It seems like long ago. Thousands of active duty service members applied for religious exemptions from COVID vaccines. Now we know how well the armed services did in processing the exemptions and the discharges of service members from the armed services. For details, the Federal Drive with Tom Temin talked to Project Manager Marie Godwin in the Defense Department’s Office of Inspector General.

Interview Transcript: 

Marie Godwin We wanted to ensure that service members were treated fairly, and that their exemption requests and discharges were processed in accordance with the law and DoD regulations. And we also received a number of hotline complaints alleging that the military services were improperly processing religious accommodation requests. So we wanted to review that process and determine if those allegations had any merit. So specifically, the complaints were alleging that the military services were processing the requests too quickly and not performing individualized review of the requests as required by the law and DoD policy. But in the end, we found the allegations did not jibe with our findings, and our report confirms that those allegations were, in fact, unfounded.

Tom Temin All right. Do the requirements on the DoD specify a timeline or a period of time in which they have to decide these? Usually the problem is the government gets backlogs of things. In this case they were processing them. It sounds like efficiently.

Marie Godwin Yes, the DoD does establish time requirements, and the time requirement depends on if the service requires a waiver of policy for that religious accommodation request or not. So for the Army, Marine Corps and Navy, they had 90 days to process the requests. The Air Force had 30 days to process the requests because they had decentralized decision process that did not require a waiver of policy.

Tom Temin You didn’t look then at whether the discharges or the exemptions were correct or not. It was just simply looking at whether they were processed in a way that was in accordance with their policy for processing them.

Marie Godwin That’s correct.

Tom Temin All right. Let’s go into that a little bit further. You said the Army, Navy, Marine Corps had a 90 day policy and the Air Force 30 days, maybe a little bit more detail on why that was the case, that variance.

Marie Godwin Sure. That’s just an overarching DoD policy that establishes the time requirements. And the DoD policy says that if the religious accommodation request requires a waiver of department policy, then it can be processed within 90 days. And I think the thought behind that is that it takes longer to process that through a central decision authority. If the request does not require a waiver of policy, as is the case with the Air Force, then the time requirement for that processing is only 30 days.

Tom Temin In what’s involved in processing that even takes 30 days?

Marie Godwin Sure. There’s a number of things that happen in the process, and it differs by military service. But generally, the service member submits a request. They have recommendations from their chain of command. They meet with a military chaplain to discuss their request. There’s also medical subject matter expert recommendations, and all these are processed up through the decision authority to consider.

Tom Temin Right. And just to clarify once more. You didn’t look at the quality of the decisions versus, yeah, you can stay or you’re discharged. But again, just whether they were processed in the proper manner.

Marie Godwin Right. So we looked at did they have all of the required recommendations? And was the proper decision authority deciding on their request?

Tom Temin We’re speaking with Marie Godwin. She’s a project manager in the Inspector General’s Office at the Defense Department. So generally, everything went according to each armed service’s policy for getting those things processed. Any exceptions or any outlying issues that you discovered?

Marie Godwin So for religious accommodation requests, we found that the Army and Air Force were taking much longer to process the exemptions than the DoD time requirements. So the Army, as we said before, had 90 days to process those requests, and they were averaging about 192 days to process the requests. The Air Force had 30 days to process those requests, and they were averaging about 168 days.

Tom Temin Yikes. And do we know why it took so long to do those?

Marie Godwin Well, we spoke with the military personnel involved in processing religious accommodation requests, and they told us that in a typical year, they only receive 3 or 4 requests for religious accommodation. So they were just overwhelmed by the sheer number of the requests.

Tom Temin  And could be that the religious exemption has maybe more subtle decision making that’s required. It’s hard to tell, that sounds like a tough one. Maybe they’re afraid to make the call in some cases.

Marie Godwin Well, I think they just wanted to take the time to make the correct decision and make sure that it was an informed decision.

Tom Temin All right. So what recommendations do you have then? Sounds like they would be centering around the religious exemption request because that’s what caused the outlying cases.

Marie Godwin So we had three recommendations. We had one for religious accommodation requests, one for medical and administrative exemptions and one for discharges. So for religious accommodation requests, we recommended that the DoD issued new guidance for periods of high volume request to decrease processing times. Military personnel told us that they only receive a few requests per year, and under those conditions, the existing policies were sufficient, but not in periods of high volume requests. So this recommendation aims to improve the processing time so that service members are not significantly impacted while they’re awaiting a decision.

Tom Temin All right. And what about for the medical and administrative? Recommendations there?

Marie Godwin Sure. We recommended that the DoD require personnel to document exemption approvals in service members personnel records. We had found that they weren’t always being documented in their records, so we anticipate that requirement will reduce the risk of errors and ensure that the service members vaccination status is accurate in the medical readiness systems.

Tom Temin And for the discharge petitions. That means that people want to be released from the military rather than have the vaccine. That’s what that particular application is.

Marie Godwin Correct. So we recommended that the DoD require uniform discharge types and reentry codes for all service members who were discharged for vaccination refusal. And we made that recommendation because of the DoD does not issue uniform discharge types and reentry codes, then service members will experience different impacts to their educational benefits and eligibility to re-enlist.

Tom Temin I was going to say reentry codes. Does that mean that there’s like a revolving door over vaccinations? You can be discharged and then come back?

Marie Godwin Well, when a service member leaves military service, they’re issued a certificate of release from active duty service. And that lists your discharge type and your reentry code. And the reentry code just indicates a service members eligibility to re-enlist in the service later. So we found that some service members received reentry codes that required them to obtain a waiver to re-enlist, while other service members receive codes that banned re-enlistment altogether.

Tom Temin Got it. And so the recommendation there was or did you have any for that particular class of application.

Marie Godwin So we recommended that they have uniform discharge types and uniform reentry codes.

Tom Temin Got it. And did the department say yeah we agree.

Marie Godwin They actually did not agree with that recommendation. But they provided another plan to address the recommendation. So once they provide that plan to us, we’ll reevaluate the recommendation.

Tom Temin This is more than history then. Because should another type of pandemic happen in the country, or we have another one of these situations where mass vaccinations become the general mode of the land, this could come up again.

Marie Godwin You’re absolutely right. And so DoD allows service members to request medical or administrative exemptions from any vaccination, not just COVID 19.

Tom Temin It could be measles, mumps or polio for that matter.

Marie Godwin Right. The military services have a list of ten or so required vaccinations for all service members.

The post Pentagon report card for dealing with vaccine refuseniks first appeared on Federal News Network.

The Reagan Foundation and Institute graded the health and resilience of what it calls the U.S. national security innovation base. This concept includes a wide range of stakeholders, such as national security agencies, research centers, laboratories, universities, traditional defense contractors, startups, venture capital, and allies and partners. 

The report card gave the country a generous A- in innovation leadership; a strong B when it comes to funds available to national security innovation initiatives; and a B when it comes to the willingness of the private sector to work with the federal government.

But the U.S. got a tough grade in customer clarity, or the ability of the government to signal demand not just through communicating innovation priorities and issuing strategies, but also through providing stable funding and utilizing acquisition pathways available to the Defense Department to buy at speed.

While the government communicates its innovation priorities to the industry somewhat well, budget instabilities and limited application of novel acquisition pathways that the Pentagon continues to use as an exception rather than the rule is what lowered the grade.

“For the first 80 yards in the last 10 or 15 years, the clarity from the Pentagon has been 20/20. Whether it be the strategy documents they put out, the national security documents, the war games we are invited to. The red zone — I can understand some of the grades that were given,” Eric DeMarco, the president and CEO of Kratos Defense, said during the National Security Innovation summit Wednesday. “The companies that actually bring a product forward, it might not be 100% of the requirement, but it’ll be 90-95% of the requirements. They get to that red zone and then the traditional process takes over.”

While the Pentagon has signaled through various reforms that it wants to do business with small and non-traditional companies, the majority of contracts still go to the top defense contractors. 

And the top 25 Small Business Innovation Research awardees, some of whom received less than $100 million in funding through the DoD SBIR program, got less than $500 thousand in the subsequent round of awards, indicating that DoD awards companies that don’t transition their technology into production.

“If we do not have more production contracts, if we do not see startups winning programs of record, because you can only require Silicon Valley to be as patient as it can be for a little bit of time before people start saying, ‘Okay, it’s impossible to work with the DoD.’ So we do think there has been an extraordinary change in the way we communicate, extraordinary education on both sides within the DoD on how venture works, within venture capital on how the DoD works and the expectations there, but we have to see some more wins in the next few years or I do think we are going to see capital dry up,” Katherine Boyle, the general partner at Andreessen Horowitz, said. 

Last year, the Pentagon announced Replicator, the department’s program to field thousands of small, cheap drones. Congressional appropriations allocated more than $200 million in 2024 to push the effort forward, which could provide a boost in sales for smaller companies. Assistant Secretary of the Army for Acquisition, Logistics and Technology Doug Bush said the service is the biggest participant in the first round of the initiative so far. One system the service was working on made the cut for the initial round of the Replicator program, and the Army is already proposing several systems for the second round of the program. Air Force Vice Chief of Staff Gen. James Slife said the service has plans to participate in the second round as well.

And the Defense Innovation Unit, designed to connect technology companies with the Pentagon, just got a major funding boost. Congressional appropriators proposed an additional $800 million in the DIU accounts. That’s up from the $191 million enacted last year. 

Additionally, Bush said major reforms, such as Mid-Tier Acquisition and the Software Pathway are making a difference as defense officials are pushing Congress for more contracting flexibilities.  

“It does take time to filter through the system, but it’s becoming more normal to do, for example, a properly structured [Other Transaction Authority acquisitions] versus a FAR-based contract for certain activities. We’re moving away from fixed-price development, except in very exceptional cases; we’re able to go much faster with Middle-Tier Acquisition and Software Pathway, to get programs started, respond to urgent needs, and actually get something up in the field. So I think the loosening of the reins, so to speak, is having an effect, but we’re far from where we want to be,” Bush said.

How can DoD and industry traverse that last 20 yards?

“We are doing all of the things, we’re investing in the innovation base, we’re putting together DIU, we’re increasing SBIR spending, we’re communicating more openly about programs where companies are going to have a real shot, whether it’s Replicator or whatever. But actually transitioning that into real production is virtually impossible,” Trae Stephens, the co-founder and executive chairman at Anduril Industries, said. 

Stephens said that, in the end, it comes down to decision-making. 

