HHS OIG Hackers Test Health Insurance Exchange Websites

HHS Office of Inspector General (OIG) auditors audited Healthcare.gov, the Kentucky Health Benefit Exchange, and the New Mexico Health Insurance Exchange between February and June 2014. The audits included vulnerability scans and simulated attacks.

Auditors praised each marketplace for aspects of its security controls, policies, procedures and testing, while recommending improvements in the areas where they found vulnerabilities.

Findings and recommendations for each marketplace are specified below:

Healthcare.gov

CMS has taken actions in the last year to lower the security risks associated with Healthcare.gov systems and consumer Personal Identifying Information (PII), including:

  • Establishing a dedicated security team under the CIO to monitor and track corrective action plans for vulnerabilities and ensure they are completed 
  • Performing weekly vulnerability scans 
  • Completing two security control assessments

Suggested areas for improvement are as follows: 

  • Implement a process to use automated tools to test database security configuration settings on all databases 
  • Implement an effective enterprise scanning tool to test for web site vulnerabilities 
  • Maintain adequate documentation to verify that database property files containing user credentials have been closed by encrypting the file 
  • Detect and defend against web site vulnerability scanning and simulated cyber attacks directed at the Healthcare.gov web site 
  • Finish corrective action already underway to remedy a critical vulnerability. The publicly available OIG summary did not describe the vulnerability; however, CMS stated that its scheduled completion date for corrective action was June 30, 2014.

Kentucky Health Benefit Exchange (KHBE)

According to the HHS OIG, the KHBE had sufficiently protected PII in accordance with federal requirements. Using encryption, Kentucky properly secured individuals’ PII upon system entry, as well as during storage and transmission. However, the OIG identified the following areas for improvement in database access and security controls:

  • Sufficiently restrict user and group access to authorized roles and functions 
  • Address federal requirements for system security planning, risk assessment, penetration testing and flaw remediation, POA&M, and incident response capability 

The above deficiencies were mainly due to the fact that Kentucky was transitioning its information technology responsibilities among agencies and had not yet established sufficient coordination between them.

New Mexico Health Insurance Exchange (NMHIX)

The HHS OIG found that the NMHIX had implemented security controls, policies, and procedures to prevent vulnerabilities in its website, database, and supporting information systems. However, NMHIX’s IT policies and procedures did not always conform to federal IT requirements and NIST recommendations.

Specifically, the audit identified the following vulnerabilities: 

  • One data encryption vulnerability 
  • Two remote access vulnerabilities 
  • One patch management vulnerability 
  • One Universal Serial Bus port and device vulnerability 
  • 64 web application vulnerabilities, two of which were listed as critical 
  • 74 database vulnerabilities, one of which was listed as high

In written responses to the HHS OIG, all of the exchanges concurred with most of the findings and recommendations and furnished plans for addressing the vulnerabilities cited.

GovWin Recon - September 30, 2014

GovWin Recon, produced by Deltek's Federal Industry Analysis (FIA) team, is designed to support awareness and understanding of the issues impacting the government and the contractors that serve it. Recon highlights key developments surrounding government technology, policy, budget and vendor activities.

Headlines beginning with an * include quotes from Deltek analysts.

GovWin Recon is Deltek's daily newsletter highlighting federal government contracting news and analysis from around the government contracting world. Get it delivered to your e-mail inbox, free!

TTC’s Big Data for Defense Symposium Offers Insight into Air Force and Army Programs

It’s become a sure sign of autumn for me when the Technology Training Corporation’s annual big data for defense and homeland security symposium rolls around in September.  TTC always manages to get top-notch speakers from both government and industry and this year’s symposium was no exception.  The event takes up two days and is hosted at the Holiday Inn in Rosslyn, VA.  These notes and comments provide a couple of highlights from the symposium.

Jeff Eggers, Chief Technology Officer in the Office of the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance of the US Air Force (AF/A2D) began by providing an excellent overview of the Air Force’s recent efforts to enable the use of big data analytics in operational/tactical environments.  Stating up front that the Air Force is reviewing big data concepts and methods to dramatically change the way it processes and uses sensor intelligence, Eggers assured the audience that the goal of Air Force efforts is standardizing sensor data feeds to make all data discoverable.  The standardized data will pass through automated tools and go to so-called “all source” analysts for the first stage of analysis before it is distributed to warfighters for use on the operational level.  An example of such use would be identifying targets for precision fires.

