Tales from GAO’s open recommendations: CyberStat overhaul, bridge contract guidance paused

Sometimes the best part about being a reporter is getting under the covers of a report or a website and finding some news.

It’s as much about the hunt as it is the kill, so to speak.

The first document that you had to read deep into to find the news nuggets was from the Government Accountability Office’s report on open recommendations for the Office of Management and Budget.

GAO said it made 10 new recommendations for a total of 35 to improve government performance, increase spending transparency, improve acquisition management and reduce costs, reduce governmentwide improper payments, strengthen information security and establish controls for disaster relief.

The first piece of news is that OMB is bringing back CyberStat sessions, or something similar.

In response to a July 2019 recommendation from GAO, OMB said they plan to enhance CyberStat sessions based on agency feedback.

OMB says it created an “updated concept of operations document that is currently in draft. To fully implement this recommendation, OMB needs to finalize and release the CyberStat concept of operations document and increase agency participation in CyberStat meetings,” GAO stated.

OMB launched CyberStat in 2011 as a series of review sessions with agency chief information security officers or other cybersecurity officials to examine Federal Information Security Management Act (FISMA) metrics and address any challenges.


But after holding 24 reviews in 2016, it’s unclear if OMB continued these efforts. There were only two mentions of these sessions in the fiscal 2017 FISMA report to Congress and no mention at all in the 2018 report. OMB’s 2019-2020 FISMA guidance to agencies also didn’t mention anything about CyberStat.

“By increasing the number of agencies participating in CyberStat meetings, OMB gains an opportunity to assist agencies with improving their information security posture. OMB also would increase its ability to oversee specific agency efforts to provide information security protections for federal information and information systems,” GAO stated.

Bridge contracts guidance falling down

Nearly five years ago, the Government Accountability Office suggested the Office of Federal Procurement Policy issue a policy to address a growing concern about bridge contracts.

No, not acquisitions to pay for actual bridges. That would make too much sense.

These are mostly short-term contracts where an agency needs services to continue until it can award a new contract.

GAO said OFPP guidance “would help gain visibility and enable efficient management on the use of bridge contracts in federal agencies. Although these contracts can sometimes be a useful tool to avoid a gap in services, they are typically envisioned to be used for short periods of time.”

But now, OFPP told GAO maybe new guidance isn’t needed.


“In January 2020, however [OMB] noted that they are reviewing the extent to which OMB guidance is necessary moving forward,” GAO stated. “Without this guidance, agencies may continue to use noncompetitive bridge contracts frequently or for prolonged periods of time, potentially paying more than they should for goods and services.”

In December 2018, GAO found that during fiscal 2013 through 2017, agencies spent more than $15 billion per year, or about 30% of IT contract spending, on a noncompetitive basis through bridge contracts.

“GAO estimates that about 7% of noncompetitive IT contracts and orders were used to support outdated or obsolete legacy IT systems. Officials from the agencies GAO reviewed stated these systems are needed for their mission or that they are in the process of modernizing the legacy systems or buying new systems,” the report stated.

DoD ending its CIO leadership program

The next place where you had to look hard to find the news was the announcement by the Defense Department that it was ending its CIO Leadership Development Program at the National Defense University after 30 years.

OK, it wasn’t really buried, and DoD, to its credit, said it was the “last iteration” of the course in the headline of the release announcing the final graduates.

But what DoD didn’t answer was the why, especially since few could argue with the program’s success.

NDU launched the CIO leadership courses in 1990 with a goal of training military, civilian and international leaders to improve how they manage and understand technology. DoD says more than 1,500 students have graduated from the 14-week program, which provides participants with the CIO certificate, a diploma, and course work applicable toward a master of science degree in government information leadership.

NDU spokesman Mark Phillips said in an email that the decision to end the program is part of a large transformation going on across the university. He said no decisions about what the future technology or cyber courses will look like are final so he didn’t have much more to offer.

The decision by DoD, however, attracted the attention of four lawmakers, who wrote to Secretary Mark Esper and Deputy Secretary David Norquist, seeking more details.


“We believe that academic programs specializing in cyber and information warfare should not be relegated to standalone elective courses within other NDU colleges, in lieu of their full degree or certificate-granting status at the CIC. We fear that such an action sends the wrong message to our warfighters and to our adversaries,” wrote Sens. Mike Rounds, R-S.D., and Joe Manchin, D-W.Va., and Reps. Jim Langevin, D-R.I., and Elise Stefanik, R-N.Y., in the April 24 letter. “The strategic environment today demands carefully calibrated strategy, policy and operations in cyberspace and the information domain. Accordingly, we should be building up — not diluting — cyber education for military and civilian personnel.”

The lawmakers pushed even harder about the decision, saying there are several components, including the Under Secretary of Defense for Policy, U.S. Cyber Command and the CIO, who “have made clear that this decision would cause unacceptable harm to the joint mission of training and cultivating a professional cyber workforce, resulting in a workforce shortfall in the face of ever-increasing demand for cyber expertise and cyber professionals.”

What complicates this situation even more is that the CIO leadership program is codified in law. The legislators say Title 10 of the U.S. Code establishes the program as a “constituent institution of the NDU.”

“As such, it is our expectation that any action to eliminate, subsume into another college, or institutionally diminish the CIC would require a change in law or prior explicit congressional approval,” the lawmakers wrote. “We understand that — while a final decision surrounding the CIC is yet to be announced and no legislative proposal has been delivered to the Congress — some CIC faculty have already left and potential students are not applying to CIC programs due to the uncertainty surrounding the future of the CIC. It greatly concerns us that the NDU appears to have encouraged this uncertainty and attenuation, failed to respect the Congress’ intent and institutionalization of the CIC in law and may not be able to restore that lost expertise and capability. In view of that, we expect to work with you, the Joint Staff, and the President of NDU to make sure that this avoidable gap in professional military and civilian education is promptly addressed.”

It’s hard to believe DoD is just going to end the CIO and cyber education programs, but not providing a little insight into the direction they are heading is one of those frustrating moments that leaves us all shaking our heads, because it easily could’ve been avoided.
