IT modernization efforts increase cybersecurity challenges, survey says
The fervent push to update the federal government’s IT has tech professionals facing more cybersecurity challenges on their networks, according to a new report.
A survey of 200 federal IT executives — conducted by Unisys Corporation and research company Market Connections — found that 59 percent of respondents felt IT modernization efforts have increased the cybersecurity challenges they face.
Of those respondents, 53 percent cited the difficulty IT staff have supporting numerous transitions as their leading concern, while 42 percent cited increased compliance reporting as a key hurdle.
The survey, which was presented Wednesday at the IT Modernization Conference @930gov, highlights the challenges facing IT professionals, said Unisys Federal president Venkatapathi “PV” Puvvada.
“I think that not having enough skill sets and not having the right kind of skill sets is hampering them,” he said. “So there is a journey they have to go through as part of the digital transformation. It requires a cultural transformation to get the right skills, both the technical, governance, management and cultural skills.”
Puvvada added: “How do you — in your overall environment, between government, contractor staff and the other service providers that are supporting you — get that right skill set at the right time with the expectations from the business side or the mission side and expectation that they don’t have a whole lot of time? How you do that would be one call-out of the challenges that people have.”
Despite the challenges, 38 percent of respondents said that the security enhancements were the greatest benefit of the IT modernization efforts for agencies, followed by 35 percent who identified the potential of boosting operational efficiency as the greatest asset. So while the challenge of updating IT systems remains, once they are in place, the benefits are starting to be realized.
The survey sheds light on the challenges agencies face in meeting increased security, technology performance and talent management requirements in light of continued budget tightening.
Alongside funding, having skilled technical staff and aligning projects with an agency’s mission were two critical factors that respondents ranked as important in carrying out modernization efforts.
There are efforts in the works that could ease both of those tensions: the Modernizing Government Technology Act currently in the Senate, which proposed a Tech Modernization Fund housed within the General Services Administration, and the anticipated Office of Management and Budget agency reorganization plans.
Puvvada said the funding initiatives could provide agencies more flexibility in developing their modernization strategies.
“I think the MGT Act would be very helpful for a couple things,” he said. “It’s going to demonstrate that [Capitol] Hill is focused on the modernization of the IT systems. It’s just not tenable to maintain legacy systems; it’s just too expensive. When it comes to the appropriations, when agencies go forward, even outside the rotational working capital funds, I think there’s going to be more investments and that’s positive.”
The GSA tech fund, Puvvada said, “is going to allow for a more creative way for the agencies to plan for their longer-term modernization, as opposed to traditionally you would have to [manage] your own costs and pay for the efficiency to get the modernization, which is very hard to sequence. I think that’s very positive.”
One thing that Puvvada said surprised him about the survey was that 33 percent of respondents cited unanticipated cloud adoption challenges as a reason for increased IT security challenges, which was compounded by 41 percent of respondents who graded their agency’s modernization efforts with an A or B.
“What that says is that people are not planning on doing the change management that’s required,” he said. “We’ve been on that cloud journey for a number of years, and we’re still not there — that’s the surprising part.”
Puvvada said those numbers show that agencies still have work to do in aligning their IT management goals and demonstrating the benefits. Once those strategies are aligned, agencies can quickly learn the benefits, he said.
The Technology Transformation Service’s bug bounty is a civilian agency first
Over the past two weeks, hackers have been welcome to probe the 18F-built Federalist website publishing service, and so far the government has paid out $1,400 for their efforts.
It’s the first time a civilian agency has used a bug bounty platform to let members of the general public find website vulnerabilities. The program, which began Aug. 25, is part of a broader effort by the General Services Administration’s Technology Transformation Service to draw upon outside expertise to increase the security of a variety of services. Bug bounty platform HackerOne, which has handled similar projects for the military, is managing the effort.
Although TTS has plans to expand the bug bounty, Federalist is getting all the attention for now. (It has no relationship to the media site The Federalist.)
Federalist’s domain and its source code are currently the only TTS projects in the scope of the competition, but organizers plan to introduce additional targets “at regular intervals,” HackerOne’s program page says, including parts of login.gov, data.gov, vote.gov and more.
