Weekly Roundup: Week of April 25-29, 2016
Post-Award Management of Agile Contracts. What happens after a contract is awarded? Steve Kelman writes in Federal Computer Week that there is “fear that some principles of agile cannot be reconciled with existing procurement regulations. I argued that good practice suggests, and the procurement regulations allow, issuing a solicitation for an agile contract, or a task order under an umbrella IDIQ contract, without specifying requirements at the beginning, which would violate the whole idea of agile. The government should give only a very general description of the work, but be specific about the process the government will use to develop and refine requirements during agile sprints.”

GAO Duplication and Overlap Report – 5th Edition. GAO has testified on its fifth annual report. “The 2016 report identifies 92 new actions that Congress or executive branch agencies could take across 37 new areas of government. GAO flags fragmentation, overlap, or duplication among federal programs in 12 new areas, including defense, economic development, health, homeland security, and information technology. The latest report also highlights 25 areas to reduce the cost of government operations or boost revenue collections for the Treasury.”

Government Reform Legislation. Federal News Radio reports that a package of reform bills that Sen. Ron Johnson (R-Wis.) plans to introduce “covers a variety of federal programs and payments, with the singular goal of government reform. ‘We haven’t given it a name yet, we don’t have the right acronym, but it’s really a group of 15, maybe 16 pieces of legislation that implement the recommendations of the [Government Accountability Office],’”

Drowning in Mandates. According to NextGov: “Earlier this month, a group of lawmakers announced efforts to make all federal data sets open to the public, under forthcoming legislation known as the Open, Public, Electronic and Necessary Government Data Act, or the OPEN Government DATA Act. But during a recent House oversight committee hearing, an official from the Office of Management and Budget said agencies might miss their deadline to implement another mandate requiring them to make spending public by May 2017: the Digital Accountability and Transparency, or DATA Act.”

National Internet of Things Strategy. According to NextGov: “A Senate commerce committee on Wednesday passed the DIGIT Act, which would require the Federal Communications Commission to report on the spectrum required to support a network of billions of devices. It would also convene working groups, composed of public and private sector representatives, to advise Congress on Internet of Things-related policy.”

Missing the Slow Train. The Wilson Center has released a report on “Slow Problems,” where “small, hardly noticeable changes add up to produce large effects. Slow Problems all involve some form of deterioration occurring over a period of decades, generations or even centuries – time periods that historians regularly deal with but that stretch out beyond the timeframe in which governments make budgets or do strategic planning. In the U.S. government, where political appointees remain on average for two years, problems of this kind are typically treated as low priority or politically irrelevant, if they are noticed at all. . . . Many Slow Problems could have grave consequences not that far beyond our normal planning horizons.”

John Lainhart

Protecting physical infrastructure with cyber. The Department of Homeland Security's cyber division has a clear sense of mission, and a clear message to agencies and companies preparing for cyber threats: the way to minimize physical consequences to critical infrastructure is by prioritizing a "holistic" view of cybersecurity. Suzanne Spaulding said that preventing "devastating" physical consequences to America's most critical infrastructure relies on a strong cyber front. Spaulding cited the hacking of the Ukrainian electrical grid as a "watershed" real-world example of cyber threats posing physical consequences for infrastructure. "We saw for the very first time a cyber attack that brought down critical infrastructure upon which civilian populations depend," she said of the attack, which resulted in power outages for over 225,000 Ukrainians. "But the methods used were not all that sophisticated. We know how to mitigate those." Spaulding estimated that "90 to 95 percent" of malicious cyber activity, mostly stemming from social engineering and spear phishing, could be solved by basic cyber hygiene, and quickly resolved by being prepared for the "what if" in the event of a cyber attack. She applauded the preparations in place that allowed Ukraine to restore power "in six hours," despite the widespread effects of the grid hacking.

NIST looks to reengineer thinking about cyber. The National Institute of Standards and Technology is set to release an overhauled systems security engineering document it hopes will change the way software and computer designers think about cybersecurity. An updated draft of NIST's 800-160 document will be released for public comment on May 4. According to its lead author, Dr. Ron Ross, the new 800-160 will kick off a difficult discussion over not only how federal agencies approach cybersecurity, but also how U.S. businesses and the general population should think about it: not just as an add-on, but as a foundational component of any technology that touches the Internet.

Government CIOs Lean Toward Cloud for Security. Cloud computing offers the most security for government data, argued the speakers at the Akamai Government Forum on April 21. “There has to be a culture change,” said Capt. Arlene Gray, deputy director for the Department of the Navy and the Navy’s CIO. “We have to trust that industry is able to take care of that for us.” “You need to have standards that can be applied consistently so that you can feel comfortable with the cloud provider,” cautioned Col. John Rozsnyai, chief enterprise architect and cloud transition trail boss at the Department of the Army. “I cannot trust anything without verifying,” said Michaela Iorga, senior security technical lead for cloud computing at the National Institute of Standards and Technology (NIST). Her department is beginning work on an Open Security Controls Assessment Language (OSCAL), which would standardize the language around controls and enable agencies to process and verify providers faster.

* * * * *

The Business of Government Radio Show. What has the Federal Communications Commission (FCC) done to transform its IT infrastructure? How has the FCC chief information officer cultivated a network of change agents? What is the FCC doing to cultivate a culture of risk taking and experimentation? Join host Michael J. Keegan as he explores these questions and so much more with Dr. David Bray, Chief Information Officer, the Federal Communications Commission, next week on The Business of Government Hour.

Broadcast Schedule: The show airs Monday at 11 a.m., and Friday at 1 p.m. on Federal News Radio 1500AM WFED. If you can't wait, though, you can listen to (or download) this week's program and all our previous interviews at businessofgovernment.org.