There's been too much talk and not enough action from FedRAMP. Time to cowboy up Mr. Goodric

4 years
Reply

FedRAMP is still a massive timesink and costsink. Value not there currently.

4 years
Reply

Great video with Dan and Dr. David Bray, really enjoyed the comments about the IoT and FCC's Server Lift.

4 years
Reply

The problem with govies is that they are always afraid to comment on an issue due to the politics involved and the fact that most are terrified at finding another job due to their lack of skills. I have personally commented on this issue several years back directly to Matt Goodrich who responded by saying that Govies demand multiple paths to ATO. Based on my experience the JAB process is the most severe and the right path based on independent assessments. Agency certifications are almost always influenced politically or through a perceived influence given the last of IT knowledge and specifically IT Security at Agency senior management positions. If one simply looks at the job requirements for Federal CSO's/CISO's/CIO's you will find very little in regards to Computer Science. To make this point a lot simpler for everyone to understand ask yourself the following question: how many of the Federal C-Level folks today can troubleshoot/fix their laptop (O/S/Application) issue on their own? Given all of the Federal Agencies/Organizations is there one C-Level person as competent technically as Bill Gates?

4 years
Reply

While you could be right about the "last of IT knowledge", I think you meant "lack of". And what are the possibilities that someone with the appropriate degree might land in a senior position?

4 years
Reply

I think the real issue with FedRAMP is making sure the process is transparent. I think you’re hitting the mark on your Fix FedRAMP report, let’s hope GSA plans to follow through with the recommendations. I’m looking forward to the event on the Hill.

4 years
Reply

From the GSA FedRAMP certified page:

"The Datapipe Government Solutions Federal Community Cloud Platform (FCCP) provides a unique approach to security that allows federal agencies to have more control and flexibility to meet their unique security needs. This platform is one of the first P-ATOs issued to a PaaS cloud service provider covering management through the virtual operating system."

The IMPACT shows Moderate, which I'm assuming is FISMA Moderate, not high. So the statement above can only relate to FISMA moderate, not high. Without that specific statement the import is just a trifle ambiguous, that is, it's open to misinterpretation.

4 years
Reply

If agencies still don't trust the FedRAMP process, all this time and money spent has no real benefit. GSA needs to take real action to implement the recommendations and change the process, or risk having another failed initiative...and more and more waste

4 years
Reply

I was looking for something that tied DoD certifications to FedRAMP, like the JITC process. This was on your list...

4 years
Reply

I think the efforts to enable efficient quality control on the data folks are providing is huge. It will streamline analysis and reduce management time. Big steps.

4 years
Reply

Glad to hear GSA is recognizing that change needs to be made, and making an effort to do so. Looking forward to see how this pans out -- let's hope the necessary changes are made.

4 years
Reply

Credit for equivalent testing in rigor and independence is acceptable, self-assessment for continuous monitoring is a conflict of interest. The CSP must be ready to come to the table with transparency if they demand it from GSA. Agencies need to be educated as to how they leverage the ATOs available. I've seen agency ATOs leveraged to authorize in as little as two weeks! I've also seen agencies ATO a cloud provider that didn't even use the FedRamp templates! GSA has every right to slap them for doing such! GSA is doing a great job, we know this because the industry is saying "this is hard"... that's what we want, that means they are being forced to mature from their old models that left us all vulnerable in the past!

4 years
Reply

Not entirely surprised by this announcement. Think it's a good decision - unfortunately, the pressure and expectations are quite high (or arguably - low?) for NBIB... Look forward to seeing what happens next.

4 years
Reply

Fantastic idea... so often in the workforce, employees are left to their own devices with professional development

4 years
Reply

18F's silly political correctness is precisely the kind of thing that's putting wind to Trump's sails. Many Federal employees would cheer if we stopped the tomfoolery and focused on getting real work done.

4 years
Reply

Every contractor working for the Federal government is required to track their time and 18F is no different. If this were a true private contractor they could end up with significant fines. Time will tell if this is just the tip of the iceberg in 18F transgressions of the law.

4 years
Reply

Nobody knows the requirement for increased professional training investment in Federal IT better than Richard Spires. Thank you for the insights and we all hope that the Hill appropriates additional funding to allow the Federal IT workforce to remain relevant.

4 years
Reply

Better, more consistent data is the best way to get to better government. This is much broader than a Federal IT discussion. The question, if only SBA and DoJ are playing ball, how do we get other agencies to sit up and pay attention? And the logical follow on, if only two agencies are getting it right how do we map data across the government to affect any real change?

4 years
Reply

We've been talking and fretting about SCADA and power cyber vulnerabilities for more than 15 years. Good to see some progress on standards, but serious flash drives? Did we learn nothing from StuxNet? It's time for the utilities and other critical infrastructures to spark real change. We've been very lucky so far, it's dangerous to build defense on a wing and a prayer.

4 years
Reply

The Fix FedRAMP paper is to be commended for having the courage to point out that the FedRAMP emperor is naked. Delighted to see new blood at GSA admitting that there's a problem and taking steps to change the game. We need FedRAMP, but not if it's the FedRAMP we've seen so far. We're all excited to hear about FedRAMP 2.0 on March 3.

4 years
Reply

Nice tie in here to the piece in this issue on the Data Act.

4 years
Reply

Hmm that is really very nice of you, thanks a lot for this!

4 years
Reply

Deck chairs on a particularly noted large ship come to mind...

4 years
Reply

Soltani doesn't sound very sorry with his Twitter announcement

4 years
Reply

Glad to hear that GAO is cracking down on more specific definitions of spending reports. However, it is not enough to just be aware; must take tangible steps to fix.

4 years
Reply

Guessing there are some red faces in the whitehouse right now and that Megan Smith must be on shaky ground.

4 years
Reply

What a surprise, the government isn't complying with a law that's designed to provide meaningful transparency into where they spend taxpayers' dollars. In order to make a real difference we need penalties, and it's not fair to blame IT for the failure as agency leadership wants the ability to hide the real data from public view. If something doesn't change and fast, the Data Act is doomed

4 years
Reply

Not surprised... always seems that Feds take one step forward and five steps back

4 years
Reply

Good reporting! Keep pushing and asking the tough questions of everyone involved in Snowden's betrayal, Dan

4 years
Reply

Not surprised to hear about Soltani being pushed out and understand why, but sorry to hear it. Think having people who aren't afraid to notice flaws in our agencies working in government is important. How can our Federal systems improve without its critics and by getting rid of the people who can help create real solutions? Especially with such a strong background and understanding for big data and cybersecurity.

4 years
Reply

It's great to see the FBI leveraging data this way - this is how big data should be used. Hopefully, there are additional initiatives like this one going on as well, to eventually help prevent more major crimes and terrorism. Of course, there will always need to be a balance to protect civil liberties - no one wants to go full Minority Report.

4 years
Reply

If the IG's office thought this was significant enough for investigation into criminal charges, then his job status should not even be up for debate -- regardless of recent improvement in his agency's cybersecurity performance.

4 years
Reply

No different than what goes on throughout government. The waste and fraud is known by everyone. Yet, nothing is ever done about it. And people wonder why we are nearly $20 trillion in debt...

4 years
Reply

Sounds like quite the initiative...look forward to learning more on the 11th.

4 years
Reply

This is an important and innovative way to implement data collection and truly put it to good use. And in all honesty, a little shocked this is something the FBI has only started tracking now. Keeping an eye on animal cruelty offenders has the potential to reveal a lot of human-to-human abuse cases that otherwise would be missed due to lack of evidence or no one filing charges.

4 years
Reply

Interesting on the clash between today and tomorrow's IT govvies - especially coming from Lisa Schlosser who is certainly one of those who has been an entrenched government IT executive for many years. Maybe it proves you can be career IT in the Federal space and still move with the times?

4 years
Reply

We all want animals to be safe, but this kind of data collection costs a lot of money - taxpayer dollars at work? Hmmmm...wonder how much of this is generated by Pitbulls and Paroles type popular culture?

4 years
Reply

Seems like more than a bump....

4 years
Reply

The candidates seem to be ignoring technology. Agree we need to step up our innovation to remain competitive. Look forward to reading these recommendations.

4 years
Reply

Interesting that we are this close to the Primary elections and the candidates have not introduced any type of tech policy. Excited about the event on the 11th, look forward to learning more about the recommendations and am curious to see how it will influence the 2016 candidates.

4 years
Reply

Glad to hear someone is stepping up and taking the reins on the tech front. Looking forward to the event on the 11th.

4 years
Reply

As an animal lover, I am happy to hear that those abusing animals will be brought some justice. Good point that those abusing animals could likely be involved in larger crimes as well.

4 years
Reply

The funny thing here is that Science Fiction writers have been from both sides for nearly a century. And now that it's coming to pass no one wants to talk about it. One of the common answers was what amounts to equitable taxation and funding for those who have been relieved of work through modernization, the Utopian side. The Dystopian side was, of course, well covered by Orwell, amongst others who feared what the increased use of technology would bring about. Or consider Coma, or The Stepford Wives, to say nothing of WestWorld.

4 years
Reply

Is there any question that Big Business abhors the thought that someone might figure out what shenanigans they're up to through transparency of data?

4 years
Reply

Savvy writing. I am thankful for the facts. Does anyone know if I might grab a fillable form version to fill in?

4 years
Reply

Contractors working under a time and materials contract are required to track their time. If it's a firm fixed price contract their employer is under no obligation to report his or her employees' time to the government.

4 years
Reply

As for CIO Richard McKinney's LinkedIn request for a profile endorsement, if there are federal CIOs who aren't keeping their options open (particularly politically appointed ones) they either have their heads in the sand or are somehow independently wealthy. One never knows when the hatchet may fall in that position as you're always one cyber breach from being hauled in front of Congress to cite just one risk.

4 years
Reply

Interested to see how this reorganization impacts efforts moving forward. Hoping quality of work isn't sacrificed for the sake of consolidating.

4 years
Reply

Glad NSA is looking ahead as an organization instead of staying stuck in their ways. Is the agency providing their landmark goals after the 2 year mark?

4 years
Reply

Interesting read...where do we draw the line? Allowing the NSA to oversee defensive info leads to inevitable conflicts of interest.

4 years
Reply

Awesome! Mr. Kingsberry is brilliant!

4 years
Reply

I think it is important to not only have a tech policy, but also to raise awareness of the fact we need one. Politicians drive the government and media drives the politicians. If more farmers, welders, cab drivers, non-techies, etc. become aware of the need for a tech policy and make it a talking point the candidates will speak to it. I think it is important to make, and to promote those recommendations to all those who will be touched by the technology. If the people demand something loud enough it starts to stand a chance of becoming a reality.

4 years
Reply

Thank you for pointing out powerful women in the STEM field. There should be more than a day dedicated to this

4 years
Reply

Really enjoyed this article, think our schools and government should encourage more women to pursue STEM careers!

4 years
Reply

Many observers believe that the Edgar Snowden case has caused such an irreversible damage to his agency that might take a lot more monies to fix it. Here, people are not talking about replicable system(s) that he has assisted to create in his host country, but his time in Hong Kong gave away the vulnerability of many other systems. It might make both Congress and the White House to re-fathom the damages.
The questions are that "can NSA21 fully overcome the past Snowden case?", and "how many other agencies will need their op overhauls as results of the case?" Also, Hacking and Intrusion are two separate cyber behaviors from the practices of the cyber rouge.

4 years
Reply

Thanks for sharing. These are definitely bold recommendations that the next President can utilize to help serve the people. Will be interesting to see these proposed changes in action.

4 years
Reply

Great idea! I applaud the effort. From a marketing (and patriotism) perspective, I would never use the lower case for any letter in USA, even if part of another name.
Also, it is unclear what .USA2020 is and where I can find a copy.
Lastly, put a hyperlink to: "“Tech Iconoclasts – Voting for America’s Success in a Network World,” an open letter to the candidates that outlines five key needs ...."

4 years
Reply

Curious how Tony Scott has changed his mind on the CISO role, especially considering how long it's taken agencies to figure out the role of the CIO. It is poor timing that Obama will be leaving office soon -- hopefully the next President finds tech policy and cyber security to be of the same importance.

4 years
Reply

Just ask John Brennan what keeps him up at night as he revealed in his 60 minutes interview on Sunday evening. Cybersecurity needs to be the number one priority.

4 years
Reply

Love the proactive approach. Interested to see the impact this report makes.

4 years
Reply

No matter what party, the next President needs to realize the importance of beefing up Federal IT and bringing in young talent - otherwise information security will continue to be a headache for all Federal CIOs.

4 years
Reply

Wow, horribly disingenuous title. GSA has made its share of mistakes with the program, but does your title inflame things more or less than they were yesterday?

4 years
Reply

Sounds like a couple of CSPs got their FedRAMP ATOs in the last couple of weeks which is great news. Understand that it took some of them more than two years.

4 years
Reply

Poke the bear baby, seems everybody else is afraid to say the emperor's naked.

4 years
Reply

It'll be interesting to see how Apple's competitors line up on this issue. Believe Google's lining up with Apple. Difficult to have a conversation about secret matters out in the open. Guessing that the real solution to this issue will not play out on the front page. Let's hope it doesn't play out in the obits.

4 years
Reply

Interesting data, but how does this help us improve government efficiency and accountability and do we need to publish it to the public. Aren't there more pressing challenges in government on which we should be spending our scarce budgets?

4 years
Reply

well if it comes down to who has more power and money I'll take Apple and Google for the win!

4 years
Reply

" tech students ages 18-25 said they trust the government more than they trust private companies "
total morons, I guess they never heard the story of Ohio State.
Sure trust them all you want and you will pay for it.....

4 years
1 Comment Reply

Yeah, when I'm in trouble, it's those private companies I call first. They are just so altruistic!

Careful with the name calling; I think history is on the side of the respondents to that poll.

4 years
Reply

Yeah, this title is ridiculous. Having dealt with government security/compliance for a while, FedRAMP is probably the best idea in a long time, even if it's far, far from perfect.

4 years
Reply

The title is clickbait, pure and simple.

Also, the FedRAMP logo you used is also over a year out of date at this point.

4 years
Reply

GSA is opting out of your event, not FedRAMP. This is just Mr. O'Keefe trying to be relevant but sounding like a petulant child.

4 years
Reply

I saw the headline and thought I must have missed a breaking news story. No, it's just a deliberately inaccurate click-bait title, promoting MeriTalk's FedRAMP event. But it worked. (Hangs head in shame, goes to room for a time-out.)

4 years
Reply

Does the author even follow government cloud efforts or understand the authorization process. This article neither informs nor helps the process. FedRAMP works to get industry and government to approve once and re-use many. Great idea I say.

4 years
Reply

What is interesting to me is that the phone is OWNED BY THE COUNTY. I assume that the user had no right to or expectation of privacy and that the OWNER may want to get in to its own phone.

Apple is setting itself up as the final authority but in this country, the legal system will have a lot to say about that.

4 years
Reply

I am a retired Army officer having had a Top Secret SCI clearance and currently work in the information technology (IT) industry (not for Apple or Google). I support national security and am strongly against leaking US capabilities as Edward Snowden did. However, I must take the side of Apple/Google in this issue. The US government should not force the IT industry to create back doors to break encryption and get to customer data.

4 years
Reply

Retired Army Officer & IT Professional - Continued.... Once back doors are created for US government, then every country we sell our products into will require IT industry to provide that capability to the host country. If US can require it, why not China or Iran or Venezuela or Russia? We all know that there are already state-sponsors of hackers like China that steals people's financial and other private information. No IT company should be forced to insert bugs or back doors to gift countries ways for them to get into private data. Instead, the US government (NSA, CIA, etc.) should use their supercomputers to break the code themselves. Once the US government with its vast resources breaks the encryption, they can keep that code breaking method to themselves and not be forced to provide it to bad state actors like China, Iran, Venezuela, etc. Besides do you trust that once Apple creates this back door, that ex-Apple employees won't later try to sell this capability to the highest bidder? This is nothing but trouble. The FBI can ask NSA to help break the encryption and keep that code-break information in-house. Stop trying to hurt IT business and customer trust.

4 years
Reply

I think this is a strong start to this committee. Glad the government is taking action on our current cybersecurity state.

4 years
Reply

Having problems getting people to your event Steve?

4 years
Reply

Quite the big push for 4 million devices. Hopefully this does help streamline IT operations.

4 years
Reply

Speaking of shortcomings...this article falls way short of being informative. Gasoline anyone?

4 years
Reply
Dan Verton

Having sat through the candid discussions that took place during the working sessions of the FedRAMP Fast Forward Industry group meetings, it is no surprise that this paper and this poor decision by GSA not to engage the CSPs who feel the program is failing are getting so much attention.

I only wish the anonymous government officials and media competitors would put their name to their opinions so we can have a real discussion.

4 years
Reply

No matter where you fall on this discussion I think everyone can agree that it would be good to have a public discussion with GSA playing an active role in the dialogue. Running away from the conversation makes it seem like you have something to hide or nothing to say.

4 years
Reply
Dan Verton

Thanks for the comments folks. If you're interested in how I really feel about this issue, here's the latest: Why You Should Side With the FBI, Not Apple, in the San Bernardino iPhone Case https://www.meritalk.com/why-you-should-side-with-the-fbi-not-apple-in-the-san-bernardino-iphone-case/

4 years
Reply

I'm looking forward to the event and the discussion on how to improve FedRAMP. It would have been an interesting opportunity to hear more about GSA’s FedRAMP 2.0 plan.

4 years
Reply

Good piece on a very complicated issue. I'm all for any steps that will keep me and all Americans safe - even if it means there are some folks "sitting in the basement at NSA headquarters in Fort Meade, Md., right now trying to read your emails and text messages."

4 years
Reply

Thinking some of the anonymous authors may not have read the paper, or even the blog. Neither indicates FedRAMP is a bad idea. Quite the opposite. From the paper: "FedRAMP needs to succeed if the government is to realize the myriad benefits of cloud computing. We’re all heavily invested in the program’s future." What it says - is that there are challenges: "However, the real promise of FedRAMP — embodied in the “certify once, use many times” framework — has been jeopardized by what has become a costly and time-consuming process that lacks transparency and accountability." Read the report - https://www.meritalk.com/study/fix-fedramp/.

4 years
Reply

If anyone wants a better idea of what GSA is doing, here's a REAL look: http://federalnewsradio.com/technology/2016/02/jab-redesign-bring-faster-approval-better-alignment-resources/

4 years
Reply

Looking at these comments, it looks like a pillow fight to me. I would echo some of the sentiments above, people need to read the Fix FedRAMP report. I plan to attend the March 3 meeting and wish GSA would show up and explain the new process. I just read Matt's article above and it's long on promises and very short on real details. Everybody wants to know what concrete steps GSAs going to take to improve the process and to get agencies to play better together. I would say drawing on the recommendations from the industry paper would be a good start.

4 years
Reply

The good things about FedRAMP are that the CSPs are tested by qualified 3PAOs against a consistent set of security standards. There are some issues that can be overcome: packages with embedded document references to files not included; ATOs of specific government implementations of little value to others; packages not up to date; packages with adjustments to finding ratings not explained; POA&Ms which are not POA&Ms but Nessus scans; etc. However, these can be overcome with some Q&A and are typically corrected when asked. So, all in all, a good base program that is still young, but growing in the right direction. 🙂

4 years
Reply

Only took the administration 7 years to establish. Quite an accomplishment :).

4 years
Reply

Always two steps forward, five steps back with things like this..

4 years
Reply

A massive undertaking, but it must be done. Unacceptable for such an important agency to not have the most up to date software

4 years
Reply

How could the FedRAMP PMO ever live with itself if it allowed a package to get through where every Nessus vulnerability was not called out as its own line item on the POA&M? Shudder at the thought of grouping things sensibly.

I too would like to hear what GSA has to say, particularly to the question "how do you run a program overseeing cloud authorizations when you don't understand the cloud or authorizations?" I mean, they're great at chiding CSPs and 3PAOs for column widths, but that's not really what CSPs, the government, or our taxpayers need.

4 years
Reply

love this comment by dr. bray, a true leader: "It really is a much larger team than me. Our success really is because of the entire team we’ve got. It is a team of tens, if not hundreds."

4 years
Reply

Really is a #changeagent !

4 years
Reply

The messenger is just such a toxic bomb thrower that nothing will be corrected with him chairing these discussions. He fills his pockets by making more controversy.

4 years
Reply

This is clearly a difficult question but I agree with you Dan. The real question here is are Americans in control of America? Are we committed to a Republican democracy :-0

4 years
Reply

Are Tim Cook and Hillary Clinton friends? 🙂

4 years
Reply

This is an excellent write up of the issue - very well done.

4 years
Reply

thank you for an inspiring story of leadership in challenging circumstances

4 years
Reply

Sounds like he has the right vision and path forward to meaningful change in the IT space

4 years
Reply

Very scary that companies have a breach and don't know for an average of 256 days...

4 years
Reply

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin

"Big Brother in the form of an increasingly powerful government and in an increasingly powerful private sector will pile the records high with reasons why privacy should give way to national security, to law and order, to efficiency of operation, to scientific advancement and the like." --William O. Douglas (1898-1980), U. S. Supreme Court Justice

The presentation of your views is simplistic, skewed, severely flawed, and demeaning. There will always be people who want to harm and take advantage of others no matter the technology. Your proposed approach is addressing a symptom not the root cause, and you demean the intelligence and integrity of those that may have an opposing view.

Any access, backdoor, or work around that compromises privacy in technology will be abused by criminals, companies, "unfriendly" regimes, and our own federal, state, and local governments - just look at the abuse of “Stingrays” (cell tower simulators) at all levels of government in the U.S. for an example. Be careful not to pursue “quick or easy” at the expense of civil liberties and privacy.

Because of the reporting done to uncover the truth about Stingray use, we know that we cannot completely trust our government to operate by the letter or spirit of the law. Our laws should be changed to protect our privacy by default (yes the internet economy is abusive), and to give it away as individuals to companies if we choose to. The Government is an entirely different entity, and it has abused the trust the citizens (and judges) give it. Our government is based on checks-and-balances, but we are way out of balance with shifting technology.

Your assumption that the courts and judges, including the FISA Court, are able to fully understand the scope, technical capability, and implications relating to the requests they receive - which may or may not contain full disclosure information - is not valid. Again, look at the evidence that law enforcement deceived and misled judges about their use of Stingrays and how they work. People who don’t understand the implications of a technology are easily misled by those requesting approval to use it. The government is bringing this case against Apple BECAUSE it wants a precedent to be set. With the entire process with respect to Stingrays, and other operations, covered in secrecy, checks-and-balance is undermined - it is not possible to prevent situations of abuse.

4 years
Reply

If the government wants a way to access, or a back door into, all of my communications, then I should have a legal back door and insight into theirs.

4 years
Reply

Could not disagree more. I am not "for" or "against" either our government or Silicon Valley. The government's case has less merit in this instance. The court order was unnecessary as the government knows there are other ways to get key data besides cracking the phone. And frankly, why does the vendor have to do this? Is it easier to strong-arm the manufacturer than to get a court to agree that, in the interest of national security, the government itself must hack the device to get the data? Way too many holes in the government's argument and they have been less than forthcoming on the entire issue, instead choosing to frame the argument such that the public must choose between them and Apple.

4 years
Reply

Love the new feature. Interesting insight from David Bray; glad to hear it straight from him. Looking forward to hear more from other IT leaders.

4 years
Reply

Sad to see him go. Mr. Gonzalez has been a strong supporter of VA's modernization efforts.

4 years
Reply

Great article. Loved what David Bray had to say about the importance of having a strong team to combine vision with tactical ideas to move forward.

4 years
Reply

Thanks for sharing the update. Will be interesting to see this unfold.

4 years
Reply

Excellent article. Dr. Bray is a role model for the second generation of Federal CIOs: visionary, articulate, accessible, pragmatic, balanced, and transparent. Federal CIOs need to be communicative not only with their team, but also listening and learning from industry, academia, and peers.

4 years
Reply

Meritalk is a cancerous parasite looking for any angle to be relevant. Just go away already.

4 years
Reply

Interesting that the biggest problem in government IT (culture and leadership) is one that money can't fix

4 years
Reply

Just another example of government mismanagement of funds. If a corporation had 14 projects with "unknown" completion dates, heads would roll

4 years
Reply

It's time for a change agent to be in a leadership position -- after they re-establish trust within OPM.

4 years
Reply

Interesting to look back at the reaction to NSA/Snowden and the lack of responses. Also, lots of questionable actions going on, especially if the government starts competing with industry.

4 years
Reply

Interesting to hear what the protesters have to say. Thanks for the update. Wondering how this will pan out.

4 years
Reply

Thanks for the insight. I have heard compelling arguments from both sides and am interested to see the outcome

4 years
Reply

OPM needs to have strong leadership from the Director through critical business lines and the CIO. With clear business strategies driven by their customer's needs and expectations, OPM has the ability to transform government through an improved workforce. If we can't get it right, maybe contracting the entire organization out would work.

4 years
Reply

"GSA’s shiny new tech innovators need to tread carefully. There’s a long history dating back to 1955 that clearly states “the Federal Government…will not start or carry on any commercial activity to provide a service or product for its own use if such product or service can be procured from private enterprise through ordinary business channels.”"

Nothing new here - they just pulled one from OPM's playbook. They have a $1.X Billion a year business doing consulting and developing/selling their SaaS HR solutions...

4 years
Reply

With social media playing such a huge role in today's society, it's good to know that the real Federal accounts are being verified. I can only imagine this registry will grow moving forward.

4 years
Reply

Scary to think of the misinformation that could be spread from unverified Federal accounts - great forward-thinking move on the part of the registry

4 years
Reply

While it would be helpful for agencies and industry organizations to share cyber breaching incidents, I doubt that will happen. Not sure if a single government agency for cybersecurity is the answer either.

4 years
Reply

Definitely a smart move to verify these Federal accounts. Now we need to protect these accounts from hackers.

4 years
Reply

Thanks for sharing. Great news for ServiceNow's Federal customers.

4 years
Reply

Looks like the fedramp pmo is in crisis mode

4 years
Reply

I agree with the first comment (culture and leadership). I would also add lack of technical knowledge and analytical skill among top leaders and managers. I was disturbed by the statement "It is not feasible to implement [security] on networks that are too old."

4 years
Reply

Why "think" Kate Beckinsale in the "Total Recall" remake? The brilliant 1967 movie "The President's Analyst" has "The Phone Company" (TPC) wanting to implant phones in everyone's head (it will save money on infrastructure). Yes, that's 1967.

4 years
Reply

Who at OMB is leading the charge for the consolidation?

Thanks

Geoff Stilley

4 years
Reply

I can't understand why GSA wasn't at this meeting to give their side. CSPs fear speaking up because of the possibility of being blacklisted. Maybe it's for new FedRAMP leadership at GSA.

4 years
Reply

There were GSA members present, but not from the FedRAMP PMO. To be honest, some of the frustration is misdirected at FedRAMP and really belongs with FISMA and how agencies must authorize information systems. FedRAMP did not change those fundamentals to the extent that some outside the government believe it did - or should.

4 years
Reply

Having had the opportunity to attend in person, it was stated multiple times that it took 14 months to gather and compile the information in the report. This information was provided to the GSA and feedback was given over that time period. My guess would be that the GSA did not attend for the simple reason that the facts are not being accurately portrayed. There are some valid points being made, but when it comes to the timeline disputes, they missed the mark. Whether we are talking about DIACAP, FISMA, RMF or FedRAMP, it takes time to get through any of these processes. If the vendors have not done their due diligence, created a secure architecture or their documentation is "effed up", then it will take longer than designed. If they try to do this without experienced security personnel, then it will take even longer. What I got out of yesterday's meeting was that agencies and the private sector still do not understand the process or requirements. This is nothing new when it comes to Certification and Accreditation or in FedRAMP terms, Assessment and Authorization. Until they are educated we will continue to see these types of complaints.

4 years
Reply

All organizations should be aggressively educating and regularly 'testing' employees to raise awareness and identify those who need further education/reminders - this training and testing is as important as the firewall.

4 years
Reply

Dan,
Thank you for helping me spread the word on our two leadership positions in the Department of Commerce. Those interested in learning more about these positions may contact me at scooper@doc.gov.
Steve Cooper, CIO, US Department of Commerce

4 years
Reply

It's not FedRAMP's fault that a large portion of those costs and delays are internal on the vendor side to achieve compliance with the technical and policy requirements. It would be a real shame -- and destroy FedRAMP's credibility with the security community -- if political pressure leads to a watering down of the security controls. That would send us back to square one, with each agency insisting on applying its own overlay entirely. At least now there is some common ground, although, as noted above, individual organizations do (and likely always will) have the right to demand higher levels of security for themselves.

I would also suggest that the real challenge with FedRAMP lies not with GSA, but with DISA and FedRAMP+. That process is still very immature, despite the fact that DoD has more money available to spend on cloud than the rest of the government combined.

4 years
Reply

FedRAMP's job is accreditation not teaching. Having to teach proper security to CSPs who don't come in with the knowledge of how to secure their systems to FISMA baselines slows FedRAMP down. The process is supposed to be challenging; a movement to whitewash this challenge makes no one a winner, especially agencies and missions who count on a proper vetting process. I see the same CSPs complaining about the process, the same ones that protest cloud awards on the basis that they couldn't understand how to respond to cloud services questions. Perhaps their time is better spent on investing in their people, systems, and processes than attending complaint rallies.

4 years
Reply

Attended the event, and it was clear there was a lot of concern about FedRAMP, and confusion on clarifications. Was great to have such a collaborative discussion about how to fix FedRAMP - just wish GSA was there to give their side

4 years
Reply

Note: the policy was released for public comment on March 2nd. It is not yet official policy.

4 years
Reply

Definitely important to inform staff of the risks here - everyone should know what subject lines, link types, etc... to look out for to avoid a data breach like this

4 years
Reply

It's painfully obvious that the current iteration of FedRAMP was authored and being implemented to accommodate those with deep pockets, not learning, laziness or poor execution espoused by supporters. It is complex by design to prohibit competition. The dynamic nature of the standard in general is driving up costs and this latest exercise supports that fact. FedRAMP needs to be simplified dramatically and leverage and/or build on other certifications. Due to its current complexity there is more misinformation than concrete paths to achievement, exactly what it was "supposedly" designed to avoid. Other authors are correct in that it isn't only FedRAMP, as there are a multitude of autonomous agency diversions pervasive in the context of Federal standards, particularly from those Federal entities which stand to benefit the most from the process, such as the IRS, SoS, etc. In failing to address the kludge of agency interpretation and deviations FedRAMP is all but useless. It is important to note that this consideration is a step in the right direction, however, failure to address those agencies run amok seals its fate. Perhaps government isn't the answer here as the bullying implies. Since GSA was apparently absent nothing will improve as the problems remain insulated and isolated in their own bureaucratic towers of self-interest.

4 years
Reply

This is quite a goal. Definitely necessary, so will be interesting to see how it pans out.

4 years
Reply

Government Acq Professional here... comment at 1:17 fits my experience. The people writing the standards are often either a) ignorant on what is actually required to be "secure" and/or b) just doing what industry (industry to them is big defense IT contractors) tell them they should do. They seek input from "industry", and build their plans from that input. That input is almost always self-interested. Big defense IT isn't stupid. They've played this game for a long time. If they get 15-20% of their recommendations put in they'll be more able to maintain control of competition. The people that ALWAYS win are the people good at manipulating Government cogs, not the people good at building smart solutions. Further, it's ALWAYS a better decision for Government organizations (groups of individuals with jobs) to "cover all your bases" than it is to write lean, "risky" or "smart" regs. Just write 1000 pages and at least if something goes wrong and some system gets hacked you'll have some section to blame, not someone to fire. Round and round we go.

4 years
Reply

Another example of how automating tasks can save money for government agencies. The number of data centers they have closed due to cloud computing is impressive.

4 years
Reply

Seems that since the motions to create attention and sponsor fees haven't worked, why not tie the government up with baseless complaints and see if that negative attention works out better.

