TMF Board investing methodically in new projects: Clare Martorana
The Technology Modernization Fund has $766.1 million left because the board is methodically investing in projects with the “greatest chance of success,” federal Chief Information Officer Clare Martorana said Monday.
Initial project proposals take 100 hours to review and move to the second, final phase: a full project proposal, where agencies must demonstrate their commitment to the board’s performance- and milestone-based transformation process.
To date the TMF has received $1.2 billion to fund federal IT and cybersecurity modernization projects, between the annual budget process and American Rescue Plan Act, and the board has committed $408.9 million of that money.
“We have limited funding, so we have to invest in agencies that are committed to the framework of us building in an iterative manner,” Martorana told The Daily Scoop Podcast. “In showing us that they have the change management capabilities, that they’re willing to dig into the business process.”
The TMF Board also looks at agencies’ agile acquisition methods, whereas in an ideal situation the fund would have $10 billion and the board more leeway to invest, Martorana said. Agencies have submitted more than 130 proposals seeking more than $2.5 billion.
Both the board and the Federal CIO Council have been releasing modernization playbooks on a “pretty consistent basis” to help agencies complete TMF projects faster, Martorana said.
“The playbooks are really going to be some of the catalysts for transformation,” she said.
Most recently the TMF Board awarded $9 million for two projects modernizing systems and protecting personal data at smaller agencies, the U.S. Postal Regulatory Commission and the Selective Service System.
In both cases the agencies presented minimum viable products that could serve as models for others as they move to Cloud First software and data architectures for security, Martorana said.
The TMF Board continues to look at other proposals in the first tranche of rolling submissions.
“We are still going full steam ahead on the entire portfolio of projects that came in under the American Rescue Plan,” Martorana said.
Department of Defense software leader to depart
Jason Weiss, the Department of Defense’s chief software officer, is leaving his role, he announced in a LinkedIn post yesterday.
Weiss came into the job in October 2021 having served as the director of software modernization since January of that year. He oversaw the adoption of software development and modernization of legacy applications in the department.
He was the first department-wide chief software officer, a role created in late 2021 as part of the DOD’s plans to pursue a more joined-up approach to digital warfare. The appointment came shortly after the departure of Air Force chief software officer Nic Chaillan in September.
In his post, Weiss touted progress on a variety of initiatives, including the DOD’s DevSecOps strategy, the API task force and the software modernization strategy, which was signed by the deputy secretary of defense Feb. 2.
The department is in the midst of evolving into what leaders have referred to as a data centric future where software is modernized and data is organized in a way to allow information to flow easier for faster decision making.
As part of the department’s push toward realizing its new concept of joint all-domain command and control (JADC2), which seeks to more seamlessly connect sensors and shooters to allow for faster decision making on the battlefield, it is moving out on two specific DevSecOps projects.
The first is modernizing how the department patches applications, aligning it to the way commercial industry does it, and the second is reformatting problematic applications to allow them to better share data on the network.
It is unclear who will fill Weiss’s role after he departs on April 15.
Bid protest could lead to ‘protracted fight’ over $11B DISA contract award
A recent mega contract award by the Defense Information Systems Agency is being challenged, a development which could throw a wrench into one of the Pentagon’s biggest IT reform initiatives.
In February, DISA issued a contract award worth up to $11.5 billion to Leidos for Defense Enclave Services, an effort to consolidate the networks of the department’s non-warfighting support agencies known as the “Fourth Estate.” However, on March 10 General Dynamics Information Technology filed a bid protest with the Government Accountability Office.
“GDIT challenges DISA’s conduct of discussions, technical evaluation, price evaluation, past performance evaluation, and the resulting tradeoff decision,” according to a source familiar with the protest who requested anonymity to discuss the situation.
GAO’s decision is expected no later than June 20.
Defense Enclave Services is a high priority for the Pentagon.
