How CSRA sees the status of federal cloud adoption

The government is still in the “early innings” of cloud adoption, CSRA CTO Yogesh Khanna said Monday, but the ecosystem is thriving.

In a conference call aimed “to educate the investment community and government IT professionals on the state of cloud technology within the U.S. federal government,” Khanna spoke about CSRA’s cloud offerings and partnerships, and gave an overview of the trends the company is seeing in government cloud adoption.

First, Khanna noted, it’s important to consider the popularity of cloud computing. Since President Barack Obama’s cloud initiative kicked off in 2011, “cloud first” has become a de facto mantra. In other words, there is broad agreement that moving systems to the cloud is the way of the future.

That said, Khanna acknowledged that many federal agencies are struggling to execute the move to the cloud. This is often because agency IT leaders have to answer some tough questions. For example, what’s the right balance between cloud and on-premises data storage?

Khanna sees budget constraints and the expectations of federal employees and citizen customers as major driving forces behind cloud adoption. But there are complications, too. Security and privacy concerns, as well as a perceived loss of control over data, are inhibiting adoption, he said.

These are familiar complaints, but Khanna said the security issue can cut both ways. Microsoft’s Leigh Madden, who joined the call, agreed. “Once the customers begin to experience the security that is available in the cloud … it actually accelerates adoption,” he said.

The upshot of all this, Khanna said, is that hybrid IT environments — those where cloud is utilized for some things and legacy IT systems for others — are status quo. Even as cloud adoption accelerates, he said, this will likely remain the case.

CSRA is an important player in the federal cloud adoption story. The company recently won a Defense Department contract for milCloud 2.0.

NOAA proposes $553M high performance computing contract

The National Oceanic and Atmospheric Administration is proposing a $553 million contract to manage the systems integration of its High Performance Computing program.

The agency first issued its presolicitation for the indefinite-delivery indefinite-quantity contract May 19, seeking support services for its Research and Development High Performance Computing and Communications program, but it reposted the contract July 14, giving industry stakeholders until Sept. 12 to respond with thoughts and concerns on the contract.

The R&D HPCC program tracks weather and climate research modeling for NOAA. The draft request for proposals solicits several services for the program, including systems integration, systems administration, systems operations and support for NOAA’s Environmental Modeling Program.

NOAA operates three high performance R&D computing subsystems.

NOAA officials said in the document that they were seeking to leverage private sector experience to help enhance the system’s architecture and “increase interoperability, compatibility, flexibility and reliability for the continued future evolution of its high performance computing.”

The contract offers nine base years for ordering — in addition to a one-year transition option — with firm-fixed price, time-and-materials, cost-reimbursable and cost-plus-fixed-fee task orders. The contract ceiling is set at $553 million.

NOAA currently receives systems integration for the R&D HPCC program from CSRA, LLC. That $178 million contract is set to expire in May 2018 with a one-year optional extension for transition services.

NOAA said the official request for proposals will likely be issued in October and look very similar to this draft. The agency plans to host an industry day in support of that release.

Citizens express concern about election integrity commission’s data security, only to find their data published online

On Thursday the Presidential Advisory Commission on Election Integrity published more than 100 pages of public comments in response to its work. Unfortunately, the White House panel failed to redact any of the personal information attached to those comments, including full names, email addresses, home addresses and phone numbers.

The commission, created by executive order in May, is set to “study the registration and voting processes used in Federal elections” and submit a report on possible voting system vulnerabilities and voter fraud to President Donald Trump. As part of its work, the panel has requested that states turn over voter data — a move that has generated some controversy and captured the public’s attention.

Many of the public comments submitted to the commission, as other publications have noted, openly poke fun at it. “Hi, I voted in all 50 states,” one email reads. “Just wanted you to know.” Lots include much more colorful language.

But other comments go beyond the jokes to express concern about data privacy if states turn over voter registration information to the commission. If information like voters’ names, birthdates, addresses and Social Security numbers is made public, one letter warns, “many people will get their identity stolen, which will harm the economy.”

It’s ironic, then, that some commenters now find this very information out in public at the hands of the White House. But is the commission’s unredacted publishing of personally identifying information illegal in any way? Or at least ethically dubious? Or just clumsy?

A note on the election integrity commission’s White House webpage does warn potential commenters that their statements may be made public. “Please note that the Commission may post such written comments publicly on our website, including names and contact information that are submitted,” it reads.