TTS is offering “competitive” bounties for vulnerabilities — $150 for the lowest level and up to $2,000 for critical level.
The military pioneered this kind of program in government. In April 2016 the Department of Defense launched Hack the Pentagon, the first federal bug bounty program. The pilot was quickly expanded to include Hack the Army and Hack the Air Force.
TTS isn’t just looking for help with Federalist’s code. It’s also hoping to use this initial bug bounty program to take constructive criticism about how to improve the overall process.
“As the first program of its kind, we expect to evolve its structure over time and welcome feedback on areas for improvement,” the HackerOne description reads.
Cerner taps former VA CIO, ONC head to advisory group
Health care IT company Cerner has brought in some big guns to help advise on its work to build a new electronic health records system for the Department of Veterans Affairs.
The Kansas City-based company tapped former Democratic Sen. and Nebraska Gov. Bob Kerrey to head a nine-person panel that includes former VA and Commerce Department CIO Roger Baker and former head of the Office of the National Coordinator for Health IT within the Department of Health and Human Services Karen DeSalvo.
The group offers a bevy of both health care and IT professionals with private and public sector experience. In addition to Baker, former VA Chief Technology Officer Marina Martin and former VA Secretary Lt. Gen. James Peake are also members of the advisory group.
Travis Dalton, a senior vice president at Cerner, said in a statement that the panel provides depth of knowledge that can help inform the company’s approach to developing a records system for the $167 billion agency.
“As we work with VA to modernize its health record system, the incredibly accomplished members of this group will provide advice and guidance on our approach to improving every veteran’s experience across the system of care – both within VA and with community providers,” he said.
The move comes in the wake of a lawsuit filed by San Diego-based CliniComp International, Inc. last month that alleges the VA violated federal law by awarding Cerner a sole-source contract to build an EHR system interoperable with the Department of Defense’s Military Health System Genesis, which is also operated by Cerner.
VA Secretary David Shulkin announced the contract with Cerner in June after the agency had previously attempted to develop its own update to the Veterans Information Systems and Technology Architecture, or VistA, system.
CliniComp alleges that the agency should have openly bid for the contract.
New tools help agencies gain total visibility of data
The federal government produces or collects petabytes of information daily, including mission and operation data, agency and employee records, social media and basic business documents. Without strategic guidance, agencies tend to save everything, adding unnecessarily to storage, data management and protection costs. Compounding that challenge is the growing need to manage data in the cloud, and across hyper-converged infrastructure environments.
As more and more information is generated, decisions must be made about where it goes, who gets access, whether it’s formatted or unformatted, if it has been cleaned, whether it should be encrypted at rest, encrypted in transit and how to make better decisions with it.

A new FedScoop report explores the current challenges of data management and protection in a changing technology landscape, making key recommendations for what to look for in new data management tools that maximize the value of data while minimizing risk and cost.
New data management tools can help provide a real-time, 360-degree view of the data residing across an agency’s IT ecosystem, ultimately driving efficiencies, lowering costs and mitigating risks. This new generation of data management tools can help federal agencies automate the processes of classifying, archiving and discovering data, as well as ensuring that data is protected, regardless of where it resides or where it travels.
According to Veritas, which provides data and information management solutions for government, decisions about data management may be more difficult than many agency executives appreciate. Agencies are juggling federal mandates from both the current and former administrations regarding security, moves to electronic records by 2019 and data center consolidation. Security is about more than guarding against intrusions — it is about protecting the integrity of the data and making sure it only gets into appropriate hands.
There is also the challenge of “dark data” — information that organizations collect but that doesn’t contribute to business activities — where the “owner” of the data really can’t be determined. Veritas estimates that organizations spend 52 percent of their storage budget on dark data. Another aspect of dark data is duplicated data – information that may be in multiple locations. Identifying which information is the original and most current, and which are duplicates, also dictates what should be stored, what should be moved to the cloud and what should be cleaned.
Data management platforms have evolved significantly beyond single business intelligence tools. The best of breed offerings today provide a combination of capabilities, delivered “as-a-service,” allowing agency CIOs to move away from capital investments to more flexible, controllable operating expenditures.
