention in 2021 as compared to previous years and the pandemic seemed like the perfect opportunity to prove its value. The jury still is out on the commercial platform initiative, especially with Congress telling GSA to test out the other two platforms in the coming year. This story will continue to give in 2022.

10. DHA performing some much needed IT system house cleaning

The top 10 list ends with a recent Ask the CIO interview about the Defense Health Agency, and it isn’t surprising that it’s one of the most popular in 2021. What struck me about this interview was just how big DHA is and how much Pat Flanders and his team are doing to modernize its technology. DHA is consolidating and standardizing to reduce the burden of managing and maintaining some 200 different IT and services contracts.


Cyber, customer experience will continue to drive major federal technology changes


If you don’t look closely, 2021 seems eerily similar to 2020 for the federal technology community.

Topics like the pandemic, cybersecurity, cloud and the like were all big movers and shakers over the last 12 months.

But if you peel back the onion or curtain, or whatever cliché you prefer, the next 12 months will be strikingly different if — and it’s a big if — the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency and Congress can come together to further push the evolution of IT modernization and cybersecurity.

For insights about the past and future of federal IT, Federal News Network asked for feedback from former federal IT executives:

  • Suzette Kent, former federal chief information officer
  • Eric Olson, former Treasury Department CIO
  • Dave Wennergren, CEO of ACT-IAC and former Defense Department principal deputy CIO
  • Mike Hettinger, president and founding principal of Hettinger Strategy Group and former staff director of the House Oversight and Government Reform Subcommittee on Government Management
  • Rich Beutel, managing principal and founder of Cyrrus Analytics and a former counsel for acquisition and IT policy/cloud for the House Committee on Oversight and Government Reform
  • Rob Dapkiewicz, senior vice president and general manager of MetTel Federal

For you, what were the two biggest federal technology stories of 2021?


Suzette Kent: My answers are not about the “single story” but the results delivered because of what the community accomplished:

  • New levels of cyber collaboration and response speed across government, industries and vendor community
  • Remote workforce innovation
  • Agencies that moved former paper processes to completely digital, for example, temporary worker certifications, Labor Department and Social Security Administration interviews, onboarding and offboard[ing] — not all, but some. They proved business continuity and in most cases delivered high quality, faster results.
  • Implemented broad-scale data sharing for all things pandemic related, be it vaccine research, vaccine distribution, worksite safety, etc. This demonstrates what can be possible with other types of purpose-driven shared capabilities, and I hear that some cross-agency collaboration tools might be coming soon too!

Rich Beutel: The momentum to create a modern, 21st century digital government through the embrace of customer experience, as an essential aspect of underlying IT infrastructure essential for government to modernize core service delivery. Virtually all key policy expressions, from the President’s Management Agenda to individual Office of Management and Budget policies and directives, now either expressly or implicitly acknowledge the necessity for government to reform all aspects of essential service delivery, especially to underrepresented and underserved communities, by re-examining how Americans “consume government” and by revamping the IT necessary to effectively serve this goal. In this regard, government’s failure to fully and completely implement the requirements of the two-year-old 21st Century IDEA Act stands as a massive program failure across the board.

The awareness that cybersecurity must be “baked-in” to every facet of government IT and digital government, through the adoption of zero trust principles, the botched roll out of the Cybersecurity Maturity Model Certification program and the restructuring of CISA and its implementing elements.

Eric Olson: The long tail of the SolarWinds exploit: The sophistication, scale and stealth of this exploit will drive federal technology priorities for many years to come. Remote work works: As evidenced by the annual Federal Employee Viewpoint Survey, federal employee satisfaction is at an all-time high, largely driven by remote work. Most departments and agencies report no material degradation in mission outcomes as a result of a maximum telework posture.


Dave Wennergren: TMF Fund gets $1 billion: The American Rescue Plan Act of 2021 provides $1 billion for the Technology Modernization Fund, a dramatic increase over the previous cumulative amount provided to the TMF. IT modernization is still a crucial issue, with agencies still spending the majority of their IT budgets sustaining aging legacy infrastructure and systems rather than implementing new, digital-age solutions, and IT modernization efforts need to not only address moving to the cloud, but also retiring/replacing the thousands of legacy systems and applications still in use. While $1 billion is a small percentage of the $90 billion-plus per year federal IT budget, it is still a dramatic increase, and expectations will be high that the $1 billion is spent effectively. We are at an inflection point. After years of funding the TMF in small bites, Congress has dramatically increased the funding and priority of this work. Investments must be made and measurable outcomes achieved in rapid fashion. If the fund is only drawn down by a small percentage a year from now, or if quantifiable improvements can’t be celebrated, it’s doubtful that there will be any appetite for future significant additional funding. $1 billion should make a noticeable difference, but it will take far more than $1 billion to transform the entire federal technology business.

New PMA announced. The arrival of a new President’s Management Agenda always provides a galvanizing force for agencies to move forward on key issues. It’s a good thing that the new PMA maintains momentum and interest on topics already being worked, as complex change in large organizations takes time. It’s also good to see commitment and attention being placed on technology modernization, cybersecurity, data, digital solutions, customer experience, shared services, improving the acquisition system, the “future of work” and the federal workforce. The things that we measure are the things we focus our time and attention on, and it’s encouraging that federal leaders will be focusing time and attention on these important topics.