However, the Washington Post is reporting that this warning does not appear to have been made public before many of the comments were submitted. The Federal Register notice that includes the due diligence language was published July 5, but “approximately half of the emails published by the White House were dated prior to July 5,” the newspaper reports. The White House webpage where the comments were released, the Post also notes, wasn’t published until July 13.

Other federal entities have different approaches to collecting and publishing the identifying information that comes with public commentary. The Federal Trade Commission website, for example, provides this guideline: “Published comments include the commenter’s last name and state/country as well as the entire text of the comment. Please do not include any sensitive or confidential information.”

Even in the event that the election integrity commission’s commenters were sufficiently aware of what they were signing up for, Alex Howard, deputy director at the Sunlight Foundation, is concerned about the ethics.

“I’m not convinced about the public interest value [of releasing this kind of personal information],” he told FedScoop. As a transparency advocate he’s concerned about the impact this kind of incident has on public discourse. “This creates a disincentive for people to meaningfully participate,” he said. “We should expect better.”

The White House did not respond to a request for comment.

FedScoop reached out to several people whose email addresses were published to understand whether they expected personal information to be made public.

“I submitted my letter with that information because that information is required when I write a letter to the editor or to my elected representatives in the state or federal government,” Julie Pease, whose email address and home address are now public, responded. “That information does not appear when a letter to the editor is printed and I have never seen it posted on any of my elected officials websites. Unfortunately, I assumed a competence that is missing from this White House and I am not happy that this information, as well as the contact information for several others, is posted.”

Another individual, who did not want to be named in this story, said the unredacted publishing was surprising. “Illegal? Likely not,” the person wrote in an email. “Improper, most assuredly.”

The commission holds its first official meeting Wednesday, July 19.

CDW-G wins $238M contract for 2020 census mobile testing and field operations

CDW-G has won a $238 million contract to support the Census Bureau’s use of mobile devices in testing for and operating the 2020 decennial census.

Through the Decennial Device-as-a-Service contract, Census will receive 75,000 mobile devices prior to an August 2019 test and a total of 400,000 in February 2020 for actual enumeration and for nonresponse followup. The agency will also receive the necessary wireless service, accessories and other provisioning in one set of services.

Census, however, will configure its own mobile device management, it said last year. It is also developing supporting applications in-house.

Verizon will serve as the subcontractor to provide wireless service under the contract, FedScoop has learned.

Census wanted to replace the old-school, pencil-and-paper canvassing with smartphone technologies to help enumerators in the field during the upcoming survey, and it weighed several options, including a bring-your-own-device model. Ultimately, the bureau decided on a device-as-a-service model “in which the Census Bureau would award a contract to a telecommunications company that would provide devices and the accompanying service contract on behalf of the Census Bureau to enumerators.”

Census said it is open to both Android and iOS devices for field enumeration.

“This contract vehicle will ensure the best local telecommunication carrier when available, and will cover the mobile device provisioning, shipping, storage, and disposition,” Director John Thompson’s written testimony to the House Oversight and Government Reform Committee’s Subcommittee on Government Operations last November reads.

“These devices have software that enumerators will use to securely collect households’ information and transmit those data, their daily assignments, updates, and timesheets,” the testimony says.

FedRAMP Tailored issues another baseline for public comment

The Federal Risk and Authorization Management Program released a new baseline for its anticipated Tailored service for public comment on Thursday, following an evaluation period of previous comments in March.

The proposed software-as-a-service cloud solution would provide agencies with lower-risk options that can be applied on the new baseline, generating a faster approval process.

FedRAMP, the governmentwide program for authorizing and assessing cloud services, debuted the initial Tailored baseline in February and received 330 public comments, which were later reviewed by its Program Management Office and Joint Authorization Board.

The new baseline includes refined standards for Personally Identifiable Information logins and authentications. Providers are now encouraged to apply “pre-existing government directory services or an external authentication directory.”

Officials said the updated baseline also includes a more detailed policy statement on Continuous Monitoring requirements and more clarity on the attestation process companies use to report that they’re meeting standards. FedRAMP officials said they hope to launch a finalized baseline by the end of summer, after reviewing this round of comments.

FedRAMP has been actively developing options to speed up the authorization process for cloud service providers looking to sell to federal agencies, including releasing a request for information this week on how to automate a portion of its authority to operate, or ATO, process.

FedRAMP Tailored is intended to provide agencies with low-impact SaaS cloud solutions with minimum security control requirements that can clear the ATO process faster.