Processing data quickly, however, is the key to making it usable. To that end the Air Force is dedicating funds to implement what it calls Sensing-as-a-Service. SensaaS is the concept of making all data from multiple sensors available via a single delivery platform. The sensors are embedded in a system of systems, like the Distributed Common Ground System-Air Force, and the data and analysis would be made available to users as a web-based service or via a battlespace network. SensaaS is currently in the research and development stage, but Eggers says he’s been assured the concept is workable. From an industry perspective this suggests that additional investment is coming from the Air Force to field a proof of concept prototype. Such an approach would be consistent with defense acquisition initiatives to make greater use of prototyping in procurement phases.

Lisa Shaler-Clark, the Deputy Director in Program Manager – Futures at Army Intelligence and Security Command (INSCOM), followed Mr. Eggers later in the morning with some fascinating comments on work being done to integrate Army intelligence with the Intelligence Community’s IC IT Enterprise, or ICITE program.  Shaler-Clark noted that Army INSCOM has made great strides moving data from stovepiped systems into an enterprise data warehouse.  This warehouse provides analysts with vastly improved data access, but it has also created a deluge of data for them to deal with.  The solution to that problem for INSCOM has been to host a Hadoop-based cloud analytics system to parse the data.  The data is tagged in multiple ways and then made available for analysis via a number of automated tools.  Data is also integrated into the ICITE and INSCOM is leveraging the NSA’s cloud for additional storage.

Finally, from the sound of what’s happening there, INSCOM is one of those places you’ll need to visit if your company sells analytics capabilities.  Be aware, though, that Shaler-Clark’s office isn’t interested in capabilities that duplicate what they already have.  They want new capabilities that enable them to do what they cannot already do today.

TTC is planning to follow up this symposium in November with its first conference on the Internet of Things.  This conference, Internet of Things for Defense and National Security, will be held on November 13-14 in Arlington, Virginia.  The line-up of speakers that I've seen so far looks very interesting.  Hope to see you there.

GovWin Recon - September 29, 2014


GovWin Recon - September 26, 2014

GovWin Recon - September 25, 2014


GovWin Recon - September 24, 2014


VA to Accept Advice from Technology Task Force on Scheduling System

Part of the recently enacted Veterans Access, Choice, and Accountability Act of 2014 requires VA to listen to advice from a technology task force regarding their medical appointment scheduling system.

In June, a bipartisan group of senators supported the idea of allowing contractors to perform pro bono work for VA on the scheduling system.  Similar efforts were successful for work at Arlington National Cemetery where a consortium of Northern Virginia Technology Council (NVTC) companies banded together to modernize records processing.  

Another NVTC team, including Booz Allen Hamilton, HP, IBM, MITRE Corporation and SAIC, will assess VA’s scheduling system and offer findings by late September.  The legislation requires a review within 45 days of the law’s enactment on August 7th.

VA is in the process of replacing its current scheduling system with a COTS solution.   The RFP for the Medical Appointment Scheduling System (MASS) is expected out later this month with proposals due 30 days following.  A draft Performance Work Statement (PWS) was released on Sept. 17th with responses due Sept. 26th.

Due to the pending scheduling system procurement, the technology task force plans to concentrate on medical facility patient scheduling processes and systems rather than software.  “Our assessment will not include recommendations about specific technology products,” stated NVTC President Bobbie Kilberg in an interview with FCW. 

VA will not be required to adopt all of the task force recommendations.  The law stipulates that the VA implement recommendations they consider “feasible, advisable, and cost effective.”

Spending on DISA’s Encore II Contract Vehicle

Officials from the Defense Information Systems Agency confirmed at their recent Forecast to Industry that the competition for the Encore III contract vehicle will begin in fiscal year 2015.  Encore III’s predecessor, Encore II, has been heavily used by defense customers, with about $5.8 in contract dollars going through it since fiscal year 2008.  Encore III is expected to receive even heavier use, particularly since DISA officials have emphasized the coming consolidation of services contracts that are deemed duplicative.  Given the agency’s shrinking budget, it is not beyond the realm of possibility that in the years to come the overwhelming majority of contract spending on information technology services at DISA will go through Encore III.  This implies that the available pool of competitive opportunities at DISA will be much smaller in the future, necessitating that interested vendors win a spot on Encore III.  Laying the groundwork for bids includes understanding the customer base using Encore II and the top vendors on the vehicle, as all of these will probably be bidding on the follow-on.

Top Customers

Looking first at the top customers using Encore II we can see, not surprisingly, that DISA spends the most contract dollars through the vehicle.

That said, there are a number of other defense community users putting millions of dollars through Encore II.  Of these, the Army comes in second with $233 million in obligations.  This is a trend I would expect to continue as the Army also narrows the number of contracts it uses for IT services and as it continues to look to “DISA-first.”  With $87 million in obligations, the Bureau of Alcohol, Tobacco, and Firearms stands out as the lone civilian customer among those listed.

