Congress to SBA CIO Maria Roat: You’re going to be great
Congress has little reason to put its faith in the Office of the CIO at the Small Business Administration, given the office's rough road in recent years. But lawmakers Wednesday showed optimism for the agency’s IT operations under its latest leader.
The office has been led by no fewer than eight CIOs since 2005; when current CIO Maria Roat took office in October 2016 she signed on to fill a position that had stood empty for over a year. This rate of turnover has led the Government Accountability Office and SBA inspector general to raise concerns over the extent to which SBA’s OCIO is able “to foster an environment in which information and technology are used to support and enhance business decisions and Agency operations.”
All this set the stage for Wednesday’s House Small Business Committee hearing, somewhat provocatively titled “Help or Hindrance? A Review of SBA’s Office of the Chief Information Officer.”
The hearing represented an opportunity for committee members to quiz Roat on the improvements she’s made and those she is still planning to make. The upshot? Roat’s very presence in the room is an upgrade over the past few years.
Her first order of business, Roat told the committee, was to “stabilize” the office. Next, she began to look for modernization opportunities. “It is necessary to pivot OCIO from a reactive, fire-fighting, technical support operation to a more proactive services organization that is innovative and responsive to the business and technology needs of SBA’s mission,” Roat said in her testimony.
To that end, Roat has focused on improving the architecture of SBA’s network infrastructure, moving data to the cloud, updating the administration’s website, training employees on basic information security and more.
Roat described herself as a “forward-leaning” type of government CIO, one who likes testing new things at a small scale. Her motto, she said, is “turn it on. Let’s try it.”
Another big focus of Roat’s ten months in office has been recruiting and retaining IT talent. Prompted by questions from committee Chairman Rep. Steve Chabot, R-Ohio, and others, Roat admitted that this is not easy.
“People don’t come work for the federal government for the federal government,” she said. “They come for the mission.”
She said her office is “turning over rocks” to find these mission-driven individuals.
Chabot summed up the overall feel of the hearing in his closing remarks. “The office you now hold has obviously struggled in recent years,” he said. But after meeting Roat and hearing about her work, “I am now encouraged.”
Chris Liddell wants a ‘centers of excellence’ model for government innovation
Chris Liddell hopes the future of government services is one where the public sector can put its own spin on the technology advancements of the private sector.
But the White House’s director of strategic initiatives — and a key member of the Office of American Innovation — knows that the difference between innovating at a company and doing it across the entirety of the federal government is akin to pulling a tight corner in a speedboat versus turning an aircraft carrier.
“We have been making some progress,” he said, “but the way I characterize it is the progress we have been making in the government is slower than the progress we have been making in the private sector.
“So even though we have been achieving some things, we’ve been falling further and further behind,” Liddell said.
Speaking Wednesday at the Partnership for Public Service, Liddell outlined what OAI is doing to innovate within government — including modernizing infrastructure, workforce development and government services.
He added that the function of government is to develop services that make citizens’ lives easier, and while both parties can agree on the final destination, the challenge is how to get there.
“If we can just do this and make individual people’s lives 5, 10, 15 or 20 percent better, that would be a huge contribution,” he said. Previous administrations have focused on improving specific areas, but for the Trump team, “it’s about the ‘how’ rather than the ‘what,’” he said.
To tackle the “how,” Liddell said OAI has used its power to convene to team up with innovation arms like the U.S. Digital Service, the General Services Administration’s Technology Transformation Service and a number of private sector technology CEOs to develop a “centers of excellence” model for government.
“We are thinking about how we bring together a structure, give it some more resources and really turbocharge it, and have centers of excellence that really push this forward progressively across the government,” he said.
The centers of excellence model revolves around a central hub that develops research and best practices for innovation to develop solutions and jumpstart initiatives across a large sector.
Liddell said the idea is in the conceptual stage at OAI, but it could generate new solutions by pooling expertise from across the executive branch and in collaboration with the private sector.
“We want to create centers of excellence and we are just thinking about where they might be,” he said. “They would start with one agency, implement something and move on to the next agency.
“If you take how we would do this in the private sector, if we were a company, is you would have a central entity which would have the expertise in a particular aspect — whether it’s cloud services or data center consolidation or whatever — and you would literally start with one division and get that done and move on to the next one,” Liddell explained.
There are examples of work that follow the basic “centers of excellence” idea within the federal government right now, including one at the Department of Commerce’s National Technical Information Service.
NTIS then reaches out to 35 private sector partners with the request to design custom-built data analytic tools for those agencies that can be delivered within 60 to 90 days.
