Some agencies slip in otherwise stagnant FITARA scorecard
Three agencies have managed to improve compliance with the Federal IT Acquisition Reform Act in the past months, but six somehow got worse. This leaves the majority stagnant once again in the biannual FITARA scorecard.
This fifth scorecard, issued by the House Oversight and Government Reform Committee, shows agency adherence to the component pieces of the 2014 law. Key elements include data center optimization and governmentwide software license usage; the law also gives federal chief information officers increased budget authority and accountability.
This is the first scorecard to officially include compliance with FITARA and the MEGABYTE Act for software licensing, and 17 agencies received an “F” under that section.
The U.S. Agency for International Development remains the standout of the bunch as the only agency with an “A” grade. USAID became the first agency to get an “A” this past June.
The bulk of the agencies are in the “C” range, with the departments of Homeland Security, Housing and Urban Development and Justice, and the Environmental Protection Agency having fallen there from “B” grades in June. The Department of Energy also slipped, falling from a “C” to a “D.”
And while the Department of Defense was the only “F” last time, the Department of Transportation now joins the bottom of the rankings.
The House Subcommittee on Government Operations and Subcommittee on IT will call a joint hearing on the new scorecard on Wednesday, and the agenda is packed. Max Everett, CIO of the Department of Energy, will appear on a panel along with the agency’s acting Chief Financial Officer Alison Doone, Director of Acquisition Management John Bashista, Associate Director of Advanced Scientific Computer Research Barbara Helland and the Government Accountability Office’s Dave Powner.
A second panel will feature Jay Mahanand, CIO of USAID, agency CFO Reginald Mitchell and acting Deputy Administrator Wade Warren. Powner will testify on this panel too.
The third and final panel will include Maria Roat, CIO of the Small Business Administration, with agency CFO Tim Gribben, Deputy Administrator Althea Coetzee Leslie and, again, Powner.
Rep. Will Hurd, R-Texas, said recently that as the chair of the IT Subcommittee, he would continue to call struggling CIOs and their CFO and deputy administrator colleagues to grill them on their failure to adhere to the now three-year-old law.
“FITARA really is a good piece of legislation for giving the CIO powers they need,” Hurd said in September. “But they don’t have complete control over what happens in their organization. So, [we’re going to use the MGT Act] to continue to shine a light on that, and bringing the CFO and the deputy agency head or the agency head to ask these questions is a way to force that the senior leaders of the organization understand modernization.”
DOD wants to improve multi-factor authentication around the world — not just at the Pentagon
The Defense Department has painted a grand picture for the future of biometric-based multi-factor authentication.
The end goal isn’t that the eventual technology will be used just for warfighters and Pentagon personnel. The military wants the rest of the world to benefit from advances in digital identity assurance, a senior defense IT acquisition official said, and the DOD needs outside help to get there.
“It’s a partnership. We can’t do it ourselves,” Terry Carpenter, service development executive for the Defense Information Systems Agency, said at the Juniper Networks Government Innovation Forum. “Industry is leading innovation in a lot of places. How we put it all together for the warfighter is some of our joint challenge.”
DOD’s vision for identity assurance, led by DISA, is something that just a few years ago would’ve seemed possible only in movies. DISA wants authentication that isn’t just multi-factor and biometric-based (goodbye, CAC, the common access card). It wants a continuous process, one relying on a plethora of data from sensors that constantly collect and analyze various user behaviors and context. That unsurprisingly includes commercial facial recognition, iris scans, fingerprints and more, but it could also leverage things like locational patterns, gait, speech and keystroke rate.
The rest of the world can benefit from this push for enhanced authentication, the DOD says, even people who never touch classified information.
“We at DISA view that not as a DOD problem. This is a global problem. This is a U.S. citizen problem,” Carpenter said. “How do we help make sure that innovation is not just DOD buying innovation for DOD but it’s all of us collectively putting our innovative resources together to solve the problem for all of us. I personally would love to not have a password for everything I do at home.”
