GovWin
GAO: Federal Agencies are Falling Short in Overseeing IT Contractors

Federal agencies need to improve at overseeing the IT contractors that operate their computer systems and process their information, according to a study by the Government Accountability Office (GAO). Agencies are legally required to ensure that contractors adequately protect these assets, but GAO shows that there are inconsistencies among agencies’ handling of this responsibility.

GAO set out to assess how well certain agencies oversee the security and privacy controls for systems that are operated by contractors and how well the agencies with government-wide security and privacy guidance and oversight responsibilities were doing in helping them. In their audit, GAO reviewed the implementation of security and privacy controls for selected contractor-operated systems across six federal agencies, based on their reported number of contractor-operated systems. These were the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM). 

GAO found that the agencies generally had established security and privacy requirements for contractors to follow and prepared for assessments to determine the effectiveness of contractor implementation of controls. However, all but DHS were inconsistent in overseeing the execution and review of those assessments. One frequent area of inconsistency was in executing test plans that would identify potential security and privacy risks. In one example, GAO found that the DOT officials did not have evidence that 44 of 133 contractor employees operating one particular system had undergone a current background investigation.

A contributing reason for shortfalls that GAO identified in agency oversight of contractors was that agencies had not effectively documented procedures to direct officials in performing such oversight activities. None of the agencies had procedures in place to direct officials in how to conduct such oversight and that led to inconsistencies.

Another area mentioned by GAO is inconsistently applied or unclear guidance. OMB FISMA reporting instructions to agencies state that systems operated by contractors are to be reported as part of the agency’s system inventory. But GAO found that agencies are interpreting and applying the guidance differently because the guidance for categorizing and reporting contractor-operated systems does not clearly define what constitutes a contractor-operated system. The difference in application causes many systems that are contractor-operated to not be classified as such. This has resulted in incomplete information on the number of contractor-operated systems within the government.

Potential Cost Implications

Given the areas of shortfall within agencies, it is possible that renewed efforts could have cost and administrative implications in several areas:

  • Personnel Security – Scrutiny of contractor background investigations is at an all-time high and inconsistencies discovered by GAO may result in direct costs and/or delays to companies and agencies while sufficient background investigations are completed. Similar implications may result if required agency-specific training in security or contingency planning has not been consistently administered.
  • Compliance Efforts – Given GAO’s spotlight on inconsistencies in how systems are evaluated, assessments of systems and personnel for compliance with agency requirements will likely increase, adding short-term burden until processes are in place and efforts are routine.
  • FISMA Assessment – Increased clarity or education from OMB on applying their FISMA reporting standards for contractor-operated systems could increase scrutiny on some systems – both government-owned, contractor-operated and contractor-owned, contractor-operated.  Many of these systems may have been previously overlooked or mis-categorized, which could spur deeper scrutiny and increased costs.

Potential Contractor Opportunities

As agencies strive to improve, they may look to industry experts for assistance in the following areas:

  • Procedure Development – Agencies will need to document the procedures for their officials to follow in order to perform effective oversight of contractors. While these efforts may be considered inherently governmental in nature, some agencies may seek the help of contracted experts to aid in solidifying such procedures. Expect agencies to maintain directive control over this process.
  • Independent Assessments – GAO found that five of the six agencies they studied used independent assessors for system reviews, as required by NIST, and this included contracting for these assessment services. There may be continued opportunities for contractors to find work in this area. Expect agency officials to verify that the selected assessor is independent.
  • Test Plan Development and Execution – While most agencies that GAO audited had developed test plans, almost none of them had effectively executed test plans. Here is another area where independent contracted services may be in demand.

Considering GAO’s recommendations focus on both procedures and policies – that agencies develop procedures for contractor oversight and that OMB clarify reporting instructions to agencies – it will take some time for agencies to fully address the concerns raised in the report.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Federal Busy Season – Which Agencies are Ramping Up to Spend in September?

August is here, and that puts us right at the mid-point of the fourth and final quarter of the fiscal year – the federal “busy season.” But that doesn’t mean that half of this business is already accounted for. In fact, historical spending trends suggest that things are just ramping up toward a September climax, and several agencies will have billions of dollars to spend on IT before they face expiring funds.

Recently, I showed how federal agency spending trends in Q4 accounted for an average of 39% of agency contracted IT spending for the year, translating into an average of $30 billion in IT products and services contracted during the fourth quarter. Yet, the spending is even more concentrated than that. Upon further analysis, we can see that federal contract spending is disproportionately large in September, the final month of the fiscal year. Agencies obligate 18% of their total contract dollars across all goods and services and 23% of their yearly contracted information technology spending in September alone. That works out to nearly 60% of Q4 IT contract spending and means that about $17.3 billion in IT is likely to be contracted in the month of September.

Twenty-five federal departments and agencies account for about 99% of this IT spending. So which of these biggest-spending departments and agencies will have the largest percentage of their IT dollars likely to go out next month? See the chart below.


Twelve of the 25 highest spending departments – roughly half – will obligate 25% or more of their FY 2014 IT contract dollars in September, based on a 5-year average. State and AID will obligate more than a third!  The FY 2009-2013 average September contract spending for these 12 agencies is provided below.


Again, we are looking at an average of over $17 billion in IT spending at these agencies in September. Not all of these funds will necessarily expire at the end of the fiscal year, but the historical spending data averaged over the last five years still supports the trend that these agencies will spend at or near these levels, as it reflects some of the spending impacts of recent trends like shifting and tightening budgets, program delays, and sequestration.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.

Have Federal Agencies Adopted Cloud Solutions Too Fast?