Download the report for details on how data management platforms help agencies:
- Establish end-to-end visibility of data across hyper-converged infrastructure
- Automate data and application interdependencies
- Enable controls for migrating data across multiple data centers and cloud platforms easily and efficiently
- Provide unified data protection, improving data portability and resiliency
- Generate more powerful insights and actionable intelligence through data mapping, archiving, e-discovery and other tools
The report also explores how data management platforms tie back to three core elements of information governance: Information availability, information protection and information insight.
Putting data to work effectively involves knowing what data agencies have, where it’s located, who’s using it and how it can drive better decision making. Having a 360-degree view on the scope, sprawl and condition of data can make moving data to the cloud significantly easier, and give agencies greater control.
This article was produced by FedScoop for, and sponsored by, Veritas.
Gov Actually Episode 17: Meet the 2017 Sammies Finalists pt. 2
Gov Actually continues its special series celebrating the Partnership for Public Service’s Service to America Medals awards nominees.
Dubbed the Sammies — named for PPS founder Samuel J. Heyman — the awards are frequently called the Oscars of government service.
In this episode, the Gov Actually team speaks with Brenda Smith, the executive assistant commissioner of the Office of International Trade at U.S. Customs and Border Protection. Smith was nominated for a Sammie for her work on the Single Window system, which “has eliminated nearly 200 paper forms and hundreds of redundant data requests, greatly reduced wait times for import and export decisions, and will save the government and businesses tens of millions of dollars,” according to PPS.
Hear more about Smith’s work on the latest episode of Gov Actually, and catch all of the episodes on iTunes and SoundCloud.
18F begins work on centralized FOIA website
The General Services Administration’s 18F digital services team has begun work to build a modern, centralized “portal” for Freedom of Information Act requests.
The FOIA Improvement Act of 2016 directs the Department of Justice to create a “consolidated online request portal that allows a member of the public to submit a request for records under subsection (a) to any agency from a single website.” DOJ, which received $1.3 million to fund the project, hired the agile-based 18F team to develop the site.
So far, 18F has done research by way of user interviews to develop recommendations for the Justice Department that will eventually inform the build of a minimum viable product, 18F members explain in a GitHub post.
18F stresses that the portal may not and probably won’t solve all of the FOIA process’ glaring problems. There are several policy concerns, like the “release to one, release to all” policy for instance, that it has no control over. But the team is aiming to, at a minimum, “let a user submit a FOIA request in one place to any and all parts of the federal government covered by the FOIA,” the GitHub project says. “We’re striving to understand how this can be done in a way that improves the system as a whole.”
18F generally grouped its recommendations for the eventual site around four qualities: interoperability, status tracking, the request and agency selection process, and searchability.
“In short, we found that while a request platform alone cannot address the most significant challenges with FOIA, a single collection point for requests represents a unique opportunity to make significant improvements to the FOIA requesting system overall,” 18F members explain. “Given limited time and resources, we recommend addressing the public’s lack of confidence and understanding of the FOIA system in the short term by improving the usability of the request submission process and better preparing requesters for what to expect from the long and complicated process of fulfilling requests.”
However, in the long term, the team recommends that “the portal seek to provide requesters with status updates and continuously improve the request submission process through usability testing and by working with agencies to identify opportunities for helping requesters create more easily fulfillable requests.”
There’s more to be done before 18F can begin work on the minimum viable product, such as gathering public feedback, prioritizing user stories, prioritizing steps in the FOIA process, coming up with product features, and then again prioritizing those features.
“Finally, we will start building features. As we build, we’ll continue to gather public feedback through regular usability testing,” 18F says. “Then, we’ll work with DOJ to prioritize making crucial usability improvements against building new features.”
Trump administration taps new OPM, GSA nominees
The White House kicked off the Labor Day weekend by announcing two nominees to head up the Office of Personnel Management and General Services Administration.
The Trump administration tapped Jeff Tien Han Pon and Emily Webster Murphy amongst a raft of nominations Sept. 2 to serve as OPM director and GSA administrator, respectively.