Liddell said that while moving innovation forward in government could take years — even beyond the tenure of the Trump administration — the centers of excellence model should be able to scale up the skills and best practices across the public sector.
“Individual agencies have expertise, but that same basic concept for things which are common across all aspects of the government or enough agencies to make sense, we should basically have the same approach,” he said.
GSA pulls Kaspersky off approved vendors list
The General Services Administration reportedly removed Russia-based Kaspersky Lab from its approved list of vendors Tuesday.
The move will make it significantly harder for federal agencies to buy and use the company’s cybersecurity products.
Kaspersky Lab has come under increasing suspicion for possible connections to Russian intelligence agencies.
As CyberScoop’s Patrick O’Neill reports, the action follows U.S. intelligence officials unanimously slamming Kaspersky during a Senate Intelligence Committee hearing in May. Additionally, a draft Pentagon budget that would ban Kaspersky products was released last month.
In response to the move, a Kaspersky representative told CyberScoop that the company “has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts.”
“Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game,” Kaspersky told CyberScoop on Tuesday.
The GSA move was first reported by Politico.
GSA looks to automate FedRAMP authorizations
The Federal Risk and Authorization Management Program, or FedRAMP, has unveiled a request for information for ways to streamline the process it uses to authorize cloud service providers.
The July 11 request outlines the information FedRAMP is seeking from industry on how to automate the process for granting authority to operate, or ATO, to cloud service providers. The ATO process has been criticized for the length of time it takes for providers to be approved.
GSA, which manages FedRAMP, says it’s been working with two new White House bodies — the Office of American Innovation and American Technology Council — to improve the ATO process. The RFI specifically asks for commercial off-the-shelf solutions.
“Ideally, the government is looking for tools that are already available, rather than conceptual tools, that could be used to automate the process, and support federal priorities already underway like the Continuous Diagnostics and Mitigation (CDM) as well as Ongoing Authorizations priorities managed by the Department of Homeland Security.”
The RFI asks industry stakeholders to answer a series of questions:
- What tools do you offer to government agencies that automate any or all of the security authorization process?
- What is the deployment model of your solution? i.e. multi-tenant cloud offering or is it an on-premise solution?
- Where and how have customers used these tools in the past for automation?
- Describe your tools’ interoperability with other tools – both for data inputs and outputs, as well as competing tools.
- How can agencies buy your service?
- What questions aren’t we asking that we should be asking? What recommendations do you have for us as we consider automating the ATO process?
- Would you be willing to provide a demonstration of capabilities?
Interested stakeholders have until July 25 to submit their responses.
New ONC chief looks to slash document burden for small medical practices
Three months after the Trump administration tapped Donald Rucker to be its National Coordinator for Health Information Technology, the new ONC chief sat down Tuesday to outline the future of health information technology policy.
While ONC’s goal of making electronic health records interoperable remains, former Siemens Chief Medical Officer Rucker and new Deputy Assistant Secretary for Health Technology Reform Dr. John Fleming — the former Louisiana congressman — made it clear that reducing the documentation burden for small practice medical providers will be a key focus of the office.
“I would say in my entire experience in the government over the decades — I’m sure you’ll find a counter-example — but I believe this is the first time that at the highest levels of [the Department of Health and Human Services] that we’ve had somebody to represent the very small practices,” Rucker said of Fleming, a former small practice physician.
“The large practices we all know,” he said. “I think this is the first time we’ve had an explicit call out to somebody who’s had a lifetime of small practice experience as we go about the whole business of HHS.”
New HHS Secretary Tom Price also spoke of this burden at the recent Health Datapalooza in April, saying “we simply have to do a better job of reducing the burden of health IT on physicians and all health care providers.”
“The promise of big data and health IT is so great, absolutely remarkable. But we must not, cannot continue to get this wrong with the sense that sometimes comes out of this town, and that is a one-size-fits-all, inflexible system for our nation’s physicians and patients simply will not work,” Price said then.
ONC’s focus on reducing the documentation burden for small practice doctors is part of a strategy to make EHR use more palatable for a sliver of the health care sector that typically doesn’t have the resources to navigate the tangled jungle of information requirements, which often causes sensory overload, the officials said.
“We hear more and more complaints from doctors and patients as to the inability for the doctor to focus 100 percent on the patient’s problems,” Fleming said.
He added that ONC would be examining ways to streamline EHRs, including paring down what he called “voluminous” health notes, to make the records more readable and functional, which could also improve health care costs.
