
Recognizing the Need for Innovation in Acquisition


The President’s Management Agenda lays out ambitious plans for the federal government to modernize information technology, prepare its future workforce and improve the way it manages major acquisitions.

These are among 14 cross-agency priority goals on which the administration is focused as it seeks to jettison outdated legacy systems and embrace less cumbersome ways of doing business.

Increasingly, federal IT managers are recognizing the need for innovation in acquisition, not just technology modernization. What exactly will it take to modernize an acquisition system bound by the 1,917-page Federal Acquisition Regulation? Federal acquisition experts say the challenges have less to do with changing those rules than with human behavior – the incentives, motivations and fears of people who touch federal acquisition – from the acquisition professionals themselves to mission owners and government executives and overseers.

“If you want a world-class acquisition system that is responsive to customer needs, you have to be able to use the right tool at the right time,” says Mathew Blum, associate administrator in the Office of Federal Procurement Policy at the Office of Management and Budget. The trouble isn’t a lack of options, he said at the American Council for Technology’s ACT/IAC Acquisition Excellence conference March 27. Rather, he said, it is a lack of bandwidth and a fear of failure that conspire to keep acquisition pros from trying different acquisition strategies.

Risk aversion is a critical issue, agreed Greg Capella, deputy director of the National Technology Information Service at the Department of Commerce. “If you look at what contracting officers get evaluated on, it’s the number of protests, or the number of small business awards [they make],” he said. “It’s not how many successful procurements they’ve managed or what were the results for individual customers.”

Yet there are ways to break through the fear of failure, protests and blame that can paralyze acquisition shops and at the same time save time, save money and improve mission outcomes. Here are four:

  1. Outside Help

The General Services Administration’s (GSA) 18F digital services organization focuses on improving public-facing services and internal systems using commercial-style development approaches. Its agile software development program employs a multidisciplinary team incentivized to work together and produce results quickly, said Alla Goldman Seifert, acting director of GSA’s Office of Acquisition in the Technology Transformation Service.

Her team helps other federal agencies tackle problems quickly and incrementally using an agile development approach. “We bring in a cross-functional team of human-centered design and technical experts, as well as acquisition professionals — all of whom work together to draft a statement of work and do the performance-based contracting for agile software acquisition,” she said.

Acquisition planning may be the most important part of that process. Seifert said 18F has learned a lot since launching its Agile Blanket Purchase Agreement. The group suffered seven protests in three venues. “But since then, every time we iterate, we make sure we right-size the scope and risk we are taking.” She added that by approaching projects in a modular way, risks are diminished and outcomes improved. That’s a best practice that can be replicated throughout government.

“We’re really looking at software and legacy IT modernization: How do you get a mission critical program off of a mainframe? How do you take what is probably going to be a five-year modernization effort and program for it, plan for it and budget for it?” Seifert asked.

GSA experiments in other ways, as well. For example, 18F helped agencies leverage the government’s Challenge.gov platform, publishing needs and offering prizes to the best solutions. The Defense Advanced Research Projects Agency (DARPA) currently seeks ideas for more efficient use of the radio frequency spectrum in its Spectrum Collaboration Challenge. DARPA will award up to $3.5 million to the best ideas. “Even [intelligence community components] have really enjoyed this,” Seifert said. “It really is a good way to increase competition and lower barriers to entry.”

  2. Coaching and Assistance

Many program acquisition officers cite time pressure and lack of bandwidth to learn new tools as barriers to innovation. It’s a classic chicken-and-egg problem: How do you find the time to learn and try something new?

The Department of Homeland Security’s Procurement Innovation Lab (PIL) was created to help program offices do just that – and then capture and share their experience so others in DHS can leverage the results. The PIL provides coaching and advice, and asks only that the accumulated knowledge be shared through webinars and other internal means.

“How do people find time to do innovative stuff?” asked Eric Cho, project lead for PIL. “Either one: find ways to do less, or two: borrow from someone else’s work.” Having a coach to help is also critical, and that’s where his organization comes in.

In less than 100 days, the PIL recently helped a Customs and Border Protection team acquire a system that uses a high-end stud finder to locate contraband such as drugs hidden in walls, Cho said. The effort was completed in less than half the time of an earlier, unsuccessful effort.

Acquisition cycle time can be saved in many ways, from capturing impressions immediately, via group evaluations after oral presentations, to narrowing the competitive field by means of a down-select before trade-off analyses on qualified finalists. Reusing language from similar solicitations can also save time, he said. “This is not an English class.”

Even so, the successful PIL program still left middle managers in program offices a little uncomfortable, DHS officials acknowledged – the natural result of trying something new. Key to success is having high-level commitment and support for such experiments. DHS’s Chief Procurement Officer Soraya Correa has been an outspoken advocate of experimentation and the PIL. That makes a difference.

“It all comes back to the culture of rewarding compliance, rather than creativity,” said OMB’s Blum. “We need to figure out how we build incentives to encourage the workforce to test and adopt new and better ways to do business.”

  3. Outsourcing for Innovation

Another approach is to outsource the heavy lifting to another, better-skilled or more experienced government entity to execute on a specialized need, such as hiring GSA’s 18F to manage agile software development.

Similarly, outsourcing to GSA’s FEDSIM is a proven strategy for efficiently managing and executing complex, enterprise-scale programs with price tags approaching $1 billion or more. FEDSIM combines acquisition and technical expertise to manage such large-scale projects, and executes quickly by leveraging government-wide acquisition vehicles such as Alliant or OASIS, which have already narrowed the field of viable competitors.

“The advantage of FEDSIM is that they have experience executing these large-scale complex IT programs — projects that they’ve done dozens of times — but that others may only face once in a decade,” says Michael McHugh, staff vice president within General Dynamics IT’s Government Wide Acquisition Contract (GWAC) Center. The company supports Alliant and OASIS among other GWACs. “They understand that these programs shouldn’t be just about price, but in identifying the superior technical solution within a predetermined reasonable price range. There’s a difference.”

For program offices looking for guidance rather than to outsource procurement, FEDSIM is developing an “Express Platform” with pre-defined acquisition paths, chosen according to the need, and acquisition templates designed to streamline and accelerate processes, reduce costs and enable innovation. It’s another example of sharing best practices across government agencies.

  4. Minimizing Risk

OMB’s Blum said he doesn’t blame program managers for feeling anxious. He gets that while they like the concept of innovation, they’d rather someone else take the risk. He also believes the risks are lower than they think.

“If you’re talking about testing something new, the downside risk is much less than the upside gain,” Blum said. “Testing shouldn’t entail any more risk than a normal acquisition if you’re applying good acquisition practices — if you’re scoping it carefully, sharing information readily with potential sources so they understand your goals, and by giving participants a robust debrief,” he added. Risks can be managed.

Properly defining the scope, sounding out experts, defining goals and sharing information cannot happen in a vacuum, of course. Richard Spires, former chief information officer at DHS, and now president of Learning Tree International, said he could tell early if projects were likely to succeed or fail based on the level of teamwork exhibited by stakeholders.

“If we had a solid programmatic team that worked well with the procurement organization and you could ask those probing questions, I’ll tell you what: That’s how you spawn innovation,” Spires said. “I think we need to focus more on how to build the right team with all the right stakeholders: legal, security, the programmatic folks, the IT people running the operations.”

Tony Cothron, vice president with General Dynamics IT’s Intelligence portfolio, agreed, saying it takes a combination of teamwork and experience to produce results.

“Contracting and mission need to go hand-in-hand,” Cothron said. “But in this community, mission is paramount. The things everyone should be asking are what other ways are there to get the job done? How do you create more capacity? Deliver analytics to help the mission? Improve continuity of operations? Get more for each dollar? These are hard questions, and they require imaginative solutions.”

For example, Cothron said, bundling services may help reduce costs. Likewise, contractors might accept lower prices in exchange for a longer term. “You need to develop a strategy going in that’s focused on the mission, and then set specific goals for what you want to accomplish,” he added. “There are ways to improve quality. How you contract is one of them.”

Risk of failure doesn’t have to be a disincentive to innovation. Like any risk, it can be managed – and savvy government professionals are discovering they can mitigate risks by leveraging experienced teams, sharing best practices and building on lessons learned. When they do those things, risk decreases – and the odds of success improve.

CDM Program Starts to Tackle Complexities of Cloud


The Trump administration’s twin priorities for federal information technology – improved cybersecurity and modernized federal systems – impose a natural tension: how to protect a federal architecture that is rapidly changing as agencies push more and more systems into the cloud.

The Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program’s early phases focus on understanding what systems are connected to federal networks and who has access to those systems. The next phases – understanding network activity and protecting federal data itself – will pose stiffer challenges for program managers, chief information security officers and systems integrators developing CDM solutions.

Figuring out how to monitor systems in the cloud – and how to examine and protect data there – is a major challenge that is still being worked out, even as more and more federal systems head that way.

“Getting that visibility into the cloud is critical,” says DHS’s CDM Program Manager Kevin Cox. Establishing a Master Device Record, which recognizes all network systems, and establishing a Master User Record, which identifies all network users, were essentially first steps, he told a gathering of government security experts at the ATARC Chief Information Security Officer Summit Jan. 25. “Where we’re headed is to expand out of the on-premise network and go out to the boundary.”

As federal systems move into the cloud, DHS wants CDM to follow – and to have just as much visibility and understanding of that part of the federal information technology ecosystem as it has for systems in government data centers. “We need to make sure we know where that data is, and understand how it is protected,” Cox says.

Eric White, cybersecurity program director at General Dynamics Information Technology’s (GDIT) Health and Civilian Solutions Division, has been involved with CDM almost from its inception. “As agencies move their data and infrastructures from on premise into these virtualized cloud environments, frequently what we see is the complexity of managing IT services and capabilities increasing between on-premise legacy systems and the new cloud solutions. It creates additional challenges for cybersecurity writ large, but also specifically, CDM.”

Combining virtualized and conventional legacy systems is an integration challenge, “not just to get the two to interact effectively, but also to achieve the situational awareness you want in both environments,” White says. “That complexity is something that can impact an organization.”

The next phase of CDM starts with a network of sensors monitoring “what is happening on the network,” including checking for defects between the “desired state” and the “actual state” of device configurations, the measure by which network health and security are tracked. In a closed, on-premise environment, it’s relatively easy to monitor all those activities, because a network manager controls all the settings.
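To make the Master Device Record from Phase 1 and the desired-state/actual-state comparison concrete, here is an added illustration (not DHS or CDM program code). The record format, the baseline settings, the device names and the sensor reports are all constructed assumptions; the check also separates two conditions a dashboard owner cares about: devices reporting that the record does not know, and recorded devices that report nothing at all.

```python
"""Desired-state vs actual-state configuration check, illustrating the
CDM concepts described above. Added example; formats and data are assumed."""
from dataclasses import dataclass

# Constructed Master Device Record: every device the agency has inventoried.
MASTER_DEVICE_RECORD = {"ws-0101", "srv-mail-01", "fw-edge-02", "srv-db-03"}

# Constructed desired-state baseline that every managed device must match.
DESIRED_STATE = {
    "ssh_protocol": "2",
    "password_min_length": 14,
    "auto_update": True,
    "telnet_enabled": False,
}

# Constructed actual-state reports, as a sensor might collect them.
ACTUAL_STATE = {
    "ws-0101": {"ssh_protocol": "2", "password_min_length": 14,
                "auto_update": True, "telnet_enabled": False},
    "srv-mail-01": {"ssh_protocol": "1", "password_min_length": 8,
                    "auto_update": True, "telnet_enabled": False},
    "fw-edge-02": {"ssh_protocol": "2", "password_min_length": 14,
                   "telnet_enabled": True},        # auto_update never reported
    "printer-7": {"ssh_protocol": "2"},            # not in the device record
}


@dataclass
class Defect:
    device: str
    setting: str
    expected: object
    actual: object  # None when the sensor reported nothing for this setting


def find_defects(desired, actual_by_device, device_record):
    """Return (defects, unknown_devices, silent_devices).

    defects:         desired/actual mismatches on recorded devices; a setting
                     the sensor did not report counts as a defect (actual=None)
    unknown_devices: devices that report but are absent from the device record
    silent_devices:  recorded devices from which no actual state arrived
    """
    unknown = sorted(d for d in actual_by_device if d not in device_record)
    silent = sorted(d for d in device_record if d not in actual_by_device)
    defects = []
    for device in sorted(actual_by_device):
        if device not in device_record:
            continue  # tracked in `unknown`; an unmanaged device has no baseline
        reported = actual_by_device[device]
        for setting, expected in desired.items():
            observed = reported.get(setting)
            if observed != expected:
                defects.append(Defect(device, setting, expected, observed))
    return defects, unknown, silent


def defect_counts(desired, actual_by_device, device_record):
    """Per-device defect totals, the roll-up a CDM-style dashboard would show."""
    defects, _, _ = find_defects(desired, actual_by_device, device_record)
    counts = {}
    for d in defects:
        counts[d.device] = counts.get(d.device, 0) + 1
    return counts


if __name__ == "__main__":
    found, unknown, silent = find_defects(DESIRED_STATE, ACTUAL_STATE, MASTER_DEVICE_RECORD)
    for d in found:
        print(f"{d.device}: {d.setting} expected {d.expected!r}, actual {d.actual!r}")
    print("unknown devices:", unknown, "| silent devices:", silent)
```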

But as agencies incorporate virtualized services, such as cloud-based email or office productivity software, new complexities are introduced. Those services can incorporate their own set of security and communications standards and protocols. They may be housed in multi-tenant environments and implemented with proprietary security capabilities and tools. In some cases, these implementations may not be readily compatible with federal continuous monitoring solutions.

The Report to the President on Federal IT Modernization describes the challenges faced in trying to combine existing cyber defenses with new cloud and mobile architectures. DHS’s National Cybersecurity Protection System (NCPS), which includes both the EINSTEIN cyber sensors and a range of cyber analytic tools and protection technologies, provides value, the report said, “but are not enough to combat the full spectrum of advanced persistent threats that rapidly change the attack vectors, tactics, techniques and procedures.”

DHS began a cybersecurity architectural review of federal systems last year, building on a similar Defense Department effort by the Defense Information Systems Agency, which conducted the NIPRNET/SIPRNET Cybersecurity Architecture Review (NSCSAR) in 2016 and 2017. Like NSCSAR, the new .Gov Cybersecurity Architecture Review (.GovCAR) intends to take an adversary’s-eye view of federal networks in order to identify and fix exploitable weaknesses in the overall architecture. In a massively federated arrangement like the federal government’s IT system, that will be a monumental effort.

Cox says the .GovCAR review will also “layer in threat intelligence, so we can evaluate the techniques and technologies we use to see how those technologies are helping us respond to the threat.”

“Ultimately, if the analysis shows our current approach is not optimal, they will look at proposing more optimal approaches,” he says. “We’re looking to be nimble with the CDM program to support that effort.”

The rush to implement CDM as a centrally funded but locally deployed system of systems means the technology varies from agency to agency and implementation to implementation. Meanwhile, agencies have also proceeded with their own modernization and consolidation efforts. So among the pressing challenges is figuring out how to get those sensors and protection technologies to look at federal networks holistically. The government’s network perimeter is no longer a contiguous line. Cloud-based systems are still part of the network, but the security architecture may be completely different, with complex encryption that presents challenges to CDM monitoring technologies almost as effectively as it blocks adversaries.

“Some of these sensors on the network don’t operate too well when they see data in the wrong format,” White explains. “If you’re encrypting data and the sensors aren’t able to decipher it, those sensors won’t return value.”

There won’t be a single answer to solving that riddle. “What you’re trying to do is gather visibility in the cloud, and this requires that you be proactive in working with your cloud service providers,” White says. “You have to understand what they provide, what you are responsible for, what you will have a view of and what you might not be able to see. You’re going to have to negotiate to be compliant with federal FISMA requirements and local security risk thresholds and governance.”

Indeed, Cox points out, “There’s a big push to move more federal data out to the cloud; we need to make sure we know where that data is, and understand how it is protected.” Lapses do occur. “There have been cases where users have moved data out to the cloud, there was uncertainty as to who is configuring the protections on that data, whether the cloud service provider or the user, and because of that uncertainty, the data was left open for others – or adversaries – to view it,” Cox says.

Addressing that issue will be a critical piece of CDM’s Phase 3, and Phase 4 will go further in data protection, Cox says: “It gets into technologies like digital rights management, data loss prevention, architecturally looking at things like microsegmentation, to ensure that – if there is a compromise – we can keep it isolated.”

Critics have questioned the federal government’s approach, focusing on the network first rather than the data. But Cox defends the strategy: “There was such a need to get some of these foundational capabilities in place – to get the basic visibility – that we had to start with Phase 1 and Phase 2, we had to understand what the landscape looked like, what the user base looked like, so we would then know how to protect the data wherever it was.”

“Now we’re really working to get additional protections to make sure that we will have better understanding if there is an incident and we need to respond, and better yet, keep the adversary off the network completely.”

The CDM program changed its approach last year, rolling out a new acquisition vehicle dubbed CDM DEFEND, which leverages task orders under the Alliant government-wide acquisition contract (GWAC), rather than the original “peanut butter spread” concept. “Before, we had to do the full scope of all the deployments everywhere in a short window,” Cox says, adding that now, “We can turn new capabilities much more quickly.”

Integrators are an essential partner in all of this, White says, because they have experience with the tools, experience with multiple agencies and the technical experience, skills and knowledge to help ensure a successful deployment. “The central tenet of CDM is to standardize how vulnerabilities are managed across the federal government, how they’re prioritized and remediated, how we manage the configuration of an enterprise,” he says. “It’s important to not only have a strategy at the enterprise level, but also at the government level, and to have an understanding of the complexity beyond your local situation.”

Ultimately, a point solution is always easier than an enterprise solution, and an enterprise solution is always easier than a multi-enterprise solution. Installing cyber defense tools for an installation of 5,000 people is relatively easy – until you have to make that work with a government-wide system that aims to collect and share threat data in a standardized way, as CDM aims to do.

“You have to take a wider, broader view,” says Stan Tyliszczak, chief engineer at GDIT. “You can’t ignore the complex interfaces with other government entities because when you do, you risk opening up a whole lot of back doors into sensitive networks. It’s not that hard to protect the core of the network – the challenge is in making sure the seams are sewn shut. It’s the interfaces between the disparate systems that pose great risk. Agencies have been trying to solve this thing piece by piece, but when you do that you’re going to have cracks and gaps. And cracks and gaps lead to vulnerabilities. You need to take a holistic approach.”

Agency cyber defenders are all in. Mittal Desai, CISO at the Federal Energy Regulatory Commission (FERC), says his agency is in the process of implementing CDM Phase 2, and looks forward to the results. “We’re confident that once we implement those dashboards,” he says, “it’s going to help us reduce our mean time to detect and our mean time to respond to threats.”

Technology for Border and Perimeter Security


Pentagon Considering Push to Software-Defined Networking


In Quest to Replace Common Access Card, DoD Starts Testing Behavior-Based Authentication


How Many Times Has Your Personal Information Been Exposed to Hackers?


At least 500 million Yahoo users had their information stolen in 2014, the company said on Thursday — a year when half of American adults had their personal information exposed to hackers. Several more big names have been attacked since.
