Reporter’s Notebook

“Reporter’s Notebook” is a weekly dispatch of news tidbits, strongly-sourced buzz, and other items of interest happening in the federal IT and acquisition communities.

Submit ideas, suggestions and news tips to Jason via email.


Technology executives on the move at Education, OPM, HHS

The Education Department lost two top technology executives this week. The Department of Health and Human Services filled three key technology roles. And the Office of Personnel Management made quick work to name a new permanent chief information officer.

These are just a few of the big personnel changes in the federal IT community. And this isn’t even counting the 10 or so CIOs who are leaving this week when their political appointments come to an end.

Let’s start with the Education Department changes. It may be a case of the time of the year. New year, new start. It may be a case of executives looking for new opportunities with all the threats about “shutting down” the Education Department by the incoming administration. Or, it may be a case of a new CIO wanting their own people in key positions. Thomas Flagg came over to Education in October. Or maybe there is something more going on that we don’t know about.

No matter the reason, Education has two big holes to fill with Steven Hernandez, the agency’s chief information security officer, moving to the U.S. Agency for International Development to be its deputy CIO and CISO. And Brian Bordelon, Education’s deputy CIO, moving to the Commerce Department to be its chief technology officer and deputy CIO.

Hernandez, who also is the vice chairman of the CISO Council, is joining his old boss Jason Gray, the USAID CIO, who was Education’s top technology executive for more than six years. Gray joined USAID in August 2022.

Steven Hernandez is the new CISO and deputy CIO at USAID.

“While I am thrilled about this next chapter, it is bittersweet to leave a team I hold in such high regard,” Hernandez wrote in an email to staff, which Federal News Network obtained. “You have risen to every challenge and proven yourselves to be, in my opinion, the best cybersecurity team in government. Together, we have tackled some of the most complex cyber challenges in the world, and you have never let me down. It has been both a privilege and an honor to serve as your leader, and I am incredibly proud of all we have accomplished.”

Hernandez’s first day at USAID was Monday.

Hernandez was the Education CISO for more than seven years and previously worked at HHS.

During his tenure at Education, he oversaw the agency’s move toward zero trust with a recent focus on orchestration and automation.

Bordelon’s departure was a little more surprising. He had been deputy CIO only since August and had been with Education for a little more than 18 months.

But he’s joining Commerce as Brian Epley, the agency’s new CIO, creates his own team of executives.

Bordelon, who also worked for the Environmental Protection Agency, the Defense Logistics Agency, the Defense Department and the Army, helped the Education Department modernize its delivery of cloud services through its Pivot H hosting contract.

“That allowed us not just a reduction in what we’re spending or what we’re charging our different operating centers, but it’s also given us the opportunity to move to a model where we have more flexibility and more scalability,” Bordelon said before he left on Ask the CIO. “Our customers can choose if they want to use AWS or if they want to use Microsoft’s Azure. On the qualitative side, it gives them the ability to build things in those clouds. And as we talk about data integration and as we talk about artificial intelligence and other future and emerging technologies, we’re just in a better place.”

Bordelon said one of Education’s top priorities for 2025 is to continue to modernize the Ed.gov website and improve its user experience.

“A shout out to the whole team and what we’ve done is we’ve changed the governance model of how it’s done. Rather than having IT folks run this, they’ve built it, but the content is managed by the offices, so the governance has changed, so it’s more agile, more user friendly and standardized across the board,” he said.

While Education is looking to replace two technology executives, OPM and HHS filled key holes.

At OPM, Melvin Brown II steps up to become the permanent CIO, replacing Guy Cavallo, who retired after 23 years in government on Jan. 10.

OPM promoted Melvin Brown to be its permanent CIO.

Brown II has been OPM’s deputy CIO since January 2021, following Cavallo over from the Small Business Administration.

Additionally with Brown II’s ascension, James Saunders, OPM’s CISO, becomes the new deputy CIO and Danielle Rowell is the new acting CISO. She has been the agency’s chief of cyber engineering since November 2022.

During his tenure as deputy CIO, Brown II has helped OPM manage its costs in moving to the cloud. OPM recently completed a two-year sprint to move more than 50 applications and systems off premise. Now OPM has 90% of all of its applications in the cloud.

“Now our focus over the next couple of years is going to be around modernization and optimization. How do we get the max that we can out of our cloud investment? How do we optimize at scale? And then how do we reimagine or modernize our applications with a focus on AI and envisioning what that application will look like now as we reimagine that in an AI environment,” Brown II said in a recent interview with the Federal Drive with Tom Temin. “We had to get things into the cloud so that we can take advantage of cloud services. And so now that we in the cloud, we can now take advantage of services that we could not have taken advantage of when we were in an operating environment.”

Brown II inherits a $280.8 million IT budget, according to the Federal IT Dashboard.

Of that, more than $184 million is considered operations and maintenance (O&M) and 16 out of 52 investments are considered a moderate or high risk.

Over at HHS, the new office of the Assistant Secretary for Technology Policy filled three key roles as part of the reorganization kicked off last summer.

HHS recently named:

Rouault comes to HHS after spending the last three years with the U.S. Digital Service where she worked on two big efforts around modernizing unemployment insurance and leading the facing financial shock portfolio.

Alicia Rouault is the new associate deputy assistant secretary for technology policy and CTO at HHS.

“Together we’ll be building out a new Office of the Chief Technology Officer at HHS, charged with leading HHS’ digital strategy and digital services for HHS programs, developing HHS data policy, anticipating emergent technology and data needs, and coordinating innovation across HHS programs to encourage experimentation, R&D and adoption of new technology,” she wrote on LinkedIn.

Honey returns to the role of CDO in some respects. She was acting CDO and executive director of data operations from 2019 to 2020. She also has been working other data-centric roles at HHS since 2020, including the lead data scientist for HHS’s InnovationX and COVID-19 Diagnostics Informatics working group.

Dierks returns to government after about a 15-year absence. She served from 2006 to 2009 as a fellow with HHS and the Food and Drug Administration working on an assortment of public health and risk mitigation projects.

She comes to HHS after being the chief data officer at Komodo Health for the last five years, where she spearheaded the development and evaluation of AI-powered healthcare analytics tools for life sciences companies, healthcare practitioners and patient advocacy groups.


For 2025, the return of IT efficiency and effectiveness

If the federal IT sector had a New Year’s party, the theme could easily be “What’s old is new again.”

Along with the new Trump administration, the initial priority areas for federal agencies, and specifically for technology programs, are efficiency and effectiveness.

As one federal expert said, we haven’t seen this type of specific call out for E&E — what I’m calling efficiency and effectiveness starting now — since the early 2000s. Clay Johnson, the former deputy director for management at the Office of Management and Budget during the George W. Bush administration, was often quoted as saying the goal of managing federal programs is to ensure they are getting better every year.

This is not to say the preceding or post-Bush administrations didn’t have similar goals, but the whole point of the first President’s Management Agenda was to drive E&E across back office and administrative functions.

The so-called Department of Government Efficiency (DOGE) is picking up that mantle, setting a much wilder goal of cutting $2.6 trillion from the federal budget.

Whatever DOGE ends up doing, federal technology will undoubtedly play a major role in all aspects of the effort.

Putting the DOGE effort aside for a minute, federal experts recognize the upcoming year will mean driving their focus deeper to moving away from legacy IT systems and modernizing systems and services.

These two activities will lead to better cybersecurity and better capabilities through artificial intelligence and generative AI.

Federal News Network asked a panel of current and former federal executives for their opinions about 2025 and what federal IT and acquisition storylines they are following over the next 12 months. If you are interested in previous years’ predictions, here is what experts said about 2023 and 2024.

  • Gundeep Ahluwalia, the former Labor Department CIO and now executive vice president and chief innovation officer at NuAxis
  • Julie Dunne, former House Oversight and Accountability staff member and now a principal with Monument Advocacy
  • Mike Hettinger, former House Oversight and Accountability staff member and now president of Hettinger Strategy Group
  • David Larrimore, the chief technology officer for the Department of Homeland Security
  • Gary Washington, the chief information officer of the Agriculture Department

What are two IT or acquisition programs/initiatives that you are watching closest for signs of progress and why?

MH: I am definitely watching the Federal Risk Authorization Management Program (FedRAMP) for progress. They’ve made a lot of changes this year and I think there are still some kinks to be worked out. The program management office’s transition and the restructuring of the joint authorization board process represent critical changes intended to accelerate the adoption of secure cloud computing across government, while broadening the aperture of the program to include smaller providers. Whether or not this works as intended, is worth tracking.