“We can certainly offer hundreds, if not thousands of policy suggestions, authorities that need to be changed, ways that oversight can play into the process in more effective ways. But at the end of the day, I think it’s primarily just decision-making. If you assume you have all the policies, you need to make the right decisions; can we make the right decisions or not?” he said.

The post Limited application of novel acquisition pathways hinders defense innovation first appeared on Federal News Network.

The Defense Information Systems Agency’s data strategy is less than two years old, but it’s already ripe for an update.

The next version, under development, will put an even sharper focus on data quality and advanced analytics to improve how DISA uses artificial intelligence and other tools.

Steve Wallace, the director of emerging technology and chief technology officer at DISA, said a new tool, called Concierge AI, embodies the agency’s plans for integrating data with AI today and in the future.

“How do we augment our staff, leveraging large language models, and bring the sheer amount of data that we have, whether it be unstructured documents or structured documents, and deliver that to the user in a user friendly sort of manner?” Wallace said in an interview with Federal News Network. “Almost like a chat bot that you’re seeing in many different places, but how do we make that specific around the DISA mission, sometimes focused on the back office features, but then also with an eye on how do we do defense cyber operations (DCO) and help an analyst better do their job to dissect an attack and what have we seen before, based on after action reports and that type of thing.”

The overarching goal is to reduce the friction to the user to find and analyze data to drive better decisions. And doing all it in a way that uses natural language to make it easier on the employees, Wallace said.

That idea of reducing friction, making data easier to understand and use is central to the update to the DISA data strategy.

DISA wrote in a LinkedIn post on March 13 that the agency has made progress around setting up data governance and a data architecture as part of its implementation plan.

“The evolution of quality data and advanced analytics within the DISA community is the sole focus of the chief data office and will empower the agency to harness AI technology and AI situational awareness, predictive intelligence and decision-making agility, thereby enhancing national security and organizational readiness,” DISA wrote.

The updated DISA Data Strategy for 2025-2027 will focus on these mechanisms as part of the modernization and maturation of the agency’s data efforts.

DISA’s lessons in using AI

Concierge AI is part of how DISA is demonstrating the modernization and maturation. Wallace said the initial pilot is giving security folks and users a level of comfort in using the LLMs in a government-cloud Impact Level 5 environment.

“Some of the lessons we’ve learned is really around how do we secure these [LLM] environments? The concept of these vector databases is generally new, how do we secure them? How do we make sure that we’re doing the right thing by the data that we’re ultimately storing,” Wallace said. “I think we’re going to learn a lot as well as we start to ingest a large document set, which we haven’t necessarily done yet in the lab. It’s been very small dribs and drabs, but I’ve been encouraged by what I’ve seen just with the limited amount of what we have been able to do. In the first half of this calendar year, we expect to have something out to the digital workforce to start experimenting with, and from there, we’ll gather information about the user’s experience, and then, potentially, make it go more wide scale.”

One big opportunity to take better advantage of LLMs and AI tools is for defensive cybersecurity actions. Wallace said some of DISA’s cyber analysts already are modeling an attack, decomposing an attack and understanding exactly what happened by applying AI and LLMs.

“Any way that we can augment them by taking the datasets and feeding them into some sort of model to provide some sort of output so that they can have a one stop shop, if you will, to understand the dynamics of things that we’re seeing is probably one of the biggest ones that that’s out there in front of us,” he said.

Other priorities: Quantum, mobile devices

Aside from AI, Wallace is also focused on several other priorities, including quantum encryption and rolling out classified mobile devices.

DISA awarded an Other Transaction Agreement to Sandbox AQ to figure out how to build a quantum resistant infrastructure in 2023. The prototype under development is for quantum resistant cryptography public key infrastructure.

“We’re in the phase right now of doing some crypto discovery. The OTA has, I think, eight different deliverables. We’re approximately halfway through it right now,” Wallace said. “This is about an education for us, and how we’re equipping the workforce to actually understand how some of these things work and the differences and, and watching as all of this evolves a lot more to come.”

The classified mobile device effort is further along. Wallace said he expects DISA to start rolling out the next generation devices in the coming months.

The post DISA sets the table for better AI with data management first appeared on Federal News Network.

This simple, but real-life example is helping the Army, and the Defense Department more broadly, fill the communications gulch that can exist in organizations, especially as agencies continue to adjust to a hybrid workforce.

“What we are most excited about is actually seeing these collaboration technologies that have been so successful in the private sector make their way into the public sector,” said Rob Seaman, senior vice president of platform product at Slack, during Federal News Network’s DoD Cloud Exchange 2024.

In addition to the productivity benefits from leveraging a collaboration platform, GovSlack’s recent FedRAMP High authorization means security conscious public sector agencies can rest assured their data is well protected, Seaman said.

“There are a few key aspects of these collaboration technologies that can help with some of the larger agencies that are interconnected and geographically dispersed or may have people that are working both in the office and at home,” he said. “Some of the primary benefits we see from these collaboration technologies are alignment and speed, as well as the ability to get people together and aligned around a particular initiative or topic where they can work faster than you ever have been able to do before.”

How to stay connected without meetings

Seaman said employees can work together or asynchronously without missing a beat or feeling like they were left out of a discussion.

He said executives at Slack, for example, encourage employees to write documents or record an audio or video clip in lieu of a meeting.

“We do this all the time, where instead of scheduling an all-hands call for the company, every other all hands we will actually do asynchronously, and our executives will just record clips, and then people can go in and watch them at two times speed whenever they like,” he said. “They can actually just read the transcripts instead of watching it if they aren’t in a place where they can listen to audio or it might be interruptive to what they have going on at home.”

Another benefit is the integration with third-party applications that collaboration and productivity tools bring, Seaman said.

How to reduce friction, increase agency speed

At Salesforce, Slack’s parent company, executives manage all of their approvals — from expenses to leave requests — right in Slack using the platform’s integration and automation capabilities.

“We’ve seen a reduction in the median time it takes to approve expense reports from 2.4 days to 1.7 hours  — across 80,000 employees,” Seaman said. “We see a ton of value in actually bringing the systems that your people need to use into where the communication is happening. When somebody needs to approve an expense report or somebody needs to approve a project brief or creative brief or something like that, just bring it to where they’re communicating. It’s also like a notification that may spark a conversation or requires a human to take an action.”

That integration with other software as a service applications is something any large organization in the public or private sector can take advantage of, he suggested. Too often organizations force employees to “context switch” between applications that don’t talk to one another, causing frustration and friction in their daily work, Seaman added. Slack has 2,700 apps that are integrated out of the box.

Seaman said authorizations like FedRAMP High and additional compliance features like application programming interfaces  for e-discovery and data loss prevention tools help engender confidence in the tools.

“The fact that using tools like this — that allow you to achieve a higher level of alignment across your organization, and all of your initiatives will ultimately make you as an agency faster — it allows you to embrace hybrid work,” he said.

“One of the ways that you can achieve that is by bringing more and more of your systems into where the communication is happening. Don’t make people go search for tasks. Bring tasks they need to do to them, and allow them to quickly act on them. You’re going to be faster, you’re going to save money, and, ultimately, they’re going to be happier and more productive.”

Discover more articles and videos now on Federal News Network’s DoD Cloud Exchange event page.

The post DoD Cloud Exchange 2024: Slack’s Rob Seaman on powering productivity, collaboration first appeared on Federal News Network.

The Defense Department’s IT modernization journey is as complicated as it is long. There is plenty of progress but even more opportunity to take advantage of cloud services capabilities — current and still to come. In 2024, DoD asked for more than $58 billion for technology and cyber funding, which is $13 billion more than what it asked for in 2023.

Andrew Churchill, vice president of public sector at Qlik, said while the funding is important, the Pentagon still is working to overcome policy hurdles, such as those around cyber authorization to move systems and data outside of its on-premise data centers and networks and to the cloud.

“One of the things that’s really important is now creating an enterprise of enterprises. DoD has made awards to Microsoft, Google, AWS and other cloud providers, and they now need to make sure that those systems and data environments are interconnected and operate just as they did when it was all behind their firewall,” Churchill said on Federal News Network’s DoD Cloud Exchange 2024. “One of the big things that needs to happen is a cultural shift around how they are going to bring all of those people that manage these platforms together and begin to break down some of those silos now that they’re in the cloud so they can take advantage of what the cloud is designed to make possible.”

Churchill, of course, is referring to the data that lives in each of the cloud instances. Military and civilian employees from across the department must share information and communicate in bigger and more immediate ways than ever before.

Available, trusted and ready DoD cloud presences

He said this is why DoD must rationalize the policies and access to those systems to better support coordination — to create agility within the processes that integrate and govern data.

“We reimagined the way that those cloud services were going to be consumed and deployed, and therefore how we architected those systems. What we really see as the potential is the idea that you are not going to simply deliver that same application that you had on-premise. You are going to have a set of services from ServiceNow, AWS and Salesforce, and build a set of capabilities that does benefits enrollment or does personnel readiness in the DoD,” Churchill said. “So how am I going to make those things available, trusted and ready to be able to support what obviously is going to become the most important thing in terms of strategic advantage going forward?”

This integration of different software as a service applications is starting to pick up steam across DoD.

The Navy’s big data platform, Jupiter, and the Army’s enterprise resource planning system, the Enterprise Business Systems – Convergence, are two examples of  such one-stop-shop platforms for cloud services.

Churchill said in the end, for both DoD and civilian agencies, these technologies all must lead to improved mission outcomes. In that vein, agencies need to rethink the path they take to IT modernization, he said.

“With low-code, no-code types of capabilities, the level of effort that you previously needed to deliver new capabilities is very different,” Churchill said. “When you start talking about artificial intelligence and analytics, it is more and everywhere. That should be the goal if you’re going to deliver financial management data that belongs everywhere in personnel decisions, supply chain decisions and in tactical execution. It’s about pervasively embedding decision support capability in business processes, in mission process workflows and everywhere you go.”

Discover more articles and videos now on Federal News Network’s DoD Cloud Exchange event page.

The post DoD Cloud Exchange 2024: Qlik’s Andrew Churchill on unifying DoD’s cloud enterprise first appeared on Federal News Network.

Teixeira, of North Dighton, Massachusetts, pleaded guilty to six counts of willful retention and transmission of national defense information under the Espionage Act nearly a year after he was arrested in the most consequential national security leak in years.

The 22-year-old admitted illegally collecting some of the nation’s most sensitive secrets and sharing them with other users on Discord, a social media platform popular with people playing online games.

