Inside the Reporter's Notebook: Swinging exit doors at VA, DHS, GSA; Procurement fun at HHS

Friday - 8/8/2014, 5:52pm EDT

"Inside the Reporter's Notebook" is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and the like.

This is not a column nor commentary — it's news tidbits, strongly sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, I encourage you to submit ideas, suggestions and, of course, news to me at jpmiller@federalnewsradio.com.

Be the first to know when a new Inside the Reporter's Notebook is posted. Sign up today for our Inside the Reporter's Notebook email alert.


VA IT office's exit door swings open for two, maybe more

A huge wave of exits may be coming to the Veterans Affairs Department chief information officer's office in the coming months.

The beginning of this swell already has begun with Charles De Sanno, VA's executive director for Enterprise Technology and Infrastructure Engineering, and Stan Lowe, VA's chief information security officer, heading out the door in the coming months.

Multiple sources confirm De Sanno is retiring and taking a position in the private sector. Sources say De Sanno wouldn't say where he was going just yet, but he's likely leaving at the end of August.

Sources say Lowe also is heading to the private sector, leaving VA as early as September.

Additionally, there are possibly two or three other senior executives looking to leave VA in the coming months.

A VA spokeswoman couldn't confirm the De Sanno and Lowe's impending departures.

"VA lawyers have told VA they cannot confirm departures of any employees' intentions to leave and can only acknowledge departures after the employees are gone," said a VA spokeswoman. "All those you mentioned are still working in OIT."

The potential mass exodus from VA's Office of Information Technology isn't surprising given two recent developments.

The first is the continued pressure on VA by the House Veterans Affairs Committee over its IT and cybersecurity woes. The committee planned a cyber hearing in July, but postponed it. Sources say it will be rescheduled for September most likely.

The second reason is the new leadership at VA. Secretary Robert McDonald officially came on board July 30 and Deputy Secretary Sloan Gibson has been in place only since February.

The loss of De Sanno and Lowe comes as Lorraine Landfried, VA's deputy CIO for product development, resigned in July.

Lowe came to VA in October 2010 and assumed the CISO role in January 2013.

De Sanno has been with VA for 25 years. As the executive director for Enterprise Technology and Infrastructure Engineering, De Sanno directs the enterprise technology engineering efforts for systems solutions across the department.


GSA loss is DoT's gain

A big move in the federal cloud computing world is about to happen. Multiple industry sources confirm that Maria Roat is likely headed to the Transportation Department to be its chief technology officer.

Sources say all that's left is the official paperwork to be completed, but as one industry source said, "It's been an open secret for a few weeks now."

Roat has been the director of the Federal Risk Management and Authorization program at the General Services Administration since January 2013. She has been a driving force behind the cloud cybersecurity program and moving it from the initial operating capability to full operational capability.

Matt Goodrich likely will be Roat's interim replacement, and another industry source said he is the leading candidate to be the full-time FedRAMP director.

Once the move is finalized, Roat would manage the business technology and governance and technology strategy and modernization activities of the department, according to the job posting on USAJobs.gov.

Roat also would lead the Technology Control Board (TCB), which is made up of IT representatives from all of the DoT's bureaus. The control board ensures the agency implements technology that meets DoT standards, architecture and shared services mandates.

Before coming to GSA, Roat was the deputy CIO at FEMA and served as chief of staff in the DHS Office of the Chief Information Officer.


Another DHS cyber executive heading to private sector

The Homeland Security Department also is facing a similar set of senior executive departures as VA.

Jenny Menna, DHS' director of stakeholder engagement and cyber infrastructure resilience (SECIR), joins Larry Zelvin as the latest to head to the private sector.

Andy Ozment, the assistant secretary for cybersecurity and communications, wrote in a note to staff that Menna's last day will be Aug. 15.

"Jenny has done an outstanding job building a broad security partnership between DHS and the private sector. Her many accomplishments during her tenure at SECIR include standing up the Enhanced Cybersecurity Services (ECS) program, expanding the Cyber Information Sharing and Collaboration Program (CISCP), implementing the Critical Infrastructure Cyber Community C Voluntary Program in support of the NIST Cybersecurity Framework, and significantly increasing engagement with state, local, tribal and territorial governments," Ozment wrote in the email obtained by Federal News Radio. "Perhaps her greatest accomplishment, though, is SECIR itself. She has built an extremely strong organization that the broader CS&C, NPPD, and Department rely upon. Jenny, and the team at SECIR, should be proud of what they have done together."

Ozment said Bobbie Stempfley, deputy assistant secretary for Cybersecurity Strategy and Emergency Communications, will take over for Menna in the interim.

A lot of Menna's time and effort over the last year has been overseeing the development of DHS' piece of President Barack Obama's cyber executive order from February 2013.

House lawmakers recently passed a bill that would codify DHS' communications and collaboration with critical infrastructure providers, provide liability protection for the sharing of cyber threats and attacks, and further establish SECIR's role in working with industry.

Along with DHS' Menna, there have been a few other noteworthy changes.

Jeff Press, the Performance Improvement Council's senior advisor, is moving on to bigger and better things. He's taken a job as the Department of Commerce as the deputy director of Performance Strategy.

Press has been with the PIC since September 2010 and has helped promote the PIC and its role in helping agencies improve how they use data to make decisions.

Another big move on the industry side is Diana Gowen retired as CenturyLink Government's senior vice president and general manager on June 30.

Gowen joined Deep Water Point as a principal consultant working on IT and telecommunications issues.