Pon comes from the Society for Human Resource Management, where he was chief human resources and strategy officer. He previously served as chief human capital officer at the Department of Energy and served within OPM as deputy director of e-government.
Pon’s time in government and the private sector featured experience that could inform Trump-administration initiatives, including developing shared services and information technology management.
His OPM tenure focused on the agency’s shared service operations for human resources, payroll modernization and the introduction of the federal jobs site, USAJobs.gov.
Following his federal service, Pon was a principal at Booz Allen Hamilton, Inc. focusing on human resources, IT and change management, and he was recently the chief operating officer for Futures Inc., which leverages innovation to help veterans transition to private sector job opportunities.
The agency hasn’t had a permanent director since Kathleen Archuleta, who resigned from her role in 2015 after the agency suffered a series of catastrophic cyberattacks. Beth Cobert served as acting director in the wake of the 2015 hacks and was nominated to serve as the permanent director, but she was not confirmed before the end of the Obama administration.
The Trump administration had previously nominated OPM veteran George Nesterczuk to the director role in May, but he withdrew in August. Kathleen McGettigan has been acting director since January.
Likewise, Murphy is not new to the agency she has been nominated to lead. She had previously served as GSA’s chief acquisition officer from 2005 to 2007, when she helped standardize the agency’s acquisition rules and negotiated a new memorandum-of-understanding with the Department of Defense, the agency’s largest customer.
She also served as a senior advisor to the Small Business Administration’s Government Contracts and Business Development Office, where she oversaw the automation and reorganization of the 8(a) and Small Disadvantaged Business Certification process.
Murphy was serving as a counsel to the House Armed Services Committee and will lead an agency that has become the center of the federal government’s acquisition and innovation efforts.
Timothy Horne has been serving as acting GSA director since January.
Both Pon and Murphy will face Senate confirmation before assuming their roles.
Veterans Affairs IT team takes principled approach to driving customer service
When it comes to customer service, every interaction matters for the Department of Veterans Affairs’ Office of Information and Technology.
For Susan McHugh-Polley, OI&T’s Deputy Assistant Secretary for IT Operations and Services (ITOPS), that means providing de facto support to two customer bases—VA employees who use the department’s systems and the veterans served by those systems.
As the largest federal civilian agency, the VA employs more than 377,000 people who provide health care services to eligible military veterans at medical centers and outpatient clinics around the country. Supporting those employees requires the efforts of OI&T’s team of 16,000 employees and contractors, who manage all of VA’s IT assets and resources—including 1 million IT and medical devices and leading-edge technologies that connect veterans to healthcare.

“What’s driving our effort to ramp up customer service is to make sure that we’re giving unlimited support to the end users who are ultimately providing the services to our veterans,” said McHugh-Polley.
That includes a deepening focus on customers’ experience through the efforts of OI&T’s Veteran Experience team. The team specializes in listening to veterans and their families to foster positive customer experiences and adapt programs to better support them. It also works with VA employees to identify obstacles to achieving excellence on the job.
“Employee empowerment is an essential part of the equation,” McHugh-Polley said. But so is taking “a user-centered design” approach, putting “veterans and employees who serve them at the forefront.”
Beyond that is a strategy based on four key principles: transparency, accountability, innovation and teamwork. The bottom line in customer service, she said, is about focusing “not only on why you serve, but how you serve.”
Making customer feedback more transparent
One catalyst for improving customer engagement has been MyVA. Beginning in 2015, the program set out to give veterans a seamless, unified experience across the entire organization and throughout the country. That led to redrawing VA’s many organizational maps into a single map with five districts, and merging disparate organizational boundaries into a single regional framework with the aim of increasing internal coordination and improving customer experience.
OI&T followed suit, developing an enterprise-wide model that provides a “big picture” view that identifies specific customer needs and vulnerabilities across the organization and streamlines support. The IT department also developed IT Operations and Services, or ITOPS, to furnish more efficient and effective service delivery and promote greater accountability and transparency in order to help VA employees better care for veterans.
