Army cloud office to be set up by March, CIO says
The Army’s new Enterprise Cloud Management Office will be in “full swing” by March, Army CIO Lt. Gen. Bruce Crawford said Tuesday.
The ECMO aims to help the Army achieve “convergence,” a strategic objective to combine information and capabilities across warfighting domains by having central data and cloud enterprise capabilities. Paul Puckett, a former technology officer at Pivotal Software with technology experience in government, will lead the office to be the Army’s cloud and data hub.
To achieve the “monumental task” of data migration, the Army plans to spend $730 million of reallocated funds for its cloud efforts through fiscal 2023, Crawford said at AFCEA’s Army IT Day.
“We needed to centralize all things cloud,” Crawford said. “The ECMO is designed to better Army commands through a centralized office, and improve the ability to facilitate cloud projects and oversee migration to the cloud network.”
The office will remove some Army direct reporting units and other parts of military bureaucracy that “lack of organic capacity to get started” on building cloud networks, Crawford said in November.
Crawford hinted that the ECMO will initially have a small staff — its mission will be “less about numbers and more about capabilities.”
Creating the office was a part of a new and vigorous push by the Army to up its cloud game. Obtaining artificial intelligence capabilities through enterprise cloud computing is a priority for Secretary Ryan McCarthy.
Later during the event, Jennifer Potts, deputy project manager for the Army Enterprise Systems Integration Program, said “millions” of Army data points are being migrated to the cloud each day.
“It is really an exciting time to be in this space,” she said.
DHS tests AI for making sense of contractor past-performance data
The Department of Homeland Security is almost done with the first phase of a project that will allow federal agencies to use artificial intelligence for a task that can be overwhelming for humans: extracting, analyzing and visualizing the underutilized data in the governmentwide system for contractor past-performance records.
Next week DHS will finish reviewing services from nine vendors who were given data sets from the Contractor Performance Assessment Reporting System (CPARS). Before awarding contracts worth more than $250,000, agencies review historical data in CPARS to see how offerers acted under previous agreements. It’s not an easy task.
With more than 1 million records covering 60,000 contractors, CPARS can bog down contracting officers, said Polly Hall, acquisition innovation advocate director of the Procurement Innovation Lab at DHS. They can sort records by contract value, Data Universal Numbering System (DUNS) number or performance period, but even once those filters are applied, the results frequently still number in the hundreds and can only be viewed one PDF at a time.
“There’s risk involved in that,” Hall said, while speaking at the ACT-IAC AI/IA Forum on Wednesday. “As a human, I might not read something in a given record that will be very relevant to my decision as a contracting officer in the source selection.” Agencies attempt to mitigate that risk by having offerers complete past-performance questionnaires, but vendors paint themselves in a good light and rarely distinguish themselves from their competition, Hall added.
Due to budget constraints, the Office of Procurement Operations (OPO) within DHS opted against buying a solution and instead issued a general solicitation in August under the relatively new Commercial Solutions Opening Pilot Program authority. The solicitation sought AI prototypes that could quickly find a vendor’s past performance records and possibly even predict if they would deliver on a contract.
“What we want is the output from the solution,” Hall said. “We want that output in the form of a CPARS AI report or maybe a subscription service with a dashboard and other visualization capabilities to help us extract, analyze and visualize the data.”
DHS envisions a commercial, multi-vendor marketplace where report or subscription services are sold — similar to the credit-report marketplace, she added.
Nine AI-enabled prototypes
The department committed in its solicitation to providing vendors with CPARS data and access to users — contracting officers, contracting officer representatives and CPARS focal points — for prototypes and received about 40 proposals.
DHS used peer review to select nine services in September for prototyping: Hangar Government Solutions, Accenture, CORMAC, IBM Global Business Services – US Federal, Strongbridge, World Wide Technology, TrueTandem, ElectrifAi, and Federal Government Experts.
When prototype contracts were awarded, DHS lacked the ability to go into CPARS with an application programming interface (API) or script and pull out the records in batch. Instead records were downloaded one PDF at a time and prepared and parsed into CSV files. Data had to be human-rated so vendors could use it to train their AI algorithms and then masked to protect contractor information being shared.
Vendors have participated in interactive demonstrations leading up to the final demonstrations of phase one next week. DHS requires vendors produce a CPARS AI report so the department can validate the system ingests the data and provides meaningful insights.
Explanations of AI methodology and recommendations for improving CPARS data quality are also expected from each vendor.
DHS can then award follow-on contracts, up to $50,000 in value, without further competition.
“Our intent is to maintain as much competition as makes sense as we move forward into the next phase — likely more prototyping with a more robust, larger data set,” Hall said. “All of the vendors have concurred that’s definitely a need.”