He added: “This is important not just for DISA, but it’s important for all of us to solve as we push technology to the next level.”
Part of DOD’s strategy is to bring in more partners that it doesn’t traditionally do business with through the other transactional authority (OTA), which allows the department to more rapidly fund the research and development of innovative prototypes. Thanks to an enhancement to that authority, the Pentagon can now also move prototypes forward with additional funding for larger-scale production for field use, as with a recent contract for endpoint security.
Instead of setting rigid requirements for what it thinks it needs, this authority allows the DOD to partner with private innovators to test for and co-create what it really needs in smaller stages before any larger and riskier investments.
“There’s a lot of good stuff coming out of this idea of let’s change the way in which we’re having the dialogue,” Carpenter said. “Let’s talk about the need and then figure out together how to write the scope of work to solve that problem. And let’s change the game.”
FedRAMP wants agencies to speak industry’s language
When it comes to cloud procurement, not everybody speaks the same language.
That’s why the General Services Administration’s Secure Cloud Portfolio team wants to create contract language guidance for agencies to use in their cloud acquisitions through the Federal Risk and Authorization Management Program.
The FedRAMP team at GSA issued a request for information hoping to “identify examples of preferred contract language agencies should incorporate to convey FedRAMP requirements in their solicitations,” according to a blog post. “These examples will be used to generate guidance and education for agencies.”
The problem is that agencies often struggle to “provide clear requirements for cloud services or ascribe legacy requirements to this new paradigm,” the RFI explains. “These discrepancies seem particularly pronounced around things like deployment models, portability, interoperability, data ownership, SLAs, migration requirements, integration requirements with agency systems, etc.”
FedRAMP wants industry to respond with comments to its GitHub page giving “examples of both positive and problematic clauses so that we may develop better guidance that leads to better outcomes for both government and industry.” The team also seeks “new and creative examples of industry suggested contract language that could be leveraged as well.”
The questions in the RFI focus on general cloud contract language, the FedRAMP and authority to operate process, and other specific security requirements — again asking for both positive and negative examples in each case.
The hope is this “partnership with industry would help all of us better scope and scale the adoption of cloud technologies and associated services with even more detailed guidance.”
Responses are due by Dec. 15.
The FedRAMP program office has spent much of the past two years working to improve the cloud acquisition process for both agencies and industry.
FedRAMP Director Matt Goodrich spoke recently about the evolving FedRAMP process and how the Trump administration’s cybersecurity executive order will make it easier for agencies to adhere to the cloud standards. Also, in September, the office released the FedRAMP Tailored baseline, which spotlights low-impact Software-as-a-Service systems offered by cloud services providers to help give agencies options for flexible cloud adoption.
VA moves to digitize health records with $158M contract
The Department of Veterans Affairs tapped CSRA to help its ongoing efforts to digitize veteran health records ahead of the development of its electronic health records system.
The agency awarded the Falls Church, Virginia, IT company a $158 million task order to digitize more than 7 million veteran health records.
The 36-month contract tasks the company’s subsidiary, SRA International LLC, with helping the VA’s Records Management Center in St. Louis convert the health records and associated file information as the department continues to develop its $10 billion electronic health records system with Cerner.
Kamal Narang, head of CSRA’s Federal Health Group, said in a statement Monday that the deal would save taxpayers money.
“More important, this work has the potential to save lives by quickly providing doctors and administrators with key information to inform their decisions,” Narang said. “America’s veterans have made enormous sacrifices for our country and CSRA is honored to serve those who served.”
The announcement follows a $234 million contract awarded to the company in 2015 to help digitize veterans’ claims for the VA’s Intake Conversion Mail Handling Services.
This comes as Rep. Timothy Walz, D-Minn., introduced the Veterans’ Electronic Health Record Modernization Oversight Act on Nov. 3, which would require the VA to share quarterly updates on its EHR modernization plans with congressional committees.
CSRA also recently received a $163 million contract from the Defense Information Systems Agency for endpoint security.
