Inside the Reporter's Notebook: FedRAMP compliance results months away, OMB's word of the year: Effectiveness

Friday - 6/6/2014, 3:51pm EDT

"Inside the Reporter's Notebook" is a biweekly dispatch of news and information you may have missed or that slipped through the cracks at conferences, hearings and the like.

This is not a column nor commentary — it's news tidbits, strongly sourced buzz, and other items of interest that have happened or are happening in the federal IT and acquisition communities.

As always, I encourage you to submit ideas, suggestions and, of course, news to me at jpmiller@federalnewsradio.com.


FedRAMP compliance results months away

Why fret over a deadline anyway? The government is filled with deadlines that few pay attention to. Heck, the Defense Department just issued a proposed rule that Congress called for in the Defense Authorization bill from 2008 — more on that later.

But the administration's requirement that agencies use only cloud services approved through the Federal Risk and Authorization Management Program (FedRAMP), effective June 5, will be one of those with long legs, playing out over the course of the summer.

First off, the Office of Management and Budget isn't going agency-by-agency this week to check on compliance.

Instead, OMB will oversee how agencies met this goal through existing processes.

"The Office of Management and Budget will conduct oversight through PortfolioStat and other processes to support the annual FISMA Report to gauge agency efforts to meet the June 2014 deadline," said an OMB spokesman in an email statement. "As necessary, OMB will work with agencies if the deadline isn't met."

Federal CIO Steve VanRoekel updated the PortfolioStat process in May detailing a series of deadlines.

The first was May 30, by which time agencies had to identify the programs that will go through the PortfolioStat process, followed by May 31, when they had to update their integrated data collection to assess progress against their 2013 goals. Then, by June 19, OMB will finish its assessment of agency programs and schedule a two-hour PortfolioStat session with agency CXOs to take place before July.

So we really will not know how agencies are doing with FedRAMP compliance until September at the earliest when the PortfolioStat sessions are completed and analyzed.

And remember, agencies have a fair amount of leeway in meeting the FedRAMP deadline: if a vendor they want to use, or are already using, isn't yet approved but is in the queue for approval and all signs are positive, that is good enough.

The enforcement piece also will fall to agencies within their contract requirements, meaning new contracts or follow-on task orders will include clauses mandating FedRAMP compliance.

Currently, there are 12 cloud service providers with approval from the Joint Authorization Board (JAB) — made up of the General Services Administration and the departments of Defense and Homeland Security — and four with agency authorizations.


Government sources say the JAB is actively processing 14 cloud providers and has eight others in the queue.

One government source, who requested anonymity in order to speak to the press, said the JAB has the ability to process 10-to-12 vendors at a time.

The source said the JAB will have a schedule in place likely by next week as to when those eight in the queue will be ready to provide FedRAMP compliant services.

"The JAB expected some cloud providers to be ready last fall, but some have dragged their feet," the source said, explaining why there is a waiting list. "They waited until early this year to submit paperwork and that threw the JAB off schedule."

And don't forget, the JAB recently updated the FedRAMP security baseline to incorporate the new controls in National Institute of Standards and Technology Special Publication 800-53 Rev. 4. This means current and future cloud service providers will go through the process again, to some extent at least, over the next 12-18 months.

GSA is holding two FedRAMP information days: the first, for industry, was June 4, and the second is June 10 at the agency's National Capital Region building at 7th and D Streets in Washington, D.C.

If you missed the June 4 industry day, here's the slide deck from that event.


OMB's word of the year: Effectiveness

Going back to PortfolioStat for a moment, OMB is placing a lot of emphasis, and expectation, on the investment review process this year.

Effectiveness is the key word coming from VanRoekel, his boss, Beth Cobert, OMB's deputy director for management, and others from OMB.

"Based on the lessons learned last year, we have made some additional changes. For example, in the past, in the first two years of PortfolioStat we really focused on identifying opportunities for cost savings. That's resulted in identification of almost $2 billion worth of savings opportunities," said OMB deputy CIO Lisa Schlosser during a panel discussion on the 24th annual CIO Survey sponsored by TechAmerica and Grant Thornton on June 5 in Washington. "We revised PortfolioStat a bit this year. We aren't just focused on creating efficiencies, but effectiveness. How do we really look at the outcomes that we are driving from our investments? How are we better serving the customer? You will see a lot of emphasis on measuring customer satisfaction."

As part of the PortfolioStat effort, OMB issued its annual IT budget capital planning guidance for fiscal 2016, a 42-page document, on May 27. In the IT portfolio section, OMB detailed the 48 data elements agencies must report in their budget submissions.

OMB also highlights effectiveness in the IT capital assets/investments section. In that part of the guidance, OMB stated agencies should implement a process that simplifies or otherwise redesigns "work processes to reduce costs, improve effectiveness and maximize the use of commercial services and off-the-shelf technology."