Under the indefinite-delivery, indefinite-quantity contract, which has a potential 10-year period of performance with a base ordering period that runs through February 2026 and three optional two-year periods to extend, Leidos was tasked to lead the Fourth Estate Network Optimization (4ENO) initiative — an effort to move 22 agencies and field activities to a single platform.
The new platform, called DoDNET, will house common IT elements like personnel, contracting and communications systems. Leidos was chosen to lead the management and operation of the greater network architecture and to be responsible for helping the agencies optimize their IT portfolios in the move over to the single platform.
“We have to evolve the [Defense Agencies and Field Activities] from unique information environments to a single digital enterprise. This will address the cost, security and integration issues that result from having separate networks, compute, and cybersecurity services and it will allow us to establish the modern infrastructure foundation and unified architecture needed to deliver cohesive combat support capabilities to the warfighter,” Don Means Jr., director of DISA’s Operations and Infrastructure Center, said in a statement after the contract award was announced.
Unifying the 22 agencies on a single, streamlined network will provide cost-efficiency, defendability from cyberattacks and agility for modern IT development by eliminating “unnecessary complexity within the IT space,” DISA said in a release.
Matthew Moriarty, a member at Schoonover & Moriarty LLC, who specializes in federal government contracting litigation, said he isn’t surprised that such a lucrative contract award is being protested by a company that lost the competition.
“When you’re talking about dollar figures of this amount … I would consider it unusual to not see a protest,” Moriarty told FedScoop.
Moriarty is not involved in this dispute over Defense Enclave Services, and he declined to discuss the merits of GDIT’s case and the likelihood that it will succeed, noting that he hasn’t seen any documentation related to it.
But speaking of these types of bid protests more broadly, “I think that these companies spend a great amount of time and effort on their proposals, and they genuinely believe that they should have been selected to receive these contracts,” he said. “When you talk about $11 billion, it’s not a hard decision to make to try to stay in the fight.”
He added: “I don’t want to be cynical about it either because, you know, a lot of work goes into these proposals and … these companies genuinely believe that they are providing the best option. I am not trying to suggest that it’s just part of the game. I’m saying the sunk cost analysis would indicate that you’re not losing a lot” by protesting.
Large IT services programs can be especially competitive because of the number of providers that can potentially do the work, he noted.
One potential outcome of the Defense Enclave Services dispute is the Government Accountability Office sustaining GDIT’s protest. When GAO sustains a protest, it typically recommends that the agency that issued the award reevaluate the proposals and determine a new awardee, Moriarty explained.
“That doesn’t necessarily mean [there will be] a different awardee, it just means a different evaluation process,” he said. “What GAO is saying when it sustains a protest is that it believes that there was an error in the process that led to the award decision. And it’s not going to necessarily suggest that you start over at the beginning with a fresh procurement, but it may suggest start over at the beginning of your evaluation process and reevaluate proposals.”
If a new award decision is made, the loser of that competition could make another protest bid, according to Moriarty.
“They would not be precluded from bringing another GAO protest because it would be a new award decision,” he said. “It would be a new decision … that they would have a right to challenge.”
It’s also possible that GDIT’s protest will be denied.
“If all the [government contracting] paperwork is bulletproof for lack of a better word, then GAO is going to deny the protest and … you would think that the parties involved would take a look at that, you know, and examine whether it would make sense to keep fighting,” he said.
If it loses its bid protest at the Government Accountability Office, GDIT could choose to take its arguments to a different venue — the Court of Federal Claims — to continue the legal battle, Moriarty noted.
“Ultimately, it could turn into a protracted fight, or perhaps not,” he said.
GDIT, Leidos and DISA declined to comment about the bid protest.
IRS teams old and new working in tandem on IT modernization
The IRS’s new Taxpayer Experience Office is already working with its IT, digitalization and policy shops to identify projects that will produce the most modernization, according to agency officials.