More data will ensure services aren’t overly sensitive and can support more data as it scales, she added.
Not just for DHS
CPARS is expected to merge with nine other legacy contract-award systems under beta.SAM.gov within two years.
DHS essentially offered to manage CPARS on behalf of the government and formed a coalition with the Office of Federal Procurement Policy that’s funded by the Chief Acquisition Officers Council, which also provides vendors access to users, Hall said.
The Navy owns CPARS through the Integrated Award Environment at the General Services Administration. So DHS also needed IAE’s involvement to eventually access live-production data through a third-party API.
OPO additionally partnered with the DHS chief information officer and the Center for Accelerating Operational Efficiency, the department’s center of excellence managed out of Arizona State University.
Survey finds DOD contractors know little about forthcoming cyber standards
The Defense Department has been planning for nearly a year to update its cybersecurity certification framework for vendors who handle its sensitive information — but that’s apparently news to some contractors.
A new survey published by Tier 1 Cyber found few DOD vendors are aware of the DOD’s new cybersecurity standard for contractors, the Cybersecurity Maturity Model Certification (CMMC). Only 24 percent of the responding defense contractors could accurately identify its acronym in the survey.
Overall, the survey found contractors have “gotten the message” on the importance of cybersecurity, but few have implemented efforts to mitigate the imposing threats, Tier 1 Cyber CEO Bret Cohen told FedScoop.
The survey was conducted in November and solicited responses from a random sample of 150 government contractors with revenues of more than $15 million annually. Two-thirds of the respondents were DOD contractors with the vast majority employing more than 1,000 people.
The defense industry is targeted by state and rogue actors seeking to obtain sensitive national security data. To strengthen the military supply chain, the DOD launched CMMC as a top-down cybersecurity review and new framework to ensure compliance with cyber standards for all contractors.
The Cybersecurity Maturity Model Certification will replace the National Institute of Standards and Technology standards for cybersecurity as it is phased into the contracts later this year. Currently, contractors only need to self-certify NIST compliance. That will change under CMMC, with all companies in the DOD supply chain needing a third-party accredited authenticator to certify their level of cybersecurity compliance on a five-level scale. The security level will comport with the type of data contractors are given, with highly classified material only being awarded to high-level certified contractors.
The process could take up to a year, most of which will be while companies assure the “maturity” of their network security, Cohen said. Beyond initial certification, contractors will also need to continuously ensure security compliance; they risk losing certification in the event of a breach, according to the DOD’s frequently asked questions page on CMMC.
The upcoming rules are not the only thing respondents displayed a lack of knowledge on. Cohen was also surprised by the low levels of trust DOD contractors say they have for third-party vendors. Only 12 percent of the defense contractors surveyed said they trust their vendors, an apparent weak link in the chain. Cohen interpreted that as evidence that contractors aren’t concentrating on their vendors’ security or, worse, just don’t know the state of their third-party vendors’ security.
Other contractors surveyed showed little implementation of cyber mitigation efforts beyond “water cooler conversation” about the topic. Many employees’ personal devices lacked security software, and training was not a regular practice for many of the contractors surveyed.
Cohen said he anticipates that other government agencies will adopt models similar to CMMC and that the DOD’s implementation will likely continue on track, despite his company’s survey finding limited understanding among contractors.
Survey finds federal agencies embracing zero-trust security model
Nearly half of federal government IT executives in a new survey said their agencies are moving away from traditional network perimeter defense tactics and taking steps to adopt identity-centered, or zero-trust, security strategies to protect their digital resources.
The survey also found that executives at agencies that have developed security strategies in line with the administration’s Federal Identity, Credentialing and Access Management (FICAM) policy requirements reported being better positioned to:
- Improve their risk management and security posture.
- Expand more readily to multi- and hybrid cloud environments.
- Accommodate the rapid evolution of applications and devices accessing agency resources.
- Deliver superior user experiences for the public and federal employees further along in securing their assets.

The study presents a clearer picture of how well federal agencies are embracing the shift in security practices toward a perimeter-less data environment, where identity and authentication tools are used as the primary means of managing access to federal resources and information systems.
“Security Without Perimeters: Government’s shift to identity-centered access,” produced by FedScoop and underwritten by Duo Security, surveyed 171 prequalified government and industry IT decision makers in November 2019.
The findings not only show how far along federal agencies are in moving towards zero trust, but also point to accelerating interest in moving toward a password-less user experience and a wider range of multi-factor authentication practices.
The importance of identity-centered security
Part of the shift in security approaches reflects recent federal government mandates, from the Federal Data Strategy action plan to the OPEN Government Data Act, that are placing greater demands on agencies to use and protect government data more effectively.
At the same time, public and commercial enterprises recognize that perimeter defense tactics are no longer effective by themselves in protecting sensitive data from hackers and insider threats.