4 years
Reply

I agree with the above comment. It's important to continually educate employees on phishing scams. 400 percent increase is mighty high.

4 years
Reply

Think this is a great idea (glad they are vetting the hackers first). It's helpful to have hackers on our side when possible.

4 years
Reply

Agencies are talking about charging industry fees to process ATOs; this could turn into a free-for-all. OMB needs to do something; GSA has clearly lost control of this program.

4 years
Reply

I was part of the crush at the caucus meeting last week and it was revealing to hear that AT&T representative tell us that they had an agency refuse to accept their JAB cert. This is chaos, and if GSA has the answers why wasn't Goodrich in the room? Connolly hit the nail on the head: this many folks wouldn't be here if there were big problems with FedRAMP. Everybody's looking for Congress and OMB to provide real leadership. Steve, you need to get a bigger room for the next session; a lot of folks were grumbling about having to stand.

4 years
Reply

The 3PAOs are the culprit in my opinion. They grossly overcharge, drag their feet to charge more $$ per hour, deliver 2nd-rate documents that don't pass muster and have to be redone, and fail to assist companies through the process. I've done many assessments under FISMA. Yes, they are tedious and burdensome and too centered on documentation over real security. But two years and $4 million? GSA isn't charging that money, and although they could move faster on evaluating documents, the real delays lie in the assessments -- done by 3PAOs.

4 years
Reply

What would make this whole process much easier on the CSPs is if FedRAMP had some sort of advisory branch that CSPs could use to advise on the correct implementations. Right now, the PMO won't look at any package until it's completed; however, cloud providers are often guilty of misinterpreting the NIST guidance or have basic questions about if a certain approach will meet FedRAMP requirements. As of now, CSPs can just send questions to the FedRAMP e-mail address, but the responders often state that it's the opinion of the 3PAO as to whether the control is compliant. This doesn't work for the CSPs - most want to go in with a solid offering, but they're working in the dark. And the PMO is ridiculously slow - they deserve a lot of blame in the amount of time this process takes. They hold both CSPs' AND 3PAOs' feet to the fire with respect to the schedule, kicking them back with the most minor schedule transgression, without thinking that it applies to them in the slightest. Security assessment plans, which should be the agreement between the CSP, the PMO, and the 3PAO on how testing should be conducted, are often the very last things to be approved - often after the testing is completed. The PMO is working to get more educational material out for CSPs, but in general, it's not enough. As a result, the PMO is slow as they work through reviewing the system security plans because they're delivering a lot of bad news to the CSPs - bad news that often takes time and money to fix. I would love to see them appoint a CSP-advisor type similar to the Federal advisory Ashley Mahan so CSPs can go in with cleaner offerings. And the PMO really needs to get its processes down better - the security assessment plan should be agreed on prior to the commencement of the testing.

4 years
Reply

I am very puzzled at what Meritalk is doing stirring up this controversy, it appears they are attempting to take a page from the old WWF / now WWE wrestling entertainment industry to get people talking about FedRAMP. As a person who led certification of one of the first SaaS through JAB authorization a year ago, I found the program remarkably brilliant in its design using the FISMA / NIST 800-53 standards as a base and additional FedRAMP controls applied to cloud services. It just made sense, I followed the directions and phases and was able to get a complex, multi-service SaaS properly authorized in 12 months from kickoff to p-ATO. Not really sure why these (very few) other CSPs are complaining, but if they cannot meet the rigorous requirements of securing a cloud service for Federal Government use then maybe they should not be in the business of providing a cloud service for Government use. Even my non-technical business friend understands the importance of this stating "Our nation's infrastructure depends on strong security controls on its cloud systems". I am quite a bit ashamed at the position Meritalk has put themselves in. I attended one of their conferences a year ago and they appeared to be in support of the program back then but now it looks like they have some personal beef and want to sabotage the leadership of FedRAMP and possibly the entire program. Very unprofessional and people that know can see right through it. I would advise a different course for your publication.

4 years
Reply
Dan Verton

Very glad we were able to facilitate such an important IT policy discussion. And to correct the commentator above, that is all MeriTalk has done. The report is a product of the industry and government members of the FedRAMP Fast Forward Industry Advisory Council. We facilitated the meetings and put their recommendations on paper. This is not an official position of MeriTalk as a publication. The participants (government and industry) in each of the standing room only working group sessions had to remain off the record for what are now obvious reasons. I don't know anybody who doesn't support the program. What I learned from putting their recommendations into the report is that they simply want it to cost less, and work more efficiently and fairly for all. Nobody ever said kill the program. Far from it.

4 years
Reply

Speaking to the costs and wanting to cost less, can you comment Dan on which costs? There is an initial 3PAO third party auditor to procure to audit the system to its documented controls at around $120k for the first year, and then an annual assessment thereafter at about half that cost every year. This one seems to stand out the most, as the other costs seem to be to close gaps in security controls in the system security plan (SSP) which are required. However if this were not a cloud solution but at a government IT location, closing FISMA security gaps would still require very similar costs? Can you tell me a breakdown of these costs they are looking to reduce?

Thanks.

4 years
Reply

Regarding the previous post about costs -- I work for a CSP and have the responsibility of initiating the FedRAMP process. We are a small business with 2 applications utilizing similar environments within AWS. Our process started by speaking with several leading 3PAOs - each of which gave us estimates of $250-300k just to get ready for the eventual certification assessment. They also said we should expect the annual audit to cost about $120k per year due to the enhanced assessment criteria.

FedRAMP is currently a very long and expensive process.

4 years
Reply

Unfortunately, GAO's one trick pony is to move federal data to the cloud in order to reduce the data center footprint. We have all seen how well "the cloud" secures data. What constituency are they really working for?

4 years
1 Comment Reply

And how many of the public and not so public security breaches have occurred in the cloud? None. The cloud security bogeyman is a figment....

4 years
Reply

The VA is already short data center space across all regions, again there seems to be this "the cloud saves all" strategy. Until the work load is changed or data is moved outside VA control I just don't see this happening

4 years
Reply

Sounds like a great program. Looking forward to hearing more about it as it starts up

4 years
Reply

Great idea! Love seeing programs like this come to the forefront

4 years
Reply
Dan Verton

Thank you for your insight - that is exactly what I heard at the conference on Capitol Hill. Small business has pretty much been told you can compete as long as you're comfortable with a certification price tag that could amount to 1/2 or more of your company's entire capitalization. How does a $4 million small business come up with $2 million just to become FedRAMP certified?

4 years
Reply

It's a good goal that will save the government a lot of money. But how will these agencies get all of those data centers consolidated and closed?

4 years
Reply

This makes sense on the $250-300k just to get ready, and I can understand for a small business to meet the additional security technical requirements and personnel roles to provide this can be a big undertaking, either in cloud for Federal or for building an onsite system to FISMA requirements. I think this is where the disconnect is in understanding these cost allocations. They are different for large, medium, and small companies. The good thing FedRAMP provides for SaaS/PaaS authorization is that the previously accredited IaaS can be leveraged and thus keeping controls to infrastructure down to focus on just the SaaS or PaaS controls.

4 years
Reply

It's concerning that consumers have no idea how their information is being shared. Hopefully this sheds more light on the issue of consumer privacy.

4 years
Reply

Who reads this stuff?

4 years
Reply

"Some are now privately calling for [Matt Goodrich's] removal from that position." That's complete BS. Who? No one can lead this as effectively as Matt Goodrich. It's complicated technically, it's political, and he has to deal with the DoD. His salary should be doubled because he's irreplaceable.

4 years
Reply

What is Meritalk looking to get out of "Fix FedRAMP"? Is it purely a money/attention stunt?

4 years
Reply

I am very late to post this, but I think that this is a fantastic blog entry. I am not going to provide details here, but I know of at least two examples where 18-F took credit for the success of others. I agree with their intent and vision and support it (my paraphrasing is high quality UX and Agile delivery that delivers better results to the mission). However, like all Agile/transformational initiatives, it is fair for you and anyone to ask for specific details related to their accomplishments. For example, for each engagement, what was 18-F directly responsible for (as opposed to the agency and their other IT partners), what were the goals of their engagement, what specifically did they do themselves to meet those goals, what did they learn, and how are they applying that learning going forward? 18-F could easily summarize and post those accomplishments, but I suspect as you and others have that there isn't much there. If they have the details that I documented in my reply, then they should post them, and it would help them continue to gain support. Thanks for probing and keep asking fair questions!!!

4 years
Reply

Agreed with Anonymous | Mar 9, 2016 at 12:18 am - Have not heard this ANYWHERE except here.

4 years
Reply

I think bringing public and private stakeholders together is definitely important to create a plan for our future national cybersecurity.

4 years
Reply

Great idea - how can the private sector know what the public sector needs if there isn't an open forum for conversation?

4 years
Reply

I'm not seeing anything to suggest the VA is aggressively advocating Cloud or enterprise solutions. Instead, VA OIT factions and local IT services keep doing their own thing and getting away with it. Nobody is really driving home a clear vision of VA Enterprise Operations, consolidation, etc. Instead all the little fiefdoms are clutching their data like goblins with treasure, or trying to sink money into making their local data patch bigger and more relevant.

4 years
Reply

Tony Summerlin had nothing to do with the launch of FedRAMP. He was never a part of the team of people who worked on FedRAMP.

4 years
Reply

$250-300K is a normal price to ready a CSP for FedRAMP. There are almost 1,000 pages of documentation required. Getting a CSP ready for FedRAMP is entirely different than doing an assessment. Assessments are much quicker.

4 years
Reply

Unfortunately, most CSPs do not take the time to put in the security controls correctly the first time. They don't follow the guidance. Many have never read the Guide to Understanding FedRAMP. Most of them want to try to short-cut the process by not putting in place the security controls, and not describing how they work correctly. Clearly FedRAMP is working or there would not be so many authorizations.

4 years
Reply

I worked at FedRAMP developing the program before it launched and Tony Summerlin had nothing to do with FedRAMP. IEEE Cloud Computing magazine has an excellent historical story of FedRAMP that is accurate.

4 years
Reply

Interesting article. Has Obama seen your Iconoclasts report? Perhaps you could send it to his iPhone :-)

4 years
Reply

I thought Obama made a very compelling case and took a lot of the heat out of this argument. I'm now clear on my position that Apple should comply with the government's cooperation order.

4 years
Reply

We seem to be struggling with important leaps forward in Federal IT right at the end of an administration. Why didn't the administration get these ideas out of the barn earlier? Let's hope the next administration picks up the best of what's on the table and continues to drive real change. What happens to 18F really depends on what real results they can show; a lot of chatter on both sides, would be good to get some real proof points into the open so folks can properly understand the value digital services and 18F have delivered to the government and the taxpayer.

4 years
Reply

All these connections at Veterans Affairs come on top of the questionable connections between Roger Baker and Agilex.

4 years
Reply

"through our proprietary data analytics system"....You mean google, right? That's some serious reporting you're doing with this article. If you did a bit more research, you'd know that TISTA let Art Gonzalez go and the relationship never rebounded.

As for the other folks mentioned, maybe you should reach out to them and get their opinion or reason for leaving the VA.

4 years
Reply

Wondering if there will be real changes made to improve FedRAMP. Looking forward to March 28

4 years
Reply

I'm interested to see what changes Matt Goodrich plans to implement on March 28th. I hope they take some of the recommendations into consideration, it would be great to have a quicker and more transparent process in place.

4 years
Reply

Love that USDS has over 50% female employees despite being a tech-focused team

4 years
Reply

"The PMO opted out of the Cloud Caucus meeting, refused to comment on Fix FedRAMP." This, in a nutshell, sums up what is wrong with FedRAMP. It's all about them, they know what they're doing, everybody else just needs to do things their way or they will take their ball and go home.

4 years
Reply

It's time leadership at GSA wakes up and smells the coffee. FedRAMP impacts all of government IT. The stink off the PMO is smelling up GSA and making other agencies and industry run away holding their noses.

4 years
Reply

Who's going to compensate the CSPs that already crawled naked across broken glass in the old system? When was GSA going to tell industry about these changes? Isn't it time for some adult supervision over there?

4 years
Reply

I'd like to stick up for Matt Goodrich in this difficult situation. I don't think we should be disappointed in Matt, we should be disappointed in ourselves for thinking that somebody with his level of experience was capable of doing this job.

4 years
Reply

Kudos to Dr. David Bray for being named a Young Global Leader by the World Economic Forum. Keep up the great work!

4 years
Reply

I see GSA/18F announced that it will soon be accepting proposals for a contractor to build the FedRAMP Dashboard, which seems to have already been built and is up and running through the FedRAMP OnRAMP. https://github.com/18F/bpa-fedramp-dashboard

I appreciate that the FedRAMP office is pushing greater transparency, but if one of the program goals is to cut down on duplicative, wasteful gov spending then why not use the tools that already exist?

4 years
Reply

I'd like to echo the point above. If you wonder why Trump is rolling to the White House it's precisely because of this blatant disregard for how "civil servants" spend our hard earned tax dollars. Why is GSA issuing an RFP for stuff it can get for free if they just get off their high horse and partner with industry? I'm sick and tired of this pigheadedness and privilege and it has to stop. Who do these government people think they are anyway, you're supposed to be serving our country not spending your money. I have news for you: it's not your money. Here's a hard truth for you Matt Goodrich: if you want to know what's wrong with your program and what's wrong with our government take a good hard look at yourself. GSA leadership, you need to get this situation under control; after the beating on the hill what will it take to get you to wake up? If you don't, you'll make very different decisions with Trump's size 13 in your rear.

4 years
Reply

"Government Tech Rivals Silicon Valley for Innovation." I don't think so. The federal government lacks the the drive that true competition creates. The rules that govern what they can and cannot do adds a structure that inhibits creativity. A company's debt is real debt with consequences that drive innovation and rewards winning innovation with the spoils being first, not only credit but also revenue.

4 years
Reply

Agencies need to learn from this and start moving forward with solutions, instead of arguing over what's happened in the past.

4 years
Reply

Interesting results from the survey. While FITARA gives CIOs the power they need, it really is up to the individual to step up as a leader and change-agent for their agency.

4 years
Reply

The problem with this proposal is at least twofold:

1) It sounds good to have fewer code stacks for 'similar' functions, however it often isn't compatible. For example, "grant management" sounds like it should have a great deal of overlap. However, convergence of code denies the differences in what 'grant management' means both within and across agencies (e.g., managing to give out grant funds without pre-planning and/or observation of use/outcomes, making grants based on pre-planned qualification guidelines/preparation, making grants and tracking funds usage, making grants/tracking funds usage/identifying outcomes, or advance planning based on historical funding/planning/granting/tracking usage/measuring outcomes/holding grantees responsible). Each of those activities requires different data, processes and metrics. Even within agencies (e.g. FAA vs. NHTSA), the functions can be quite different.

2) Making the Federal code-base public increases vulnerability to attack. Black-hat hackers abound.

This is not saying that there aren't redundancies that should be mitigated across the Federal IT space. It is just a comment that it really isn't as easy as it sounds, nor as redundant as it might seem at first blush.

4 years
Reply

You need to do a "lessons learned" analysis and then focus on promulgating and implementing the lessons. One HUGE lesson from the initial HealthCare.gov site should be that a project of that size is doomed to stumble or outright fail when significant requirements are changed (by the government) one month prior to launch, as they did with HealthCare.gov.

4 years
Reply

Regarding the above comment about costs. There is always going to be a cost. If you are working to deliver a cloud solution in order to "secure" - it costs money. Let's put FedRAMP aside for a moment. If a firm has its eye on the Fed space - in order to play you are going to have to pay. The $250-300K "to get ready" - sounds reasonable - as you will need to invest in technologies and documentation development. Your SOC 2 is not going to cut it. Most CSPs that have interest in playing have SSPs that - either do not exist - or very weak.

4 years
Reply

There is clearly much to be learned from this situation - hard to believe the rollout was bungled so badly when they knew there would be a lot of attention

4 years
Reply

Great to see government agencies expand outside the typical CIO role

4 years
Reply

Susie? Are you not aware that both AWS and ARC-P have been in the pilot since the start with Microsoft? Has Goodrich said your ATO will be first as opposed to the plan that he will release ATOs for the 3 at the same time? Seems either you are misinformed and/or disingenuous. You pick

4 years
Reply

Wasn't the rollout plagued by government furlough due to political wrangling and the failure of Congress to pass a budget? Let me know when Congress pays attention to a "Lessons Learned" analysis.

4 years
Reply

Don't let facts get in the way of marketing. With all this talk, you would think Azure already has Level 4 provisional authorization, NOT yet. Lean back on those skis a bit.

4 years
Reply

Is Azure working towards authorization or some forked off version(s) that is out of alignment with their commercial cloud? Does a cage of gear equal "cloud"?

4 years
Reply

Level 4/5 does not require a physically separated data center for DoD. You are allowed to share with other federal government data stores, and even then, the data center itself does not need to be separated. You are allowed to have a separate physical segment within an existing commercial data center, as long as you meet the connectivity, CND, and DR/COOP requirements.

4 years
Reply

To the Azure question ... yes, that is how all of these product offerings work in DoD. The big challenges are the BCAP connectivity requirements, which simply can't realistically be extended to multiple facilities, and the fact that you're not allowed to share facilities with commercial service offerings at these impact levels.

4 years
Reply

Perhaps the reason FITARA has made little progress is because only 6% of Feds believe the law will enact any major improvements. To close the gap, we first need to change mindsets

4 years
Reply

GSA is not issuing an RFP for anything it can get for free. Some of the people making posts in this forum are very uninformed.

4 years
Reply

The article seems to be contradictory. On one hand you start by saying the VA is moving away from Agile, but then again you state the following: "In a blog posted late Monday, Council said the change is about making VA “truly agile” in its IT development."

4 years
Reply

Centralization of IT Security is not the problem, rather incompetence at the senior management level is the reason.

4 years
Reply

I'm sure we could both learn a lot from each other. Looking forward to hearing the outcomes of these meetings

4 years
Reply

PMAS was far from agile.

4 years
Reply

The title of the article is misleading.

4 years
Reply

https://playbook.cio.gov

4 years
Reply

The unfortunate reality is that companies like Google will always attract better talent than the Feds - no matter how hard the Federal government tries to compete, they can't offer the same salary and perks. Need to try and approach this issue a different way...

4 years
Reply

I really was hoping for more substance. Q&A was tightly controlled via note cards (!) and they seemed to stay away from the more challenging queries that I know several people asked. To make the timeline shorter, just cull out the part that often takes the longest and make that "customer time" and voila! 6-month ATOs! At least the 3PAOs got more billable time so it wasn't a total loss.

4 years
Reply

How does this address concerns about agencies not accepting one another's ATOs?

4 years
Reply

A lot of fluff!

4 years
Reply

How does this address the SMB cost issues? Now potential CSPs have to "pay to play" with an increase in up-front costs. No guarantee at all for any savings on the back end. 3PAOs came out on top on this deal!

4 years
Reply

I hope Meritalk is going to have follow up interviews with Congressmen Connolly and Lieu! I'd love to hear their take on this...

4 years
Reply

The low numbers from the survey are quite alarming. Just 11% are confident their data centers are fully equipped to meet their agency’s current mission demands, and less than 5% have the security, speed, or capacity they’ll need in 2021? Hope these numbers rise

4 years
Reply

Definitely some concerning statistics. 2021 will be here before agencies know it, and less than 5% have the security, speed, or capacity needed? This doesn't look good for data center consolidation.

4 years
Reply

Interesting comparison. Technology is advancing too quickly to remain in the "Do Your Best" stage.

4 years
Reply

Dan - You seem to think that Meritalk's complaint paper had something to do with this - it didn't. Perhaps Meritalk should reconsider its charter and stop acting like an angry young child.

4 years
Reply

TO ANONYMOUS 3/22 8:32AM: don't get off the elevator on the wrong floor at certain DCs, you may unfortunately find out how correct that statement is in reality.

4 years
Reply

Good work never goes unnoticed. Can't please all of the 3PAOs all of the time. But this was an industry and government-sourced product, not a MeriTalk OP-ED.

4 years
Reply
Dan Verton

Thank you. Yes, anybody who participated in the months of working group meetings knows that this was a product driven by industry and a not insignificant number of federal government IT professionals. There is no editorializing here at all. It also speaks volumes that GSA was briefed on the work many weeks prior to the final report being released, and pulled out of the Cloud Caucus meeting on Capitol Hill. I've been working in Federal technology journalism for 20 years, and this was as good as it gets -- candid input from sources with direct knowledge of what is happening and in-person acknowledgement from lawmakers that the final product got it right.

The meeting on Capitol Hill was packed - standing room only. That speaks directly to the quality of the work that went into the report.

4 years
Reply

Good story - really important information from Dave Powner that has not been discussed during the last round of public hearings.

4 years
Reply

This is a common mantra among feds "29 agency and staff offices and they all had their own IT governance process on top of the department’s governance process" so can the USDA share these secrets of success with other agency CIOs, CFOs, and CxOs?

4 years
Reply

Judi, please lose your prejudicial blinders. People of color are hardly the only victims of unjust police execution.

http://www.azcentral.com/story/news/local/mesa/2016/03/30/judge-body-camera-videos-texas-mans-shooting-mesa-police-officer-wont-released/82423656/

4 years
Reply

Definitely a leadership issue - too much turnover at the top of VA's OIT.
Running a close second is a top-heavy organization. Too many Chief of this, assistant chief of that, division chief of the other thing, supervisor of something else. Not enough hands-on workers to do the work.
And the latest move is to move all of IT to a national organization, with, yup, more levels of management.
Why was VA allowed to create supervisory jobs with only 3 direct reports? And dozens of this, across the country. Every few months, there is a new initiative, new direction, new focus, new action item, or whatever, and EVERYTHING comes from Council as a drop-what-you-are-doing-and-do-this priority.
Way to kill what little morale may have existed.

4 years
Reply

This is an impressive undertaking by USDA. However, I think each agency needs their own director of FITARA in order to reach this level of understanding and alignment to the act.

4 years
Reply

I think this is great to help out small businesses with technology platforms. Thanks for sharing.

4 years
Reply

I'm glad to see a discussion that's encouraging women to step up in Federal leadership.

4 years
Reply

Great to see momentum for Health Interoperability. My concern is that I am not seeing any reference to human services interoperability - and Social Determinants. Isn't it time to think holistically and more specifically about interoperability including social and human services - since we know their critical importance?

4 years
Reply

Great concept. Interested to see if other agencies start to do this as well.

4 years
Reply

This is exactly what the Federal government needs, a young, fresh mind willing to dive in and make a wave of change

4 years
Reply

Great message from Van Dyck. Hopefully the government starts to listen to their citizens and close that technology gap.

4 years
Reply

This is what I've been waiting for

4 years
Reply

Nice to hear the feds are working to streamline the access to medical documents and make life for the ill easier. However, placing everything under two logins and relying on the federal government to watch it has its own issues. After all, our government is always on top of it, and the best hackers in the world are on top of our federal government.

4 years
Reply

Sounds like a great lineup at the Forum. And, cyber security is always relevant. Looking forward to attending.

4 years
Reply

I’m interested to hear the panel’s thoughts and recommendations for smarter cyber security. Seems like a great line up of speakers. I'm looking forward to the event.

4 years
Reply

Nice mix of speakers across all levels of government. Will be good to get a variety of perspectives on such a pervasive problem.

4 years
Reply

I am not sure what the goal is for this new service. You say, "Others say Chrousos deserves much of the credit for getting GSA and 18F this close to a goal that many have been trying to achieve for the better part of a decade—closer integration to improve the customer experience." Who is the customer in this transaction? What does this have to do with GSA directly competing with industry? And what is "18F’s critical mission" being protected?

The people at 18F turn away work because they do not have the resources, as is not well known they have had difficulty hiring actual engineers and back-end coders. They are flush with front end designers and researchers who are idle because they cannot do end-end development. They also turn away work because they disagree with the potential client or demand that they have access to a Department Secretary before they will take a job of an operating entity.

It is curious that I have yet to see an article in any press that quotes an agency client. The success stories are always from 18F staff, GSA leadership and, sometimes, White House personnel. There is a discussion by 18F about their success with USCIS, but has USCIS said that their engagement was a success?

There has not been any rigorous review of 18F progress. How many actual deployments via cloud.gov? How many acquisitions were successful from their consultancy? How many task orders on the agile BPA? How many clients? What is the impact of the work, that is what happened post-launch of a project? What were their challenges and successes? It is not clear that this experiment of an internal body shop is not falling to the standard government IT investment problem: lack of rigor in review and saying everything is great and blindly continuing the investment.

Has it been reported how many millions have been spent on 18F, what have they billed out, and what are the results? This is the way that one evaluates a business. I would appreciate some reporting that addresses this, rather than uncritical praise.

4 years
Reply

I did not think it was legal for government agencies to lobby congress. 18F is a powder keg and its personnel are running around flicking matches everywhere. How do they have the stones to ask for expanded power when there is no evidence that they have delivered any value? How many times does GSA have to get it tragically wrong and get in trouble with the law before it learns from its absurd mistakes? And the sad part here, the tax payer always picks up the tab for the stupidity.

4 years
Reply

GSA should be applauded for their initiative once again. They can't operationalize anything. Can anybody spell FedRAMP? Maybe it's time to rethink the whole idea of GSA? Can't wait to see those IG and GAO reports.

4 years
Reply

Draining money? They're paid by federal departments who hire their services, and who report being happy with the work they get. This source you have has a distorted perspective. The quote doesn't reflect their business structure in any way.

4 years
1 Comment Reply

Thanks. Can you let us know the agencies that have said they are happy with their results? The reporters could line that up with the agency clients and we can see the relative effectiveness.

4 years
Reply

Folks react to the article based on their positions. Those for 18F think the article's unfair to the newbies. Those against it think it does not go far enough. Dan, I think you did a nice job reporting on what's happening and tiptoeing through the minefield. What we have here is one of the most polarizing issues in our marketplace.

4 years
1 Comment Reply

I agree...comprehensive and fair.

4 years
Reply

Agree that the 18F employees take liberal leave to the extreme. Speaking to several consulting team members, they take pride to say they work throughout the night so they are allowed to start work when they start work. Under the guise of failing small and failing early, they waste money trying to reinvent the wheel. Not sure if it is possible to track all their behind the scene expenses to tinker with acquisitions, 18F isn't recuperating their costs. 18F was a good idea but lacked controls. Their leadership needs overhauling.

4 years
Reply

Great insight from Jeff. Cloud technology has definitely improved and will hopefully encourage Feds to move in order to reach data center consolidation goals.

4 years
Reply

Love the videos. Please keep them coming.

4 years
Reply

I think this is great that agencies can vet their mobile security now. Everyone is using their phones regardless, so need to make sure the apps are secure.

4 years
Reply

Interesting that agencies weren't setting these boundaries to begin with. Wonder what the plan will be for agencies who already have existing SLAs without these points written in?

4 years
Reply

Also 18F staff are starting to leave, and the products they build are abandoned. Clearly an ROI problem.

4 years
Reply

Tax payers are going to pick up the tab for this 18F experiment. 18F is an organization that is looking for a REAL mission. Cost controls and results don't seem to be in their vocabulary.

4 years
Reply

This just hides 18F in a new organization and gives that new organization $3 billion. How is that better? Agree with previous poster: "Tax payers are going to pick up the tab for this 18F" which never succeeded at getting stellar results. GSA is a support agency, too far removed from the mission of agencies. Any new venture should not be housed at GSA because GSA does NOT know how to provide value to the mission, let alone to customers. Show me one poll in which GSA is loved?

4 years
Reply

This is bullsh$t, what has this group done that has provided value? This is also ironic, given recent reports and an upcoming GAO report that will show 18F hasn't provided value. It's been the two "new" IT efforts that have not worked at all, namely 18F and USDS, that need to get their sh$t together. Van Dyck doesn't know what she is talking about and doesn't have any examples to point to either...

4 years
Reply

How is this different from the IC CIO that ODNI has had for a while?

4 years
Reply

It's interesting to see these 10 key practices defined by the government... they are "open-end practices" that will help to promote the IT business in both government and private sectors. In other non-civilian agencies, it's similarly called Operational Requirements that also help to grow IT business significantly also. One of the key deals in the Operational Requirements is the Interoperability...God blesses the government over these 10 key deals!
It's a god's bless to have an open-minded government to make the IT business growth marvelously!

4 years
Reply

The "GSA's plan" seems like a part of "govy-to-govy" business model. Whichever agency has access to manage the monies for the gov IT modernization fund should advise the congress to revise the FISMA of 2002 Act. The act needs some new IT security measures (to focus on "prevention" more than "reaction") as rogue sources have been gradually catching up with the latest technology (clouds vulnerability) evolution. The NIST SP 800s could implement the FISMA better if changes were made. In light of such thoughts, the DOC should have a big part in this new funding to help NIST to upgrade its IS implementation beyond the FISMA.

4 years
Reply

Nice vague reference here... Ohhh all the naysayers are totally convinced now!

But sources who have been critical of 18F—particularly those who say it has not yet proven its worth—said in interviews that their thinking has evolved and they no longer believe getting rid of 18F is the answer.

“It’s the right way to go. But what needs to happen to make it really work is you need good leadership, you need to make sure that 18F is doing what they need to do and that they manage customer expectations properly.” said a source with close ties to senior GSA leaders. “You need a well-run customer organization with metrics that runs like a business.”

4 years
Reply

Congratulations

4 years
Reply

Unfortunately, the $600 million scheduling systems from Epic is also based on outdated technology. In fact, the owner of Epic started out as a developer at the VA and derived her own EHR from what she took from the VA. It's not a coincidence that both systems are written in mumps and use the cache database. One difference is that Epic's client software (Epic is an old style client-server system) is written in Microsoft Visual Basic - a technology that was discontinued by Microsoft in 2005. It's no wonder that the VA is hesitant to spend the huge amount required to replace their old scheduling system with another outdated system. The best option would be a complete replacement of VistA (including its scheduling component) with a modern, cloud based enterprise class EHR. None of the legacy EHR vendors offer such a system, but there is at least one such new system available today and several more coming in the next few years.

4 years
1 Comment Reply

It is too bad that all of your facts are completely wrong. You apparently read a book from the 1980's to write your slanted dissertation. The solution being implemented by VA is lipstick on a pig and does absolutely nothing to enhance a Veterans Access to Care. The same invisible appointment slots that exist in VistA today, are still going to be invisible with the new interfaces that are being deployed as part of VSE. Secondly, the Veteran Appointment Request mobile application is simply a way for Veterans to request an appointment. It is the same, protracted, waiting list that Veterans endure today. Epic's Cadence Scheduling system leverages the extreme performance of the Cache database, one of the fastest DB's in existence, and feature rich web and mobile user interfaces, along with business-rules driven appointment scheduling to fill every available appointment slot within the Medical Center or CBOC, and further enhances access to care by searching across facilities to provide appointments in locations across VA. Something that VSE/VAR & VistA cannot do today. At the end of the day, there is little efficiency and enhanced visibility in VA's custom solution. I would also like to point out that VA has spent far in excess of $6M to build VSE/VAR to date, and the $152M to pilot Epic's Cadence is an order of magnitude higher than the price proposed for the pilot.

4 years
Reply

Maybe instead of spending that kind of money on a worthless computer program they should use it to hire more Doctors and Nurses, not to mention Mental Health professionals. $600 million would go a long way to help with the short fall. It is not the scheduling in the computer it is the availability of the services, that is where the shortfall is.

4 years
Reply

I think it's great to actively encourage more women to get into the STEM field, especially at a young age. It's impressive to see the work these young students have already created.

4 years
Reply

It's concerning that state governments didn't have a cyber disruption response strategy in place already. Hopefully this wake up call works and they start developing a plan of their own.

4 years
Reply

Interesting report on the Future of Federal Data Centers. I’m curious what will come out of the OGR hearing this summer.

The ancient Greek technology is fascinating – learn something new every day.