“Under the current fee-for-service methodology, doctors are paid for documentation, not necessarily for their level of care,” he said.
Fleming similarly called for a “single, unified electronic health record system” in June.
Rucker added that he and his team are looking at ONC regulations and collaborating with the Centers for Medicare and Medicaid Services to examine the quality framework around value-based purchasing.
“For a lot of practices, this has become a challenge,” he said. “We just have to think about what’s the win? At some point, the expense of complying with the quality measures is a much greater expense of the innate value of the quality measures.”
ONC will also attempt to finish the guidance for the 21st Century Cures Act, which requires the office to tackle issues ranging from establishing a Health IT Advisory Committee and outlining interoperability standards to defining how information blocking inhibits interoperability efforts, among others.
But that’s only if Congress passes a budget come September.
“Some of this we are not actually legally able to work on until Congress starts its handling of the budget,” Rucker said.
Former U.S. CISO Touhill lands as president of Cyxtera federal division
Greg Touhill, the first U.S. chief information security officer, has taken over as president of Cyxtera Federal Group, the newly formed federal contracting arm of secure infrastructure company Cyxtera Technologies.
An Obama appointee, Touhill was not asked to stay as U.S. CISO when President Donald Trump assumed office in January. Now he will oversee Cyxtera Federal Group, launched as a means to connect public sector agencies with technology already being used in the private sector.
As Ryan Johnston reports on CyberScoop, Touhill developed a five-step strategic plan for shoring up federal cybersecurity efforts. The CISO position he occupied was created by the Office of Management and Budget through the Cybersecurity National Action Plan and left Touhill in charge of developing cyber practices across the federal government.
Prior to his CISO nomination, he served as a deputy assistant secretary at the Department of Homeland Security.
“The ways that the federal government can improve are codified in the strategic plan that I put together — the strategic goals while I was the Federal CISO,” Touhill told CyberScoop. “Harden the workforce, treat information as an asset, do the right things the right way, continually innovate and invest wisely, and then finally, make informed cyber risk decisions at the right level.”
Read more about Touhill’s appointment on CyberScoop.
Audit: OPM still faces information security weaknesses 2 years after breaches
Two years after the breaches that exposed the data of 22.1 million people, the Office of Personnel Management is still struggling to properly test its information security.
A new audit by the agency’s inspector general found “significant problems” in OPM’s security assessment and authorization methodology.
Specifically, the audit found weaknesses in the way OPM is testing the security of its local area networks and wide area networks, or LAN/WAN.
The issue stems from April 2015 when then-OPM CIO Donna Seymour decided to extend authorizations for systems that had expired and those that were set to expire through fiscal 2016. At the time Seymour argued this would streamline the authorization process after a big IT modernization project. The move effectively stopped authorization activity at the agency, the IG report states, and placed the agency at “extreme risk associated with neglecting the IT security controls of its information systems.”
Indeed, the IT modernization project was soon scrapped and this left systems included in the extension operating “in the same legacy environment without a valid Authorization.”
After this, in fiscal 2016, OPM started an “authorization sprint” designed to get all systems compliant with authorization guidelines. While this improved the security situation, the IG found, there remain possible vulnerabilities.
“We acknowledge that the lack of a valid Authorization does not necessarily mean that a system is insecure,” the report states. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities.”
While the audit concludes that OPM’s management of authorizations still constitutes a “material weakness” in the agency’s IT security, it ends on a hopeful note.
“It is our understanding that the agency acknowledges this weakness and has a plan in place to address it,” the report acknowledges. “We will continue to monitor this activity closely.”
OPM is also working to develop a “comprehensive security control continuous monitoring program that will eventually replace the need for periodic system Authorizations,” but first it must update its authorizations, the IG found.
OMB fiscal 2019 budget guidance calls for ‘bold reform’
The fiscal 2019 budget may be more than a year away, but the Office of Management and Budget already has a forecast: a chance of more reorganization.
OMB released budget guidance July 7 for fiscal 2019, calling on the executive branch to push for even more efficiency cuts and restructuring while agencies are currently crafting reorganization plans ahead of fiscal 2018’s Sept. 30 deadline.
“These plans should include proposals in four categories: eliminate activities; restructure or merge; improve organizational efficiency and effectiveness; and workforce management,” the OMB document said. “The FY 2019 budget process will give special consideration to bold reform or reorganization proposals that have the potential to dramatically improve effectiveness and efficiency of government operations.”