Top DISA Customers

Narrowing the analysis to DISA customers only, we arrive at the following results.

Readers will notice right off the bat that the total amount of dollars represented here does not equal the total amount listed as “DISA” in the first chart above.  This is because of vagaries in the reporting.  Often “DISA” is listed as the major spending agency in the available data, but when one gets down to the level of the office requesting the funding there will not be a customer given, or the customer will actually belong to one of the Services (e.g., Navy’s Space and Naval Warfare Systems Command).  Where the DISA-specific customer is available I have listed them here.

It is most informative when looking at this chart to zero in on the specific customers rather than the general categories, like “DISA” which sits at the top of the chart.  Similarly, the spending listed under the various entities of the Defense IT Contracting Organization (DITCO) doesn’t reveal much.  Digging deeper we find that several organizations now under Chief Technology Officer Dave Bennett’s Enterprise Information Services business unit use Encore II the most.  These organizations include the former Computing Services Directorate, the Systems Management Centers, and the Infrastructure Services Center San Antonio.  I would anticipate this trend to continue in the years ahead as DISA consolidates core data center support contracts and funnels more contract dollars through Encore III.

One other thing worth observing is the relative absence of spending related to the Defense Information Systems Network (DISN), now known as the Defense Information Network (DoDIN).  I suspect there is spending here related to DISA’s transport services, but it cannot be parsed out due to the lack of granularity in the data.

Top Vendors

Lastly, let’s examine the top earning vendors on Encore II.  The chart below shows the top ten highest earning companies by obligations from DISA alone. 

The gap between companies number 2 (Raytheon - $402M) through 5 (HP Enterprise Services - $359M) is relatively slim.  The earnings by Northrop Grumman, however, tower above them all, with $1.4 billion representing almost 4x the next closest competitor.  Noteworthy too is DSA, which the data says has been awarded $271 million in contracts as a small business (partial).  Presumably, DSA will not be able to compete for Encore III as a small business, which should make the competition for large business slots that much more competitive.

Federal Shared Services Marketplace Goes Public

Since the spring of 2013, government agencies have been able to find and buy shared service offerings through an online database called Uncle Sam’s List. The site was launched by the Chief Information Officers Council as part of a strategy to promote use of shared services. By August 2013, over 100 shared services were listed, and the total number was still growing. Now, those shared service listings are being made public to improve government-industry collaboration. 

The Office of Management and Budget (OMB) issued its Shared Services Strategy in 2012. The plan outlined steps for agencies to take toward reducing over $46 billion in duplicative IT investments, focusing on commodity IT purchases as well as government-wide and intra-agency shared services. In the four months following the strategy release, agencies faced a series of deadlines to advance enterprise planning and the Shared-First approach. Since the initiative launched, agency adoption of shared services through Uncle Sam’s List has simplified acquisition and delivered cost savings. For example, by consolidating computer buying contracts, the Department of Commerce was able to cut its spending on desktop computers by 35 percent and save over $200 million annually in administrative costs.

The information-gathering phase of promoting shared services involved collecting data about what agencies are paying for different products and services. Gathering that data proved valuable early on by highlighting the broad range in prices the government has paid for the same capability. Different agencies were paying anywhere from $21 to $98 per month for identical cellphone plans. That knowledge allows agencies to identify the lower end of the spectrum and target moving toward that price point. To date, Uncle Sam’s List has been maintained within the MAX.gov internal government collaboration site. Initially, the community was entirely maintained by the CIO Council’s Shared Services subcommittee, who determined which service areas, providers, and contracts got listed. That, however, is about to change. 

On September 16, 2014, Federal Computer Week reported that Uncle Sam’s List will be going public. Over the coming weeks, version 1.2 of Uncle Sam’s List will be updated with an XML feed. Once the database is public, federal and commercial providers will be able to feed into the list. Building on interview comments from the co-chairman of the CIO Council’s Shared Services Task Force, the article suggests that the move is expected to encourage “a balanced and competitive environment.”

Vendor Implications 

Easier access to data about federal and commercial commodity IT and service offerings will undoubtedly impact market competition. The ability for industry to access and add to the database will create new opportunities for vendors to provide IT services to agencies targeting agile delivery. The move could also provide vendors with greater visibility into competition within the federal commodity IT and service marketplace. The clearinghouse of services could allow greater insight into the business opportunities around shared services and reframe how vendors characterize markets for their products and services, raising vendor profiles as well as making it easier to identify common requirements being met through shared services.

----------------------------------

Originally published in the GovWin FIA Analysts Perspectives Blog. Follow me on Twitter @FIAGovWin.