Cybersecurity stays in the headlines. From SolarWinds to the Colonial Pipeline, cybersecurity remains a national imperative, with our intellectual capital and competitive advantage at risk. Cyber efforts must continue to adapt to reflect the virtual/mobile/cloud-based world we live in. A lot of attention is being paid to “baking cybersecurity into IT solutions rather than bolting it on as an afterthought.” And, it’s good news that cybersecurity and modernizing critical systems are top priorities for the Technology Modernization Fund. One area of cybersecurity that’s getting a lot of attention is the adoption of zero trust architectures. Zero trust has generated a lot of interest as a way to reduce risks while still enabling information sharing and legitimate access. As we have moved into a cloud-based, mobile access, virtual world, it became crucial to shift away from security strategies that may have made initial access hard, but once gained, allowed unfettered access to everything within a network. Zero trust uses a combination of robust identity management, access control, data-level security and strong monitoring to create an environment where positive identification and authorization allow transactions to occur. This topic will remain important in the year ahead.

Mike Hettinger: The biggest federal IT story of the year is SolarWinds. If you look at Congress’s focus since we first learned about SolarWinds, it has been all about cybersecurity and incident response. This has been a big part of congressional oversight, legislation and even funding — CIO offices have seen significant budget increases in fiscal 2022 to address cyber needs. A close second would have to be the TMF funding. Given that the TMF has been historically under-funded, securing $1 billion via the American Rescue Plan was an enormous win for the federal IT community. The key as we move into next year will be to ensure that the projects that have been funded via TMF are successful and that the fund expands to touch on areas other than just cybersecurity needs.

Rob Dapkiewicz: Enterprise Infrastructure Solutions transition: the timeline is compressing very quickly. Overall, EIS awards, orders and transitions are lagging where they should be, with some agencies just now releasing their request for proposals. Supply chain issues with network/telecom equipment: Projects and programs have faced possible delays due to the lack of availability of critical network equipment, e.g., routers. This is also exacerbating the compressed timelines for transition off of Networx, Local Service Agreements, etc., to EIS.

What technology story lines that began in 2021 will grow larger in impact in 2022?

Eric Olson: The Colonial Pipeline Ransomware Attack: Will the federal technology enterprise undertake the massive contingency planning required to rapidly recover from such an attack? Or, will the federal technology enterprise suffer from “a lack of imagination?” The Technology Modernization Fund: Congress funded the TMF at unprecedented levels for fiscal 2021 and the Office of Management and Budget has determined that full repayment is not required. Will Congress continue to fund the TMF at these levels when repayment is not required and investment decisions of this size are delegated to non-elected federal employees?

Dave Wennergren: I’ll go with the cybersecurity story that I mentioned above. Ransomware, phishing attacks and other cyber threats will continue to be top topics in the year ahead, and we have another election coming, further increasing the level of misinformation that will be fed to the American people. The pandemic has significantly accelerated the migration to a cloud-based, mobile access, virtual world. Security practices must move away from only defending network perimeters and focus on new approaches like zero trust architecture, data-level security and enhanced identity and access management.


Suzette Kent: Progress on digital advancement of citizen services, data and automation achievements and advancing cyber posture.

Mike Hettinger: The focus on cybersecurity is definitely going to carry over into 2022. First of all, the changes to incident response and reporting that have been proposed in Congress have not yet made it across the finish line. We expect those to be front and center early next year. Secondly, between the requirements of the cyber executive order, and the persistent threats that federal systems face, I believe we will continue to see a whole of government approach to cybersecurity in 2022 and beyond.

Rich Beutel: I believe that the focus upon enhanced and expanded “cybersecurity by design” will be a huge continuing story in 2022.

Rob Dapkiewicz: Cybersecurity and keeping pace with the evolving threat landscape, i.e. zero trust. Network modernization, as in transition versus transformation.

Looking ahead into 2022, what are two predictions that the federal technology sector should look out for?

Rich Beutel: Federal systems will continue to be hacked at an alarming rate until the pain becomes so extreme that major cybersecurity measures are forced upon virtually every agency. Government will embrace the growing awareness that streamlined and rapid acquisition techniques, such as other transaction agreements and commercial solutions openings, are essential means to support the government’s access to, and deployment of, critical commercial innovation.

Rob Dapkiewicz: Secure Access Service Edge will gain a lot of traction within federal agencies once they complete their transitions to EIS and then look to modernize and fortify their network architectures, and meet the OMB mandate to implement specific zero trust security goals by the end of fiscal 2024. Remote and hybrid work forces for agencies and industry are not going away. Agency networks will need to be far reaching and flexible.

Suzette Kent: People and operational changes due to service delivery being significantly more digital, workforce in hybrid location mode and massive growth in automation and artificial intelligence. All drive the need to reexamine workforce, risk practices and operational resiliency.

Mike Hettinger: I know it just came out on Dec. 13 but I think the customer experience executive order is going to have a huge impact. This is the first time we have seen this sort of laser-like focus on CX and the changes likely to come as a result of that are certainly worth watching. Second is zero trust, as 2021 laid a lot of groundwork for zero trust in the federal government and 2022 will be the year of zero trust implementation. Watch for additional policy activity that continues to promote zero trust.

Eric Olson: Zero trust architecture is the centerpiece of the cybersecurity executive order, however, it will take too long to implement and will not be a silver bullet that many want it to be. Aggressive consolidation and harmonization of the federal IT infrastructure is required to reduce complexity and the consequent vulnerabilities. As for the technology talent gap, the federal government is not likely to solve the technology talent recruiting and retention issue any time soon and in some ways is playing a zero-sum game by competing with itself. The federal technology enterprise should more aggressively leverage services from commercial providers to close the gap.

