Inside the Reporter's Notebook: The funny side of strategic sourcing; NSTIC turns 3

Monday - 4/28/2014, 4:00am EDT

"Inside the Reporter's Notebook" is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and the like.

This is not a column nor commentary — it's news tidbits, strongly sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, I encourage you to submit ideas, suggestions and, of course, news to me at jpmiller@federalnewsradio.com.


Strategic sourcing's humorous side?

Federal procurement is rarely funny. And even more rare is when a government-to-government rebuff becomes public like the ongoing quarrel between the Small Business Administration and bid protestors, and the General Services Administration over the Office Supplies 3 contract.

First a little background: GSA issued the solicitation for version 3 of the Office Supplies strategic sourcing contract (OS3) in January. It was not well received by the contractor community, facing 14 pre-award protests to the Government Accountability Office. As part of the GAO's review of the protests, attorneys asked SBA to analyze GSA's justification for consolidation contracting requirements under OS3. The Small Business Jobs Act requires agencies to perform an analysis on any negative impacts the consolidation would have on small firms, and possible ways to mitigate them.

SBA found GSA didn't perform an appropriate analysis and thus its justification was inadequate.

Here comes the funny part. GSA actually wrote to GAO complaining that one of the protestors was "leaking" information to the public and the press, and then asked GAO to issue a "cease and desist" letter to the protestors. (Check out the full email exchange).

"Protester KPaul filed a protest with GAO and is now asking federal agencies to end their participation in the subject contract/procurement (and another, current GSA contract that is not the subject of this protest) without waiting for a decision from GAO," Kristen Nowadly, assistant regional counsel for GSA wrote to GAO's Katherine Riback. "GSA submits that this correspondence is highly improper during the pendency of this protest."

Jonathan Kang, assistant general counsel for GAO, responded to Nowadly with what many consider a smackdown.

Kang wrote because "there is no protective order for the protests, and thus there are no restrictions on the parties' ability to share documents or information," and "With regard [to] your concern about correspondence by the protesters with other government agencies, this is a matter outside of our jurisdiction. Our rules do not contemplate that we may restrict the ability of parties to a protest to correspond with other government agencies."

Several experts were surprised by GSA's request for a "cease and desist." Basically, GSA wants GAO to stop the bad press it was getting for not doing what's required under the law.

There are no rules against consolidation or bundling, but there are requirements to fulfill, and SBA found GSA didn't meet them.

An increase in contract consolidation and bundling is a rising concern across the government, and SBA's willingness to hold an agency such as GSA accountable is an important footnote to this story.


NSTIC turns 3, patience required

Anyone who has ever taken care of or spent time with a 3-year-old knows the patience that's needed. Sometimes that same approach is needed with government programs.

And then there are times when both are the case as it is for Jeremy Grant. As a father of two young kids and now the dad of the 3-year-old National Strategy for Trusted Identities in Cyberspace (NSTIC), Grant fully knows that sometimes controlling expectations are tough.

Grant blogged April 22 on the 3-year anniversary of NSTIC's release and the progress the effort has made since 2011.

"I'm quite thrilled with what we've been able to do in three years. We've accomplished quite a lot and continue to make lot of progress," he said in an interview. "It is safe to say, and NSTIC isn't the only one that faces this, that there are a lot of expectations from government and the community as a whole when things like this get rolled out."

NSTIC, for those of you who need a refresher, is a White House strategy with the President's signature detailing a vision and four principles along with short and long-term goals to move the government and industry at-large away from using usernames and passwords and to strong identity management processes.

After three years, it makes sense to ask what is going on. Anytime the White House puts its muscle behind a program, vendors want contracts and agencies want to see benefits.

Grant said contracts are more in the form of pilot programs, funded at about $16.5 million, and benefits for agencies are coming.

The latest cyber bug, Heartbleed, and almost every other vulnerability over the last few years that takes advantage of weak usernames and passwords is a reminder of why NSTIC is important.

Grant said these cyber threats show why NSTIC must succeed and is succeeding in changing how the government and industry looks at cybersecurity.

"If anything, through NSTIC, we've helped drive toward a more mature marketplace," he said. "What has been interesting and our real impact often hasn't been noted has been when new things are emerging in the marketplace, they are paying attention to NSTIC. A number of new companies have come in during their product development stage to talk to us about aligning with NSTIC."

