This week, Jason Miller’s Reporter’s Notebook highlighted a recent GSA Inspector General (IG) Memorandum regarding potential savings under the Multiple Awards Schedule (MAS) program. The article focused in large part on the audit process, scope of data reviewed, and cost elements associated with the MAS pricing and compliance regime. The article also noted that the Federal Acquisition Service (FAS) and the GSA IG had formed a working group to improve the value of pre-award audits under the MAS program. The FAS-IG working group developed new policy and performance metrics. The establishment of the working group is a positive development. It is a recognition and acknowledgement that the policy, process, and structural challenges surrounding the MAS audit process need to be adjusted. These adjustments should reflect the ever-changing commercial market and business practices.
By way of full disclosure, 20 years ago I headed up the Federal Supply Service (FSS) team as part of an FSS-IG Working Group focused on improving the audit process. FSS and the IG worked together, focusing on the mechanics and timing of the audit process. The result was a set of acquisition letters updating the audit process. We did not tackle the bigger questions surrounding the efficacy of the MAS pricing policy and access to the commercial market. In retrospect, we should have.
As noted in previous blogs, the current philosophical underpinnings of the MAS pricing policy date from the early 1980’s. The standard provisions, like the Price Reduction Clause (PRC), in some form or another, are close to 40 years old. That is to say, the fundamental core of the MAS pricing policy dates from a time before the Competition in Contracting Act (CICA), the Federal Acquisition Streamlining Act, the Clinger-Cohen Act, the Services Acquisition Reform Act, and widespread use of the Internet and the PC. In the 1980’s, we had no broad use of cell phones; the fax machine was just becoming part of business life; and ubiquitous cloud services and the internet were not what they are today. It is no wonder, then, that we find the current statutory framework for the federal procurement system at odds with the MAS pricing policy.
The basic precepts of the MAS policy have remained static while the commercial market has changed radically. Indeed, the market has embraced technology, and that embrace has altered and continues to alter how business is done and how firms go to market. Further, the IT and services industries are radically different. The MAS pricing policies have become almost anachronistic, as they limit access to the best value tempo of the commercial market, especially when it comes to commercial solutions and services. Although it might be argued that MAS Consolidation will improve the ability of vendors to provide commercial solutions, without real pricing reform, MAS Consolidation’s full potential will remain unmet.
Back to the current FAS-IG working group. It is notable that one of the three critical parties to the process was not included as part of the working group. A lesson learned from my experience is that including the private sector, MAS contractors, in a review of the audit process would be of great value to FAS and the IG. GSA has been very transparent with regard to its Federal Marketplace Strategy. Under Administrator Emily Murphy’s vision for the agency, transparency supports GSA’s values: service, accountability, and innovation. We are hopeful that the ongoing FAS-IG working group will seek contractor input regarding the audit process, and the Coalition stands ready to provide transparent, experience-based feedback on the audit process.
Additionally, to the extent the FAS-IG working group has developed new policy around the audit process and pricing, the public should have an opportunity for review and comment on that policy. For example, if the policy restricts the ability of firms to provide pricing based on how firms offer solutions in the commercial market, such an approach would be inconsistent with the goals of the MAS program and the underlying statutory and regulatory framework for the acquisition of commercial items. Consistent with GSA’s values, just as any such approach should be subject to rule-making and public comment, so too would any formal policy developed to address the scope of information collection pursuant to the audit process.
Finally, it would be interesting to learn whether the FAS-IG working group addressed the apparent organizational conflict of interest (OCI) at the core of the contract audit process. As noted by many stakeholders, the IG’s role providing direct MAS contract audit support, while at the same time conducting oversight reviews of the MAS contracting process, creates an apparent OCI. Under the FAR OCI rules, the government would prohibit a contractor from performing these competing functions. Certainly, the IG’s oversight function plays a positive role in ensuring accountability and transparency in the procurement system. How the IG’s conflicting roles impact GSA, FAS, and the IG’s statutory oversight role, however, is a fair topic of inquiry for all stakeholders in the procurement community.