Recently the Office of the Inspector General at the Environmental Protection Agency released an audit report that highlighted a lack of coordination and clarity in the agency’s cloud computing investments. The results of the audit were based on a survey designed by the Council of the Inspectors General on Integrity and Efficiency (CIGIE), which provides a matrix for collecting information about cloud projects. When the EPA OIG conducted the survey it focused primarily on the lack of clarity surrounding a single contract awarded by the Office of Water for cloud hosting of its Permit Management Oversight System (PMOS). During its survey, however, the OIG discovered significantly wider problems, leading them to conclude that the EPA “did not know when its offices were using cloud computing.”

This statement surprised me at first.  After all, in the age of OMB’s “Stat” initiatives (i.e., PortfolioStat, TechStat, and AcquisitionStat) one would think that a smaller agency like the EPA had developed a solid handle on its investments, especially those made within the last four years.  Alas, this is not the case.  Perhaps the methodology used by EPA program offices to discover cloud investments was the problem.  According to the OIG, “the Office of Acquisition Management (OAM) indicated that the Cloud Survey was completed by performing a search for the word ‘cloud’ in the procurement description.”

At first I could only shake my head when I read this.  Then it dawned on me that the OIG had provided some real and valuable insight into the current state of federal IT.

The reality is that despite multiple inventory efforts, agencies simply don’t know what assets they possess, and when it comes to cloud computing the challenge is particularly acute.  Cloud solutions come in a large number of diverse forms and the solutions often have multiple pieces.  Industry partners seeking to make sales further add to the confusion by touting solutions “as-a-Service” when they really aren’t and by throwing around the term “cloud” when it doesn’t technically apply.

All of this points to the absolute and desperate need for agencies to invest in some kind of cloud broker or asset management program.  Such a program could take the form of automated tools for tracking cloud investments or end-to-end brokerage/management services.  These services could be provided by a vendor or, as in the case of the Defense Information Systems Agency, a formal program office.  In this day and age it is simply astounding that any agency seeking to use cloud computing would jump into the deep end without having a handle on what it is they are buying.  The EPA in particular set ambitious goals for migrating 80% of its computing environment to the cloud by 2015.  Clearly they aren’t going to make that deadline.  More importantly, as the OIG audit demonstrates, the EPA appears to have set this goal without putting a proper management infrastructure into place.  Implementing a cloud broker solution would have helped.

Maybe Congress has a solution.  If the Federal IT and Acquisition Reform Act (FITARA) passes, budgetary and oversight authority will be centralized in CIO shops, providing the means by which cloud investments could be cataloged, especially since they would be tied to Cloud Computing Working Capital Funds.

Whatever happens with FITARA, the example of the EPA is clear – the agency jumped into cloud computing faster than it should have. NASA had its hand slapped for doing something similar in connection with FedRAMP compliance and I’m guessing other agencies face challenges in this area. Ironic, isn’t it? We read all the time that agencies aren’t adopting cloud-based solutions fast enough. The lesson of the EPA shows, however, that maybe the opposite is really the case. The agency actually adopted cloud solutions faster than it was prepared to handle. Where’s Alanis Morissette when you need her?

 

Federal Fourth Quarter FY 2014, Part 2 – $30B in IT Contracts Likely

The last two months of fiscal year (FY) 2014 are nearly upon us and that puts us on the cusp of the height of the 4th quarter (Q4) “federal IT busy season.” Even with several disruptions that have marked the first half of FY 2014, agencies do have budgets in place and are spending. If historical averages hold, several agencies will spend more than 50% of their FY 2014 contracted IT dollars in Q4.

Last week, I looked at potential total fourth quarter spending for the top 25 departments and agencies across all categories of contracted products and services, based on their reported historical contracted spending over the last several years. This week, I will focus on the Information Technology (IT) category in a similar fashion. (See last week’s entry for more detail on my approach.)

From FY 2009-2013 federal departments reported spending an average of 32% of their yearly contract dollars in the fourth quarter across all spending categories. However, the percentage of Q4 IT contract spending was 39% among the same departments for that period. Agencies tend to buy more of their IT in Q4 compared to other products and services, on average. Translating that into dollars, over the last five fiscal years federal agencies spent an average aggregate of nearly $30 billion on IT hardware, software, and services in Q4 alone. This is the case based on historical spending data, even in the era of sequestration and other budget constraints.

Which departments are the best targets for a firm’s Q4 IT capture efforts? Over the last five fiscal years the following 25 departments or agencies reported the largest overall contracted IT spending and make up 99% of the federal market. The chart below shows their average contracted IT spending in Q4 over the last five years.


Sixteen of the 25 top-spending departments will spend an average of 40% or more of their yearly contracted IT dollars in Q4 (and several more departments are not far behind in percentage points). Those 16 departments account for an average of $20 billion in combined Q4 IT contracts from FY 2009-2013.

Three departments or agencies historically obligate more than half of their yearly IT contract dollars in the final fiscal quarter: AID (55%), State (56%) and HUD (70%).  Their 5-year average Q4 IT contracted spending is:

  • AID = $141.5 million
  • State = $690.5 million
  • HUD = $181.9 million

Not far behind, the departments that spend between 45% and 48% of their yearly IT contract dollars in Q4 – like HHS, DOJ, SSA, Energy, and DOI – tend to have even larger IT budgets. These five departments account for a combined average of $3.2 billion in Q4 IT contracts over the last 5 fiscal years.

Many of these contract dollars will flow to commodity IT products like software and peripherals, but significant dollars will also go toward IT services. Proposals that were submitted weeks or months ago may come back to the foreground for potential action, and companies that can quickly turn around competitive quotes for their federal customers may have a chance at stealing business from incumbents.

With FY 2014 getting a bit of a slow start due to delayed budgets and agency shutdowns, the rebounding we are seeing in the second half of the year may result in a record-breaking Q4. We will have to wait and see.

---
Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @GovWinSlye.