Seven policies to watch in 2007

The Office of Federal Procurement Policy, Congress and agencies inspectors general all are expected to apply more pressure on acquisition professionals and contractors than they have in the last five years.

Rep. Henry Waxman (D-Calif.), the new chairman of the Government Reform Committee, will be less contractor friendly than former chairman and now ranking member Tom Davis (R-Va.) was, according to Neal Fox, a former General Services Administration procurement official.

And Waxman is not alone in pushing for more oversight, said Larry Allen, executive vice president of the Coalition for Government Procurement, an industry association in Washington.

Allen said procurement changes also could come from the Armed Services Committee, where staff members are closely watching the recommendations of the Services Acquisition Reform Act panel.

The SARA panel released its draft report late last month (go to GCN.com, Quickfind 725, to read the report) that called for more competition. It will collect comments before submitting its final report to OFPP.

In the meantime, OFPP administrator Paul Denett will try to figure out how to deal with the proliferation of multiple-award contracts, and increase the oversight of those vehicles.

“MACs have become a poor man’s governmentwide acquisition contract and it escapes the oversight of OFPP,” Fox said. “You end up with MACs that don’t make any sense, like the Navy’s Seaport-e.”

Allen also sees a series of potential new regulations that could slow the procurement process.

For example, he said, the Defense Department’s new rule on the use of time and materials contracts is stricter than the Federal Acquisition Regulations rule.
Additionally, Allen said there are questions about whether agencies will use GSA’s newest IT governmentwide contract, Alliant, and how much agencies will come back to use the agency’s procurement services. GSA officials said assisted acquisition services declined yet again in 2006.

Data standards

Impact in ’07: Agencies will take steps to advance standards in health IT, security and intelligence sharing, although actual data sharing still is a far-off goal. Standards provide the foundation on which agencies can exchange data to become more effective and efficient.

There’s a tremendous push toward information sharing, but that depends more on trust among agencies than on standards, said Ron Ross, the National Institute of Standards and Technology’s senior computer scientist.

“If I’m going to give you important information, I’d like to have confidence that you’ll be able to protect it once it leaves my boundary,” he said.

He foresees a common framework for security controls across government, including the Defense Department and the intelligence community.

NIST has given these constituencies visibility as it has developed its FISMA standards and guidelines, including a common language for security controls and assessments, he said. (See data security capsule, below.)

For intelligence data, standards for the Information Sharing Environment, designed to let federal, state, local and other organizations access terrorism information, likely will get a foothold this year.

Participants on the Information Sharing Council are expected to agree on initial standards early this year while the next set of standards should be ready by August, according to plans set by national intelligence director John Negroponte.

The information-sharing project is a collaboration of his office and the departments of Justice, Homeland Security, Defense and State, and the FBI.

Standards should make headway in other areas, too. Agencies will begin to act on the presidential executive order issued last year to use health IT interoperability standards when they acquire and update systems for health data exchange.

They must develop plans this month for the Office of Management and Budget about how they will incorporate those standards in their contracts.

Data Mining

Impact in ’07: Data-mining software will continue its trajectory deep into the core of federal IT managers’ portfolios, even though the tools pose privacy risks and functional drawbacks.

As privacy advocates cite instances of data-mining abuses, federal IT managers will seek to defuse those concerns by citing their adherence to privacy laws and filing privacy impact statements—except when they grant themselves a waiver of that requirement.

The Government Accountability Office found 131 data-mining projects across 52 agencies in a May 2004 study. And that number is only increasing around the government, particularly in the Defense, Homeland Security and Justice departments, and elsewhere in the intelligence community. In 2006, it was revealed that the National Security Agency was buying phone call records. GAO also reported that agencies spent $30 million with companies that provide data analysis services in 2005.

The lure of the software is that the tools can detect valuable information in agencies’ vast data troves, and possibly even help forecast future events by methods known as predictive analytics.

But one incisive warning about the limits of data mining came from Jeff Jonas, a distinguished engineer and chief scientist with IBM’s Entity Analytic Solutions Group, and Jim Harper, director of information policy studies at the Cato Institute in Washington.

Jonas and Harper condemned data mining as a means of pinpointing terrorists because it “would waste taxpayer dollars, needlessly infringe on privacy and civil liberties, and misdirect the valuable time and energy of the men and women in the national security community.”

“I would agree with that,” said Bob Daugherty of Flagstaff, Ariz., a consultant, statistician and data-mining practitioner. Like Jonas and Harper, Daugherty said the number of terrorist incidents was too small to form the basis for a useful model of the threat.

Data security

Impact in 2007: Agencies can expect more support this year from the National Institute of Standards and Technology to help assess the effectiveness of IT security controls.

NIST will publish procedures in a document, 800-53A, which will be a companion piece to updated guidelines published last month for selecting and specifying security controls to comply with the Federal Information Security Management Act, said Ron Ross, NIST’s senior computer scientist.