Mike Hettinger is president and founding principal of Hettinger Strategy Group and former staff director of the House Oversight and Government Reform Subcommittee on Government Management

JD: Secure Software development (Office of Management and Budget memos September 2022 and June 2023). In March 2024, the Cybersecurity and Infrastructure Security Agency finalized the common secure software development attestation form which triggered deadlines for agencies to start collecting these attestation forms from vendors for critical software in June 2024 and other software in September 2024. It will be interesting to see how this secure software attestation requirement is implemented across agencies in the transition between administrations. Secure software is critical to secure IT solutions.

Alliant 3. The General Services Administration released the request for proposals over the summer and proposals are now due Jan. 10. Alliant 2 has been an extremely successful contract vehicle facilitating agency customers’ access to IT infrastructure services, cybersecurity capabilities and emerging technologies. The successor will also be critical to agencies’ cybersecurity and IT modernization goals.

GA: GSA’s multiple award schedules and the National Institutes of Health’s IT Acquisition Assessment Center’s (NITAAC) CIO-SP4 governmentwide acquisition contract.

DL: We are watching HART for progress in 2025. When it reaches operational capability, the Homeland Advanced Recognition Technology (HART) will replace the legacy Automated Biometric Identification System (IDENT) as the primary Department of Homeland Security (DHS) system for storage and processing of biometric and associated biographic information for national security; law enforcement; immigration and border management; intelligence; background investigations for national security positions and certain positions of public trust; and associated testing, training, management reporting, planning and analysis, development of new technologies and other administrative use. We are excited to see substantive progress based upon the technical restructuring and the work we did in 2024 to integrate security into the development and deployment workflows.

David Larrimore is the Homeland Security Department’s chief technology officer.

We are also looking closely at the evolution of the financial system modernization (FSM) – FEMA program. It is designed to handle various financial transactions, including budgeting, accounting, and financial reporting. The system helps FEMA manage its financial resources efficiently and ensures compliance with federal financial management standards. We’ve made significant progress in improving efficiency, transparency and compliance with federal financial management standards. Some key areas of progress include modernization and integration, automation, enhanced reporting, compliance, grants management and data security and integrity. These improvements in FEMA’s financial management system contribute to the agency’s ability to manage its financial resources effectively, support disaster response and recovery efforts and maintain public trust through transparent and accountable financial practices. We look forward to more progress in 2025!

Rank in order these federal IT priorities and offer a few sentences about why you ranked them in this order. (1 being the top priority and 5 being the least)

  • Cybersecurity
  • Implementing AI, including GenAI
  • IT modernization to include moving to the cloud and getting rid of legacy debt
  • Using data to improve decision-making
  • Driving efficiency in programs

JD:
1. Cybersecurity
2. Driving efficiency in programs
3. IT modernization
4. Using data to improve decision making
5. Implementing AI, including GenAI

On cybersecurity, history is repeating itself and telling us what the future will bring. At the end of the last administration, the government was dealing with the aftereffects of the SolarWinds-related attack, which ultimately inspired a major cybersecurity executive order (14028).

At the end of this administration, the government is working to understand and respond to the Salt Typhoon attack that reportedly involves a Chinese government hacking group gaining access to U.S. and global telecommunications providers. The government, like the rest of the world, relies upon this critical infrastructure to accomplish their mission. It remains to be seen what we will learn from the Salt Typhoon attack and how that will impact cybersecurity requirements for federal agencies.

I could also see lessons learned impacting GSA’s follow on effort to the Enterprise Infrastructure Solutions contract, which supports federal agencies’ modernization of network infrastructure, and is currently referenced as Next Generation Network Infrastructure strategy.

On driving efficiency in programs, the other items are all tools to accomplish this goal. The topic of IT modernization never gets old and is being discussed in the X/Twitter world as the co-chairmen of the Department of Government Efficiency (DOGE) tweeted a link to a 2019 Government Accountability Office’s report identifying federal IT systems ranging in age from eight to 51 years old.

DL:
1. Cybersecurity
2. Implementing AI, including GenAI
3. IT modernization to include moving to the cloud and getting rid of legacy debt
4. Using data to improve decision-making
5. Driving efficiency in programs

DHS rolled out an IT strategic plan for fiscal years 2024-2028, and all of these priorities are built into our priorities. DHS has a vital mission: With honor and integrity, we will safeguard the American people, our homeland, and our values. This responsibility is carried out by over 260,000 dedicated employees who perform diverse duties, including aviation and border security, promoting trade and travel for economic security, emergency response and cybersecurity. We are committed to embodying the relentless resilience of the American people, ensuring a safe, secure and prosperous homeland in a constantly evolving global environment. To adapt to the ever-changing landscape, the DHS IT community will equip the department with secure and resilient capabilities. This will also promote interoperability, information sharing and collaboration among DHS and its partners.

GA:
1. Driving efficiency in programs with focus on customer experience
2. Using data to improve decision-making
3. Implementing AI, including GenAI
4. IT modernization to include moving to the cloud and getting rid of legacy debt — DevSecCXops will pick up!
5. Cybersecurity

GW: Most of them have a dependency on the others. All these need to be priorities and implemented to reach more enterprise IT goals. If you are to be secure, provide value and reduce total cost of ownership, I believe these are major components towards accomplishing those goals. I also believe we need to have a more digital ready workforce.

1. Cybersecurity
2. IT modernization to include moving to the cloud and getting rid of legacy debt
3. Implementing AI, including GenAI
3(a). Using data to improve decision-making
3(b). Driving efficiency in programs

MH:
1. Implementing AI, including GenAI — I think AI remains at the top of the priority list. The incoming administration is almost certain to rescind the Biden AI executive order and replace it with their own version. That alone will keep it at the top of the priority list.

2. Cybersecurity — Cyber remains a top two priority and we are always one breach away from it moving up the list.

2. Driving efficiency in programs — It’s been a while since we’ve really put efficiency and effectiveness front and center, maybe going all the way back to the George W. Bush administration but the DOGE is putting a major spotlight on this area of focus.

4. IT modernization to include moving to the cloud and getting rid of legacy debt — IT modernization is likely to remain a top issue for the incoming administration. Like data and some of the other issues it likely gets folded under the DOGE umbrella.

5. Using data to improve decision-making — Data remains a top five area of interest, but it’s likely to get pulled more into the DOGE effort than it is to stand out on its own.

If 2023 was all about zero trust and customer experience and 2024 was all about AI, what do you think will emerge as the buzzword of 2025 and why?

DL: We think AI will continue to be the buzzword of 2025. I previously mentioned the progress we made in 2024 on our AI pilots, and there are more tremendous opportunities for AI to enhance the DHS mission. We plan on continuing our lines of effort around AI, including:

  • Responsibly leveraging AI to advance homeland security missions while protecting individuals’ privacy, civil rights and civil liberties
  • Promoting nationwide AI safety and security, and
  • Continuing to lead in AI through strong, cohesive partnerships.

DHS is looking forward to using the results of our 2024 AI pilots to assess the efficacy of AI in improving its mission capabilities. Currently, each pilot team is partnering with privacy, cybersecurity and civil rights and civil liberties experts throughout their development and evaluation process. This work will inform departmentwide policies on AI governance.

Gundeep Ahluwalia is a former Labor Department chief information officer.

GA: Customer experience and efficiency. With the change of party, the focus on efficiency and effectiveness will be an obvious focus. It is my belief that this cannot come without unfaltering focus on customer experience and digital tools to deliver it. DevSecCXops.

MH: I definitely think AI carries over from 2024 into 2025, so we will continue to see a lot of focus there. The emerging trend is efficiency and effectiveness (broadly) but this will play out in the context of the DOGE.

JD: Quantum computing. Quantum computing is a serious national security challenge and will impact federal agencies’ IT systems. Quantum computing is expected to make current encryption methods obsolete, thereby exposing highly sensitive government communications and data. Data stolen today that may not be accessible today could be accessible in the future with the application of quantum computing capabilities. The United States and China are locked in a national security race to master this technology.

Some experts estimate such quantum computing capabilities could be available in 2030. This means the U.S. government like the rest of the world must prepare. In this Congress, there were efforts to move forward on the National Quantum Initiative Reauthorization Act (S.5411), which we can expect to resurface in the next Congress. Also watch for NIST developments. NIST has been preparing for years to support Federal Information Processing (FIPs) standards for the post-quantum cryptography to support key security applications like digital identity verification.

GW: AI and legacy IT.


No surprise: AI, cyber continued to dominate in 2024

It’s no surprise that artificial intelligence remained a top storyline over the last 12 months. Agencies detailed 1,000 more use cases in the most recent update from the Office of Management and Budget.