“We hope FedRAMP Tailored will provide a way in which FedRAMP can support the need government authorizing officials have for a standardized approach to determining the risks associated with authorizing specific low-impact cloud applications — for example, small scale cloud applications that assist the government in doing business, but that do not directly impact the government’s mission needs,” officials said in a Feb. 17 post announcing the service.

The next comment period for the FedRAMP Tailored baseline is open until July 28, with public comment available on the office’s GitHub page.

The government needs agile contracting officers too, DHS officials say

While agile development is driving innovation in the federal tech and citizen services realms, two Department of Homeland Security officials see another arena where it should be applied: contracting.

Continuous Diagnostic and Mitigation Program Manager Kevin Cox and U.S. Citizenship and Immigration Services Deputy CISO Shane Barney said their offices have been able to draft and execute contracts quickly by applying agile principles to their procurements.

“I think we need to have a conversation and help with the training of the contracting professionals where they learn the techniques to do agile contracting and are able to overcome the fear of protests,” Cox said during a FedInsider panel Thursday.

“If everything is well written and you’ve done the due diligence with the fair and openness and the discovery ahead of time, it potentially might help to minimize some of the protests that might occur,” he said.

Contract protests are a much-discussed wrinkle in the acquisition reform debate, mostly because of the time they add to the procurement process.

The Government Accountability Office, which tracks and often adjudicates contract protests, reported that 2,789 protests were filed in fiscal 2016, of which 139 were sustained.

But protests can be costly. The Department of Homeland Security recently abandoned its $1.5 billion Flexible Agile Support for the Homeland, or FLASH, contract vehicle in May after facing several protests.

Barney said by applying agile principles to contracting, USCIS was able to leverage its industry days to communicate with private sector stakeholders about upcoming projects and get valuable feedback without running afoul of the Federal Acquisition Regulation.

“USCIS just held an industry day two weeks ago where we literally sat and said, ‘Hey guys, here are all the contract vehicles we are going to put out in the next year. Ask us questions, tell us what we are missing,’” he said. “But the agile contract that we have been doing has been based on conversations with the industry so that we know when we put that contract out there, we can get a rapid return.”

Barney added that the ability to apply a quick turnaround procurement “will be one of the biggest risk factors for cybersecurity,” especially when contracts are needed to respond to a cyberattack.

House adds cybersecurity amendments to its version of defense bill

Debate on the fiscal 2018 National Defense Authorization Act included the addition of several amendments intended to improve cybersecurity at the Pentagon and elsewhere in the government technology community.

Chris Bing of CyberScoop has more on the provisions, which include proposals to develop a stronger cybersecurity workforce, revisit the Pentagon’s policies on the use of offensive cyber capabilities and report on the Army’s cybersecurity training.

Passage of the bill is expected before the weekend. The House-passed and Senate-passed versions are likely to head to a conference committee before further action this fall.

The House’s defense bill also contains extensions of key provisions of the Federal IT Acquisition Reform Act that are set to expire soon.

Commerce wants to move its cybersecurity to the cloud

The Commerce Department is reaching out to industry stakeholders to find out the best way to move its cybersecurity operations to the cloud.

In a July 11 request for information posted on FedBizOpps, agency officials solicit details from industry vendors on shifting a series of Commerce cybersecurity operations to a cloud service provider approved by the Federal Risk and Authorization Management Program.

Specifically, Commerce wants to move its Enterprise Security Operations Center, Enterprise Cybersecurity Monitoring and Operations, and Continuous Diagnostic and Mitigation systems to the cloud.

“This acquisition will consolidate the functionality and capabilities of these programs under unified management within the DOC [Office of the Chief Information Officer] organization,” the RFI said.

ESOC handles Commerce’s cyber analytics and incident response operations, in addition to coordinating communication with the Department of Homeland Security, the U.S. Computer Emergency Readiness Team, the Office of Management and Budget, and other agencies. ECMO provides continuous monitoring of security-related information for the agency and works along with DHS’s CDM program.

Consolidating the ESOC and ECMO operations — which are located separately at a National Oceanic and Atmospheric Administration site in West Virginia and at the National Institute of Standards and Technology in Germantown, Md. — will facilitate system configurations and functionality updates, Commerce says in the RFI. The separate locations have historically led to “delays in configuration requests and in implementing new functionality,” among other challenges.