U.S. District Judge Indira Talwani scheduled sentencing for September in Boston’s federal court and said she would decide then whether to formally accept the agreement, which calls for a prison sentence between 11 and nearly 17 years. Prosecutors said they plan to seek the high end of that range.

“Mr. Teixeira callously disregarded the national security of the United States and he betrayed his solemn oath to defend the country and the trust of the American people he swore to protect,” Matt Olsen, assistant attorney general for national security, told reporters after the hearing.

The stunning security breach raised alarm over America’s ability to protect its most closely guarded secrets and forced the Biden administration to scramble to try to contain diplomatic and military fallout. The leaks embarrassed the Pentagon, which tightened controls to safeguard classified information and disciplined members found to have intentionally failed to take required action about Teixeira’s suspicious behavior.

Teixeira smiled at his father before being led out of the courtroom with his hands and legs shackled, wearing orange jail garb and black rosary beads around his neck. He stood flanked by defense attorneys through much of the hearing and occasionally leaned down to speak into the microphone to answer questions from the judge.

Michael Bachrach, an attorney for Teixeira, told reporters they will push for a sentence of 11 years. Bachrach described Teixeira as a “kid,” adding that the defense will show at sentencing that his youth played a significant role in his conduct.

“He is significantly remorseful for his conduct. He has accepted full responsibility for his conduct,” Bachrach said.

In an emailed statement, Teixeira’s family said: “It is unfathomable to think your child would ever be involved in something so serious, but he has taken responsibility for his part in this, and here we are.”

“Our focus now remains on Jack – his protection, health, and well-being, and taking care of whatever is in his best interest,” they said.

Teixeira, who was part of the 102nd Intelligence Wing at Otis Air National Guard Base in Massachusetts, worked as a cyber transport systems specialist, essentially an information technology specialist responsible for military communications networks. He remains in the Air National Guard in an unpaid status, an Air Force official said.

Authorities said he first typed out classified documents he accessed and then began sharing photographs of files that bore SECRET and TOP SECRET markings. Prosecutors also said he tried to cover his tracks before his arrest, and authorities found a smashed tablet, laptop and Xbox gaming console in a dumpster at his house.

The leak exposed to the world unvarnished secret assessments of Russia’s war in Ukraine, including information about troop movements in Ukraine and the provision of supplies and equipment to Ukrainian troops. Teixeira also admitted posting information about a U.S. adversary’s plans to harm U.S. forces serving overseas.

Acting Massachusetts U.S. Attorney Josh Levy told reporters Monday he would not speculate on Teixeira’s motive. But members of the Discord group described Teixeira as someone looking to show off, rather than being motivated by a desire to inform the public about U.S. military operations or to influence American policy.

In exchange for Teixeira’s guilty plea, prosecutors agreed not to charge him with further Espionage Act violations. As part of the deal, Teixeira must participate in a debrief with members of the intelligence community, the Defense Department and the Justice Department about the leaks.

Teixeira has been behind bars since his April arrest. The judge denied his request for release from jail last year after prosecutors revealed he had a history of violent rhetoric and warned that U.S. adversaries who might be interested in mining Teixeira for information could facilitate his escape.

Prosecutors have said Teixeira continued to leak government secrets even after he was warned by superiors about mishandling and improper viewing of classified information. In one instance, Teixeira was seen taking notes on intelligence information and putting them in his pocket.

The Air Force inspector general found that members “intentionally failed to report the full details” of Teixeira’s unauthorized intelligence-seeking because they thought security officials might overreact. For example, while Teixeira was confronted about the notes, there was no follow-up to ensure the notes had been shredded and the incident was not reported to security officers.

It was not until a January 2023 incident that the appropriate security officials were notified, but even then security officials were not briefed on the full scope of the violations.

___

Associated Press reporter Tara Copp in Washington contributed to this report.

The post Pentagon leaker Jack Teixeira pleads guilty under a deal that calls for at least 11 years in prison first appeared on Federal News Network.

Zero trust cybersecurity is on everyone’s mind these days, who is responsible for an information system. For an update on what is going on at the Defense Department,  the Federal Drive with Tom Temin talked with Randy Resnick, Director of the Zero Trust Portfolio Management Office in the DoD’s office of the chief information officer.

Interview Transcript: 

Tom Temin And maybe just help us by telling us how the office that you run fits into the whole DoD CIO structure. And there is a DoD wide zero trust strategy that’s going to take a couple of years, 3 or 4 more years till they get it done. Tell us how this all works from an apparatus standpoint.

Randy Resnick Ok, so mechanically this is good timing for this interview because we are two years at the end of January as a formed portfolio office, a zero trust portfolio office. Prior to the fornation of the Zero Trust Portfolio Office in the DoD CIO, there was no integrated, synchronized place in the Department of Defense that actually made sure that the topic of zero trust was being worked or synchronized across the services. So what senior leadership in the DoD three years ago was concerned about is that everybody would go their own way, and they would start building and installing potential zero trust solutions, and then you would have interoperability problems. And so they predicted that issue immediately and started working towards a synchronization office, which ultimately turned out to be a zero trust portfolio office. It was placed inside the DoD CIO and it reports directly to the DoD CISO, who currently is Mr. Dave McEwan. I report directly to him and he reports directly to Honorable chairman, the CIO.

Tom Temin And I imagine that there is some cost consideration here, too. If you don’t have to buy tens of thousands of different tools, it may not show up in any one place. But if every component is chasing its own zero trust toolset, I know they say zero trust is not a product, but it’s also not free.

Randy Resnick Two years ago, there was no definition of what zero trust meant for the Department of Defense, let alone the rest of the world. There were numerous confusing, vendors that were saying they had zero trust solutions, and then they were trying to sell these solutions to folks in the Department of Defense. And people were extremely confused because they didn’t know what they were buying and what outcome really was being achieved by buying a one off. So when we came on board and was formed as a portfolio office, that was one of the main things, the first things that we worked on is let’s define what zero trust needs to be and do, what outcome do we want to achieve, etc. So you’ll see, in the first year that we were formed, we produced a lot of foundational documentation in everything that we’re doing right now in the second year and forward is building on that foundation and actually executing on it now.

Tom Temin And of course, the Defense Department likes to talk in terms of milestones. And I think the end goal, I think is something like 26 or 27 for full zero trust. What are your milestones for 24? What do you hope to accomplish in this 11 months left of this year?

Randy Resnick So when we started out, two years ago, we tried to determine how long would it take an enterprise the size of the Department of Defense, which is very large, to move to a zero trust cybersecurity, configuration. It’s never been done before at the scale. And for many reasons. I’ll summarize it. We settled on five fiscal years, so that wound up for us to be the end of fiscal 27. So we set the deadline or a goal, the strategy that we had to achieve target level zero trust by the end of 27. So with the definition that we created for zero trust, which was 91 activities for target and 152 activities total for advanced zero trust, it would take five. We set five years to achieve target ZT. Target ZT for us was defined as the ability to stop and adversary lateral movement and exploitation of data. So that was a key outcome that we sought to achieve in our definition of the 91 activities we believe get you there. So in terms of what we are doing in 24, and 23 what we did is we worked to achieve and get a lot of resources, funding priority within department, a lot of outreach and most importantly, the Department of Defense’s implementation plans, which came to us at the end of October 2023, just a few months ago.

Randy Resnick Those implementation plans described at a granular, great detail, exactly how each component was going to achieve target level zero trust before or on the end 27. We have that right now and we evaluated all of it. I’m extremely pleased about what we received in the end. I can’t say better things about it. We are really in a good shape in terms of the plan. So what are we going to do in the remainder of fiscal 24 or calendar 24? It’s all about execution. In order to do execution, we have to experiment on configurations that could achieve target level zero trust. It’s easier said than done. What it requires is a number of vendors coming together, teaming and integrating their products together to achieve the 91 or the close to 91 activities. Not any single vendor is going to be able to achieve it on their own, that’s why I’m saying that. So we need to pilot or test these configurations to actually see if it hits target level zero trust. So that’s our plan. As a portfolio office is to demonstrate multiple multiple pilots across each one of our courses of action. So we could present to the components DoD at large many, many options that they could think about procuring or choosing in any configuration. So it reduces their risk of guessing whether or not something achieves target or not. And that accelerates zero trust implementation and gets us to end to 27 faster. That’s what we’re doing this year, is trying to orchestrate as many as maybe 12 to 15 pilots for the remainder of the year.

Tom Temin We are speaking with Randy Resnick, director of the Zero Trust Portfolio Management Office in the DoD’s office of the Chief Information Officer. And how do you prioritize where you begin with those 12 pilots? Is there a risk management type of flavor that comes into this, such that this is what we need to do most critically, this is the most important network that we have to protect.

Randy Resnick So we’re not looking necessarily at the networks. We’re looking more about the technologies. And something like that could only work if you already have like the solutions in front of you and then you could prioritize. The reality is that there’s not too many vendor configurations that have come our way in the numbers that would allow us to do it. So if we want to do 12 or 15 pilots, maybe there’s we’re aware of 20 configurations of partnerships amongst vendors that we’re aware of. So instead what we’re saying is that course of action one is installing zero trust equipment on the existing infrastructure that’s already laid down in the DoD. So we call that course of action one. Course of action two is a complete green field solution, where you going with a commercial vendor, a cloud vendor, a CSP cloud service provider to implement ZT for you in the cloud. And you would move your users, your applications, your data, your workloads into that new cloud, and you would inherit zero trust. There’s more to it, but basically that’s it.

Tom Temin Well, how does that tie into the big, you know, multiple award contract that the DoD just awarded? You know, I guess it was last year now.

Randy Resnick Right, [Joint Warfighting Cloud Capability (JWCC)]. So the four cloud computing vendors that won that award, those are the four vendors that we are engaging with to see whether or not they could hit target level or higher within a JWCC cloud. We’re not tied to the JWCC directly, but if you have a deadline of fiscal 27 to achieve zero trust, it’s obvious that anything that’s going on in the JWCC when we start approaching 27, it’s going to have to be zero trust compliant. And so those four vendors are aware of that today. And so that’s why we’re working with them and they’re working with us to start putting together the ideas and the functionality and the testing to actually assert or to assess whether or not they could achieve target or even advanced. And so that’s that’s what we mean by COA Two. COA three is an on prem cloud, there’s a number of examples of that like [Defense Information Systems Agency (DISA)] has their private clouds. Stratus is a perfect example of a private cloud. You could have an on prem private cloud anywhere in the DoD. There are benefits and use cases for on prem clouds. There could be some data and mission that simply can’t go on a commercial cloud, regardless of whether or not it’s JWCC or not. So in our strategy, we’ve asked the components to choose any combination of the three. So we have received in the implementation plans essentially a hybrid solution amongst COAs one, two and three that the services and the components are choosing to achieve target ZT across their entire domain. We’re very pleased by that. So getting back to the question, we want to do at least three pilots for COA one, three pilots for COA two and three pilots for COA three. So that we could present a smorgasbord that’s even that the services and components could choose from without leaving anyone out or prioritizing one over the other. And this will continue in fiscal 25 and beyond. So this list will grow over time. In fiscal 25 we’ll do another 12 to 15. So then you have 30 answers. Industry is starting to pick up on this pace the starting to get it. And we’re seeing very positive partnerships being formed now between multiple vendors to try to map out to the 91 activities.

