
GSA Weighing ‘Multiple Initiatives’ For Government 2019 Centers of Excellence (COE) Projects


“FEDSCOOP”

“The USDA was selected to be the “lighthouse” agency for the rollout of all five CoE teams, but future projects could focus on agencies using individual teams.

Those teams are paired with contractors, as well as personnel at target agencies, to carry out IT modernization projects based on their skill sets.”

___________________________________________________________________________________________

“As the General Services Administration moves forward leading the White House’s Centers of Excellence program to modernize IT operations at the Department of Agriculture, agency officials at the agency’s Technology Transformation Service are already looking toward the next round of projects.

Joanne Collins-Smee, deputy commissioner of the Federal Acquisition Service and TTS director, said Friday that the agency was already looking for what projects it could deploy the CoE teams to in fiscal 2019.

“That’s the vision, that we would have several agencies that the CoEs are in at one time,” she said at ACT-IAC’s Igniting Innovation event. “So, for the first substantiation, we all agreed it’s USDA and USDA alone. But as we look into 2019, we are looking at are there other agencies that we would bring on?”

The CoE program, announced in December, is built on five teams of IT talent specializing in cloud adoption, IT infrastructure optimization, customer experience, contact center services and service delivery analytics.

“So as we are evolving this model, the view is that it doesn’t have to be all five. We are going to be building up the teams also,” she said. “So our vision is that we are going to have similar tiger teams. Obviously, they have a very specific skill, but they would go into the next agency. So it’s not like the same team would do USDA and [another] agency.”

The ongoing USDA modernization project is currently in its assessment phase of what is projected to be a three-year overall project, with each team on a separate timeline.

USDA CIO Gary Washington said he expects the implementation phase to begin this fall after the agency assessment and game-planning by the CoE teams are complete.

“We have set ambitious, but realistic timeframes to accomplish this,” he said.

Collins-Smee added that GSA and USDA would be revealing some of that assessment information, as well as the timeline for the implementation phase, in an industry day next month.”

https://www.fedscoop.com/gsa-weighing-multiple-initiatives-next-coe-projects-2019/


SBA Rejects Major Changes in Size Standard Methodology


“SMALLGOVCON.COM”

“The SBA’s commentary accompanied the publication of the SBA’s revised Size Standards Methodology White Paper, which is now available on the SBA’s website.

The White Paper explains how the SBA establishes, reviews, and modifies its small business size standards.”

__________________________________________________________________________________________

“In commentary published in the Federal Register last week, the SBA rejected (among other things) recommendations that it use average employee count to evaluate the sizes of construction firms and that other firms’ sizes be measured by profits or net worth instead of average annual receipts.

Way back in October 2009, the SBA solicited commentary on the White Paper in effect at the time.  The SBA also sought comments on various policy questions the SBA must consider when developing size standards, such as “how high a small business size standard should be, should there be a single measure of business size for all industries (i.e., employee or annual receipts)” and so on.  The SBA accepted comments until the end of the 2015 fiscal year.

Now, some 8 1/2 years after the SBA first sought public comments, the SBA has published its responses to those comments.  If you’re something of a size policy nerd (I’ll admit to it!), the SBA’s Federal Register commentary is worth reading in its entirety.  But for those who may not put themselves in that category, here are some of the highlights:

  • Profit measure rejected.  The SBA rejected a suggestion to establish size standards based on gross profits rather than average annual receipts or employee count.  “If a size standard were established in terms of gross profits,” the SBA wrote, “a company with hundreds of millions in revenues and thousands of employees can qualify as small under a profits-based size standard.”  In fact, the SBA said, “[i]t is not unusual for very large companies to have little or negative profit over the course of business cycles.”  Plus, “a firm’s profits can be manipulated and thus would be an inconsistent and misleading measure of [a] firm’s size for size standards purposes.”  Probably once a month or so, I hear from a business owner who asks whether size standards are already based on profits.  It’s a rather common misconception.  But not only are profits not the measure of small business size, the SBA has no plans to head in that direction.
  • Employee count for construction rejected.  The SBA also rejected a suggestion to use average employee count, rather than average annual receipts, to measure the sizes of construction companies.  “Under SBA’s prime contractor performance requirements . . . a general construction company needs to perform as little as 15 percent of the value of the work and a specialty trade contractor can perform as little as 25 percent of the work with their own resources,” the SBA wrote.  “SBA is concerned that employee based size standards could encourage construction companies near the size standard to subcontract more work to others to bypass the limitations on subcontracting and remain technically a small business.”  The SBA concluded: “[r]eceipts, as a representative of the overall value of a company’s entire portfolio of work in a given period of time, are a better measure of the size of a construction company to determine its eligibility for Federal assistance.”
  • Net worth limits rejected.  The SBA similarly rejected a proposal to base size standards on net worth, saying that such a measure “is not practicable.”  The SBA explained that “[a] company’s net worth can be affected by a number of things, such as debt, repurchased corporate stock, etc.”  Furthermore, “data on net worth is not available by industry,” which would make it impossible for SBA to fairly establish size standards based on that measure.
  • No mid-tier or “micro” size standards.  The SBA also rejected calls to establish new size standards for “mid-sized” businesses (certain companies that have outgrown the small business size standard) and “micro” businesses (such as those with less than $100,000 in sales or fewer than 20 employees).  In rejecting these proposals, the SBA cited “significant complexity,” a “much more burdensome system and reporting requirements” and the fact that “Congress would need to establish new small business procurement goals for each tier to ensure that small businesses at different tiers have a fair access to Federal contracts.”

The SBA’s commentary is chock-full of interesting information, and not everything is the SBA saying “no.”  The SBA does make some proposed improvements and refinements to its size standards methodology.  The SBA also seeks public commentary on a variety of important size questions, such as whether there would be a uniform maximum size standard, and whether the SBA should consider lowering any size standards.  Public comments are due by June 26, 2018.”

http://smallgovcon.com/statutes-and-regulations/sba-rejects-major-changes-in-size-standard-methodology/


The Case For A Deeply Embedded Ethical Culture In Government Contractors


Image:  “Jenningswire.com”

“NATIONAL DEFENSE MAGAZINE”

“The government contracting world is a primary example of ethical issues being played out under the public’s and the government’s microscopic eye.  Various studies indicate 40 to 60 percent of a company’s market value is based on its reputation. 

Companies must go beyond making statements about doing business ethically and translate those words into action. Leaders must lead. Deeply embedding an ethical culture requires a commitment equal to that which is necessary to attain bottom line success.”

__________________________________________________________________________________________

“In a highly regulated work environment, leadership rarely makes a distinction between compliance and ethics.

Compliance is typically defined as adhering to a specification, policy and required standards. Ethics identifies right and wrong behavior, and in the work environment reflects the culture, the degree of attention paid to it, and how it is strategized, prioritized and enforced.

Despite government contractors’ immeasurable contributions to the country’s safety and security, the sector is consistently targeted for scrutiny by government regulators and agencies around the world for violations related to fraud, waste, financial mismanagement, conflicts of interest and bribery.

Being in compliance and having proper internal controls are critically important, yet many companies who are in compliance do not devote the time, energy and intellectual rigor to a deeply embedded ethical culture. Codes of conduct, ethics policies, compliance measures and articulated values just become boxes to check and words on the wall without efforts to instill an ethical culture in the daily actions of the company.

The government cares. Data from the Interagency Suspension and Debarment Committee’s annual reports to Congress on the status of the federal suspension and debarment system reflects thousands of suspensions and debarments in recent years. The financial, reputational and human pain is enormous, even when people of no intentional ill-will make mistakes resulting in suspended contracts, diminished business, extraordinary legal expenses, layoffs and reputations soiled.

There is another distinct motivation, with significant financial implications, for having a deeply embedded ethical culture. According to Association of Certified Fraud Examiner surveys, fraud is as common in business as coffee cups. Forty-five percent of all companies experience fraud at any given time. The median fraud incident loss is $140,000. One-quarter of the incidents result in losses in excess of $1 million. And a typical company loses 5 percent of its revenue annually to fraud.

Employees in organizations with strong ethical cultures and formal programs are 36 percentage points less likely to observe misconduct than employees in organizations with a weak ethical culture. Leaders who don’t elevate culture to an essential priority risk long-term business and reputational problems, as ethical culture is the single biggest factor determining the amount of misconduct that will take place in a work environment.

Embedding ethical culture can be accomplished by taking concrete, measurable action steps in a number of key areas.

Organizational structure, culture and commitment reflect the company’s overall approach to ethics and compliance. For example, in a contest between upholding principles and seeking profit, how does the business evidence that principles come first? Are ethics and compliance stood up for even if deemed controversial? Are ethical awareness and actions incorporated into the selection of executives and management, and in their performance evaluations and promotion decisions?

Commitment to ethics must be manifested in the responsibilities of leadership in shaping and guiding its ethics and integrity initiatives. Are management pay, bonuses and promotions tied to ethical indicators? Is it clearly articulated that part of senior management’s responsibilities is to be seen as models of ethical conduct and provide leadership in this arena?

Legal and compliance policies must be robust and effectively communicated. Has the business articulated the ethical standards and principles expected of third parties? Is the company knowledgeable of and in compliance with the laws of all the jurisdictions in which it operates?

Discipline and rewards systems reflect how the company sets and enforces its standards for ethical conduct and behaving with integrity — all the way up to the C-suite and Board. Has the company taken disciplinary action against high-performing executives for ethical or compliance breaches? Have leaders and managers consistently taken disciplinary action when necessary with regard to unethical acts?

Ethics communications powerfully articulate and promote the company’s ethics and integrity initiatives, both internally and externally. There should be a clear commitment to ethics as demonstrated by speeches or other correspondence and communications from the CEO or other senior executives, and evidence of business ethics in action as demonstrated by the company’s response to a specific challenge.

Warren Buffett, chairman and CEO of Berkshire Hathaway, famously said, “It takes 20 years to build a reputation and five minutes to lose it.” He also less famously said, “Lose money for the firm and I will be understanding; lose a shred of reputation for the firm and I will be ruthless.”

This is especially germane for government contractors sitting under the glaring spotlight of scrutiny.”

http://www.nationaldefensemagazine.org/articles/2018/1/30/the-case-for-a-deeply-embedded-ethical-culture


Three Rules (‘R’s) For Government Contracting Success


Image: Hobokenfitness.com

“WASHINGTON TECHNOLOGY”: By Mark Amtower

“Research, Resources, and Relationships.

These three R’s still remain basic building blocks for newbies and pros. While there are other things that must be done, the three R’s should be at or near the top of your list.”

_____________________________________________________________________________________

“As time permits, I occasionally go back and read my blog posts, LinkedIn posts and my Washington Technology articles. I do this for several reasons: to see if the “rules” are changing, to see if I was right or wrong about something, and to see the evolution of the market and of my thinking.

Back in July 2011, I wrote a column in WashTech on the “Three R’s of Government Contracting.”

Nearly every week I will get a call from someone with the latest, greatest tool, product or service, something without which the government might not survive.

My first question is always “do you know who the competition is, who the major players are in this category?”

The responses fall largely into two categories: We are so superior it doesn’t matter, or, this is a new category so there are no competitors.

Conversations with online training companies illustrate this well.

In one case the company said the “name” of the company would create the market share necessary. The name of the company includes the name of the founder, a player in B2B IT, but not in B2G. They wanted help “getting the word out” but assumed their newly minted GSA Schedule would sell itself once people knew they were here.

Needless to say, when I checked their GSA sales a year later, they were still at $0.

Another company simply told me their IT training was the absolute best, hands down, and that sales would occur. Like the other company, they just wanted help “getting the word out.”

I passed on both gigs because I don’t like to take money when the prospect of market share is slim to none. Why?

First, in both cases, they had not done the research, were not going to devote the resources, and neither had the relationships needed to get started — nor did they seem to think they would need them.

The research would have shown that there are entrenched players in the IT training arena (I have advised three of them over the years) and each had more than a GSA Schedule as a sales vehicle.

The research would also have shown that each of the main players had grown incrementally over the past 24 years (it was around 1994 when IT training started to become widespread: see footnote), and that none was an instant success.

Second, neither company was going to devote much in the way of resources to this effort, assuming that either the company name or the (alleged) quality of the training would carry the day. No real dedicated sales or BD staff, no inclination to partner on other contractual vehicles, no real understanding of how to get traction.

Third, when I looked up the key people from each company on LinkedIn I could see that they were not connected to this community. While it may seem arbitrary, I rate someone’s connectedness in our market by how many connections we share. With these two companies, it was minimal at best.

Management Concepts is a major player in B2G training, and while I have not worked with them, I share 199 connections with the president, Steve Maier. I have 7 first degree connections at Management Concepts and share 1,331 connections with those 7 people. As a company they are well-connected with the government contracting community, feds and contractors alike.

Can a company successfully enter the IT training space today? Certainly, but there will be no immediate traction. They have to be prepared for the long haul.

The two companies seeking a quick, lucrative entry into this market faced a rude awakening.

I told them what they were facing, but neither believed.

Research, resources and relationships. Don’t go to market without them.

(Footnote: In 1994, CompUSA had the first IT training offering on GSA. They had classroom training for things like WordPerfect, Lotus 1-2-3, basically shrink-wrapped products. Learning Tree International followed around 1995 offering higher level, certificate-based training. Global Knowledge soon followed. I am not sure when Management Concepts got their first contract but it was certainly there at that time.)”

https://washingtontechnology.com/articles/2018/04/25/insights-amtower-3-rs-revisited.aspx

Mark Amtower

About the Author

Mark Amtower advises government contractors on all facets of business-to-government (B2G) marketing and leveraging LinkedIn. Find Mark on LinkedIn at http://www.linkedin.com/in/markamtower. 

Defending Hospitals Against Life-Threatening Cyber Attacks


Image:  phys.org

“FIFTH DOMAIN”

“Hospitals are unlike other companies in two important ways. They keep medical records, which are among the most sensitive data about people.

And many hospital electronics help keep patients alive, monitoring vital signs, administering medications, and even breathing and pumping blood for those in the most dire conditions.”

__________________________________________________________________________________________

“A 2013 data breach at the University of Washington Medicine medical group compromised about 90,000 patients’ records and resulted in a US$750,000 fine from federal regulators. In 2015, the UCLA Health system, which includes a number of hospitals, revealed that attackers accessed a part of its network that handled information for 4.5 million patients. Cyberattacks can interrupt medical devices, close emergency rooms and cancel surgeries. The WannaCry attack, for instance, disrupted a third of the UK’s National Health Service organizations, resulting in canceled appointments and operations. These sorts of problems are a growing threat in the health care industry.

Protecting hospitals’ computer networks is crucial to preserving patient privacy – and even life itself. Yet recent research shows that the health care industry lags behind other industries in securing its data.

I’m a systems scientist at MIT Sloan School of Management, interested in understanding complex socio-technical systems such as cybersecurity in health care. A former student, Jessica Kaiser, and I interviewed hospital officials in charge of cybersecurity and industry experts, to identify how hospitals manage cybersecurity issues. We found that despite widespread concern about lack of funding for cybersecurity, two surprising factors more directly determine whether a hospital is well protected against a cyberattack: the number and varied range of electronic devices in use and how employees’ roles line up with cybersecurity efforts.

A wide range of devices

A major challenge in hospitals’ cybersecurity is the enormous number of devices with access to a facility’s network. As with many businesses, these include mobile phones, tablets, desktop computers and servers. But they also have large numbers of patients and visitors who come with their own devices, too – including networked medical devices to monitor their health and communicate with medical staff. Each of these items is a potential on-ramp for injecting malware into the hospital network.

Hospital officials could use software to ensure only authorized devices can connect. But even then, their systems would remain vulnerable to software updates and new devices. Another key weakness comes from medical equipment offered as free samples by device manufacturers who operate in a competitive market. They’re often not tested for proper security before being connected to the hospital network. One of our interviewees mentioned:

“In hospitals … there’s a whole underground procurement process whereby medical device vendors approach clinicians and give them lots of stuff for free that eventually makes its way on to our floors, and then a year later we get a bill for it.”

When new technologies bypass regular processes for purchase and risk assessment, they aren’t checked for vulnerabilities, so they introduce even more opportunities for attack. Of course, hospital administrators should balance these concerns against the improvements in patient care that new systems can bring. Our research suggests that hospitals need stronger processes and procedures for managing all these devices.

Staff buy-in

Getting hospital administrators to understand the importance of cybersecurity is fairly straightforward: They told us they’re worried about costs, institutional reputation and regulatory penalties. Getting medical staff on board can be much more difficult: They said they’re focused on patient care and don’t have time to worry about cybersecurity.

People typically treat cybersecurity protections as secondary to what they’re trying to get done. One person we interviewed described why some staff committed the cardinal cybersecurity sin of sharing a password:

“To use an ultrasound machine [you need a password, which] has to change every 90 days. [Staff] just want to use the ultrasound machine. It’s not holding a lot of patient data … so they create a shared login so that they can provide patient care.”

The needs can vary widely across a hospital, in ways that can be surprising – such as access to sites likely to carry malicious software. A chief information officer at a research hospital told us,

“I personally believe that hardcore pornography has no purpose on hospital supported devices. What did I do five years ago? I put up internet content filters that prevented people from navigating to pornography. Within five minutes, the director of psychiatry calls to tell me that we have a grant to study pornography in a medical context [so we had to modify our filters].”

These experiences are why we concluded that budget limitations are not as crucial to hospital cybersecurity as employee involvement. A hospital can buy as many pieces of hardware and software as it wants. If workers aren’t following organizational procedures, the technology won’t keep hospitals safe. Our research suggests that cybersecurity is as much about managing people as it is about technology.

Compliance is not security

The threat is nationwide, and keeps getting harder to defend against, as one chief information security officer told us:

“The nature of attacks is increasingly sophisticated. It used to be my biggest threat was … students. Today, it’s state-sponsored attacks, terrorism and organized crime. It’s more threats than ever before of a more serious nature.”

Unfortunately, many hospital administrators seem to believe that protecting data is as simple as meeting state and federal regulations. But those are minimum standards that don’t adequately address the threat. As one of our interviewees said,

“Compliance is a low bar. I guarantee that little health care organizations and hospitals would do nothing (without regulation). They would have a piece of paper on a shelf called their security policy. It’s needed as a backstop to get companies at least thinking about it. But being compliant does not solve the greater risk management problem.”

Our research shows that hospitals need to think beyond compliance. Also, with so few hospitals well defended against cyberattacks, all hospitals appear more attractive as potential targets. In our view, it’s not enough for hospitals to improve their own defenses – nor for regulators to raise standards. They should manage, and evaluate the security of, the devices on their networks and ensure medical staff understand how good cyber-hygiene can support good patient care. Further, policymakers, health care leaders and hospitals themselves should work together to make the industry as a whole less susceptible to attacks that threaten people’s privacy and their very lives.”

https://www.fifthdomain.com/opinion/2018/04/25/defending-hospitals-against-life-threatening-cyberattacks/
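The Fifth Domain piece above argues that a hospital's exposure is driven by the sheer number of devices on its network, many of which arrive through an informal vendor channel and are never risk-assessed. The following is an added example, not code from the article or from the MIT study it reports: it reconciles devices observed in DHCP lease logs against an asset inventory that records whether each device passed risk assessment, and flags both unknown devices and known-but-unassessed ones. The log format, the inventory, the hostnames and the MAC addresses are all constructed for illustration.

```python
"""Reconcile devices seen on a hospital network against the asset inventory.

Added example, not code from the Fifth Domain article or the study it describes.
The inventory, the lease-log format and every address below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed inventory: MAC -> (description, risk_assessed).
# The vendor demo unit models the article's "underground procurement" case:
# it is on the floor and on the network, but nobody has reviewed it.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("Radiology ultrasound", True),
    "00:1a:2b:3c:4d:02": ("ICU infusion pump", True),
    "00:1a:2b:3c:4d:03": ("Nurse station desktop", True),
    "00:1a:2b:3c:4d:04": ("Vendor demo monitor", False),
}

# Constructed lease lines in a hypothetical ISC-DHCP-like shape. The last line
# repeats a known device with an upper-case MAC to show normalisation.
LEASE_LOG = """\
2018-04-25T08:01:12 DHCPACK on 10.20.1.11 to 00:1a:2b:3c:4d:01 (us-rad-01) via eth1
2018-04-25T08:02:40 DHCPACK on 10.20.1.12 to 00:1a:2b:3c:4d:02 (pump-icu-07) via eth1
2018-04-25T08:05:03 DHCPACK on 10.20.1.13 to 00:1a:2b:3c:4d:04 (vendor-demo) via eth1
2018-04-25T08:07:55 DHCPACK on 10.20.1.14 to 00:1a:2b:3c:4d:99 (android-9f3) via eth1
2018-04-25T08:09:20 DHCPACK on 10.20.1.15 to 00:1A:2B:3C:4D:01 (us-rad-01) via eth1
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>[\d.]+) to "
    r"(?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\)"
)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    host: str
    status: str  # "managed", "unassessed" or "unknown"


def parse_leases(log: str) -> dict:
    """Return {mac: (ip, host)} for every DHCPACK line; the latest lease wins."""
    seen = {}
    for line in log.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # unrelated log line; ignore
        seen[m["mac"].lower()] = (m["ip"], m["host"])
    return seen


def classify(mac: str, inventory=INVENTORY) -> str:
    """Map a MAC to its inventory status."""
    entry = inventory.get(mac.lower())
    if entry is None:
        return "unknown"            # never procured through the normal process
    return "managed" if entry[1] else "unassessed"


def reconcile(log: str = LEASE_LOG, inventory=INVENTORY) -> list:
    """Classify every device that obtained a lease, sorted by MAC."""
    findings = [
        Finding(mac, ip, host, classify(mac, inventory))
        for mac, (ip, host) in parse_leases(log).items()
    ]
    return sorted(findings, key=lambda f: f.mac)


def needs_attention(findings) -> list:
    """Devices that should be blocked or sent through risk assessment."""
    return [f for f in findings if f.status != "managed"]


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.status:<10} {f.mac} {f.ip:<12} {f.host}")
```

Run as written, the script reports the two managed clinical devices, the vendor demo unit as unassessed, and the unlisted Android device as unknown; the upper-case repeat of the ultrasound collapses onto its known entry. In a real deployment the inventory would come from the CMDB or biomedical-equipment register and the leases from the DHCP server or NAC system, and "unknown" would feed a quarantine VLAN rather than a print statement.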

Forthcoming Changes to Federal Government Contract Bid Protest Regulations


“NATIONAL DEFENSE MAGAZINE”

“The National Defense Authorization Act for fiscal year 2018 includes some significant changes affecting contractors with regard to challenges to requests for proposals and contract awards, otherwise known as “bid protests.”

These include the introduction of a new pilot program under which large defense contractors will be required to pay the Defense Department’s costs where a protest is denied, and the enhancement of post-award debriefing rights.”

_________________________________________________________________________________________

“While Congress passed the former with the intent of reducing frivolous protests, it is likely the latter — which will give contractors greater insight into the rationale behind procurement decisions — that will have a greater impact on the number of protests filed.

Section 827 of the act requires that the department establish and implement a three-year pilot program under which “large” defense contractors will be required to reimburse the department for “costs incurred in processing covered protests” for protests “denied in an opinion” by the Government Accountability Office.

A large contractor is defined as one with revenues in excess of $250 million, and the pilot program will apply to protests filed at the GAO between Oct. 1, 2019, and Sept. 30, 2022.

By limiting the scope of this loser-pays provision to those protests that are “denied in an opinion” by the GAO, this reimbursement provision will potentially only apply to a small number of protests. A recent study by the RAND Corp. examined defense protests at the GAO from fiscal years 2008 through 2016. This study found that less than 0.3 percent of such procurements are protested at the GAO, and that small business protests make up more than half of those.

While a protest sustain rate of 2.6 percent for fiscal years 2008 through 2016, or approximately 300 out of 11,459 protests, appears to suggest there is a great number of frivolous protests, deeper analysis of GAO’s statistics shows that is simply not the case. Approximately 21 percent of the bid protests filed were resolved by a decision on the merits. Of those 2,429 defense protests that reached the merits, nearly 300 were sustained. In other words, only 2,133, or approximately 20 percent of all the protests filed over eight years, were denied in an opinion.

With regard to the 79 percent of protests resolved without an opinion, a significant number — approximately 40 percent — were dismissed as a result of the government voluntarily correcting procurement errors noted in a bid protest. In addition, a number of protests were voluntarily withdrawn after protestor’s counsel had the opportunity to review the confidential record underlying the agency’s procurement decision.

In other words, this legislation will impact a relatively small number of protests. The 2,133 Defense Department bid protests denied in an opinion over an eight-year period equates to approximately 267 per year. Of those protests, the reimbursement provision will only affect protests filed by large contractors. If the percentage of protests filed by small businesses — over half — holds, even if adjusted to account for the lower effective rate of protests filed by small businesses reported by RAND, that number is likely under 200.

While this provision will impact a relatively small number of protests, the financial impact for those few may be significant. Congress did not define or elaborate on what costs are considered “incurred in processing covered protests” or how those costs will be quantified. Considering the amount of time legal and contract administration staff spend working on bid protests, these costs could easily exceed six figures.

But until the department issues guidance on how this provision will be implemented, it will be difficult for large defense contractors subject to this provision to evaluate the risks involved in filing a bid protest at GAO.

Finally, it is unclear how contractors will be determined to meet the large contractor threshold outlined in the new NDAA. The statutory definition: a contractor with revenues in excess of $250 million “during the previous year,” does not clarify whether this means the contractor’s fiscal year, government’s fiscal year or calendar year.

This also raises the question of whether contractors are expected to opt-in to be considered as a contractor to which this provision applies. Contractors will have to await department guidance as to whether they will be required to implement additional accounting measures to determine applicability or whether it will consider existing financial information, such as the revenues reported in the System for Award Management. Thankfully, the pilot program does not apply to protests filed before Oct. 1, 2019, so the department has time to issue regulations filling in these gaps.

Once the Defense Department has issued guidance on what costs will be included, large contractors may consider filing bid protests at the Court of Federal Claims instead of GAO, as this loser-pays provision does not apply to protests filed there. Once GAO implements its online filing system, a $350 filing fee will be required for bid protests. The court’s filing fee is currently $400; thus, the cost of filing is unlikely to influence a contractor’s decision where to file, particularly those large contractors affected by the provision. Although a bid protest filed at the court does not result in an automatic stay of performance of the protested contract pursuant to the Competition in Contracting Act, it does have the authority to issue an injunction, and the government often voluntarily stays performance pending the resolution of the protest.

One of Congress’ goals in implementing the loser-pays provision is to discourage the filing of frivolous GAO protests. However, most government contractors, particularly the large contractors affected by this provision, understand the protest process and engage experienced protest counsel. As a result, these government contractors are cognizant of the potential harm to their reputation by filing a frivolous protest and are reluctant to do so.

Further, GAO’s bid protest regulations provide for mechanisms to dismiss frivolous protests. Those that are deemed untimely or meritless are often resolved early in the protest process, prior to an agency incurring significant costs in processing these protests. It is likely that measures for the deterrence of frivolous protests will have a greater impact if implemented at this stage of the protest process, rather than this fee-shifting provision for protests denied in an opinion.

In addition, GAO already has authority to discipline contractors that file frivolous protests, recently holding that a contractor that “routinely and repeatedly” filed protests “that are not legally sound” had abused the GAO process, wasted taxpayer dollars and, as a result, would be suspended from filing protests at the GAO for two years. See Latvian Connection LLC – Reconsideration, B-415043.3, Nov. 29, 2017, where GAO also dismissed all pending protests filed by the contractor.

While Congress’ goal is admirable, the loser-pays provision is unlikely to have the desired effect. As noted above, this provision applies to the small percentage of bid protests that survive the GAO’s preliminary dismissal measures for frivolous protests or other resolution procedures. Even without the introduction of this loser-pays provision, approximately 21 percent of GAO bid protests of DoD procurements reach the merits.

When it is effective, protestors subject to the provision may well decide to voluntarily dismiss a higher percentage of protests after review of the record, further decreasing the percentage of GAO protests that are resolved by decision.

Finally, it should be noted that a bid protest that reaches the merits and is then denied by the GAO does not equate to a frivolous protest. Some issues are simply close calls. And for those cases, after the effective date of the pilot program contractors will have the ability to avoid the loser-pays provision by filing protests at the Court of Federal Claims.

Meanwhile, for the past five years, the Air Force has provided unsuccessful offerors an opportunity to request an “extended debriefing,” which permits the unsuccessful offeror’s outside counsel to review the agency’s redacted source selection documents and ask questions. This information is typically only provided to the protestor’s counsel under a protective order following the filing of a bid protest at the GAO. By allowing the protestor’s counsel to obtain as part of the debriefing more complete information about whether the Air Force made the correct procurement decision, the hope was to avoid protests filed in part to obtain the more complete record.

Wisely, in the new NDAA Congress chose to expand the Air Force’s innovative program. Section 818 enhances that existing pilot program for “extended debriefings” by requiring a revision of the Defense Federal Acquisition Regulation Supplement to apply certain debriefing requirements across the department.

First, contractors are entitled to a debriefing for all contracts and task orders valued at $10 million or higher. Second, the agency is required to disclose its redacted source selection determination for contracts in excess of $100 million. Third, contractors are provided an opportunity to ask follow-up questions after a debriefing.

The deputy director of defense procurement and acquisition policy tasked the DFARS Contract Administration Committee to draft the proposed rule implementing Section 818. The report is due in March. Congress has provided a deadline of six months from the date of enactment to implement these changes.

Under the new rules, a debriefing — oral or written — is required for all awards in excess of $10 million, regardless of whether it was a negotiated procurement conducted under FAR Part 15. Not only does this affect contractors’ rights with respect to debriefing, but it also affects the deadline for filing a timely bid protest where debriefings were not previously required. Even if the information was known prior to the debriefing, a bid protest may only be filed after the debriefing, and no later than 10 days after the debriefing if filed at the GAO. But note that a protest must be filed within five days of the debriefing to trigger the Competition in Contracting Act’s automatic stay of performance.

The most significant change is the requirement to disclose a redacted source selection determination for awards in excess of $100 million.

In addition, small business contractors and nontraditional contractors are provided an option to request the same redacted disclosure for awards in excess of $10 million. The successful awardee is also entitled to the same debriefing and disclosure rights as the unsuccessful offerors.

Unsuccessful offerors are provided an opportunity to submit follow-up questions related to the debriefing within two business days following a post-award debriefing. The agency is then required to answer in writing within five business days after receipt of the follow-up questions. The debriefing is then considered complete when the agency responds to the unsuccessful offeror’s questions.

While these deadlines may appear short, it is in line with the deadline for filing a timely bid protest at GAO, which is 10 days after a required debriefing. Offerors will still have an opportunity to file a timely bid protest even after the post-debriefing Q&A process.

The ultimate impact of these changes will depend on the regulations issued to implement the NDAA provisions, so contractors should carefully monitor developments over the coming year.”

http://www.nationaldefensemagazine.org/articles/2018/3/6/contractors-face-changes-to-bid-protest-strategies


Atlanta Was Not Prepared To Respond To A Ransomware Attack

Atlanta Ransomware

Image: Dan X. O’Neil

“STATESCOOP”

“A month after the SamSam ransomware virus infected its computer systems, Atlanta’s city government still struggles to provide several services to its residents.

The city is scrambling to dig out from arguably the highest-profile ransomware incident on U.S. soil yet, shelling out nearly $2.7 million in emergency contracts to IT consultants and crisis managers.”

________________________________________________________________________________________

“Water and sewer bills can’t be paid online or over the phone, and business licenses can only be obtained in person. Public Wi-Fi at Hartsfield-Jackson International Airport, the country’s busiest airport, was down for two weeks. City council members reported losing decades’ worth of correspondence. The municipal courthouse only regained the ability to schedule traffic-ticket hearings on April 16.

Atlanta officials may eventually give full accounting of how the March 22 ransomware attack was allowed to happen, and why the recovery process has been so slow and out of the public view. (The city last issued an official update on March 30.) But the hack hit just the right conditions to sow mayhem: In the weeks since officials were locked out of their systems for a $51,000 ransom demand, it’s been revealed that Atlanta’s municipal IT was woefully disorganized and outdated. Couple that with the recent swearing-in of Mayor Keisha Lance Bottoms, who by her own admission had not devoted much attention toward cybersecurity, and Atlanta became a ripe target for digital bedlam.

As recently as January, the city auditor was excoriating officials for a lax approach toward cybersecurity that left the government with obvious vulnerabilities, obsolete software and an IT culture driven by “ad hoc or undocumented” processes, according to a report published that month by the auditor’s office.

Not everyone is looking for someone to blame, though. Amid all the frustration that the cyberattack has caused, there’s one push for Atlanta to conduct a “blameless” review of the episode. But that seems like something that’s still a long way off from happening. Whatever the case, the attack was not surprising to cybersecurity experts.

“Atlanta is a fairly typical path,” said Max Kilger, a business professor who specializes in cybersecurity at the University of Texas at San Antonio. “These guys seem to be targeting organizations that work for the public good. There’s an urgency when a city gets taken down. The ransomware people are basically counting on that to leverage a payment out of these targets.”

Better to spend now than pay later

By all known accounts, Atlanta hasn’t paid up, though the mayor’s public remarks about it have been inconclusive. “Everything is up for discussion,” Bottoms said six days into the hack. The involvement of the FBI, which recommends ransomware victims refuse their attackers’ demands, suggests Atlanta hasn’t given in.

Kilger said a city as large as Atlanta, with a $2.1 billion budget, is a tempting target for ransomware operators because the ransom demand is so paltry compared to the city’s pocketbook. Even if Atlanta won’t pay, the hackers behind the SamSam ransomware are still running a tidy operation — collecting nearly $850,000 since their first attack in late 2015, according to analyses of the SamSam group’s bitcoin wallet. That includes payments from ransomware victims that did pay the bounties to recover their data, including Hancock Regional Hospital in Indiana and Yarrow Point, Washington, an affluent town of 1,000 residents just east of Seattle.

But in those cases, the targets went against the FBI’s advice. The bureau recommends against acceding to ransom demands for the simple reason that a ransomware victim has no guarantee that its attacker won’t “shoot the hostage” anyway. “Paying a ransom doesn’t guarantee an organization that it will get its data back — we’ve seen cases where organizations never got a decryption key after having paid the ransom,” the FBI advises.

If there’s money going anywhere, it’s to consultants. In the month since the hack, Atlanta has doled out more than half a dozen emergency contracts to cybersecurity firms like Secureworks, Fyrsoft, and CDW, and consulting services from Ernst & Young and Edelman to manage the public response. In Colorado, where a SamSam attack in February took out internal systems at the state’s transportation department, officials have spent between $1 million and $1.5 million on recovery so far.

Government IT officials might find it’s better to spend more money up front hardening their cybersecurity, rather than shelling out after a hack.

“If I were an executive, I would look at the risk equation,” said Walter Tong, a security architect at the Georgia Technology Authority, which manages the state’s IT infrastructure. “Is it worth spending the money or paying the ransom? I would not like to be in that kind of position.”

IT complacency

Tong’s office is not working on Atlanta’s recovery; he said it doesn’t offer the kinds of recovery services the city needs right now. But he said he knows the job of rebuilding the city’s computer systems will be a long one.

“It takes a while to rebuild and reconstruct applications and network devices,” Tong said. “Hackers choose targets and they find ways of getting there, whether it’s to cause a disruption of service or destruction of data, or both.”

Unlike other ransomware programs that take over networks when a user opens a phishing email or inadvertently runs a malignant program, SamSam infiltrates systems with brute-force attacks like guessing weak or default passwords until one breaks through. SamSam often targets Java-based application servers or Microsoft’s Remote Desktop Protocol.
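The entry path described above leaves a recognisable trace on the target: every failed password guess against RDP is written to the Windows Security log as event ID 4625 with logon type 10. The detector below is an added example, not code from the article or from any of the organisations it names; it runs over a constructed, clearly synthetic set of parsed 4625 records and flags a source that exceeds a threshold of failed RDP logons inside a sliding time window, which is the pattern a defender would alert on before a weak-password guess succeeds.

```python
"""Flag RDP password-guessing in parsed Windows Security log records.

Added example, not from the article. Assumes the 4625 events have already
been parsed into tuples of (timestamp, event_id, logon_type, source_ip,
account); the records produced by _constructed_events() are synthetic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_ID_FAILED_LOGON = 4625
LOGON_TYPE_RDP = 10  # RemoteInteractive: the logon type an RDP session produces


def _constructed_events():
    """Build a small, clearly synthetic set of 4625 records (not real logs)."""
    base = datetime(2018, 3, 20, 2, 0, 0)
    events = []
    # 30 RDP failures from one source in three minutes, cycling common accounts
    for i in range(30):
        events.append((base + timedelta(seconds=6 * i), 4625, LOGON_TYPE_RDP,
                       "203.0.113.7", ["administrator", "admin", "guest"][i % 3]))
    # Three typo-style failures from a legitimate user, spread over an hour
    for i in range(3):
        events.append((base + timedelta(minutes=20 * i), 4625, LOGON_TYPE_RDP,
                       "198.51.100.9", "jsmith"))
    # 25 network-logon (type 3) failures in two minutes: noisy, but not RDP
    for i in range(25):
        events.append((base + timedelta(seconds=5 * i), 4625, 3,
                       "192.0.2.5", "svc_backup"))
    return events


def find_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=20):
    """Return {source_ip: (peak failures in any window, sorted accounts tried)}.

    A source is flagged when it produces at least `threshold` failed RDP
    logons (event 4625, logon type 10) inside any sliding window of length
    `window`. Non-RDP failures are ignored so that ordinary network-logon
    noise does not mask or inflate the RDP signal.
    """
    per_source = defaultdict(list)
    accounts = defaultdict(set)
    for ts, event_id, logon_type, src, account in events:
        if event_id != EVENT_ID_FAILED_LOGON or logon_type != LOGON_TYPE_RDP:
            continue
        per_source[src].append(ts)
        accounts[src].add(account)

    flagged = {}
    for src, stamps in per_source.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # advance the left edge until the window no longer exceeds `window`
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = (best, sorted(accounts[src]))
    return flagged


if __name__ == "__main__":
    for src, (count, accts) in find_rdp_bruteforce(_constructed_events()).items():
        print(f"{src}: {count} failed RDP logons in 5 min across {accts}")
```

The account list matters as much as the count: a single source cycling through built-in names such as administrator or guest is the password-guessing pattern, whereas one user failing a few times over an hour is not.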

Tong said his office often looks for those kinds of vulnerabilities in network settings and older devices. Had Tong’s team examined Atlanta’s systems, they would’ve found those conditions in abundance. The city auditor’s January report found nearly 100 government servers running on Windows Server 2003, which Microsoft stopped supporting in 2015.

“You can spend a lot of time on educating, making sure your network devices are patched and secure,” Tong said. “But once it happens, you have to have an instant response plan.”

The January audit report suggests Atlanta was nowhere near ready to deal with a cyberattack. Monthly scans conducted over the course of the audit found between 1,500 and 2,000 security vulnerabilities in Atlanta’s systems. In fact, the number of IT security flaws grew so large that city agencies slid into a habit of inaction, the audit stated.

“The large number of severe and critical vulnerabilities identified by the monthly vulnerability scan results metric has existed for so long the organizations responsible for this area have essentially become complacent and no longer take action other than to update the monthly report,” the document reads. “The significance of such a backlog of severe and critical vulnerabilities without corrective actions is evidence of procedural, technical or administrative failures in the risk management and security management processes.”

Don’t play the blame game

Whether the hackers who hit Atlanta knew it at the time, the ransomware arrived less than three months into the term of a new mayor who admitted after the hack that cybersecurity had not been one of her administration’s priorities. That was a shift from her predecessor, Kasim Reed, who often played up Atlanta’s emergence as a hub for the cybersecurity industry: The city is home to companies like SecureWorks and Bastille, and Reed went on trade missions to Israel to get that country’s cybersecurity firms to invest in Atlanta. Internally, Reed’s chief information officer, Samir Saini, oversaw some IT upgrades, like moving city employees from Microsoft Exchange servers to Microsoft’s cloud services.

Saini was snatched away by New York Mayor Bill de Blasio in January, leaving Saini’s former deputy, Daphne Rackley, as the interim CIO. Then on April 9, Bottoms shook up the city’s leadership by asking everyone in her 35-member cabinet, which is still comprised mostly of holdovers from Reed’s administration, to submit letters of resignation. Bottoms hasn’t announced who she’ll be keeping and who she’ll be replacing, but the ransomware attack has made the CIO job a crucial one to watch.

“Just as much as we focus on our physical infrastructure, we need to focus on the security of our digital infrastructure,” Bottoms said a few days after the hack.

But blame for the ransomware attack and responsibility for making sure it doesn’t happen again aren’t necessarily synonymous. Code for Atlanta, a Code for America brigade that advocates for better technology in municipal government, wants Bottoms to eventually order a report that avoids assigning blame.

The idea of a “blameless post-mortem” is widely attributed to developers at the craft site Etsy. In a 2012 post on Etsy’s developer blog, John Allspaw, then a senior vice president at the company, wrote that software engineers respond better to errors and accidents when they know there’s not an overt threat of punishment.

“[A]n engineer who thinks they’re going to be reprimanded are disincentivized to give the details necessary to get an understanding of the mechanism, pathology, and operation of the failure,” Allspaw wrote. “This lack of understanding of how the accident occurred all but guarantees that it will repeat. If not with the original engineer, another one in the future.”

Other companies, including Google, have since adopted that model of review after things go wrong. Code for Atlanta believes that model could work in the public sector, too.

“We want folks in city government to be accountable, but for us it’s more about a culture change,” the group’s leader, Luigi Ray-Montanez, told StateScoop. “When I was at city hall I saw this poster warning people to be wary of cyberattacks. It seems like they were aware of internet culture, but obviously mistakes were made.”

Atlanta City Auditor Amanda Noble told reporters when the audit was first publicized that city officials had started to upgrade their IT security when the ransomware attack hit. But the majority of recommendations the audit made are unlikely to be completed until the third and fourth quarters of 2018.

Despite a recent push to make her government more transparent — including plans to create websites on which the public can track city contracts and municipal data — Bottoms hasn’t given an official statement on the ransomware recovery in weeks. Her office has not responded to requests for an update. Rackley, the acting CIO, has not responded to requests for an interview.

Tong, the security architect for the Georgia Technology Authority, said the city’s current silence might be at the behest of the investigators.

“It’s an active investigation and they likely can’t disclose what’s going on,” he said.

The recovery time for a ransomware victim that doesn’t pay off its attacker can be long. The Colorado Department of Transportation was only 80 percent back online six weeks after it was hit by the SamSam virus. Atlanta’s systems have been flickering back on in spurts, with many public services still rolled back to the pen-and-paper era.

Atlanta’s IT professionals and the contractors it’s hired in the wake of attack are scrambling to patch the holes and upgrade to more secure systems. But lingering out there now, for Atlanta and everywhere else, is the threat of more ransomware attempts to come.

“This is one of many ransomware attacks, and there will be many more,” Kilger, the Texas professor, said. “It’s going to get worse.”

https://statescoop.com/atlanta-was-not-prepared-to-respond-to-a-ransomware-attack

The 37 Year Tax-Day Impact Of The Project on Government Oversight (POGO)


POGO and Your Taxes

“POGO”

“POGO exposed the fact that the Pentagon was buying $7,600 coffee makers and $435 hammers. [POGO works] with government insiders in order to sound the alarm on wrongdoing by government contractors and workers and to save taxpayer dollars—all on behalf of the public.

[POGO] investigations have found billions of dollars in actual and potential savings. Here are some of the highlights.”

__________________________________________________________________________________________

“In a 1999 report, POGO pointed out that if contractors could inflate the price of everyday items like coffee makers and hammers, how much were they overcharging for things taxpayers didn’t understand, like high-tech weapon systems? Our investigations have found billions of dollars in actual and potential savings. Here are some of the highlights.

POGO publicized over $893 billion in improper payments.

The American taxpayers lose hundreds of billions of dollars every year because the federal government makes payments to the wrong people or institutions, or in the wrong amount. For example, the government sometimes sends benefits to individuals who are deceased, or FEMA pays fraudulent claims following disasters like hurricanes. Unfortunately, the government doesn’t do enough to address the problem. In 2016, POGO completed a set of reports that publicized $893 billion in improper payments between FY 2008 and 2015. In our reports, we provided recommendations to identify and recover improper payments that potentially could save the government billions of dollars. Currently, POGO is advocating for a bipartisan bill, the Stopping Improper Payments to Dead People Act. This act would allow the Social Security Administration to share its database of deceased people with many other government agencies to reduce inaccurate payments to dead people.

In 2001, POGO’s reporting causes military to stop two wasteful weapons projects, saving $49 billion.

In a blistering set of reports sent to the White House in 2001 on the defense weapon acquisition process, POGO exposed how multiple weapon systems wasted taxpayer money and ultimately made us less safe. One example was the Crusader howitzer cannon, which entered into the acquisitions phase before United Defense finished its preliminary design. Our analysis cited a Government Accountability Office report that found the Crusader weighed too much, underwent shortcuts in testing, and was behind schedule. Another example was the RAH-66 Comanche helicopter, which suffered from many of the same problems. While military planners designed the helicopter to be inexpensive, the cost quickly ballooned from $12.1 million to $58.9 million a copy as the development cost increased and the testing schedule was delayed.

POGO investigation into F-35 leads to $21 billion to $40 billion in taxpayer savings.

Multiple POGO investigations have found serious problems in the F-35 program. In one report last year, we discovered that the Air Force wanted to leave several older F-35s unfinished because paying to update them would make it harder to buy new fighters. The Air Force bought the F-35s while still designing and testing the aircraft—a decision POGO and the Government Accountability Office have independently labeled as a major driver of increased cost. After POGO published its report, the Air Force decided to stop the plan, preventing between $21 billion and $40 billion in waste.

POGO investigations help get the Deepwater contract cancelled, saving $24 billion.

In 2007, POGO investigated a $24 billion Lockheed Martin and Northrop Grumman project to update the U.S. Coast Guard’s equipment that resulted in millions of wasted dollars. To save money, the Coast Guard initially allowed the two private contractors to oversee and manage the project. Relying on private contractors to conduct inherently governmental functions ultimately cost the Coast Guard millions, because the contractors made numerous design and technical mistakes. After POGO’s investigation, media attention, and several high-profile disasters, the Coast Guard took back management of the project, and later asked for a $96 million refund.

POGO reporting helps shut down the wasteful Superconducting Super Collider, saving $11 billion.

POGO led the way in campaigning to cancel the Superconducting Super Collider, a grossly over budget project run by contractors that took advantage of weak oversight and permissive spending guidelines to overcharge the federal government. According to invoices obtained by POGO, the principal subcontractor charged the government $21,369 for office plants in a year and $1,107 for Christmas cards, among other waste. POGO’s investigation turned the Super Collider into the largest government project ever cancelled at that time, saving taxpayers roughly $11 billion.

Our investigation into Boston’s “Big Dig” helps save taxpayers roughly $11 billion.

Even before Boston’s Harbor Tunnel Project, known as the Big Dig, became a national embarrassment, POGO investigated the devastating impact of private contractors spending billions of tax dollars to build a highway project with little federal or state oversight. The Big Dig started with a $2.3 billion budget but, with contractors given a free rein, it ballooned to around $24.3 billion as the project suffered from delays, bad planning, and mismanagement. Initially, federal taxpayers were on the hook for 80% of the funding, but POGO’s investigation helped reduce losses by getting Congress to freeze federal spending at $8.6 billion, saving federal taxpayers roughly $11 billion.

POGO helps cancel the F-22, saving $4.268 billion in one year.

Much like the F-35, the F-22 cost much more than advertised and drained resources from other critical Air Force priorities—like training pilots. Also like the F-35, POGO campaigned heavily to end the program. After almost a decade’s worth of reports, press releases, and conversations with Members of Congress and their staff, POGO finally succeeded in helping get the program shut down—thanks in large part to Senators Carl Levin (D-MI) and John McCain (R-AZ). Cancelling the production of 240 F-22s saved taxpayers $4.268 billion that year alone.

POGO helps the government collect over $1 billion in additional oil royalties to date.

During the late 1990s, POGO investigators uncovered how the Interior Department ignored the fact that several oil companies chronically underpaid the Federal Treasury on royalties they owed for oil they extracted from public lands. In 1997, POGO filed a False Claims Act lawsuit against 16 major oil companies. By 2001, the companies settled the lawsuit. The U.S. Treasury recovered nearly half a billion dollars in unpaid royalty revenue, and began collecting $67 million more per year in royalties owed to the public.

POGO reporting causes Air Force to suspend bad Hamilton Sundstrand contract, saving $664 million.

Every year, POGO warns the government about no-bid contracts fleecing American taxpayers. In 2006, POGO investigators published a previously not-public Department of Defense Inspector General report finding that defense and aviation contractor Hamilton Sundstrand raised the price of several mechanical parts by nearly 900 percent with no reasonable justification. We wrote to Congress showing how contractors were taking advantage of acquisition regulation loopholes to reduce oversight. Our work led the Air Force to suspend the 9-year, $860 million contract, saving taxpayers $664 million.

POGO advocates for bipartisan compromise to reduce contractor compensation, saving $200 million per year.

Prior to 2013, an outdated law that was used to determine contractor compensation packages allowed some companies to receive excessively high executive salaries and benefits—at the expense of taxpayers. This system allowed contractors to receive more money than comparable employees in the federal government. After years of work by POGO, a bipartisan group of legislators voted to reduce the cap from $952,308 to $487,000, saving taxpayers $200 million per year.

POGO investigation helps Air Force save $168 million on C-130J military airlift contract.

The C-130J was a mechanically flawed cargo plane that cost more than expected and the Pentagon didn’t want. A 2005 POGO report highlighted that the Air Force dubiously labeled the C-130J a “commercial” item in order to decrease oversight, a decision that ultimately led to many of the C-130J’s problems. After the Pentagon said they didn’t need the plane, a group of influential military contractors and U.S. Senators lobbied hard to preserve the unnecessary aircraft. POGO worked with Senator McCain and other Members of Congress to restructure the C-130J contract and save taxpayers $168 million.

POGO helps publicize $100 million in fraud by Northrop Grumman.

In 2014, POGO investigators made public a Defense Department Inspector General report that found Northrop Grumman knowingly overcharged the federal government around $100 million for an anti-terrorism program. The U.S. Army contracting agency tasked with overseeing the contract was not conducting proper oversight—until whistleblowers, POGO, and the Defense Department Inspector General got involved. We highlighted how Northrop Grumman and its subcontractor DynCorp defrauded the government in multiple ways. They billed the government for more labor hours than there are in a day and for employees who lacked required education qualifications. They also classified one employee for seven different positions including “depot aircraft mechanic, a senior general engineer, an integrated logistics manager, a quality assurance manager, a program manager, a senior pilot, and a senior technical writer.”

POGO’s investigations into waste, fraud, and abuse of power by the federal government are a core part of the organization’s mission.”

http://www.pogo.org/blog/2018/04/pogos-outsized-tax-day-impact.html


What’s Impeding the Department of Defense Push For Innovation?


Innovation in Government

“FEDSCOOP”

“Greater speed in translating technology into fielded capability is where we can achieve and maintain our technological edge. To increase speed the Pentagon needs to streamline the way it approaches innovation from both inside and out.

We are in a constant competition in a world that now has equal access to technology, said Griffin. Innovation will remain important always, but speed becomes the differentiating factor.”

___________________________________________________________________________________

“As the pressure builds for the Defense Department to develop better, faster solutions in an arms race with Russia and China, officials said that a top-down bureaucracy is stymieing the pace.

Testifying at a House Armed Services Committee hearing Tuesday on innovation within the DOD, Under Secretary of Defense for Research and Engineering Michael Griffin and former Google CEO Eric Schmidt — currently chair of the Defense Innovation Board — said that constrictive acquisition, appropriation and human capital policies have hamstrung pockets of agile transformation within the agency and need to be remedied.

“Greater speed in translating technology into fielded capability is where we can achieve and maintain our technological edge.”

To increase speed, Griffin and Schmidt said the Pentagon needs to streamline the way it approaches innovation from both inside and out.

“We have fantastic people who are trapped in a very bad system,” Schmidt said. “I’m concerned that [Congress] is not going to get what you think you are going to get because of the deficiencies of the system.”

Throughout the hearing, Griffin and Schmidt pointed to several problems limiting DOD’s innovation and possible solutions, including:

The acquisition process

Schmidt said that the DIB — a collection of private sector and academic leaders tasked with providing recommendations on how to make the DOD more agile and innovative — found plenty of innovators within the agency but no mechanism to foster it and little incentive to scale it up. That, coupled with a complex acquisition process, means that when the DOD does pursue new technology, it’s often outdated by the time it develops or acquires it.

“The DOD violates pretty much every rule in modern product development,” Schmidt said. “The [specification] is developed and finalized before production starts. The way you really do it is you start it iteratively and you learn from your mistakes and so forth — that’s called agile development. It’s essentially impossible to do because of the way the rules are set.”

The result, he said, is dozens of examples where military personnel were working with severely outdated software, including a Navy minesweeper that was just recently updated to Windows XP.

Schmidt added that the DIB has to date offered several recommendations to improve innovation in the DOD, such as developing a system that would promote people to take risks, collecting more data to fuel potential artificial intelligence gains and the establishment of an AI center.

The appropriations process

Griffin said because DOD appropriations are only authorized to be spent on a purpose defined in the National Defense Authorization Act, there is little room in the budget to promote innovation for projects like studying defenses against drone swarms.

“Unless I can find money appropriated for that purpose and authorized for that purpose, I don’t have a documentable chain of permission going to the very top of the government that allows me to do these things,” he said.

The solution, Griffin and Schmidt argued, is more partnerships with public universities to leverage laboratories and research facilities to foster technology development.

“This is what got us where we are,” Griffin said, citing research successes at the Jet Propulsion Laboratory, Los Alamos National Laboratory and others. “One of my goals is to make sure those partnerships are strengthened —and reaffirmed into the future.”

The compliance cost

Both Griffin and Schmidt said that small businesses are often the source for innovation in the defense marketplace, but the current compliance structure often prices them out of government contracting opportunities.

Schmidt said the Defense Innovation Unit Experimental, or DIUx, and the Strategic Capabilities Office are “central to solving this problem” because of their focus on supporting small disruptive businesses and prototyping new technologies.

“Everything that the DOD can do to encourage more choices for innovation is a good thing,” he said. “Whether it’s individual contracting — it’s possible, for example, to hire small teams of software people through special consulting arrangements — all of that should be tried.”

https://www.fedscoop.com/whats-impeding-dods-push-innovation-turns-lot/