But the 1,700 use cases alone don’t explain why AI continued to dominate the news, the sessions at nearly every federal conference and on Capitol Hill. One of the reasons agencies and industry were so excited about the potential and real capabilities of AI last year had more to do with all the work that these organizations had done over the previous decade. The focus is on the data and its governance. The move to the cloud to modernize systems and applications. Basically, the lead up to taking AI from an idea or concept to the pilot stage, which happened in the 2010s, made these capabilities possible in 2024.

Along with AI, cybersecurity and the implementation of a zero trust architecture remained, and will continue to be in 2025, a top priority for many federal leaders. The recent cyberattack against the Department of Treasury capped an otherwise eventful year with both Volt Typhoon and Salt Typhoon making federal and private sector chief information security officers stay up late to deal with these threats.

Additionally, agencies saw over the last 12 months several significant changes in federal policies from cloud security to the digital experience they provide to citizens to strengthening accessibility requirements of federal digital services for the first time in many years.

With so much going on across the federal sector, Federal News Network asked a panel of current and former federal executives for their opinions about 2024 and what federal IT and acquisition storylines stood out over the last 12 months.

The panelists are:

  • Gundeep Ahluwalia, the former Labor Department CIO and now executive vice president and chief innovation officer at NuAxis
  • Julie Dunne, former House Oversight and Accountability staff member and now a principal with Monument Advocacy
  • Mike Hettinger, former House Oversight and Accountability staff member and now president of Hettinger Strategy Group
  • David Larrimore, the chief technology officer for the Department of Homeland Security
  • Gary Washington, the chief information officer of the Agriculture Department

Here are the 2023 and 2022 year in reviews as well, in case you were interested in comparing previous responses.

What are two specific accomplishments in 2024 within the federal IT and/or acquisition community? Please offer details about those accomplishments and why you thought they had an impact and what changes they brought.

MH: The issuance of the cybersecurity maturity model certification (CMMC) final rule represents a significant accomplishment. With all of the fits and starts that have come with that program, to get the final rule issued this year is a major step forward. As we move into 2025 and beyond, the requirements of CMMC are going to be felt across the government contracting industry.
Next, I’d say the overall progress agencies have made in implementing zero trust, as required by the cyber executive order and multiple related directives. There’s still a long way to go but progress has been significant.

JD: The Federal Risk Authorization and Management Program (FedRAMP) Modernization memo from the Office of Management and Budget. Over the summer, OMB updated its 2011 FedRAMP memo. The updated FedRAMP memo was a much-needed refresh and offers a lot of promise toward the goal of increasing the number of FedRAMP-authorized software-as-a-service (SaaS) providers. Streamlining processes through automation and leveraging commercial sector security practices are important reforms. The July 2024 OMB FedRAMP memo offers the promise of significantly reducing the time and expense vendors must invest to become FedRAMP authorized.

Julie Dunne, a former House Oversight and Reform Committee staff member for the Republicans and now a principal at Monument Advocacy.

Technology Modernization Fund. I was involved in drafting the original Modernizing Government Technology Act that created the TMF because Congress recognized the need for a multiyear funding capability to fund IT modernization projects. It’s gratifying to see the success of the TMF with over $1.05 billion invested in 69 projects across 34 federal agencies. I do wish there was a bit more transparency to the process so we can all learn from successful applications and better assist agency customers.

GA: Implementation of Enterprise Infrastructure Solutions (EIS) task orders, above 90% of the transition has occurred, this was a monumental task, one that could not have been achieved without coordination, cooperation between vendors, the General Services Administration and all the federal agencies.

DL: We recently announced the launch of DHSChat, a new artificial intelligence (AI) powered chatbot designed exclusively for internal use within the Department of Homeland Security. DHSChat is a significant step forward in leveraging secure, cutting-edge technology to enhance productivity and in supporting our critical missions. By using DHSChat, employees are able to perform routine work more efficiently, including summarizing complex documents and reports, generating computer code and streamlining repetitive tasks like data entry. With this new tool, thousands of employees are able to leverage generative AI capabilities safely and securely using nonpublic data. In the future, we hope to create a secure internal knowledge hub, which staff can query for information about DHS policies, data and other internal information. By collaborating with cloud, cybersecurity, privacy, civil rights and civil liberties experts across the department, DHS developed guardrails for DHSChat to ensure that it is effective, safe, secure and responsible.

David Larrimore is the Homeland Security Department’s chief technology officer.

In September 2023, we released our first set of policies surrounding the responsible use of artificial intelligence. In March 2024, OMB issued Memo M-24-10 with governmentwide requirements for AI risk management, as directed in President Joe Biden’s AI executive order. Where requirements differed between DHS’s internal AI policies and M-24-10, we met the higher standard.
Over the course of 2024, we re-reviewed every AI use case at DHS, searched out new and previously un-inventoried use cases across the department, and identified safety- and/or rights-impacting AI use cases that required compliance with M-24-10 minimum risk management practices.

In this process:

  • We identified 39 safety- and/or rights-impacting use cases, 29 of which are deployed and 10 are pre-deployment as of Dec. 16.
  • Of the 29 deployed use cases, 24 already comply with minimum risk management practices, while OMB approved short compliance extensions for five use cases.
  • We determined that DHS did not need to issue any waivers of required risk management practices for any deployed use cases.
  • We determined that 27 AI use cases do not meet the M-24-10 definitions for safety-and/or rights-impacting AI, despite falling under OMB’s presumed impacting categories.

Many teams across DHS put in a lot of hard work to reach this milestone. We implemented new and complex policies at a rapid pace to meet ambitious timelines as a step to increasing transparency and responsible AI use. We will continue to mature our approach to AI governance over time as technology evolves.

GW: I think the AI guidance and the digital experience efforts. I think both are good steps to a more modern, effective and cost-efficient government.

From a federal IT/acquisition perspective, what is one word or phrase 2024 will be remembered for and why?

Gary Washington is the CIO of the Agriculture Department.

GW: Challenging. I say challenging due to all the programs and new areas of focus that required attention this year such as AI, cybersecurity and modernization.

JD: Artificial Intelligence. There was a significant amount of policy activity in 2024 with task forces, conferences, executive orders, OMB memos and legislation. The conversations were varied in terms of topics and especially when it comes to AI risks and opportunities. The next administration appears poised to shift the conversation more toward innovation versus establishing a regulatory-like framework for AI. Meanwhile, agencies are already buying AI-enabled tools and inventorying their use cases.

MH: DOGE — is that even a word? The idea of government efficiency and effectiveness, including broadly how we use technology, is D.C.’s hottest club right now and that effort is just ramping up.

DL: I think we will remember 2024 as the year of “pilots.” In March 2024, DHS became the first federal agency to roll out a comprehensive “AI Roadmap” to integrate the technology into a variety of uses. The AI roadmap announced three generative AI (GenAI) pilots to test the effectiveness of GenAI solutions and their potential to enhance mission-specific capabilities in a safe, responsible, and effective way. These pilot programs were housed in the United States Citizenship and Immigration Services (USCIS), Homeland Security Investigations (HSI) and the Federal Emergency Management Agency (FEMA).

By October 2024, DHS successfully tested these pilot programs, while protecting civil rights, privacy, and civil liberties. The department gained valuable insights into the real-life impact of GenAI tools as well as their limitations. Learnings from these pilots will help guide the development and deployment of other AI tools throughout the department.

GA: Protests have become a staple of the acquisition process. Both trigger-happy incumbents and government mistakes have stalled so many large contract awards and started an incessant cycle of suboptimal bridges.

What emerged as the biggest challenge of 2024 that will have an impact into 2025 and beyond?

DL: Making the shift to continuous modernization practices like SecDevOps automation and human-centered design (CX) continues to be a challenge. Large monolithic IT programs are bound by traditional mechanisms for funding and risk management that can’t easily adopt continuous modernization practices like “modernizing in place” and require us to focus on bringing technical talent more intently into those programs to create the foundations for change. Adopting these practices is tantamount to ensuring our IT systems can continue to meet the needs of the mission.

GW: Decreasing technical debt and legacy IT.

JD: Artificial intelligence for the reasons stated earlier.

GA: Protests, outcome-based contracting.

MH: Artificial intelligence dominated 2024 and there’s no sign of it slowing down in 2025. While the technologies that make up “AI” are still in the growth and development stage, how we buy and use AI was everywhere in 2024. As the new administration gets ready to take over, their vision of AI, which differs in many areas from the current administration, is going to take center stage.


As the Acquisition World Turns: OFPP turns heat up on primes

Protests of contracts went down last fiscal year.

The micro-purchase threshold, the simplified acquisition threshold, the 8(a) sole source contract ceiling and several other similar acquisition limits are likely to increase in 2025.

And the oversight and accountability of subcontracting efforts by prime contractors is getting more scrutiny.