Processes the four teams agree to expedite may be public-facing or internal, depending on the return on investment (ROI), with TEO handling the former and the Enterprise Digitalization and Case Management Office the latter.
TEO launched at the start of March to improve taxpayers’ experience with digital tools like fully transparent accounts, expanded e-File and payment options, digital signatures, and secure two-way messaging, and it’s hit the ground running.
“We already engage with the Taxpayer Experience Office,” said Harrison Smith, co-director of EDCMO, during an ACT-IAC event earlier this month. “This is an area where we are constantly working horizontally to identify projects that fit the greatest number of enterprise needs.”
For its part, EDCMO focuses on taking paper processes digital where the cost savings are highest and the processing hours and employees in seats lowest.
Digital transformation efforts start small — relying on the IRS’s policy team to optimize business processes and technology — but already EDCMO achieved a 178% ROI in its first year.
“If you can work one project for one form that saves you $20 million, my real question is: When’s the next form that we can look at?” Smith said.
At the same time, on March 16 the IRS issued the first wave of job postings for the more than 200 technologists it plans to hire to continue modernizing IT. Positions range from entry-level to supervisory across system development, architecture, engineering, cybersecurity, IT operations, network services, and customer support.
Desired skillsets are cloud, zero-trust security, low- and no-code enterprise platforms, machine learning and artificial intelligence, and NoSQL databases.
Modernization projects new hires may work on include the integrated technical team modernizing the Individual Master File, which is the IRS’s core tax processing system, or the Enterprise Case Management Initiative modernizing applications, services and processes.
The IRS faces a daunting, largely paper-based backlog of tax returns every year. The backlog of Form 1040, or individual income tax return, submissions stood at 6 million and Form 941, or employer quarterly tax return, submissions at 2 million as of Dec. 23.
As was the case with COVID-19 recovery, the IRS is also called upon to administer relief like Economic Impact Payments and advance payments of the Child Tax Credit.
“This is an excellent opportunity to join the IRS Information Technology team and make a real difference for our tax system and the nation’s taxpayers,” said Chief Information Officer Nancy Sieger, in the jobs announcement. “This is a great opportunity for people looking to further their technology careers; we have experienced teams of programmers, IT specialists and cybersecurity experts looking to further accelerate modernization efforts.”
The IRS has also increased use of its streamlined procurement and phased-funding program, Pilot IRS, to deploy software and digital tools. Pilot IRS pilots have helped uncover systemic issues, as well as everyday business processes that need to be phased out based on where the agency is headed, said Molly Cain, associate director of enterprise digitalization.
Every pilot has a postmortem performed to determine what worked, what didn’t, where they can be scaled, and when the CIO’s Office should take over.
The IRS has been good about hosting Pilot IRS listening sessions where officials discuss the IT innovations needed to address the agency’s nagging problems. Tech companies need to take those seriously and speak to an IRS contracting officer when a desired innovation isn’t possible, Smith said.
On the flip side, robotic process automation, ML and AI are “shiny objects” that don’t always have the policies or business processes lined off to support them, he added.
“If you don’t have those all stitched together across the enterprise then, at best, you’ll get a really great tool — hopefully used by a small subset of people, when it’s likely an enterprise challenge,” Smith said.
GSA launches modernized federal IT dashboard
The General Services Administration launched a modernized Federal IT Dashboard providing increased visibility into agency cost and management data Monday.
ITDashboard.gov tracks agencies’ IT cost, schedule and contract data for more than 7,000 investments as collected through their internal capital planning and investment control tools.
GSA’s Office of Government-wide Policy announced in January its plan to replace the 12-year-old Federal IT Dashboard ahead of the release of the White House’s fiscal 2023 budget proposal, slated for March 28.
“As federal agencies make critical investments in upgrading their IT infrastructure and improving digital service delivery, it’s vital for the public to have visibility into how these dollars are being spent,” said GSA Administrator Robin Carnahan in the announcement. “By making information about federal IT management and spending more accessible and user-friendly, this new dashboard will incentivize agencies to be more efficient and effective and offer valuable insights to our federal partners and the public.”
