Current and former federal technology executives say software supply chain security emerged as one of the biggest challenges last year given both the attention ...
If you are looking for consistency in your business life, the federal technology sector is a great place to be.
Let’s be clear, things change. New priorities emerge. Old priorities fall below the radar.
But year after year — and I’ve been doing this now for 25 years — there consistently are storylines that ebb and flow like a good soap opera. But instead of the “shocking” revelation of a character coming back from the dead or out of a coma, it’s more about a storyline or character coming back from a long vacation.
For 2022, federal technology storylines continued to focus on cybersecurity, IT modernization and the skillsets of the workforce, while areas like customer experience, supply chain security and many others emerged.
Federal News Network asked former and current federal technology executives to weigh in on the year that was 2022 and offer their take on how the storylines drew in the audience over the last 12 months.
The panelists are:
KF: To enable chief information officer oversight of IT investment portfolios across the federal government, many agencies are transitioning to large, cross-cutting IT contract vehicles. Two examples are: the Joint Warfighting Cloud Capability (JWCC) at the Defense Department and State’s Evolve indefinite delivery, indefinite quantity (IDIQ). DoD’s multiple-award JWCC vehicle provides DoD-wide access to commercial cloud capabilities directly from class-leading cloud service providers. The Department of State’s multi-billion dollar Evolve IDIQ program will do the same across all major technical service areas. Following strategy development, acquisition planning and industry outreach, we recently released the final request for proposals. Positioning the federal government to leverage large multi-award IDIQ contracts is a major step forward. At State, effective procurement of IT services and products for the department is also key to Secretary Antony Blinken’s agenda to build a State Department equipped to innovatively and securely operate in the 21st century.
JD: FedRAMP Authorization. I can remember when this bill was first introduced, and we worked on refining the language around the same time the Modernizing Government Technology Act was moving forward. I think the presumption of adequacy in the Federal Risk Authorization Management Program (FedRAMP) authorization language should be helpful to agency CIOs who must take on the risk and cloud service providers seeking to enter the market, but it is still a challenge for new entrants to find an agency sponsor for their solutions. The language also emphasizes the need for automation and sharing of FedRAMP package information — all helpful to the agencies seeking secured solutions and opening the market to more solution providers. The language also establishes the Federal Secure Cloud Advisory Committee providing a forum for better stakeholder collaboration — especially with cloud service providers. The committee is supposed to have 15 members, including five cloud service providers and the General Services Administration is directed to appoint these members within 90 days of enactment. I hope GSA moves quickly on this requirement.
Customer experience executive order. I know the EO came out in December 2021, but we really saw a lot of activity in the customer experience area as agencies pivoted in 2022 to deliver on the promise of the EO and the President’s Management Agenda outlined customer experience priorities. In 2022, agencies put people in place and really focused on moving forward with the journey mapping of life experiences. And the Technology Modernization Fund tagged $100 million to support customer experience initiatives — the first CX-related TMF award was made in December. I can remember having customer experience conversations at GSA when I was there in 2019, but in 2022 there was just a lot more buzz governmentwide about how to deliver on customer experience. This activity gives contractors the demand signals that help shape solution delivery.
MH: Overall, I think we have made significant progress in cybersecurity generally, and zero trust specifically. Beginning with the issuance of the OMB zero trust strategy in January 2022, we have seen OMB, along with the Cybersecurity and Infrastructure Security Agency (CISA), aggressively push agencies toward zero trust adoption. With the Defense Department’s release of their own zero trust reference architecture and strategy later in 2022, we have the makings of some significant changes in how federal networks are secured. These policies, combined with increased attention and in some cases funding from Congress, have us moving in the right direction on cybersecurity.
The other success I’d point to is CX. Similar to what we have seen with cybersecurity, the CX executive order seems to have jump-started agencies’ focus on critical CX initiatives. As we look ahead to the 2024 budgets we expect to see increased funding requests for CX-related initiatives, as a result of the EO, as well as other CX-related initiatives. I’ll add that TMF has played a role here too, announcing earlier this year that $100 million in TMF funds would be dedicated to CX projects. This is starting to pay real dividends.