4 years
Reply

Comment above brings up a good point. But, we need both. You need the computer system to understand the demand and shortfall. And of course the doctors/nurses/facilities to meet the needs. We also need one EHR across DoD and VA. While in theory the Defense Healthcare Management System Modernization (DHMSM) program will mean a new EHR for DoD that can share information with VA systems - wondering if this will really pan out.

4 years
Reply

So many of the important utilities that communities depend on are the product of a state and/or local network, not a federal one. One tends to think federal when contemplating the results of a cyber attack. The electricity grid, street lights, parts of water and sewer. One only has to think about Katrina to remember when a federal response was far too slow in responding. If these state cyber safeguards are not put in place the victims of an attack may be left waiting for a fix or help that is slow in coming.

4 years
Reply

This is great. Even greater if, like a cooperative, small businesses can avail of value pricing for such services so these can be afforded.

4 years
Reply

The team of change agents at the FCC have boldly tackled their legacy systems head-on and had great results.

4 years
Reply

Good to see that Congress admits culpability on this issue - hopefully it leads to action

4 years
Reply

Fantastic ideas coming out of these students

4 years
Reply

Interesting findings. However, if consumers are so concerned about the security of their data, and feel they aren't adequately protected, what are their plans to change that?

4 years
Reply

Great to see - maybe success at the state and local level will push the Federal government to catch up

4 years
Reply

I agree with the above comment. People of all ages continue to be concerned with the security of their personal data, but how are the tech companies planning to address these concerns?

4 years
Reply

Based on the number of data centers closed, it's good OMB is revamping the program with DCOI. This ties in nicely with FITARA, so hopefully agencies keep moving forward with FITARA and DCOI together.

4 years
Reply

It is not that the system was flawed, it was the way it was used. Any system can be abused.

4 years
Reply

It was Randy Ledsome, not Randy Jackson.

4 years
Reply

Burns was bounced for his abusive and increasingly bizarre behavior towards his staff who were moving as one group to file a hostile work environment complaint. Under his "leadership" over 100 ATOs have been allowed to lapse with no realistic plan in place to address the problem in the foreseeable future. All this on the verge of the FISMA audit. oops.....

4 years
Reply

I think it's important for communication and automation to be as fast as cyber, but think it will be difficult to remove the human component. Agencies won't want to give up that additional step of human verification if it's leading to increased protection.

4 years
Reply

It's good to see this push for the cloud on the agency side. However, I think Michaela phrased it perfectly, the need to verify a program (or organization) before trusting it fully with sensitive information.

4 years
Reply

The presidential candidates need to listen to this young filmmaker and start addressing cybersecurity sooner, rather than later.

4 years
Reply

Great job, CDC is pushing cloud computing.

4 years
Reply

Very interesting. This should open the eyes of the candidates; if a middle school student can figure this out, they should be able to as well

4 years
Reply

Don't blame Burns for the ATO issue. The ATO is the responsibility of the system owner. If the system owner does not do their job it's their fault.

4 years
Reply

The SO had them ready and he refused to sign, demanding 100% perfection with zero risk acceptance, total abdication of his role, and jeopardizing the mission when DoD was cutting its feed off because he was too afraid.

4 years
Reply

If VA ever wants to turn around its security posture it needs a person like Burns who is supported by the top to bring change. Yes Burns does demand perfection and explanation for variance and he may not be the AO VA wants, but he's the AO VA needs and deserves. How many CISOs has VA been through in the past 10 years... clearly the issue is more systemic than just Burns.... Jerry Davis claimed he was forced to sign ATOs "under duress." Let's not kid ourselves, VA is in bad shape and until the organization is willing to embrace a goal of excellence it will never change.

4 years
Reply

Great perspective - while the social and economic issues are also important, it seems as though candidates forget to lump in cybersecurity with the larger national security conversation. We need to be just as concerned with cyber attacks as we are with an attack on the ground.

4 years
Reply

Tom talks about exfiltration at the close of the interview. Does Akamai have a solution for insider threats? How do you deal with exfiltration with portable media devices?

4 years
Reply

Maybe the right approach is to shift completely to an insurance model? Rather than speculating about who the 3PAOs should be afraid of, the PMO should worry about its credibility? ;-0

4 years
Reply

Mr. Burns

4 years
Reply

Mr. Burns is not a leader. He has no business being an SES for any Federal Agency let alone VA. He had no ability other than to throw tantrums and sit in his office all day with the door closed. He had very good SMEs reporting to him, but refused to listen to them correctly or seek their advice on their area of expertise.
I am sure if you look at his past work history at the other agencies in which he was employed, his record will show the same behaviors. Just a bad person all the way around. The morale in OIS was so low during his short tenure. He has no ability to be introspective. He wasn't moved because he did a good job. I feel bad for the folks that will be working for him now.

4 years
Reply

This article points to the broader issues with FedRAMP inasmuch as the PMO is out of touch with all communities from the agencies to the CSPs to the 3PAOs. I think you'll find that the 3PAOs are not interested in taking out the trash and assuming the liability. It's time for GSA to stop talking and listen and get practical about how to fix this messed up process or cloud computing will remain marginal in the government. OMB needs to step in to make something happen.

4 years
Reply

Tantrum is the perfect word to describe his "management" style and the previous poster is spot-on that he's got a long history of being run out of several other agencies with a foot up his ass. If Brian Burns is the "answer" it has to be a pretty stupid question...

4 years
Reply

Good for the FDA for thinking ahead - reducing redundancy now will save time and dollars later

4 years
Reply

The tech innovation lab is a great idea. People are already using their own devices, so might as well find which one works best for their specific agency.

4 years
Reply

We must fix this soon

4 years
Reply

Liability concerns are over-blown. One of the problems with the current process is the PMO has to do all document reviews prior to issuing a "Ready" status. What the PMO wants from the 3PAO attestation is the assurance that the CSP has done most of the required prep work. With all the templates and checklists that is much easier than in the past. Will the PMO issue findings for some of the packages that have attestations? Probably. But over time this will diminish and weed out the 3PAOs who aren't investing in training and process improvement. I say let's get on with the proposed changes and work to improve the process.

4 years
Reply

^^^ 100x

4 years
Reply

This all points to the issue of outdated legacy systems and should continue to push the government toward modernization. Agencies need to focus on preventative work, as Kanter says, not just fixing current problems.

4 years
Reply

And then there's this story: http://www.bloomberg.com/features/2016-how-to-hack-an-election/

4 years
Reply

That's all well and good I guess but the V.A. system is still B.S.

4 years
Reply

A big overblown system with lots of corruption covering up these horrible criminal acts against nature malpractice, malpractice using the burdensome of privacy laws to get away with it no one of importance has ever said the m-word burying the veterans flesh deeper beneath the Earth

4 years
Reply

What a misleading article and title. Using a headline like "All of our networks are compromised" is significantly more inflammatory than what she actually said, which was that we have to assume that they are compromised. In addition, in spite of the fact that she is an Agency CIO, she has no real Cybersecurity expertise so I am not sure she is qualified to make the statement in the first place.

4 years
Reply

Please - don't get hysterical. Millions of people get good reliable care on a regular basis. The intake processes suck, but the care is GOOD when you get to it. Just remember - the VA is three separate pieces - Cemeteries - Hospitals - Benefits. The VA pays for research on PTSD and Traumatic Brain Injury that no private business would touch.

4 years
1 Comment Reply

"Please - don't get hysterical" is all-in correct. It really doesn't seem like it, but there are uncorrupted folks that truly care and do want for our Veterans all that they need and have earned. We are behind the scenes trying to unravel the mess; and we are not politicians or government civilians . . . and it never seems like enough or fast enough in our book..... SIGH

4 years
Reply

It's refreshing to hear an agency is focusing on innovation. Looking forward to seeing what they come up with

4 years
Reply

The VBA/BVA. is doing RICO

4 years
Reply

Many states, including Minnesota, never left paper ballots and, therefore, we never had to face declining voter trust or the incredible expense. As Minnesota's Secretary of State from 2007 until retiring in 2015 I was in a position to watch states that had moved to computer-based/Internet vulnerable voting begin to rethink and then to begin the painful and expensive process of moving back to the re-countable and scannable paper ballot. We will be using this kind of ballot for as long as the voting public wants to look over the shoulders of election officials during recounts. That will be, I predict, quite a long time.

4 years
Reply
Dan Verton

There absolutely needs to be transparency and trust in the voting process. I've covered electronic voting for more than a decade, and find it fascinating that this is one of the few areas where the IT industry has utterly failed in its lobbying effort. I recall packed hearings with all of the electronic voting vendors testifying that their machines were secure and people should trust them more than manual processes. The pendulum has completely swung back out of their favor.

4 years
Reply

When it comes to resilience is setting the bar too low. The Cyber Security Framework and its five major functions of identify, protect, detect, respond, and recover ignore anticipation and avoidance.

For best results, the value proposition for resilience is based on the ability to anticipate, avoid, withstand, minimize, and recover from the effects of adversity whether natural or man made under all circumstances of use.

Instead, the Government is settling for the operations of withstanding, minimizing, and recovering. Why is this a problem?

The most consequential threat to resilience lies in the cascading and propagating triggers that lie hidden in the complexity of critical sector interactions and dependencies inherent in the system of systems that make up the Critical Infrastructure. Without anticipation and avoidance, cascade triggers are left unattended.

4 years
Reply

Very interesting. Looking forward to seeing what machine learning can make possible. Seems as if the possibilities are endless

4 years
Reply

Hackers are clearly getting faster, and it seems like agencies can't keep up. They need to make it a priority to step up their cyber security strategies.

4 years
Reply

Maybe, FISMA needs a congressional revision to ensure the credibility of the trust relationships between the basic input/output of data processing that is now moving into the cloud computing which is 100% open architecture to make a transparency in the global business integration within the C2C model(s).
Turning the C2C to G2G or C2G is a hard-challenging task ... unfortunately, in today's IT world the cyber security is indefensible due to the rise of new ghost computing. Ironically, ghost computing can be a legal way for business practices by many dubious information service providers.
BTW, the NIST sets the pathway for FEDRAMP to implement the federal cloud computing, but the IT industry won't like to see any new regulations for cloud computing to alter the C2C model.

4 years
Reply

I advocate a shift from "patient" and "beneficiary" to thinking about the lives of the "people we serve." Patient advocates often represent a niche -- often those with chronic conditions with a lot of touch points within healthcare. A majority of "people we serve" have administrative and information exchange needs that patient portals don't meet. Patient are too complex, too time consuming, and too health data intensive, and fail to create pathways to data sharing to social and enabling services. Remember, being safe, having and shelter, child care, diapers, and transportation are a higher individual priority than getting A1C checked.

4 years
Reply

Corrected: I advocate a shift from thinking about "patient" and "beneficiary" needs to thinking about the lives of the "people we serve." Patient advocates often represent a niche -- often those with chronic conditions who have a lot of touch points within healthcare. A majority of "people we serve" have administrative and information exchange needs that patient portals don't meet. Patient portals are too complex, too time consuming, and too data intensive, and fail to create pathways to data sharing that facilitate the whole of our lives and those critical social and enabling services. Remember: Being safe, having shelter, child care, diapers, school registrations, and transportation end up being higher individual priorities than getting routine blood pressure or A1C checks. Recall Maslow's Hierarchy of Needs. Healthcare outcomes suffer when healthcare is treated like a distinct silo set aside from a person's life.

4 years
Reply

As in the IT sphere, agencies need to get more comfortable with sharing best practices among each other and establish some sort of standard across the entire Federal gov. What good is it to have our agencies competing with one another when it comes to employee happiness, IT acquisition, etc..?

4 years
Reply

So are you going to publish names and details or will you keep insinuating things that cannot be validated as true or not?

4 years
Reply

Dan. Did FedRAMP hurt your feelings along the way here or is this all you can muster working in your underwear from your home office?

4 years
Reply

Who are you talking about? If it is Matt, then can he start by citing your company as not capturing business?

4 years
Reply

This is a growing problem, especially when Hospitals and key infrastructure are exposed to ransomware. Because of the random nature of the attacks, and the clever use of encryption, this malware and its proponents need to be stopped. When you wipe a machine and restore the data, some loss is inevitable, and some information is irreplaceable, which makes this especially egregious. I am glad to see the FBI recognize this, although their response has been visibly weak in the past.

4 years
Reply

It stands to reason that as the role of the CIO evolves, so must the capabilities of those that HAVE the role of CIO. In other words, perhaps the changing role is dictating a different set of experiences and capabilities that CIOs have to bring to the job. And that may mean that the "old guard" may not fit the bill.

4 years
Reply

Scary to think that hackers are evolving beyond needing human error to get inside a system

4 years
Reply

You would think that agencies - no matter the size - would be focused on cyber security strategies to protect their data. Hackers are getting more creative and poor cyber hygiene needs to be fixed.

4 years
Reply
Dan Verton

Oh Anonymous, you have so many different personalities. It's hard to keep up with you. I'm more than happy to have an adult conversation on-the-record about the public comments of government officials. At least Matt Goodrich has always had the courage to own his own commentary -- you will notice there are quotation marks in this story, detailing what he said (on-the-record) about one of the biggest criticisms his program has received from industry.

4 years
Reply

Replacing Lawyers, Business Admins, Accountants and all other non-IT govies with Silicon Valley types is a good thing and it's not happening fast enough if it's really happening.

4 years
Reply

The only reason I can think of for an agency to refuse to share a FedRAMP ATO is because they don't have confidence in their decision and don't want other agencies to see their reasons for accepting risk and making the authorization. All FedRAMP ATOs are supposed to be reported to the FedRAMP PMO.

4 years
Reply

Why were these certain states selected? Wonder if more states will join in.

4 years
Reply

What the heck? These people are qualified experts? What nonsense?

First of all, Mr. Rivkin is absolutely uninformed and perhaps even nuts if he thinks that the only way to track down a terrorist is to use digital surveillance. How about following the money? How about meta data, both digital and offline? How about offline surveillance? How about infiltration?

Second, Ms. Strossen is misinformed to say that data mining is not junk science. If it was, companies like Google, Facebook, Twitter, and LinkedIn wouldn't be multi-billion dollar companies, because they are all completely dependent upon data mining.

The article seems to suggest that neither debate understands the true nature of the issue. It isn't an issue of security vs privacy. It's an issue of personal security vs. national security. National security must never trump personal security, because the only valid reason to justify national security IS personal security.

4 years
Reply

Ugh ... and I hate the fact that I can't edit my comment if I spot typos in it. Not to mention the fact that there's no way to format it into paragraphs. Even if you try, this stupid website squashes them all into one paragraph.

4 years
Reply

“Everyone here is in exactly the right position,”

Obviously he works at a different FDA.

4 years
Reply

It will be interesting to see if agencies start moving to the cloud more with Box. It's great that Box is working on the added security too.

4 years
Reply

States tend to move in a different direction when the federal government is too heavily involved. Will be interesting to see what happens and if states choose a different network.

4 years
Reply

Great to see big data working to combat such a pervasive, national issue. Hopefully a sign of things to come in other areas.

4 years
Reply

I think this will improve collaboration between agencies, strengthen the push to comply with FedRAMP and the move to the cloud. Box is a great investment for the fed agencies and an investor. I see a great future ahead.

4 years
Reply

Think it's great to hear that a full effort is being put in to fight against cancer. It is time for all hands on deck

4 years
Reply

This is a great example of what data collection and analytics can provide. Look forward to seeing how big data can impact other areas of healthcare.

4 years
Reply

It would have been useful to actually have someone knowledgeable about data security comment on the issues.

4 years
Reply

You are doing a great justice let's hope you awaken the sleeping giant(s) who know what a sham all of this is

4 years
Reply

I can hear the Donald now when he takes office, "You're Fired!".

4 years
Reply

I just felt the silent majority get angrier. Maybe the 18F team should have focused on developing a new sign for transgender bathrooms?

4 years
Reply

The government’s 18F, with its manageable hours and public service mission, is attracting former journalists http://www.niemanlab.org/2016/05/the-governments-18f-with-its-manageable-hours-and-public-service-mission-is-attracting-former-journalists/

4 years
Reply

real story is how many of 18F's hires are bloggers and journalists, should make the public worried they're more focused on branding and stories vs. actually doing IT?

4 years
Reply

I'd have to agree with you...18F branding sounds a lot more like fluff than actual work

4 years
Reply

So wait. Government employees are working on the weekend - when they aren't getting paid - and this is newsworthy and something to complain to congress about? Please. Find something real to report on.

4 years
Reply

This is quite the expansion - a lot of big name techies. Hope this approach will drive new technology in the defense field.

4 years
Reply

Every Federal Department has an org chart chock full of IT, security, development, marketing, etc., professionals. So we need another layer to foster...what?

From 18F's site:

"[W]e’re an office of federal employees acting as a civic consultancy for the government."

What does that mean? What the heck is civic consultancy? If you do a search, you'll find "Civic Consulting" fairly easily, and guess where the top links take you? That's right - Chicago! Why am I not surprised? This smells like another 'social responsibility' scheme cooked up by the left. How much is this costing us, for Federal employees to offer us 'civic' insights. Sounds to me like Big Government once again trying to manage everything centrally from DC.

4 years
Reply

nice to see someone reporting on what has aggravated so many people in Washington for quite a while now. would be great if gsa focused on their actual mission - never mind that it's completely out of gsa's scope to even create a group like 18f. i too am all for government IT innovation - but take one look at the list of "innovations" 18f has tackled and you'll laugh...and then probably cry.

4 years
Reply

So, these are the people the Administration wants to handle technology transformation?

4 years
Reply

The 18F blog post from 5/10/16 - Building a Modern Shared Authentication Platform is quite humorous given this recent turn of events. Physician heal thyself?
https://18f.gsa.gov/2016/05/10/building-a-modern-shared-authentication-platform/

"In addition to making logging in to government sites easier, the public will also benefit from a more streamlined and efficient interaction with the federal government in general." - Check

"This system is designed to be your one account for government, giving you control over how you want to interact with agencies, and breaking down critical barriers between participating agencies, if you so choose." - Check

Preserving privacy by mitigating privacy risks and adhering to all federal privacy guidelines. - Needs Improvement...

4 years
Reply

How is it that this organization is tasked with anything? What is its authority? What is its funding? What compliance obligations attach to it? Why did the government set-up this organization in the first place?

4 years
1 Comment Reply

The people saying that it is overblown probably work for GSA, maybe even within 18F. Data confidentiality also applies to internal employees who may gain access without authorization, glitch or no glitch. The 18F folks are supposed to be the experts in IT and cyber, and yet they are doing just what everyone else does: installing their favorite applications without any sort of security testing process applied, or even checking against policies. Obama's presidency will be remembered for at least one thing, and that's the blatant disregard for established law, policy, and procedures.

4 years
Reply

https://18f.gsa.gov/2016/05/12/introducing-18fs-new-visual-identity/

4 years
Reply

This article is nothing more than uninformed whining. You judge a federal program based on its logo?

The design team's weekend work didn't cost the taxpayers a dime --- they're salaried. Whether they stop on Friday at 5pm or work through the weekend, the taxpayers pay the same. If you are going to talk about money wasted, show us how you come up with your facts.

4 years
1 Comment Reply

Your comment is exactly what I wanted to say. Why spend your time writing to complain about some logo you don't like? There are actual issues to blog about.

4 years
Reply

To the poster at 4:44 - It's not whining; it's frustration with a pack of neophytes skirting the law, undermining the processes of government, and falsely proclaiming their value. Congress needs to intervene here and put an end to this nonsense before these parasites do more damage than what the vulnerability reported today.

4 years
Reply

Skirting the law...by creating a new logo...on their own time? Those monsters! Somebody's got to stop them.

4 years
Reply

Wow, you're *terrified* of 18F. Your fear is palpable. Why is that?

4 years
Reply

What a fiasco. The Air Force is scrounging for parts to keep our jets flying while money is siphoned off to waste on this nonsense.

4 years
Reply

Excellent title on this article - If only Congress could figure out what attracts and motivates government workers to work over the weekend, on their own time, to produce higher quality outputs... imagine that.

4 years
Reply

Perhaps the OPs feel like I do. As we're seeing other news reports, we're at two incidents in about a week associated directly or indirectly with what increasingly appears to be an operation going rogue: the one just identified by the IG, and the GitHub/Uber breach. With regard to the latter, that third-party platform, because its use requires consent to its terms, appears to be a barrier between citizens and their government.

While we're on the subject of third parties, it's not clear how that platform was selected for use. Nor is it clear how the product identified by the IG was selected, nor the drives identified in the IG report, nor the IaaS provider 18F uses. Maybe it's all good; maybe not, but there's no real transparency to understand what's going on there, and, rather than providing it, the organization resorts to self-congratulatory statements of success.

Look, there are some of us who are willing to be convinced otherwise, but, over time, there really hasn't been a lot of detail around this group, and yet, its scope of responsibilities seems to change, to grow, and to duplicate other activities. It may be the culture of postings to respond with hyperbole ("*terrified*") and snark, but the organization would do well to start getting serious about what it does and explain itself, in concrete terms. Otherwise, as the increased interest of the oversight community demonstrates, its days may be numbered.

Just some friendly advice.

4 years
Reply

Gotta say, I liked the old logo better than the new one.

4 years
Reply

This is a disappointment given the mission of 18F. I get that they're supposed to be innovative, but they're also supposed to work within the constraints of FISMA. On a larger scale, this is the same agency that oversees FedRAMP, the framework that is supposed to be providing assurances to the federal government that it is ok for agencies to use commercial cloud services. This incident certainly lends credence to the assertion that GSA is playing fast-and-loose with the security rules in achieving so-called innovation. When are these so-called geniuses going to learn that these security controls are requirements, not just good ideas?!?

4 years
Reply

This is overblown: https://18f.gsa.gov/2016/05/13/how-18f-handles-information-security-and-third-party-applications/

4 years
Reply

Can't wait for the GAO/OIG report on this fully reimbursable "business line." Next year, 18f will be less relevant and forgotten than the Bush years quicksilver projects, except they accomplished something.

4 years
Reply

Agreed, overblown.

4 years
1 Comment Reply

Glad to see 18F reads Meritalk.

4 years
Reply

The reality is that under this administration your social media content is not likely to get you barred from a clearance. In fact, the more radical you appear, the more likely you are to get a clearance from this bunch. Instead, they'll use this information to see how useful a tool you can be to them.

4 years
Reply

My problem is that they're trying to turn coders and developers into managers and communicators. That talent already exists in the organization. If we hired them to program because we have trouble getting that skill set in the gov, then great, stick to that. Some of the 18F folks come from start ups. Communicating across a start up is a lot different than communicating across large orgs and gov wide audiences. 18F's web "standards" announcement is a perfect example. A rookie comms mistake that could have been prevented, had they talked to experienced people.

4 years
Reply

It's great to see data being put to good use in the health care system. Value-based care can definitely make some positive changes in this field.

4 years
Reply

Great example of public-private partnership working to improve the lives of citizens - hopefully this can be replicated nation wide

4 years
Reply

Agree that healthcare organizations must get ready to disrupt or be disrupted. With the shift to value-based care and more and more burden being placed on IT and health IT teams, CIOs must come up with an overarching strategy to ensure organizations don't fall behind.

4 years
Reply

interesting

4 years
Reply

Where's the report? Have you been squashed?

4 years
Reply

So, in addition to losing money, it risks losing data. Nice. BTW, nice to see the bizarre statement issued after the event. Obviously, GSA's lawyers are asleep.

4 years
Reply

Will there ever be a day that legislators will be smart enough not to be surprised by these kinds of results? Seriously folks if these legislators would simply get some street smarts we would be a lot better.

4 years
Reply

There are going to be 10 parts to this bitch fest?

4 years
Reply

follow the money

4 years
Reply

you have just scratched the surface of mismanagement of IT resources at NASA

4 years
Reply

THANK YOU! This was amazing. Nailed everything this 2210 has been dealing with since the PIFs came along, newest iteration of it isn't any better.

4 years
Reply

Certainly misleading - perhaps a better headline would be "EPA CIO assumes bad guys have access to all of our data".

4 years
Reply

I'm looking forward to reading the whole series. I have served in uniform within military IT, as a civilian, and now (again) as a contractor. During my time in service as a 2210, I watched every new idea roll down the pike since 1995, becoming the latest panacea offered for what ails IT in any given agency. But, in what has become an obvious pattern, after the initial glow has worn off it is usually back to business as usual, with only the name of the framework and the acronyms changing. (One thing the government is REALLY good at is coming up with new acronyms!) Look at the recently released FITARA scorecard and it is plain to see that we are not improving; in many areas, we are getting worse.

4 years
Reply

zzzzzzzzzzz This again
Who ran the survey? I guess it's polling time and any survey will do

4 years
Reply

Where did you find these "officials" ???

If 41% are unaware of what GSA's plans are they aren't even reading your blog. Seems like a stretch to call them "Federal IT decision makers" and to call this post "news"

4 years
1 Comment Reply

Since when did lack of pertinent information awareness ever preclude someone from being a decision maker? I have run across plenty both in and out of government.

4 years
Reply

--mental health stigma

Yes, you can call it that. We also once called voiced rape/stigma. Seems we did not learn from that.

4 years
Reply

Big Data often provides the answer, but is it the answer we are looking for? If it enforces what we want to believe, good data. If it proves our "ethical opinion" wrong, bad data.

"Get your facts first, and then you can distort them as much as you please."
-Mark Twain

4 years
Reply

It's great that transparency is increasing in health IT. This will really help advance current practices

4 years
Reply

This should definitely be a flag to the FedRAMP team that changes need to be made if government officials are doubting its value

4 years
Reply

Great story. Look forward to what we'll learn as more analysis is done and insights shared.

4 years
Reply

The above commenter clearly hasn't bothered to read anything on 18F's blog. Can you name another federal agency that speaks as openly about process and failure as GSA, or 18F in particular?

4 years
Reply

I don't think that getting rid of the CSP Supplied path was a good idea. That decision is going to add to delays.

4 years
Reply

It will never be possible to obtain a Provisional ATO in 3 months. Anyone who thinks this is possible does not really understand FISMA or the risk management framework.

4 years
Reply

Thank you for taking a chance and capturing this story. I look forward to future chapters. It will be scary to see just how pervasive the discontent in IT is.

4 years
Reply

Excellent chapter....I look forward to the next installment.

4 years
Reply

Well, this is unsettling. At least now the SSA is aware and can work towards better protection

4 years
Reply

The cyber leaders at SSA need to step up their plan of action. We don't need another OPM-size breach.

4 years
Reply

While SSA may have data on EVERY American citizen, it doesn't have the level of detail of information that OPM had in all the SF85 and SF86 forms. It's apples and oranges folks, yes, still very serious but having SSA's information doesn't provide the same goldmine to Foreign Intelligence Services (FIS) like the OPM background investigation database does. It's "just" the ultimate ID theft jackpot.

4 years
Reply

Average CIO tenure is 2 years ... And many are on a constant speaker circuit promoting themselves.

4 years
Reply

While many people look at these failures as IT failures, and many are, those of us on the inside know that's not the whole story. Anybody who works at a place like a hospital knows that the hospital does whatever it wants and the FCIO isn't going to alter their behavior. I remember an audit at my hospital that had IT brass in attendance, sadly this practice is no longer in effect. I offer two pieces of advice, the first is to have the site's audit weigh heavily into the facility director's evaluation. The second is to have IT SESs directly participate in every audit from the time a site is put on the calendar until the IG releases its results. Require recorded weekly meetings between the SES facility director and the IT SES. Get the two sides to work together and we'll perform much better in these audits.

4 years
Reply

Excellent points...I appreciate your candor in touching this conversation. It prompted a couple of thoughts on my side. Are you familiar with the book The Phoenix Project, by Kim, Behr, and Spafford? It is arguing for DevOps, but it makes the case for agile as well, hitting on a number of your points.
I look forward to reading how you see the impact of the federal budget process. The need to forecast a budget two - three years in advance work reinforces the waterfail method. Budget requests require documentation in the form of requirement documents and OMB reports. There is greater control over the budget when working in shorter sprints, but the powers that be are not always open to new ideas.
Finally, agile seems to help when the inevitable leadership change occurs. Instead of a never ending series of planning efforts in response to new direction given by new leadership, IT teams can demonstrate functionality achieved and adjust as new guidance is provided without losing work.

4 years
Reply

Brian joined VA in 2014...Burns has held senior IT positions at the Defense, Education, Health and Human Services, Interior, and Treasury departments.

"I am very pleased to announce that Mr. Brian Burns has accepted the job as the new chief information security officer for the Department of Veteran Affairs," VA CIO LaVerne Council wrote in an email to staff on Nov. 6 (2015)

Aug 20, 2015 -"Department of Veterans Affairs officials have tapped Associate Deputy Assistant Secretary for Security Operations Daniel Galik to take over as acting chief information security officer for the agency when current CISO Stan Lowe retires from government next week."

4 years
Reply

Brian Burns left the CISO position at VA in early April. He went back to his previous position (VA/DoD Interagency Program Office). Ron Thompson took over the CISO role in early April, but is still performing his duties as PDAS for IT Enterprise Strategic Initiates.

4 years
Reply

Burns was only the CISO at VA for 5 months. He took the job from Dan Galik who was acting as Dan's background is more Security rather than a CISO. Galik came from Security at HHS, not an IT position. Appears as the VA has some serious issues retaining people in this position.
Burns has held 8 different positions in 13 years. Sounds kind of odd don't you think?

Tony Scott on the other hand comes from a very impressive background. However Scott's position is political so the CIO slot will be vacant come Jan 2017. Basically the CIO lame duck slot and nothing more than a reference for a resume . Mr. Scott led the global information technology group at VMware Inc., a position he had held since 2013. Prior to joining VMware Inc., Mr. Scott served as Chief Information Officer (CIO) at Microsoft from 2008 to 2013. Previously, he was the CIO at The Walt Disney Company from 2005 to 2008. From 1999 to 2005, Mr. Scott served as the Chief Technology Officer of Information Systems & Services at General Motors Corporation.

4 years
Reply

If Tony Scott made this decision then the man has lost his ever friggin' mind. Stop and think about why Burns has such a long list of agencies where he has worked - he's always left them with a foot up his backside. Council did not mention his tenure as CISO because she had to relieve him of those duties because the place was in freefall - 150+ expired ATOs with no immediate plan for remediation - only to have everything taken care of by 2018! In fact, this is a new OIG finding for VA! Steph Warren may have been Saddam Hussein, Burns is ISIS. Tony - if you are reading this and this is your choice, for the sake of the country please reconsider!!! Burns will screw up somehow and it will be in spectacular fashion.

4 years
Reply

Why is it a surprise that he would leave that CISO role? I am surprised he lasted as long as he did. While he is solid executive and no one would doubt his expertise in a senior general IT position, he is not an information security professional and was not qualified to run a program like that in the first place. When will the government get it that you can't just throw any Senior Executive (no matter how good they are elsewhere) into a complex Cybersecurity role and expect miracles? D.W. Stender

4 years
Reply

No one should be shocked if this happens. The Federal Government has a history of assigning non-Cybersecurity professionals to senior Cybersecurity roles and then acting shocked when they are unable to perform? Definition of insanity?: Doing the same thing over and over and expecting different results. D.W. Stender

4 years
1 Comment Reply

If this is true, then Scott did not do his homework. Dig into Burns' time at Education and you will see the Deputy Secretary at the time pushed he and the CIO off to Navy due to their gross incompetence. This is akin to electing Trump President - a recipe for disaster.

4 years
Reply

Transition costs are an issue, yes. A look at the overall economics of each scenario, with hook-up requirements included, will often show an economical project.
This article says nothing new nor does it pose any way to lessen these costs.

4 years
Reply

Why are the posting of previous news clips "comments?"

4 years
1 Comment Reply

Probably because the story is inaccurate. Brian Burns stopped being the CISO in April. Ron Thompson is the acting CISO. The other clips were from internal email communications at VA. It showed the string of disasters that is the Office of Information Security since the new VA CIO took over.