Tom Temin And is there any way this maps over to the other big DoD wide effort, and that is the development of JADC2 and each Armed Forces component that will help make up the JADC2, giant network of networks and so forth. I would think zero trust is a huge consideration there too.

Randy Resnick I wouldn’t say zero trust is a critical path for [Joint All Domain Command and Control (JADC2)]. The term they use is it’s an enabler of JADC2. So it’s probably the number one amongst other equals for enablers of JADC2. It is extremely closely tied. So the success that we have in zero trust is going to enable the success of CJADC2. There’s other subtleties in our success of zero Trust, which JADC2 will benefit from. Data tags and labels is an example of that. That is critical for CJADC2. You need to be able to understand the data packets or the data that’s going across. So you could do your analytics, your visibility things. So there are commonalities between both programs that we are tackling in our program. That is laying the groundwork for an easier path forward for JADC2. And we’re working very closely with the Joint Staff and others to keep them up to date. They’re very tied with us and vice versa, and we are very aware of what’s happening in JADC2, it’s critical.

Tom Temin And that gets to the idea 2 in zero trust that you are not simply thinking about human users of any network or system, ultimately, but also automated users and all the things happening on micro segments and bots, whether they’re your bots or the bad guys bots.

Randy Resnick Yes.

Tom Temin So maybe discuss the thinking there.

Randy Resnick Beyond the user, which everybody typically says, of course, you have to identify and have have an identification of a user. Zero trust goes much further than that. You have to actually identify a device. So it’s the user and the devices that need to be authorized and authenticated before you could even get onto the network. So these are much more advanced concepts than we’re implementing today on the doted on the nipper and the zipper. So the implementation of zero trust is really it’s a forcing function for implementing the absolute best practices in cybersecurity that we have been talking about for 20, 30 years, that for one reason or another, we’ve had very hard difficulties to implement individually within the Department of Defense. So finally, there’s a program that can do that. But there’s a concept in zero trust called policy information point, a policy enforcement point. So these these policies and these points of decision would look at the flow of data that’s happening across the network. And if they don’t like what they see, or if something violates a policy that is not allowed, it will automatically essentially stop that transmission. So a lot of what I would say is the noise that’s in existing networks that are going across the DoD, they would cease to exist in a in a zero trust world in the future. So the the networks will be kind of quieter. You’ll have higher bandwidth, but the noise floor will be significantly cleaned up. And the traffic that’s only going across the networks would be traffic that’s only allowed. And any traffic that’s not allowed would be blocked as quickly and as early as possible.

Tom Temin We were speaking with Randy Resnick, director of the Zero Trust Portfolio Management Office in the DoD’s office of the Chief Information Officer. And it sounds like that would have a big effect on the way you approach security operations centers and network operations centers, where there is less noise and therefore less engagement of people on.

Randy Resnick So it’s interesting that you bring that up because that’s actually, a huge current subject that we are entertaining now with [Joint Force Headquarters – Department of Defense Information Network (JFHQ-DODIN)], which is attached to us Cyber comm, because the question is in a future zero trust infrastructure, what signals do they need to receive in order to command and control activity to stop adversary maneuvers? So in the event that an adversary is moving around, the noise on the network would be a lot lower. They would be able to see and detect needles in haystacks, visibility and analytics due to technology that is, exploded just in the last two years. AI, for example. In LLMS. So we’re entering a phase now where the planets are lining up where I believe and I’ve said this, we’re going through almost a renaissance or a new phase in cybersecurity defense. Folks have been very focused on offense for quite a while, but defense has always lagged in terms of actual implementation on the ground. And now I believe I see it is we’re playing significant catch up and putting down true defenses for cybersecurity via zero trust. But also technology is coming to bear now that didn’t exist a few years ago to allow us to get past the human in the loop. And we can automate a lot of the things that have been problems in our past.

Tom Temin But you would probably want to have some kind of, let’s call it meta noise as you reduce the noise in the network and therefore free up operators to do other things. You would still need to know, I would think, the trends in what it is that’s being blocked, because somehow those have a way of developing something that will be trouble.

Randy Resnick So that information gets logged and those logs would be analyzed. So what gets blocked would be logged in, analyze and captured. But also the good traffic is also of interest. Because it’s not only what’s happening and what’s flowing, but from an identity point of view it would be nice to know what Tom looks like on a particular day, so that if something unusual is happening at your desktop or your log on, that is way off Tom’s, let’s say, biometric or your daily activity that actually will get flagged. So zero trust has those subtleties too. And that is part of the implementation of target is modeling some of these things as part of a multifactor authentication and the continuing authentication throughout the day.

Tom Temin That means you need to keep up. Getting back to the people aspect of this, keep up with where people, especially those that are uniformed, that are moving around a lot and may end up transferred to another base, another camp, whatever city. That wait a minute he was in Fort Hood or whatever they call it now last. And now he’s on the West Coast or something, or she’s on the West Coast.

Randy Resnick And there there are unique pieces of information on our Cathcart as the example for the DoD or the military, where we can track a user at least from one perspective, wherever they are or wherever they’re signing on. If they’re using that device, they are uniquely identified. And so that would be one way that we would do that.

Tom Temin And finally, how are you getting the continued buy in of the many, many quasi independent components, both within the armed services, other large DoD agencies, to listen to what’s happening from the CIO’s office? I guess that’s an eternal question.

Randy Resnick Yeah. So I’ve been very lucky in the sense that I have leadership above me that has, without question and in synchronous and synchronicity, have been championing the need to move to zero trust. It starts from the secdef on down, at least in the DoD, and it’s repeated numerous times. All the time. It’s in everything. But if you recall, there was an EO 14028 which came out from the president, which signed out the need to move to zero trust. So the zero trust is much more than a DoD thing. It’s an all of government, all of US federal government thing. And so we are partnering purposely with the fed safe community to make sure that they know the direction that we’re going, how we define zero trust, what our strategies are. And they have mimicked to the extent that they are doing so. They’re mimicking our path, our definition, our way of thinking about zero trust. The IC community is also thinking of that surprising to me. The Five Eyes, NATO and other allied partners are also looking at the Department of Defense because not only have we been really first maneuver in zero trust in defining all of it, but we’re moving out much faster in industry. We are really lucky to have a leadership position, and everybody is adopting our work because our work is so expensive. It just saves them years of eventually getting to the same place. So it’s a quick way for them to catch up and then to decide what they want to do. So getting back to DoD CIO, Honorable Sherman, has been a tremendous champion of zero trust. Everywhere we go, we talk about in conferences, ZT, we have agencies talking about it. And so essentially, it’s an absolute mandate that everybody recognizes and they don’t question it. So it’s like I’m using one finger to open up 1,000 pound door. It swings open. It’s really not been a challenge, which has been a huge help for the portfolio office, because that’s allowed us to move out extremely quickly. So you would think that we would have these challenges since the DoD is so large that has not been the case. What has been challenging is resources and funds, but that is just an annual cycle, and it’s to be expected.

Tom Temin An annual cycle that could begin any given random month of the year, the way things operate.

Randy Resnick Every month of the year, there’s always a phase.

The post Defense Department dead serious about cybersecurity first appeared on Federal News Network.

The rate of change in the technology market can make anyone’s head spin.

The continued growth and acceptance of artificial intelligence, machine learning and predictive analytics is something the technology community hasn’t seen before.

Add to that, the developments in pushing compute to the edge and the technology sector will continue its whirlwind of change.

The Defense Department and the Intelligence Community must do more to take advantage of all the innovation happening.

One key piece to that preparation is the budget. The Defense Department’s proposed budget for fiscal 2024 includes $145 billion for research and development and $170 billion for procurement. It’s what DoD called a clear indication of its commitment to stay on the cutting edge.

The IC mapped out a four-year investment strategy for emerging technologies in 2022. Its plan shifts how the IC tracks research and development to ensure there is more of a connection to mission goals across the IC.

Barry Leffew, the vice president of the government platform accelerator at In-Q-Tel, also known as IQT, said for DoD, the IC and all national security agencies to take even more advantage of emerging technologies and position their missions for the future, they must be prepared for the impact of artificial intelligence and machine learning.

“We’re seeing a cross connection between AI and ML that is driving advances in other areas such as energy and battery technology, helping enable advances in biotechnology as well as cyber,” Leffew said on Innovation in Government sponsored by Carahsoft. “Together they’re creating an even more flywheel effect to help accelerate the growth of innovation.”

Of course, it’s not all about AI and ML. IQT, which has played a key role over the last 25 years to bring innovative technologies to the national security space through directed investments, is paying close attention to other areas like cybersecurity, enterprise technology, space and the whole trend toward commercializing space as well as more lightweight energy sources and biotechnology.

AI as the enabler

Leffew said that there is so much focus on AI/ML, however, because of how these emerging technologies are acting as strong enablers for cyber or energy or biotechnology innovations.

“Take enterprise technology, for example, it’s advancing in terms of our ability to process and store massive amounts of data and information, being able to then layer AI enables us to do faster and analysis, support decision making and actually identify new ways of solving problems,” he said. “Then AI also becomes a key enabler of cyber because of its ability to rapidly detect and respond to cyber threats.”

DoD already is investing heavily in new cyber tools through its zero trust architecture, but with the ever-changing cyber landscape, the Pentagon is always seeking better and faster tools.

Leffew said one area IQT is seeing a lot of interest in is using cyber tools to fully understand what devices are connected to the network, how they’re connected, what versions of software and firmware those tools are using. That way, Leffew said, if there is a deficiency, DoD can, through the AI tool, rapidly address vulnerabilities.