These are the latest among a host of story lines in the federal acquisition community. Welcome to another edition of As the Acquisition World Turns.

The Government Accountability Office’s annual report to Congress on the state of bid protests always is fascinating.

The raw numbers, of course, only tell part of the story. Yes, the number of protests is down, mostly due to the deluge GAO received in 2023 from the ongoing saga that is the CIO-SP4 governmentwide acquisition contract (GWAC) from the National Institutes of Health IT Acquisition and Assessment Center (NITAAC). In 2023, GAO received more than 350 protests over CIO-SP4 alone.

Source: GAO Bid Protest Report to Congress for Fiscal 2024.

Speaking of CIO-SP4, May will be five years since NITAAC released the initial solicitation to industry, which has now been modified dozens of times. A common refrain from many industry observers is maybe it’s time for NITAAC to throw in the towel and start over.

More NITAAC news, though it’s not what every bidder wants to hear — or maybe it is — director Brian Goodger has moved on to take a new role as the head of contracting activity at the Health Resources and Services Administration (HRSA). He was NITAAC director for almost two years and served as acting director for almost two years as well.

Ricky Clark, the NITAAC deputy director, is now acting director, a spokesperson confirmed.

The future of CIO-SP4 remains a big question, but that is a conversation for another time.

Let’s get back to GAO’s bid protest report. Two data points help us understand some important facets of federal contracting.

First, GAO continues to provide vendors with relief more than 50% of the time. The 52% effectiveness rate means vendors received some positive result, whether the agency took corrective action or the contractor won on the merits of its complaint, more times than not.

“Of the protests resolved on the merits during fiscal year 2024, our Office sustained 16 percent of those protests. Our review shows that the most prevalent reasons for sustaining protests during the 2024 fiscal year were: (1) unreasonable technical evaluation; (2) flawed selection decision; and (3) unreasonable cost or price evaluation,” GAO wrote in its report. “It is important to note that a significant number of protests filed with our Office do not reach a decision on the merits because agencies voluntarily take corrective action in response to the protest rather than defend the protest on the merits. Agencies need not, and do not, report any of the myriad reasons they decide to take voluntary corrective action.”

Second data point: The number of protests of task and delivery orders remained constant. In 2024, GAO heard 346 protests, which is down from 368 in 2023. But over the last five years, the number of task and delivery order protests ranged from a high of 417 in 2020 to a low of 344 in 2022.

With 55% of all contracts now going through task and delivery orders, according to market research firm HigherGov, is it time to reconsider the limits on task order contracts of at least $10 million for civilian agencies and at least $25 million for Defense Department contracts? GAO says in fiscal 2023 agencies spent $759 billion on contracts, an increase of about $33 billion. This means more than $417 billion went through task orders. The question is whether a vast majority of these task and delivery orders are not getting a sufficient amount of accountability and oversight.

Subcontracting scrutiny

Speaking of oversight and accountability, vendors should expect a lot more from the Office of Federal Procurement Policy over their subcontracting efforts.

Christine Harada, the senior advisor for OFPP, issued two new memos last Friday to bring more rigor to two areas of federal procurement that often lagged – subcontracting and procurement forecasting.

Agencies have long struggled to hold prime contractors accountable for meeting small business subcontracting goals. The Navy, for example, in 2020 launched such an effort by auditing its top 10 contracting commands on how primes met their subcontracting plans.

The Small Business Administration also issued a new rule in 2023 that limits to 50% the amount a small business can subcontract to a large business to prevent the contract being just a “pass through.”

The OFPP memo outlines 11 considerations for how agencies can add rigor to their oversight of vendors achieving their small business subcontracting goals. The reason, OFPP and SBA say, is that small firms are missing out on $1.5 billion in subcontracting opportunities.

“The Small Business Administration (SBA), in its most recent report to Congress on Small Business Subcontracting Plan Goals Status, states that of the more than 2,800 individual subcontracting plans associated with completed contracts, many reported zero goals for one or more of the small business socioeconomic categories,” OFPP wrote. “The report, which analyzes data reported to the Electronic Subcontracting Reporting System (eSRS), further points out that if contractors had met their subcontracting plan goals on prime contracts completed in fiscal 2023, small businesses would have received almost $1.5 billion more in subcontract awards and small business concerns owned and controlled by socially and economically disadvantaged individuals (SDBs) would have received an additional $850 million in subcontract awards.”

Source: OFPP memo from Nov. 29.

Among the things agencies should do to improve their oversight and accountability of small business subcontracting are to use past performance as an evaluation factor for future contracts and to challenge prime contractors when they submit a zero or low percentage for their subcontracting goals.

“Several agencies incorporate, or are experimenting with incorporating, a Small Business Participation Commitment Document (SBPCD) into the resulting contract. The SBPCD is the prime contractor’s proposed response to the small business participation evaluation factors. Reflecting the successful offeror’s small business subcontracting commitment in the contract can provide contracting officers with increased ability to hold the prime contractor accountable for the execution of their commitments to partner and subcontract with small businesses in individual contracts (if the offeror is a small business, the participation commitment would be at the prime contract level),” OFPP wrote. “Review of the contractor’s semi-annual individual subcontract reports (ISRs), or annual Summary Subcontract Report (SSR) for commercial plans, is an integral part of the agency’s responsibility to assess and document the contractor’s efforts to achieve its plan goals in Contractor Performance Assessment Reporting System (CPARS). The achievement of subcontracting goals should be consistently evaluated and performance documented in CPARS following the evaluation ratings. CPARS reporting should reflect not just subcontracting plan shortcomings but also achievements that meet and exceed expectations.”

No crystal ball needed

OFPP’s second memo also is focused on helping small firms, but from a government perspective. Harada instructed agencies to standardize and apply some consistency to their procurement forecasts.

Agencies have six deadlines over the next 18 months and seven ongoing actions they must take to improve their forecasting efforts.

In the short term, agencies must decide by Feb. 28 whether they will host their procurement forecast on a publicly accessible tool or use the Forecast of Contracting Opportunities (FCO) tool, hosted on AcquisitionGateway.gov by the General Services Administration.

Over the long term, agencies must establish a Community of Practice on Federal Procurement Forecasting consisting of designated agency leads and other agency forecasting stakeholders. This group should coordinate with and engage the Procurement Committee for E-government for feedback on potential adjustments to forecasting elements and standards.

OFPP says these new deadlines and steps come from a public crowdsourcing effort through the Challenge.gov platform last fall asking how to improve federal procurement forecasting.

“Campaign participants submitted feedback on forecast information that was strongly supportive of enhanced access through a centralized point, content standardization, timely updates and improved technological solutions,” OFPP wrote.

Dollar thresholds on the rise

Another boost likely is coming for small businesses, this time from the Federal Acquisition Regulations Council.

In a proposed rule from Nov. 28, the FAR Council wants to increase the dollar thresholds for 10 of the most commonly used procurement approaches like the simplified acquisition threshold and the sole source ceilings for socio-economic categories like 8(a), service-disabled veteran-owned small businesses, HUBZone and women-owned small firms.

The council says this is the first increase of these thresholds since 2020.

Here are a few of the biggest changes on tap:

  • Micro-purchase threshold would increase to $15,000 from $10,000.
  • Simplified acquisition threshold would increase to $350,000 from $250,000.
  • Sole source ceiling for socio-economic categories increases to $5.5 million from $4.5 million for most non-manufacturing contracts.
  • The prime contractor subcontracting plan floor will increase to $950,000 from $750,000. The construction threshold will increase to $2 million from $1.5 million.

“The most impactful threshold escalations will likely be associated with the proposed increases to the micro-purchase threshold (MPT) and SAT. According to data from the Federal Procurement Data System (FPDS), the average number of federal awards valued at or below the current MPT ($10,000) during fiscal 2022 through fiscal 2024 was approximately 562,324. Those actions were awarded to approximately 18,440 unique entities. For the same period, FPDS data indicates that between the current MPT and the proposed threshold value of $15,000, another 49,321 awards were made to approximately 13,788 unique entities,” the council wrote. “While it is unclear how much duplication there is between the unique entities for each data point, the data illustrates an approximate 9 percent increase in the number of actions that would be considered under the MPT.”

The increase in the SAT would mean another 5,150 companies, or about 2% more, would be eligible for awards.

Comments on the proposed rule are due by Jan. 28.

Fraud alert

Finally, scammers are breaking out what seems to be a newly favorite tool: The fake request for quotes.

GSA’s inspector general issued an alert on Nov. 20 warning federal executives and contractors to be on the lookout for “scams involving disguised or ‘spoofed’ email addresses that target small businesses and large businesses, including federal contractors registered in SAM.gov.”