"Diana has been a strong and effective leader during her nine years with CenturyLink," said Linda Johnson, a spokeswoman for CenturyLink Government. "She and her team have been instrumental in establishing CenturyLink's reputation as an industry-leading broadband, cybersecurity and IT services provider to the federal government. The company recognizes her excellent work on behalf of CenturyLink and our federal government customers, thanks her for her dedication, leadership and many contributions to the growth and success of our business over the years, and wishes her well on her retirement."

Gowen has been an outspoken critic of the General Services Administration's Networx telecommunications contract, and the challenges agencies have had in using it. She's also been CenturyLink Government's public face for the last nine years.


Summer procurement fun from HHS, VA

VA and the Department of Health and Human Services each issued procurements that should raise the excitement level in industry.

VA issued a request for information for the next generation of its technology multiple award contract known as T4.

Meanwhile, HHS released its first request for proposal under its Buyers Club initiative. The HHS Buyers Club is one of a growing number of approaches — think GSA 18F or the Office of Management and Budget's proposed Digital Services office — to bring innovation into the government more quickly and more successfully.

Both procurements are going to attract industry's attention and other agency's interest.

VA awarded T4 in June 2011 to nine large businesses and six small firms to provide IT products and services under a five-year, $12 billion deal. T4 expires in June 2016 so the RFI is VA's first step toward getting the follow-on contract in place in the next year.

Under the draft performance statement of work, VA stated T4 next generation would be for five years with a five-year option. It covers more than three dozen functional and sub-functional areas ranging from program management, strategy, enterprise architecture and planning support to systems/software engineering to IT service management implementation to enterprise application/services.

Responses to the RFI are due Aug. 28

This proposed follow-on to T4 will be a good test of the Office of Federal Procurement Policy's requirement for agencies to submit a business case for new multiple award contracts. Little is known about how OFPP's process is working or what effect it is having on agency decisions to launch multiple award contracts. OFPP's Interagency Contract Directory lists almost 4,000 multiple award contracts for IT and telecommunication services.

VA has spent more than $1.5 billion under T4 in 2013, according to data from the Federal Procurement Data System compiled by KRT Associates.

Over at HHS, the Office of the Assistant Secretary for Planning and Evaluation released an RFP for a vendor to:

  • Implement a platform and technical infrastructure supporting ASPE websites, databases and software development environments;

  • Implement a Web content management system and software package similar to SharePoint Foundation or Drupal with a strong preference for open-source;

  • Redesign ASPE's public website and intranet website;

  • Migrate these websites and associated databases to an open source Web content management system; and

  • Modernize two database applications.

HHS is dividing the procurement into four phases all focused on agile development processes.

This procurement is different than others, according to a tweet by HHS CTO Bryan Sivak, is because the agency is paying for a prototype. The two-stage source selection process means vendors have two weeks to submit a proposal. Then, HHS will evaluate bids and select as many as five firms to received $10,000 to create a prototype in three weeks. Finally, HHS will pick one vendor based on their prototype and presentation for the award.

"The down-select process will enable contractors an opportunity to showcase their abilities and expertise by delivering a short-term, functional prototype in support of their proposed concept rather than a detailed paper-based proposal. This proof-of-concept approach is consistent with private sector methodologies," HHS wrote in the RFP. "The Technical Evaluation Panel [will get] an opportunity to see functional prototypes before an award is made, ensuring that a contractor has the ability and expertise required."

HHS also stated that the two-step process will streamline the initial competition and let vendors focus on their core competencies rather than drafting lengthy responses to a solicitation.

It will be interesting to see how industry reacts and HHS evaluates the bids. A successful protest could spell trouble for these efforts to change the federal procurement process. At the same time, if HHS doesn't get the reaction from industry it hopes for, that too could impact future plans for these types of pilots.

The Buyers Club is one of several innovation initiatives industry and Congress are closely watching.

Responses to the RFP are due Aug. 19


Agencies fail email cyber tests

Federal agencies are not adopting industry best practices for securing their email systems.

Even with the move to the cloud, the Online Trust Alliance, a non-profit organization that focuses on enhancing trust and user empowerment of the Web, found only the House of Representatives and the Senate received passing grades when it comes to email cybersecurity.

OTA looked at the adoption of three critical email authentication standards across the top 50 federal websites, the top 100 FDIC insured banks, the top 500 Internet retailers, the top 50 social media sites and the top 50 news or media sites.

"By implementing email authentication, organizations can help protect their brands and consumers from receiving spoofed and forged email," OTA said in the report. "There has been growth in the deployment of email authentication in all industry sectors, yet major and systemic issues remain. The failure to apply authentication standards comprehensively risks placing consumers and employees in harm's way. This is often the result of companies authenticating only selected sub-domains and failing to authenticate their top level domain which is the domain most often abused. The inconsistent use of authentication is like reinforcing and locking the front door to your house, while leaving your side door or garage doors wide open."

Among the Fed 50, OTA found only 4 percent adopted email authentication best practices, such as Domain Keys Identified Mail and not publishing their Domain- based Message Authentication, Reporting and Conformance records.

OTA recommended adopting email authentication across all channels and domains. It said implementing inbound email authentication to protect employees and corporate data from spear phishing is important too.

IT Job of the Week What a challenge this job would be: the chief information security and senior privacy officer for the Centers for Medicaid and Medicare Services. One of the most customer focused and citizen centric organizations in government. CMS holds the personal data of hundreds of millions of Americans, and it would be your job to protect that information. The CISO/CPO would provide expert advice and collaborate with CMS' organizations in developing, promoting and maintaining IT security and privacy measures to protect sensitive information. Applications are due by Aug. 31.

MORE INSIDE THE REPORTER'S NOTEBOOK:

Inside the Reporter's Notebook: Category management launches five pilots; more vendor past performance data

Inside the Reporter's Notebook: FedRAMP compliance results months away, OMB's word of the year: Effectiveness