VA officials also sought to make the outcomes of its efforts more transparent. Earlier this year, OI&T launched a website for veterans and their families to view the current wait times at local VA facilities. It also posts the ratings of VA hospitals and comparisons with private hospitals in their area. The site, called VA Access to Care, empowers veterans to choose the time and place they receive their care.
Improving self-service platforms
To propel the use of customer self-service applications, OI&T has deployed a Veteran Appointment Request system at 100 sites, so that veterans can self-schedule primary care appointments. The system is aimed at reducing wait times and providing more timely services. While VA officials have acknowledged the need to narrow service gaps, department figures published in July note that out of 5 million appointments completed in the month of June across VA, 96.52 percent were scheduled for care within 30 days of the clinically indicated or Veteran’s preferred date.

For internal users, OI&T has launched the VistA Scheduling Enhancement tool, which improves the application’s front-end graphic user interface so that VA staff personnel can view appointment times more efficiently and spot potential scheduling problems.
Additionally, as part of VA’s overall long-term strategy to provide leading-edge electronic health record, scheduling, workflow management and analytics capabilities, VA is currently developing a modern and sophisticated Medical Appointment Scheduling System, or MASS, for frontline caregivers.
Using available tools to measure progress
Gauging customer satisfaction also means assessing employee satisfaction—and making sure VA’s partners are doing their part. Among other tools, the Veteran Experience program taps into the annual Federal Employee Viewpoint Survey, which gathers feedback from staff on a battery of performance and job satisfaction measures. OI&T also utilizes the quarterly Employee Engagement Survey, which helps OI&T leaders assess and track progress toward OI&T’s goals of improving organizational effectiveness.
OI&T established the Account Management Organization responsible for managing the IT needs of business partners and ensuring a seamless engagement within OI&T. Management teams oversee operations of customer relationships across organizations within VA, including VA medical centers, benefit offices, IT facilities and cemeteries.
“Being proactively transparent by discussing the hard truths and being candid in our conversations will often result in positive change and a successful experience,” McHugh-Polley said.
This article was written and produced by FedScoop for, and sponsored by, Accenture.
Report: IRS’s cyber response team lacks FISMA-required training
A number of federal employees and contractors on the IRS’s cyber incident response team don’t have specialized training required by law, a recent audit by the Treasury Inspector General for Tax Administration found.
The audit, which examined IRS’s cyber incident reporting and cyber training between fiscal 2015 and 2016, found that a majority of the agency employees and contractors working at its Computer Security Incident Response Center had failed to take required specialized training courses.
CSIRC staff and contractors “who have a significant information technology security role” are required by the Federal Information Security Management Act to take eight hours of specialized role-based training each year and report it to the agency, or face sanctions and loss of access.
The IRS initially reported that 10 employees had completed the training in 2015 and seven in 2016, but TIGTA disagreed, saying several employees did not meet the threshold for specialized certification.
“As a result, for the FISMA 2015 yearly cycle, four of the 10 CSIRC employees met the specialized training requirement and the remaining six did not,” the report said. “For the FISMA 2016 yearly cycle, five of the seven employees did not meet the specialized security training requirements.”
TIGTA also flagged 34 courses it considered as containing general security curriculum that CSIRC had designated as specialized. The IRS agreed with the assessment for only seven of the courses.
Likewise, investigators could find no training record for 11 CSIRC contractors in fiscal 2015. And in fiscal 2016, 14 of 15 CSIRC contractors failed to meet the FISMA specialized training requirements. Though agency officials provided training documentation for the contractors, the training occurred in the 2017 FISMA cycle and did not include the number of hours attained. Contractors were also allowed to retain system access despite agency policy requiring that it be revoked.
Agency personnel said that there were several obstacles to obtaining the specialized training, including a lack of funding and difficulty getting approval to attend trainings.
The report noted that funding for the IRS’s cybersecurity training is allocated to all agency cybersecurity operations rather than to individual components like the CSIRC. Therefore, investigators were unable to determine how much of the training funds was allocated to the response center.