Dave Wennergren: As we navigate the pandemic, two facts remain certain: the pace of change we’ve witnessed in the past year will only continue to accelerate, and uncertainties will continue to emerge, reinforcing the need for both agility and resiliency. Expectations for rapid adoption of new solutions will continue to increase, placing pressure on the acquisition system and leaders to find innovative approaches. Organizations that are unwilling to embrace rapid change and the adoption of new technologies and approaches will fall further behind and risk irrelevancy.

Rank in order which organization will impact the federal technology sector the most in 2022, from 1 being most impactful, to 5 being least impactful. Explain your order:

Rich Beutel:

  1. CISA
  2. OMB
  3. industry
  4. Congress
  5. Other, i.e. think tanks

The explanation is that I think CISA will be the most critical given the acceleration of cybersecurity threats, the emerging incident reporting obligations and the massive amount of National Defense Authorization Act clauses from the current NDAA. I ranked Congress behind the others because of the continuing political gridlock and inability to reach consensus on much of anything. In my humble opinion, the action next year will continue to migrate to industry because that is where research and development, and innovation are happening.

Eric Olson:

  1. Other – Our adversaries
  2. Industry
  3. CISA
  4. Congress
  5. OMB

At scale, the civilian federal government will continue to remain reactive when it comes to leveraging technology: binding operational directives vs. adaptive risk management, and IT modernization vs. digital transformation. The most ambitious technology endeavors the federal government will pursue will tend to be the result of actions taken by others such as attacks by our adversaries or applying technology that is most aggressively marketed.

Dave Wennergren:

  1. OMB
  2. CISA
  3. Congress
  4. Industry
  5. Other

I’ll finesse this answer, as my hope is that OMB, CISA and Congress are all highly impactful (in a positive way) in the year ahead, as that is what is desperately needed. I am very confident that industry will be impactful in a positive way, as long as agencies encourage companies to offer new approaches and solutions, reward innovation and alternative approaches and encourage contracting approaches that allow companies to bring their creativity and skill to bear on the challenges facing government.

Mike Hettinger:

  1. CISA
  2. OMB
  3. Congress
  4. Industry
  5. Other

CISA has been the most active federal agency for at least the past year. The continued focus on cybersecurity will keep them as the most impactful organization in 2022. OMB, with its complementary role to CISA on cyber, and focus on other key areas like customer experience and federal IT modernization, will have the second-most significant impact. Congress has the potential to be very impactful as well, with a number of key pieces of cyber and IT-focused legislation pending. I ranked industry tied for third.

Rob Dapkiewicz:

  1. Other, i.e. GSA
  2. OMB
  3. Congress
  4. Industry
  5. CISA

How will the General Services Administration handle agencies that haven’t been able to transition off of Networx by the current deadlines? Will the pandemic and supply chain issues justify another extension beyond May 23, 2023? For OMB, [I considered] budget, EIS oversight, zero trust requirements. How will 2022 midterms change the makeup of Congress and budget priorities? Industry will follow the money and pivot as quickly as possible to meet the mission requirements of the federal government. Mergers and acquisitions, which have been numerous in the last few years, will continue to be a method for companies to fill perceived capabilities gaps and/or eliminate key competitors. CISA’s mission will continue to be one of the most critical in the federal government as cybersecurity threats escalate further.



CIOs at HHS, TSA, CTO at Justice leaving federal service

As summer turns to fall, change comes not just to the leaves on trees, but also within the ranks of federal technology and acquisition executives.

Retirements, new jobs inside and out of government and the continued churn of senior executives bring those feelings that turn us shades of reds, oranges and browns inside and out.

By the end of December, two agency chief information officers and one chief technology officer will have left their respective positions.

Federal News Network has confirmed that Russ Roberts, the Transportation Security Administration’s CIO, is retiring on Dec. 31; Janet Vogel, the acting CIO at the Department of Health and Human Services, will be retiring this month; and finally, Ron Bewtra, the Justice Department CTO, is leaving on Dec. 17 to join the private sector.

Roberts is leaving TSA after spending almost four years as its CIO and more than seven years in the CIO’s office, which he joined as the deputy CIO in 2015.

Russell Roberts has served as the TSA chief information officer since 2018 and is retiring at the end of the year.

He joined TSA in 2004 and worked on several mission-related projects before becoming deputy CIO. These included managing all technologies and services provided by Secure Flight and the Transportation Vetting System. He also served as TSA’s executive director for mission essential services in the Office of Intelligence and Analysis, general manager for security threat assessment operations in the Office of Law Enforcement/Federal Air Marshal Service and in various leadership assignments overseeing TSA’s criminal, immigration and terrorism vetting program portfolio.

During his tenure as TSA CIO, Roberts set up a digital services team about a year ago to accelerate the development of new capabilities. The digital services team led an effort to turn a manual process into a digital one for Transportation Security Officers to schedule shifts and vacations.

He also drove TSA toward a DevSecOps approach with a goal of making the agency a software-as-a-service (SaaS)-first organization.

Additionally, Roberts was a CIO who tried to keep TSA ahead of the technology curve, such as by moving to Windows 10, by upgrading laptops and desktops and by consolidating infrastructure and data centers.

A TSA spokeswoman confirmed Roberts is leaving, but didn’t say who would be interim CIO. TSA’s deputy CIO is Robert Fortner.