Two applications — the IT Collect Application Programming Interface (API) and the OGP Visualization Platform — supplanted the legacy dashboard, following a year-long modernization effort.
IT Collect API gathers data from agencies using the latest standards and code capabilities and will handle future data calls from the Office of Management and Budget and other agencies that OMB allows.
The OGP Visualization Platform uses that API and others to ingest data and make it publicly available for visualizations.
New Army unit will combine military intelligence with open source data on foreign adversaries
The Army has created a new group that will blend historical military intelligence activities with commercial data and public information to support cyber operations, according to a spokesperson.
While designated under Intelligence and Security Command, the Cyber Military Intelligence Group (CMIG) will directly support requirements for Army Cyber Command and function under its operational control, according to an Army news article released in February. It will direct, synchronize and coordinate intelligence support for cyber, information and electronic warfare operations while also providing support to U.S. Cyber Command and other combatant commands.
The unit will perform functions not found anywhere else within the Army or intel community, an Intelligence and Security Command spokesperson told FedScoop, noting that Army Cyber Command was the only service component command without a military intelligence brigade for intelligence support.
By blending military intel with commercial data, publicly available information on foreign adversaries and certain national intelligence systems, it will provide insight necessary for Army Cyber Command to operate and defend networks and influence foreign audiences, the spokesperson added.
The team brings together personnel from a wide variety of disciplines across the intelligence and non-intelligence communities.
Army Cyber Command has been in the midst of a multi-year transformation effort to expand its focus beyond cyber to the broader information environment to pursue what it calls “information advantage,” deliberately eschewing the term “information warfare.”
The unique assets the new CMIG brings will provide Army Cyber Command the specialized intelligence it needs to drive operations in the information environment to ensure information advantage, the spokesperson said.
As part of its transformation effort, Army Cyber has charted a phased 10-year approach involving several organizational changes, realignments and creation of new entities.
In October, the command activated the 60th Offensive Cyberspace Operations Signal Battalion.
“This one-of-a-kind unit has a specialized mission to install, operate, maintain, and defend critical infrastructure and supporting networks to enable information advantage for Army and joint cyber forces,” 1st Lt. Garrett Steinbrugge, executive officer for Company C of the battalion, said during the activation ceremony.
The organization will also support operations for U.S. Cyber Command, performing duties related to Task Force Echo, a National Guard effort that has been underway since 2017. Little public information is known other than it supports full spectrum cyber operations. The task force has supported Cyber Command’s Cyber National Mission Force, which conducts offensive ops under the guise of defense to protect the nation from malicious cyber actors. Sources have indicated that it has also supported Joint Task Force-Ares, which sought to limit the Islamic State group’s abilities in the digital world.
While not “trigger pullers,” sources have also indicated the task force provides infrastructure support.
During a March 17th ceremony, the group was placed under the Army’s Cyber Protection Brigade, according to an Army release.
VA and Cerner to investigate cause of Spokane electronic health records outage
The Department of Veterans Affairs and medical records company Cerner will perform a “full root cause analysis” and establish an action plan to prevent further outages after an electronic health records system was affected by a software bug earlier this month.
A department spokesperson confirmed to FedScoop that the records system was taken offline at about 1:30 p.m. on March 3 after a technical defect in a software update was discovered.
As a result of the software bug, the system mixed up certain patient records, leading staff at the Mann-Grandstaff VA hospital and associated clinics in Washington and Idaho to revert to paper records.
It is the latest problem to hit the VA’s troubled electronic health records modernization program, which has provoked ire from lawmakers and frontline medical staff.
VA has worked to rectify errors caused to veterans’ health records as a result of the system data mixup, and as of March 17 only five records remained to be corrected, the department said.