The Coalition looks forward to future dialogue with FAS and the IG.
On Thursday, Ellen M. Lord, Undersecretary of Defense for Acquisition and Sustainment, updated the news media on the Defense Department’s COVID-19 acquisition policy at a Pentagon briefing. According to Lord, the Department of Defense (DoD) has had more than 8,000 contracting actions related to COVID-19 totaling approximately $1.7 billion. She expects that this total will likely reach $2 billion by the end of this week, including $700 million in medical construction. Lord emphasized that medical equipment, lab equipment and testing remain high priorities.
The lead acquisition team supporting the Government-wide response to COVID-19 is the Joint Acquisition Task Force (JATF) led by Principal Deputy Assistant Secretary of Defense for Acquisition, Ms. Stacy Cummings. The JATF team includes acquisition professionals from the Military Departments and DoD Agencies, and is synchronizing and supporting the acquisition execution of DoD’s COVID-19 response to interagency FEMA and HHS requirements for medical resources. The JATF is organized based on 6 product lines and 3 functional areas. The product lines are ventilators, N95 masks, screening and diagnostics, pharmaceuticals, personal protective equipment (PPE) and syringes. The 3 functional areas are supply chain visibility, additive manufacturing and the industry portal.
Since February 1, the Defense Logistics Agency (DLA) has executed over 5,000 contract actions totaling $837 million dedicated to COVID-19 with $688 million for FEMA and Department of Health and Human Services (HHS) requirements. According to Lord, DoD and HHS have signed an interagency agreement establishing a framework for DoD to provide acquisition assistance to HHS under the CARES Act authorities.
A top priority of DoD during the pandemic is to ensure the stability of its defense industrial base. However, given the nature of the current national emergency, the strength of the U.S. medical industrial base has also come into the spotlight.
In response to questions from reporters, Lord indicated that the U.S. has become overly dependent on foreign sources for medical supplies and there is a need to have greater security and resiliency in our medical industrial base. She also said that the U.S. should have the capacity and throughput to “take care of ourselves” in times of need, and that our dependency on China is more than it should be given national security issues with China.
Amidst COVID-19, Navy Contract Spending Rises Significantly in April
Federal News Network reported that Navy contract spending has risen 30% compared to the same period a year ago. The Navy has increased its spending as a response to the COVID-19 pandemic and to keep its supply chain afloat. The Navy has been working, for the last two and a half years, on reform efforts that have helped the Navy get funding out the door more quickly. James Geurts, Assistant Secretary of the Navy for Research, Development and Acquisition, said that a lot of the acquisition changes came out of necessity due to the pandemic, but that the changes should be easy to sustain after the pandemic is over. While the Navy had already been working through steps to speed up the contracting process and its cash outlays, the pandemic has accelerated the policies to be implemented immediately. Geurts believes that the Navy has been able to adjust to the current pandemic due to the “Four Ds:” Decentralized execution, Differentiation of work, Digitization of operations, and Development of talent.
House Armed Services Leadership Committed to Passing FY21 NDAA
According to Inside Defense, House Armed Services Committee Chairman Adam Smith (D-WA) and Ranking Member Mac Thornberry (R-TX) are committed to passing a FY2021 National Defense Authorization bill despite the House not returning to session until May 4th. The lawmakers issued a joint press statement on Tuesday clarifying that, “[t]he COVID-19 pandemic will certainly affect how the Committee marks up the FY21 NDAA and how the House considers it on the floor. We are discussing those details and consulting with the Leadership of both parties. At the same time, we remain committed to the principles that have guided the bill in the past – regular order through the committee, transparency, and bipartisanship.”
The Department of Veterans Affairs (VA) Office of Inspector General (OIG) has published a report evaluating the challenges the VA has had implementing a new electronic health record (EHR) system. The OIG found that the critical physical and IT infrastructure upgrades have not been finished, as of January 8, 2020. These infrastructure changes are necessary to properly prepare for the launch of the new health record system. The VA also lacks an initial comprehensive assessment to determine a realistic go-live date and lacks adequate staffing for the rollout. The OIG made the following recommendations:
- Establish an infrastructure-readiness schedule for future deployment sites that incorporates lessons learned from DoD.