6 CIOs in 6 years at HHS

At HHS, Vogel is retiring after more than 40 years in government, including the last three-plus years with the agency where she has been chief information security officer and then acting CIO.

Janet Vogel is retiring after 40 years of federal service, including the last six months as acting HHS CIO.

“My work colleagues have repeatedly risen to address challenges, and together we have succeeded in removing monumental hurdles, and in raising the bar on accomplishments.  It takes a team – so – Thank You!” Vogel wrote in an email to colleagues, which Federal News Network obtained. “I am so proud to have worked side-by-side with so many great people. While I will miss each of you, I am looking forward to new challenges and new adventures. A sense of new-found freedom has entered my consciousness. It’s been great working with all of you, and I truly wish you success and happiness.”

With Vogel leaving, HHS will be moving to its seventh CIO in six years, counting both permanent and acting. Vogel replaced Perryn Ashmore, who joined Oracle in May after nine months as CIO; Ashmore had replaced Jose Arrieta, who unexpectedly resigned in August 2020.

Since Frank Baitman left in December 2015, HHS has moved from permanent to acting back to permanent and back to acting over the last six years.

That has led some to question both why and whether the HHS CIO needs to be converted to a political position.

As for Vogel, her time at HHS will be more remembered for her work as a CISO than as CIO. It’s not that she didn’t push change across HHS, but six months in the role isn’t a lot of time to make a huge impact.

Among Vogel’s biggest accomplishments as CISO is the overhaul of the Health Sector Cybersecurity Coordination Center (HC3) to ensure the most timely and valuable cyber threat intelligence is provided to healthcare providers, companies and other stakeholders.

Vogel also brought a sense of creativity to cybersecurity training, launching an “escape room” cyber training concept and applying a new risk framework to mobile devices when HHS executives traveled abroad.

Justice CTO heading to private sector

At Justice, Bewtra has been CTO since 2015 and joined the government in 2003 as the head of high performance computing and IT services at the National Oceanic and Atmospheric Administration. Before that, he served in executive roles with industry.

Bewtra also has been the co-chairman of the CIO Council’s Innovation Committee since 2018 and chairman of the Federal IPv6 Task Force.

As the Justice CTO, Bewtra focused on setting the strategic technology direction for the department and supporting key projects, specifically around artificial intelligence, data management, geospatial data, analytics and cloud computing.

Ron Bewtra is leaving after six years as the CTO of the Justice Department.

He also led the development and implementation of the department’s network and cloud roadmaps, and the development of a departmentwide technical reference architecture.

Bewtra confirmed his last day is Dec. 17, but said he didn’t have anything more to offer about what he plans to do next.

Along with those three executives, there have been several other moves that are notable.

You may have missed that the Federal Communications Commission CIO Francisco Salguero left in October to join Salesforce as a director and digital acceleration architect. He served as the FCC CIO for almost two years and spent more than 15 years at the Agriculture Department in a variety of technology executive roles, including his last two-plus years as the deputy CIO.

Another significant change came to the Office of the Federal CIO where chief of staff Jordan Burris joined the private sector.

Burris served more than four years in the OFCIO. His last day was Nov. 12 and he joined Socure, an identity management firm, on Dec. 6 as its senior director for product market strategy for the public sector.

“There is never a good stopping point as public service is a relay race. I was called to serve and we did our best to solve problems,” Burris said in an interview. “In my time at OMB, I worked on a plethora of issues and as I was evaluating what to do next, I felt the urgency to help improve and make more secure the use of digital identities, especially to ensure diversity and inclusion challenges. This is an issue I’m passionate about.”

Jordan Burris joined Socure after working at the Office of the Federal CIO for four years.

Burris said he’s most proud of his work at OMB to help rescind outdated technology policies, the update to the identity access management and credentialing policy and with the aftermath of the SolarWinds cyber incident.

“I spent a great deal of time partnering with public sector leaders, helping them to recognize and overcome the barriers and requirements they have to meet on top of meeting their mission,” he said. “At Socure, my goal and focus will be to continue those partnerships and continue to build momentum to make meaningful progress around identity and access management and combating identity fraud.”

The other executive on the move you may have missed was Steve Luczynski, the first lead of the COVID Task Force at the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department.

Luczynski said in a post on LinkedIn that he was moving back to the private sector, but hasn’t announced a new position yet.

“I’m proud of the work we did to bolster the cyber and physical security of the numerous entities involved in the research and development, manufacture, and distribution of vaccines. I’m grateful for the opportunity to lead such an incredibly talented team of experts from the private sector and federal government. We had a direct impact on preventing the further loss of American lives,” he wrote in a post. “In parallel, we pushed new ideas for a young agency, and as my deputy stated so well, ‘We exposed cracks in established processes and ways of thinking,’ that needed to see the light of day. We engaged other government agencies to leverage CISA’s authorities and cadre of experts to lead cybersecurity efforts across the healthcare sector. There is a tremendous wealth of talent available to address the complex cyber and physical security issues faced by all the critical infrastructure sectors which enable our national critical functions. I appreciate getting to see their work firsthand, and I know their success will only continue to grow.”

Luczynski previously worked as the deputy director for cyber plans and operations for the Defense Department and for the Air Force as its director of operations for the J3 at U.S. Central Command.

GSA, FDA shuffle leadership chairs

It wasn’t all bad news in terms of executives moving to new roles.