The outage affected the records of veterans receiving treatment at the Mann-Grandstaff medical center in Spokane, as well as clinics in Wenatchee, Washington; Libby, Montana; Coeur d’Alene, Idaho; and Sandpoint, Idaho.
The VA’s medical center at Spokane was the first rollout location for the department’s 10-year endeavor to move away from the open-source Veterans Health Information System Technology Architecture (VistA) and migrate VA and DOD data to a Cerner-built cloud system.
Details of the outage come after the VA’s Office of Inspector General last week published a trio of reports that identified major concerns about care coordination, ticketing and medication management associated with the EHR program launch.
In its deep-dive report looking at care coordination following the new records system rollout, the department’s OIG substantiated deficiencies over the migration of patient information, which in some cases was transferred with errors. The watchdog also found that in the new system, electronic flags to identify patients at high risk for suicide and with behavioral concerns had failed to activate.
VA’s OIG in the second instalment of its investigation highlighted concerns over the helpdesk ticketing system for the new records system, which have previously been raised by frontline staff. Among the issues identified by the watchdog were concerns that Cerner service desk support staff were not able to view and replicate reported issues, closed tickets prior to resolution and did not communicate ticket status to end users.
The helpdesk ticketing system for the EHR is run by the VA Office of Electronic Healthcare Record Modernization and Cerner.
In its third report instalment, VA’s OIG found that the new records system had on occasion discontinued future medication orders written by providers, failed to process certain outpatient medication orders and allowed registered nurses to order prescriptions without the necessary approvals from doctors.
A Cerner spokesperson referred a request to comment to the VA.
NASA agrees to insider threat risk assessment of unclassified systems
NASA management has agreed to conduct a risk assessment of its unclassified systems to determine if its insider threat program should be expanded to include them, according to an Office of Inspector General report.
The agency plans to assemble a cross-discipline team with representatives from the offices of Protective Services and the Chief Information Officer, as well as the OIG Cyber Crimes Division by Dec. 1, 2023.
OIG recommended the move after finding that — while NASA appropriately implemented its insider threat program established in 2014 for classified IT systems — the agency’s unclassified systems still contained high-value assets and critical infrastructure facing “higher-than-necessary risk.”
“While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources,” reads the report released Monday. “According to agency officials, expanding the insider threat program to unclassified systems would benefit the agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented.”
NASA management further agreed to establish an insider threat working group with the offices of Protective Services, the Chief Information Officer, and Procurement and human resources by Dec. 1, 2023.
The working group will assess the resources needed to expand the insider threat program to protect unclassified systems from cybersecurity threats posed by employees and contractors. Limited staffing, technology resources and funding present challenges to expansion, as does the fact the offices of Protective Services and the Chief Information Officer share handling of unclassified systems, the Office of Procurement manages contracts, and the Office of the Chief Financial Officer grants and cooperative agreements.
The insider threat program currently consists of one full-time government employee and two contract employees performing user activity monitoring for anomalous activity with the help of software and resides within the Office of Procurement. Agency-wide insider threat training and a reference website for identifying threats, risks and follow-up are also provided, and the program is expanding contractor disclosure requirements to limit the risk of foreign influence during procurements.
“Nations such as Russia and Iran wage sophisticated cyber espionage campaigns directed at the acquisition of U.S. trade secrets in both the private and government sectors, while other countries like China attempt to blur the line between informal technology transfer and intellectual property theft by recruiting leading U.S. experts in high-tech fields,” reads the report. “Currently, China is by far the most prolific sponsor of such recruitment programs through what it calls ‘talent plans.’”
OIG found NASA’s risk is “significant” given its ties to academia, research institutes and international partners.
Accidental leaks through phishing or forwarding of sensitive emails are most common at NASA, followed by misuse of networks or databases to skirt the agency’s cyber policy and then data theft for sale or inappropriate release. Improper use of NASA IT systems increased from 249 incidents in 2017 to 1,103 in 2020, 343% growth, with the most prevalent error being the failure to protect sensitive but unclassified information by, say, sending an unencrypted email containing such data, according to an OIG report from May.