“Another area is basically what’s called the software bill of materials (SBOM) and really identifying what components are in either government-off-the-shelf (GOTS) or commercial-off-the-shelf (COTS) software, so the government can have a firm understanding of any underlying vulnerabilities,” he said. “Finally, another area is really leveraging AI right to be more reactive, and proactively identify threats that are incoming to help accelerate the ability to respond.”

Quantum is on the horizon

Leffew said IQT’s main focus is to find “dual use technologies,” where advances in commercial technology can be applied to the DoD and national security agencies.

“I think DoD is doing an excellent job of communicating their requirements. We can always do more, but what we’re really positioned to do is to be that bridge between the national security community and the startups,” he said. “There’s sometimes a translation challenge. We are taking the Federal Acquisition Regulations and Defense FARs and converting those to the world of venture capital. IQT is in a very unique position to help translate or help explain to each side how to how to best work with each other.”

One area where IQT, which the CIA created in the 1990s is trying to help with that translation is with quantum computing.

Leffew said IQT understands that quantum represents what could be a very fundamental and incredible change to public and private infrastructure.

“It really could change the way that encryption is done, and will require potentially dramatic changes to the way that we encrypt and protect information,” he said. “Another is material science, using AI to create new and improved materials. And then another area is biotechnology. Luckily, COVID is pretty much in the rearview mirror, but we, as a country, want to be prepared, that if another crisis emerges that we’re better prepared to deal with it in the future.”

Leffew said IQT believes the government is on the cusp of using quantum in limited ways.

“One of the most important things for us is to really address what’s called post quantum encryption, which is to be able to make sure that our encryption devices can’t be broken by our adversaries quantum computers,” he said. “That’s a really big area of focus right now. We are seeing the testing and development of quantum computers, not only very specialized computers, but figuring out how to miniaturize them how to bring a quantum computer so that it can be stored in a standard data center and processed in a regular type of data center environment.”

Listen to the full show:

The post In-Q-Tel: The translator between DoD, start-ups first appeared on Federal News Network.

The Defense Department’s zero trust portfolio management office is going on the road. Over the next few months, DoD leaders will meet with combatant commands to further press the importance of this new cybersecurity approach.

The road show is just one way the portfolio management office is leading the effort to meet the Pentagon’s 2027 deadline to implement zero trust.

Randy Resnick, the director of the Zero Trust Portfolio Management Office at DoD, said training, education and listening are huge factors in ensuring this program’s success.

“There can’t be enough training for zero trust. We are working with Defense Acquisition University to come up with training courses, which they have done. I believe we have five courses already that anybody in the Department of Defense with a common access card (CAC) can get to and take,” Resnick said during the FCW Zero Trust Summit on Tuesday. “It’s not mandatory for anybody to take the zero trust courses, but we’re working toward that model where it would actually either be mandatory to take the ZT 101 or thereabouts or roll it into the existing cyber courses and essentially update the cyber course to include zero trust. This is how we’re going to get the workforce upskilled.”

He said the other way to upskill the workforce around zero trust is by hiring employees right out of college, who already have been initially trained on the zero trust concepts.

DoD also will be hosting their second annual ZTA training event in early April and expects to have over 1,200 people as another opportunity to promote the why of zero trust.

The training and education extends beyond courses. Resnick and his team have two trips planned over the next month. One is to Colorado Springs to Space Command and Northern Command, and then they also will go to Africa Command in the coming weeks. He said PMO leaders in January went to European Command.

“What we’re trying to do is to talk about zero trust, the importance of it and talk live about what their requirements are, and talk about their implementation plans,” he said. “This is an opportunity for us to get face-to-face and create those relationships.”

DoD to brief Congress

Those relationships become more important as the PMO continues to analyze the implementation plans each military service, defense agency and combatant command sent in last October.

Resnick said his team and 35 others from across the department are in the middle of a deep dive of the 39 implementation plans now, looking for trends and trying to understand where the challenges and opportunities lie.

The military services and defense agencies have to hit the target zero trust architecture, which includes 91 separate actions, by 2027.

“Even though this was the first implementation plan to be delivered to us in October, we’ve mandated that there’s going to be annual updates. Every single October, there’s going to be an update to their implementation plans, providing more granular detail on exactly how they’re going to get the target,” Resnick said. “Next time, we want to see product names, specific courses of action and scheduling. We want to really dive deep on what they need in terms of dollars and resources. One year, for me, is too long so we’re contemplating getting mid-year updates. For example, we might get an update on half the plan the first six months, and break it up, and then the other half of the plan the next six months, so, at least, we’re keeping to some updates to modernization with the implementation plans.”

Resnick said a few trends already have emerged including the need for extra funding and resources to meet the 2027 deadline. He said that wasn’t surprising, but his team can help the services and defense organizations make a case for moving money or resources around through the existing Pentagon process to fulfill these zero trust plans.

Along with the deep dive, DoD is preparing a report and briefing for Congress to happen in March.

“We have to brief Congress on how the Department of Defense is going to [meet ZTA requirements], and whether or not we’re going to hit target by the end of 2027,” Resnick said. “Specifically, which component and organization are doing what. We don’t know how long that’s going to be, but we’re expecting it to be a pretty extensive detailed briefing because officially, even though I’ve talked to many, many staffers, they’ve not gotten a real deep dive on zero trust in over a year. So I’m imagining they would want a nice update.”

Zero trust products pilots on tap

Helping DoD move toward zero trust is more than just reviews and meetings. Resnick said over the next year DoD CIO’s office will lead an effort to look at products.

“We’re essentially going about installing products right now in the system. This year, we are focusing on performing pilots. We’re going to be performing more than 12 or 15 pilots, that is assuming the continuing resolution (CR) gets lifted,” he said. “We plan on accelerating our pilot development and finding those that we could provide to the services and the COCOMs, so that it lowers their risk for them to procure these devices.”

Resnick said he hopes to get the pilots completed by the fourth quarter of 2024 or the first quarter of 2025 to help DoD keep to its schedule to meet the 2027 deadline.

Additionally, Resnick said DoD is expecting companies providing these products to actively team together to integrate their products. He said this is critical for DoD to be successful with zero trust.

“We need to have companies working together to integrate their products, instead of competing against each other on an individual product, in order for us to really get to this zero trust destination that we want,” he said. “The whole vision is essentially to transform the DoD Information Network (DoDIN). There is a lot of work ahead of us, and a lot of new products may have to be purchased and implemented in order for the DoD to get there.”

DoD likely to update strategy

The DoD PMO also is starting to consider how to expand zero trust beyond traditional IT. Resnick said there is some concern that DoD is missing a number of other attack vectors in its strategy like weapons systems or operational technology.

“Those other vectors that we need to apply zero trust to have not been addressed in the fan chart or in the strategy that’s out there right now. The ZT-PMO is now thinking about coming up with additional fan charts for very specific technologies because these very specific technologies don’t necessarily overlay perfectly with the 91 activities or the 152 for advanced zero trust target,” Resnick said. “For example, when it comes to defense critical infrastructure or operational technology or internet of things, these are vectors which could be attacked, theoretically, and bad things could happen. We’re thinking about doing a ZTA overlay for defense critical infrastructure. Another one is weapons and weapon systems. Those need to be secured as well. They’re different. We need to have perhaps a ZTA overlay for that. The last thing is the environment of a disconnected or marginally connected environment. We need a fan chart for that.”

A fan chart is just a way to show the alignment between the zero trust pillars and the technologies needed to secure them in each of these vectors.

Resnick added he’s not sure when the PMO will begin working on these overlays, but it’s on their longer-term radar.

The post DoD to evaluate zero trust products as part of run up to 2027 deadline first appeared on Federal News Network.

Investing in the development and education of the acquisitions community, specifically focusing on educating contracting officers who make the public sector more accessible for startups, is crucial to addressing the issue.

“We definitely have a communication gap right now. We speak one language on the DoD side, the [Defense Industrial Base] pretty much understands it, but the startup culture — not so much. There’s a lot of just talking past each other,” Melissa A. Johnson, U.S. Special Operations Command acquisition executive, said at the Potomac Officers Club Defense R&D summit last week.

“What I’m focused on is how to close that communication gap. So it’s really a lot of investment in building relationships. And that might seem a little trite and almost overly simplistic, but it is where I’m putting a lot of my energy.”

Johnson said her goal is to bring in venture capitalists for round tables on a regular basis to educate the government on the types of questions that the Pentagon should be asking the startup community.

“I think the more you see of going in and helping the startups in the VC community to speak the language, whether it’s from an operational or from an acquisition side, I think we’re gonna start seeing this converge a little bit more. But it’s a journey; this is not going to change overnight,” Johnson said.

“What I’m seeing is the amount of VCs and startups is rising exponentially. So it’s going to take some time. Just keep coming to the table asking the questions, put the government in the hot seat, ask us the hard questions so it forces us to do the critical thinking to come back and give clear and concise answers.”

In fiscal 2023, VC-backed companies had less than 1% of the $411 billion DoD contracts awarded.

While the DoD acquisition process is designed for procuring complex platforms and startups have to navigate a complex procurement environment, the tools such as Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulation Supplements (DFAR) contracting, including Other Transaction Agreements (OTAs) are already there for DoD to move quicker and adopt emerging technologies more rapidly.

“We utilize those other transactional agreements, which is a great venue. I don’t think it’s a panacea, but it does allow us to do some things very rapidly. I still believe you can use FAR-based contracting and do it very quickly. The commands have done it; we’ve done source selections on FAR-based in six months or less. So I don’t think it’s one or the other,” Johnson said.

The leadership, however, needs to educate and empower the acquisitions and program offices to use all the acquisition options and tools available to them under current regulations to expedite the adoption of new technology.

“Every time that I’ve seen a tool coming to light, there’s always a propensity for the institution to come in and want to put more attention on it and maybe put a little bit of chokehold on it. I don’t think we should be doing that either. I think if we have a tool that’s available to us, we ought to be able to utilize it and empower the teams at the lowest appropriate level, let the PMs go do that without a lot of the oversight,” Johnson said.

The post SOCOM will bring VCs for roundtables to better understand startup culture first appeared on Federal News Network.

Part of that sigh of relief that you may have heard coming from the Pentagon when Congress passed the 2024 defense authorization bill was for no major new requirements for managing other transaction agreements (OTA) authority.

The two provisions in the NDAA around OTAs were minimal, including asking the Government Accountability Office to report on the Defense Department’s spending through this process.

The fact Congress left OTAs mostly alone is a good thing as DoD recently updated its guidance for using this tool.

MaryKathryn Robinson, the director for contract policy in the Office of Defense Pricing and Contracting, said the growth of OTAs over the last seven years truly precipitated the new how-to guide.