DevOps will make the government more efficient. But what actually is it?
The problem with buzzwords is that they tend to accumulate a diversity of definitions depending on the user.
So when Red Hat’s Josh Ranoa opened his “Open Innovation: Make DevOps a Reality” panel at the company’s recent Government Symposium by asking panelists to define DevOps, it seemed an interesting, if basic, starting point. What the audience learned moments later, though, was actually quite intriguing.
That’s because every panelist, each involved in some way in bringing the increasingly popular DevOps practices to their respective agencies, defined the software engineering method differently.
This isn’t to say that the panelists fundamentally disagreed on what DevOps is, but rather that each saw fit to highlight a different element.
And that begs the question: What is DevOps, anyway?
Amazon Web Services offers this compact definition: “DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity,” it states.
This definition is useful because it hits on a lot of key points: DevOps is about delivering software products faster. It’s about continuous testing and incremental development and built-in user feedback and bringing an organization’s engineering (Dev) and operations (Ops) teams together to speak the same language.
DevOps is a job and also an organizational mindset, as Steven Grunch, manager of enterprise cloud services at the United States Citizenship and Immigration Services, defined it.
“I define [DevOps] as a culture of collaboration between different groups, whether that is the traditional developers and operations, or whether it’s between the business and IT organization,” he said. “This idea that business and IT are two different things needs to change. We’re all trying to move in the same direction.”
Simmons Lough, a self-described DevOps evangelist at the U.S. Patent and Trademark Office, focused his definition on the “what” rather than the “how” or “why.”
“I like to concentrate on continuous delivery,” he said. “I kind of look at it as fast, frequent deployments to production without taking shortcuts.”
And over at the Department of Homeland Security headquarters, Jennifer Hoover, a digital services expert in the office of the CTO, honed in on the “who” — the people.
“I always think of DevOps mostly as a people-centric focus,” she told the gathered crowd. “So many times I’ve been at conferences and panels and people talk about DevOps in a very technological way, where it’s focused on technology. But DevOps is so much bigger than technology. DevOps is about people, processes, technology — bringing that all together and then looping in innovation as part of that so we can move better and faster so we can deliver the mission for customers.”
In the end, it was Dave Gray, director of the division of infrastructure services at the Social Security Administration, who delivered the pithiest definition. “I wish I could say that I thought of this myself, but one of my coworkers said ‘DevOps is really just another term for common sense,’” he relayed, to a wave of audience applause.
So what’s DevOps? A lot of things, maybe. Or perhaps just common sense.
For agencies making data center migrations, hybrid cloud is the only cloud
If cloud migration is one of the hottest topics happening in federal IT right now, then lift-and-shift could be quickly becoming its greatest profanity.
The practice of migrating all operations from a legacy system to a single cloud infrastructure can ultimately cost agencies the operational efficiencies their leaders desire, a panel of industry and government experts said Thursday at the Red Hat Government Symposium produced by FedScoop.
Instead, they said federal executives should try to bridge the gap from legacy systems to a sprawl of services across both private and public cloud networks.
“Lifting-and-shifting does not get you anywhere,” said Jane Circle, senior manager of Red Hat’s Global Cloud Provider and Cloud Access Program. “You really have to look at how you are going to re-architect and take advantage of all of the services you have available to you on Microsoft Azure, on Amazon Web Services, on Hewlett Packard Enterprise — and by the way, they’re all different.
“You really have to take a look at how you can take advantage of every one of those platforms, but not lock yourself in,” she said.
For agency leaders trying to formulate the right mix of a private cloud data center versus a commercially accessible one, Jay Huie, the General Services Administration’s secure cloud portfolio director, said the focus should be on what applications each cloud service provider offers and having the choice of what to deploy.
“If you define a static split [of cloud programs], I guarantee you are wrong,” he said. “The whole point of cloud — what is it — is to expand the elastic capacity. So, by definition, everything you do should be a hybrid cloud. Because if you are locking stuff inside your walls, you are not elastic, you’re not secure and you are not stable. If you are locked in to a commercial provider, you’re locked in.”