- Reassess the enterprise-wide deployment schedule to ensure projected milestones are realistic and achievable, considering the time needed for facilities to complete infrastructure upgrades.
- Implement tools to comprehensively monitor the status and progress of medical devices at the enterprise level.
- Standardize infrastructure requirements in conjunction with VHA and the OIT and ensure those requirements are disseminated to all necessary staff.
- Evaluate physical infrastructure for consistency with OEHRM requirements and monitor completion of those evaluations.
- Fill infrastructure-readiness team vacancies until optimal staffing levels are attained.
- Ensure physical security assessments are completed and addressed at future electronic health record deployment sites.
- Ensure all access points to physical infrastructure are secured and inaccessible to unauthorized individuals.
Another VA OIG report reviewed the transition to the new EHR at Mann-Grandstaff VA Medical Center in Spokane and its impact on access to care. The Spokane location was scheduled to be the first Veterans Health Administration medical center to implement the new EHR on March 28, 2020. However, the launch was delayed in early February.
The OIG found that as of January 9, 2020, there was a backlog of 21,155 care in the community consults. This backlog was the result of a lack of new staff, not hired due to budget concerns. The OIG made several recommendations:
- Evaluate the impact of the new EHR implementation on productivity and provide operational guidance and required resources to facilities prior to go-live.
- Identify the impact of the mitigation strategies on user and patient experiences at go-live and take the necessary action(s).
- Ensure that clear guidance is given to facility staff on what EHR capabilities will be available at go-live.
- Reevaluate the EHR modernization deployment timeline to minimize the number of required mitigation strategies at go-live.
- Implement VA-provided operational guidance and support required resources needed throughout the transition to the new EHR.
- Ensure that positions required for the transition to the new EHR are staffed and trained prior to go-live.
- Ensure that the community care consults are managed through go-live to ensure accuracy, completeness, and to avoid the need for manual reentry after go-live.
- Ensure that patients receive medication refills in a timely manner throughout the transition to the new EHR.
On April 23, Federal News Network interviewed GSA Federal Acquisition Services (FAS) Commissioner Julie Dunne about the agency’s COVID-19 emergency acquisition response. Dunne stated that contracting officers and other acquisition employees are meeting all current demands, largely due to the agency’s teleworking capabilities. In particular, GSA is seeing a high demand for medical equipment, hand sanitizer, and masks. GSA initiated an emergency acquisitions group to bring more agility and speed when meeting agency demands. Dunne explained that by bringing experts together in each of the critical product areas, GSA can better ensure that acquisition processes are as agile as possible for customers.
Over the last month, GSA has issued several memos including a Trade Agreements Act (TAA) waiver, expedited payments for small contractors, raising the simplified and micro purchase thresholds, and guidance for onboarding and off boarding industry employees. Dunne stated that the MAS consolidation allowed FAS to quickly acquire a 3D printer vendor, who could make masks, face shields, and hands-free door opening aids, for agencies to purchase on Schedule. She also said that she is not currently concerned about the pandemic’s impact on FAS’ sales and operating model, adding that while some areas will see lower sales, others will see increases.
Federal News Network reported that Laura Stanton, who is currently the Deputy Assistant Commissioner of the Information Technology Category (ITC) for GSA’s Federal Acquisition Services (FAS), will take over the role of Acting Assistant Commissioner of ITC on June 5. Bill Zielinski, who is currently the Assistant Commissioner of ITC, has accepted a new role as the CIO of a Western city. It was also announced that Vera Ashworth will start as the new ITC Deputy Assistant Commissioner on May 26.
Stanton has been with GSA for more than 22 years. She led the effort to create the Acquisition Gateway for agencies and vendors, and most recently led GSA’s e-commerce platform initiative and category management initiatives. The Coalition would like to thank Bill for his service and congratulate Laura on her new role – we look forward to working with her and the team!
