New bill would protect federal telework from ‘rollback’
House Democrats Gerry Connolly and John Sarbanes want to save federal telework.
The two introduced a new bill — the Telework Metrics and Cost Savings Act — to the House on Thursday in a bid to require that agencies continue to support expanded teleworking opportunities moving forward.
The bill is a direct response to new policies at the Department of Education and U.S. Department of Agriculture, both of which recently announced that they are shrinking employee telework availability from four days a week to just one. The decisions drew ire from employees and concern about what the influx of commuters could mean for infrastructure in the D.C. area. Connolly, of Virginia, and Sarbanes, of Maryland, both serve large populations of federal workers who could be affected by receding telework policies.
“Instead of instituting mindless, sweeping bans on telework participation, agencies should be expanding teleworking options,” Connolly said in a statement. “Telework is supposed to be a tool for promoting government efficiency, performance, and emergency preparedness.”
If passed, the bill would require that agencies set telework participation goals and would establish a guide that agencies can use for assessing and reporting telework cost savings. It would also require that the Office of Personnel Management establish a plan to keep telework at its current high of 22 percent, or increase that number. This, Connolly and Sarbanes point out, can prevent backtracking like in the case of the Department of Education and USDA.
Telework isn’t just a cost-saving measure, Connolly and Sarbanes note. Flexible working requirements also have a huge impact on the kind of talent the federal government is able to recruit.
“We are making great progress with widespread adoption of telework in the federal government,” Connolly said. “We cannot go in reverse. Telework is a valuable tool for not only government efficiency, but also recruitment and retention of a talented federal workforce.”
“We must push back against the Trump Administration’s repeated attacks on federal telework programs, which make our government work better for the American people,” Sarbanes, who also authored the Telework Enhancement Act of 2010, said in a statement.
U.S. CIO Suzette Kent keys in on talent gap as root of federal cyber struggles
Suzette Kent is only five months on the job as federal CIO, but she’s quickly learned what’s at the heart of the government’s cybersecurity challenges.
Testifying Wednesday before the House Oversight and Government Reform Committee on the federal government’s struggles safeguarding its information, Kent repeatedly pointed to the lack of tech talent as the root of agencies’ perennial cybersecurity woes.
Asked how lawmakers could be of assistance in helping agencies better secure their IT infrastructures, Kent pointed immediately to a “continued focus on workforce activities.”
“In many cases, we still have almost a 25 percent gap in the number of cybersecurity resources we need across federal agencies and what we actually have in place,” she said. “And particularly we have some gaps in leadership and places where we have open positions that are key leaders. In many cases the individuals, when we get them in, their tenure is less than 12 to 18 months. There are multiple workforce actions, both at entry level and at leadership, and there are things that we continue dialogue with the private sector to see if we can fill those gaps.”
Kent — who had not worked in the federal government before joining the Trump administration — said there are still about 15,000 unfilled IT and cybersecurity positions around government. It has been a grueling battle for agencies, with the leadership of the Office of Personnel Management, to catalog those positions to get a better idea of exactly what they have and what they need. OPM just recently renewed its efforts on that front, saying it will survey agency hiring leaders and possibly offer new direct-hire authorities for IT and cyber roles.
Gene Dodaro, head of the Government Accountability Office, said it’s OPM’s current classification system that’s the problem.
“That system was created many years ago, it didn’t contemplate cybersecurity, they haven’t adapted over time and so right now the phase one of what the current administration is currently doing is to take stock of what cybersecurity skills exist across the government,” Dodaro said. A recent report from Dodaro’s GAO team found that OPM is struggling to meet its goals in the initiative. “We should’ve known this for years earlier and developed new systems in place,” he said Wednesday.
And he doesn’t think, necessarily, that throwing more direct-hire authorities at agencies will alone fix the issue.
“Congress has been very good here — they’ve given a lot of special authorities to the agencies,” he said. “But we found that they have over a hundred special hiring authorities, but they only use about a dozen or so. And so it’s OPM hasn’t really looked at whether these special hiring authorities are being effective or not. This needs more attention. I’m very glad the president reorganization proposal is focused on cybersecurity workforce.”
However, Kent said progress is being made, “clarifying the specific positions, as well as common nomenclature.” She referenced her office’s recent release of the CISO Handbook, which is meant to “ensure that we are holding our cybersecurity teams accountable for the same standards of behavior across all of the agencies.”