So the question then becomes not simply which cloud service to use, but how those services work together and with existing legacy systems until they can be decommissioned.
“This homogeneous world that we live in… There is not going to be one, single cloud, period,” said Susie Adams, Microsoft chief technology officer for federal. “What we all recognize is that interoperability is key and standardization is key. That’s why you are seeing folks support things like open source, DevOps and agile compute, and being able to run almost anything on any enterprise.”
Ultimately, the panel said CIOs searching for both security and efficiency will best find them in multiple, integrated solutions with a strong focus on user access control.
“It’s about granularity,” Huie said. “I want this cloud of clouds. Every app should be in its own cloud. You go rob banks because that’s where the money is. I’d rather have a dollar in 100 banks than $100 in one bank, from a security perspective.”
Anthony Robbins joins NVIDIA
Anthony Robbins, a longtime government IT industry executive, joined NVIDIA as vice president of the artificial intelligence-focused company’s public sector practice.
In his new role, Robbins will lead NVIDIA’s federal and defense businesses in the U.S. and Canada, and oversee its higher education and research businesses. Ultimately, with NVIDIA he’ll be helping agencies make the leap into adoption of artificial intelligence “for a variety of applications, including analytics, geospatial intelligence, healthcare, defense and video analytics,” according to a release.
Prior to this, Robbins served as vice president of global defense at AT&T and in various roles with Brocade, Oracle, Sun Microsystems and Silicon Graphics.
He was a FedScoop 50 winner of the Industry Leadership award this year.
Future DATA Act data submissions could be more complete, GAO says
The Digital Accountability and Transparency Act of 2014 has already made an impact on government spending transparency, but there remain some kinks to be worked out to ensure that data reported to USAspending.gov is complete and accurate.
The DATA Act requires that federal agencies submit “accessible, consistent, reliable, and searchable data” for publication and use by policy makers and the public. It also requires that the Government Accountability Office independently assess the “timeliness, completeness, accuracy, and quality” of that data in a report to Congress.
So that’s precisely what the watchdog did — and while the data submitted was broadly found to be timely, there were some weaknesses in its completeness and accuracy.
For example, the investigation found that, within the data submitted for the second quarter of fiscal year 2017, 160 financial assistance programs (an estimated $80 billion in spending) were not included in the data. Additionally, while budgetary data was found to be reasonably accurate, less than 1 percent of award data was accurate when comparing reported data with other “authoritative agency sources.”
GAO also found that while the Office of Management and Budget provides guidelines for agencies on how to define different data elements, agencies can and do interpret these guidelines differently. Further specification is needed, GAO said, to ensure “data consistency and comparability.”
Finally, the report argues that the Department of the Treasury website where all this spending data is displayed, Beta.USAspending.gov (which is currently under development but is supposed to become the sole source for this data this fall), “does not sufficiently disclose known limitations affecting data quality.”
“Without the transparent disclosure of known limitations, users may view, download, or use data made available on the site without full knowledge of the extent to which the data are timely, complete, or accurate, and therefore, could inadvertently draw inaccurate conclusions from the data,” the report states. “Disclosing data limitations does not detract from the value of the data reported under the DATA Act. Instead, it enhances its value by providing users with the information that they need to interpret and use the data appropriately to inform future decision making.”
So while the report acknowledges the “significant strides” that OMB, Treasury and the rest of the government have made in implementing the DATA Act, it concludes that there is still work ahead.
“Our audit of the initial data submitted by agencies and made available to the public on Treasury’s Beta.USAspending.gov website shows that much more needs to be done if the DATA Act’s promise of improving the accuracy and transparency of federal spending data is to be fully realized,” the report states.
The report concludes with six recommendations — two for OMB on clarifying agency guidelines, and four for Treasury on improved oversight and display of the data.