Agencies, however, are making mixed progress in adopting a zero-trust approach. About half (48%) of federal government IT decision-makers reported their agency is substantially on its way to adopting an identity-focused approach to protecting access to agency resources. However, 3 in 10 government respondents say their agency still relies heavily on perimeter defense tools or policies.
But for those implementing identity verification technologies, such as multifactor authentication, respondents report their agencies are able to accelerate their move to the cloud and more modern applications and devices.
“By surrounding their data with precision identity and access controls, agencies can better secure their information and improve the user experience for employees and citizens,” the report suggested.
Among various authentication options available to agencies, respondents ranked multifactor one-time password; randomly chosen password/PIN; and out-of-band authenticators as their top three choices for where they plan to increase investments over the next two years.
And as organizations move away from username and password, technologies such as multifactor authentication and password-less user experience will become more relevant, suggest the findings. A little more than half of respondents indicated their agencies are planning to move towards a password-less user experience within the next two years.
Challenges to implementing identity-centered security
Moving to an identity-centric, perimeter-less data environment, however, requires a combination of policy, investment and technology decisions, the report noted.
A majority of government respondents confirmed that their agency has mostly or fully completed inventory of the people, devices and other non-person entities accessing networks and applications — a necessary prerequisite to creating a zero-trust environment. However, between 41 and 48 percent of respondents said their agencies are still in the early stages of taking inventory.
And nearly half or more of respondents said their agency or organization has minimal to average capabilities in determining or ensuring the basic security capabilities required to establish a zero-trust environment, such as knowing which devices are owned by the enterprise and which are not, or whether communications and individual connections are secure.
Obstacles to adopting a zero-trust strategy vary, but the top three ranked reasons that agencies struggle include a lack of staff expertise, insufficient budget and a lack of standardized IT capabilities.
Moving forward
While the standards for creating a Zero Trust Architecture ecosystem are still evolving, agencies now have access to several valuable resources to guide their efforts, the report concludes, including:
- NIST’s draft publication on Zero Trust Architecture components and NIST’s “Digital Identity Guidelines” publication series.
- GSA’s guide to Identity Management and catalog of ICAM solutions and shared services.
- World Wide Web Consortium (W3C) WebAuthn authentication standards.
Read the report, “Security Without Perimeters: Government’s shift to identity-centered access,” for detailed findings on the progress the federal government is making in moving to zero trust.
This article was produced by FedScoop and underwritten by Duo Security.
USDA’s Chad Sheridan leaving government
Chad Sheridan is preparing to leave government and take a role in the private sector.
Sheridan will be departing from his role at the U.S. Department of Agriculture at the end of January, the agency confirmed to FedScoop. This brings an end to Sheridan’s more than 25 years in government, both at USDA and in the Navy.
Sheridan told FedScoop that it feels “bittersweet” to leave USDA but that he’s excited to take on a cross-agency perspective in his next role.
Sheridan most recently served as the chief of service delivery and operations at USDA’s Farm Production and Conservation Business Center. Previously he was the CIO at USDA’s Risk Management Agency until Secretary Sonny Perdue reorganized the agency’s disparate and siloed CIO structure under one central CIO in October 2018. Since then he’s been working to “move the needle” on key customer-focused initiatives like the Farmers.gov portal.
When it comes to creating an enterprisewide resource in government, Sheridan advised that inertia is the primary force that agencies need to overcome. “You’re going to have to learn by doing,” he said. “Try, bump your head, learn, move on.”
Sheridan will join NetImpact Strategies as chief innovation officer in mid-February.
CenturyLink wins EIS award with military’s school system
CenturyLink has won another award under the General Services Administration’s $50 billion telecommunications and network modernization contract.
This time, the Department of Defense Education Activity issued CenturyLink a $75 million task order under the Enterprise Infrastructure Solutions (EIS) program.
The one-year contract with 12 optional years marks the first DOD task order under EIS.
CenturyLink will be tasked with providing virtual private networking, internet, voice and video services to the DODEA — the pre-kindergarten through 12th-grade school system for children of service members who live on U.S. military bases around the globe.
“DODEA put its trust in CenturyLink to provide its staff and tens of thousands of school-aged children of military families with a reliable, robust and secure network that will support desktop computers, printers, mobile devices and video collaboration services in a 21st century learning environment that spans the globe,” David Young, CenturyLink’s senior vice president for public sector, said in a statement. “We’re focused on modernizing and updating DOD’s learning network so DODEA can concentrate on its mission to educate, engage and empower military-connected students to succeed in a dynamic world.”