Grant points to the Fast Identity Online (FIDO) Alliance, which includes companies like Google, PayPal and eBay, as one example. The organization is incorporating NSTIC standards into their products and services.

I asked Grant whether NSTIC as a strategy needs to be updated or refreshed after three years.

He said it doesn't because the overall vision and goals remain the same — in a nutshell, get rid of usernames and passwords.

"The strategy is still quite sound," he said. "What may be good, and it's something we are considering doing, is a progress report now that we are three years into the effort. We may list five or six things that we, as the federal government, need to redouble our efforts on, and we would assess our progress against strategy."

Grant added NSTIC is on track to meet many of its 5-year goals, and has met most of its 3-year milestones.

One federal program many are watching closely is the Federal Cloud Credential Exchange (FCCX) program. Grant said it's on track to start testing this spring or early summer. Several agencies are on tap to begin running some initial transactions through the federated cloud this year to test out its initial operating capability.

In the past, I've reported FCCX will connect the departments of Agriculture and Veterans Affairs, the National Institute of Standards and Technology and GSA with third-party credential providers that meet the Federal Identity Credential and Access Management (FICAM) standards.


Cloud security requirements refreshed

Two interesting and important developments last week around mobile and cloud security — two of the hottest topics in the federal community over the last few years — that feds and contractors need to be aware of.

First, the General Services Administration, the Defense Department and the Homeland Security Department plan to issue the updated baseline for cloud cyber standards under the Federal Risk Authorization and Management Program (FedRAMP) by June 1.

Two things vendors need to know from the update: First, cloud service providers already approved by the Joint Authorization Board (JAB) or by an agency as of June 1 will have one year from their annual assessment to meet the new security requirements.

The second is CSPs approved between June 1, 2014 and Jan. 1, 2015 will have one year from the date of their annual assessment to update their security controls.

"The FedRAMP Program Management Office anticipates that the level of effort will require testing between 140 to 150 controls," the PMO wrote in the transition plan issued April 22. "There are approximately 72 new Rev. 4 controls and 70 core controls for annual testing. The FedRAMP PMO will prioritize and adjust the number of controls required for testing based on the CSPs risk posture."

This gives current cloud service providers and those on the cusp of approval some time before having to go through this intentionally rigorous process again, and before having to spend tens of thousands of dollars without at least some time to recoup the investment through contract awards.

The PMO is accepting comments on the transition plan by May 1.

Keith Trippie, the former DHS executive in charge of cloud and now CEO of the Trippie Group, said ensuring FedRAMP is not static is a good thing, but it may be six to 12 months before the updated controls are operationalized, and that is concerning.

"What I'd like to see more over time in addition to revision 4 is a bigger focus on continuous monitoring and continuous assurance, so there is more transparency on virtual assets," he said in an interview. "The more of that that is incorporated in FedRAMP, the better the cloud providers can secure their networks and agency data. Continuous monitoring and assurance will provide agencies over time more details on what are vulnerabilities, current threats are and how they can maximize their risk management posture where investing money into cyber efforts."

He added FedRAMP needs to go down a risk management approach to avoid being another compliance framework exercise.

In the mobile security area, the National Institute of Standards and Technology released version one of a free, open source mobile app vetting system, named AppVet.

According to the CIO Council website, AppVet is a Web application for vetting mobile apps' cyber risks.

"AppVet is designed to easily and seamlessly integrate with a wide variety of third-party tools, including static and dynamic analyzers, anti-virus scanners, and vulnerability repositories through the specification of simple APIs and requirements," the blog post stated. "AppVet also supports easy and seamless integration with clients, including app stores and continuous integration environments."

AppVet, along with DHS' CarWash process, are two emerging area where agencies need help ensuring mobile apps meet federal cyber, accessibility and interoperability requirements.

Trippie said AppVet gives agencies more choices to ensure mobile apps meet their needs, which is a good thing.

"What I'd like to see is agencies take on the concept of building code and making it available, no matter the size of your screen. So instead of building an app or a mobile app, just build an app that's available on any screen from the beginning," he said. "That's why services like NIST's and the CarWash are important to free up the government to build once available on multiple platforms."