“The cloud hosting environment would have the flexibility to easily scale in order to accommodate additional functionality and data log feeds as needed, and would offer a transparent pricing model to make costs predictable,” the RFI explains.

Interested industry stakeholders will need to answer a series of questions about the risk level of the cloud migration, the feasibility of a single vendor to handle the move, data backup resources and more.

Vendors have until July 31 to respond to the RFI.

GSA’s telecom contract award ‘weeks’ away, Zielinski says

With the award of the General Services Administration’s eagerly anticipated, $50 billion telecommunications contract on the horizon, officials want agencies to start planning for it now.

Bill Zielinski, GSA’s assistant commissioner for category management, said at a FedInsider event Thursday that the agency would award the Enterprise Infrastructure Solutions contract — which will manage the federal government’s telecommunications services and infrastructure — in a matter of weeks.

“I am very excited because we are very close to award on EIS,” he said. “I’m just itching to talk about it at some point, but we are still a couple of weeks off from announcing the award and what’s going to be involved.”

While Zielinski was quiet on the details of the award, he did say that agencies would be best served to inventory everything on their networks now and start planning for the shift to EIS, which aims to supply all federal telecommunications by 2020 after the current Networx contract expires. Some of the nation’s largest telecom companies are expected to win bids under EIS.

“We’ve been working on this for over a year now,” he said. “So, whether you are an agency who’s working on their transition plans or you are one of our industry partners, the idea of being able to have a transition plan in place is very, very important.”

He added that GSA would roll out education and information sessions about EIS, and that the contract would provide fair opportunities for agencies to partner with industry stakeholders on how to apply it to their operations.

“With this contract, our ability to move from those kinds of hard-coded, backboned sorts of network services to a converged sort of network services are significant,” Zielinski said.

Stakeholders have eagerly awaited the EIS award ever since a request for proposal for the contract emerged in 2015. GSA released subsequent requests for information on how to transition small agencies to the contract in April and aims to have all agencies transitioned to the contract by May 2020.

Zielinski said that GSA is collaborating with the Department of Homeland Security and the National Security Council to inventory the shared services options available for converging telecommunications networks and providing a smaller cyberattack surface.

That’s why providing network inventory will play an important role for agencies transitioning to EIS. Zielinski added that the inventories compiled when the Networx contract debuted more than a decade ago will help inform agencies this go-around, but they also have other tools to help them manage their inventories, such as GSA’s Software License Management Service and an inventory program baked into EIS, called Connexus.

But while agencies wait to see who will be awarded the contract, there’s no time to sleep on the preparations for it.

“The answer is: Start early, leverage the things that you have,” Zielinski said.

FITARA extensions proposed for House’s 2018 NDAA

A new measure proposed for addition to the House version of the fiscal 2018 National Defense Authorization Act would extend key provisions of the Federal IT Acquisition Reform Act that are set to expire soon.

The bipartisan amendment, proposed by original FITARA co-author Gerry Connolly, D-Va., and adopted by the House on Wednesday, would extend three provisions of the original law: data center consolidation; transparency and risk management of major IT systems using the IT Dashboard; and IT portfolio, program, and resource reviews using PortfolioStat.

Those provisions are set to sunset in late 2018 and 2019. FITARA, initially introduced in 2013, was signed into law by President Barack Obama as part of the 2015 NDAA.

“We are committed to the successful implementation and oversight of FITARA,” Connolly said in a statement. “Previous major IT reform efforts have fallen short of their potential because of a lack of congressional oversight. I will not let that happen with FITARA.”

The IT Dashboard and PortfolioStat provisions would be made permanent if the NDAA is signed into law with the amendment. The data center consolidation provision would be extended by two years to sunset Oct. 1, 2020.

“In working with GAO and OMB on FITARA implementation, we have found that there are areas of FITARA that would benefit from an extension of their original sunset date,” Connolly said.

He added: “Very simply, the federal data center problem is bigger than we initially thought. In 2009, the government estimated it had roughly 1,100 data centers. In reality, by 2015 we found we had more than 11,700. We are potentially leaving money on the table when it comes to data center consolidation if we allow FITARA’s data center reporting and planning requirements to expire in 2018.”

Darrell Issa, R-Calif., a co-sponsor of the original law, also co-sponsored this amendment.

Connolly’s office said it expects passage of the House’s 2018 NDAA on Friday. The annual defense authorization bill typically carries many non-defense provisions.

If passed, the Senate would still need to come to an agreement with the House on its version of the bill before presenting it to the president for signature.