The IG says vendors should pay special attention to RFQs for electronic equipment such as cell phones, laptops, tablets and other electronic devices, that seemingly come from a “.gov” address, but have a non-government domain extension such as “.net”, “.org”, or “.com.”

“The fraudulent RFQs also appear nearly identical to legitimate RFQs used by federal government agencies, often using the names of real agency officials. However, the fraudulent RFQs have illegitimate contact information, including email addresses and phone numbers that send any correspondence back to the fraudsters and not to any legitimate government entity,” the IG wrote. “If a business entity responds to the RFQ, the fraudster will accept the quote, provide a fraudulent purchase order (PO) and the business is provided with an address to which they can ship the devices. The PO will usually include the ‘signature’ of the federal official, likely copied and photoshopped from publicly available contract files. Payment is usually guaranteed within 30 calendar days of the goods having been received. The shipping addresses vary, but are typically commercial addresses accessible by the public, such as short-term storage companies, warehouses or freight forwarders. When the U.S.-based business submits an invoice for payment to the affected government agency, the invoice is rejected, or no response is provided to the business because the government agency has no records of the fraudulent procurement. At this stage, the business realizes it has been defrauded.”

This isn’t a new scam, as one former federal agency CIO found out in May 2023. In the end, the company involved was smart enough to ship the laptops and tablets to the “requesting agency’s” headquarters instead of the commercial address, so the only cost was time and shipping.


Excitement growing over GSA’s COMET II program

Listen carefully and you can hear the buzz in the federal market about a new contract from the General Services Administration.

It’s not another big governmentwide contract like Alliant 3 or the ASCEND cloud blanket purchase agreement.

This one is the second generation of the COMET blanket purchase agreement that is going to be used only by GSA.

“GSA is saying this contract is a modernization effort and I think that is drawing a lot of interest from a lot of companies. I also think a lot of companies under COMET didn’t have capabilities to bid back in 2019,” said Gissa Sateri, the director of the civilian business unit at SAIC. “I think industry will go after COMET II wholeheartedly as a lot of companies who were subcontractors under COMET will now try to be a prime contractor. The pool of bidders is going to be huge.”

SAIC, which won a spot on COMET and plans to bid on COMET II, was one of about 400 companies at the industry day for the BPA last December.

COMET blasted through expectations

GSA awarded COMET in October 2019 to 12 companies for a range of IT services focused only on the Federal Acquisition Service (FAS). COMET replaced the CIO Application Maintenance, Enhancements, and Operations (CAMEO) procurement that GSA awarded in 2014 to a host of large and small businesses with a total ceiling of $400 million.

COMET was so successful that GSA on-ramped several new small businesses after the initial awardees grew too big.

Industry sources say GSA has awarded almost $1 billion under COMET since 2019.

These same sources say they expect COMET II to be a $2 billion vehicle and open for use by anyone at GSA from the Public Building Service to FAS to the Office of Governmentwide Policy, which is a main reason why it’s attracting so much interest.

“GSA really liked the dynamic of COMET. After reading the full draft RFP, I get the sense they want to have something similar because of its success and they are forward thinking and asking what the technology roadmap would look like in the next five years,” said Robin Gardner, the GSA account manager for CGI, which also is a COMET BPA holder and plans to bid on COMET II. “GSA has their whole IT playbook and it has been developing the document over the last five years. When looking at that as a roadmap, it’s clear it has grown and improved with more definitions for vendors to figure out what technology can be brought into the fold. I think COMET II will be a more robust vehicle that addresses more opportunities they have over the next five years with new technologies like artificial intelligence.”

GSA is expected to make 20 awards under COMET II, 10 in the small business pool and 10 in the unrestricted pool. Previously, GSA chose small businesses for about 25% of all awards.

More details out for bidders

GSA recently gave vendors more details about its plans for COMET II, releasing another draft of the performance work statement as well as the drafts of how they will evaluate bids.

Vendors say they had been waiting on GSA to provide this level of detail around the evaluation factors under COMET II, which may start to whittle down the number of prospective bidders.

Gardner said understanding Sections L and M of the draft solicitation will help industry better address the requirements and have a clearer picture of what GSA will be looking for in the bids.

One industry executive, who requested anonymity because their company plans on bidding on COMET II and is familiar with COMET, said there are several key differences between the BPAs.

For example, the new draft BPA places a bigger emphasis on building cloud-native applications, whereas the focus under COMET was on building cloud-ready applications.

Another area GSA wants vendors to focus more on in COMET II is human-centered design. The industry executive said GSA didn’t even mention HCD in the initial BPA, but now it’s distinguished as a requirement for all task orders, and it’s included as one of nine technical objectives.

Two other key differences between COMET and COMET II are the focus on small business subcontracting and the requirement for vendors to have two special item numbers (SINs) instead of just one.

Can COMET II stay out of protest purgatory?

COMET II includes a 20% small business requirement at the task order level.

The industry source added companies also must have both the IT SIN and cloud SIN under COMET II. Under COMET, vendors just needed the IT SIN.

“One of the reasons for bringing in the cloud SIN may be to open it up more to other contractors instead of just the usual system integrators,” the executive said. “All incumbents have both SINs and anyone looking at this should’ve had time to get both SINs.”

As part of the new documents GSA released last week, vendors received the draft task orders too. Three of them were for IAE projects, while another was for the recompete of the Hailey’s COMET program and the other was for e-commerce tools and capabilities.

CGI’s Gardner said this is another area where GSA altered its plans with COMET II. Vendors must bid on the BPA, but don’t have to necessarily bid on all five task orders. But, she said, GSA has left the option open to award all five task orders as part of making final awards under COMET II.

With the expansion of COMET II and the heavy interest by contractors, several vendors said they are concerned the BPA could get caught in protest purgatory.

Another industry source said GSA’s communications have been a bit stilted under COMET II so far, especially compared to COMET.

“GSA asked for feedback and they said they would have one on ones. The last time the one on ones were meaningful. This time, they just read back to you what you submitted and whether they would take it under consideration. The community felt like it was a waste of time,” said the source. “We submitted a lot of feedback and it got to the point of them saying they wouldn’t read the rest and just take them under advisement. Another mistake was they said they would publish feedback on ebuy and many of us were not happy about that because we submitted proprietary information. I think a lot of folks raised concerns and GSA decided not to do that after all.”


2026 pay raise and 5 other reasons to pay attention to A-11

If the update to Office of Management and Budget Circular A-11 was a box of sugar cereal, the details about the planned pay raise for fiscal 2026 are the toy at the bottom of the box.

The rest of A-11, then, is all the sugary goodness leading up to the prize.

OMB issued its annual Circular A-11 update in late July and the 1,079-page tome is filled with dates and instructions for how agencies should put the final touches on their 2026 budget requests.

Digging deeper into the primer, agencies will find an extensive treatise on everything from improving customer experience to managing federal real property to updated requirements for using evidence and evaluation in programs.

But since everyone just wants to get to the toy at the bottom of the box, let’s start with that.

OMB told agencies to prepare for a 3% civilian pay raise as part of their 2026 budget planning.

“Agencies should consult with their OMB representative on the provisional estimate for the military pay raise for January 2026,” OMB wrote in A-11. “In making their final estimates for the fiscal 2026 budget, agencies should anticipate revising pay raise amounts after the President makes a pay raise decision. Your OMB representative will provide additional guidance during budget season.”

Before you get too excited, or depressed, keep in mind this is just the first step in a long process. But it’s a signal for what the Biden administration is thinking about for 2026.

In fact, the White House just completed one of the final steps for the 2025 pay raise last Friday when President Joe Biden issued his alternative pay plan. He will make the 2% raise final in December when he issues an executive order, assuming Congress doesn’t make any changes to the appropriations bill.

Now that you’ve received the fun toy at the bottom of the box, let’s eat through all the Froot Loops or Honeycombs that is A-11.

Here are five changes or interesting parts of A-11 that agencies should know about:

Budget deadlines approaching

Before OMB started expanding A-11 in the 2000s, the circular had been mostly known as a budget planning document. So in keeping with its history, there are several dates agencies need to be aware of:

  • Initial budgets are due to OMB by Sept. 9
  • Agency budget baselines are locked by Dec. 4
  • White House to send budget request to Congress by Feb. 3

All of these dates tend to slip based on a number of factors, including the expected continuing resolution to start 2025 from Congress, possible partial government shutdown should the White House and Congress not agree on a CR and, of course, this being an election year, the new president will want to put their own stamp on any budget request for 2025.

And speaking of CRs and a possible partial shutdown, OMB included in A-11 updated lapse in appropriations plans. Agencies had to submit those documents to OMB by Aug. 1.