As another requirement of the law, agency inspectors general recently released their mandated audits of each agency’s DATA Act compliance. As the contents of the GAO report might suggest, the results are mixed. The data submitted by the Consumer Financial Protection Bureau, for example, was found to be “complete, timely, accurate, and of good quality.” Meanwhile, over at the Department of Housing and Urban Development, the IG “found widespread errors, inconsistencies, omissions and false values.”
Agency IT architects seeking API ‘developer nirvana’
As the federal government plows forward on innovating the way it provides citizen services, at least one agency is looking to provide fertile ground for API developers to design new solutions.
To make that happen, Rob Brown, division chief of enterprise infrastructure of the U.S. Citizenship and Immigration Services’ Office of Information Technology, is tapping a mix of standardization and customization within his agency’s walls with a concept known as inner-sourcing.
Speaking at the Red Hat Government Symposium produced by FedScoop, Brown outlined the practice, which uses open source code and a centralized platform as its bedrock, encouraging developers to build customized tool sets for individual agency components, but on a common code base shared throughout the agency.
“As we move forward and we are aggregating all of these disparate teams, we start to leverage one version control system for configuration management, and one of our thoughts moving forward was promoting the use of code reuse,” he said. “Having a common sort of tool set where we could start to collaborate on issues across different portfolios, as well as sections of a division. Ultimately, across all of the OIT.”
To move USCIS in a direction that could capitalize on the benefits of inner-sourcing, the agency utilized GitHub as its software development platform and encouraged innovation from there.
But in order to avoid the disparate solutions that can’t integrate and have plagued federal information technology, Brown added that agencies must draw the lines within which developers can operate by laying down good governance.
“Because this is a highly regulated, compliance-driven environment, ensuring that we have some level of governance, we are trying to minimize a lot of the rogue actors, the rogue systems,” he said. “So the goal was let’s do a complete value stream, impact analysis, let’s look at what we can to really build a dev factory.”
The result is a system that can encourage innovation but within the structure of a shared platform. To make it work across the enterprise, achieving what Red Hat chief architect Adam Clater called a “developer nirvana,” Brown said that the DevOpsSec collaboration of developers, operations and security professionals has to take place.
“As we move forward with a lot of these platforms, we actually made sure we partnered with security and security engineers at the outset,” he said. “So when we had these ideas, we went through looking at the right contracts, looking at the right tooling, they were riding shotgun and sometimes driving.”
While the inner-sourcing process continues to develop at USCIS, Brown said it affords the agency both the collaboration of component teams and the environment for developers to experiment with.
“I think that the digital asset of tomorrow, or even today, is API and not [user interface],” he said. “Moving forward from a developer nirvana perspective, ensuring those developers have the right tools in place, again with a little governance, so they could essentially have a portal they could all work in, that there’s a marketplace to promote that kind of DRY principle.”
18F founder takes new private sector digital government role
Greg Godbout, one of a handful of founding 18F members, has joined TechFlow, Inc. as chief digital officer, he told FedScoop.
Godbout noted in an email the importance of the work companies like TechFlow do helping government agencies move to modern technologies and agile software development, calling the transformation “both impressive and daunting.”
“I will be working with the TechFlow team to continue my efforts to help the US Government with its digital transformation,” he wrote to FedScoop. “I have had the privilege of working with TechFlow over the last 6 months and I have found their team to be deeply knowledgeable, efficiently practical, and highly innovative.”
After founding and leading the General Services Administration’s 18F digital team, Godbout moved to the Environmental Protection Agency as CTO. He left government service in 2016, but his work with government didn’t end. He joined Danish tech company cBrain, serving on the company’s international team, primarily working to make sure its F2 software platform fits the needs of U.S. government customers.
In joining TechFlow, Godbout won’t completely separate from cBrain, he said. He’ll remain as the chair of the company’s board.
“I look forward to continued advisement of cBrain North America as they continue to expand their efforts in the US and Canada,” he said. “There is much we can learn from the Danish Model and their successes with Digital Government.”