Trippie added the opportunities for NIST and DHS are huge, as is the ability for vendors to bring more value to the government around mobile and application testing.


DoD's Brubaker leaving, Carey, Grams land in the private sector

Rob Carey and Todd Grams found new homes. Paul Brubaker is moving out of government, again, to a new place to think deep thoughts, while his old Clinger-Cohen Act buddy Mark Forman steps back into the fray with a big company.

Let's start with Carey, who retired after 31 years in government, which included stints as the Navy's CIO and the principal deputy CIO for DoD. He will join Computer Sciences Corporation, starting Monday, as its vice president and general manager of public sector cybersecurity. In an email confirming his new role, Carey said "It should be fun and a way to improve national security."

Beyond that, more details will emerge about his role in the coming weeks.

Grams, the former Veterans Affairs Department CFO and most recently IRS chief of staff, found a new home at Deloitte federal as a director.

Grams, who retired after 34 years in January, will focus on enterprise risk management, financial management and performance management strategies.

As an aside, Deloitte is building quite a stable of former and highly well- respected federal executives starting with former Virginia Congressman Tom Davis, DHS undersecretary for management Janet Hale, former OMB executive Tim Young — and that isn't even including a host of former Defense Department generals, admirals and others.

Paul Brubaker, the DoD director of planning and performance management, announced Friday to staff he's leaving for the private sector. His last day at DoD will be May 2, he said in an email to staff obtained by Federal News Radio.

"This was not a decision that was made easily. As some of you know, almost 30 years ago I decided to dedicate my career to making government work better. Over the years I have remained dedicated to my personal mission of improving government efficiency and effectiveness while serving in both the government and the private sector," he wrote. "I have always sought positions where I could help to make a difference. Please know that my decision to change positions at this time remains consistent with my continued desire to play a role in positively transforming government."

Brubaker didn't offer details on his new job, but said it will continue to drive government transformation.

Federal Computer Week first reported Brubaker's decision to leave government.

Forman decided it was time to go back to a large company after running his own business for the last two years, Government Transaction Services with fellow former fed John Marshall.

Forman now is the vice president for IT services and cloud initiatives at TASC, a second stint with the company in some respects, working there TASC from 1985 to 1989 before it was bought by Northrop Grumman and then spun off back to TASC in 2010. In his new role, Forman will help oversee TASC's solutions in cyber, cloud and mobile computing, and data analytics.


IT Job of the Week

Several good ones to choose from this week, but I went with the deputy CIO position at the Executive Office of the President. You'll need a top secret/SCI security clearance, but you'll get to help the President fix his remote control to watch the Bulls lose to the Wizards … all kidding aside. It's a plumb White House job in many respects, and focuses on strategy, vision and new media. "The Deputy Chief Information Officer will provide technology vision, operational guidance, and leadership for developing and implementing IT initiatives that create and maintain leadership for the EOP in a constantly changing and politically sensitive organization." Applications are due no later than May 1.


Out&About

  • The Data Transparency Coalition is hosting the Data Transparency Summit on Tuesday, where I'm hosting two panels. The first is with Dick Ginman, the chairman of the Government Accountability and Transparency Board (GAT Board), where he will talk about progress so far and plans for 2014. The second panel is with industry experts on how the DATA Act, which is expected to be approved by the House on Monday, will impact vendors.

  • The Senate Armed Services Committee will hold a hearing on DoD's acquisition system on Wednesday featuring undersecretary of acquisition, technology and logistics Frank Kendall and GAO's Michael Sullivan.

  • AFCEA Bethesda will hold its annual Law Enforcement IT day on Thursday featuring a host of speakers, including Mark Borkowski, the assistant commissioner of the Office of Technology Innovation and Acquisition in DHS' Customs and Border Protection, and TJ Kennedy, deputy general manager of FirstNet.

RELATED STORIES:

April 11 -- Inside the Reporter's Notebook: OMB not a farm team, Strategic sourcing on steroids

March 28 -- Inside the Reporter's Notebook: DoD taking own path with cloud security, Treasury's Reger joins OMB

March 14 -- Inside the Reporter's Notebook: USPS cloud credential exchange almost ready, flood of GSA contract protests