“Plans should be updated in 2025. Agencies must also submit an updated lapse plan to OMB for review whenever there is a change in the source of funding for an agency program or any significant modification, expansion, or reduction in agency program activities,” A-11 states. “Additional guidance on lapse plan submission and review for each potential lapse will be communicated with agencies, as needed.”

Section 280 continues to grow

OMB added customer experience to A-11 back in 2018 under Section 280 and the requirements for agencies are ever expanding. With the Biden administration’s focus on customer experience, OMB added a few important updates starting with high impact service providers, which must, in collaboration with OMB, by May 31, designate at least two priority services for focused assessment that could include post-transaction customer feedback survey(s).

“Feedback surveys may be deployed at key touchpoints between the customers and the service provider along the service journey, or at the end of the customer journey, for each current designated service,” A-11 states. “Submit the dataset(s) for the post-transaction customer feedback survey(s) of each current designated service on time for each quarter.”

Additionally, OMB says agencies should conduct an annual CX capacity assessment and submit it to OMB by Feb. 21 for both HISPs and HISP-maintaining departments and discuss the resulting findings with OMB at an annual CX Deep Dive by April 23.

By May 30, agencies must develop a draft CX Action Plan and submit it to OMB. A final CX Action Plan will be part of annual budget for each designated HISP and HISP-maintaining department, with a focus on improvement actions for designated services.

Beyond high impact service providers, OMB also is telling agencies to include employee experience as an overarching component of CX, though there aren’t many other details about what this means and how agencies should go about doing this.

A third item of note in Section 280 is that OMB is trying to reduce the burden of the now dreaded Paperwork Reduction Act (PRA).

To capture near real-time customer feedback, agencies have found the requirements under the PRA have gotten in the way because the law requires agencies to have certain information collection activities approved by the Office of Information and Regulatory Affairs (OIRA).

But in A-11, OMB specifically details how agencies can collect citizen feedback without initiating PRA requirements. One way is research with nine or fewer members of the public or by using open-ended questions and conducting non-scripted conversations.

In fact, the US Digital Service just released new user research about some common user research approaches that do not require PRA clearance because they do not qualify as an information collection under PRA regulations.

Beyond the ones mentioned in A-11, USDS also highlighted efforts that fall outside of the PRA such as directly observing someone using a product like filling out a form or finding information on a website.

More data on real property

Another big focus by OMB in A-11 was on real property.

We know in OMB’s recent telework report to Congress, the administration said agencies plan to shed millions of square feet of office space in the coming years. For example, the Department of Housing and Urban Development is expected to get rid of about 60% of its office space by 2038.

In A-11, OMB says each agency will need to provide a real property budget exhibit for all 2027 funding. In order to help agencies collect and report this information in an automated fashion, the Federal Real Property Council developed a new method to track budget and expenditure items using budget sub-object class codes in agency financial management systems.

“Agencies are encouraged to adopt the sub-object class codes to better track real property spend categories. However, it should be noted that adoption of the sub-object class codes is not mandatory,” A-11 states. “Agencies, in their 2027 budget submissions, will have the discretion to follow this method or determine other ways to populate the exhibit.”

Next steps for program inventories

Agencies set up their first program inventories in February after more than a decade of starts and stops. The initial database included spending and performance data on 2,388 programs.

In A-11, OMB told agencies to continue to update that effort. By Nov. 15, 2024, agencies must complete an initial assessment of their current assistance listings and a preliminary plan to work toward establishing a single assistance listing, where appropriate, for each program.

Broad, long-term aspirations

Over the next 10 months, agencies have to update their strategic plan for 2026-2030. Those initial ideas are due to OMB by June.

“Agencies should update as applicable their strategic plans by applying information learned from strategic reviews and other data-driven performance reviews as they are conducted, as well as reflect organizational plans and learning related to the agency’s evidence and evaluation building efforts,” A-11 states. “Additionally, the fiscal 2026-2030 strategic plans will also include a separate section on evidence-building and capacity, implementing requirements aimed at advancing agency evaluation and evidence-building activities identified in the Evidence Act.”

OMB offered some high-level guidance to create new strategic plans and goals, including using language that the public will understand, avoiding technical terms and making sure the goals express future direction or vision.

The final draft versions of the new strategic plans are due by September as part of the 2027 budget submission. After OMB review and agency updates, the expectation is for agencies to publish the new documents along with the 2027 budget request to Congress in February 2026.


AI effort to improve contractor performance ratings stalls

Contractor performance ratings remain stuck.

The General Services Administration made its first set of awards for the next great governmentwide contract.

And it’s the federal fourth quarter buying season.

These are some of the story lines in this latest edition of As the Procurement World Turns.

Agencies are expected to spend more than $200 billion on acquisition programs over the last quarter of fiscal 2024.

Bloomberg Government estimated that 40% to 60% of all federal procurement spending happens in the federal fourth quarter. At the same time, BGov also projected a drop in overall spending this year.

While the focus is on getting money out the door for many agencies, there are a host of policy and programmatic updates that will impact federal acquisition over the next several months.

First off, the initiative to revamp the process for contractor ratings is grounded at worst and crawling forward at best.

There are two reasons why improvements to the contractor performance assessment ratings (CPARs) remain delayed.

First, the case before the Federal Acquisition Regulatory Council hasn’t moved since 2021. The idea, to change FAR Part 42, would make it easier for third-party vendors to access these assessment records.

The delay in the FAR case led to the second reason for the delay in improvements to CPARs. The Homeland Security Department ended its pilot to use artificial intelligence for CPARs.

Polly Hall, the DHS senior advisor to the chief procurement officer and former executive director of the Procurement Innovation Lab, which ran the AI CPARs pilot, said the test proved out the capability of using this technology to identify relevant records and information. She said the challenge was how to access the CPARs system where the data lives.

The pilot only used “fake” or anonymized data because of security and privacy concerns.

Hall said the current CPARs system is far from being user friendly and right now there is no path to modernize it.

She said the technology and lessons learned from the pilot aren’t going to waste, however.

“We recognized another use case for front end market research. We are using open source information so contracting officers can shape engagements with industry,” Hall said. “Even if the FAR Case moves forward, we would have to relook at the technology and systems and make sure it’s still right and appropriate. AI has come a long way in four years.”

An Office of Management and Budget spokesperson said the FAR case is on pause to allow further analysis of security considerations, such as roles and responsibilities for the lifecycle management of the data.

“This pause of the regulatory case has not stopped other past performance improvement efforts, that do not involve third party access to the system,” the spokesperson said. “The results of the pilot will be helpful as we evaluate security considerations regarding access and as we consider ways to leverage AI with appropriate risk-management safeguards as envisioned by Executive Order 14110, OMB Memorandum M-24-10, the AI in Government Act and the Advancing American AI Act.”

Ken Susskind, the CEO of GovConRx, who has been a strong advocate over the last few years of reforming and improving CPARs, said the current approach has little to no value because agencies rate most vendors satisfactory. He said the way the government does CPARs hasn’t changed in 30 years.

“The bottom line is there is so much value in the CPARs system and capabilities that it’s sad it’s not available to government and industry,” Susskind said. “The data could help contracting officers make better buying decisions but also help companies improve their chances of winning. But if everyone is rated satisfactory, then CPARs has little to no real value.”

Mike Smith, a former director of strategic sourcing at DHS and now executive vice president at GovConRx, said with the successes of the DHS and other pilots, he hoped the FAR Council would take up this project and support CPARs reforms.

Without the FAR case moving forward, OMB says it still wants agencies to use past performance as an effective motivator of better contractor performance.

The spokesperson said OMB’s new Circular A-137 on strategic data management will provide an “important opportunity to evaluate CPARs data and consider better ways of aggregating, analyzing and presenting performance information.”

OMB says these actions should help contracting officers better understand current market factors and predict which vendor may offer the best value to the government.

OMB says it is working with agencies to prioritize their acquisition data management needs.

In the meantime, OMB also says it supports agencies who want to test and share better ways of conducting intake to, and output from, CPARs.

“With respect to improving intake, for example, several agencies have encouraged their workforce to seek contractor self-assessments that can result in increased communication between the parties during the contract and prior to the agency’s validation of past performance in CPARs,” the spokesperson said. “The General Services Administration has issued guidance to promote self-assessments and created a Notifications or Reminders Automation (NORA) bot based on robotics process automation (RPA) technology that reminds contractors to generate the performance self-assessments. OFPP recognized the acquisition professional behind the bot in 2022.”

Additionally, OMB pointed to other agencies who have used a quality assurance surveillance plan to evaluate performance on task orders and incorporated the information into CPARs, rather than inputting separate ratings that are conducted independent of the surveillance plan.

And at least one agency has piloted a “CPARS lite” process involving an evaluation for simpler commercial buys that helps to promote performance assessment feedback on smaller dollar buys.