Effectiveness also popped up in the operational data section where OMB told agencies to develop operational metrics, of which at least three should "measure the effectiveness of the investment in delivering the desired service or support level. One metric should reflect customer results (e.g. service quality); another should reflect how processes and activities were improved to produce these results (e.g. productivity); and the other should reflect a technology metric (e.g. reliability and availability)."

Other metrics should focus on strategic and business results, financial performance and innovation.

On a totally different OMB note, Schlosser said the CIO Council and the Chief Human Capital Officers Council got together in the last few months to figure out which IT workforce issues they should address collaboratively.

Schlosser said the CIO Council's workforce subcommittee is leading this effort with the CHCO Council.

"What are the skill sets we need to put in place now? What are the emerging skill sets like the digital service experts or like the cyber liability engineers that can operate in today's environment," Schlosser said. "The second part of that is looking at the way we are training individuals who are currently in the government to take on those roles and take on roles like agile development process. We are still kind of training on waterfall methodology in the federal government. We need to train agile development."

She said the workforce subcommittee will develop a strategy for which workforce issues need addressing first. Schlosser said that plan should be out by late summer or early fall.


Kerber joins GSA to lead cloud credential program

A new, but familiar, face is coming to government to run the Federal Cloud Credential Exchange (FCCX) at the policy level.

Jennifer Kerber will join the General Services Administration in its Office of Citizen Services and Innovative Technologies, sources confirmed.

This will be Kerber's first stint in government, but she's been in the federal community for more than a decade. Kerber comes to GSA from the Government Transformation Initiative, where she served as executive director since April 2013.

Sources say GTI, which has been focused on the financial transformation of the federal government to make it more efficient and effective, will go dormant for several reasons, including its chairman David Walker's decision to run for Lt. Governor of Connecticut.

As the director of the FCCX, Kerber will work in partnership with the Postal Service, NIST and other agency partners of the program. Kerber is replacing Katie Lewin, who retired in March and now works for CSC.

Kerber comes to GSA to run the FCCX program at a critical time. The Postal Service is expected to launch the first iteration of the credential exchange this spring.

Prior to GTI, Kerber spent 8 ½ years at TechAmerica, including the last nine months of her time there as president of the TechAmerica Foundation.

Kerber also has worked for Jefferson Consulting Group.

Also on the move at GSA is Sonny Hashmi. The acting CIO since January and deputy CIO since January 2011, Hashmi ascended to the permanent top technology spot this week.

Not really a surprise, as Hashmi has shown he's a deserving successor to Casey Coleman, who left government in January after seven years as GSA's CIO.

"The advice I would extend is something that was once passed along to me: 'The bigger the job, the more distractions there are. Staying focused on what is actually being achieved is what matters. Try to look back on any given day, week, or month and be able to say: Here's what we got done,'" said Coleman, who is now a client executive vice president at AT&T Government Solutions, in an email to Federal News Radio.


Senate committee pushes back on funding cut to NSTIC

The other bit of good news for federal identity efforts came from Senate lawmakers, who reversed their House counterparts in funding the National Strategy for Trusted Identities in Cyberspace effort for 2015.

House lawmakers are showing signs of losing patience with the NSTIC program after only two years, cutting its fiscal 2015 funding to $5.9 million from $16.5 million.

"Given the lack of progress associated with the pilots funded thus far, the recommended amount only supports ongoing programmatic efforts and does not include the second year of funding for fiscal year 2014 grant awardees or funds to award new grants in fiscal year 2015. NIST shall provide a report to the Committee within 120 days of enactment of this Act regarding the status of each of the pilots funded and milestones achieved, the near-term plans for continuing this program, and proposed future efforts. NIST shall use the remaining $10,600,000 proposed for NSTIC to enhance research and standards activities in its core lab programs," the House report stated.

The House passed the Commerce, Justice and Science 2015 appropriations bill on May 30.

But the Senate Appropriations Committee approved its version of the CJS bill with the full $16.5 million going to NSTIC.

First, the full Senate must pass the CJS bill with the provision, and then the two houses of Congress must agree to a final bill. But the fact the Senate committee didn't go with the House cut is an important milestone.

Along with the funding for NSTIC, the Senate committee also approved $401 million for the FBI's next generation cybersecurity initiative and $159 million for the National Science Foundation's comprehensive national cybersecurity initiative.

IT Job of the Week

The Labor Department's modernization effort is looking for a new leader. The agency has a job opening for an associate deputy CIO, who will plan, direct and facilitate key elements of the department's IT modernization project. It's a major program and multiyear effort to consolidate numerous IT infrastructures within Labor, which will result in shared services that are common among the agencies.

Applications are due June 27.

RELATED STORIES:

May 23 -- Inside the Reporter's Notebook: FedBizOpps contractor admits to hacking

May 9 -- Inside the Reporter's Notebook: GSA takes 18F on a magical mystery tour

April 28 -- Inside the Reporter's Notebook: The funny side of strategic sourcing; NSTIC turns 3