VA Guidance on Advanced Payments for COVID-Related Supplies
The Department of Veterans Affairs (VA) has issued guidance allowing for advanced payments when acquiring commercial items in response to COVID-19. The authority is available for the purchases of:
- Personal Protective Equipment (PPE)
- Ventilators, ventilator consumables and ventilator repair parts
- Dialysis equipment, consumables, and repair parts
- Critical care equipment and consumables, to include pharmaceuticals (e.g., EKG machines, paralytics)
- Others may be added; approval from the AUSH, Support Services is required
Fedscoop reported that the Cybersecurity Maturity Model Certification (CMMC) accreditation board is in the “final stages” of working out its training system. Ty Schieber, chairman of the accreditation board, stated that the body is working to create a pipeline for third-party assessors to become trained and certified within the next 30 days. CMMC requirements are set to begin appearing in requests for proposals this fall and will gradually be rolled into all DoD contracts over the next five years.
Additionally, Federal News Network reported that DoD officials see CMMC as a way to monitor certain aspects of the supply chain not related to cybersecurity. CMMC certification will require in-person visits with third party assessors to verify that companies have implemented the required security practices, and to ensure that firms are not fraudulently seeking work. Katie Arrington, DoD’s Chief Information Security Officer for Acquisition, says that these meetings will also reduce the risk of foreign ownership and shell companies.
GSA Announces Plans to Implement Catalog Management Reform
The General Services Administration (GSA) has provided several updates on their Catalog Management initiative on GSA Interact. GSA intends to create a Common Catalog Platform (CCP) which will be more readily accessible and provide higher quality data than is currently available on GSA Advantage. GSA plans to stand-up and begin a phased implementation of the CCP by FY2021 and fully implement the CCP after FY2022.
Senate Returns to Session, House Delayed Another Week
Politico reported that the Senate will return on May 4 to begin working on another COVID-19 relief bill. However, the House, which was originally scheduled for May 4, delayed its return from recess for another week. House Majority Leader Steny Hoyer (D-MD) stated that the session will resume when the House is ready to consider the next COVID relief bill.
DoD Requests Input on CARES Act Implementation
The Department of Defense (DoD) announced an opportunity for early engagement regarding implementation of the Coronavirus Aid, Relief, and Economic Security Act (CARES) within its acquisition regulations. Among the CARES Act regulations DoD is implementing is Section 3610, which allows for contractors to receive equitable adjustment to keep their workforce in a ready state. The early input should be submitted in writing. The written input can be submitted via email to email@example.com with the reference “Early Engagement Opportunity: CARES Act” in the subject line. There is no specific deadline for when the input must be submitted, but DoD will be better able to consider input submitted earlier in the process.
Legal Corner: Defense Production Act Update: FEMA Exercises Control over PPE Exports
By Mayer Brown: David F. Dowd; Marcia G. Madsen; Sydney H. Mintzer; and Tamer A. Soliman
The Legal Corner provides the legal community with an opportunity to share insights and comments on legal issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement.
The Federal Emergency Management Agency (“FEMA”) has issued a temporary rule that enables FEMA to regulate exports over shipments of certain personal protective equipment (“the PPE Export Rule” or “the Rule”).
FEMA promulgated the PPE Export Rule under the authority of the Defense Production Act, 50 U.S.C. § 4501 et seq. (the “DPA”), specifically sections 101 (50 USC § 4511) and 704 (50 U.S.C. § 4554), and the Executive Orders of March 23 and 26, 2020, and April 1, 2020, regarding the COVID-19 pandemic.
The DPA gives the US president authority to prioritize federal government orders for products and services (ahead of other customers) and to allocate resources as necessary to promote the national defense. Multiple agencies have been delegated authority to implement the DPA.
The rule is effective upon publication in the Federal Register (which is scheduled for April 10, 2020) and will remain in effect for 120 days.
The PPE Export Rule
The stated purpose of the Rule is to aid the response of the United States to the spread of COVID-19 by ensuring that scarce or threatened health and medical resources (referred to as “covered materials”) are appropriately allocated for domestic use. All shipments of covered materials are allocated for domestic use and may not be exported from the United States without explicit approval by FEMA.