GSA kicks off OASIS+ awards

GSA made the first set of awards under the OASIS+ professional services multiple award contract on Tuesday.

GSA picked 1,383 small businesses across seven domains, including management and advisory services, logistics services and technical and engineering services, for the tentative awards. GSA still must deal with possible size status protests and do final responsibility determinations.

GSA also will make awards under the OASIS+ unrestricted version and the socio-economic pools like 8(a) and women-owned small businesses over the next several months.

The 10-year OASIS+ contract replaces the popular OASIS multiple award contract that has seen more than $70 billion in obligations since 2015.

The first set of awards comes about eight months after vendors submitted bids.

GSA has been working on the follow-on to the highly successful OASIS multiple award contract since March 2021. The effort included 23 program updates to draft requests for proposals (RFPs), three industry days with more than 3,000 participants and more than 1,900 questions between the draft and final solicitations.

New small business rules

Along with GSA’s OASIS+ awards, vendors are focused on two other large governmentwide acquisition contracts. Bids for NASA SEWP VI are coming due Aug. 28, though another extension is not out of the question.

Meanwhile, the National Institutes of Health IT Acquisition and Assessment Center (NITAAC) remains mired in protest purgatory over its CIO-SP4 program. It extended the current CIO-SP3 contract for at least a sixth time. Agencies now can place orders through April 2025.

Even if the FAR Council isn’t moving out on the CPARs rule, it has remained busy finalizing a rule on allowing protests of small business set-aside task orders under certain multiple award contracts. The rule, which takes effect Aug. 29, provides processes and procedures for filing size and socioeconomic status protests associated with multiple-award contracts that are partially set-aside for small businesses or that include reserves for small businesses and orders placed under multiple-award contracts, with the exception of orders and blanket purchase agreements placed under GSA’s schedule contracts.

Another proposed rule to watch, on which the Small Business Administration will be holding several listening sessions around the country, is one that would amend the 8(a) Business Development program and size regulations. The proposed rule would consolidate and redesignate the separate recertification requirements for SBA’s size, 8(a) BD, HUBZone, woman-owned small business and service-disabled veteran-owned small business programs to a new section to reduce confusion and to ensure consistent application of the size and status recertification requirements.


Data Dive

Nearly half of all civilian feds are new hires since 2019

A recent thread on the FedNews Reddit page about what you would tell a new hire walking into the federal government sparked a question at Federal News Network.

Just how many people have been hired across the government over the past, say, five years?

Quick to FedScope we went.

If you’ve never used FedScope, it’s a treat. And I don’t mean that in a nice way. It takes a certain skillset, definite patience and some failures to get the hang of it. Luckily, Federal News Network’s Deputy Editor Jared Serbu has “mastered” that expertise.

The results of our search through FedScope were telling. Between October 2019 and September 2023, agencies hired more than 1 million new employees. There are more than 2 million in the federal civilian workforce in both the defense and non-defense agencies.

FedScope is limited in the data it provides, which is why we are only giving the numbers through September of last year.

We further broke down the data by other categories to give you a sense of how agencies are using the broad authorities to fill open positions.

Given the Department of Veterans Affairs’ push to address workforce challenges to improve its service to veterans, it’s no surprise the agency hired the most people over this five-year period. The biggest surprise may be the Interior Department making the top 10, but some of that may be for seasonal workers.

The Office of Personnel Management describes three types of hires in the federal government:
• Competitive
• Excepted
• Senior Executive Service

Let’s start with competitive service, which as the name suggests, is the way a majority of the new federal workers have been hired over the last five years. In all, OPM data shows 541,156 in total competitive hires.

Moving to excepted hiring, OPM defines this approach as one where competitive status is not required. Agencies can hire an employee under excepted status through the Veterans Recruitment Appointment or by appointing them to a position defined by OPM as excepted, such as attorneys. Since October 2019, OPM data shows agencies have hired 467,092 employees through this approach.

Finally, under SES hiring, agencies brought in 1,522 new leaders over the five-year period. There are only 8,222 members of the SES as of 2022, the most recent data available, which the Partnership for Public Service put together in June 2023. The Partnership found that on average about 200 new people come into the SES each year, but with the number of current senior executives eligible to retire — more than 62% through 2025 — there are more opportunities for agencies to bring new employees into leadership roles.

Obviously, there is a ton more data to pull from FedScope. Tell me what you thought of this data dive and what other data you would like to see.


People on the move: RRB CIO retires, IRS gets new CRO

The federal fourth quarter kicked off less than a week ago and we are now just over halfway through the calendar year so it feels like a good time to catch up on some of the federal executives who have moved to new roles or retired recently.

There have been a lot of high profile cyber-related folks on the move recently with Chris DeRusha, the federal chief information security officer, leaving in May, and then Eric Goldstein, the executive assistant director for cybersecurity in the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department, announcing his departure two days later.

While DeRusha landed at Google as its director of global public sector compliance, Goldstein waited until last week to announce his next job. He will be the managing vice president and head of cyber risk at Capital One.

“As with any role, transitions are essential. I’m thrilled that my dear friend Jeff Greene has stepped into the leadership seat for the Cybersecurity Division — there is no one better suited for the role,” Goldstein wrote on LinkedIn. “And I’m equally delighted to be starting the next phase in my journey at Capital One, where I’m joining an amazing team that is transforming the financial sector through innovation, scalable risk management, and a laser focus on customer experiences. I’m looking forward to new perspectives while continuing on our shared mission of keeping our country’s critical services safe and resilient against cyber risks.”

Greene came to CISA in May from the Aspen Institute where he was senior director for the cybersecurity program. Prior to that, he was the chief of cyber response and policy at the White House’s National Security Council from 2021 to 2022. He also worked at the National Institute of Standards and Technology for five years, for Symantec and was a senior counsel for the Senate Homeland Security and Governmental Affairs Committee for three years.

Along with the top level changes in federal cybersecurity, two more cybersecurity executives headed out the door.

Ross Foard, a senior engineer in CISA’s cybersecurity division, retired after eight years at the agency where he led efforts on identity security and helped shape the continuous diagnostics and mitigation program.

Ross Foard, a senior engineer in CISA’s cybersecurity division, retired at the end of June.

“It was a rewarding experience over the last eight years, on par with the eight years I spent as a U.S. Navy submariner at the beginning of my career,” Foard wrote on LinkedIn. “I have been honored to serve as a subject expert and elevate identity and access management (IdAM) and cryptographic capabilities across the federal civilian executive branch (FCEB) and beyond.”

The areas Foard helped lead included serving as CISA’s CDM program lead engineer and architect for IdAM capabilities.

He said this helped the CDM program provide identity management and privileged management capabilities to the largest federal agencies and establish the ability to understand who authorized users were by creating a master user record at each agency.

Additionally, Foard served on the Federal Mobility Group (FMG) Mobile Security Working Group, where he helped demonstrate how mobile devices can serve as important and secure sources of identity and enable phishing-resistant authentication.

Finally, Foard highlighted his time as the co-chairman on the Federal CISO council’s ICAM subcommittee.

White House leaders heading back to academia

Jake Braun is the fourth federal cyber leader to move on over the last two months. Braun, the acting principal deputy national cyber director in the White House’s Office of the National Cyber Director, is returning to the University of Chicago where he is a lecturer and on the faculty of the Harris School of Public Policy.

Braun was the executive director of the cyber policy initiative from March 2018 to February 2021, when he joined DHS as a senior advisor to the Management Directorate, which oversees all operations for the department.

He has been working at ONCD since June 2023 as what some would call the functional chief operating officer for the office where he oversaw the implementation of the national cybersecurity strategy.

“Helping run a startup in the White House has been one of the best experiences of my professional career. ONCD has accomplished so much in such a short period of time,” Braun said in an email statement. “I can’t thank the team at ONCD — especially Director [Harry] Coker and Kemba Walden — as well as President [Joe] Biden enough for giving me this opportunity.”

At the recent AFCEA TechNet Cyber conference, Braun spoke about the changes to ONCD over the last year, including growing to almost 100 people.

“One of the main things we are doing, and we haven’t had this before where there is one agency or White House office like ourselves whose sole job is driving federal cohesion on cybersecurity. We do that through implementation of the national cyber strategy. Nearly every agency in the federal government has some aspect of cybersecurity tied to their part of the implementation of the national cyber strategy,” Braun said.

In a statement, Coker praised Braun’s dedication and efforts to improve the nation’s cybersecurity posture.