4 years
Reply

Fantastic effort by ONC to empower consumers. So many doctors/health systems make it difficult to get data.

4 years
Reply

Seems like Moe is really stepping up to the plate with Virginia's IT. Let's hope his good work continues!

4 years
Reply

today is June 3rd - not April 1st! Tony - please say this is a joke!!!

4 years
Reply

Because these people are so busy playing roles and getting titles and moving from job to job so as to hide the fact that no real work gets done. They clearly forgot that they were there to take care of our veterans. Instead they loose their identity info and fail at simply getting the veterans and appointment.

4 years
1 Comment Reply

Instead they loose their identity info and fail at simply getting the veterans and appointment. ??? LOSE their identity info and fail at simply getting the veterans AN appointment. Guess what, the CISO has nothing to do with appointments. The appointment problem is a PERCEIVED problem. Urgent medical care is delivered timely. Routine care may take some time. How long did it take you to get an appointment with your doctor??? It can take 6-8 weeks or more. 30 days was a goal and not a mandate. Someone determined, however, that 31 days is TOO LONG to see a doctor for a regular check up. NO ONE is dying WAITING IN LINE for care.

4 years
Reply

Back in the 2000/2001 time frame, Burns was CIO of the Bureau of Indian Affairs (BIA). Security was so bad under his management that he was court ordered to disconnect BIA from the Internet. This was all tied to the Cobell v. Salazar case (https://en.wikipedia.org/wiki/Cobell_v._Salazar) and the Indian Trust Fund data lawsuit. BIA, along with several other bureaus within Interior were off the Internet for nearly 8 years! Just Google Brian Burns, Bureau of Indian Affairs, Cobell v Norton.

Around 2006 Burns made his way to the Department of Education as Deputy CIO, hired by his buddy and former IRS colleague Bill Vajda. At this point Burns was I believe in the middle of MSPB hearings relative to his performance (or lack thereof) and Vajda threw him a lifeline and pulled him into ED.

Because of his massive failure in putting together the Education Enterprise IT Services Contract (EDUCATE), in 2007 he was removed from the Deputy CIO position and put in Special Projects by Education COO, Hudson LaForce (Former Dell Computers Executive). In late 2007 or early 2008, LaForce detailed Vajda to OMB and Burns to Navy. Danny Harris, who was the Deputy CFO was installed as acting CIO. Vajda was later detailed to ODNI and where he was eventually sent back to Education. He resigned upon his return and moved back to Michigan and became City Manager for Marquette (he has since resigned from that job and is now working for an ice machine manufacturer). Burns was booted from Navy and made his way back to Education where he was put in an office by himself and basically told to color. He finally made his way to VA and was put in the DoD/VA Integrated Program Office (IPO). He managed to talk his way into the CISO position at VA but after 5 months, was moved back to the IPO...and here we are.

He has made claims that he was the Education CISO (Not true) and has made similar claims about his other professional experience that are also not remotely accurate. Other than a few months as CISO at VA, he has no security experience. He is known as a bully, lacks integrity (completely bankrupt), and is grossly disingenuous.

He has a history of bouncing (running) from agency to agency, is extremely disruptive and certainly unprofessional. He has been at IRS, HHS, VA, Education, and Interior. His tenure with each organization ended almost always due to sub par performance or some professional misstep.

Why the government keeps people around like this is beyond disturbing.

4 years
1 Comment Reply

Correct - Brian Burns was "acting" CISO for 5 months - removed in early April. The author of the article has his facts wrong. Ron Thompson is the acting CISO for VA as of mid-April. Therefore, the VA is NOT losing its CISO!

4 years
Reply

"Burns has held senior IT positions at the Defense, Education, Health and Human Services, Interior, and Treasury departments." Oh, and at the VA. And we wonder why nothing ever gets done within the government. Come January 2017, we'll be seeing another across the board shuffle of all SES staff, just like we did in January 2009, and it will take another 12 months beyond that for the dust to settle.

4 years
Reply

Dom probably won't like it at the VA. LaVerne Council doesn't want the best cyber security program in the federal government, or a good program, or even a program that is fully compliant with the FISMA-mandated minimum requirements. All she wants is to do the bare minimum to convince VA OIG to reduce the "material weakness" to a "significant deficiency" for FY16, before she bails out. You can bet the problems at VA extend beyond this year's audit sites and there will be a material weakness in future years. Who wants to be the CISO under that kind of leadership? He'll just be the next one to take the blame. Hopefully the next VA Secretary will want a good, or even great, cyber security program at the VA. Our veterans deserve it (and should be demanding at least what is required by law).

4 years
Reply

Thank you for sharing, Chelsea! US Cyber Challenge is a great way for young women (18 and above) to get involved in cybersecurity. And the organization's founder, Karen Evans, is a great role model for aspiring women in the field. www.USCyberChallenge.org

4 years
Reply

I guess we all need to secure ourselves and a VPN like PureVPN is mandatory these days

4 years
Reply

just note that, even more so than in the past, the VA OIG always gets its whistleblower!

4 years
Reply

Ms. Council needs to, at the very least, communicate with her staff and could probably benefit from GEN Reimer's comments about turning the mirror and evaluating one's self in addition to pointing out the shortcomings of all the "other people." More is done behind the curtain now than with past CIOs.

4 years
Reply

Sad that IT is not told what is going on. I think this is a big money grab for Council and Susan (@baypines). Fired from Johnson and Johnson and Susan is an outsourcing professional. HMMMM how many Vets will be out of work with the contracts that are going to put out.

4 years
Reply

This transformation of OI&T will greatly impact the service to veterans trying to receive compensation benefits. This will reduce the staff levels at the Regional Offices, creating delays in servicing employees with technical issues, increasing delays in processing veterans claims for benefits. OI&T employees are not being informed of any of this transformation process, creating labor issues.

4 years
1 Comment Reply

When all that matters is your IG audit, who has time for veteran related things?

4 years
Reply

The hiring craze for docs and nurses has been done without the forethought on the additional support that would be required with IT Assets. Service Lines have not been fully implemented after stealing the best and brightest IT professionals from the facilities. Now, the newly built orgs can't function well as the orgs they were robbed from. Morale is at a very low point.

4 years
Reply

Read the headline - "...Before Massive Election Turnover" How many senior IT leaders are left now that know the depth and breadth of corporate VA and its many interrelationships? My way or the highway seems to be the law of survival currently.

4 years
Reply

Don't worry about the brain altering effects though

4 years
Reply

VA OI&T Senior Management is at an all time low under Ms. Council (Terminated from Johnson and Johnson) and Susan McHugh-Polley (outsourcing specialist with 10 years IT experience) that is very little experience to fill a job as Deputy Assistant Secretary Service Delivery and Engineering. At one of the Realignment meetings Susan McHugh-Polley made a statement that she used undocumented workers from ICE to move and set up IT equipment. She said she doesn't care where the work comes from. The senior leadership work under cloak and dagger while trying to outsource most of VA IT operations to outside vendors costing the taxpayer billions of dollars. They have created a culture of fear. Rumors if you make any waves you will be black balled and no one in OI&T is going to offer you a job when we realign. Currently 70% of VA IT positions are filled by veterans.

I served 10 years for my country and give every effort to accomplish all that I can every single day. I should not have to come to work worrying about what my senior leadership who are non veterans are trying to do veterans who are employed by the VA. My wife and daughter who are also veterans should not have to worry that the VA has declared war on their veteran IT employees just to outsource jobs and billions of dollars to large corporations.

Sad that the VA has little empathy for the veterans that are employed by them. But like the VA says, it's all about the veterans unless you work there.

4 years
1 Comment Reply

I suspect that's what the administration told her to say.

4 years
Reply

Couldn't agree more. Ms. Council built a wall around herself and only certain people get an audience. Mr. Warren, although a bit difficult sometimes, had an open door. Ms. Council is rightly suspect of her subordinates but at the same time makes sweeping ill-informed decisions based presumably upon their input. We all wonder.

But this is not new news. Googling Ms. Council's prior employ shows that she has left a wake of broken IT organizations on her path to the VA. Good thing she went into IT vs becoming a neurosurgeon (http://www.computerworld.com/premier100/detail/224)

4 years
Reply

Enterprise Operations is what is wrong with OI&T. Get rid of this organization and IT will improve. Quoting our office a million dollars for a single website tells me the EO folks in Austin do not understand IT or business.

4 years
1 Comment Reply

One of the biggest issues at EO is the price for service. I have heard this complaint across VA from many different folks who need EO services. 250K to 500K for a simple website is crazy! Not to mention if you try to bring in a large project for hosting (millions). Most of the pricing includes VERY excessive price pile on by all sections of EO with no real justification for the cost. If anyone did the same in the private sector they would be out of business even before they started. For example, one project was quoted over 100 million to host and this could be done in the private sector for 10 to 20% of that cost.

4 years
1 Comment Reply

There are good people and groups in EO. Lack of qualified leadership like the rest of the VA plagues EO.

4 years
1 Comment Reply

Good will never not equal qualified.

By this "good" standard a starfish would be just as effective in AITC as the "good" people.

We need qualified people in AITC not a bunch of the starfish that we have now. Many of these GS-14 and 15s all they do is lay around and attempt to look good. They hire "good" unqualified people so they can remain looking smarter and better.
Scrap AITC and their starfish leadership in AITC and OIT will improve...

Hey AITC how is that Cloud project working out?...You know the one you started 4 years ago and.still.no.cloud....I'm so glad I left......

4 years
1 Comment Reply

Access the book now at http://arcg.is/1PhxC3U and http://arcg.is/1UoDWbv . Thanks Jessie!

4 years
Reply

Glad to see Stan Lowe back in the news, if not quoted by name!

4 years
Reply

Steph = Saddam Hussein. LaVerne = ISIS

4 years
Reply

When OI&T took over VBA, VHA and AAC (EO) years ago they added so much overhead that they broke EO. Paperwork, lengthy approvals, data calls, dog and pony shows, budget exercises, non-stop planning leading to nowhere, and hundreds of confusing and worthless processes became much more important than IT services and customer satisfaction. IT moved from results-based performance to CYA reporting.

OI&T and VA leadership forgot that HR, Budgeting, IT Business Offices, Contracting, and other support groups were there to enable IT to perform their core mission, not the other way around. If the military worked the same way as OIT, the combat troops would be responsible for supporting the mission of the logistical command, instead of the other way around.

In the case of EO, the result of this is that they are now bloated with non-IT staff who outnumber the technical staff 3 to 1. Costs increase and service declines and the same thing is happening throughout SDE. Nobody should wonder why sustainment costs eat up so much of the budget. At least 50% of the expenses are probably not core IT functions.

Leadership knows this and are making some changes. MyVA, VIP, reorganization and other initiatives are taking place but I hope they know that it's not just an IT staff problem, nor can IT staff alone fix it.

The real problem is that these IT staff and IT leaders are now responsible and accountable for work outside of their core competencies. Let IT people do IT work and hold those accountable who are not supporting them adequately. If Ms. Council is going to "embed sustainability", she needs to ensure these support groups pull in the same direction as the front line IT staff or they will never be successful. And if they think that outsourcing is the answer, it may work for a little while but eventually the layers of bureaucracy will embed themselves in those services and the same problems will impact them as well.

IT staff and leadership have problems just like any other IT group that's ever existed, but they've been beat up enough for things that are outside their control. You can't beat up an Army that has no logistical or intelligence support. The greatest Field Commanders in the world aren't going to be successful in that scenario.

4 years
1 Comment Reply

AAC/AITC created their own muck. Have you tried to get a server recently? It takes over a year and will cost you $$$$$. OIT did not do this. AAC/AITC did this by pretending to understand how to run a business.

4 years
Reply

LaVerne Council is hands down one of the most destructive and incompetent executives I have ever seen. Remarkable the White House seems to have forgotten to Google her before the nomination, because it isn't hard to find a history of destruction and bullying behavior that is clearly being repeated. She has done more damage than could have possibly been imagined in 9 months, with 6 more to go. It will take years to recover. Steph is sorely missed. He absolutely had the best interests of people and the VA at heart.

4 years
1 Comment Reply

No, it's not the least bit remarkable, it was planned and executed perfectly. As for Steph, no he's not missed.

4 years
Reply

All they had to do was come to J&J and ask people. They would have told the truth...

4 years
Reply

I commend the author in exposing the truth around the leadership of Laverne Council. She leads by intimidation and bullying. Senior management is fearful of speaking up. One can only hope that the next administration does not renew this relationship.

4 years
Reply

Maybe someone should think about hiring someone with a good IT technical background and that also knows something about EHRs and medical informatics. Q-tip management is not the same as medical records, where semantics, interoperability, security all have come together in a cohesive manner. 14 documents to buy a computer, software or storage device and a 6 month lead time will never work. Having 30 people on a software committee - 75% of which have no interest in the activity - wastes time and money and even worse causes distraction for those actually trying to get work done.

4 years
Reply

Wow! I work in VA's OI&T org. I swear to god that reading all of these [negative] comments, that I had blacked out and written most of them myself and simply had no memory of doing it! Signed, a ~30-year military+Fed IT professional.

4 years
2 Comments Reply

30+ years? You are probably also part of the problem as to why the VA is working in the dark ages.

4 years
Reply

Interesting that Mr Wales says we can't withstand an EMP or CME, then says they aren't worth preparing for.

Space scientists say we are absolutely guaranteed to get hit with a CME. See the Lloyds Insurance report on the effects of a solar storm on the North American power grid.

4 years
Reply

Thirty year plus VA IT employee here. I can barely stand to get up in the morning and face the daily crap at work. Most (like 95%) of my peers plan to leave the instant they can afford to. IT has been broken since around 2007 when the first IT reorg was implemented. It has only gone downhill since then. The problem? Wow, where to start? First the culture of trust and the feeling that we were on the same team and valued went out the window. Then communication became a one way street. You can guess the direction. Then all the overhead was added, the policies and procedures, the chain of command, all the minutia that regulates how an IT employee will do anything. The management staff in IT outnumbers the worker bees by a good 5 to one. It’s all about centralization and control these days. The VA used to be an innovator. IT put an end to that. Innovation only exists at the VHA level and IT does its absolute best to make sure it never sees the light of day. The VHA (and others) actively try to work around OIT in order to get things done. This certainly causes more problems in the long run but departments are desperate to get what they think is important accomplished. IT has its “processes”, hundreds of them. In IT the process is much more important than the product. In fact by the time something is through the process the product may well be obsolete or the customer has moved on to something else.
If you are an IT employee at a facility you are basically a serf, a peon, and of absolutely no consequence. The worst possible job in the VA is that of the Facility CIO. The regional service lines are constantly beating on you to do more with less and the facility people are constantly mad at you because you can’t do what they want you to do. This is where the rubber meets the road and it’s the least appreciated and most understaffed area in the VA. It is starting to populate this level with contractors. Most IT staff believe this is where the VA is headed, to outsource the workforce.
If you're a regional service line employee you work from home and never darken the VA's door. I mean, hey that's beneath you and you might have to see one of the serfs, or God forbid, actually speak to one. There are rumors that the regional service lines will be merged into national service lines. Maybe some of the petty tyrants will fall.
There are some national IT folks. Some are good, some aren't. Mostly paperwork wonks. The most interesting group here is the new ePMO office. In one day 1400+ people were moved under this new office. Apparently it was a power/money grab. It appears they haven’t a clue as to what they are going to do with half of the employees they grabbed.
Then there are the contractors. Contractors are used in the DC area to do the actual work. The typical IT organization in DC has just enough VA IT employees to exercise "management" over the mass of contractors. I have little faith or trust of anything that occurs in DC. Booz Allen Hamilton has a massive presence in the VA. If all the Booz Allen Hamilton employees left the VA we would have a massive budget surplus and maybe, just maybe a semi-intelligent decision or two might accidentally fall out of Central Office. Most IT folks consider BAH a parasitic infestation. We have many other contractors too. The latest are the hatchet men for OIG.
Then we have our senior IT non-SES management. The non-SES management people are almost all in an acting capacity, detailed to the position after that person left the VA. They are the leaders in the VA and what is keeping the VA running. They were mostly promoted from the field and have real VA experience. Most try, many are burnt out, some are counting down to 12/31/2016.
Then there is the IT SES crowd. I don't get to breathe that rarified air and don't interact with any of them either. Almost all are new though and that's a good thing. The previous group, collectively, couldn't find water while walking neck deep in the Atlantic. The one standout is Susan McHugh-Polley, she appears competent. She must have been an accidental hiring on the VA's part. The new SES’ers are entirely Ms. Council's handpicked crew. They will do as she says, after all when your job depends upon your boss's whim independent thought is so inconvenient.

4 years
1 Comment Reply

Get real man, Sue's a total clown too. Beyond saving her own job by being LaVerne's axe-woman, and making under-informed knee-jerk reactions to appear to be tough, she's done nothing to make life in the field any better. But I agree with the rest of what you said.

4 years
Reply

I am a Senior Engineer working in OI&T and will most likely leave my position and move to Microsoft and the reason is simple. I am tired of not being listened to regarding technical issues, instead folks with no technical experience are making decisions that are essentially killing off all progress and making the entire VA’s OI&T work force look stupid. It’s time to draw a line in the sand, here now and today and move forward.

4 years
1 Comment Reply

I'll see you there!

4 years
Reply

C'mon, it's not only her fault. I worked in private as well as another federal agency as an IT person and agree that VA needs some improvement. It seems like senior leadership concentrates more on paperwork and more cumbersome project management documentation; it's just nothing but cut/paste of the same materials with different headings (waste of time & materials). Every month there is a new ProPath version adding more useless documentation and a bigger mess rather than reducing paperwork and improving the work environment. Also, six-month deliverables, which should be aligned with 6-month contracts; agile management is a really big, big mess, mismanagement of projects, and makes the job tougher for the Project Manager than it really is. PMO support with 6-month increments is also a mess: contract award, then the on-boarding process takes 1-2 months, then 2 months for learning & familiarizing with the project, and they barely get hold of the project with 2 months left on the contract, which they use for activities related to transferring material to the new team & closing out their contract without accomplishing anything, and the cycle starts all over again.... And here we go.. Flushing away... PMAS, VIP, JAZZ, Primavera, TSPR and tons of other acquisition-related applications and processes, EPMO, all those big acronyms with all the confusing processes make life at the workplace harder than enjoyable. It is easier to manage 10 projects outside than 1 project at VA as a Project Manager.. The list goes on and on and on.. but I will stop right here, with hope that someday our VA and OIT will improve.

4 years
Reply

No worries, Ms. Council is doing what all the other OI&T executives are doing/have done. Work in OI&T long enough to make direction changes that benefit themselves, quit the VA, and immediately become consultants for vendors that capitalize on the executive's empire they had created.

Quite a list of impressive names, huh?

4 years
1 Comment Reply

Create a problem that only you will have a solution for...brilliant!

4 years
Reply

Ms. Council is not the problem. Rusty Baumgardner is the problem. The Guy thinks he knows IT and basically is an Idiot.
I do know all the details. But 50 million dollars down the toilet from one of his latest projects is a call to the OIG for sure. Give me a break.

4 years
1 Comment Reply

So, did you call the IG?

4 years
Reply

Please understand from the inside looking out...It's all about Ms Council, specifically her next awards and magazine cover, period! Sec McDonald made a poor choice.

4 years
Reply

It is fascinating how each story I've read about this hearing has a different take on the outcome. Are 18F and USDS doing a good job? Is there a little room for improvement or a lot of room for improvement? This story comes the closest to what I heard about the hearing. It will be interesting to see what 18F and USDS do next based on the results of the GAO report and the hearing.

4 years
Reply

Will be interesting to see how data in the classroom plays out with privacy concerns. It will be difficult to keep student records secure as we pack them with more and more information.

4 years
Reply

I've been in VA for over 25 years and it seems like a new era of blame the staff. Why can't you develop faster? They do it on the outside faster! Why can't you get that solution deployed faster? They can do it faster on the outside! Over and over again there is the assumption that OIT staff are a bunch of fools and can't get the work done. I would challenge, it's not the staff, but it's the policies and process that we all have to live by. You really want to change VA, stop focusing on thinking OIT staff are not equipped to do good work; change the policies and never ending process that inhibits us from doing what we need to do. Can they do it faster on the outside, probably, but I've yet to see a contractor, or appointee, come in to VA and do anything spectacular because they suddenly realize that we aren't crazy here.

4 years
1 Comment Reply

It's not just the policies and procedures. It's also the inability of upper management to make decisions and stick to them. We face budget limitations every year, and yet our "leadership" is unable to prioritize the IT needs. They ask us to do everything on the list, funded or unfunded. They also are unable to hold to a coherent IT strategy and evaluate requests against that strategy, so that IT is asked to pursue different and conflicting directions. This is not only wasteful but it also causes technical problems that add to the time and cost of dependent efforts.

4 years
Reply

The biggest problem, no chain of command. There is no clear decision tree on anything. Even strategic decisions made by high level managers are flat out ignored and there is no accountability at all. The lack of the chain of command is apparent as most of the time people don't even know who could, would, or has the authority to make a decision.

4 years
Reply

I think agencies do need to switch their mentality, but it will be difficult to secure all of these devices.

4 years
Reply

I wonder how much more money has been siphoned off to various other projects at the expense of the Blue Water Navy/Agent Orange issue?
others to demand that the VA assume responsibility for the effects of Agent Orange on Blue Water vets. Please sign our petition asking Congress to pass House Bill H 969 and Senate Bill S 681 and give us our benefits.
https://www.change.org/p/u-s-house-of-representatives-give-the-vietnam-blue-water-navy-veterans-their-presumptive-rights?recruiter=174924799&utm_source=share_petition&utm_medium=copylink

Call (202)224-3121, give the operator your state and/or zip code and they will connect you with your elected officials’ office. Ask to speak with the liaison for Veterans Affairs...make it clear you are calling as a constituent asking for their support of HR 969 and S 681, the Blue Water Navy Vietnam Veterans Act"

4 years
1 Comment Reply

Nice plug for your cause fool.

4 years
Reply

We ask you to stand with us, and with Representative Chris Gibson, Senator Kirsten Gillibrand, and others to demand that the VA assume responsibility for the effects of Agent Orange on Blue Water vets. Please sign our petition asking Congress to pass House Bill H 969 and Senate Bill S 681 and give us our benefits.
https://www.change.org/p/u-s-house-of-representatives-give-the-vietnam-blue-water-navy-veterans-their-presumptive-rights?recruiter=174924799&utm_source=share_petition&utm_medium=copylink

4 years
Reply

Hello, can I apply for myself?

4 years
Reply

Council needs to leave now! She's a fool and McDonald is a fool to hire her! Neither have improved anything, and in fact Council is making things worse.

4 years
Reply

Please visit https://mobile.va.gov
Not sure how many of the public facing apps are meaningful but many in iTunes now have favorable ratings and feedback like the PTSD coach. Not sure how they were funded but these Veteran facing apps seem to work.

4 years
1 Comment Reply

Spin it!

4 years
Reply

Finally!

4 years
Reply

Who created a lot of those apps? A company called AgileX...

Who worked for AgileX? Roger Baker, former VA CIO.

Who acquired AgileX? Accenture Federal Services.

Who else did they acquire? ASMR.

Who worked for ASMR? David Waltmann, now an advisor within VHA.

What other work does ASMR/Accenture have now? VistA Evolution.

And Accenture just won a contract again for mobile apps. And it is well known within OIT and VHA that Accenture has already been pre-selected to win the forthcoming continuation of VistA Evolution work.

Does anyone see a pattern?

Government employees, working for these contracting companies and then coming back to VA, are getting kickbacks left and right. Misappropriations of medical dollars. Us Veterans not getting the care we need and so we are dying. It's time for someone to investigate these connections!

4 years
1 Comment Reply

The next hires for the IG could make a career investigating VHA procurement of technology.

4 years
Reply

The confidence in leadership the VA suffers at this time is rivaled only by the lack of confidence Congress has in them. For good reason too. At this point not one VA leader is doing well for what they were hired to do. The secretary and his right hand clown buddy start the circus off. From there you have the CIO doubling down on the freak show. After her there's a long line of unqualified yes-men taking up space hoping to survive another week under the queen of hearts. I wish Congress knew how difficult it is for the VA's field level IT workforce to get up in the morning and drag themselves into work to face another day of complete buffoonery. And with the mystery reorganizations that we're told will happen soon it's going to get even harder to suffer through the morning commute. Many are speculating that what we're seeing under this CIO is a planned slow strangulation of the current workforce so we can be replaced with contractors, and it's sad that there's nothing to suggest that's not true. The CIO's lack of open and meaningful communication with her front line workforce does little to ease those concerns so what we're seeing is the typical circling of the wagons at the facility level because of the unknown.

4 years
1 Comment Reply

Hall of fame reply.

4 years
Reply

The worst part of this is that we all have to go into work tomorrow and deal with the added oppression this article will allow to rain down on us. It shouldn't but it always does. Like so many others in my hospital, I wish I could find another place to work.

4 years
Reply

OI&T just can't quit making terrible choices.

4 years
Reply

I have a great deal of respect for many of the smart, idealistic folks at 18f & USDS. However, I do take strong exception to the statement, “We do not intend, and in my opinion, do not compete with the private sector,” by GSA's Phaedra Chrousos. My small business builds websites for the government, 18f builds websites for the government. We are both competing for the same, limited number of projects. The only difference is that I have to be efficient enough to successfully deliver and still make a profit, whereas they do not, because they are subsidized by the taxes I pay. Furthermore, they have complete access to our proposals, pricing and our approach. These are devastating competitive advantages!

4 years
Reply

Ah, yes. The perpetual strawman that claims girls are blocked from STEM. Complete BS. Tell me...who is not granting them access? This is just more social experimentation by our Big Government, and ED has been at the forefront of it for its entire existence. Time to get rid of that useless Department. Trump 2016!

4 years
Reply

What about the companies pushing insecure products into the market? Ms. Adams' company released 135 security bulletins alone in 2015; works out to not quite 3 bulletins per week. What's the labor cost involved in applying those patches across the federal spectrum? It's not just the mentality of the agencies, industry needs to take a look at their mentality as well.

4 years
Reply

I think the encouragement young girls, and women, are receiving to pursue STEM opportunities is great. No one said they were ever blocked from STEM; it's more about building the confidence and support individuals need early on. I believe this mindset will really change the future of female STEM leadership

4 years
Reply

So does Amazon get a waiver to be able to fly without VLOS? Has Amazon commented on the rules?

4 years
1 Comment Reply
Eleanor Lamb

Amazon will have to abide by the rules outlined by the FAA, and has not begun to use drone deliveries yet. They are still working on them and anticipate beginning drone deliveries in 2017. Amazon did not comment.

4 years
1 Comment Reply

To all the 'federal employees' on this thread, with all the negative comments about Laverne, if you don't realize the VA/IT organization is in trouble, and blame Laverne, then YOU ARE PART OF THE PROBLEM! Get a clue, one person didn't bring the VA-house to this state; it's the federal employees.

4 years
2 Comments Reply

You are the problem. Wasting time on this article when you should be working. My guess - you work in Austin or DC.

4 years
Reply

Looking forward to hearing about the Amelia Earhart presentation.

4 years
Reply

Really?

4 years
Reply

It'll be nice when the VA Strategic Sourcing thing gets off the ground. They need to speed up the process and tell everyone 'no' a lot quicker.

4 years
Reply

There's no way to rationalize it, explain it or otherwise spin it. VHA broke the rules and they know it and everyone around them knows it. The whole thing stinks to high heaven. The IG report should be published and the officials must be held accountable. Otherwise, why have rules or IG.

4 years
Reply

So excited. One of those Taos 9th graders is my grandson Zach.

4 years
Reply

Great to see Federal agencies supporting technological advancements at the state and local level

4 years
Reply

***FLASHBACK 2013***
What's wrong with IT at Veterans Affairs?
https://fcw.com/articles/2013/05/01/veterans-affairs-trouble.aspx
Just replace the names...

4 years
1 Comment Reply

The sad part is that nobody who can fix things believes them when they read them. Either that or they simply can't - they're stuck with bottom-of-the-barrel leaders like we suffer today.

4 years
Reply

DSCOVR sounds like it will really improve the accuracy of predicting the weather -- much safer for everyone. Wonder why it took this long to put a technology like this in place?

4 years
Reply
Eleanor Lamb

The Department of Commerce's post did not mention previous technology related to this satellite. MeriTalk is speaking with NOAA soon to learn more.

4 years
Reply

Hmm-five new full ATO authorities - NIST violation??

4 years
Reply

Senior leadership is forcing through so much change right now, without the necessary training of workers who must work in the changed environment. Things have been turned upside-down and ground work for assured failure has been laid. And they wonder why we are not all smiling. Yes, we suffer, but it is the veteran who ultimately pays for the failure.

4 years
1 Comment Reply

I think they know exactly what they're doing. It's just not what they're advertising.

4 years
Reply

“Kremlinesque” culture? What are we now, a mushroom culture? Kept in the dark and fed..... Morale in IT is so low you have to look up to see whale poop. Fill out these forms to do this, wait weeks to get five signatures to do that. Listen to eight contractors tell you how, when, and where to do something else. I wouldn't wish a VA IT job to my worst enemy. I have one more year in this h3ll hole and I'm out.

4 years
2 Comments Reply

"I have one more year in this h3ll hole and I'm out."

That's exactly what they're counting on. That may not change your mind, but it doesn't change the facts.

4 years
Reply

Jessie, do you have a link to the webinars that you mention happen today?

4 years
Reply
Jessie Bur

Unfortunately, a link to the webinars was not provided in the press release; however, FedRAMP does post some of their previous webcasts on their website, which may have today's webinar in the next few days.

4 years
Reply

This is a really interesting solution to potential energy issues. Will be interesting to see how microgrids grow.

4 years
Reply
Eleanor Lamb

Thanks for reading. MeriTalk will try to stay abreast of developing microgrid technology.

4 years
Reply

Obviously written by someone that has never accepted the risk of a system for the federal government. Remember that FISMA has NIST writing a framework for risk acceptance, then each agency implements those guides according to their risk criteria. DOD is more sensitive than say GSA. Many agencies would not accept the risk that GSA could..... That is why the JAB has the cross section of agencies.

FedRAMP is a good program, but it does need to mature. Mature as stated in this article is asking for trouble.... You accept risk based on an agency mission. You accept risk based on a complete view of the system..... Looking at an application is not a view into the risk of an entire system...

I was the author of the JAB Charter and have been a risk acceptance official on hundreds of systems. The author of this article is 99% wrong......

4 years
Reply

It is unfortunate that the CSP Supplied option was removed. Without that option, companies that have previously had government customers have a very distinct advantage.

4 years
Reply

One should consider that MeriTalk gained its position as an authoritative voice because of FedRAMP and in its beginning tried to be helpful. When it was faced with being less than important it decided to bite the hand it lived off. Many CSPs have decided to distance themselves from its apparent dislike and frankly prejudice inherent in this writer's background. So rather than recognize it had a meaningful use in a certain time and place you act like the bitter boyfriend whose untenable behavior is no longer accepted and you show up in parking lots like a jealous boyfriend. Frankly you have gotten to the point of scary.

4 years
Reply

IG are not experts on everything nor is what they write gospel or even always accurate. Agencies across government can choose to agree with or reject an IG report.

4 years
Reply

The majority of challenges in Healthcare digitalization is in semantics, not IT hardware.

Get with it, EMC!

4 years
Reply

Interesting article with both sides of the story - each side brings up good points. Wonder when driverless cars will come into play

4 years
Reply
Dan Verton

Amazing volume of feedback - very much appreciated. As always, you can reach me in confidence at dverton@meritalk.com or at 703-883-9000 ext. 157

4 years
1 Comment Reply

Roger-that.

4 years
Reply

Any links to the actual site?