The guidance documents build on mandates from the Office of Management and Budget in the wake of a wave of lost and stolen notebook PCs that put personal data at risk at a number of agencies, most spectacularly at the Veterans Affairs and Commerce departments.

NIST will release a draft of the procedures in March and finalize it by July, Ross said.

“We’re trying to deal with the security problem by establishing a common language for specifying and assessing security. It provides enough structure so we’re all focusing in the same direction, but it doesn’t lock you in so tightly that agencies can’t have flexibility to deploy the controls and assess them in accordance with their own operational environment,” he said.

Agencies this year should expect an increased emphasis on two-factor authentication at key locations within the IT infrastructure, such as at network boundaries.

Agencies also can expect more attention to building trust relationships to assure security controls at vendors; restrictions on systems that federal employees can access or use when telecommuting or traveling; and greater boundary protection, such as cordoning off some critical data into subnets, Ross said.

Homeland Security Presidential Directive-12

Impact in ’07: While the Office of Management and Budget will remind everyone this is a presidential directive, the reality of what the mandate really means will hit home over the next 12 months. Will agencies continue to produce cards and upgrade their infrastructure, or has HSPD-12 lost its momentum? That is the real question 2007 will answer.

Meanwhile, the only real deadline agencies face is Oct. 27, when they and contractors must complete a background investigation for every employee, especially those with fewer than 15 years of experience with their company or agency. One agency started with more than 5,000 employees who needed new investigations; over the past year, they reduced it to about 1,000.

Some agency officials believe HSPD-12’s momentum has been lost for a number of reasons: the General Services Administration’s lack of action on a new managed- services-office contract, the pressure of operating under a continuing resolution until at least February, and the ongoing challenge of integrating physical security with the card.

“HSPD-12 is dead in the water right now,” said one senior IT manager, who requested anonymity. “Agencies are not issuing cards because there still is some question about how to gear up to issue cards to hundreds of thousands of federal workers.”

Certain agencies also are under pressure to explain to OMB why they are going at it alone instead of through GSA or the Interior Department’s National Business Center, said another agency senior IT manager. OMB’s request for justification does not include transitional agencies, including the Defense and the Homeland Security departments.

Spectrum Management

Impact for ’07: The Pentagon’s Exedrin headache No. 7—trying to manage the availability of a very finite resource, the radio frequency spectrum, to allow the maximum number of users at one time, and without knocking other users off the air.

Network-centric operations, collaboration among the branches of the military, and cooperation with allies and coalition partners all place demands on the allocation of frequencies. Yet the Defense Department also has to coordinate its needs with the requirements in the private sector, where demand is going through a similar growth spurt.

As a result, spectrum management is one hot new field in military circles. At a recent conference on Defense spectrum issues, Brig. Gen. Jeffrey Foley, director of architecture, operations and space for the Army, said the service is developing a primary “military occupational specialty” for spectrum managers. The Navy also is establishing it as a career path, and the Marine Corps has already done so, he said.

There are two distinct areas of concern DOD will attempt to address this year. In warfighting operations, spectrum managers have to “deconflict” the use of particular frequencies to make sure that one group of devices doesn’t disable another.

DOD CIO John Grimes told conference attendees that commercial Global Positioning System receivers in a class of inexpensive unmanned aerial vehicles used in Iraq were being knocked out by other devices emitting their own RF signals.

Longer term, all the services have to revise procurement and systems development processes to incorporate spectrum requirements much earlier in the process.

E-Government/Lines of Business

Impact in ’07: E-Government, year five. The Office of Management and Budget continues to push agencies and the 25 projects to produce results. But will this be the year when the so-called “rubber meets the road”?

Many observers believe OMB missed its opportunity to gain congressional support for e-government when Republicans held the Hill.

“The process to get approval to spend money will get harder,” said one agency CIO, who asked not to be named. “In some ways, OMB is painted into a corner. They can’t shut down systems that match cross-agency systems unless they match perfectly. Most agencies built more encompassing systems so they could shut down a module, but not the entire system.”

Still, the Hill’s influence over e-government is secondary. OMB’s push for using outcome-oriented metrics and its gentle prodding of agencies to hire shared-services providers, mean its expectations remain high.

One senior IT manager, who requested anonymity, said the greatest hope should be on the IT Infrastructure LOB. The manager said the potential to find real savings is greater than in any other e-government or LOB project. The rest of the initiatives, the manager said, will continue to toddle along.

Under the Human Resources LOB, the Office of Personnel Management, through the General Services Administration, will issue an open schedule for private-sector companies to act as service providers.

OMB also will name the new Security LOB providers and expects agencies to begin using their services for training and Federal Information Security Management Act reporting.

“This is a transition year in many ways,” said another senior IT manager, who also requested anonymity.