“We want to be able to help the DoD acquisition community as well as our partners in industry, academia and nonprofits to help define what an OTA is, and help them create the best OTAs that they can,” Robinson said in an interview with Federal News Network. “We made those updates based on changes in statute and regulation, and recommendations that we received from the DoD inspector general and from the Government Accountability Office. But then we also added administrative guidance and best practices for things like reporting funding, participation and validation of those non-traditional defense contractors, protest procedures, agreements, contract officer warranting and training, and then other considerations for folks to take into account as they move forward with their OTAs.”

DoD hadn’t updated its OTA guide in about five years and a lot has changed since then both in the use of these approaches as well as concerns about them.

Between 2016 and 2022, Robinson said DoD has taken about 15,000 OTA actions, which includes both new agreements and modifications. Those 15,000 actions were worth about $70 billion.

The real push for OTAs, however, came after 2018. In 2016, for example DoD took about 333 OTA actions worth $1.3 billion. By 2020, and that includes the use of OTAs as part of the response to COVID-19, DoD took 3,200 OTA actions worth $16 billion.

“We’ve come down a little bit in our dollar spend. But right now in 2022, our last year of full data, we had about 4,400 actions for about $10.7 billion. Right now we’re thinking that, and I don’t have the final 2023 numbers, but I think that 2023 is going to come in around that,” Robinson said. “I know that about 80% is for research and development. Then, we have a couple OTAs for weapons and ammunition, electronic and communication equipment or professional services.”

While 2023 data isn’t finalized, HigherGov, a government market intelligence company, estimated that in 2023, DoD had more than 1,200 active OTAs worth more than $23.6 billion.

During those growth years, Congress has paid close attention to DoD’s use of OTAs. In the 2020 NDAA, for example, Congress required a report from the Pentagon on the use of OTAs for prototype projects.

In the 2024 NDAA, Congress told GAO to submit a report by Feb. 1, 2025 on the use of OTAs with a focus on:

• The extent to which such transactions are used in accordance with policy and guidance related to the use of such transactions;
• The total number of transactions for each fiscal year made to nontraditional defense contractors;
• A summary of such transactions to which DoD is a participant for which performance has not been completed on the date of submission of such report, including— (a) a description of the entity or agency responsible for any consortium; (b) the number of members in each consortium, including the percentage of such members who are nontraditional defense contractors for each such consortium; (c) the total amount awarded under such transactions to each consortium manager for fiscal years 2022 and 2023; (d) the total amount awarded under such transactions to members who are nontraditional defense contractors for each such consortium for fiscal years 2022 and 2023; and (e) a list of contractors who have been awarded more than $20.0 million under such transactions, including a brief description of each such award, the number of awards made, and the total dollar amount awarded for fiscal years 2022 and 2023.

The second OTA related provision in the 2024 NDAA focused on clarifying the use of OTAs for installation or facility prototyping. Congress also increased the amount of the agreement to $300 million from $200 million.

Non-traditional vs. traditional contractors

Despite the growth, concerns and myths about how DoD is using OTAs continue to survive.

Robinson said one key feature of the guide is to dispel many of those myths.

One big one is “traditional” defense contractors get many of these awards. Robinson said while it may look like the big defense contractors are winning many of the OTA agreements, DoD measures participation by non-traditionals differently than just by who signed the agreement.

“The requirement is for a non-traditional defense contractor to be part of the team in a significant way. In fiscal 2022, 92% of our OTAs were awarded to those OTA contractors or performers that had a non-traditional defense contractor performer on they’re doing something and in a significant way,” she said. “What does it mean to say ‘in a significant way?’ The agreements officers are actually held to figure that out and make that determination and make that independent judgment. Significant is not necessarily dollars. Significant could be specifically a key technology or a specific cost reduction. Some of the things that we look at is does the non-traditional defense contractor supply a new key technology, product or process? Do they have a novel application or approach to technology? Do they have material increase in the performance efficiency of a key technology? Do they result in a material reduction in cost and schedule a project or to provide a material increase in the performance of the prototype project? So again, that does not necessarily mean that they’re the prime contractor on something. But it does mean that they’re doing some heavy lifting on the actual project itself.”

Another big myth DoD tries to dispel is that OTAs aren’t, or don’t need to be, competitive.

Robinson said DoD not only encourages competition for OTAs, but actually benefits the military service or defense organization in the long run.

“The other benefit of a competitive prototype OTA is that you can go to a non-competitive follow on production award out of that,” she said. “Another myth that we continually hear is that OTAs can only be awarded through consortium. In 2022, 50% of our OTA actions were awarded through or to a consortium. But again, it’s only 50%. OTAs can be awarded to a single company. They can be awarded to a joint venture. They can be awarded through partnerships.”

In addition to mythbusting, DoD included uses cases, a step-by-step approach to executing OTAs, legal considerations and definitions of the different types of agreements.

Robinson said there is a lot of training and other tools to help DoD use OTAs.

“OTAs are an opportunity for agreements officers to be flexible and to be innovative and to work with their partners in industry, academia, to come up with something terrific, novel and inventive for the warfighter,” she said. “Hopefully they recognize the guide is not here to prescribe any approaches, but it’s here to help them figure out how to use that OTAs appropriately so we can meet the warfighter needs.”

The post Growth of OTAs, corresponding myths gave DoD plenty of reason to update its guide first appeared on Federal News Network.

It is no secret the the U.S. armed forces are dealing with a recruitment shortfall. And they often cannot retain the experienced people they need. Maybe it is because of a changing military culture. The Federal Drive with Tom Temin  spoke with someone who has documented what is going on in a book called, “Military Culture Shift.” Corie Weathers is a licensed counselor and military spouse, who has visited troops throughout the world.

Interview Transcript: 

Tom Temin And so what is the military culture and how is it shifting? Let’s start at the beginning.

Corie Weathers Yeah. So first of all, we would define culture as what are the traditions, what are the dynamics, the patterns, the behavioral patterns that even happen within a culture. And so we have an American culture, and then we have subcultures underneath that. And the military is definitely a subculture of America, meaning we have a lot of the same behaviors, a lot of the same impacts, such as we’re going to talk here probably in a few minutes, about even just the impact of social media, how that’s changed America. But when you look at the military as a subculture, we see some very interesting dynamics of maybe how it changes and shapes the military culture a little bit differently from the American culture.

Tom Temin And what are some of the big shifts in military culture that you’ve documented in recent years?

Corie Weathers There’s a lot of them. So I mean, they’re so hard to write a book on it, but I will cover a couple of the big ones. We have been talking about for a long time how even if we look at the American culture, how things have shaped politically, how things have shaped educationally. The military is very similar in that, this has been a culture that has largely been shaped by tradition and values and to be a part of something bigger than themselves. And we have definitely, especially in media, been talking about what is changed in the military culture. Are we lowering standards? Are we different? Is there a struggle that’s happening? So in the book, I basically cover how it has social media impacted things in the culture. We used to be one that really was a very much in person. We relied on in-person support, and there was a lot of that camaraderie. There was a lot of that neighborhood support to get us through deployments. That has definitely changed. But with the incoming generations, millennials and Gen Z have definitely changed. And it doesn’t have to be in a bad way, but changed our culture to become more of an online culture, one that has shifting values of why people are coming in to serve. And we see a lot of shifts in how we view authority, how we view training and information. And that is really causing a lot of conflict within the military culture as we have older generations trying to lead younger generations.

Tom Temin Right. Is there at least still the shared understanding that at some point in the military, you might be called on to wreck things and kill people? And that’s ultimately lethality is the ultimate objective because what a General Patton say in that movie. General Patton exhorted the troops that says nobody ever won a war by dying for your country. You win the war by making the other poor S.O.B. die for his country. And it sounds harsh, but that’s what military is all about. Is that still essential in there?

Corie Weathers That’s such a great question. And it’s been a long part of our, I guess, our culture and the reasons for serving or some of the passion. We have so many people that honestly, troops are trained and they want to go do what they’re trained to do. Everybody wants to have most want to have that opportunity to deploy and do this thing that they’ve trained to do. However, we have incoming generations that are coming in, having never experienced at least war time the way that we experienced it in the two decade war. We’re kind of in a gray zone right now. It’s not necessarily peacetime, but when you have generations that are coming in that don’t remember 911, and maybe you’re coming in after that Afghanistan withdrawal, we have a different kind of purpose and a desire for why we are serving. And so even that conversation that you just brought up has changed. Where how do you have a older generation, an older cohort that is leading, that has that memory of what it means to serve, what it means to be in combat, serving and leading a generation that has no understanding of that at all.

Tom Temin Yeah. And we’ve shown as a nation that can be learned if necessary. But sometimes that comes at great cost. And in looking at then the changing culture and the social media impact and so forth, what in your opinion, how does that back up to the recruitment challenge that the military is having?

Corie Weathers I personally find this fascinating, because as a clinician, I’m a clinician by trade. I’ve served and I’ve lived with and worked with this culture for more than 15 years. And so this has been fascinating for me to watch the behavioral shifts that have happened over time. So basically, as we saw especially millennials coming into the military, about the same time social media came on the scene for all of us, really, we took all of our conversations. We all know this, but we took all of our conversations online. And so really what’s happened is as we have kind of got out of chain of command and that really disrupted our culture. That’s really based on a hierarchy, chain of command, style of getting things done. Millennials really introduced like, maybe we don’t have to go through the chain of command. I can tweet my congressmen. I can take things all the way to the top if I need to. And so over time, as social media has really become a main way of communication, a main way of getting things done, changing things, advocating all of that. Gen Z has been seeing this, if you want to call it the man behind the curtain, they’re seeing the internal disruption, the toxic leadership, the sexual harassment. And maybe that’s not widespread across the board in every facet of our military culture. But when that’s what they’re seeing online, as everybody’s trying to work on things and advocating for things, that’s really created this snowball effect, where it is become another reason why our institutions are less trustworthy than they were before, at least according to that generation.

Tom Temin Yes, that new generation has very little tolerance for something occurring, even if it doesn’t affect them directly.

Corie Weathers Yeah, for sure it does. And a lot of our institutions military, government, churches, education systems have a low trust historically by Gallup is saying that there’s lower trust in those institutions than ever. So a lot of institutions are struggling with that. The difference, though, I think, is that some of these other institutions are really doing a little bit better of a job trying to figure out how to be more transparent and authentic to win that trust back.