The items covered by the PPE Export Rule are N95 filtering facepiece respirators, certain other filtering facepiece respirators that cover the user’s airway (nose and mouth) and offer protection from particulate materials at an N95 filtration efficiency level, elastomeric air-purifying respirators and filters/cartridges, PPE surgical masks, and PPE gloves and surgical gloves.
The Rule contemplates that additional materials may be added to the covered materials list.
Under the Rule, before any shipments of covered materials may leave the United States, Customs and Border Protection (“CBP”) will notify FEMA of an intended shipment and detain the shipment temporarily, during which time FEMA will determine whether to return for domestic use, issue a rated order for, or allow the export of part or all of the shipment. In making such determinations, FEMA may consult other agencies and will consider factors such as (1) the need to ensure that scarce or threatened items are appropriately allocated for domestic use; (2) minimization of disruption to the supply chain, both domestically and abroad; (3) the circumstances surrounding the distribution of the materials and potential hoarding or price-gouging concerns; (4) the quantity and quality of the materials; (5) humanitarian considerations; and (6) international relations and diplomatic considerations.
The Rule contains an exemption to address certain pre-existing commercial relationships. FEMA will not purchase covered materials from shipments made by or on behalf of a US manufacturer with continuous export agreements with customers in other countries since at least January 1, 2020, provided that at least 80 percent of such manufacturer’s domestic production of covered materials, on a per item basis, was distributed in the United States in the preceding 12 months. If FEMA determines that a shipment of covered materials falls within this exemption, such materials may be transferred out of the United States without further review by FEMA. This exemption, however, is not unlimited as FEMA may waive it and fully review shipments of covered material if necessary or appropriate to promote the national defense.
Timing and Process: The PPE Export Rule makes clear FEMA will rely on CBP for immediate detentions of covered exports at the border, effective April 10, 2020. As a result, there will be detentions at ports across the country, pending a FEMA decision. The Rule does not mandate a specific time for FEMA to decide whether export will be permitted. The Rule only provides that FEMA will make a determination “within a reasonable time of being notified” of a detention. Exporters may be in limbo, facing potential breach claims from customers abroad.
Exemption: The exemption is critical as it will enable certain exporters to meet customer requirements. Unfortunately, the exemption is limited to companies that can show 80 percent of their production of covered material is for the domestic market. Exporters may need to engage FEMA to get a determination that they are covered by the exemption and (presumably) obtain documentation to prove to CBP officials’ satisfaction at the point of export that the exemption covers the shipment. The Rule does not clarify what evidence is needed for presentation to CBP.
Impact on Foreign Parties: The Rule also has implications for certain foreign companies. Foreign buyers who have contractual commitments with US PPE suppliers will face uncertainty as to whether and when products will be supplied. The Rule does not address foreign shipments transiting the United States for supply to a third country. The Rule says only “shipments” will be detained at the border. It is unclear if such transiting shipments will be detained.
Other Ramifications: In terms of predictability, the PPE Export Rule may be more problematic than a simple and direct ban. For example, if a shipment is detained for two weeks and then the decision is made to release the goods (or some of the shipment while the remainder is kept), it may be more difficult for the shipper to establish force majeure or to address the prospect of a breach and damages. The Rule does not address the application of the DPA liability protections for US businesses if a rated order is not issued and export is permitted but materially delayed. Finally, it is possible that the Rule may result in foreign retaliation or countermeasures.
Suppliers, brokers, and buyers of covered materials should carefully review the Rule to assess its impact on their supply chain planning, contractual obligations, and mitigation strategies. DPA requirements flow through the supply chain, and suppliers for manufacturers of covered materials must be attentive to the Rule’s ramifications and raise questions promptly. Parties who believe an exemption may apply should engage with FEMA as soon as possible in order to minimize potential commercial uncertainty and disruption.