Long-time chief data guru at the Commerce Department and the Patent and Trademark Office Tom Beach took on a new role at the Food and Drug Administration in HHS.

Beach wrote on LinkedIn that he is now the director of data governance at FDA.

“It is with gratitude and honor that I take the Oath of Office again for my new role at the FDA. I am doubling down on the fact that public servants are just that — servants of the people,” he wrote in a post. “I look forward to joining team FDA as the director of data governance in support of its incredibly important mission and serving the American people. Much appreciation to all those who help make this happen and ready to roll up my sleeves.”

Beach worked at PTO for 17 years in an assortment of roles, including starting as a patent examiner and rising to become the chief data strategist. He joined the Commerce Department as its acting chief data officer in June 2020 before leaving to join the FDA in November.

Finally, there was some shuffling of the chairs at the General Services Administration.

First, Carlton Shufflebarger, the acting director of IT services in the Federal Acquisition Service, is retiring on Dec. 17 after 37 years in government.

“The hard work and dedication of leaders like Carlton is at the foundation of everything our agency accomplishes. It’s efforts like his that have helped our Office of Information Technology Category support agencies across government to achieve their missions,” wrote Laura Stanton, the assistant commissioner for the Office of Information Technology Category (ITC) in FAS, in an email to staff obtained by Federal News Network.

Shufflebarger joined GSA in 2008 after spending 19 years at the Postal Service.

As acting director of IT services, he was responsible for managing a portfolio of contracts, including governmentwide acquisition contracts such as Alliant 2, 8(a) STARS II, VETS 2 and the multiple award schedule special item numbers (SINs) for IT, professional services, training courses, electronic commerce, health IT services and automated contact center solutions.

“During this time, he led several important GSA initiatives such as the transition to a new operating model and developing business approaches in budgeting, strategic planning, communications and IT tools for a new organization. Most recently, he oversaw the launch of 8(a) STARS III and established the necessary foundation for Polaris. His efforts have helped balloon IT Services business volume to almost $20 billion in the last fiscal year,” Stanton wrote. “His impact on ITC, GSA and indeed the government as a whole has been significant and indelible.”

With Shufflebarger leaving, Stanton said Larry Hale will serve as the acting director of IT services. Hale has been the director of the IT security subcategory for FAS since 2018.

Stanton said in the email that Hale’s previous experience of managing and growing “the Highly Adaptive Cybersecurity Services (HACS) into the fastest growing solution in the ITC portfolio” and partnering “with the GWAC programs as director of strategic business planning and customer development” will serve him well to continue to drive innovation and progress.

Additionally, Stanton announced Terence Roundtree will be transitioning from his current role as deputy director to serve as the acting director of IT security. Roundtree has been with GSA for 11 years and spent time in industry in cybersecurity-focused positions.


New FISMA guidance strikes familiar cyber tune, but can OMB change out the instruments?


In April 2010, the Office of Management and Budget called for real-time cybersecurity data reporting and the end of compliance and paperwork exercises.

Over the course of the next 11 years, an assortment of federal chief information officers followed with annual Federal Information Security Management Act (FISMA) guidance that played a similar tune.

In October 2012, it was continuous monitoring and collecting data through the Cyberscope tool.

By 2015 in the aftermath of the breach suffered by the Office of Personnel Management, OMB released the cybersecurity strategy and implementation plan (CSIP) for civilian agencies as part of a “broad strategy to enhance federal cybersecurity and fundamentally overhaul information security practices, policies, and governance.”

Over the next couple of years, it was more of the same: less prescriptive, then more rigorous, then more prescriptive and more rigorous, and so on and so forth. Time and again, the annual FISMA guidance was an exercise in hope for change that provided limited improvements in select areas, but too often more paper and compliance efforts.

So don’t be surprised if the most recent FISMA guidance from OMB released Monday doesn’t elicit a feeling of “here we go again” from many veterans of the cybersecurity battlefield.

But if those long-time chief information security officers and information security officers look closely at the guidance, they will notice a distinct difference between then — 2010, 2012, 2015 and so on — and now.

New zero trust deadlines

OMB is moving away from self-attestation. OMB isn’t just saying let’s continuously monitor and report the cybersecurity posture of systems; it’s requiring the use of automated capabilities and the use of data standards to measure progress.

OMB also isn’t just changing the metrics and then leaving agencies out to dry with their inspectors general, who are focused on what the law requires, leading to the expected “slap on the wrist” report.

Instead, OMB worked with the Council of the Inspectors General on Integrity and Efficiency (CIGIE) on new metrics that address continuous authorizations and other risk-based metrics.

And finally, OMB is using the continuous diagnostics and mitigation (CDM) program not just to drive cybersecurity changes like it has tried to do in the past, but to address long-standing problems around the delivery of capabilities, data quality and the move to automation.

“These changes are intended to define a maturity baseline in certain high-impact capability areas, improve the quality of performance data collected at the enterprise level and accelerate our efforts to make more informed risk-based decisions and achieve observable security outcomes,” wrote Jason Miller, OMB’s deputy director for management, in a memo to agency leaders.

The clearest direction in the new FISMA guidance is around zero trust. OMB continues to build on President Joe Biden’s May cyber executive order by setting a deadline of Sept. 30, 2024, for agencies to meet certain goals across all five pillars of the zero trust maturity model.

Under the identity pillar, for example, agencies must “use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant multi-factor authentication (MFA) protects those personnel from sophisticated online attacks.”