CenturyLink, the first of nine providers to receive an authority to operate under EIS last year, has already won two other awards under the larger program. Just last week, the Department of Interior issued the company a $1.6 billion task order with option periods that could run through 2032 to manage the agency’s core network services and access services like Wi-Fi. And last April, NASA issued CenturyLink the first task order on the EIS program to deliver core network services.
‘Rigid’ pay system blamed for Federal Cyber Reskilling Academy struggles
The U.S. Merit Systems Protection Board took aim at a “rigid” government pay system that it said was at fault for the lack of success in federal cyber reskilling programs.
The mid-career employees without an IT background who volunteered for the Federal Cyber Reskilling Academy would have had to take a pay cut if they transitioned to a new cybersecurity job, one cause for a lack of success in the program, according to a January newsletter from the MSPB.
The letter says that Office of Management and Budget Deputy Director for Management Margaret Weichert expressed frustration at the close of the program’s first cohort, saying the fault was in a pay system that “promotes fairness but lacks agility.”
The academy was launched in 2018 by Federal CIO Suzette Kent as a part of the President’s Management Agenda to increase the federal government’s cyber workforce. “Cybersecurity is a key priority for this administration. This is why we need to continue to transform and modernize our efforts to improve our cyber posture,” Kent said in a statement in 2018.
One federal IT official pointed to another problem: You can’t make an expert overnight. The pay cuts would have kicked in because the formerly non-IT workers would have had to fill entry-level jobs, a rank that would match their experience level but not necessarily their seniority in the government.
“As anyone who’s worked in Cybersecurity can tell you, you can’t learn this stuff in six weeks,” Bill Hunt, chief enterprise architect at the Small Business Administration, posted on Twitter.
James Read, MSPB’s director for policy and evaluation, raised the idea of a “rank-in-person” system instead of the current rank-in-position system that dominates the GS pay scales. Rank-in-person would take into account an employee’s unique skills, position, seniority and other factors in determining pay, which would give government agencies more flexibility in setting pay rates.
“These specialized workforces are structured to be more agile than GS employees,” he wrote.
The GS rank-in-position structure does allow for a temporary waiver to avoid a drop in income, but only when an employee is reassigned to accommodate immediate vacancy issues and wouldn’t apply to the employees who volunteered for a reskilling program, like the Federal Cyber Reskilling Academy.
Reskilling, especially in IT, has faced challenges both in and out of government, with many failing to convert workers into full-time IT jobs.
DIU kicks off 2020 with a host of new commercial solicitations
What do small satellite constellations and an artificially intelligent flight instructor have in common? The Defense Innovation Unit is seeking both through its latest round of solicitations.
The Defense Department’s Silicon Valley liaison is kicking off 2020 with a host of new contracting opportunities. In all, the organization has six solicitations currently open to responses.
For example, the DOD is interested in finding a commercial off-the-shelf inventory management solution that can find all the agency’s various network devices and quickly identify any vulnerabilities that need to be patched.
“The DOD’s current systems for inventory management are custom-built and do not interface with best of breed market solutions, do not efficiently identify assets, and do not provide an integrated view of vulnerabilities and patch prioritization across the network or for each asset,” the solicitation reads. “Today it takes time to assess, test, and deploy patches that fix newly identified vulnerabilities. This timeline must be shortened for success.”
Another focus area revealed by the solicitations is pilot training. The DOD wants to “streamline” pilot training with the help of some new technologies, including artificial intelligence.
“DOD is interested in prototyping an AI entity which will provide instruction, analysis, and feedback to student pilots before, during, and after simulator events,” the solicitation reads. The solicitation also requests the hardware and software necessary for a cockpit and flight environment simulation.
Through the commercial solutions opening process, companies that successfully impress the organization with their solution brief, pitch and proposal will be granted an Other Transaction Agreement (OTA) contract to develop a prototype. Companies that successfully pass this stage may be granted another OTA for production.
Other current solicitations involve satellite imagery collection and object detection, predictive health and more.
GSA’s Mary Davie headed to NASA
After more than 30 years at the General Services Administration, Mary Davie is headed to NASA.
Davie, a mainstay in federal IT acquisition for more than a decade, will join NASA’s Mission Support Directorate on Feb. 3, according to an internal GSA announcement Tuesday afternoon from Administrator Emily Murphy. Davie will focus on organizational transformation in her new role with the directorate.
“While we are sad to see her go, we are thrilled for her in this new opportunity. As many of you know, Mary has been with GSA for more than 30 years, starting her career here while in college,” Murphy wrote. “Her contributions to the agency and the federal government have been so numerous, it is difficult to summarize in a single message.”
For nearly two years now, Davie has led GSA’s HR Quality Service Management Office responsible for developing NewPay, a federal shared service for payroll. Prior to that, she served as deputy commissioner of the Federal Acquisition Service and assistant commissioner of the Information Technology Category.