By Sheppard Mullin’s Keeley A. McCarty
The Healthcare Spotlight provides the healthcare community with an opportunity to share insights and comments on healthcare issues of the day. The comments herein do not necessarily reflect the views of the Coalition for Government Procurement.
The novel coronavirus (“COVID-19”) pandemic has given Department of Veterans Affairs (“VA”) contractors several powerful new tools in their toolbelts, and VA contractors should not leave available protections on the table. VA contractors, including those supplying medical devices under the MSPV-NG bridge contract and pharmaceuticals on a VA Federal Supply Schedule (“FSS”), now can negotiate for extraordinary limitations on liability (in addition to some provided by statute), among other opportunities. Particularly for contractors providing goods and services used in the COVID-19 pandemic response, it is crucial to understand both new protections available and other changes to the rules of VA contracting.
Public Law 85-804 Indemnity
Most recently, the President granted the VA authority to extend to vendors the extraordinary indemnity provided by Public Law 85-804, which typically is reserved for nuclear power-related contracts or contracts involving unusually hazardous work. The Memorandum on Authorizing the Exercise of Authority under Public Law 85-804, issued April 10, 2020, allows the VA to indemnify contractors against the following risks of performance, as detailed in FAR 52.250-1:
- Claims (including reasonable expenses of litigation or settlement) by third persons (including employees of the Contractor) for death; personal injury; or loss of, damage to, or loss of use of property;
- Loss of, damage to, or loss of use of Contractor property, excluding loss of profit; and
- Loss of, damage to, or loss of use of Government property, excluding loss of profit.
This means that the Government itself will shield vendors from such claims. To receive indemnity, the FAR clause must be included in the contract, so contractors should make sure to negotiate for its inclusion. The contract must also define the unusually hazardous risk being covered, so contractors should give careful thought to the definition and scope of potential COVID-19-related damages.
PREP Act Immunity
VA vendors may also be protected from liability under the Public Readiness and Emergency Preparedness (“PREP”) Act provisions of the Public Health Service Act. Manufacturers and distributors of drugs, biological products, medical devices, and certain respiratory protection devices are immune from liability for losses like personal injury and death related to administration and use of those products in the COVID-19 emergency response effort.
While PREP Act immunity does not require the inclusion of any FAR or VAAR contract clauses, vendors may want to include some reference to PREP Act immunity or otherwise create a record with the contracting officer if they believe they are covered. The covered countermeasures eligible for protection under COVID-19 PREP Act immunity are changing almost weekly as the country’s emergency response develops. For further information on PREP Act immunity, see our other blog postings here and here.
VA COVID-19 Contracting
Vendors also should be aware of additional flexibilities VA contracting officers now have in awarding COVID-19 related contracts. On March 15, 2020, the VA temporarily increased the micro-purchase threshold to $20,000 and the simplified acquisition threshold to $750,000 through June 30, 2020, under authority granted by the President’s declaration of a national emergency under section 501(b) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42 U.S.C. §§ 5121-5207 (the “Stafford Act”). The Stafford Act declaration also allowed the VA to increase the threshold for simplified procedures for the acquisition of certain commercial items to $13 million. The VA Memorandum setting forth these emergency acquisition flexibilities emphasized they apply only to contracts in support of the COVID-19 emergency response. The Veterans First Contracting Program preferences still apply to all contracting determinations.
Finally, the Stafford Act declaration opened the door to state and local governments to purchase from the VA FSS through the GSA Disaster Recovery Purchasing program. Vendors may participate, or not, regardless of whether they elected to participate at the time they entered the Schedule contract. The VA issued guidance to contractors regarding state and local government purchasing on March 20, 2020.
The Department of Homeland Security (DHS) issued the following announcement this week and requested that the Coalition share it with members:
New Credential in Lieu of a PIV Card Offered Virtually During COVID-19 Pandemic
To protect the Department’s workforce and ensure the continuity of the mission during the COVID-19 pandemic, the DHS Office of the Chief Security Officer (OCSO) is now offering a DHS credential that can be obtained virtually to new and current employees and contractors in lieu of a DHS personal identity verification (PIV) card.