Under the networks pillar, OMB says agencies must encrypt all domain name system (DNS) requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.

And under the applications and workloads pillar, OMB told agencies to “treat all applications as internet-connected, routinely subject their applications to rigorous testing and welcome external vulnerability reports.”

“As federal agencies face ever more sophisticated attempts to compromise government systems, it is vital that agency security efforts are focused on making it demonstrably harder for our adversaries to succeed,” said Chris DeRusha, the federal CISO, in a statement. “OMB’s updated FISMA guidance is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multi-layered security testing, automation of security and compliance controls and progress in adopting a zero trust architecture.”

Next evolution of CDM coming

Aside from the focus on the move toward zero trust, OMB has continued to update the approach to CDM.

Along with reiterating the requirement to justify why an agency wouldn’t use the tools and capabilities provided by the Cybersecurity and Infrastructure Security Agency, OMB also set two new deadlines for agencies.

First, by April 2022, “CISA, in coordination with OMB and the National Institute of Standards and Technology, will develop a strategy to continue to evolve machine-readable data standards for cybersecurity performance and compliance data through CDM (or a successor process)” — interesting aside here that OMB brings us a “successor” to CDM, which may be the first time this has been mentioned. Though at the same time, let’s not read too much into it, yet.

OMB says the machine-readable data standards will include metrics that will supplement existing CIO metrics from CISA and enable agencies to report their security controls in an automated and timely manner.

“OMB will use these metrics in a scorecard and will begin to grade agencies by December 2022. CISA will enable ongoing access to the data required to grade agencies on the new scorecard (through the CDM federal dashboard or successor) to OMB and the Office of the National Cyber Director no later than December 2022,” the memo stated.

The one thing OMB made clear about the new FISMA guidance is that it is not rewriting the law through policy. Senate lawmakers and OMB are working on an update to the legislation, which Congress first passed in 2002 and updated again in 2014.

The Homeland Security and Governmental Affairs Committee introduced and passed the Federal Information Security Modernization Act of 2021 in October. There is no House companion bill.

OMB also signaled changes to the FISMA reporting guidance after the latest report to Congress. DeRusha said at the time the changes to FISMA come from the current cyber threat environment and the continued need to focus on risk-based metrics.

New IG metrics

Moving toward a risk-based approach is a common theme in the new FISMA guidance — and it’s not a surprise. OMB mentions the word “risk” 17 times in 15 pages, including in how agencies should use CISA’s recently released incident response playbook.

“Utilizing the standard incident response playbook will enhance the ability of CISA and other agencies involved in incident response and recovery to assess the risk of vulnerabilities and execute incident response activities,” the memo stated. “The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting agency systems vary across agencies. Standardized response processes ensure a more coordinated and centralized cataloging of incidents and agency progress toward successful responses.”

OMB also made this point in how it developed new IG metrics with CIGIE.

The lack of coordination between OMB and CIGIE often has led to frustrations among CIOs and across the oversight community.

For this year’s FISMA guidance, OMB and CIGIE are transitioning the IG metrics process to a multi-year cycle and thus encouraging agencies to shift to a continuous assessment process for their independent assessment.

“OMB will select a core group of metrics, representing a combination of administration priorities and other highly valuable controls, that must be evaluated annually,” the memo stated. “The remainder of the standards and controls will be evaluated in metrics on a two-year cycle based on a calendar agreed to by CIGIE, the CISO Council, OMB and CISA. These changes do not in any way limit the scope of IG authority to evaluate information systems on an as-needed or ad-hoc basis.”

Additionally, OMB is shifting the due date for the report on how agencies are meeting the IG metrics to July from October to better align with the development of the president’s budget request.

“Reflecting OMB’s shift in emphasis away from compliance in favor of risk management, IGs are encouraged to evaluate the IG metrics based on the risk tolerance and threat model of their agency, and to focus on the practical security impact of weak control implementations, rather than strictly evaluating from a view of compliance or the mere presence or absence of controls,” OMB stated in the memo.

The call to focus on practical security is a familiar one. The question comes back to, as it always does, whether the changes are attainable and how OMB continues to press agencies forward, because DeRusha and others at OMB can’t just sign and forget it.


GAO sustains first of 23 protests of CIO-SP4 solicitation

The streak eventually had to end. The National Institutes of Health IT Acquisition and Assessment Center (NITAAC) had won 22 straight protests of its CIO-SP4 acquisition. But like all great runs, there finally was something they couldn’t overcome.

GAO on Nov. 23 ended that streak when it sustained part of Computer World Services Corp.’s protest of the CIO-SP4 solicitation.

CWS claimed the requirement that large businesses that are part of a mentor-protégé program with a small business could only submit two examples of past performance, while other joint ventures or teaming arrangements could submit three examples, was unreasonable and didn’t treat bidders equally.

GAO agreed with CWS when NITAAC couldn’t defend its position sufficiently.

“Agencies can shape their solicitation criteria any way they want, but they need to be able to explain it, and they weren’t able to come up with one here,” said Michelle Litteken, a counsel at Morris, Manning and Martin, who represented CWS before GAO. “They didn’t explain why they were treating a joint venture with a large mentor differently from other partnerships.”

NITAAC is using a scoring sheet approach where bidders receive points for meeting certain gate criteria. Based on the current solicitation, large businesses submitting proposals as part of a mentor-protégé joint venture couldn’t earn as many points as other bidders, creating what CWS saw as unequal treatment.