4 years
Reply
Eleanor Lamb

Here's a link to the Department of Commerce's Data Usability Project: https://www.commerce.gov/datausability/

4 years
Reply

Dan,
Thank you. You are, of course, spot on. I do wish the "American People", especially the ones who vote, would understand the sheer arrogance and self-righteousness that is being displayed and put it in the context of how this would translate to the White House.

4 years
Reply

As a former military officer I used to have a Top Secret clearance. I understand that what makes a document classified is the type of information that it contains. I would have expected Secretary Clinton and her top aides to be briefed on this when they started working at State. But I suspect that, blinded with power, they did not pay much attention.

4 years
Reply

This is consistent and another installment in a recurring theme of VHA spending medical dollars on IT. http://www.va.gov/oig/pubs/VAOIG-14-00545-343.pdf. Is anyone going to put an end to it?

4 years
1 Comment Reply

I suspect the answer is no. At this point the VA is under so much pressure for our current and past leaders' failures that the current leaders don't seem to care about many of the rules. I think they all know they're all living on borrowed time anyway, so why would they care about tracking some dirt on the carpets when the house is burning? Just make sure to wear your stupid ICARE pin, that'll make everything better. Nice job Bob, that pin idea was a winner.

4 years
Reply

Council isn't fooling anybody with regard to her intentions before she cuts and runs. And while she's in the midst of swinging her wrecking ball, she's getting publicity for the next company who need somebody to bulldoze an organization. She's about as creative as a vending machine bean burrito. It's gotten so bad under Council that my supervisor can't withhold his disgust for the disjointed mess she's made of the organization. I hope the next CIO can undo some of the mess she's trying to put into place before she leaves. Which is none too soon. I suspect there will be many raised glasses and toasts once she's gone. Before the fear of another failure being hired sets in.

4 years
Reply

Unless you're willing to buy the BS published propaganda coming out of the CIO's office, from the people at ground zero, the best way to describe IT's progress would be with a picture. I think the aftermath of a strong hurricane would be most accurate.

4 years
Reply

The question isn't if she's trying to outsource jobs in VA, it's how much more she's wanting to outsource. We're already 50% outsourced, 8000 out of 16000 VA IT workers are contractors today, so where will it stop? That might be a better question.

4 years
Reply

Is Mr. Anderson's version of the scorecard publicly available? That would make it easier to understand the context here. I see a "Self Assessment" document linked on the USDA OCIO web site, but it's not clear that this is the same thing described in this article as being updated quarterly? http://www.ocio.usda.gov/sites/default/files/writings_selfassessment_OMB%20April%20Deliverable%20Final%204-29-16.pdf

4 years
Reply
Eleanor Lamb

I'm not sure if his version of the scorecard is publicly available. He did not share a copy of it with me. It may or may not be for agency eyes only.

4 years
Reply

Glad to hear the new CIO will be focusing on digital and cybersecurity at HHS. Looking forward to seeing what Killoran brings to the table

4 years
Reply

Things in VA OI&T were not good before but now the situation is much, much worse. Mass confusion reigns, morale could not be lower, and veteran services are facing serious risks. The entire plan seems to be a dog-and-pony show which is designed to boost the profile of the CIO. For EPMO, an org chart was created but that about covers the planning. Nobody inside EPMO has any idea what they are supposed to be doing. Large numbers of employees get reassigned and the only communication which is provided is an automatic email from the personnel system. Enterprise Operations has basically been destroyed and fault lies with the CIO and the OI&T CFO. Decisions are made without an understanding of the ramifications or the field-level concerns. The people making these decisions will be gone when the audits and findings start coming in.

4 years
Reply

Re-engaging lost learners is one of the main things! We've seen recently that around 80% of students believe their productivity would improve with gamified studies. At Drimlike we really believe that gamification is making a real difference and will continue to do so. Parents and teachers are more and more connected and cloud LMS is the future.
Great copy Kate!

4 years
Reply

Our score card is not publicly available yet but I can share what we are doing with score cards or our other FITARA artifacts with any Federal Agency.

Flip.Anderson@OCIO.USDA.GOV

4 years
Reply

VA OI&T is so corrupt it's actually criminal. The wasting of taxpayers' money to buy IT Equipment so that OI&T employees position themselves for jobs after they "retire" from the VA happens over and over again. Network Engineers are more worried about keeping their Certifications up to date for their resume than actually doing Industry research on available technology.

4 years
2 Comments Reply

Completely agree! Everyone at the VA has their own agenda preparing for life after the VA. I spent 8yrs at the VA and would be ridiculed when I brought up looking at other technology vendors even though we were paying twice as much as I spent while I worked for another agency.

4 years
Reply

To give credit where credit is due, Ms. Council came to the VA with a plan, a timeline and the best of intentions. Unfortunately, she and her team of newbies didn't know what they didn't know, and have made a mess of things. To get fast results, she anointed and then pushed special detail teams to produce something that would enable her to quickly declare that a goal was accomplished. The result of those special detail teams is nothing more than lipstick on a pig.

One of the earlier posters commented on the fiasco we call EPMO. The complexity of that change was grossly underestimated. Lift and Shift sounds good in theory, but in practice it has been a disaster. The resulting organization is big, unwieldy and disorganized. Too many disparate groups were thrown into one group without a clear understanding of how each group would serve the mission of the EPMO. The new organization has no clear escalation path for problems and decision-making. The process for approving new hiring has collapsed. Budgets are in disarray. The formal networks and relationships that existed to get things done have evaporated. Policies are published, then rescinded. Groups don't know what they should be responsible for and therefore avoid any responsibility. The situation today is the worst I've ever seen it.

Ms. Council's public statements suggest that everything is going great. It isn't. The accomplishments that are claimed would not bear close scrutiny. Scratch the surface and you get nothing but unfinished, poorly executed stop-gaps that create more process duplication. What Ms. Council and her team has done is genuinely destructive and an excellent case study in how not to implement change.

It will be very hard to recover.

4 years
Reply

A follow-on to this excellent article by Dan Verton is at www.crimetechsolutions.com/blog and https://fightfinancialcrimes.com/2016/07/13/police-data-beyond-black-and-white/

4 years
Reply

It's a shame VA's CIO will leave with the President, but is understandable. Despite the opinions of a few do-nothings (the select group of entitled VA brats who love the security of their paycheck, but do nothing to earn it or help move the organization forward to help Vets), she's been a breath of fresh air and is pushing the organization in a positive direction.

4 years
Reply

Good to see Tania Mejia has moved on to another position, where transparency is held in high regard: Hillary Clinton's campaign.

4 years
Reply

So she tells us on a call that all of this concern makes her chuckle. Your aptitude for anything IT makes us chuckle too, so we're even. Just leave LaVerne, you're not welcome in our agency anymore, and we need to get started on reversing the damage you've caused. And to be clear, we will reverse it.

4 years
Reply

I hope that Congress will read and pass the proposed legislation from Hurd. Our government is so very STUCK with outdated cyber security solutions, it is no wonder we are being hacked, at will, by foreign nation states and related bad guys. Time will tell.

4 years
Reply

http://www.ted.com/talks/takaharu_tezuka_the_best_kindergarten_you_ve_ever_seen?language=en

4 years
Reply

His idea is fine, except that it is using the money saved to fund future modernization projects instead of the suggestion of providing a pool of money to modernize. If both were used: have a smaller pool of money available for agencies to modernize, then as money is saved, that money is put into an agency-controlled 5 year fund for continuation of the modernization. That fund will remain so that future money saved also goes into it.

4 years
1 Comment Reply

Unfortunately, the bill providing a pool of money to modernize is bogged down with yet another bureaucracy to manage the fund. It calls for more central planning and a determination of modernization worthiness made, not by the organizations, but by a separate group of overseers. The other bill also costs over $3B, with a chunk going to GSA. Finally, don’t confuse “three year money” with a program limitation. The funds have to be obligated within 3 years.

4 years
Reply

The Dell executive involved in this procurement mysteriously became the VA's head of the Federal Desktop Core Configuration project for a while. He went back out the revolving door recently. It happens over and over at every level of government.

The ones coming IN expect some cushy desk job where they are treated like Vice Presidents.
The ones going OUT realize it's sheer chaos.

http://www.va.gov/oig/52/reports/2008/VAOIG-08-02213-138.pdf
Pretty shady business, Dell.

4 years
Reply

If you are truly interested in the validity of gamification then find links to Mind Lab and Accelium.

4 years
Reply

Boo Hoo. Thanks for weighing in IT people, but here's the deal: the VA SUCKS at building stuff and VISTA is an aging dinosaur. Did you read this line? "It also refocuses VA on buying best-in-class commercial technologies rather than building custom systems." Or were you only concerned about yourselves? It's time for COTS products - even if it means hiring vendors who CAN SUPPORT THEM. Which you cannot.

4 years
Reply

Thanks so much, Eleanor, for raising these important points!! Two small clarifications: first, the Division of Vital Statistics (DVS) collects vital records such as births, deaths, and until the 1990s also marriages and divorces. The NDI only has death records; second, all public/private sector health/medical researchers can apply to the NDI, not just industry.

4 years
Reply

Interesting article, and great insight into the NDI -- didn't realize how much went into this

4 years
Reply

very well written and informative

4 years
Reply

more money, surprise!

4 years
Reply

Very good article Kate, I agree that younger children especially need to be engaged in a multitude of learning experiences without technology. I believe that technology can enrich any curriculum but should not be replacing all interactions with teachers and other students. Thanks! Mary Reilley

4 years
Reply

@AliceKeeler should top this list

4 years
Reply

"Greenhouse gas emissions?" The people are pretty tired of hearing this lie. And its always good to see targets that are established way out beyond someone's career. "30% reduction by 2030." Yeah, right. I'd like to see someone fund a study to see if promises made 20 years ago, or even 14 years ago to be fair, were achieved. We all know they weren't. This is why people are fed up with government. Waste upon waste. That's all going to change real soon.

4 years
Reply

I'm glad HHS has released new guidance on ransomware. Ransomware can be truly harmful to hospitals and I hope this increases the focus on prevention.

4 years
Reply

Great to see some bipartisan effort to address systemic IT issues in the Federal government

4 years
Reply

Hey Boo Hoo, check your facts. VISTA should be long gone, but after 450,000,000 million dollars the vendor walked away and left a broken program. Same vendor did the same to the State of Florida for 90 Million. So why don't you read that line. Boo Hoo, how many vendors have been fired for not delivering on their contracts? We will see how the outsourcing of the email as a service goes. Then you can run your mouth. Probably one of LaVerne's stooges. Did you get fired from your last corporate job too?

4 years
Reply

Thank you to the writers who supported Laverne Council and the fact that there are, in fact, a lot of people that are taking the spirit and idea of her objectives and looking for how they can provide support in their areas. The CIO had an idea, has done numerous presentations, offered upward communication paths, traveled with and sent her staff leadership across the country to meet with employees. She has had open employee engagement calls where she talks openly to OIT and takes all questions at the end; even the ridiculous ones. Ultimately, the old way wasn't working so she is pushing us to try something new. Let's work together and continue to try to make positive changes and continually seek improvement. Based on the demonstrated openness of Ms. Council, she will probably listen to your ideas or get you to the team that is working the problem.
For the naysayers that always seem to flock to the comments, you suck. Your negativity, failure to see opportunity, slamming parts of the organization, and worst of all, talking directly and naming people that you have no clue for which you speak demonstrate the biggest failure of OIT: you. Take the training available; read and review the OIT website; join discussions; ask questions. Look at how you do your work and see how you can align with Ms. Council's strategy and culture. If you can't find any way you can be a part of the solution, work on your resume because you are obsolete and part of the problem.

4 years
1 Comment Reply

~Signed with Love,
Laverne

4 years
Reply

Nice article and read. It's good that the Department of Health and Human Services is taking action to help protect health information, but I have to wonder if it is too little and will be too late. Cyber security often pits slow to act agencies against passionate and driven hackers.

4 years
Reply

It's fairly easy and almost certain which side of the aisle Hutley lines up on. "If you think that state’s in your back pocket, just how exposed is it?" I don't think any candidate should view a state, or a single voter, as "in your back pocket." That's a pretty rude and assuming stance to take. No wonder no one trusts career politicians today.

(PS: the Captcha folks need remedial arithmetic. 7x9=63, but they don't like that answer. I wonder what value they have as 'correct.')

4 years
Reply

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?
https://youtu.be/-KEE2VdDnY0

4 years
Reply

Robin,

I have a few questions as to how this article might relate to jails and prisoners' health. Would you please contact me at 1-918-596-8951 (Josh Turley, Tulsa County Sheriff's Office Risk Management).

4 years
Reply

We don't need anything more from the government. Government IS the problem! You're asking the government to do more to increase STEM, when it is the government - specifically the unconstitutional Department of Education - that has dumbed down students by dumping hard sciences in favor of touchy-feely, multi-culti lesson plans. Then we import "talent" from abroad and pay our citizens a public stipend to stay home and do nothing. Really? Did the author speak to any conservatives/small government types for this article? Doesn't seem like it...

4 years
Reply

Great article. It's reassuring to know there is a plan to prevent a break in Cybersecurity, as well as steps to follow if a break is discovered.

4 years
Reply

I think it makes sense to increase a focus on technology in education. These will be skills students will need beyond their classes as they head into the workforce.

4 years
Reply

Well, for those advocating population control agendas, wifi on buses and schools is the perfect tool to microwave our kids into sterility. There are now over a dozen peer reviewed studies that confirm sperm damage from using a laptop and especially a tablet which is far worse than a cell phone. Does anybody ever look into the safety information and also read the safety information that comes with your cell phone and tablet? It says "not to keep the device next to your body". The FCC's own head of criminal and racketeering department is not going to unleash 5G on us as "fast as they can" so that health and safety concerns can not be addressed. The FCC is little more than a crime syndicate acting on behalf of their employers, the telecommunications industry. Do a little research and check this website for more information. http://www.wirelesswatchblog.org and check the wifi in schools section. DON'T INSTALL WIFI ON BUSSES AND GET IT OUT OF SCHOOLS. Over 60 international agencies, organizations, governments and hundreds of scientists world wide are working on informing the public and law makers about this but the media is owned by industry and our kids are being swept under the bus for industry profits and military surveillance agendas.

4 years
Reply

Intrigued to see if the telecommunications companies actually follow through and put forth measures to combat the robocalling.

4 years
Reply

IoT revelation will change the way our kids are learning, the way they are being evaluated as analytic will become a significant tool. It will change the classroom interaction, the classroom maintenance and so much more. Can't wait to see how it will affect our kids' way to grow, learn and create.

4 years
Reply

WI-FI USES THE MOST LETHAL MICROWAVE FREQUENCY

Polson, P, DCL Jones, A Karp, and JS Krebs. 1974. Mortality in rats exposed to CW microwave radiation at 0.95, 2.45, 4.54, and 7.44 GHz. Final Technical Report Prepared for U.S. Army Mobility Equipment Research and Development Center, Fort Belvoir, Virginia, Contract DAAK02-73-C-0453. 105 pp.

Abstract

Dose-response (lethality) data have been obtained for rats exposed frontally to CW [continuous wave] microwave radiation in the frequency range 0.9 to 8 GHz. Approximately 1400 male rats of the Sprague-Dawley strain have been exposed in equal groups to four separate frequencies: 0.95, 2.45, 4.54, and 7.44 GHz. Power density levels have ranged from approximately 0.2 W/cm2 to 12 W/cm2 [note: US/Canada guidelines are 0.001 W/cm2] and lethal exposure durations from approximately 10 sec to 300 sec. Gross and histological evaluation of selected tissues from some 20 animals has been obtained. The cause of death has been established as congestion, hemorrhage, and obstruction of nasal passages and/or congestion, hemorrhage, and often edema of the lungs. The lethality data have been subjected to a probit analysis, yielding LD50 curves for each of the four frequencies, and the LD50 values have been empirically fitted with a mathematical model. The LD curves very closely approximate the shape of rectangular hyperbolae.

4 years
1 Comment Reply

The FCC limit for output at the transmitter for 2.4GHz is 1W/m2. Exposure is reduced following the inverse square law based on distance from the router; 5m from the router, max exposure is 0.04W/m2. The minimum exposure in the cited report was 3420W/m2, and as a continuous wave, which is 85,500 times the exposure that a human receives at 5m. The rats were, essentially, placed in a microwave oven for periods from several seconds to several minutes, and were found to overheat.

4 years
Reply

The workshop sounds like a great way to get people interested in cybersecurity; and really understand the importance of it. These should be held more often, if not already!

4 years
Reply

Great to see a Federal agency approach big data management in such a holistic manner, instead of piece by piece. Will most likely be more effective in the end.

4 years
Reply

I'm surprised they omitted teaching.com, typing.com and readspeeder.com, three of the most popular education sites.

4 years
Reply

I think it's great that GSA is using open data to analyze and share with stakeholders. Hopefully this will lead to more information sharing within, and across, agencies.

4 years
Reply

GSA isn't the only organization that raises the cost of federal procurement. Due to the focus on small, 8a, HUB, etc., procurement goals, my team frequently pays a 5 - 10% surcharge to route procurement through a distributor rather than working directly with the primary vendor. This surcharge is usually just a pass through fee, by which I mean I receive no value added services from the distributor.
A second challenge is how each organization is funded. Rather than partnering with the agency across the street to reduce costs, our funding streams dictate how we can apply funds to the contract.
The purchasing power of the federal government should be monumental, however, the rules guiding agency activity reduce the options to D&As.

4 years
Reply

If the Russians get tossed from the games, it will be interesting to see how they react. Opportunity for Mr. Putin to flex his cyber muscles to win a gold medal in hacking?

4 years
Reply

Nice to see the Federal Government actually taking action on a case like this. The fact that that they charged schools, who are so often strapped for funds, the highest cost is ridiculous.

4 years
Reply

I hope that all who travel to the Olympics this weekend are aware of the cybersecurity concerns, and the precautions they should take to ensure security. With an event this big, it is important that all are prepared.

4 years
Reply

"Broadband increases education in that students are able to have access to online resources to complete homework. Educated people participate in fewer unhealthy behaviors, such as smoking. Therefore broadband can increase health, according to Benjamin."

Correlation does not equal causation, and the head of a public health agency should be well aware of this. What about the fact that, as the US has transitioned to a knowledge economy, the knowledgeable people ("the educated people") have gravitated towards the population centers? What about non-technical communication, e.g. talking with a coworker with a similar medical condition?

4 years
Reply

Your information is not truthful #Plastyne!

4 years
Reply

It sounds like Hardik Bhatt has a solid strategy and tactics. Too bad there is only one of him. I have a feeling his vision and drive could be used in many states in the union.

4 years
Reply

Great to see movement towards a more central definition of the IoT - as it grows in significance, this will become more and more important for policy, lawmaking, etc...

4 years
Reply

Nice article. Straight forward and to the point. More information needed on DCOI.
Mark Twain would be proud.

4 years
Reply

Where's Karen going?

4 years
Reply

Apparently, these students, however bright in Science, are totally clueless to what the NSA is really doing. Even President Truman, who created the NSA/CIA with the stroke of a pen, became convinced it was the worst thing he did during his tenure in the White House. Instead of visiting NSA.. they SHOULD have spent a day with Edward Snowden. And then read 1984. Meanwhile, all they are doing is becoming co-conspirators in the most insidious invasion of privacy ever perpetrated on this planet. Just remember this. Should you go to work for NSA, your great grandchildren will spit on your graves. Now.. stick your head back in the sand.

4 years
Reply

FEMA has needed something like this for a while. Great to see them getting on the app bandwagon

4 years
Reply

Shive needs to explain 18F's sound and complete approach to cross-vendor velocity assessment in technical evaluation boards. If GSA cannot explain how it used a sound and complete approach in procurements both its inspector general and David Powner have some work to do.

4 years
Reply

It's great to see technology being used to help with disaster relief. Thanks for sharing.

4 years
Reply

What improvements will give CIOs and CISOs confidence in the program? Lack of faith in the program will take time to turn around.

4 years
Reply

Flexibility to quickly adapt? Incentives to use?

4 years
Reply

Why is 18F needed? Who's been doing this activity previously and why do we need more government to address?

4 years
Reply

Keep digging, there's more.

4 years
1 Comment Reply

This is what happens when investigative reporting quits investigating. They were almost on top of a great story, but they quit.

4 years
Reply

With the new baseline, how long do you anticipate it will take CSPs to achieve FedRAMP high certification? Will even more controls mean an even longer process?

4 years
Reply

Great coverage Jessie - thanks. Ali (@collab9)

4 years
Reply

Vets.gov was not down.

4 years
Reply

Will there be more transparency into the projects 18F takes on? How can industry and TTS leadership better collaborate to mitigate risk and drive real results?

4 years
Reply

With FITARA, MOVE IT, and pressure from the Hill to modernize IT, when will 18F start taking on larger projects? If GAO clearly identifies the highest risks, why aren't these legacy systems already first on the list when it comes to 18F's priorities?

4 years
Reply

Nice representation and coverage

4 years
Reply

Love the idea of teachers getting involved with tutoring. Students can, too - the mobile app Yup connects students with live tutors for help in math/chemistry/physics right on their device. Check it out!

4 years
Reply

Sickening corporate cronyism...I work in IoT and it sickens me to see government and business fleece taxpayers by "investing" money that isn't theirs. People will pay for true value - there is no need for subsidies.

4 years
Reply

Great article! Love that DOE is willing to comment on their role in the show

4 years
Reply

Look forward to seeing Terry Halvorsen speak at the MeriTalk Cybersecurity Brainstorm on September 13th.

4 years
Reply

Eleanor, Good article on a hugely important topic. Sexual violence is soooo under reported across the board, and especially on college campuses as universities generally value marketing their brand over addressing the massive sexual violence issues on virtually every campus. Thanks for shedding some light on this topic, even in this forum. Hope you can do a follow-up article some time.

BTW, I was surprised that you did not mention FBI's Crime in the US report. I thought it was supposed to be the "official" annual crime report.

4 years
Reply

Can't wait to see what they pull out in 2020

4 years
Reply

Nice article Morgan. If a company is not simulating power failure, they are not ready for power failure!

4 years
Reply

It would have been more informative if you'd listed at least the top three!

4 years
Reply

What's Shive's development background? It's been reported he's trained in meteorology. Agile's been around long enough to assess the results of prior work. It's well known among Agilistas that the arbitrary nature of story points is a significant risk https://www.industriallogic.com/blog/stop-using-story-points/. What's Shive's plan to deal with his internal story point collapse in confidence?

4 years
Reply

My husband is a vet

4 years
Reply

So, any progress that's not fabricated? In the midst of the complete cluster that is another complete overhaul of the system, Laverne sits back and fiddles. The good news is the VA won't have to put up with Laverne much longer, the bad news is IT will suffer more criticism from every non-IT entity as the next CIO does their complete transformation. In this case it'll be a good thing because Laverne has proven how incompetent she is when it comes to organization building. My goodness, the lady can't even direct her staff to run a decent all-hands call. But I'm sure she'll tell somebody that she had a call, so that box was checked. And she can't leave soon enough, this cloud crap she's pushing for her next job is the worst thing any VA CIO has pushed. The next three months can't go by fast enough for the thousands of staff who are victims of her plan to secure a future on the talking circuit. Bye Laverne, we won't miss any part of you. And take your useless staff with you.

4 years
Reply

We can't get the crap to work within the VA, why the hell does the CIO think we can get it working with DoD? The CIO is just dumb enough to think she's being told the truth by the hacks she's surrounded herself with. But we've come to expect this as she's shown that she has no clue about IT, the VA, or the government. She's working really hard on her next job and the industry is just silly enough to think she has a clue about anything to do with anything. Other than her staff that we hope leaves with her, the field can't wait for her to move on to her next corporate victim. She's useless. Just ask her to detail the restructuring that's happening under her, and she'll struggle mightily to explain anything beyond her direct employees and a few basic concepts like EPMO. Other than that she has no clue how things are going. She's just waiting for that next job offer and will jump at it in a heartbeat as the walls she's made within VA keep closing in on her.

4 years
Reply

Another useless mass of cells. Like was just said, bad choices are the only thing VA's IT leadership knows how to make. Polley is almost as bad at her job as Laverne is at hers. If this is what's going to lead the VA into the future, veterans are in serious trouble. After decades of IT breakthroughs we now have Laverne and Polley doing everything they can to use industry buzzwords and take the VA back into the dark ages as we are sold-out to every corporate sleaze bag who smiles and winks at them. In the case of Laverne it's pretty clear she's just looking for the right wink to go the route of Roger Baker and be bought to sit there and make money doing nothing. It's sad, our veterans deserve more than these kinds of people.

4 years
Reply

Wait a minute!!! Because some talking head can't find the policy in the department's operation orders it doesn't get a green check mark! Mr Yu you have a job; start doing it and look for it. Don't blame the department for your inadequacy...

4 years
Reply

In the VA all we do is buy things, and hire more ISOs who have no clue about how to operate what was purchased or understand the data. IT has even gone out of its way to hire other security people in hopes of getting around the inept ISO community. But with the IG, congress' lackeys, breathing down our throats, what else can you do. The truth is cyber security has become a liability to agencies accomplishing their missions. I know in my hospital we've all but given up on helping the doctors, they're on their own, we just spend all day trying to figure out how to make the numbers look good.

4 years
Reply

To anonymous: do you live in a big city? If so, please come and stay in Watkins Glen for a week or two. Enjoy the lake and the falls. But please take a 1 hr drive over the rural roads every AM and PM, along with doing farm chores and help the family with dinner prep. And you have a brother who is playing football so you have to go back into town for a game tonight, a Tuesday night. Repeat with the 2nd week you are in town. We need more students doing good in math and science. This is a great way to use 2 to 4 hrs of time to study or do research. Donna F.

4 years
Reply

The amount of data agencies are collecting is overwhelming. They need to determine an effective approach to analyzing, and using, the data collected.

4 years
Reply

Definitely some interesting rules, especially with the remote pilot certificate. Hopefully these rules create a safe aviation environment, and eventually include protections for citizens' privacy.

4 years
Reply

"Adult conversation" implies that privacy advocates are acting like children in resisting his calls to build vulnerabilities that can be exploited by government agents. He doesn't appear to understand that the mythical government-only backdoor is as fictional as unicorns. There is no such thing. Any backdoor vulnerability is usually the 1st attack vector for hackers. The export grade encryption forced on browsers in the 1990s by government have resulted in numerous exploits and hacks affecting hundreds of millions of devices in this decade. A government-sponsored hacking group can make mince meat of those. There is no such thing as security for some, namely the government's own devices, but not for the public. The US has been losing the cyberwar thanks to the school of thought they he is pushing. He represents those whose job is to break into devices but there is nobody on the other side advocating for whats most important, which is keeping our systems, personal information and intellectual property safe from hackers.

4 years
Reply

It's great usage of Big Data and going to really benefit students in a big way.

4 years
Reply

"But Comey may have reignited the war of words with Silicon Valley when he basically told the tech industry’s giants that it’s not their place to decide national policy"

That decision is in the hands of the people, who can either endorse or reject the improved security with their wallets. They've chosen "endorse".

4 years
Reply

Chatbots have a great role to play in conversational education. Cognii is a chatbot that is helping students write constructed responses and get immediate guidance towards conceptual mastery.

4 years
Reply
meritalk

This is a great idea and would be a great government program. Standard internships provide energy and hard working new minds to the workforce. A return-ship could provide rusty, but seasoned professionals that are less likely to job jump which happens often in the world of tech.

4 years
Reply

Thanks, Eleanor. Good reporting for those of us who may face similar catastrophes.

Brian

4 years
Reply

Excellent article. I wholeheartedly agree. Thank you :)peace

4 years
Reply

An issue that has been raised in some forums, but not addressed in the Fix FedRAMP 6-Point Plan, is how to "include" small-business CSPs where the Federal market represents a very small proportion of their customer base. These CSPs can neither afford, nor justify the ROI associated with the cost of obtaining a FedRAMP compliant ATO. However, the services offered by these CSPs are needed by a few Agencies to support mission needs, such as Agencies involved in scientific research where the CSP is widely used by non-federal collaborators.

4 years
Reply

Hi Sarah,
I am certain that in your efforts to announce this opportunity to veterans that you never meant to create the potential for insult. There are problems with the shutterstock image used in the header of your article. Our flag is hanging incorrectly. The field of blue is always to be in upper left hand corner while displaying our nation's flag. The flag placement in the shutterstock image would only be correct from the view of someone standing on the other side of it. I have never met a female member of the Army wearing BDUs who let their hair hang in a pony tail while in uniform. Granted it has been 18 years since I was active duty USAF and regulations/instructions change, but it is obvious to me that this image was not cleared by the US Army nor any other military-affiliated public affairs service. I suggest that you remove the image. Your article will stand up fine without it.
Cheers, Julia Sheehy

References:
https://www.usa.gov/flag
http://www.armystudyguide.com/content/army_board_study_guide_topics/flags/quick-guide-on-displaying.shtml
http://www.va.gov/opa/publications/celebrate/flagdisplay.pdf
http://www.ushistory.org/betsy/flagetiq.html

4 years
Reply

GREAT article. Will this stop the holocaust of microwaves and screens that are decimating our kids?
Of course not. Corporate profits always trump human life in America. We are the most primitive culture on the planet.

4 years
Reply

This blog focuses on analytics that can help measure the effectiveness of an accountable care organization (ACO.) Check out: http://www.healthcaretownhall.com/?p=7247#sthash.z6fRqy4W.dpbs

4 years
Reply

Given the signed agreement, have they focussed their attentions elsewhere? I assume the agreement didn't mention allies?

4 years
Reply

DHS is a signature on the FedRAMP ATO for a CSP but they won't recognize the FedRAMP accreditation..maybe someone should talk to them as a do once accept many instead of Goodrich being beat up by Steve

4 years
Reply

Anyone who was at the event knows there was nothing legitimate about it. It was yet another Meritalk funded forum for Steve to be completely unprofessional and hurl accusations and lies at GSA and FedRAMP. Instead of having a constructive conversation, filled with actual solutions, Steve orchestrated a verbal assault that was both uncomfortable and unwarranted to watch from the audience. As a participant, it was great to see the GSA team handle it with class and dignity, which sadly can't be said for the Meritalk team and Steve.

4 years
Reply

For those of you not at the event, MeriTalk Founder Steve O'Keefe kicked off proceedings by grabbing a stack of fake $20s and solemnly placing a bundle at each table. That, as well as several other eyebrow-raising tactics are pure theater masquerading as serious dialogue. Keep up the cheap parlor tricks and we'll keep lol'ing. We'd rather hear about solutions than be treated to another installment of MeriTalk's personal vendetta. Seriously, it's old, it's tired, and you look silly.

4 years
Reply

I was there...and it didn't seem like Congressman Connolly thought it was very funny. If GSA doesn't get its act together he said the Hill will legislate

4 years
Reply

What does 'get its act together' mean?

4 years
Reply

Misinformed hype, isn't it?

However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?
https://youtu.be/-KEE2VdDnY0

4 years
Reply

Check out the VA CVE program - investment unknown to update the VCMS program to look like Extra View (COTS product). This is not uncommon with the government to invest in their own software programs without exploring what exists in the commercial world or what already exists within GOTS.

4 years
Reply

How much does anyone want to bet $150,000 that the anonymous comments saying this is "not serious" and just MeriTalk making noise are really 18Fers at work with too much free time?

After all 18F have the time to write a chatbot to replace "hey guys" with alternative language. How hard would it be for 18F to spend its time trolling any forum anti-GSA with bots as well. Now if they could just fix something more serious.

Either way, Congress and GAO will ultimately determine whether this is a big deal or not for GSA and CIO David Shive to solve. Either the GAO reports are released showing the issues or not.

4 years
Reply

"However, the agency has begun to migrate to the commercial cloud in addition to relying on these physical facilities..." Elanor, the cloud is just a co-location facility, run by a CSP, that shares its platforms, infrastructure, and software with customers. Your article suggests a delineation between cloud/virtual and physical facilities. They are all physical facilities. It just comes down to who "owns" the space.