“But we still have work to do to fill those positions, and particularly in the entry levels to ensure that potentially we are identifying other skill sets in the federal government that we can move into some of those positions,” she said.
Still, finding and assessing the gaps is only step one in improving the situation, and perhaps a much easier task than figuring out how to compete with the private sector for in-demand cybersecurity talent.
“The primary drivers of the vacancies is that cybersecurity skills are one of the hottest skills in the industry right now and we are competing with the private sector,” Kent said. “As well, these cybersecurity professionals have an expectation of quick mobility, large challenges and some ability to move very quickly in their profession. And some of those things don’t align well” with government bureaucracy. And while the federal government can attract some with its variety of “exciting missions,” she said, “so many times it’s a question of compensation.”
Connolly bill would compel agencies to comply with FedRAMP
With more federal agencies moving to the cloud, Rep. Gerry Connolly, D-Va., wants to compel them to use the Federal Risk and Authorization Management Program to verify that the cloud services they adopt are secure.
Connolly introduced the FedRAMP Reform Act of 2018 on Thursday, requiring federal agencies to report their compliance with the cloud authorization program. The bill also aims to streamline the FedRAMP process.
“Despite its best efforts, the Federal Risk and Authorization Management Program continues to suffer from a lack of agency buy-in, a lack of metrics and duplicative processes that have resulted in a lengthy and costly authorization process for cloud service providers,” Connolly said in a statement. “The FedRAMP Reform Act clarifies the responsibilities of federal and private sector stakeholders, establishes a process for metrics so Congress can evaluate the progress of the program and provides FedRAMP customers with the certainty and process reforms they have long sought.”
Established six years ago to standardize the security assessments of cloud service providers looking to sell to federal agencies, FedRAMP has seen growth. However, it maintains a somewhat rocky relationship with some federal and industry leaders and lawmakers.
Part of the issue comes from the time and cost for vendors to obtain an authority to operate. To assuage those concerns, FedRAMP officials have launched a series of initiatives in the past year to streamline the ATO process, including FedRAMP Tailored.
The bill provides a carrot to both agencies and industry, requiring the program to issue metrics to track “the time, cost and quality of the assessments” of the ATO process. It also directs the Office of Management and Budget and the General Services Administration — which houses FedRAMP — to submit an annual report to Congress detailing the FedRAMP program management office’s performance and status on meeting the metrics.
The legislation offers some proverbial sticks for agencies as well. It codifies the program and requires agencies to comply with FedRAMP requirements for cloud services adoption. Agencies would also have to report their ATOs to the FedRAMP PMO, which would track and assess the authorizations governmentwide, something it already does.
To help streamline FedRAMP as a process, the bill also seeks to eliminate duplication in the security assessments offered by the program’s Joint Authorization Board by deeming any provisional authorization it awards adequate by agencies unless they document otherwise.
The bill also encourages FedRAMP to pursue automation technology to streamline the ATO process, a path program officials have been pursuing since last year.
Connolly, known as a watchdog for federal IT, particularly around data center consolidation and acquisition, is a longtime critic of FedRAMP.
FDIC faces a number of ‘challenges and risks’ in IT governance
The Federal Deposit Insurance Corporation’s IT governance practices leave room for improvement, a recent agency inspector general’s report found.
Specifically, the IG found, the FDIC could benefit from fully developing long-term strategies for IT initiatives, and getting buy-in on those strategies, before executing. “An IT strategy is an essential part of the Governance Framework,” the report states. But the former CIO of the FDIC, Larry Gross, stopped work on a long-term plan in 2016 in order to create a short-term “Action Plan” around specific high-risk IT priorities.
However, “the CIO Organization did not obtain the acceptance of organizational stakeholders within the FDIC’s divisions and offices, particularly for the adoption of cloud technologies, prior to executing its 2016 Action Plan,” the IG found. “As a result, stakeholders were uncertain about the business impacts of the FDIC’s IT strategy and approach.”
Issues like this, and others, adversely impacted the three FDIC IT initiatives that the IG looked into — migrating email to the cloud, deploying laptop computers to employees and contractors, and the planned adoption of mobile managed services. In two of these three initiatives, governance issues seem to have slowed down completion of the project. The email-to-the-cloud initiative, for example, had a planned completion date of Dec. 31, 2016, but wasn’t actually complete until Sept. 2017.