Litteken said by not imposing the same limitations on all teams, NITAAC is making it more difficult for these mentor-protégé teams to win a spot.

“You can treat people differently if you have a reason for doing it. You can have different point categories if a bidder is large or an emerging large or a small business. But there has to be a justification, and even GAO hints at that in its decision that there could be a reasonable way for the agency to explain what they are doing, what they did, but NITAAC didn’t do it so GAO sustained the protest,” she said. “If agency lawyers had come up with a better explanation we may have lost, but they weren’t able to.”

Reviewing GAO’s decision

NITAAC acting director Brian Goodger said in a statement to Federal News Network that they are reviewing the GAO decision.

“NITAAC is working with our Office of General Counsel in reviewing the recommendations by GAO to consider next steps. Our government customers can rest assured that the NITAAC suite of IT contracting vehicles will continue to provide best in class IT services both now and well into the next calendar year, if needed,” Goodger said.

NITAAC had defended its approach to CIO-SP4 successfully against the almost two dozen other protests. Of the 22 other protests, three have been denied by GAO, 12 have been dismissed and five were withdrawn. The CWS protest was considered three separate filings, two of which GAO did deny.

Despite the protest wins, NITAAC has come under pressure from industry associations and companies for its approach. Multiple amendments and changes to the solicitation and the extension of due dates left many in industry frustrated and confused.

Some in industry continue to believe CIO-SP4 will buckle under all the problems and pressure in 2022. Right now, it’s hard to know what the future of CIO-SP4 looks like, but if past is prologue, NITAAC seems to be on the right track given its track record of wins.

NITAAC is expected to make the first set of awards by the end of February.

“We fully expect and intend CIO-SP4 will be awarded in a timely manner. If there is a delay in the award date of CIO-SP4, please know CIO-SP3 and CIO-SP3 Small Business may be extended up to a year and NITAAC will ensure there is no gap in contractual coverage between CIO-SP3 and CIO-SP4,” NITAAC wrote on its website on Nov. 4.

CISA, GSA team up on cyber acquisitions

The Cybersecurity and Infrastructure Security Agency is, once again, teaming up with the General Services Administration to bring more cybersecurity services to civilian agencies.

The Homeland Security Department’s agency, through GSA, released two interesting requests for information over the last few weeks.

The most recent one, for protective email services, would build on the DHS effort from more than four years ago when it mandated the use of Domain-based Message Authentication, Reporting and Conformance (DMARC) standards.

GSA, on behalf of CISA, issued a request for information seeking industry feedback on three possible approaches to protective email services and on the initial set of general and core capabilities of the services, and asking vendors to describe their current approach and risks and to make recommendations.

CISA wrote in the RFI that its goals with the protective email service are to:

  • Normalize and provide baseline security and visibility for federal civilian agency email.
  • Detect and protect the federal enterprise from malicious email content as part of the CISA mission to manage FCEB risk.
  • Detect and prevent the federal enterprise email from being used as a vector for malicious threat actors against itself and non-federal entities.
  • Provide appropriate visibility into agency email traffic to enable CISA Global Operators to conduct cyber hunt and incident response.
  • Be able to leverage CISA’s and federal civilian agency entity data holdings in cyber hunt, prevention, mitigation and incident response activities.

Responses to the RFI are due Dec. 20.

The second RFI, from Oct. 14, is for endpoint detection and response (EDR) capabilities. This is part of CISA's requirements under the May cyber executive order from President Joe Biden.

“CISA is executing an approach where major investments in validated EDR tools can be expanded at agencies. In this model, CISA would, in full collaboration with agencies and their security operations staff, identify and validate specific EDR tools that are functionally capable and compatible with CISA’s mission to unify the federal civilian executive branch (FCEB) enterprise in enabling coordinated threat detection and response,” the RFI stated. “This approach is inclusive of evaluating the existing investments agencies have made in their EDR tooling (and security processes), and soliciting from agencies true technology needs (i.e., gaps in functionality and/or coverage).”

Knowing agencies already have some of the necessary tools, CISA plans to work with agency security operations centers (SOCs) to fill any existing gaps in EDR platforms.

Responses to this RFI were due Nov. 15.

Both of these RFIs signal the continued growth of services that CISA will either provide or manage on behalf of agencies. The big question that remains is whether adding more tools and capabilities is what's needed, or, as Alan Paller used to lead the drumbeat for, whether CISA and agencies should focus more on people and soft skills, because in the end the tools can't stop people from doing dumb things. Maybe the next RFI will be for cyber workforce training instead of more tools to help address this constant shortcoming of all organizations.


Task order protests made up larger percentage of all GAO complaints in 2020

Since Congress approved the ability of vendors to protest task and delivery order contracts in the 2008 National Defense Authorization Act, the federal community has been on edge. Contractors and acquisition professionals alike have expected the number of task order protests to skyrocket and potentially bog down the Government Accountability Office's system.

While that hasn’t happened in the 13 years since Congress granted this authority, the fiscal 2021 bid protest report to Congress from GAO finally shows a turning tide.

Protests of task or delivery order solicitations made up a larger share of the bid protest volume than ever before.

In 2021, GAO said vendors submitted 401 protests from task or delivery order contracts, while the number of protests overall dropped by 12% to 1,897, meaning task and delivery order protests accounted for 21% of all protests. In 2020, for example, task and delivery order protests accounted for 19% of all protests and in 2019, these types of contracts accounted for 17% of all protests.