4 years
Reply

It is so easy to stack up piles of money and take pictures of it, however difficult to attain an accredited 3PAO audited, agency approved FedRAMP ATO. These FedRAMP bashing articles are getting annoying, especially to those that know the program and its rigorous requirements. Possibly try to present positive solutions instead of trying to sway those new to FedRAMP into a negative trap?

4 years
Reply

I, too, am getting tired of these FedRAMP bashing articles. The FedRAMP ATO process mirrors the FISMA ATO process described by the NIST Risk Management Framework. The primary difference is that the FedRAMP Moderate baseline requires about 60 additional 800-53 controls and enhancements.

4 years
Reply

Yup, the complainers are mostly industry who don't want to meet the FedRAMP control requirements and have a "what we do is good enough" attitude. It ranges from the ones that circumvent FIPS 140-2 validated data-at-rest encrypted storage control requirements at the IaaS layer by making it a customer responsibility (aka customer problem) to ones that want Gov/Mil business but aren't willing to spend what it takes to get there.

On the flip side, each agency wants to impose their rules/policies on a FedRAMP'd system but insist that a system already has to have a FedRAMP ATO -- as that car insurance advert says -- that's not how any of this works!

4 years
Reply

Agree with these posts. As a company who has been through this process, recommend move the discussion forward with more focus on what the ROI is/has been with this investment. Stop picking on Matt, focus on the beneficiaries of this process, start with the CIOs. Is anyone asking them what the benefits/ROI is so we can capture the other side of the story?

4 years
Reply

Nice knowledgeable article. Thanks all.

4 years
Reply

Those of us familiar with the NIST 800-37 Risk Management framework should view the FedRAMP process as a standard way of doing business. All you companies out there, quit whining and pony up the cash to make your systems compliant.

Also remember this, Meritalk is a parasite to the FedRAMP host.

4 years
Reply

That is the creepiest thing I've heard in the last month. Would love to know how they're going to convince students to let them monitor all their conversations, and if they're not going to do that, how they're going to gauge social interactions. The consequences of this kind of hubris are often destroyed lives.

4 years
Reply

She had an illegal server in her house. She destroyed federal records. If any of you endorsing her did that you would BE IN JAIL. How can you endorse this?

4 years
Reply

What are you all thinking, or drinking?? Hillary Clinton?? Unbelievable.

4 years
Reply

You have got to be kidding me?!?!?!? Your decision to collectively endorse a candidate has alienated me and likely others. It's great if you have a personal opinion about who you would like in office. However, to use your organization which my company supports financially as a platform to endorse "your candidate" is aggravating and disappointing.

If Hillary gets elected is she going to kick off the next MeriTalk event with a talk on Cyber Ethics in Federal Government!?!?! Or if Trump gets elected you guys are going to move to Canada.

How hard is it to stay out of one of the most polarizing elections ever? What real good came out of your "decision"? Are you reaching for a "Courage" award from ESPN? Is someone on the Bleach Bit board of advisers?

Sincerely,

LET DOWN

4 years
Reply

She allowed a US Ambassador and three other Americans trying to save him to be killed because she cared more about getting money for her foundation than their lives. As a Federal employee, I'd be in prison if I mishandled classified records and misused federal computer systems and records like she did. She is corrupt in every sense of the word. I'll unsubscribe as soon as I hit enter.

4 years
Reply

Unbelievable!!! I will work at ensuring your "Organization" is never used here. Ethics? Track record? On what remotely feasible fact did you base this endorsement? Ridiculous incompetency must reign with you folks. --Unsubscribe--

4 years
Reply

Although I believe you are correct regarding which candidate will best support technological advancement by having well considered plans, I was surprised that you chose to make this endorsement. Because our culture is currently skewed toward mistrust in all arenas, respectful discourse has become difficult if not impossible. I worry that by choosing sides, you may hamper your own ability to promote such discourse, as the comments before mine suggest. I would hope that had your choice been different than mine, that I would at least try to understand the rationale behind your choice and would have debated those considerations rather than simply identifying that the candidate that you chose is undesirable in other respects. Neither candidate is perfect, we are talking about the lesser of evils here, and in this instance, for our collective technological future. I agree with your assessment, but do wonder if, given the polarization of our culture it might better have been left unsaid.

4 years
Reply

The digital world in which we live will push those dragging their feet in the Cloud to adapt quicker than they would like.

4 years
Reply

Agree or disagree, as a current Federal employee, I have no interest in receiving your political preferences at my .gov email account. Wrong venue and bad form!

I will immediately unsubscribe.

4 years
1 Comment Reply
Dan Verton

A little perspective on this endorsement seems in order.

First, it is a longstanding tradition for media organizations to endorse candidates for office. For example, 84 newspapers and media organizations endorsed Hillary Clinton during the primaries and 27 have endorsed her in the general election. Four media outlets endorsed Donald Trump during the primaries and one of those—the New York Post—has done so during the general election.

That said, the endorsement of Hillary Clinton by members of the MeriTalk Editorial Advisory Board likely represents a first for Federal IT trade publications. Media outlets in our market are notoriously risk averse—I know, I’ve worked at a few of them. But MeriTalk is no shrinking violet.

We value your opinions. But in this case, there is one incontrovertible fact that we must all face: Either Hillary Clinton or Donald Trump will be the next President of the United States. There’s no way out of what many Americans believe is a bad choice all around. We get it. But since our mission is to serve the Federal IT community, it is appropriate for us to take a stand for the candidate who has proposed technology policies and initiatives that we feel will do the most to improve Federal IT and move our digital government forward.

That is the basis of this endorsement and the only topic that was factored into this decision. This is not an endorsement on any policy topic other than Federal IT.

4 years
1 Comment Reply

George Herbert Bush plans to vote for Hillary Clinton.

4 years
1 Comment Reply

That's the GOP establishment resisting a change for the better.

4 years
Reply

We always enjoy lively debate at MeriTalk, and anticipated spirited discussion in an election cycle where many people feel there is no ideal choice. To be very clear, the editorial board is endorsing Hillary Clinton through the lens of which candidate is strongest based on his or her stated IT policy. Are there questions about her using a private email address? Yes. Are many senior government officials using private email addresses even today? Yes. Is classified information critical to our nation's security? Of course. America is a great nation because we're open to free flow of ideas. I'm not going to make any comment about walls.

We respect your opinions -- we don't delete comments on our site unless they are hateful or obscene, and by that we do not mean contrary to the personal opinions of MeriTalk staff members or the Editorial Board.

Please keep your comments coming.

Respectfully,

Steve O'Keeffe
Publisher
MeriTalk

4 years
Reply

Someone beat me to posting the Bush 41 endorsement -- a man who is a GOP icon and person of integrity. Sorry to see we can't present one's views without unleashing a screed of invectives, I hope those who are unsubscribing stand ready to do the same when the POST, WSJ, NY Times, and other publications that come to their office do the same. Respectfully, Alan Balutis

4 years
Reply

I love Meritalk so much more now that you have supported the next President of the United States ..... Hillary Clinton. Donald Trump is clearly unfit to be President and those who support him have no business in Federal IT. Thank you for having the chutzpa to speak what is on your mind.

4 years
Reply

She had to cancel another fund raiser last night. Her body finally caught up with her brain .... she is sick.

4 years
Reply

What IT policies are MeriTalk and the Editorial Board saying are being touted by Hillary Clinton that are the best path forward for Federal IT? I haven't heard one.

4 years
1 Comment Reply

"Clinton’s stated policies on cybersecurity are clear. She would expand investment in cybersecurity, enhance public-private partnerships, and give greater authority to a new Federal chief information security officer."

4 years
Reply

Certain types of “warrant-proof” encryption could pose significant danger to law enforcement’s ability to investigate and prosecute crimes - The Bill of Rights also poses significant danger to law enforcement’s ability to investigate and prosecute crimes, inability to torture people and so on. This is like saying it's not legal to randomly strip-search people so we are going to pass a law outlawing clothing that is not totally transparent. Or make houses totally transparent. Wrong, you have to do your job within the limitations that exist. Demanding everyone change the way they live to meet law enforcement's needs is ridiculous.

4 years
Reply

Unsubscribe!!! I consider your endorsement to be "very Hollywood".

4 years
Reply

I have to agree with all the comments. As an IT Manager in VA, and having been in VA OIT for over 22 years (through ALL the transitions), morale IS at an all-time low, we have as many contractors in OIT as we have VA FTEE staff (NEVER a good sign--this typically indicates mismanagement). Council and her underlings have all but destroyed the ability of OIT to perform as required, and there is an overwhelming distrust of the leadership chain (except for Bob...I know everyone appreciates what he's been able to get done, and hopes that he can survive and stay on after the Presidential dance switches partners). Council...was hired DESPITE the fact that she informed VA that she would be leaving upon the arrival of the new President (regardless of party). Speaking for myself, I would never hire someone who gives me an end date.

I have applied for the Leadership classes, as, not only am I a proud employee, but, I also am an Army veteran, and I actually USE the VA, and have NEVER had a bad experience, and have direct visibility into issues, and the ability to some degree to fix them, which I strive to do.

Hopefully, Bob and Sloan start figuring out that they are NOT getting the straight poop from Council and others, and...venture out into the Field, to observe and listen to the lower-ranking staff. I know that what we have to say is NOT what they are being told, and, if they do that, and stay true to the goals they've set, then, they will be able to change OI&T to a better organization. If they do NOT go out to the Field and listen, learn, and change things...we're pretty much doomed--and THAT is what both disappoints and frustrates those of us who are trying to make things better with all our skills and work.

4 years
Reply

The entire reorganization seems to be smoke and mirrors. How is this helping the Veterans? How is hiring additional management helping the Veteran? Morale is at an ALL TIME LOW and I have been in VA OI&T for over 14 years both VBA and VHA. Yes, OI&T can do better and we need to re-structure to better serve our customers so that they can serve the Veterans, but the way they are doing it appears to be setting up OI&T for failure. The centralization of IT has NOT worked in other civilian companies and government agencies, why are we not looking at their failures to determine what is the best course? We learn more from failures than successes. We should be taking best practices from similar organizations and implementing those, not relying on some audit from an outside agency (which wants our business to hire more of their contractors). I have very little trust in the current leadership in OI&T for the first time in many many years.

4 years
Reply

I do not understand the perception of “lack of reciprocity”. A FedRAMP ATO has reciprocity across the agencies. For example Amazon Web Services was initially granted an ATO by HHS – and since has been accepted almost everywhere else.

4 years
Reply

This is progress in the right direction!!

4 years
Reply

It seems like OPM is making good use out of big data. Hopefully they continue to leverage data as a way to detect and prevent future attacks.

4 years
Reply

OPM... 70Tb of data... Antiquated systems... What could possibly go wrong?

4 years
Reply

It's shameful that this is going on. However, there are many more illegal practices ongoing under Matt Eitutis' watch. Much more will be exposed soon. He needs to be FIRED IMMEDIATELY. He is a liar, he is manipulating and will do whatever it takes to get that job permanently. This article needs wider dissemination.

4 years
Reply

Matt has severely compromised Veterans and as a result of his lying he has DENIED Veterans access to their benefits. I cannot find more coverage of this very damaging article. Please push this to other media outlets.

4 years
Reply

Sadly, death sentence is not an accurate metaphor, if by most estimates, federal dollars make up more than 90% of ITT Tech's money, this is just taking a business model that has been artificially kept alive off life support.

When capitalism fails, and government programs keep failed business alive, tax payer dollars are pooled to give inept or outright malicious businesses a second chance.

But in this case, the business is based on government money.
Executives are making millions of dollars doing something no one really wanted in the first place.

This is no execution, it is a mercy killing.

4 years
Reply

The US DOT HQ alone has 6 separate IT networks, including a building mission-critical energy management IT system with known public internet security vulnerabilities. Detailed engineering and financial analyses led a major private investment firm to commit $100M to fully modernize DOT HQ networks and sub-optimized data centers based on $500M of guaranteed taxpayer savings. In September of 2015, Mr. McKinney not only refused to allow the project to proceed, denying taxpayers the opportunity to prove or disprove the efficacy of private IT infrastructure investment at zero taxpayer cost or risk. He further insisted that because federal IT would move to the cloud "in a few years," there was no need for new federal IT infrastructure. In the face of DOT's consistently failed FITARA grades, Congressional committee, federal agency and Representative inquiry may yet lead to a more fact-based IT and Datacenter Optimization disclosure for and adoption by Secretary Foxx and federal CIO Scott.

4 years
Reply

Why are people that claim to be in it for the sake of the vet when it's more about money to them being placed in positions and being allowed to do more damage to vets than already placed on them serving this country? When does it all end? When does America finally realize that the system designed to help Vets is a cluster and needs some serious overhauling?

4 years
Reply

If most of the things this man is doing/not doing were known, then I doubt he would still be in the position he still is.

4 years
Reply

It also can be very difficult to read and follow electronic textbooks - plus they aren't available for reference down the road. Don't like the trend at all.

4 years
Reply

While I have no reason to doubt the numbers posted from the poll, I am highly skeptical that some 1/4 of the IT workforce would leave government service based on who is elected. First, where would they go? The market couldn't possibly absorb the sheer number of malcontents. Second, if one doesn't acknowledge the incredible waste in government leading to many in sinecure positions then it might possibly be true. However, the number of folks riding out the system means that they would never think to compete in the market, why should they? And those youngsters who would leave based on who is put in charge 8 to 9 levels above them are the ones we have already acknowledged are changing the face of the workforce by changing jobs and moving seamlessly between government and the private sector. All told, my read is that regardless of who is elected, the work force won't change much at the rank and file. Naturally for all the appointed positions, it could be a significant change, but no more than any shift between administrations. Last thought, it seems that a vote for IT modernization is also a vote for IT security as the two go hand in hand. Big changes? Nah, not so much.

4 years
Reply

IT professionals support an Original Classification Authority who violated the most fundamental IT security processes....what a sad thing

4 years
Reply

I wonder if the cost of technology really replaces the cost of paper, printing, binding, and warehousing. If using technology is cheaper, then the price tag is not justified. If the creation and upkeep cost are expensive, then the costs would be justified. I hope to have a well paying job someday, and the money has to come from somewhere; i.e. customers. There are several codes I needed to pass the class, or understand the material. In my experience, those products helped me to learn, so the costs were justified.

4 years
Reply

Tutoring is a great way for teachers to pursue another career outside the classroom whilst doing what they enjoy - https://spires.co/

4 years
Reply

Both physical books and digital books are helpful. It depends on whether the student is comfortable. Physical books are not really replaced by e-learning facilities, but e-learning is giving a chance to earn knowledge from different sources. If you are buying a book for one subject you get more than one choice, i.e. there are many different authors and each has something different. It's impossible to purchase all the authors' books since it will be expensive, but if you buy a single book and go for e-learning for the authors, it will be more beneficial. If you see it from an economical point of view, nowadays there is one web portal called Raajkart.com that provides both physical books and e-learning products like Kindle, CDs, DVDs, and pen drives for each and every educational program. So, I appreciate the job done by the PIRGs. They are doing a great service to know today's craze.

4 years
Reply

Matt came into HEC and it was like a hostile takeover. He had absolutely no respect for the subject matter experts. He and his team of dummies made it much worse than it already was. He put nothing in writing. He and his team threw "Sh__t" up in the air and left before it hit the fan. They received promotions, awards and accolades for doing nothing. Sloan was right by his side as Matt told nothing but lies. Anyone with any intelligence knows you cannot fix something that has been broken for years in less than one year. In other words it was a joke, in which no one is laughing. We are dealing with Veteran lives. A fish rots at the head.

4 years
Reply

This is good news and an admirable start. That said, as noted by Microsoft in the article, they have been with FedRAMP since the beginning, are very familiar with the required controls, documentation, etc. I suspect the same applies to the CSPs mentioned that are in the accelerated pipeline. The real test of the accelerated process will be with companies who are less familiar with the process, required documentation and controls.

4 years
Reply

That's great to hear FedRAMP Accelerated has already granted authorization. But I agree with the above comment. Wondering how this program will work with companies who haven't been with FedRAMP since the start.

4 years
Reply

Vets.gov is only a site that pulls information from other partner service providers...they are like a shell corporation...lots of leadership that is paid a lot but in reality only provide the store front for the veteran. The companies that provide the backside databases, and web services for the veteran are competent service providers that have been providing these services for years.
So the question must be asked, what really does Vets.gov provide, and what is the money to run this site paying for?
If they cannot handle something as simple as health care; are they the right organization and do they possess the capacity to absorb all other veteran benefits services long term? I think not.....
Veterans cannot and should not EVER have an interruption to any service they earned by defending their country. There are many veterans who depend on these benefits every day and would not survive without them.
President Obama would know this had he served in our United States Military. Wanting to serve and actually raising your right hand and taking the oath are very different things.... it's called commitment!
Never trust Vets.gov to provide anything to our Veterans and never trust a sitting President to support veterans that has never worn a uniform that serve.

4 years
Reply

anonymous...I heartily disagree with your assessment of President Obama not supporting veterans. There is absolutely no proof of that. What seems to be painfully obvious is that the technology of the computer system(s) and properly trained personnel have been woefully lacking for a long time. Having a new system become active when no one even knew it was about to happen, and not having a centralized system to begin with are two totally unacceptable components of this system. As with so many entities of the government, there seem to be too many highly paid supervisors/ managers who are not doing their jobs, too little communication, and a complete absence of training. My opinion is to fire a whole lot of managerial people and get some in there that can improve communication, training, and centralized record keeping. What a terrible mess! Our veterans should never be treated this way.

4 years
Reply

What's the purpose of MeriTalk, to be an independent voice reviewing Federal IT, or another version of the National Enquirer? "Word is..." "We hear..." "Conspiracy theorists..." Cite your sources and inform the reader whether or not you asked those mentioned in the article for clarification. You can offer the public a valuable service or simply be a different version of a non-credible social networking site.

4 years
1 Comment Reply

Criticism about anonymous sources...from an anonymous source? Sorry, couldn't resist, that was too easy.

4 years
Reply

Add USA Jobs and USA Staffing to the list of mission critical Federal sites / applications that are not FedRAMPed.

4 years
Reply

Why do sites with no PII or other sensitive government information need to be in FedRamp environment?

4 years
2 Comments Reply

Because bad actors can use them to deploy various kinds of malware that can ultimately affect other sites and/or users.

4 years
Reply

Sometimes where there's smoke there's fire! Does it make sense to shut down or spend millions to migrate so many sites to an environment (cloud.gov) that is less secure than the Content Management Platform? What is the specific issue with the CMP? Is this a last ditch effort to make 18F reimbursable? There seems to be a lot missing from this post in terms of details on both sides to know for sure what's going on. It's definitely worth looking into!

4 years
Reply

Only bad actor I see is the clown masquerading as the FedRAMP PMO he's just not credible in the role

4 years
Reply

I blame Phaedra!

4 years
Reply

The TRUTH is they DO have ATOs and they are up for renewal. The GSA OCIO Office is refusing to sign the renewal ATOs because they say they don't seem to understand containerization, which is commonly used now and part of the Amazon hosting environment too. The refusal to sign them appears to be because they want to claim they have no ATOs - therefore force transition to Cloud.gov (which lacks an ATO). Shively being the head of both TSS and OCIO now has a conflict of interest and needs to stop this stupidity.

4 years
Reply

Has GSA come to this? Open internal warfare. This is what happens when the B team runs the show. GSA has only diminished its credibility since the clown conference. It's a shame.

4 years
1 Comment Reply

"Has GSA come to this? Open internal warfare. "

"Warfare" would imply that either side has a plan or goals.
I'd describe GSA's state as "entropy."

4 years
2 Comments Reply

The amount of money spent on the entire FedRamp boondoggle could have probably cleared the national debt! I wish they would just get on with SOMETHING, ANYTHING, rather than killing us with this death of a thousand cuts.

4 years
Reply

I wouldn't say "It's all a big joke if you ask me." GSA has not refuted the allegation that FedRAMP's not FedRAMP'd or that its whole cloud infrastructure's in a huge mess. Well done MeriTalk for outing this nonsense; it's anything but funny.

4 years
Reply

Wow.
Totally agree with Anonymous | Oct 4, 2016 at 11:02 am
The rest of the comments supporting the article are clearly other MT personnel. MT would leave us with absolutely no security if they could. Would suspect they are working for a foreign actor. Disgusting.
-e

4 years
1 Comment Reply

Wow. Senator McCarthy has managed to comment from the beyond. The post is clearly questioning why the agency in charge of administering FedRAMP to help ensure the security of government systems would not be using compliant systems themselves. Is this not a rational question? How you make the leap that the author or organization "would leave us with absolutely no security" is most perplexing. I'll yield the floor to the gentleman from Wisconsin.

4 years
Reply

"Word is folks are leaving 18F to avoid prosecution." True. And they are talking and telling the real story of the boondoggle within that they didn't sign up for. Cheers to you Steve for getting this started by publishing what other journalists are afraid to do. It's pretty clear you have well informed sources. GSA has been filtering, controlling and spinning this message for too long and the people are tired of it. Just wait, we'll hear more truths soon for sure.

4 years
Reply

This is Lawrence, CEO for Racemi - we are pioneers in Cloud Migration focused on the Global 2000. We have executed some of the largest government and public sector cloud migrations and I was not surprised by the survey results at all. The commercial sector has a different belief in the security of the cloud and they are focused on public cloud. I think for the most part, unless a mandate comes down, the government will move very slowly to the cloud, which is too bad as the cloud (public or private) has a lot to offer in making our government more efficient and agile.

4 years
Reply

The future software to analyze and make sense of all this corporate data mining of private information that has been getting sniffed and permanently stored will emerge in unpredictable formats seeking to expand previously un-dreamt-of fortresses of knowledge currently hidden in all that data. This is not necessarily a good thing, even for the parties that win the race and get to control all these databases - and by implication - all of us. - CMH

4 years
Reply

So many millions wasted and so many great people have left government because of this nonsense. 18f impact is so small and they don't deliver results anywhere close to the millions invested - yet they continue to receive funding from this GSA FAS fund - why? Would love to know how Administrator Roth justifies supporting this continued insanity. It's a good sound bite for her at events but when you pull back the curtain it's all talking heads, empty promises and lack of delivery.

4 years
Reply

Talk to the GSA CIO about that. Are there any secure and compliant environments at GSA? If so, why isn't at least FedRAMP in one? Let's get to the bottom of this with the facts. Who is accountable there, anyone? Has GSA even responded yet?

4 years
1 Comment Reply

Had Shive listened to his team and not some arrogant 18f guy with no experience, they wouldn't be in this situation. Truth is there really isn't a major issue that would force shutdown of these sites. They all had an ATO that just expired and Noah convinced Shive not to sign the renewal, "why" is the real question. It's all fabricated to try to keep another failed 18f program alive. Taking money from other internal GSA programs to fund 18f is running dry and not making a dent in the ridiculous $20M+ in the red.

4 years
Reply

Martha Johnson was ousted for waste, fraud and abuse for $1M on a silly conference and shenanigans going on across her leadership team at GSA. How is this different? Clearly there's even more of it now and at the price tag of $100M ----WHAT?!? Guarantee they've had more than $1M in frivolous spending. Who is accountable? Looks like Phaedra got out just in time.

4 years
Reply

Thanks, Morgan. I do think, though, that the article should make clear the remarks were made on the Steptoe Cyberlaw Podcast: http://www.steptoe.com/staticfiles/SteptoeCyberlawPodcast-131.mp3

4 years
Reply

However nicely designed and implemented, devices, tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Are you aware of this?
https://youtu.be/-KEE2VdDnY0

4 years
Reply

There goes 18f again breaking all the rules, living in their own world, wasting more money. Only a couple more months of this and they will for sure be gone with the next administration regardless of who it is. No one wants this mess. Let's all agree it's another big fail, show them the door and move on.

4 years
Reply

Thank you for shedding light on the dysfunction and lack of leadership at the GSA yet again. It has been complete chaos for several years after many poor leadership decisions. They brought Phaedra Chrousos in and she chopped up that organization, took the budgets from several solid, long standing programs to fund 18f experimental fun projects. Millions wasted and nothing to show for it. She empowered that team of arrogant short timers to choose what they wanted to work on when. She was more concerned with keeping them happy so they'd stay rather than actually getting them to produce anything meaningful. They spend more time traveling and speaking at events dropping buzz words here and there than doing actual work. This way of business will not survive and is doing more harm than good.

4 years
1 Comment Reply

This is all true.

4 years
Reply

Look, I'm not a millennial, I'm a baby boomer so I grew up when the Constitution and the Bill of Rights still meant something. Those in charge are embracing "management" as a way of life which is tantamount to embracing totalitarianism and fascism/Bolshevism, leading us down a dangerous path toward a police state. Much of what has recently been released is NOT prejudicial to national security, it is simply embarrassing to the person who made the statement. A higher standard MUST be applied to content for classification before we accept the need to classify something, PERIOD.

4 years
Reply

Did you also see how they bought a whole project for a dollar? https://www.techdirt.com/articles/20151107/00051032739/us-government-successfully-issues-contract-open-source-code-1.shtml

Yeah these guys are horrible (note sarcasm)... *eye roll*. 18F is exactly what the government needs...

4 years
Reply

How many GSA employees will be attending the Executive Leadership Conference in Williamsburg, VA this year at the taxpayers' expense? GSA still seems to have the largest attendance at this conference/party.

4 years
Reply

GSA IS JUST ANOTHER CRIMINAL ENTERPRISE OPERATING AS A FEDERAL AGENCY AND IT CIRCUMVENTS THE SMALL BUSINESS ACT, BYPASSES AUTOMATIC SET ASIDES OF $ 3,000 - $ 150,000 FOR U.S. SMALL BUSINESSES. WHAT DID KINGDOMWARE DECISION OF THE SUPREME COURT SAY. EVERY REQUIREMENT IS A CONTRACT REQUIREMENT AND SUBJECT TO THE RULE OF 2. FAR 8.4 WAS CREATED BY WHITE COLLAR CRIMINALS TO BENEFIT LARGE BUSINESSES. THE SMALL BUSINESS ADMINISTRATION ADMINISTRATORS ARE WHITE COLLAR CRIMINALS AND ONE OF THEM VIOLATED ETHICS AND INTEGRITY RULES AND IS THE CEO OF FEDBID - A BID RIGGING SITE THAT VIOLATES FAR 15.206 EVERY DAY; VIOLATES THE SDVOSB PROGRAM EVERY DAY; AND VIOLATES THE RULE OF 2 AND AUTOMATIC SET ASIDES EVERY DAY. THOSE AGENCIES USING FEDBID ARE JUST MORE WHITE COLLAR CRIMINAL ENTERPRISES VIOLATING THE FAR AND SMALL BUSINESS ACT. THERE WILL BE A NEW WEBSITE TO SHOW JUST WHO THESE WHITE COLLAR CRIMINALS ARE - THEY HAVE NAMES AND TITLES AND SHOULD BE RECOGNIZED FOR THEIR WHITE COLLAR CRIMINAL ACTIVITY.

4 years
1 Comment Reply

Thank you for yelling all of this, thus ensuring it will remain unread.

4 years
Reply

Guess what? Everyone knows this but 18f.
The 18f story is flashy but all smoke and mirrors. They illegally hire their friends, don't follow rules and continue the cult-like behavior and arrogance that is so off-putting to everyone inside and outside of government. 18f has many staff sitting the bench or working on fluff research projects to be semi billable. Their projects go nowhere because they think they are the first to produce these concepts and information, always. So they've redesigned a few websites - what? It took 200 people and $100M to do that???
There has been zero oversight and accountability for these characters and their lack of productivity. They have zero respect for most career civil servants and keep adding to the list of the many unhappy 18f customers. I'm sure the next administration will come in with a clear head and get rid of this massive liability right away.

4 years
1 Comment Reply

What anonymous said. I've worked with two agencies so far where 18F and USDS are involved, and they've actually killed fledgling innovative efforts in those agencies because: 1) they didn't care to understand the core business of the agency, and 2) they aren't out to solve the critical problems that are actually at issue.

From a technical perspective, "startup architecture"/a website is novelty architecture. I haven't seen real "how do we architect a sustainable, resilient solution" yet from these folks. It's not their background.

Surfing the wave...

4 years
Reply

One sad result of all this, is that the Sunlight Foundation, that was working hard to keep government honest, will soon close its doors because, "18f & USDS used their deep pockets to take all of our best people."

4 years
Reply

Boy could I ever use you. Everything we do is cloud based (Citrix) and my life is miserable due to lag time and poor network connectivity. The technology is great but hardware and network limitations create havoc and frustration when you finish typing a sentence in an email and look up to see the line slowly appearing one letter at a time, or you're working with a spreadsheet and response time is measured in many seconds. Small world problems to you, I'm sure, but it seems out of reach for our IT department and the misery continues and we all reminisce about stand alone computing and six inch floppies.

4 years
Reply

I'm not sure what this article means - the cloud hosting service should be fedramped not the site itself.

4 years
Reply

Poor implementations of complex technologies are not unique to cloud; usually it's a case of laying really great solutions on top of an infrastructure that just isn't up to delivering the requisite performance needed to ensure an adequate end-user experience. But there IS help: bring in a crack team from a vendor like General Dynamics IT to diagnose the underlying infrastructure problems and put in place a remediation plan.

4 years
Reply

Very interesting article!

4 years
Reply

FedRAMP was brilliantly conceived back in 2011-2012 but seems to have lost its way. For the first two years, it received continuous praise. It's possible that a more seasoned management team might be needed. Unfortunately the current processes don't work well and are not manageable. I think with some process re-engineering the program can get back on track.

4 years
Reply

For clarity I believe the reference here is to the FedRAMP.gov program informational (WordPress) website - not any specific hosting environment that may be FedRamp approved.
For the question at Oct 8, 8:42 am ET, the answer is - FedRamp approvals are on hosting environments, not necessarily the applications or websites running in those environments which each carry their own security approvals (ATOs).

4 years
Reply

"folks are leaving 18F to avoid prosecution" - Um, you can't outrun criminal charges merely by changing employers. If the author would reference his dictionary, prosecution is "the institution and conducting of legal proceedings against someone in respect of a criminal charge".

4 years
Reply

"folks are leaving 18F to avoid prosecution". Huh, how does that work? If the author would refer to his dictionary he'd see that prosecution is "the institution and conducting of legal proceedings against someone in respect of a criminal charge." You can't outrun criminal charges by changing employers.

4 years
Reply

The article clearly states that it's talking about the fedramp.gov website not the FedRAMP concept. The irony here is that the clowns marching around telling CSPs and agencies that they need to have certifications and ATOs to run their systems in the cloud do not have those things for the website that hosts information about the program run by the FedRAMP PMO. Take the time to read before commenting please.

4 years
Reply

Is it over yet? Please tell us it's over...

4 years
Reply

What Dr. Bray is doing is refreshing. We need champions of change for our nation and world. The future is better because he's willing to empower folks of all kinds to make a difference.

4 years
Reply

She has not helped morale. It is worse.

