Inside the Reporter’s Notebook is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and other events. This is not a column or commentary – it’s news tidbits, strongly-sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.
As always, we encourage you to submit ideas, suggestions and, of course, news to Jason via email.
There always has been healthy tension between auditors and operators. After what seemed a thaw between inspectors general and IT executives over the last few years, a recent event highlighted the continued friction between the two parties in how agencies protect federal data and networks.
During last Thursday’s panel discussion sponsored by AFFIRM in Washington, several CISOs and agency chief information officers talked about the difficulty in moving to a risk-based framework.
Jim Quinn, the lead system engineer for the Department of Homeland Security’s continuous diagnostics and mitigation (CDM) program, said too often IGs rely on checklists to determine whether or not agencies complied with the policy and law requirements.
“They have a standard pro-forma checklist that says ‘Have you done A, B and C?’ with no acknowledgement of whether A, B and C are really things that are important to what you are trying to achieve or whether you have done other things to make those controls less relevant because you’ve put compensating things in that limits your risk on them,” he said. “I think that this is one of the challenges, even looking at things like Federal Information Security Management Act (FISMA) metrics is how do we allow the agencies and departments and the mission groups to really be able to say ‘You have to look at the risk I’m willing to take in the context of what I am doing.’”
The Transportation Department is an outlier when it comes to implementing the Federal IT Acquisition Reform Act (FITARA). It’s not that Richard McKinney, the DoT chief information officer, and other senior executives at the agency don’t believe in the spirit and intent of the law. It’s just that DoT must deal with its 800-pound gorilla in the form of the Federal Aviation Administration and the fact that the FAA comes under a different set of rules than other parts of the department.
McKinney raised some eyebrows at the AFCEA Bethesda breakfast last week, saying the FAA’s lawyers decided the administration will not have to follow FITARA the same way as the rest of government.
McKinney clarified his statement after the event to say, yes, the FAA is following FITARA — for human resources, for planning, for accountability. The one area where the FAA is different is on the procurement front, where FAA CIO Tina Amereihn will approve all IT acquisitions instead of McKinney. FITARA requires agency CIOs to approve all IT spending, but includes the ability for the headquarters CIO to delegate some of that responsibility to the bureau level.
McKinney called the change a customization of FITARA based on current laws.
McKinney said that because of the way Congress created the laws governing FAA acquisitions, administration lawyers and DoT executives decided the best way forward was to have him delegate the IT spending approval authority to Amereihn.
The new Pentagon technology shared service went live July 20, and is moving toward full operating capability in the coming year. The move to full operational capability is developing the roadmap for others across DoD to follow.
Defense Department chief information officer Terry Halvorsen said he’s pleased with where the Joint IT Single Service Provider-Pentagon (JITSSPP) is today.
Barbara Hoffman, DoD’s deputy chief management officer, said that over the last 45-to-60 days they have been looking at contract consolidation and the best way to merge the two main components of this new organization—the Army IT Agency (ITA) and Enterprise Information Technology Service Division (EITSD).
“We are still working some of our initial service consolidations for video teleconferencing, service desk and the computer network defense,” Hoffman said during a recent call with reporters. “That is all moving along nicely and we are now entering into the phase for when we go FOC, which is an undetermined time, but we do have to start thinking and prepping for that.”