Tom Temin We’re speaking with Corie Weathers. She’s a clinician and author of Military Culture Shift. And so what action would you recommend then the military do to again, focusing on the recruitment problem, because that’s the feedstock for the future readiness and defense of the nation, not to put it overly dramatically, but it is. Since we have a volunteer force, what should they do differently?

Corie Weathers We have a significant issue, we all know that with the recruitment crisis. And so, number one, I would say there’s a lot of lessons learned that the DoD can get from these other institutions and some of these other corporations who experienced cancel culture, who experience making mistakes. What can we learn from other businesses and institutions on how to build that authenticity and transparency? We kind of have this underlying fear that we can’t be honest and transparent, almost as if it’s because our adversaries are watching or because it affects that confidence level. But honestly, it’s the opposite. The more authentic we can be, especially with the force and those thinking about coming in, the more they will feel like this is a genuine relationship, a business relationship that they can get into. So that’s number one. What lessons learned can we get from other institutions that maybe are getting it right or trying to get it right? I do believe the DoD is doing the best that they can to resolve some of these bigger issues. But really, what Gen Z is looking for millennials to is, and I’m sorry, and maybe it’s kind of like any other relationship. Like I’m sorry is just the beginning. Sometimes it takes multiple I’m sorries, and then following that up with transparent action going forward. But the biggest thing to me, the thing that I think I’m most passionate about, is retention. I honestly believe retention is a huge solution to the recruitment crisis. Gen X is really experiencing the moral injury and the stress, the compounded stress that happened over those two decades. I would say older millennials too. And so those of us that have Gen Z kids, we’re hearing to Gen X is discouraging their Gen Z kids from joining. And considering 83% of the force has traditionally been within the family passed down, that is hugely affecting our recruitment crisis. So I believe, how do we heal that relationship with the current cohort through respite, through again that transparency and addressing some of the big issues we have of them getting the care and respite that they need?

Tom Temin It strikes me this phenomenon is not totally unlike the phenomenon the military had in the immediate post-Vietnam era.

Corie Weathers Yes, it is. And that’s one of the things that I’m hearing from both sides. I’m hearing from boomers, especially, that this feels a lot like Vietnam. And Gen X is asking, is this what boomers were feeling after Silent Generation two after Vietnam? And that is a lot of what I’m hearing. I’m hearing so many that are kind of waiting out the rest of their years to retire because they feel like they can’t leave until they’re 20, but they’re kind of hanging on with that moral injury. And I’m seeing a lot of millennials are leaving because, I literally had someone say to me this past week, I can find more purpose and make a bigger difference outside the military than staying in. And that was shocking and sad to me.

Tom Temin And this strikes me that perhaps the Veterans Affairs Department, which picks up where the military left off in some large sense, will need to adjust how it delivers services and how it generally deals with its constituency. Once this new generation washes through to VA.

Corie Weathers Yeah, that’s such a great question and so important. And there’s some things that the VA is doing really right. They’ve led the way, and those are some lessons learned we can get from them too, on leading the way on telehealth. And finding out how to get mental health to veterans in remote locations. But absolutely, the VA is really going to be taking on not only just the medical issues that are not being treated because of a provider shortage that we currently have, but I think the big question is, how can the VA and the American culture, because this is really going to be an all hands on deck if you want to tie it to very much like post-Vietnam, what can we learn from the Vietnam veterans that came home where the VA can’t be the only entity or institution that takes care of some of these issues? We’ve really got to heal those who have served our nation in some very creative ways. Their mental health, they’re looking for holistic care, not just that mental health and medical care, but can they reintegrate into a society that even if they forgot that we are at war, that you can show that you haven’t forgotten that you’re still there? And I think that’s going to be important for the VA to partner up with their communities to do that.

The post How and why the U.S. military culture is changing and why it matters first appeared on Federal News Network.

It looks like Congress has managed to get the National Defense Authorization law done before December 31. As always, the bill is chock full of items federal contractors should pay attention to. For five of them, the Federal Drive with Tom Temin turned to President and CEO of the Professional Services Council David Berteau.

Interview transcript:

Tom Temin And let’s begin, David, by saying this has been as close to the wire as I think Congress has come.

David Berteau We came close a few times before, but Tom, it’s sixty years in a row that we’ve passed the National Defense Authorization Act. And so it has two factors. One is it’s essential for defense. But the second is because it’s one of the few bills that you think will pass. It has a magnetic attraction for other legislation which may or may not actually matter to DoD, but matters to Congress. So it’s got a lot in it.

Tom Temin Right? And so we are usually concerned with the 800 series of provisions. That’s where they put procurement. And the first one you have pointed out is preventing conflicts of interest for entities that provide certain consulting services for the Department of Defense. That’s the title of it. What’s in there that we need to know about?

David Berteau Well, first of all, consulting services is defined differently in the statute than it is in regulation. And so that’s a big question of what constitutes consulting services. And the bill’s not abundantly clear there. So that’ll have to be worked out in the implementation. But the basic idea is DoD should not be doing business with companies that are also doing business with China, with Russia, with individuals who are on the watch list, the terrorist watch list, and other entities. That’s kind of a good idea. The question is how do you implement it in such a way that it actually hurts them more than it hurts us? And so there were earlier provisions that were proposed that clearly would have ended up hurting both DoD and government contractors more than it hurt China. But now I think it’s been revised and PSC certainly helped helped along those lines to something that is probably manageable. First of all, you don’t want to do business with somebody who’s also doing business with China. But companies are big and they may have multiple entities across the board that aren’t doing business with DoD. So it’s possible under this provision to have a mitigation plan that says nobody working on the DoD work will be working on the China or the Russia or the other entity work as well. That’s a reasonable thing. And then if all else fails, there’s a waiver provision so that DoD can, in fact, get what it needs. We are pretty comfortable with this final outcome.

Tom Temin Right. And there are companies that have European origins, for example, that work for federal entities, including Defense, that have that provision where they have a separate board of directors and a firewall between them and the European or Canadian entity that would keep them working for the government. Even if the European part, say, is doing business with Russia.

David Berteau That’s exactly the case. And you could end up with that being part of the mitigation plan. In addition, Tom, it’s important to recognize that if you ban U.S. companies from doing business, that doesn’t necessarily mean the business won’t get done. It’ll just get done by another company in another country. So China ends up better off and we end up worse off. That’s not necessarily a good thing. So this is a reasonable outcome for everybody.

Tom Temin All right. And then there’s Section 824 modification and extension of temporary authority to modify certain contracts and options based on — here it comes — the impacts of inflation. That is, can they shell out more if the contractor is experiencing inflation?

David Berteau Well, this has been a problem, obviously, for the last couple of years when inflation rates hit 8% or 9% last year. Companies are saying, ‘hey, we bid based upon 0.25% Fed rate and inflation that was in the low ones and twos. And now we’re having to perform.’ It’s not only the impact of inflation, there’s an added impact from the cost of workers. Right? Because we’re still in America. We have one and a half vacant jobs for every person looking for work. So it’s kind of a seller’s market, right? You’ve seen this across the board. No company — by the way, I do this every meeting we have with PSC members — I say raise your hand if you have all the workers you need. I have yet to see a hand go up. Tom, I mean, this is a very competitive environment. So costs have gone up, whether it’s directly from inflation or whether it’s indirectly from the shortage of workers. And that wasn’t in your bid. And so the tendency for the government to say, ‘hey, you bid it, you perform it, you suck it up.’ Well, eventually there is no up to suck here. And you’ve got to.

Tom Temin Love to patent that phrase: “There’s no up to suck here.”

David Berteau No up to suck anymore. So there’s a provision that was in last year’s bill. Technically, the provision requires a separate appropriation, which hasn’t happened yet and may not happen. That’s a subject of another conversation on this show. But what we found was that just the existence of the authority made it possible for programs, if they wanted to accommodate the increased costs that the company had as part of the deliverables within available funds, it gave them the flexibility to do so. So we’re really pleased to see this provision back in the bill this year.

Tom Temin We were speaking with David Berteau, CEO and president of the Professional Services Council. And there’s still one other, a pilot program, and this is under Section 874 to incentivize progress payments. So that’s again, not a full blown program, but they’re going to try out something here.

David Berteau They’re going to try it out. So basically the idea is that because a company can’t get reimbursed for the interest costs on loans and it has to finance its work before that, it delivers the products or the end results to the government. The government sometimes issues progress payments. You’ve made 80% of the progress. So you get a certain percentage of the costs you’ve had up to that point reimbursed along the way. But periodically, DoD will try to tie those progress payments to something other than progress; that is, other than delivering on the contract, like maybe the eligibility of your business systems, or your cost proposals being accurate, etc., or being complete. And those are what I would call input measures. So we’ve resisted at PSC the idea of tying progress payments to input. We want to tie progress payments to progress on the actual performance of the work, right? So the bill previously proposed something that would essentially allow contractors to make more in progress payments if they had more of those inputs lined up. We objected to that and said, ‘no, it’s fine to increase progress payments, but do it based upon actual results.’ This pilot program actually has some preambles it needs to set out. It’s based on criteria that DoD hasn’t yet developed and they’re going to have to develop. So it’ll be a while before we see the pilot. But it’s certainly better than tying everything to inputs rather than results.

Tom Temin And given DoD’s movement on some of these provisions and vendors, pilot programs, new rules, it could be four or five years, realistically.

David Berteau We have seen pilots come and go, not on my list here, but we’ve had a pilot — presumably they let losers pay in the event of a frivolous protest. That pilot never got off the ground, in part because nobody could figure out who pays what and have that be consistently applied without it automatically inflating costs that you would know you get reimbursed for. Now, there was an attempt to try to do that again. Everyone agrees that protests need to be managed, right? And they can get in the way of successful performance. But they’re also, Tom, the best way we have of holding the government accountable for following its own procedures. And so there’s a balance off that needs to be played out there.

Tom Temin Right. And so that provision did not make it in. That was in the House provision. The loser pays for frivolous protests, but not in there.

David Berteau Right. But we have agreed with the committee staff that we’ll bring some ideas to them before they start marking up the FY25 bill — imagine that: we’re a quarter of the way through the century here — before they start marking up the FY25 bill next spring.

Tom Temin Okay. It’s the Roaring 20s in some ways, more than one. And then a final provision that did not get in there: Senate section 868 — tech data rights. And what was proposed and what did not make it on that one?