JV: Accomplishment number one is the award of the DoD cloud contract. Finally! This contract award was on a protracted timeline. It is an important example for us in that as much as the federal community has goals to simplify the contract activities, obtain improved volume pricing and increase consistency — it will take several steps, or phases, to achieve them. This procurement should remind us that competition is part of the fabric of our country. The award went to four vendors and should take us a bit closer to realizing the goal of improving pricing due to the volume of work they will be receiving. This provides some consistency for the commercial companies involved, simplifies some of their contract activities and, hopefully, provides some stability for fiscal planning and employees.
JA: With major IT and data modernization initiatives underway at the Centers for Medicare and Medicaid Services, the Food and Drug Administration, the NIH, the Centers for Disease Control and Prevention and the Department of Health and Human Services reaffirmed their commitment in 2022 to invest in IT, overhauling their technology spend to improve efficiencies and make services easier for citizens and employees to use. Applying learnings from the COVID-19 pandemic, this was an impressive step by the agency to further prepare themselves for the CX executive order and the public’s expectations for a digital government. Citizens increasingly expect public services to function with the same agility and accessibility as the private sector. This is a step in the right direction for one of the largest U.S. federal agencies.
Second, the Binding Operational Directive (BOD) from CISA at the start of the 2023, BOD 23-01, refocused many agencies on the steps they need to take towards automated asset management in 2023. In line with existing progress towards zero trust architectures, this is an exciting and necessary forcing function across the federal government.
KJ: CISA initiated true customer assessments and cyber expertise across departments and agencies that will lead to improvements of cyber postures of these organizations. Under the leadership of Jen Easterly, CISA leadership brought the critical resources to the table to closely examine an agency’s cyber posture from all angles, from Architecture to Identity to Zero Trust roadmap planning and governance.
AD: At DOE, we’re really excited about the interagency collaboration to deliver dashboards and tools to support the president’s Justice40 initiative. Both independent and shared efforts are happening across the administration at the White House and multiple cabinet-level agencies to track impacts to underserved and overburdened communities and to track delivery of benefits to those communities. These efforts are making a difference to get Bipartisan Infrastructure Law (BIL) and the Inflation Reduction Act (IRA) funds to the communities with the greatest need.
Within DOE we’re really excited about Frontier, the first exascale supercomputer and, currently, the fastest computer in the world. While I don’t oversee research at Oak Ridge National Laboratory, the advancements in supercomputing will directly impact IT, information management, operational technology and cybersecurity throughout DOE, the government and the private sector.
JD: Section 876 authority. This is a little in the weeds, but I’ve been pleased to see GSA’s use of the Section 876 authority, increasing competition at the task order level. This was a provision I worked on in the 2019 National Defense Authorization Act and now GSA is adopting this approach in major upcoming contracts like OASIS+ and Alliant 3. Before this authority became available, we were asking potential contractors to spend a lot of money in developing proposals to make their best guess on pricing. Section 876 authority gives acquisition professionals the flexibility to find the most qualified contractors and then make them compete on price at the task order level. It seems intuitive that you’re not really going to know how to price at any kind of detailed level when vetting contractors at the master contract level because you don’t know exactly what agencies are going to need until they issue specific requirements at the task order level.
GSA/DIU partnership. In the federal acquisition world, agencies are always on the hunt to expand the access to technology, and I think the partnership GSA announced in May 2022 with the Department of Defense’s Defense Innovation Unit (DIU) was a great step forward toward that end. GSA and DIU signed a memorandum of understanding (MOU) to make it easier for agencies to access innovative technology solutions by bringing DIU technology solutions to GSA’s multiple award schedule. I think this type of coordination across government is critical to ensure agencies have access to emerging technologies.
JA: In late 2021, the Biden administration published its President’s Management Agenda, which underscored the need to deliver greater digital services for citizens and employees. Following pandemic shifts in how citizens expect to interact with the public and private sectors, the PMA was an inflection point in the federal government’s ever-evolving digital transformation. By designating 35 high impact service providers, the administration created focus and priorities for an overwhelming task. Throughout 2022, we saw agencies accelerate improvements in customer experience and chart a course for integration of cross-agency functions and programs.