And while email is now taken care of, the IG found that the FDIC has been pursuing broader use of cloud computing for some time. However, despite a 2015 independent assessment from Gartner that concluded that the FDIC needs a cloud strategy, “at the close of our audit, the CIO Organization had not yet finalized a comprehensive Cloud Strategy.”
The IG offers eight recommendations to FDIC CIO Howard Whyte, including that he build an implementation plan to serve alongside an IT strategic plan, use enterprise architecture to guide IT decision-making, and more.
Whyte agreed with all eight recommendations. His office said that it has already taken action in six of the areas and will address the other two by June 2019.
GSA, OPM aim to have plans for HR solutions shift by this fall
Agency leaders from the General Services Administration and the Office of Personnel Management said Thursday they hope to deliver a plan to Congress this fall outlining how they will shift the government’s human resources services in the coming months.
As part of the Trump administration’s massive government reorganization strategy, OPM will divest itself of much of the transactional operations centered on its Human Resources Solutions office, which includes a “nationwide cadre of consultants, psychologists, IT specialists, faculty and program managers” that assist agencies in their HR missions.
GSA Administrator Emily Murphy and OPM director Jeff Pon told a Senate subcommittee that planning on that move has begun and should produce timelines and business cases “by the end of summer or early fall.”
“Our task force is actually mapping out that project plan so that there will be a smooth transition on it,” Pon said. “What I think you will see after the task force tackles this part of the HRS is a timeline of implementation which we will be sharing with this body, as well as other key stakeholders.”
The move is the first phase in a multi-step plan to remake OPM into solely a personnel policy office within the White House, while also increasing GSA’s role as a products and services provider for the federal government. While both agencies are examining how to move HRS as the first step, future phases could address whether to move federal retirement and health care products and services as well.
Senators repeatedly asked the pair to demonstrate how overhauling OPM will add efficiency to mission delivery, especially given that the agency will retain its policy role.
Pon told the committee that since GSA already maintains the IT infrastructure for a number of the services that OPM uses, it could streamline solutions and make them more interoperable under one roof.
“I think it’s an operational efficiency,” he said. “One part of OPM does the policy end of things. In the other part of the spectrum, we provide services to agencies. The [GSA] does services for IT and acquisition, and I think finance and HR are the next steps to consolidating that back-office infrastructure.”
Such a move could possibly be done by the Trump administration without legislation from Congress, Murphy and Pon said, but their legal teams were evaluating how to delineate responsibility for governmentwide programs like USAJobs.
But OPM officials also want to complete their work on the federal employee digital record, which requires them to standardize a data infrastructure that can handle troves of employee information and then hand it to the payroll management teams at GSA.
Murphy said that GSA was leveraging its Office of Shared Solutions and Performance Improvement to assist OPM in its EDR efforts and would be helping agencies on how to populate those records with employee information.
“While Jeff is taking the lead on this, it’s definitely going to be something we do in partnership,” she said. “Because GSA, in our work with shared services, may be able to expedite and help those customer agencies with that part of the process.”
The pair said their task forces would likely look at whether to shift health care and retirement operations in fiscal 2020 or 2021, but the EDR operations would play a large role in making those more efficient.
ACLU puts members of Congress in the facial recognition crosshairs
Misidentification by facial recognition technology can happen to anyone — even sitting members of Congress. That’s the attention-grabbing headline of a new study conducted by the American Civil Liberties Union, in which 28 sitting members of Congress were falsely identified as individuals who have been arrested for a crime.
The ACLU’s opposition to law enforcement use of facial recognition tech — specifically Amazon’s Rekognition software — is long-standing and well-documented. But now, the organization is making it personal.
Using Rekognition, the ACLU said it paid $12.33 (“less than a large pizza,” the blog post is careful to point out) to build a database of 25,000 publicly available arrest photos and run that database against public photos of every sitting member of the House and Senate.
The results? The software, according to ACLU, incorrectly identified 28 sitting members of Congress as individuals who have been arrested.
The misidentified congresspeople were men and women, Republicans and Democrats — a diverse bunch including the likes of Rep. John Lewis, D-Ga., Rep. Frank LoBiondo, R-N.J., and Rep. Norma Torres, D-Calif.
The results support the concern that facial recognition technologies like Rekognition are especially likely to misidentify people of color. Thirty-nine percent of the 28 misidentified members of Congress were people of color, despite the fact that people of color make up only about 20 percent of the legislative body.