Emily Murphy, a former administrator of the General Services Administration and senior staff member on the House Armed Services and House Small Business committees, said the increase continues to show the importance of winning these contracts.

“The fact that task and delivery orders were a higher percentage tells me that the amount of money in the system wasn’t reason enough for companies not to protest,” said Murphy, who recently joined the George Mason University Center for Government Contracting as a senior fellow. “I think there still is a feeling that if you lost, you want to know why and protesting is one way to find out.”

This increase occurred despite fewer large, multiple-award task order contracts being awarded last year.

Barbara Kinosky, the managing partner of Centre Law & Consulting, said despite Congress raising the task and delivery order bid protest threshold to $25 million for Defense Department acquisitions in 2018, the numbers continue to hold steady.

“Even though the number of protests is down 12%, the effectiveness rate is down only 3%, so there is an excellent chance for protestors to get some type of relief,” she said.

The effectiveness rate, which was 48% in 2021, combines the number of protests GAO sustained and the number of protests on which agencies took corrective action, meaning that almost half of the time the contractor receives some sort of change it was looking for in the agency's decision.

The effectiveness rate jumped to 51% in 2020 — the highest mark ever.

Eric Crusius, a partner with Holland & Knight, said the drop in the effectiveness rate while the sustain rate stayed the same at 15% means agencies took less corrective action last year.

Crusius, Kinosky and others say this may be related to the drop in total protests, driven by agencies' increased use of contract types that were not protestable, such as those under the Defense Production Act or other transaction authorities, particularly to meet needs during the pandemic.

“There was more money in the system last year, and when there is more money in the system, protests historically have gone down,” he said. “There is more for everyone to bid on, there are more task orders too, and both of those are the drivers of lower protests numbers.”

Source: GAO bid protest report to Congress, 2021.

Murphy added another possible reason for a lower number of protests last year was the increased use of enhanced debriefings by DoD and GSA.

Congress mandated DoD provide enhanced debriefings for all awards worth more than $500 million in 2017.

“When we did surveys at GSA, companies told us it was helpful and they were less likely to feel the need to protest if we shared more information,” Murphy said. “If agencies are willing to get into agreements to let lawyers see documents to help vendors know why they lost, there is less of a likelihood of a protest.”

In the 2022 Defense authorization bill, Congress wants DoD to provide them with a briefing on the use and impact of enhanced debriefings by the end of 2021, assuming the bill becomes law.

“The committee is encouraged that in evaluating the extent to which the bid protest system affects or is perceived to affect the quality or quantity of pre-proposal discussions, discussions of proposals or post-award debriefings, the RAND report found that some Department of Defense agencies are improving dialogue with companies to increase the transparency of the procurement process and dissuade unsuccessful offerors from filing bid protests,” the House report stated. “The committee is further encouraged that the enhanced debriefing rights established in section 818 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91) were immediately implemented as a class deviation and expects the related Defense Federal Acquisition Regulation Supplement case to be resolved soon. In order for the department to gain the full benefit of enhanced debriefings, the committee emphasizes the demonstrated value of meaningful, in-person debriefings to avoid unnecessarily costly and time-consuming bid protests.”

The experts said one of the biggest surprises from the report was the most prominent reasons for sustaining protests.

GAO listed the top four reasons for sustaining protests as:

  • Unreasonable technical evaluation;
  • Flawed discussions;
  • Unreasonable cost or price evaluation;
  • Unequal treatment.

While three of the four are common reasons, flawed discussions, which generally means the agency engaged in unequal discussions with bidders, allowing one vendor to have an advantage over the others, was the rationale that surprised experts.

“It goes to show how careful agencies have to be when engaging with offerors. Discussions are a ripe area for protest and there is a lot of room for second guessing from a disappointed bidder,” Crusius said. “Usually it’s not intentional and the agency thinks they are helping or not doing a good enough job addressing questions from offerors. It can be complicated especially with services.”

Kinosky added that, for many years, flawed or unequal discussions were a difficult ground on which to win a protest because the concept was subjective.

“It seems now GAO is focusing on making sure these discussions are equal. In some cases, we are moving more from a subjective to an objective standard with discussions. The more of an objective line with what is critical and what isn’t and if all critical issues were raised with each party,” she said. “I really believe it’s more of a viable protest ground these days.”

Another trend that may not be clear in the GAO report is what many believe was a disadvantage for incumbent contractors when it came to cost reasonableness.

Kinosky said many contractors believed that the government was hesitant, in some cases, to pay for experienced workers, who tend to cost more.

“I’m seeing this issue more in high tech issues where there is a shortage of qualified candidates. The government is doing its own evaluation of the market, and it sees a senior engineer would cost ‘X’ amount of money and if a company’s rates or indirect costs will not support that, they are calling it out more,” she said. “The government expects a more robust cost realism analysis because they are interested in ensuring there is low turnover among companies. I think the government is realizing that price isn’t as important in best value when buying high tech services.”

Murphy said one thing to keep in mind about GAO's protest report is that there are fewer than 1,900 protests against the tens of thousands of contract actions that happen every year.

“The fact we are talking about a little less than 2,000 protests is remarkable. It’s a really low amount of protests, and it shows the process works well,” she said. “Yes, it can be painful when it doesn’t, but it does work most of the time. I think the low protest rate is good only if we are doing things the right way. If we have a fear of protests and that interferes with the agency’s ability to innovate or not get what they need, then the number is a bad thing.”