This new credential, called a derived alternate credential, was created so that new employees and contractors who need a credential, and current employees and contractors who have a PIV card that has expired or will expire soon, can gain logical access to the DHS network without having to visit a DHS credentialing facility in person.
Employees and contractors who obtain the new credential will still need to get a DHS PIV card at a later time.
For additional information about the new credential, please see the OCSO Enterprise Security Services Division Connect FAQ page and then click on “What is the impact of COVID-19?” That will take you to three links that provide information on the steps that:
- New employees and contractors need to take to obtain a derived alternate credential;
- Current employees and contractors with an expiring or expired PIV card need to take to obtain the credential; and
- Current employees and contractors who need to update the PIN on their PIV cards need to take.
If you have any questions about the derived alternate credential, please contact OneCardSSD@hq.dhs.gov.
New Leadership for Coronavirus Inspectors General Committee
Politico reported that Robert Westbrooks, former Inspector General for the Pension Benefit Guaranty Corporation, has been named as the executive director of the Pandemic Response Accountability Committee (PRAC). The panel consists of more than 20 Federal inspectors general coordinating COVID-related investigations. Additionally, Michael Horowitz, the Inspector General for the Department of Justice, will serve as the acting chairman of the PRAC. The Committee also launched a public website to track COVID-related spending.
CISA Named Cybersecurity Shared Services Provider
Federal Computer Week reported that on April 27, the Office of Management and Budget (OMB) named the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) as the first shared services provider under its Quality Service Management Office (QSMO) program. CISA’s QSMO will serve as the cybersecurity shared services provider for the Federal Government, covering security operation center standardization, vulnerability management standardization, and DNS resolution services.
CISA’s designation to the program is the first under a plan laid out by OMB last April to optimize shared services across the government. The plan identified cybersecurity, financial management, grants management, and human resources as their main shared services. CISA plans to use programs like Continuous Diagnostics and Mitigation, and the National Cybersecurity Protection System to bring effective shared services to the Federal Government.
The Government Accountability Office (GAO) released a report on April 23 that analyzed existing Federal reform efforts and where those reforms could be strengthened, including the proposed merger of the General Services Administration (GSA) and the Office of Personnel Management (OPM). In May 2019, GAO testified that neither GSA nor OPM satisfied the best practices and planning requirements to ensure viability of a major reorganization effort. During the ensuing year, GAO found that GSA and OPM have not yet fulfilled those best practices. The two agencies have not finalized certain metrics and targets associated with the moves. The report also found that OPM did not have enough employee and stakeholder outreach.
In the same GAO report, there is an assessment of OPM’s transfer of the National Background Investigations Bureau (NBIB) to the Department of Defense (DoD). DoD has the Personnel Vetting Transformation Office (PVTO). The PVTO is currently managing future changes to the clearance process. GAO found that the NBIB workforce felt somewhat informed about the transfer. The transfer has been successful, so GAO recommends that the remaining investigations be moved to DoD.
FedScoop reported that amid the current pandemic, the Small Business Administration (SBA) still has more work to do to improve its information security program. The cybersecurity of SBA’s websites is especially critical as it works to implement COVID-19 relief efforts like the Paycheck Protection Program (PPP) and the Economic Injury Disaster Loan (EIDL) program to support small businesses during this pandemic.
In a report released on March 30, the SBA’s Office of Inspector General (OIG) found that the SBA’s information security program was generally “not effective” in addressing specific areas covered by the Federal Information Security Modernization Act (FISMA) like risk management and data privacy and protection.
Since the COVID-19 national emergency was announced, the SBA and other Federal agencies have experienced external threats to their information systems. For example, the SBA has reported identifying eight websites and Twitter accounts imitating the agency’s Administrator, which were all taken down in the last few weeks.
The SBA’s security team is currently working on penetration testing and applying new capabilities to the SBA Connect authentication, according to Chief Information Officer (CIO) Maria Roat. SBA is working to upgrade the information security program, while supporting loan portals and handling the shift to teleworking.