“People of color are already disproportionately harmed by police practices, and it’s easy to see how Rekognition could exacerbate that,” the ACLU writes. The Congressional Black Caucus recently wrote a letter to Amazon head Jeff Bezos, expressing their concern about racial bias in facial recognition technology.
Rekognition is used by the Washington County police department in Oregon and by the city of Orlando — cases that have received criticism from watchdog groups as well as Amazon employees. It’s unclear if any federal agencies are using Rekognition, but Amazon has marketed the tech to law enforcement at all levels of government.
Despite the criticism, Amazon Web Services’ vice president for worldwide public sector, Teresa Carlson, recently said the company is “unwaveringly” committed to the U.S. government.
“We provide them the tools, we don’t provide the solution application that they build,” she said at the Aspen Security Conference. “And we often don’t know everything they’re actually utilizing the tool for. But they need to have the most innovative and cutting-edge tools they can.”
Echoing previous Amazon statements, Carlson added that government users have a responsibility to use the technology in an “ethical” way. “When the government signs up with us, they still have to have ethical use rights of our tool,” she said. “So if they’re breaking the law, they’re doing something, we would pull that for those reasons. And they sign up and they know the use rights of our tools as well.”
The ACLU’s concern, meanwhile, is that as a society we haven’t fully reckoned with what “ethical” use of this technology looks like. Because of this, and the racial bias concerns, the group argues that the tech is not yet ready for primetime.
“Congress should press for a federal moratorium on the use of face surveillance until its harms, particularly to vulnerable communities, are fully considered,” Neema Singh Guliani, ACLU legislative counsel, said in a statement. “The public deserves a full debate about how and if face surveillance should be used.”
The Pentagon opens JEDI cloud for bidding, still as a single award contract
It’s settled: The Pentagon’s landmark move to the commercial cloud will indeed be through a single award.
The Defense Department, after months of delays and criticism from industry, issued the final request for proposals Thursday for its Joint Enterprise Defense Infrastructure contract — a single-award, indefinite delivery, indefinite quantity acquisition worth up to $10 billion for a possible 10 years. The initial ordering period will be two years, with two three-year options and another two-year option to close it out.
DOD CIO Dana Deasy, who recently was given the lead on the Pentagon’s cloud efforts and specifically JEDI, called the contract a “pathfinder” and “a critical first step in the DoD’s overall cloud environment.”
“I firmly believe that the JEDI Cloud Program and the RFP being released today is the best strategy for the Department to meet its critical and urgent infrastructure needs,” Deasy wrote in a letter accompanying the RFP, saying it “employs the best standards of competitive pricing, innovation, and security.” He wrote that DOD is “looking for an industry partner who will learn with us and help us find the best ways to bring foundational commercial capabilities to our warfighters … I expect you to continue to put your best foot forward with proposals and show us the best industry has to offer. We’re in this together!”
Not much has changed in the specific JEDI acquisition strategy since the initial draft was published in March. It’s still very much the same massive commercial platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) acquisition it was nearly five months ago. However, the department did include in the final solicitation some key documents for transparency, particularly relating to its case to make a single award. Attached to the RFP are the department’s justification to Congress to make a single award and a more recent letter from Undersecretary for Acquisition and Sustainment Ellen Lord approving the final terms of the single-source, fixed-firm-price contract.
“Modern cloud computing capabilities can access, retrieve, manipulate, merge, analyze, and visualize data at machine speeds, providing substantial decision-making advantages on the battlefield,” Lord’s letter reads. “JEDI Cloud is an acquisition for foundational commercial cloud technologies that will enable warfighters to better execute a mission that is increasingly dependent on the exploitation of information.”
For months and months now, industry stakeholders have lobbied the Defense Department to consider a multiple-award contract, but the acquisition team stood by its decision in the name of speed. According to JEDI Program Manager Lt. Col. Kaight Meyers, the acquisition team received more than 1,500 questions and comments on the contract. DOD will continue to field questions on the RFP until Aug. 16 and host a series of in-person question-and-answer sessions Aug. 13-15 at the Pentagon.
Only a few cloud vendors are thought to be in the running for the JEDI contract, including Amazon Web Services, Microsoft Azure, Google Cloud, IBM, CSRA (now part of General Dynamics IT) and Oracle.
The general consensus in the federal IT community is that AWS is a frontrunner, based on its experience hosting the intelligence community’s massive cloud environment and its authorization to handle DOD information up to the Secret level. Teresa Carlson, head of AWS’s public sector efforts, told FedScoop recently that a single award for the JEDI contract “is a good thing.”