4 years
Reply

Ransomware was a game changer for the cybercriminals. It took the cyberattacks to the next level as it made the cybercrimes economically beneficial. According to statistics, the ROI for a cybercriminal from ransomware is 1500%. A ransomware kit costs (estimated figures) about $5,900 and the buyer can make up to $90,000 within a month of operation. That explains the recent popularity behind ransomware. Any industry which uses connected networks to operate is a potential target for a criminal who has a ‘ransomware kit’ in his bag. The list includes Health sector, energy sector, financial sector, and Universities. https://cyware.com/journal/menace-ransomware-cryptodrop-solution/

4 years
Reply

Good, thanks. Also from that session: They said there are 4,000 ransomware attacks every day. (But they didn't define "attack". E.g., if a ransomware virus is sent to 1M email users, is that one attack or 1M attacks, or based on the number of successful infections?)
Ransomware had focused on Financial Services / Banking targets, but that sector has tightened security.
The ransomware target is shifting to Healthcare, since it is more distributed and less secure, and patient-care is urgent and time-critical. The greatest risk is to their internet-facing systems; the backend systems (e.g., that operate the Cat-Scan) are not exposed, not at risk.
The panel was not aware of zero-day vulnerabilities being the basis of ransomware attacks.
A new thing is Ransomware as a Service, where any attacker can use that RaaS as a platform for attacking the victims, and they then split the ransom payoff with the RaaS provider.
The ransomware attacks are financially motivated (to obtain the ransom payout), not done to be destructive to the victim's computers.
Kit Lueder
kitdaddio@yahoo.com

4 years
Reply

The network is a warfighting platform; Cyber is now the fifth domain, in addition to land, sea, air, and space.
Six keywords are: Hunt, Track, Kill, and, Care, Custody, Control.
Blacklisting doesn't work anymore (block the disallowed systems); have to move to whitelisting (identify the allowed systems).
But a trusted server can become compromised and be the source of infection for your entire enterprise.
ICD = Interactive Cyber Defense.
Treat Cyber as a forward operating base (FOB).
Kit Lueder
kitdaddio@yahoo.com

4 years
Reply

David is one of THE sharpest change agents out there.

4 years
Reply

Monopoly references. Cool ideas #ChangeAgents!

4 years
Reply

The VA has had it forever, it's just not cloudy enough, expensive enough, or private sector enough for the government leaders who are on the private sector's payroll.

4 years
Reply

Cancer has been at war with us for years. It sounds like we are finally at war with it.

4 years
Reply

119 people at the GS-15 level?
My God, no wonder things were such a mess. This looks like looting to me: get the GS-15 salary, screw things up horribly, leave a mess for other people to deal with, then leave.

4 years
Reply

Read the 18F blog that was released immediately after the OIG Report hit the airways, explaining away the problems and comparing themselves to a startup. Unfortunately, the taxpayers have lost their money, not some venture capitalist. Besides, proper and prudent management has been and will continue to be a major weakness with this group. Frankly, if we wish to infuse innovation into the Federal enterprise, we should use USDS, where there is at least some fiscal accountability, and rethink 18F.

4 years
Reply

No offense but how is this a headline? Key card access to resident halls. We did that 15 years ago. I was hoping the article was about using your phone for door access. Now that might be more "smart"

4 years
Reply

"18F’s operational costs are funded through the Acquisition Service Fund (ASF) out of GSA, which is comprised of revenue generated from Federal Acquisition Service (FAS) business lines. Under this memorandum of agreement, 18F must recover all costs from work performed in order to reimburse the ASF.

“'We also found internal discussions by 18F senior management that raise doubts about their intent to break even,'” the report said. It found that 18F’s director of operations stated, 'to be frank, there are some of us that don’t give a rip about the losses.'"

>>>How much money is in this ASF, and how do people get to draw money from it without a viable plan to recover what they draw? Who is auditing this fund, and how many such funds are floating around government to subsidize professional playpens for these anointed tech folks? This is a disgrace. We can't get money for acquisition people to be trained, but we can fund this nonsense? Disgusting.

4 years
Reply

I'm a GSA employee who lived through the aftermath of the Western Region Conference disaster. I can walk through GSA and find so many career employees who are just as smart and innovative and capable as the people in 18F, but whenever they want to try to do anything, they have to fight tooth and nail for every dollar. If GSA had given the money to these career employees and given them the leeway that 18F apparently had, you can be sure they would have come up with better ideas than a new timekeeping system or a Coffeemate bot. But instead, GSA leadership demoralized those good employees and let a bunch of jokers loose with taxpayer money. And it's going to be GSA employees who are going to clean up 18F's mess.

4 years
Reply

79% of 18F's staff are GS-14 or GS-15 level! That is unbelievable!

4 years
Reply

Can you believe how bold that Regional Administrator was about blatantly disregarding that these are our tax dollars at work? If he could care less, and is in charge of a region, what sort of message does that send to the staff? This administration, starting with the USDS, has decided that rejects from Silicon Valley are better than anyone in DC. Let's bring in more PR and design folks who break regulations with no accountability! Most startups fail, is that what we should be doing with our taxes?

4 years
Reply

If you go through most of the folks at 18F, most aren't really technologists ..... just various jobs like teachers, journalists, etc.

4 years
Reply

Wow, the comments on this thread are unreal. The value that 18F is delivering is well beyond a simple consulting firm. If the government wants an internal Deloitte, Booz Allen, or Lockheed Martin, expect to receive the same level of cost and bloated and stalled bureaucracy. 18F is an attempt at the government trying something new and being measured under the lens of legacy business models. In the startup world or corporate innovation space, there is a period of time given to allow for experimentation and revenue loss. Yes it is tax payers dollars, and many of the tried and true practices have failed abysmally, a prime example was HealthCare.gov. From that fiasco came USDS, which receives pointed direction from the White House, under a separate set of funding and associated rules.

18F is a new business model for the government and since it is embedded within a legacy organization with operational processes that are not aligned to this strategic shift, there will be friction. Additionally, the non-billable projects 18F is working are the efforts that will be the real transformation game changers. Examples include the Calc tool: providing quick estimates for job roles; 18F open source policy and sharing of modern development standards and guides; Cloud.gov efforts to help agencies have an easy means to adopt cloud computing. The government is so far behind industry in many ways, it requires a leap forward, not the incremental steps that many administrators are wanting. This requires a different mindset of speed, urgency, and the requisite process to be modified.

Lastly, GS15 to someone coming from the Google's, Facebook's, Uber's and the epicenter of technology ecosystems such as Silicon Valley, Boston, and Austin is still a pay cut. I know long time career government employees see a GS15 as a long road to achieve, and giving this level to new entrants to the government can be seen as wasteful. The reality is that those same members have far more lucrative options available to them where they currently are. In this case, they are taking a pay cut to do their part to aid the government in its digital modernization.

4 years
3 Comments Reply

Regarding ANONYMOUS | OCT 26, 2016 AT 12:06 PM, “[C]omments on this thread are unreal.” Really? “18F is an attempt at the government trying something new and being measured under the lens of legacy business models.” Really? Legacy-shmegacy, no business management tool sanctions violating the law. No business management tool sanctions the lack of accountability. No business management tool sanctions disregard for costs. No business model says to grow an employee base without work to provide cost recovery. “Yes it is tax payers dollars, and many of the tried and true practices have failed abysmally, a prime example was HealthCare.gov.” Sorry, HealthCare.gov did not fail because the agency followed tried and true practices. It failed because the agency DIDN’T follow tried and true practice. Where in Silicon Valley is there a business model that, on a massive development, sends requirements over within weeks of go-live? Practice failure? Uh-uh. Management failure? Oh yeah. “18F is a new business model for the government and since it is embedded within a legacy organization with operational processes that are not aligned to this strategic shift, there will be friction.” The concerns being raised aren’t about a legacy-new business model divide; nor are they about friction, and God knows what you mean by strategic shift. The 18-Effers didn’t follow the law; they ignored advice; they ignored business practices; and they breached the public trust by throwing away money. The very fact that the organization’s defined role changes repeatedly is a clue that no one really has worked through why they’re needed. The fact that the 18-Effers apparently reportedly act like self-entitled jerks and without an understanding of business, government, or procurement is just a side annoyance. 
“Additionally, the non-billable projects 18F is working are the efforts that will be the real transformation game changers.” Really, so spending millions talking about themselves, the largest expense identified in the IG Report, is a game-changer? Look, the rest of your buzz-word-speak doesn’t address fundamental questions: Why the hell is 18F here; why does government need it, especially when it has doubled its debt over the last eight years? What is being achieved there that cannot be achieved in one of the ARPAs? Why should government money be spent on having 18F branch-out into “product lines” and compete with the private sector (state governments?)? By what quantifiable goals are the 18-Effers being measured (and please, don’t point to examples that are the equivalent of making Popsicle stick pencil holders at summer camp)? The list goes on, but it sure seems like the existence of 18F and the other bureaucracies that have grown up around it is less about a defined mission and more about an imposed process and belief system.

4 years
1 Comment Reply

Tony Summerlin did not create FedRAMP and did nothing to launch it. That statement is a total lie.

4 years
Reply

I'm not surprised to see the legacy spend continuing to increase, even with DCOI. I wonder what it will take before agencies start spending less on their outdated systems.

4 years
Reply

So, is the naming of the Pixar guy an attempt to get people to stop talking about the fraud, waste, and abuse associated with the organization?

4 years
Reply

I don't recall that many Silicon Valley startups losing money this fast with a very weak path to recovery.

4 years
1 Comment Reply

Don't worry, they'll make it back on sales to the states. Of course, if they can't account for costs, it's going to be hard to get paid and comply with the law, if they're complying at all. That's OK. Apparently, they have a free pass to do what they want. The IG will be ignored, and the new guy, with no background in government or procurement, will make them a flying saucer so they can escape.

What a mess.

4 years
Reply

It looks like 18F has turned into a major issue for GSA and a real distraction to the enterprise in moving forward. All the talking heads in town refer to using an agile approach and the concept of failing fast, learning from the failure and moving on. Maybe the time is now to end the 18F experiment, learn from it, let the chips fall where they fall, and move on.

4 years
Reply

GSA's FedRAMP responses are thorough and make sense.

4 years
Reply

What about the poor contractors probably caught in the middle of this mess!

4 years
1 Comment Reply

I agree, what an embarrassment! I feel bad for the new people coming into 18f who probably left great jobs thinking they were joining a great mission and were sold a bill of goods. They will watch their organization crumble in the next few months as more of the truth comes out. Idea was great, execution poor and illegal. Time to move on. Government needs change but not these jokers.

4 years
Reply

This administration continues to exhibit bad judgment in information technology modernization at every step. Remember, the people that botched the Obamacare website roll out are the same people behind TTS. Those same people then ran another large deficit at the taxpayer's expense with 18F. This selection smacks of calling in Buzz Lightyear from an alternate universe. Denise should be required to testify what the selection criteria were for the candidates and how expertise in computer graphics satisfied the selection criteria. To infinity and beyond!

4 years
Reply

I think it's a nice PR win they were able to recruit someone from Silicon Valley (again) but is that really what that organization needs right now? Hasn't this experiment proven to be unsuccessful? Hasn't enough money been wasted - even though GSA Administrator Roth and her gang of misfits Andrew and Adam don't care. Many are shocked they haven't been asked to leave GSA yet.

Sure maybe in the short term this deflection from what's happening right now with the IG reports may help slightly but this new hire will soon lose his luster and they'll be back to solving the same problems - only we'll be looking at a $60M, $80M or more loss.

When will people realize they are actually killing fledgling innovative efforts in many agencies? Because as others have pointed out: 1) they didn't care to understand the core business of the agency, and 2) they aren't out to solve the critical problems that are actually at issue. From a technical perspective, "startup architecture"/a website is novelty architecture. We haven't seen real "how do we architect a sustainable, resilient solution" yet from these folks. It's not their background.

It's clear they are focused more on branding themselves during the short time they are there than any real impactful change in govt.

4 years
Reply

Where are their success stories from other customers? It seems all their "amazing" successes are internal 18F projects to make sure folks have friends to get coffee with.....

4 years
1 Comment Reply

Unfortunately there are few agency success stories and many in 18f admit that. They have hardly any work now and no real pipeline and haven't reduced staff. Agency customers are not returning and it's not because their problems were solved the first time by 18f. It's because they invested hundreds of thousands of dollars and got nothing more than a few research pages for it and if they were lucky, a half baked prototype which can't be built because 18f didn't hire enough developers. (Novel concept: needs based hiring = business 101). One engagement that just ended cost the customer agency $250k and the last minute deliverable of some ppt slides is laughable. Stuff they could have easily googled, copied and pasted on their own. That team wants to make sure other agencies don't get fooled so they are sharing broadly. 18f has measured success by the number of people they have hired. What? "We are successful because we were able to convince cool techy people to join gov, talk about what they know without really working. (Dump several more million there). that's productive, let's call that personal success and a great gig if you can get it.

4 years
Reply

8:20 a.m. has to be Matt Goodrich or somebody at the FedRAMP PMO. Nobody else would bother to read beyond the first page of the PMO response and if they did nobody could find it thorough and logical. It is disappointing that the PMO missed another opportunity to address real questions from the community and now we will see what happens to the program. It's time for sweeping change because from where I sit 18F and FedRAMP are all the same people and problems.

4 years
1 Comment Reply

I disagree with the statement that Matt Goodrich had to be the person who provided the original comment. I read all of the statements and responses and feel that the responses are sound. I also believe that some of the statements are naïve, reflect a lack of understanding re the differences between ISO 27001 and NIST 800-53 and the minimal inheritance (i.e., MA, MP, and PE control families) a SaaS receives by hosting on a FedRAMP ATO'ed IaaS.

4 years
Reply

Administrator Martha Johnson was ousted for waste, fraud and abuse for less than $1M on a conference in Vegas. How is this any different? This is actually far worse in many ways and destructive to the entire agency. Why don't the 18F and GSA Administrator's team have to play by the rules, how can they stay in their positions after losing that much money with blatant arrogant disregard for warnings from seasoned career executives along the way. How can they continue to break laws and not be held accountable? This just sets a precedence for more corruption. Roth and her team knew about all of this and as we saw from the IG report's direct quotes from them, they DID NOT CARE! Zero integrity, everyone is in CYA and PYA mode (cover your a$$ and promote your a$$)

4 years
Reply

The other side of “Fail Fast, Fail Often” is to take responsibility and to learn from your mistakes; that’s the culture the VC’s look for, and it may not even be possible in government. 18F is an experiment, and should be viewed that way. If they got caught up in their own hype, that’s their problem, but the concept’s viable on a smaller scale.

4 years
Reply

President Obama said this last week and it's on point!!

Government isn't a business. They don't get to write off losses, they don't get to ignore problems, they don't get to choose who they work for and don't... the arrogance of the entrepreneur community is just mind blowing.

“Government will never run the way Silicon Valley runs because, by definition, democracy is messy,” Obama said. “This is a big, diverse country with a lot of interests and a lot of disparate points of view. And part of government’s job, by the way, is dealing with problems that nobody else wants to deal with.

“Sometimes I talk to CEOs, they come in and they start telling me about leadership, and here’s how we do things. And I say, well, if all I was doing was making a widget or producing an app, and I didn’t have to worry about whether poor people could afford the widget, or I didn’t have to worry about whether the app had some unintended consequences … then I think those suggestions are terrific.

“Sometimes we get, I think, in the scientific community, the tech community, the entrepreneurial community, the sense of we just have to blow up the system, or create this parallel society and culture because government is inherently wrecked.”

4 years
Reply

Wow, this is excellent! Where did he say this? Maybe this is finally them admitting the SV - 18F experiment didn't work. The pride and arrogance of the GSA leadership is keeping them from recognizing the disaster they have created and let stand by adding yet another SV type to continue the same. Much respect for Cook and his accomplishments but honestly it doesn't translate to government. Makes no sense.

4 years
2 Comments Reply

http://www.latimes.com/business/hiltzik/la-fi-hiltzik-obama-silicon-valley-20161017-snap-story.html

4 years
Reply

As a GS 15 in GSA that actually works to save taxpayer money, this comes as no surprise. Take a look at the millions spent on failing category management and the Acquisition Gateway. Oh my, the answer is to restrict travel to those of us touching customers. Take Commissioner Sharpe too while you are cleaning house.

4 years
Reply

The first comment is correct. Tony Summerlin did not write FedRAMP. That task was done by three GSA employees and a team of 12 contractors from two companies. Mr. Summerlin may have made contributions to the FedRAMP launch through comments on drafts and participation in focus groups. That said, I agree that the program needs to keep evolving to address the issues of cost and time. The FedRAMP PMO has made sincere efforts to improve, particularly in the streamlined processes issued in the Spring. Now the PMO needs to evaluate the first round of streamlined ATOs and continue to build on that success.
Katie Lewin
Lewin Consulting

4 years
Reply

Last time GSA got a public spanking a new directorate was formed, 27 people in all, to prevent things like a $100K branding meeting for 18F. They produce things like a 27 page document for filling out a request to, wait for it, have a meeting like the branding one. There is another story on epic government waste AND THE ANSWER IS TO CREATE MORE LONG TERM DEBT IN THE WAY OF SALARIES AND PENSIONS. The inmates seem to run the asylum. Phadre C claim was a newsletter in 12 languages. Yea that prepared her for government work and the results are wasted millions. I'd put her first on the list of congressional hearing witnesses to take the fifth. Leadership, no, the recycled SESs are still there and rewarded with more responsibility, e.g. the SES in Kansas City who lied to Senator McCaskill is now the government PM for an acquisition category. Like the ESPN segment, C'mon Man!!

4 years
Reply

I find this analysis disappointing. The Gen X population lost out to the downsizing of the 90s. Now the focus is on transferring the baton from Baby Boomers to Millennials/Gen-Y. There is an entire group of us who have worked hard to earn a seat at the table, and we really shouldn't be overlooked. I see that Bray actually looked to include all three generations. Did he succeed? Only the Baby Boomers at my organization were able to attend the event.

4 years
Reply

Did the 18F people who responded on this thread consider this as work that was billable? #18effedup

4 years
Reply

WOW. I really thought I was one of a handful of folks who wasn't thrilled with 18F. They came in and it was like all the amazing, innovative work we were doing as govies didn't exist from encouraging Open Source to teaching each other Git to pushing agencies to analyze users and provide best in class citizen services; all within the rules. We weren't always fast, the gov't is a big project to steer, but we made progress and then the PIFs and 18F came in and it was like we did none of it.

4 years
Reply

Good article. I hope more light is shed into 18F.....and let's add USDS to the list while we are at it. Infusing innovative thought into government operations is a laudable notion, but there are a ton of govies out there already who are thoughtful and constantly seek ways to meet their mission goals while maximizing the use of the taxpayer dollar......and they are not rogue players.

4 years
Reply

Why couldn't GSA have looked at the successful examples of modernization and moving to public cloud that agencies have done independently? Were they so focused on their brand they missed listening to the successful agencies?

4 years
Reply

Haha.. the only people fanning the flames is the old guard at GSA whose empires failed long ago and were taking a hit from something that actually achieved some success in changing the poor way government acquisitions worked. A stated goal all along was culture change. The old guard didn't like that 18F's success highlighted how ineffective they had become, how it detracted from their existing fiefdoms, so are killing it with their buddies at OMB (which is a lot of GSA people, right?). What we are seeing now is how the "we be here before you" crowd handles anyone with fresh ideas. Because "they be here after you". Textbook case of how culture eats strategy for lunch. How about we look at the financials of the other GSA programs if you want fair reporting of waste? You're writing an article about $30M when the other GSA programs are losing hundreds of millions? They're all losing money while investment fund money seems to flow out in buckets to preferred vendors (that happen to have ex-GSA'ers leading BD). Oh, that's right, you can't do that type of reporting because then the GSA people won't show up to speak at your paid events and you lose money... the entire process is so corrupt and full of nepotism.

4 years
1 Comment Reply

Yeah....no.
18F was a grift from the start. Phaedra and Dan T. and Aaron Snow need to be hauled in front of Congress again and asked why they lied and misrepresented everything about 18F.

4 years
Reply

Great anonymous sourcing in this article as always

4 years
Reply

Remarkable sourcing from a coward of a reporter and a coward anonymous sources.

4 years
1 Comment Reply
Dan Verton

Remarkable anonymous comment. I'm willing to debate anybody on the issues and my reporting, but not anonymous ghosts.

4 years
Reply

This is the wild west of cyber security (as if anything isn't...) Much more information and guidance is needed -- for consumers and enterprises.

4 years
Reply

DOJ's progress is a great example for other agencies. It can be done.

4 years
Reply

Gee, I am so glad you figured out a way to let ordinary people leave a remark to respond to your perspective.

If @18F was equally open to other persons' perspectives, then they would have their own online option for #CX feedback .. without having to use back-channels to speak anonymously.

Stephen Buckley
sbuckley@igc.org

4 years
Reply

It was well known that the same folks behind the botched Obamacare website rollout were behind 18F. The leadership was naive and lacked integrity. The information technology management legacy of the current administration is one of technical incompetence and fiduciary irresponsibility. Scott is offering nothing new.

4 years
Reply

Correction: many of the folks that *fixed* healthcare.gov after contractors bungled it so gloriously are behind 18F (and USDS).

4 years
Reply

It took ten years to update that stale web policy and it is stale on arrival. Overall, I would say that it codifies recommended practices from five to fifteen years ago. Nothing is forward looking. This is why we can't have nice things.

4 years
Reply

18F is only part of the massive problem. 18F has spawned teams in other agencies under the same level of incompetence including the Department of Veteran Affairs. Hopefully, the Transition Team will root out all of these bungled IT initiatives under the name of Digital Services.

4 years
Reply

Let them jump ship. Thank you MeriTalk for presenting information that penetrates through the GSA spin. Spreading sunlight into the situation hopefully will enable a rational and informed discussion about how, or if, 18F should continue.

4 years
Reply

Maybe the new Administration will also kill off USDS. Only time will tell. The names of the Prez elect's transition agency leads are starting to come out....those are the folks that need the honest information about the various digital services organizations.

4 years
Reply

My understanding is that the JAB exists to authorize clouds with the most government-wide use by agencies. This seems like an attempt to make sure they're investing in the right clouds? And if they don't have the six customers, they can still get an agency authorization. I'm not the biggest GSA fan, but why would you gaslight them by recommending that companies sue them instead of just talking to the PMO like it says in Matt's email? So, I'm confused - what's the story here?

4 years
Reply

And, are you saying that Matt Goodrich is responsible for the quotes on 18F and FedRAMP that you attribute to 'a source inside GSA'? The stories you link to contain no quotes. So, what is Goodrich the source for? To be honest, the article feels more like it's designed to confuse and mislead than inform. Can you clarify please Steve?

4 years
Reply

Seems GSA's moving the goalposts on FedRAMP and that CSPs may be out millions. The program office should have been honest about how the program would work before they allowed CSPs to invest in the program.

4 years
Reply

Re 11/11@9:27 AM, I agree, in spades. It seems to me that the headline implies that Mr. Goodrich is Meritalk's "mole" in GSA in what appears to be a crusade to undermine 18F and FedRAMP, when in fact Goodrich is merely quoted as the source of a new public policy on CSPs. "Designed to confuse and mislead" -- yes, that seems to be the intent.

I'm disappointed in Meritalk's negative and increasingly partisan undermining of two initiatives I believe to be some of the best in Government IT, and this latest example makes me less likely to believe any similar postings in future. I no longer think Meritalk is dealing with GSA programs honestly and in good faith.

4 years
Reply

Let’s not lose sight of the story. It’s pretty simple and it's not Steve O'Keeffe's headline choice. It’s about GSA not dealing with the CSPs in good faith. This is the story, and there is no question of the source or if true: “The FedRAMP PMO tells CSPs that have invested millions to attain a JAB certification that they need to demonstrate that they have at least six unique agency customers–or they’ll get kicked out of the JAB certification and need to pursue an agency sponsor.” No one thinks FedRAMP is a bad idea. That’s why we see all the debate here. It’s a good idea that’s taking misguided steps. What’s the recourse for CSPs who have spent millions on JAB certifications and were just told, sorry – we’re adding a requirement so you no longer qualify?

4 years
Reply

18 F has gotten into hot water mostly because of lack of measurable value from their involvement. Their focus on building all technology from scratch while disparaging the value of COTS has been especially troublesome at DHS and VA. USCIS's &3.1B Case MGT System is the poster child of mismanagement.

4 years
Reply

This is simply a failure by the vets.gov Team within the Department of Veteran Affairs. A few political appointees under President Obama were pushing an incomplete solution to make a name for themselves. It is well known within the VA that the vets.gov Team provides no communication to the key stakeholders in either VHA or VBA - noted in the article above. Hopefully, President-elect Trump's Transition Team will see through this scam and remedy this to provide the services our Veterans deserve.

4 years
Reply

Excellent!

4 years
Reply

Riiight. The founder of MeriTalk gets no voice in the headline for an article he authored. 😉

4 years
Reply

Come on. Back to reality.
You know what Trump's people are going to do in GSA? They're going to figure out a way to sell Federal real estate to the Trump corporation for very little money, so that the Trump corporation can turn it into hotels and golf clubs. You know that. It's what he does.
They don't care about 18F or the IT Modernization fund. Unless those things involve illegal immigrants, Trump's people aren't going to do one thing to improve Federal IT.

4 years
Reply

The VA or more correctly, the Vets.gov team at the VA, just did the exact same thing with the veteran's education benefits last Friday by deploying a non-validated form being sent to corporate VBA systems where VA employees will have to sift through the valid and invalid 22-1990 forms. Just amazing that this type of incompetence continues!

4 years
Reply

..and there is a member of the USDS VA team at a Bloomberg event right now as we speak lauding Vets.gov and how great it is. The digital services spin machine is in full operation, since none of the challenges cited in this article are being mentioned.

4 years
Reply

Only a complete outsider is surprised that VHA is throwing something into service before it's fully tested. This is just one small example, but rest assured VHA will be buying and pressing things into service that few people knew about and no planning has happened. The one thing VHA knows is that they can always get forgiveness, so why ask for permission and follow any process that might get in the way. This won't end until senior leadership holds somebody in VHA accountable. Biomed and Biomed purchased systems are the usual culprits.

4 years
Reply

I wish these articles could be bumped...

4 years
Reply

When will the regular peons get such security?

4 years
Reply

I could not find this "StepWise" app. Could you kindly link?

4 years
Reply

VistA has run the VA, DoD (CHCS-I), and the Indian Health Service (IHS RPMS) for nearly 40 years. The vendors of commercial products have tried to replace VistA, but have universally failed. The VA management has put incredible funds toward replacing VistA with Commercial Off The Shelf products with no real success. VistA was designed to be enhanced and adapt to the changing face of Health Care. VistA is currently 180 aspects of the hospital and will run on a large system or a desk-top or even a laptop. The VA has not allowed VistA to evolve as it was intended, to be enhanced at the point of care. Solutions can be added to VistA in days compared to 18 to 24 months required by vendors. VistA was the first environment that embraced Rapid Prototyping even before there was a term for it.

4 years
Reply

This is only a small piece of the Enormous Unethical pie of Matt Eititus. He has hired all of his friends and buddies in the last several months. ALL of them at GS15 levels - even his buddy who is a former Assoc Director at Topeka VAMC who is under investigation for having an inappropriate THREE YEAR AFFAIR with one of his employees and who used his VA computer to conduct the affair. Matt just reassigned him to a GS15 Director of VTS in Atlanta at the HEC. All of his hires did NOT have to go through the competitive process. Director of HEC, Director of Internal Controls, COO, Director of Finance. The list is long. He has changed the org chart at least five or six times in as many months creating new offices just for his friends and buddies. And that's just a fraction of his unethical behavior.

4 years
Reply

Did you hear about how he ordered employees to cancel pending applications? Yes, that's being done too, all in an effort to get the pending application numbers down so that he (Matt Eititus) can look good. Last known number of pending applications is circa 900,000! Matt was sent to Atlanta HEC to 'clean up' the pending app issue and under his watch over the last 14 months the issue had grown. He is a liar and should be fired!!! He is directly responsible for DENYING VETERANS THEIR BENEFITS THEY HAVE EARNED AND DESERVE! HIS ONLY quest is to get all his buddies jobs they don't deserve and know nothing about!

4 years
Reply

I have emails where Matt Eititus coerced and lied to the Human Resource folks, where he set up former directors who he wanted to remove so that he can get his buddies in. Emails and text messages of online affairs using government equipment, lies he committed under oath during an investigation, discriminatory behavior, prohibited personnel practices... the list goes on! He is currently awaiting a permanent assignment as the new SES Director for Member Services. If he gets the position it will be the absolute worst decision not only for the employees but more importantly for Veterans.

4 years
Reply

And...his buddy that he just reassigned to the GS15 position is currently under investigation by VA's Office of Special Counsel because of misconduct due to use of VA equipment to conduct the affair. And to top it off, he is still listed in the VA's global directory as still being the Associate Director at Topeka VA. Why? To hide the fact that Matt assigned him to Director of VTS in Atlanta? Does OSC know about this? hmmmm?

4 years
Reply

And he just hired a new Director for HEC in Atlanta who has absolutely no experience and who only worked for VA for a few months. There is an email floating around where this new female director talks about being hung over from a night out with Matt during a visit to D.C. to meet with the Under Secretary...so is that how she got a GS15 job with no experience, knowledge or skillset to run a complex national office?

4 years
Reply

ANONYMOUS | NOV 21, 2016 AT 9:14 PM - REPLY
I have emails where Matt Eititus coerced and lied to the Human Resource folks, where he set up former directors who he wanted to remove so that he can get his buddies in. Emails and text messages of online affairs using government equipment, lies he committed under oath during an investigation, discriminatory behavior, prohibited personnel practices... the list goes on! He is currently awaiting a permanent assignment as the new SES Director for Member Services. If he gets the position it will be the absolute worst decision not only for the employees but more importantly for Veterans.

ANONYMOUS | NOV 21, 2016 AT 9:20 PM - REPLY
And...his buddy that he just reassigned to the GS15 position is currently under investigation by VA's Office of Special Counsel because of misconduct due to use of VA equipment to conduct the affair. And to top it off, he is still listed in the VA's global directory as still being the Associate Director at Topeka VA. Why? To hide the fact that Matt assigned him to Director of VTS in Atlanta? Does OSC know about this? hmmmm?

ANONYMOUS | NOV 21, 2016 AT 9:25 PM - REPLY
And he just hired a new Director for HEC in Atlanta who has absolutely no experience and who only worked for VA for a few months. There is an email floating around where this new female director talks about being hung over from a night out with Matt during a visit to D.C. to meet with the Under Secretary...so is that how she got a GS15 job with no experience, knowledge or skillset to run a complex national office?

4 years
Reply

Very informative and excellent suggestion.

4 years
Reply

If a cadre of experts is created within GSA, I suggest they are not fee for service based, such as 18F is currently. This new group will have to tackle huge national level problems and not have to burn up resources courting agencies to perform relatively minor tasks, such as developing code for improving web presence. Free them from fee for service shackles, get them out of the business of competing with industry and have them focus on the really big issues that plague the nation.

4 years
Reply

Please note that Vets.gov is being touted as a big success by GSA's 18F group, who evidently had a huge hand in the development of the bad code which caused this huge mess. Thanks 18F for helping to screw over our Veterans.

4 years
Reply

So, just so we're clear, Jonathan Alboum wants the ability to terminate a contractor for doing what the GS-14 COTR told them to do to stand up the system?

4 years
Reply

"Other Silicon Valley leaders might decide to be supportive of a Trump presidency eventually, once the stigma of supporting the presidential candidates passes."

And therein lies the problem. It's not really about fixing things. It's about how we look when we're doing it.

Unfortunate.

4 years
Reply

The Department of Veteran's Affairs has a long pattern of criminality and cover-up to harm Veterans. The LEADERSHIP must be flushed, audited, and overseen by an independent Program Oversight organization that reports directly to the White House and President Trump.

4 years
Reply

PRESIDENT TRUMP should flush out every OBAMA CIO THESE WHITE COLLAR CRIMINALS ARE RESPONSIBLE TO ENSURE THAT ONLY THE OFFICIAL GPE www.FBO.gov FEDBIZOPPS is utilized to post solicitations with a value of greater than $ 25,000 The GAO stated this in B-411489 and B-411848

CIOs of the UNITED STATES ARE WHITE COLLAR CRIMINAL EXECUTIVES PERIOD.

4 years
Reply

Great post as always Dan, thank you for sharing.

4 years
Reply

STRATEGIC SOURCING CIRCUMVENTS US SMALL BUSINESS ACT AND HARMS US SMALL BUSINESSES
AND IS JUST ANOTHER WHITE COLLAR CRIME OF CLAIR MCGRADY, RICHARD GINMAN, SHAY ASSAD AND DPAP.