TIGTA offered three recommendations related to the specialized training:
- That CSIRC employees and contractors are FISMA-compliant for specialized security training and that contractor training documentation include the number of hours trained
- That CSIRC contractors who aren’t FISMA-compliant have their systems access removed
The IRS agreed with the training recommendation and partially agreed with the contractor recommendation, saying that it implemented systemic de-provisioning on March 6. This approach, the agency said, would deny all access to contractors not in compliance on a weekly basis, rather than relying on individual system owners to carry out the process.
The report also detailed CSIRC incident response, finding that the office responded properly but could improve its reporting procedures.
3 ways Congress can pass an IT modernization bill (and what’s most likely)
Though Congress and the White House have expressed public support for current legislation to change the way the federal government buys information technology, one powerful adversary remains: the congressional calendar.
The Modernizing Government Technology Act has been waiting in the Senate Homeland Security and Governmental Affairs Committee since it passed the House by voice vote in May. But with an upcoming session that includes budget negotiations, debt ceiling negotiations, possible tax reform proposals and the threat of a sequester, there may be little time for the bipartisan bill.
In an effort to speed MGT’s ride through the Senate, Sens. Jerry Moran, R-Kan., and Tom Udall, D-N.M., proposed the bill as an amendment to the 2018 National Defense Authorization Act in August — a move used several times in the past to enact technology legislation as part of the annual defense bill.
But officials at the Professional Services Council said that congressional debate could stall that plan as well.
With the clock ticking on the legislative calendar, here are three ways MGT can become law this year, plus which is most likely:
Option 1: Pass the House bill
MGT has always had strong support in the House, where it passed unanimously in 2016 and again by a voice vote in the spring. That support ebbed late last year in the Senate, thanks in part to a Congressional Budget Office ruling that it would cost $9 billion to implement.
House co-sponsors Rep. Will Hurd, R-Texas, and Rep. Gerry Connolly, D-Va., retooled the bill in 2017, trimming costs to $500 million, but Alan Chvotkin, PSC executive vice president and counsel, said that while a straight up-and-down vote in the Senate would be the path of least resistance to making MGT law, don’t hold your breath.
“I think the fastest route to enactment is for the Senate to pass the House-passed bill without change. I don’t think that’s likely, because they’ve had that opportunity for months,” he said at an Aug. 30 event at the contractor trade association’s headquarters. Senate leaders do sometimes call up noncontroversial House bills for quick voice votes, but it’s tough to predict when any bill might get that treatment.
He added that though the Senate committee is weighing whether to add amendments to the MGT bill, most of the changes could be done through administrative guidance after it’s enacted. The committee has yet to set a markup for the legislation.
Option 2: Pass the Senate bill
Moran and Udall introduced their version of the bill on April 28 and it was subsequently referred to the Homeland Security and Governmental Affairs panel. It has not been heard from since.
This option is very similar to the House bill route, except that if it emerged from committee and passed the Senate, it would still have to go back to the House for a vote.
Option 3: Pass the NDAA
This was the favored route for landmark technology bills like the Federal Information Technology Acquisition Reform Act, or FITARA, in 2015 and the Clinger–Cohen Act of 1996, mostly because the NDAA is almost guaranteed to pass each year.
But it’s not without its downside.
“That’s only slower because you then have to wait for the conference on the NDAA to occur,” Chvotkin said. The NDAA almost always goes to a House-Senate conference committee, where amendments get a hard second look from negotiators, who tend to be from the Armed Services panels in each chamber. The House version, completed this summer, does not include MGT language.
“Because MGT is outside the jurisdiction of the House Armed Services Committee, they would have to get approval from relevant committee jurisdiction — in this case the House Oversight and Government Reform Committee — either as additional conferees or they would waive jurisdiction on the final conference version,” Chvotkin said.
It’s worth noting that Senate leaders haven’t even announced when they might make time to consider the NDAA. And it’s possible that an amendment like the MGT legislation might need 60 votes to be added to the bill.
Because of the complexity of the NDAA process, Chvotkin said that PSC anticipates it will pass in November or December.
While this route will take the longest, it remains the most likely at the moment, given the Senate’s lack of movement on the stand-alone MGT bill. But the fortunes of legislation on Capitol Hill are frequently subject to change. Stay tuned.