“From the beginning of the Biden-Harris administration, and even earlier, Jake Braun has been a fierce advocate for our Nation’s cybersecurity. At every opportunity, I’ve seen Jake be a champion for the implementation of the National Cybersecurity Strategy, rallying ONCD and our mission partners to collaboratively focus on achieving meaningful outcomes. I am especially grateful for Jake’s advocacy and action on behalf of our nation’s critical infrastructure owners and operators, helping them learn about and take advantage of the resources wisely allocated through the President’s investing in America agenda,” Coker said. “Along the way, Jake repeatedly heard organizations tell us they need two things: resources and trained workers. In every meeting, in every engagement, his focus on having an impact for those on the front lines of our nation’s cybersecurity has been unwavering — that’s leadership. I personally am grateful to Jake for not only his incredible leadership while he’s been here at ONCD, but also his guidance and friendship.”

Outside of the cybersecurity realm, one other federal technology leadership retirement is worth mentioning. Terryne Murphy, who had been the chief information officer of the Railroad Retirement Board since August 2019, retired after more than 35 years of federal service.

Terryne Murphy retired after 35 years of federal service, including the last five as the Railroad Retirement Board’s CIO.

“To my leaders along the way, thank you — I learned so much from you. Thank you for every opportunity to stretch and to grow, for your counsel, your cover, and your patience while I learned to get better at leading/serving!” Murphy wrote on LinkedIn. “To my colleagues, teammates, and my classmates, thank you — I learned so much from you, too. Thank you for the challenges and the tough lessons to always strive to take the high road and to give back better than what we received! I did my best to serve you all well.”

Rich Kramer is the deputy CIO for the RRB, but it’s unclear if he stepped into the acting role with Murphy’s retirement.

Along with her time at RRB, Murphy also worked at the Commerce Department for 18 months serving as the acting CIO for seven of those months.

She began her career with the Army as a telecommunications officer and after nearly 12 years of service, Murphy joined the civilian sector working at the Justice Department, the Homeland Security Department and the Census Bureau.

Beyond these departures, there are several federal executives who have found new roles in government.

For starters, Mike Wetklow, the deputy CFO for the National Science Foundation for the last eight years, is taking a new job at the IRS as its chief risk officer.

“I am excited to join an organization dedicated to public service and to help drive innovation, leverage data, and improve compliance processes,” Wetklow wrote on LinkedIn. “Most importantly, I look forward to collaborating with the talented team at the IRS and contributing to an environment where we can all thrive.”

Wetklow also worked at the Office of Management and Budget’s Office of Federal Financial Management for four years as a branch chief and previously worked at DHS and the Government Accountability Office.

He also was the co-chairman of the CFO Council’s working group on improving the federal financial management workforce.

New leaders at HHS, Air Force

A second federal executive heading into a new job is Melissa Bruce, who is taking over as the deputy assistant secretary for the Department of Health and Human Services Program Support Center (PSC).

She joins HHS PSC after spending the last four years working in the Treasury Department’s Special Inspector General for Troubled Asset Relief Program (SIGTARP) office. Bruce has been acting IG for the last 2-plus years. Previously, she spent 10 years at DHS in the management directorate and worked in the private sector.

Bruce takes over PSC after several turbulent years, including the cutback of its assisted acquisition services and controversial treatment of its leadership.

Finally, Darek Kitlinski is the new chief technology officer for the Air Force’s Manpower, Personnel and Services (A1). He comes to the service after spending the last almost two years as the chief of the cloud services division for the Army’s Enterprise Cloud Management Agency.

In this new role, Kitlinski serves as the senior civilian advisor on cloud computing, computer systems and information technology.

Kitlinski also has been CTO for the Defense Technical Information Center (DTIC) and chief technology advisor for enterprise architecture, cloud, cyber and governance for the Coast Guard.


Political vs. career: Role of CIO remains unsettled

The Department of Housing and Urban Development is looking for a new chief information officer. HUD is now one of five major agencies looking for a new technology leader.

But unlike the departments of Defense and Health and Human Services, and the Small Business Administration and the Centers for Medicare and Medicaid Services, the HUD CIO didn’t actually leave the agency to create the job opening.

Beth Niblock, who has been CIO since July 2021, moved to a new position as senior advisor for disaster management. The reason for the opening is purely political. HUD decided to move the CIO’s position back to a career one from a political one.

“[O]ver the past few years, HUD leadership determined the department would be best served by having a career CIO to ensure steady and consistent leadership, and to better position the department to deliver high-quality, transformative solutions enabling HUD to deliver on its mission,” said a HUD spokesperson in an email to Federal News Network.

HUD posted the CIO job on USAJobs.gov in mid-May and applications are due today. In the meantime, Sairah Ijaz will step in as the acting CIO until a permanent career leader is selected.

Political CIOs close to leadership?

The decision by HUD to transition the CIO position back to career from political isn’t that unusual.

Over the course of the last 28 years — January 2026 will be the 30th anniversary of the Clinger Cohen Act — several agencies ranging from the departments of Commerce, Energy, Treasury and Transportation as well as the Environmental Protection Agency and others have flipped the position back and forth between career and political to suit the needs of the leadership.

But HUD’s decision brought up a long-standing and healthily debated question of whether CIOs, especially at this point in history where technology is at the center of every agency’s mission, are better off being political appointees.

To many, the answer continues to remain as it has for the last almost 30 years: It depends. But what has become clearer than ever is the role of managing, implementing and securing technology puts the CIO and deputy CIO on a higher plane across all agencies, thus requiring the federal community to continually re-ask the political appointee question.

“How the agency positions the CIO’s role in theory versus practice for the best possible function is really a question of how the head of the agency and the culture of that agency sets that role up for success,” said Dan Chenok, the former Office of Management and Budget official who helped with the Clinger-Cohen Act and now executive director of the IBM Center for the Business of Government. “Given the ubiquity of technology today, what is the right balance? My own personal view is a political CIO is more likely to be close to the head of the agency, and a career deputy CIO gives you continuity.”

Finding that seat at the table

But that closeness doesn’t always result in a CIO’s success.

If you look at the January 2024 Federal IT Acquisition Reform Act (FITARA) scorecard as one measure of CIO effectiveness, agencies with career CIOs versus those with politically appointed ones fared about the same. Agencies with political CIOs — the departments of Defense, Energy, Homeland Security, Veterans Affairs and HUD — received the same mix of “B” and “C” grades as those with career CIOs.

Simon Szykman, the president and founder of Cambio Digital Transformations and former Commerce Department CIO, said the role of the CIO is inherently not one that strongly aligns with any political ideology.

“Ideally it should not be necessary to make a CIO political appointment in order for that person to support the agency mission, or even the political leadership’s agenda,” he said. “However, the flip side to the argument for career CIOs is that no CIO will be successful if they don’t have that proverbial seat at the table. They need to be able to operate, influence and impact decisions at the senior-most levels. It can be a challenge for career senior executives to fully operate as peers to political leadership, and this challenge can be dependent on agency culture as well as the leadership tone set higher up in the administration.”

Many times an agency hires a political CIO because the secretary wants a specific person in that role. That was the case, for example, with Steve Cooper, when he worked at Commerce from 2014 to 2017.

For other agencies like VA, Congress required the position be presidentially appointed and Senate confirmed — one of the few that requires Senate confirmation.

HUD’s great strides

But even then, there is no guarantee of success.

“Moving the CIO to political or a career position is situational and based on the candidates available and what’s going on at the agency at that moment,” said Margie Graves, a former deputy CIO at DHS and federal deputy CIO and now a senior fellow at IBM’s Center for the Business of Government. “A lot of times the decision to bring on a political CIO may be because the secretary wants a specific person on board to do something specific. I would advocate for choosing the best person for the moment. It’s really no different than what you’d do in private sector. And the times I’ve seen the decision fail is when the person has no background in the technology management discipline and no expertise. I saw a couple of those at DHS.”

Graves added, at least for the CFO Act agencies, she would prefer to have someone in the C Suite who is “hearing” those political conversations as opposed to someone who is relegated as an “outsider.”

HUD’s reason for moving the CIO back to a career position is not entirely clear. The spokesperson said Niblock and her team have made “great strides over the past few years” to modernize the technology and improve the cyber posture of the agency’s infrastructure. But the spokesperson seems to insinuate there may be some bumpy roads ahead.

“However, HUD’s IT only received 0.5% of the department’s fiscal 2024 budget, which is one of the lowest percentages across cabinet level agencies. HUD is continuing to work with its federal and congressional partners to build on the progress of the past several years, while also continuing to pursue the ability to leverage various funding flexibilities that other agencies are able to leverage, including a working capital fund for its IT needs,” the spokesperson said.

HUD’s IT budget for 2024 is $641 million, of which it is spending only $94 million on development, modernization and enhancement projects. The agency requested $540 million for IT in 2025.

 