AD: Going for the relatively obscure, I think that the efforts of the artificial intelligence community to respond to the request to inventory federal use cases have come together faster than anticipated and are providing information that will help the federal community learn from each other. We’re already seeing outreach within that community as departments and agencies look at each other’s inventories, ask each other questions and discuss leveraging capabilities. This is helping the government know what the government knows. This mirrors DOE’s internal efforts to inventory our capabilities in 5G and cyber defense research with the explicit goal of helping DOE and our interagency partners know what DOE knows.
I’m well aware that we haven’t met all the expectations for the EO on cybersecurity, but the reality is that the federal government as a whole has made an amazing amount of progress on a huge scope of work that was added to an already full plate without incremental funding. In particular, organizations are making substantial progress towards not only implementing multi-factor authentication and zero trust across the enterprise, but, more importantly, in making the cultural change required to fully execute this transition.
KF: The Department of State has rapidly made progress in implementing the standards established in E.O. 14028 [cybersecurity]. In less than two years since President Joe Biden signed the executive order, the Department of State has made strides in establishing a zero trust security framework, encrypting data in transit and data at rest and pursuing more thorough cyber supply chain risk management programs. The Department of State has also successfully implemented multi-factor authentication (MFA) across all our systems.
AD: The conflict in Ukraine has, once again, raised the level of cybersecurity threat to the public sector. In DOE’s case, that means not only our IT assets, but also our operating technology including the power grid and our manufacturing plants, our research assets across the national labs and the privately run energy sector. We anticipate that the threat level will only ratchet up. We must continue to be vigilant and take a risk-based approach to the threats facing our assets and employees.
MH: Software supply chains emerged as a significant challenge in 2022 and this is certain to carry over into next year. At the end of the day, this is really a compliance issue but one that’s going to come fast and furious next summer as the self-attestation requirements of OMB memo M-22-18 kick in. How industry responds to these requirements, along with how flexible OMB will be with their implementation, will go a long way toward determining how much of a burden this might be. I remain hopeful that strong compliance with the self-attestation requirements will stave off the more burdensome and costly full-blown software bill of materials (SBOM) requirements that continue to hover in the background.
KJ: Cybersecurity remains the biggest challenge overall; however, maintaining that balancing act where modernization initiatives and other efforts don’t get bogged down where departments and agency executives are just catching on that cyber is serious. We have management executives that are overly excited and easily go down the rabbit hole on issues that CIOs have had to address for a long while.
Delivering on modernization and transformation efforts will continue to be a challenge given the persistent cybersecurity threats that remain across the federal landscape. IT Executives are for great reasons being hamstrung by cyber threats — which then lends opportunity for delays on the CX and modernization front.
JD: Supply Chain Security. Supply chain security has emerged as a complex issue that can impact contractors in large and small ways that become apparent with new prohibitions and/or compliance challenges. It can cover everything from manufacturing and building up the industrial base to buy domestic or buy allied to federal acquisition requirements to build secure IT solutions and mitigate national security risks by limiting procurement of certain goods and services.
KF: As many organizations can attest to, attracting and retaining top cybersecurity talent remains a challenge. We are often in direct competition with popular tech companies, as well as our partner agencies within the federal government. Recruitment and retention will continue to be a challenge as we head into 2023.
JV: The federal budget process takes too long and is always a gamble for departments which develop budgets two years in advance. The ability to implement security and IT capabilities just doesn’t happen overnight. Any break in funding or delay of programs can have very negative impacts on services to citizens.
JA: Cybersecurity was clearly a top concern for all organizations in 2022. While progress was made by agencies in scoping their zero trust plans, the CISA BOD 23-01 emerged as an important set of objectives for all agencies to improve asset visibility and vulnerability detection. Understanding the devices, data and applications on your network are three of the pillars of CISA’s zero trust maturity model. Implementation of this BOD will advance zero trust plans in a meaningful way in 2023 and beyond.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.