However, vendors can achieve the required DOD authorizations after winning the award, according to the RFP. Within 30 days of award, the winning vendor would need to meet the department’s unclassified cloud requirements. It would then have up to 180 days after award to meet Secret-level requirements and, likewise, 270 days after award to meet Top Secret/Sensitive Compartmented Information and Special Access Program requirements.
Industry has until Sept. 17 to issue proposals.
This story is developing. FedScoop will update with new information as it becomes available.
NGA signs new multi-year contract with Esri’s ArcGIS
The vast geo-intelligence resources of the National Geospatial-Intelligence Agency (NGA) have been powered by California-based Esri for about three decades, and the relationship is now set to continue for another five years.
On Wednesday, the company announced that it has signed a new contract to provide the agency with its ArcGIS mapping technology, which is part of the backbone of NGA’s mission of providing geospatial intelligence to U.S. soldiers, government leaders, first responders and more. As NGA’s website proudly proclaims, “anyone who sails a U.S. ship, flies a U.S. aircraft, makes national policy decisions, fights wars, locates targets, responds to natural disasters, or even navigates with a cellphone relies on NGA.”
Esri, meanwhile, is a giant of similar stature in its own field. A report from 2015 concluded that the company has a 43 percent market share in the GIS market.
“We are honored that NGA has selected Esri for this new contract,” Jack Dangermond, founder and president of the company, said in a statement. “NGA is a valued partner to us, and we will continue to support NGA’s mission to provide access to cutting-edge geospatial technology to the greatest number of users in the intelligence community and the Department of Defense.”
The new contract, of an undisclosed dollar figure, sets Esri and NGA up to work together for the next five years. Esri has been selling its technology to NGA (and to its predecessor, the National Imagery and Mapping Agency) for the past 30 years.
The National Park Service wants to use mobile data to help shape its future
The National Park Service wants to use the data coming from mobile devices on federal lands to help improve its long-range transportation and visitor experience plans.
The agency is asking for industry insight on a system it can deploy to collect and analyze location-based services data, navigation-GPS data, contextual data and wireless network signaling data.
The move is part of the agency’s efforts to improve visitor experience while preserving federal lands in the face of growing popularity and to maintain accurate transportation records across the parks.
NPS officials said they have seen expansive growth in national park visitation, particularly in the agency’s Intermountain Region, which runs from Montana to Texas and Oklahoma. Since 1997, annual visitation in the IMR has increased roughly 30 percent, with more than 16.4 million visitors in the past decade.
“Balancing visitor access with the preservation of resources and visitor experience is likely the most important issue facing the NPS in the coming decades,” the RFI said. “Increasing visitation creates a fair amount of urgency for many park units to collect data regarding visitor use patterns. The Intermountain Regional Office (IMRO) provides guidance and support to parks regarding collection, monitoring and assessment of data.”
NPS officials hope to use the data to identify visitor use patterns and coordinate resource condition and visitor experience strategies. They also want to leverage the analysis to help develop NPS’s long-range transportation planning over the next 20 years.
Interested stakeholders have until Aug. 27 to respond.
Marines get historic new CIO, Lorna Mahlock
The Marine Corps has quietly named a historic new CIO.
Lorna Mahlock — the first African-American woman nominated to serve as a brigadier general in the Marine Corps — is now also the service’s director of command, control, communications and computers (C4), and CIO.
Mahlock is also the Corps’ first female CIO, taking over the role in late May, her office confirmed to FedScoop.
Mahlock’s story received national coverage in the media in April after she was nominated for the promotion to brigadier general. Since then, the Senate confirmed her, but news of her appointment as Marine Corps CIO has gone uncovered.
Mahlock’s official promotion date is set for Aug. 3, and until then, her official title is brigadier general “select.”
Prior to taking over the Marines C4/CIO role, which sits under the leadership of the recently consolidated Department of the Navy CIO, Mahlock served as deputy director of plans, policy and operations, and commanding officer of the Marine Air Control Group 18 in Okinawa, Japan.
Mahlock, a native of Jamaica, was commissioned into the Marines in 1991 after immigrating to Brooklyn, New York.
She replaces Brig. Gen. Dennis Crall, who left the CIO role in February to serve in the Office of the Secretary of Defense as principal deputy cyber adviser at the Pentagon. Since then, Ken Bible, the deputy CIO, has been serving in an acting capacity.