David Berteau The proposal — and it may well have come from the Defense Department itself — but the proposal in the Senate bill was that would give the Pentagon broad authority to essentially grab technical data and intellectual property from companies in a time of conflict or contingency operation without really specifying exactly what the need for that would be. And so this seemed like a problem that was not well enough to find that you knew this solution was mandated. And how would you bound the application of it? The Pentagon could — there’s always a contingency operation going somewhere. It might even be hurricane response. Or a fire response. And so those are the kinds of things that we thought needed a lot more clarification. So this is another area for discussion as we go into FY25. You certainly want DoD to be able to get what it needs in time of conflict. So that’s not an issue. So it’s a question that we’ll tackle in next year’s bill.

Tom Temin David Berto is president and CEO of the Professional Services Council. As always, thanks so much.

David Berteau Thanks, Tom. We’ll see you on the other side of legislation.

The post Five things contractors need to know about the Defense authorization bill first appeared on Federal News Network.

• A senior leader at the Genderal Services Administration is returning to the private sector. Sonny Hashmi, commissioner of the Federal Acquisition Service at GSA, is leaving after three years. Hashmi’s last day will be December 29. FAS Deputy Commissioner Tom Howder will serve as acting commissioner until a new one is named. Hashmi will be heading back to the private sector, but it is unclear where he will land. In an email to staff, obtained by Federal News Network, Hashmi said that the timing is right to make the move as FAS made significant progress with several initiatives over the last several years.
  (GSA's Hashmi leaving at end of the month - Federal News Network)
• Feds teleworking overseas got a pay raise. Now the State Department is honoring an employee who made it happen. Domestic Employees Teleworking Overseas (DETOs) missed out on locality pay, but saw a pay boost to correct for that in the National Defense Authorization Act. Most DETOs are the spouses of military and Foreign Service officers. Michelle Neyland, a congressional adviser for the department’s Bureau of International Affairs, won this year’s Eleanor Dodson Tragen Award for her work bringing this pay issue to Congress. “Everybody who I introduced this pay inequity to across State Department, as soon as they learned more about it, immediately said, ‘Well, how can we fix that?'" she said.
  (Feds teleworking overseas got a pay raise. State Dept. honors an employee who made it happen - Federal News Network)
• The Air Force has disciplined 15 people for a massive leak of classified information by a member of the Massachusetts National Guard. Airman Jack Teixeira is already in custody awaiting trial for sharing secrets in online chat forums. But Air Force officials said more than a dozen other personnel – from staff sergeants to a colonel – failed to deal with suspicious behavior leading up to those illegal disclosures. An IG investigation also found members of Teixeira’s unit had wide latitude to access and print classified documents without any oversight.
  (Air Force disciplines 15 as IG finds security failures led to massive classified documents leak - Associated Press)
• The Cybersecurity and Infrastructure Security Agency is rolling out a new cybersecurity tool for agencies. CISA today unveiled new security standards for Gmail and other Google Workspace products. The idea is to prevent security incidents by using common configurations across widely used services. CISA has already published configurations for Microsoft 365 products. “With the addition of these baselines, we cover the vast majority of business collaboration suite of software as a service offerings that everyone uses and relies on to conduct their work every single day,” said Chad Poland, director of cyber shared services at CISA.
  (CISA releases new tools to help agencies secure Gmail, other Google applications - Federal News Network)
• Federal agencies saw real progress in fiscal 2023 in their goal to achieve zero emissions by 2030. The White House said agencies ordered over 54,000 zero-emission vehicles and began installing more than 26,000 charging ports last year. The 26,000 ports will add to the 7,000 already in use across government. With agreements in 16 states for federal facilities to use clean energy, the Energy Department began implementing a new clean electricity grid on 700,000 acres of agency land. The administration also said federal buildings have already cut emissions by more than 7% since 2020 and, as of 2022, have achieved a 39% overall reduction from 2008 levels.
  (Council on Environmental Quality updates progress on sustainability - White House)
• The Department of Health and Human Services is responding to an increase in cyber attacks targeting hospitals and healthcare systems. Under a new cybersecurity strategy, HHS will establish voluntary cybersecurity performance goals for the healthcare sector. The agency will also consider how to incorporate those goals into existing regulations and programs that will help inform the creation of enforceable cybersecurity standards. The agency also plans to work with Congress to increase funding to help hospitals adopt stronger cybersecurity measures.
  (Healthcare sector cybersecurity strategy - HHS)
• A thriving lunar economy might be landing over the next decade. The Defense Advanced Research Projects Agency has a new study and is seeking input from 14 companies on what investments would be needed to have a booming economy on the Moon. Over the next seven months, DARPA and selected companies will work together to design new integrated system-level solutions, including communications, navigation and timing. The agency said the program will change how the civil space community thinks about commercial activity on and around the Moon.
  (DARPA selects 14 companies to study infrastructure needed for thriving lunar economy - DARPA)
• Agency chief data officers are getting more personnel to tackle their work. That is one of the takeaways from a survey led by a governmentwide council of federal CDOs. More than a quarter of respondents said their agency in 2023 had a central data team with up to five full-time employees. Less than a third of respondents said they had that kind of staffing in 2022. A majority of agency CDOs who took the survey said they have been in government for 10 years or longer.
  (2023 CDO Council survey results - CDO Council )
• The Small Business Administration is changing the way it decides which businesses qualify as small. SBA is proposing a new size standard methodology that plans to make two major changes. The first is using a disparity ratio between small business contract obligations and industry receipts to calculate the size standard. The second change would use data from the federal procurement data system to determine percentage industry factors as part of the size evaluations. SBA said these changes will refine and improve its analysis of federal contracting data used in the evaluation of industry size standards. Comments on the proposed changes are due by February 9.
  (SBA proposes new small business size standards - SBA)

The post DARPA kicks off its 10-year plan to create a ‘thriving lunar economy’ first appeared on Federal News Network.

When it comes to data on bid protests, the data is lacking to say the least.

Beyond the annual bid protest report to Congress from the Government Accountability Office, agencies track few other outcomes from protests.

David Drabkin, a fellow at the Stevens Institute of Technology Acquisition Innovation Research Center and a former senior procurement executive for the General Services Administration, said by not collecting and understanding this data, agencies are missing a host of opportunities to improve the acquisition process, the contracting workforce and industry response to solicitations.

“The protest process is important to manage the procurement process. But we don’t take advantage of access to the data, which allows us to understand whether there’s a place in our process that needs our immediate attention, whether it’s training, whether one of our rules is defective and needs to be rewritten. We don’t have that ability to do that from our desktops. The only time your attention really gets drawn there is when there’s a big case that makes the news or Congress gets upset and starts summoning you or your boss to the Hill to explain why something happened,” Drabkin said in an interview with Federal News Network. “So instead of being able to manage on a proactive basis using the data, which by the way they already collect, they just don’t put it in a place where they can use it. They just don’t have a way to proactively manage when there are trends in problems that manifest themselves in the protest process.”

Drabkin and Chris Yukins, a professor at the George Washington University law school and a fellow with Acquisition Innovation Research Center, led a research effort over the last year, which Congress required in the 2022 Defense authorization act, to review and analyze what Defense Department protest data is available, specifically around agency-level protests, and how the Pentagon is using it to improve acquisition processes.

Drabkin, Yukins and their team issued a report earlier this year outlining six major findings and made eight recommendations to improve the agency-level bid protest process.

But while the report’s findings focus only on DoD, the lack of data, the minimal use of agency-level protests and the ability for all parties involved to improve is a universal theme that emerged from this research.

“When we looked at the whole process, we also talked to the procurement executives within the department. I think it’s important to know that all of them thought that having a bid protest process was really important, and they liked the idea of an agency level bid protest process because it looked less expensive and faster in terms of allowing the purchase to proceed,” Drabkin said. “But they, too, didn’t have the data on what was really going on with protests at any level. They get a report about how many GAO cases there were. They might get that report once a year. GAO publishes its statistics in the beginning of the new fiscal year, normally, but they don’t have a complete view of the protest system from the Court of Federal Claims down to the agency level bid protest process. They also don’t have the current data provided to them to allow them to identify problems in the procurement process, which are manifesting themselves, and contractors who are unhappy with how the government is managing the acquisition process. They pay a lot of money for the protest process in terms of what comes out of salaries and budget and time to take delivering products and services to their customers internally. But what they don’t have is right now available to them at their fingertips on their computers, the ability to see trends where there may be a problem with a part of the procurement process. Did they did they identify the requirement correctly? Did they have good performance measures for both for evaluating offers before they make the award and post award for measuring whether they actually got what the government paid for?”

The most recent GAO bid protest report to Congress for fiscal 2023 shows a 22% increase in the number of cases filed. GAO acknowledged a big reason for the increase is the large number of complaints challenging a single procurement, the Chief Information Officer-Solutions and Partners 4 (CIO-SP4) from the National IT Acquisition and Assessment Center (NITAAC).

In addition to GAO, obtaining data from the Court of Federal Claims isn’t easy. While the court captures bid protest data, it doesn’t necessarily make it easy to find or analyze, and there is no centralized data on agency-level protests.

Drabkin said the data from GAO, however, doesn’t tell the entire story about protests.

“GAO considers ‘winning’ when the government either awards a contract to the protester or takes corrective action resulting from the protest. When you ask them, ‘well, how many protesters actually wind up getting the contract they filed a protest on?’ The number is, I don’t know, 6% or 10%. It’s not the 40-plus percent, they quote as winning because they count the corrective action as winning,” he said. “If you’re a protester, and you’re trying to figure out whether it’s worth your investment and your money to file a protest, I think it’s pretty important to know what the likelihood is that you will actually get a contract because you may spend a lot of money. You may wind up getting a decision that the government didn’t follow on its rules, but you may not get the contract. I think it’s pretty important to understand what it means to file a protest and when. And that’s true for whether it’s at the agency level, GAO level and with a Court of Federal Claims level.”

The research group’s recommendations mostly focused on how to improve the agency-level protest process, including formalizing the role of the “agency protest official,” and to publish data on agency-level protests, including, potentially, the decisions themselves to reinforce regularity and confidence in the acquisition system.

Drabkin said agency-level protests would gain more traction if it was a one-and-done type of complaint, meaning the vendor couldn’t also file with GAO or the Court of Federal Claims if they lost. Additionally, departments would see benefits from agency-level protests as long as the internal procedures don’t weigh down the process with several levels of approvals.

Yukins added agencies and vendors must look at a bid protest as both a risk mitigation measure and management tool. He said formalizing that structure and process would go a long way to improving not only the agency-level protest procedures, but improving acquisition more broadly.

The post Better data protests could benefit, agencies, vendors alike first appeared on Federal News Network.