A comprehensive insider threat risk assessment is intended to identify gaps in administrative processes and cybersecurity.
“At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the agency’s ability to carry out its mission,” reads the new report.
Soon-to-be-released defense budget will align funding toward JADC2
Despite releasing what a top official referred to as a “seminal document” for the Department of Defense’s new concept for joint all-domain command and control (JADC2), the proof will be in how systems associated with that effort are funded across the individual services. And according to the official leading the charge, there is a funding mechanism in place in the soon-to-be-released fiscal 2023 defense budget request to purchase the technologies and mechanisms needed to make the plan a reality.
“Yes, very clearly. We’ve already had placeholders,” Lt. Gen. Dennis Crall, who heads the Pentagon’s JADC2 efforts, told reporters Friday when asked if there will be funding recommendations reflected in the 2023 budget for that.
The fiscal blueprint will be released March 28, according to reporting from Bloomberg.
The joint all-domain command and control initiative seeks to more seamlessly connect sensors and shooters to allow for faster decision making on the battlefield. Deputy Defense Secretary Kathleen Hicks signed the implementation plan for the JADC2 strategy earlier this week.
However, the military services still have to get on board and fund the programs and efforts that support this larger push to connect systems and improve data flows to allow for decision advantage on the future battlefield.
“Even though … the [implementation] plan itself was recently signed, we’ve been in constant battle or other events with our leadership on where we saw this forming up,” Crall said. “It’s not as though it was just dropped in the environment and we’re now trying to take a look at this for the first time. We had a pretty strong understanding of where these would fall out. And so yes, we have a solid plan, I think, or at least a good recommendation maybe on how that’ll land for ’23.”
There has also been a partnership between the Joint Staff’s Joint Requirements Oversight Council and the deputy secretary of defense through the Deputy’s Management Action Group, a senior review panel, to try to ensure that funding is available to realize the vision for JADC2, Crall said.
Funding should never be put against something that doesn’t have a validated requirement, he added.
First JADC2 efforts
Despite ongoing efforts with the services to game-out concepts and technologies for JADC2, Crall said there are two specific areas that are getting a “disproportional amount of attention” upfront: DevSecOps and the mission partner environment.
On the DevSecOps front, Crall described getting the department onto a modern footing on par with how Fortune 500 companies do business. While not novel in the commercial world, this is a first for the DOD and thus a large undertaking.
First, he explained, the Pentagon is going to take a series of applications the military services have identified and create a secure application and toolkit to allow for real-time patching. In the current environment, patching protocol is problematic, he said.
Second, the department will take some of its most “misbehaving applications,” which Crall declined to identify, and put them in a redevelopment gauntlet to have them reformatted to allow for greater data sharing.
During the Afghanistan drawdown, the department found it difficult to share information in a timely manner. The goal now is to get applications to work properly and provide data to the people or organizations that need it.
Regarding the mission partner environment, which allows DOD and coalition partners to access information, Crall said there has been a lot of testing on data exchange, how data is stored and what security elements are best.
Officials are focusing on challenges with currently fielded systems.
“We’ve got at the Secret level and below a very wonky, problematic array right now with the way that we exchange data with our partners and it’s not sustainable,” Crall said. “It’s expensive, it doesn’t work well and almost every country has some level of bespoke configuration that makes it really hard to manage. We’re taking that on as to how do you take what you’ve got and put it in a repeatable, recognizable, affordable order.”
U.S. Central Command and U.S. Indo-Pacific Command have done “phenomenal” work to this end, Crall said.
“Rather than creating all of that here in D.C., we’ve turned to our combatant commands who have shown progress and we are helping them organize this in the cross-functional team to see if we can replicate that as a standard,” he said.