OMB first rolled out its reorganization plan in April, with Director Mick Mulvaney calling on agencies to effectively rebuild the structure of the executive branch in a more effective and efficient form. It’s very likely that in addition to organizational shifts and cuts, these changes will also result in executive branch agencies leaning on more shared services and commonly bought technologies through strategically sourced acquisition practices, like category management.
Agencies were required to submit reorganization plans to OMB by June 30 — barring approved waivers — to later be finalized by the budget office Sept. 30 and put into effect during fiscal 2019.
The new fiscal 2019 guidance calls on agencies to continue those plans, while also requiring mandatory spending to be revenue-neutral with offsets.
Agencies are also directed to develop new programs that can drive efficiencies — OMB requires leaders to invest no more than five percent above their budget submission levels for the projects, which will be ranked by priority.
While agencies will be driving for more efficiency through reorganization, the guidance forbids them from across-the-board cuts, cost shifts to other parts of the budget, reclassifying discretionary spending to mandatory, increasing user fees or reducing mandatory spending through appropriations, unless directed by OMB.
Agencies must submit their fiscal 2019 plans — along with a draft strategic plan covering fiscal 2018-2022, a fiscal 2019 agency performance plan and priority goals for the fiscal 2018-2019 cycle — by Sept. 11.
DIUx procuring mobile endpoint security software on behalf of Pentagon
The Defense Department is looking to procure a mobile endpoint solution that can scale to millions of users’ devices globally to protect against threats on iOS and Android devices.
On behalf of the Pentagon, the Defense Innovation Unit-Experimental listed a solicitation for a commercially available solution that can “actively vet applications to standards on DoD mobile devices, limiting downloads of certain applications, and stopping malicious activities.”
The Defense Innovation Unit-Experimental, or DIUx, partners with various DOD entities to help them contract for commercial, innovative national defense solutions in a fraction of the time — usually within 60 days of first contact — using what it calls commercial solutions openings.
Though it doesn’t explicitly require them, the language of the solicitation suggests the Pentagon is pursuing something automated — with the potential for next generation machine learning or behavioral analysis capabilities. The technology must proactively update to reflect “[t]rends and signatures of cutting edge ransomware or other kinds of malicious activities” and automatically detect “[a]bnormalities and unusual account behavior…prior to granting users access to sensitive information,” the solicitation says.
Proposed technologies must also integrate with MobileIron, the Pentagon’s existing mobile device management software, and give users “the flexibility to isolate, wipe, blacklist, patch, and perform other security actions when responding to an identified threat.”
DIUx will invite selected companies to show their endpoint security software during a “PlugTest,” which will be used in part to evaluate which vendor — or possibly vendors — the Pentagon will award a prototype contract to.
“DoD is considering the possibility of awarding more than one contract should multiple solutions meet the evaluation criteria,” the opening says.
The solicitation is open until July 19; the PlugTests will begin July 24.
GSA to make veteran-owned small businesses more accessible on supply schedules
The General Services Administration has partnered with the Department of Veterans Affairs to make it easier for agencies to find veteran-owned vendors on acquisition supply schedules.
The pair signed a memorandum of understanding July 10 to give verified service-disabled veteran-owned small businesses and veteran-owned small businesses listed in VA’s verified vendor database clearer designations on GSA’s VA Advantage list.
VA Advantage catalogs GSA-approved veteran contractors offering services on the agency’s supply schedules. The new MOU will provide VOSBs with a special icon to designate their verified status on VA Advantage.
“Gaining verified VA VIP status provides access to important resources for Veteran-owned businesses,” acting Deputy Commissioner of GSA’s Federal Acquisition Service Mary Davie said in a statement. “The MOU provides VIP Veteran contractors with valuable increased visibility to vendors through GSA’s VA Advantage.”
Per a 2016 department procurement policy known as the Rule of Two, the VA must reserve procurements for veteran-owned competition “if a contracting officer has a reasonable expectation that two or more small businesses owned and controlled by veterans will submit offers” at a fair and reasonable price.
Officials said the goal of the MOU was to make it easier for VA contracting officers to identify two veteran-owned small businesses that could potentially fulfill those procurement requirements.
“The VA and GSA have a longstanding partnership working on improving acquisitions,” Jan Frye, VA deputy assistant secretary for acquisition and logistics, said in a statement. “This new icon program enhances the collaboration between our agencies and makes it easier for the VA workforce to meet their mission and make sound purchasing decisions.”
Veteran-owned businesses will only be eligible for the designation if they have been verified through the agency’s Vets First Verification Program.