4 years
Reply

Great article. I think 18F and USDS are in for a bumpy and short final ride unless the new Administration shifts their focus away from tinkering on small value projects and tackling very complex and pervasive IT issues that plague government, such as data standardization. Standardizing data will go a long way to loosening the stranglehold large ERP vendors have on Federal business infrastructure systems (e.g. finance and acquisition) and open up competition for all, especially small business.

4 years
Reply

Curious to see what you think is going to happen to DIU(x)?

4 years
Reply

The evidence of government IT failure lies in its continuing string of Cyber Security failures.

If an agency can't afford to lose the data, it shouldn't put it on the Internet.

Here are some of the reasons. The state of Cyber Security is dire. Cyber Security is a problem without a solution. Cyber Security is an intractable challenge. Cyber defense measures in use today are like shoveling sand against the tide. When it comes to Cyber Security, hope is not a strategy in using the Internet. Cyber Security cannot be approached as business as usual.

4 years
Reply

Without Skin in the Game, there will be no Fed IT fix.

Hiring lowest bidders to "agile" out chunks of work using shiny new technologies with the help of stratospherically-compensated and over-titled 18F/USDS Obama fanboys (albeit uber-qualified!) is as much "self-service", as taxpayer-service.

Many USG HQ offices are packed (packed, like a stuffed turkey, I say!) with GS-14/GS-15s providing near zero value. Quality operators who deliver real value are 1 out of every 10, at best.

Trim the fat. Drain the swamp. Use attrition. Get skin back in the game, on all fronts.

Federal Fantasy Football......

4 years
Reply

"Jamison said that net neutrality, imposed by the FCC, inhibits economic growth because Internet service providers encounter regulations that prohibit innovation in an effort to curb their monopoly status."

Everything after "Jamison said that" is a lie.

4 years
Reply

The Vets.gov Team is continuing to build other applications for the VA just like the Healthcare Enrollment form. The exact same problem of lost veteran records will be a continuing saga as Vets.gov launches new features. This continues to be a Digital Services failure.

4 years
Reply

Wow, what an interesting reversal. Despite ITIF's retraction, both USDS and 18F are deeply flawed, operate with a lack of transparency, lack oversight and are not really taking on the biggest IT issues that hamper overall government efficiency. Will Hurd suggested at an earlier hearing that the GAO High List be used as a guide for choosing projects. If the Trump Administration chooses to keep these two groups, they should have them take on large, pervasive issues instead of tinkering with "quick impact" lower value tasks. After all, the taxpayers are paying for a boatload of GS-15s or equivalents....make them earn their pay.

4 years
Reply

Agree with agencies CIOs have independence. Not sure the value of USDS is there unless it is completely restarted anew. 18F made everyone GS-15s or equivalents which is extremely flawed for the level of work they were doing.

4 years
Reply

Anyone who is familiar with Gov IT should know that 18F and USDS have saved hundreds of millions in IT consultancy costs and are some of the only inroads into bringing modern IT practices and tools to government.

The goal of 18F is not to be a zero cost venture. You can complain that government doesn't work or has poor IT practices (original healthcare.gov) but then complain about innovative organizations that help solve that.

4 years
Reply

So much for the myth of decision being made based on the candidates with the best qualifications being selected!

4 years
Reply

I'm always amazed by the number of comments VA related articles have, it's like VA IT employees are fed up enough to speak their minds. I hope Meritalk takes note and keeps the articles coming daily. With all the things happening in the field if Meritalk is smart they'll dig into OI&T's field operations and let the comments take them in places more interesting than they ever imagined. Start with the CIO and don't stop until you get to the last person willing to talk in the current service line structure. Write a piece that pits the facility staffs against the service line staff and you'll witness unending fireworks.

Hint hint...

4 years
Reply

Rolls eyes!!! I work on the inside and I'm here to say that I see no evidence of the progress being claimed. While D.C. may have new leadership there's not more turnover in the field that I've seen in my 34 year career, but we do have some new paint on the walls.

Question the numbers, question the source, and question the motive to make up the numbers.

4 years
Reply

I've found that if you throw in any number of cool sounding words federal CIOs will buy into without question.

4 years
Reply

I think most vendors have figured out that if you prepend "cloud" to a turd federal CIOs will buy them by the pallet.

4 years
Reply

ITIF has no credibility after this. There should be a lotto on which company threw money around to change the position.

4 years
Reply

It's easy to pick on the failures. Regular Feds do that, too. Unfortunately, 18F hasn't had the sense to find the obvious allies who already work in government. Those of us who are pushing tech forward (and meeting our budgets, unlike 18F) will likely never meet most of these n00bs before their rotations run out and they flee, having never realized that they could have been so much more effective by exercising just a smidgen of their humanity. (Hint: allies are a good thing.)

4 years
Reply

What bothers me the most is that Matt is putting people in charge of management positions that have absolutely no specialized experience. They are not knowledgeable about VA laws, regulations or directives. They don't even know the basic principles. They are incapable of running any job at the VA; but since they are friends, ex-coworkers, neighbors and all worked together at DOD, that is what is getting them the job. Matt wants puppets he can control. Blatant prohibited personnel practices are going on. I am starting to wonder if anyone is left at DOD. Ha Ha Ha! Qualifications don't matter. A Health Eligibility Center director was chosen and was only with the VA for 3 months and came from DEA. She went from a GS12 to a GS15 in 3 months. Well, it is not a drug problem at the VA; it is abuse of power, waste, fraud, and gross mismanagement that is going on at the Agency. Contract money with no one assigned to oversee the funds. It is much worse than what it was before Matt and his looney tune characters diverged on the Agency. It was a hostile takeover. Then OIG comes to the agency and barely looked at anything; then cleared the Health Eligibility Center as if the problems were fixed. It is one big joke and cover up. It is a shame the Veterans; such as myself, my brothers, and my sons have to suffer due to incompetence. They are not even capable of running a day care center for the mentally challenged (no offense to them). There is no one we can trust to care for the Veterans. They want the appearance of trying to fix the problem to pacify the public and the media. A class action lawsuit is needed before we get these dummies out of management and that may not help! They have protection from the VA Deputy Under Secretary and the Secretary. It is idiots with no brain cells (zombies) in charge. Let's not even talk about the amount of travel dollars being wasted during this time of technology; such as online meetings that can be used.
The Whistleblower laws mean nothing. Another joke. As soon as you report a problem you are marked for the rest of your VA career. I will continue to pray; because VA needs divine intervention.

4 years
Reply

Amen the previous post; same problems on the VBA side!

4 years
Reply

Matt is a blatant racist. Stevie Wonder can see he removed all people of color from their positions and replaced them with his buddies. I personally applied for several positions at the HEC and was best qualified. Only to receive an email 4 times saying they will not be hiring from that certificate. Next thing you know Matt's buddies are in those positions. Sounds like a class action lawsuit if you ask me. Let's talk about the inappropriate relationships that are happening between management and subordinates. Let's talk about the nepotism, and special favors that are happening at the HEC. Matt continues to bring persons into positions that they are not qualified to manage. Bottom line!

4 years
Reply

First, get rid of the Obama administration's policies that invite an invasion of Central Americans since 2009. Our U.S. Border Patrol agents and Customs and Border Protection officers are tied up wet nursing and processing Central Americans, Haitians, Cubans (why do we still have wet foot, dry foot for Cubans?) and Eritreans, so they can enter and remain in the U.S. (without vetting, other than a cursory check to see if they have been previously handled by U.S. authorities) to pursue worthless asylum/refugee applications.

Fleeing poverty, crime and corrupt governments doesn't meet the statutes for granting such relief. If it did, more than half the world would already be in America. Hopefully, Trump will cancel those "paroles" and remove these people.

Once the message goes out to the world that America intends to enforce its immigration laws, the invasion should be greatly reduced.

Drones are nice, but far more expensive than manned aircraft with heat seeking/infrared technology. We need to get our manning levels back up to the current authorized level and then seek legislation to increase the numbers. It takes agents on the ground to interdict what drones and manned aircraft discover.

We also need to get Homeland Security Investigations (HSI) back into the game combatting transnational crime organizations through enforcing our immigration laws. Those aren't leprechauns smuggling and distributing that meth, cocaine and heroin.

Have ICE freed up from processing, transporting and wet nursing aliens pursuing worthless asylum/refugee applications. They should be chasing and arresting and deporting ethnic gang bangers, and other criminal aliens.

Return to the 287(g) program (the section of law under the Immigration & Nationality Act that allowed the training/certification of local and state police officers to enforce immigration law). It was started under President George W. Bush, and worked like a charm as a force multiplier, until Obama brought it to a screeching halt.

So you see, it takes more than just drones, it takes a total robust approach from every level of government. Sanctuary should be for Americans and our invited guests, only!

4 years
Reply

PMAS was a Waterfall environment, VIP is an Agile environment...

4 years
Reply

Hey CSP thanks for spending millions on achieving a FedRAMP jab p-ato - Now f#ck you!

4 years
Reply

When is this nightmare going to end for VA! It's virtually impossible for VA to have made a transformation without addressing the root cause of systemic issues. The fabrication of data should be illegal, but VA officials are allowed to continue deceiving the public.

4 years
Reply

This is the worst transformation in VA history. VA has been plagued with corruption by the highest officials yet the word "accountability" has taken on a new meaning for a segment of the population. In VA, under Matthew Eitutis leadership "accountability" signals a hall pass to treat minorities disparately and to blatantly discriminate against employees who look different than he does. As a VA manager I find his behavior to be disgusting. He feels he is shielded from "accountability" by top VA officials, but they will not be able to protect him much longer. He should face justice for his wrongdoing. Public corruption, waste of government funds and not to mention the use of government funds for personal reasons is illegal. VA leadership, how dare you to bring Matthew Eitutis to the agency to terrify people? I've never been more outraged by what I've seen and experienced by Matthew and his team. Let's not allow him to reduce to disgruntled employees, when that is so far from the truth instead exercise your freedom of speech.

There is power in numbers, so continue to make a stand and speak out. I will not breathe a sigh of relief until the truth is told. To the honest and hardworking VA employees - don't allow reprisal or intimidation to obstruct your freedom of speech. Veterans matter, all people matter. Let the evidence speak for itself. Hopefully, President Elect Trump will call for an investigation into his illegal acts. The current leadership has proven that accountability does not apply to all, just certain employees.

4 years
Reply

WOW, you guys still keep this up. I guess you are waiting on the recount.

4 years
Reply

Well said! "I have more respect for a man who lets me know where he stands, even if he's wrong. Than the one who comes up like an angel and is nothing but a devil." X

4 years
Reply

VistA was the top rated EHR in this report for 2014 and 2016, http://www.medscape.com/features/slideshow/public/ehr2016#page=9, and Cerner is midway down a long list. It has been estimated it would cost $16 billion by Roger Baker, a former CIO at the VA, to replace VistA. One has to ask why would anyone want to replace the best there is with something inferior especially at that very high cost?

4 years
Reply

Operating out of the Office of Management and Budget (OMB), General Gregory Touhill is the First U.S. Chief Information Security Officer (CISO), a new position whose mission is to ensure open and transparent government, one that protects People’s Information and preserves Privacy, Civil Rights, and Civil Liberties.

It is important that this broad charter reduction to five lines of effort be the correct arrangement of things since this is the First U.S. Chief Information Security Officer (CISO), and as the twig is bent so grows the tree.

Know Yourself in Cyber Security
https://www.linkedin.com/pulse/know-yourself-cyber-security-don-o-neill?trk=pulse_spock-articles

4 years
Reply

No more hand writing; No more home work; No more exam(may be); Students only need to listen to learn.

4 years
Reply

Is she gone yet? Is it safe to come out?

4 years
Reply

Very interesting app. Looking forward to seeing the other ways in which AR is utilized

4 years
Reply

PLASTYNE = MITO BY TKEVINO 😛

4 years
Reply

Not sure why this news....Luke is a political appointee so submitting his resignation is expected and not news. But what do you expect from a fake news organization.....

4 years
Reply
Dan Verton

Paragraph 3: "As a political appointee, his departure is not unexpected (MeriTalk has a list of 25 CIOs and their expected status during the transition)."

4 years
Reply

Typical response from FAA. Hide behind NAS for failures to comply and make progress. Leadership is to blame. They have solutions but politics and personal agendas are in the way.

4 years
Reply

It should be noted that the current VA leadership claims everything is veteran focused. I'm certain they claim the toilet paper in the latrine is veteran focused. Please don't fall for all the fluff people, especially if it's being peddled by LaVerne Council.

4 years
Reply

This from a Department that went from D to D- on OGR FITARA scorecard.

4 years
Reply

Guess we will see 4000 articles just like this

4 years
Reply

and somehow splitting this into two chains of command is supposed to help with a) preparedness still being a problem, and b) personnel integrity and ethics. Can't see how NSA advanced tools are going to be readily shared with a separate cyber command team, as it's still a people-problem with twice the reporting structures.

4 years
Reply

There are still many people who use pagers and believe that they are the most secure and reliable means of communication. Please see: http://www.braddye.com/paging_english.html

4 years
Reply

Hi Eleanor,
Great post, just a small correction. Data.mil was actually created using LiveStories.com—a data storytelling platform for the public sector and not data.world as is mentioned in the blog post. The raw data was posted on both data.mil and on data.world for people to download and work with. The site and the stories were created using LiveStories.com.

You can read more about the LiveStories open data portal offering here: www.livestories.com/open-data-portal .

3 years
Reply

The probability of failure in electronic circuits is so high that it's not a question of will it, but when. Conductive whiskers forming is enough of a threat to destroy any confidence in this technology. Failsafe operation must be 100 percent over the life of the system, that simply cannot be done.

3 years
Reply

You go boy...

3 years
Reply

When are they going to stop wasting tax payer dollars on these useless apps. Just make the website mobile-ready and skip the nonsense of making an app for it. How many tax payers will really find this useful enough to download on their phones?

3 years
Reply

almost all Democrats...won't have much ability to shape any tech agenda....

3 years
Reply

Promoting national competitiveness should be up Trump's alley. Hopefully some support for initiatives like this, as well as addressing the cyber issues that go hand in hand.

3 years
Reply

The safest answer is the best answer.

3 years
Reply

TSA should be abolished. Subjecting citizens and visitors to the U.S. to searches that police won't do unless arresting a person is clearly a civil rights violation. TSA is a jobs program for the unemployable.

3 years
Reply

Good post Dan. I would quibble with you where you state your sources "..paint a disturbing picture of a Trump national security team." Your sources seem to be more evenly split about Flynn, but kudos to you for reporting both sides.

Up to now, the public has seen no real evidence that shows Russia was instrumental in the "hacking" of the DNC or Podesta emails. The Podesta emails were a simple phishing attack that anyone could have performed - no sophisticated tools required for that. The DNC hack used an outdated Ukrainian malware kit that was readily available on the internet. Many of the IP addresses identified in the joint DHS/FBI report are known addresses of hosting providers. Latest revelation (if it is true), no one from the US intelligence agencies actually got their hands on DNC equipment to perform their own independent analysis. They are simply basing the technical conclusions from the CrowdStrike report who was hired by and paid by the DNC.

From a technical perspective of what we have seen, I would argue not only Trump but the American people should be very skeptical. Maybe the report next week will change my mind as Clapper "pushes the envelope".

3 years
Reply

The anon-CEO is absolutely correct, and my company has experienced this (in fact, repeatedly) as well, but a different information technology subject matter. The last paragraph of this story pretty much says it all... A PMO with no antitrust authority or *accountability, yet can "make life difficult for a firm" sounds like a racketeering biography. DOJ and IG investigations work is not done yet, not by a long shot.

3 years
Reply

The majority of the opinions expressed in this article regarding General Flynn read as largely supportive of his skepticism with the intelligence agencies performance. So it is pretty outrageous to label this as a personal vendetta and political payback.

3 years
Reply

Agreed, good post Dan. And well said, "Anon @ Jan 6, 2017 AT *8:01 AM"... I'm very close to this subject, and you are so accurate in all of the points you make. The difficult thing to discern: was their sole reliance on the CrowdStrike report a matter of laziness or divisive politics. I believe US citizens believe it as the latter, and that is the largest part of the problem. There were many technical flaws in the prior report including the mincing of unrelated actors and vector terminology, where industry experts read as a sophomoric attempt to force a conclusion (bought and paid for). I think Flynn will get things right and will do well. To be a fly on Trump's SCIF wall today = priceless. Trump's body language today will tell it all...

3 years
Reply
Dan Verton

Thanks for the Feedback folks. Good points all around.

3 years
Reply

Very interesting and informative! Thanks for such a quick update on the situation!

3 years
Reply

---> Industry observers also worry that the combined power of Veris Group and Coalfire would enable the companies to drastically increase the pay offered to licensed 3PAO assessors, draining the market of available talent for those that cannot afford such high salaries. <---

Typically when a merger occurs, salaries for employees don't go up, it's the opposite and layoffs occur. You have to pay for an acquisition somehow...

There are several providers that have done very good work for major CSPs that will serve as alternatives. Where the PMO and A2LA will have their hands full will be around potential conflicts of interest between audit and advisory services which are prohibited to be performed by the same organization.

3 years
Reply

Two that I've attended previously that you should add to your list: the NCCE conference, this year in Portland in March; and the NYSCATE conference in Rochester, NY, right before Thanksgiving every year. Both are excellent experiences.

3 years
Reply

A couple of things the author and the anonymous CEO failed to state are: 1) Both of these businesses were, until fairly recently, small or mid-sized and trying to make their way as 3PAOs. They happened to do a much better job (in many ways) than anyone else and became true experts in their field. They became the largest, most successful 3PAOs, because they set the gold standard for FedRAMP professional services. As a result, their customers, the FedRAMP PMO, JAB and agencies recognize them for their efforts. 2) The wage discussion is completely off-base. If anything, all 3PAOs face the wage barrier challenge every time a cloud service provider (usually the 3PAO's customer) poaches a 3PAO assessor or advisory professional to become an in-house expert. It is not uncommon for CSPs to promote and increase wages of a very junior, yet qualified 3PAO assessor by more than 40% to gain a small edge over their nearest competitor. And they have the bankroll and counsel to fight the legal battle to retain the talent despite breaching service agreements with the 3PAOs they poach from.

3 years
Reply

"The information that was suspected to be stolen was designed to break into computer systems of countries such as Russia, North Korea, Iran, and China."
AHAHAHAHAHAHAHAHAHAHAHA WOWOWOWOW.

Since when was Cisco a Russian/NK/Iranian/Chinese company?
https://en.wikipedia.org/wiki/Cisco_Systems
http://blogs.cisco.com/security/shadow-brokers

Since when was Angela Merkel Russian/NK/Iranian/Chinese?
http://www.spiegel.de/international/world/merkel-calls-obama-over-suspicions-us-tapped-her-mobile-phone-a-929642.html

3 years
Reply

"Swalwell, who agreed that the tech industry offers a lot of potential for increasing the skilled workforce, added that the government should work to invest in tech education for areas that aren’t necessarily tech centers, so that the incoming workforce has the skills to fill available jobs in the future."

There is no shortage of skilled tech workers in America. If that were true, wages would be going UP. Until the US stops the practice of cheaper foreign labor being allowed into the country (looking at YOU h1b, h4, eb1, eb2, eb3, L1, F1, OPTs), anyone would be foolish to consider tech as a viable career option.

3 years
Reply

two CIOs...more indicative of the Obama Administration view that the CIO is Chief Geek rather than chief INFORMATION officer...unbelievable and a waste of huge amounts of hard earned taxpayer money.

3 years
Reply

I guess OMB doesn't have to deal with FITARA. This move will cause more silos and duplication with other management functions. USDS hasn't really fixed anything. Name one real government problem they fixed. Did they fix cybersecurity issues? Did they reduce the time to gain access to VA benefits? Did we get a joint electronic health record for our military and vets? I noticed that Todd Park was the HHS CTO when Healthcare.gov started, and moved to "save it" after the crash. USDS also demonstrated their lack of understanding what the Federal government does vs. State and local, just look at their Ted talk. Lots of talk, little action.

3 years
Reply

It's not cloud by nearly any accepted definition. It has not been through any FedRAMP or DoD accreditation. The IL5 referenced is for the IBM managed data center at ABL in WV. So much mis/disinformation.

3 years
Reply

Can they come up with a sensor in cars so traffic lights can make the flow of cars more smoothly,
I am tired of sitting at a light and I am the only one there. Or only four cars get through a left turn when the line is ten deep and there are no other cars coming from another direction

3 years
Reply

Once all vehicles on the road reach full autonomy, there will be no need for traffic lights. Vehicles will simply coordinate by adjusting speeds to pass through intersections without stopping. This is quite a few years out, with many steps up to that point, but it will be pretty incredible.

3 years
Reply

Another non-cybersecurity guy assigned to a senior cybersecurity post. I am sure he is a wonderful person, and I am sure that he was a great CIO, but that does not make him an educated, trained, and certified cybersecurity professional any more than staying at a Holiday Inn Express would. His comments are interesting and deserve discussion, but he should never have been in any of the cybersecurity related positions he held in civilian government in the first place.

3 years
Reply

Finding this late, but all the comments still apply. The damage done by Ms. Council and upper leadership has caused a culture of mistrust in staff and 'colleagues' since we aren't supposed to call them customers any more. They want rumors to stop, yet no information is given to quell rumors. Centralization of IT has ruined the customer (yes, I'll say it) experience and ultimately, the Veterans suffer for it. I'm not sure if the next CIO will be able to fix this mess of low morale and mistrust. Will certainly be a monumental task.

3 years
Reply

Pretty sad when an article like this can only generate one comment. Sort of reinforces the idea in that comment that BG Touhill was not a significant player in the field.

3 years
Reply

this is an important step forward for the entire federal government. glad to see the push to the cloud!

3 years
Reply

It's an upside down world out there today. We can't have more security and we need less regulation. At the same time small business setasides can be incompatible with big program requirements. Thank you for the perspective Eleanor.

3 years
Reply

CISOs get your running shoes on again. Maybe it would be a good idea for the new administration to sit down with Tony Scott and Federal CISOs to understand what we learned from the last cyber sprint before we set off running again?

3 years
Reply

Alan Chvotkin, executive vice president and counsel for the Professional Services Council (PSC) does not speak for my SDVOSB business. From what I read, this is an agency to benefit LARGE, MEDIUM and foreign businesses. NOT VETERANS.. You'll have to get a lot more specific Mr. Chvotkin. I have already told the American Legion and American Small Business League that PSC doesn't represent Veterans that own businesses (SDVOSB or VOSB)

3 years
Reply

This bill is part of the effort to eviscerate the new rule on Affirmatively Furthering Fair Housing, a federal requirement for recipients of Community Block Grants for over 40 years. The opposition is all about scuttling even the minor efforts of HUD to reduce racial, ethnic, and economic segregation in housing. With the incoming Secretary of HUD declaring fair housing to be "communism," we should all be very afraid of what the segregationists are trying to do with HB 482 and its companion bill in the Senate, S 103.

3 years
Reply

Without this type of information how will the Republicans know how to draw voting districts in their favor and rig elections?

3 years
Reply

Please, people, every disparity of any type in the world is not due to evil or being Republican (or Democrat). Like most of life, sometimes things just "are" and are not the fault of anyone or anything. Love these anonymous posters that blast out "fake facts" such as "racial, ethnic, and economic segregation in housing" and "rig elections". Sounds like you "fact" up, folks !

3 years
1 Comment Reply

You may argue that disparities are not necessarily due to evil intentions. It is hard to see, however, what purpose is served by the restriction of open access to data. It is one thing to restrict funding to facilitate data sharing, but this appears to be a direct prohibition of the utilization of collected data. In the context of the current administration's promoting the concept of 'Alternative Facts', moves to restrict access to Actual Facts are extremely suspect.

3 years
Reply

Hey, You might like to see if AAPL is considering to buy BBRY for its QNX patents, AAPL has already hired most of BBRY's QNX employees and set up shop in Canada near BBRY's QNX autonomous cars headquarters, and John Chen does not complain, hmm. Trump's focus on Cyber Security may mean AAPL buys BBRY for their security patents as well, since Trump wants American companies. Might be a story here for you? Not to mention Trump's Giuliani's relationship BBRY.

3 years
Reply

This happens with such regularity you could set your watch by it. Yet every time the VA tries code written for the private sector it's found to lack all the things congress wants. If it's not lacking in performance, it sure doesn't pass security muster.

3 years
Reply

I don't even try to keep up with who's who, and what they're supposed to be doing. And that's probably exactly what leadership wants. I wish I could embed a musical chairs gif.

3 years
Reply

IMO this whole Vets.gov situation is a huge failure, I was perfectly happy with the Ebenefits website and I feel that time and resources would have been better spent improving what we already had. There are too many problems within the VA and adding an additional headache is the last thing we need.

3 years
Reply

It sounds to me like the power of lobby money has finally taken over congress and they are dead set to get rid of VistA. As the saying goes, "you don't know what you have until you lose it". Good luck VA trying to replace VistA with a commercial solution!

3 years
Reply

Glad to see there's constructive debate on this matter. Stewart Baker's question and example warrants logical debate and consideration. To quote Baker's what-if scenario, "For example, how would the situation be resolved if Cyber Command wanted to take down an enemy’s network but the NSA wanted it to remain open because it was collecting useful intelligence information from the network.", this represents the most logical example for such prudence.

3 years
Reply

Why "upgrade" a system that is not failing? Just because the system is 40 years old doesn't mean it is not performing and completing the functions it was designed to do; collect data and schedule appointments. The fact it has lasted 40 years while multiple other software has failed should tell congress something. Don't waste your money on a Lockheed Martin software, we know where that money goes. Focus VA resources on what matters, VETERANS, and not on private companies.

3 years
Reply

Awesome...Awesome...Awesome

3 years
Reply

dr. bray is leading the way, other agencies should similarly adopt cloud to replace their legacy tech. i also agree with him that 18f and usds could be doing more to make it easier for agencies to acquire software as a service vs. writing custom code entirely from scratch.

3 years
Reply

This is a great point:

“Instead of data center consolidation, we should be talking about data center elimination,” Bray said.

Also hurrah for someone saving the taxpayers money:

David Bray, CIO of the Federal Communications Commission, managed to move the agency to 100 percent public cloud through commercial service providers by showing agency heads that the FCC was wasting 85 percent of its IT budget on maintaining legacy systems. Bray transitioned the FCC to the cloud in less than two years.

Thank you!

3 years
Reply

Going commercial would be a singular waste of taxpayer funds. Hopefully the new administration will nip this in the bud.

3 years
Reply

The selection criteria for the clown that Shive appointed as CTO should also be reviewed. The CTO himself has then selected people under him with minimal experience running these programs. Let's review all these incompetent folks wasting our tax dollars on projects such as the Alfresco rollout (three years and little to show for it).

3 years
Reply

The entire agency needs to be investigated. People like the CTO, Navin, get rewarded for failures like his IAE project, and moved up the ladder by Shive. They all lie to senior executives and tell them what they want to hear. Please investigate the manipulator now running the Digital Signatures project. Please look into her qualifications. Went from doing payroll at a small contractor to running major programs for GSA. No wonder all those projects are behind schedule and over budget. All these people must be ousted.

3 years
Reply

The idiot responsible for the CSP was given a promotion to CTO. He in turn brought in a bunch of other incompetent people to run programs for him. He keeps rotating them every 6 months and just makes it worse. Three years and they are still working on "taxonomy." At least the CSP will be dead soon now that IAE has cleaned house.

3 years
Reply

Airports have limited space that they can dedicate to security lanes, so what's the overall value to aviation security if all Clear is doing is creating a dedicated lane for a few privileged travelers who trickle in from time-to-time and then get placed in front of other fliers that are waiting in the normal security line? It seems like average fliers and taxpayers are being screwed in this equation. Taxpayers are still flipping the bill for TSA's security officers to perform a check on Clear's line jumpers. I think Clear and/or airports should have to pay for their own private screeners instead of capitalizing on other taxpayers' dollars who are forced to wait in even longer lines because a full security lane is being dedicated to only a few travelers that get to "jump the line" for $180/year.

And on the biometrics, let's be honest about what's going on. There's no value to "anti-terrorism" in the model Clear is using for biometric verification. They aren't performing any risk assessments on their customers, and US airports, TSA security checkpoints, and airlines are not equipped with the biometric devices to authenticate travelers using biometrics during check-in, security, and on-boarding. As a result, Clear's biometrics are purely a means for verifying the enrollment status of their own customers while keeping other "flier trash" out of their lines. In fact, I'd argue that Clear's model makes airport security even worse! The normal security lines are longer wherever there's a Clear lane, so that presents an opportunity for more casualties in a terrorist event that targets large lines in this less secure area of the airport terminal.

It's time to take a stand and push airports and TSA to expand TSA PreCheck to more travelers and airport lanes. Let's let all taxpayers and travelers benefit from expedited screening of "trusted" travelers!

3 years
Reply

That's big news. I'm definitely buying the SP5. Thanks for reporting it.

3 years
Reply

Simply put, VistA is better. Suck it Congress, anybody can make a secret waiting list, no EHR will stop that. Just let the VA hire the people we need, then get out of the way. Oh, and tell your friend Trump that he needs to let us hire IT people too. You're cowards if you don't. You can't expect to allow the VA to hire 35,000+ employees, and none of them be IT. Or are you that ignorant?

3 years
Reply

Just found this, but as a J&J retiree who endured Laverne Council until she was unceremoniously dumped by J&J, I can only pity the IT staff at the VA. She is a dishonest self serving witch. She destroyed IT at J&J. When she was nominated I called my Senators in opposition. I'm a veteran and was a Global IT Director at J&J. Hopefully she'll get booted from the VA.

3 years
Reply

Your headline is biased and not reflective of the rest of the story.

3 years
Reply

I don't understand why VA, with an internal cloud, doesn't absorb all these little departmental data operations and eliminate those datacenters?

3 years
Reply

Great start, there's more, look at other agencies, other IGs.... 18f's blatant disregard of good security and governance has spread...

3 years
Reply

USDS and 18F blatantly and consistently disregard Federal regulations and mandates. Why isn't Connelly asking for a Congressional hearing?

3 years
Reply

One would think that lying to the IG would get someone fired. Is it like Uber where someone is considered too much of an asset to have to comply with minimal rules? It does not appear, however, that one has the ability to delete a GSA-18F app from one's phone.

3 years
Reply

Oh, look.
Private sector hotshots thinking that government just needs to do things faster and better and cooler. Private sector hotshots thinking they're awesome and they don't need to play by the rules, because rules are for losers, man. Private sector hotshots getting their GS-15 paychecks then getting out of dodge.

Public servants getting the privilege of cleaning up the mess they left behind.

Thanks, Aaron. Thanks, Phaedra. You really screwed everybody's pooch on this one.

3 years
Reply

I don't think that a witch hunt is what we need here. That said there are good people in Government leadership who do the right thing. This is one of those cases where executive mandate supersedes the power of the folks governing. 18F used a lot of Obama capital to make progress under the guides of "Change". Because of this real leadership in all government agencies find themselves under the spotlight to deliver quick government initiatives without planning and oversight. This is where I do blame the government and more importantly the appointees that drive initiatives under the banner of presidential mandates leaving the agency with all the fallout to deal with.

I have to say I respect Shives for taking it on the chin since it is his shop and to other points I think there should be some sort of investigation and congressional hearing but not directly targeted at Shives or the GSA administrator but geared more towards the appropriation process that circumvented GSA leadership.

3 years
Reply

Must be nice to break the law, collect a GS-15 salary, leave a trail of disaster in a Federal agency, and have civil servants clean up your mess.

Great job, Aaron.

3 years
Reply

18F used a lot of Obama capital to make progress under the guides of "Change".??

"Progress"? They did jack squat. They took international trips at taxpayer expense to talk about how great they were. That's about it.

Shive could only do so much. Call up Dan Tangherlini and Denise Roth; as Administrators, this was on their watch

3 years
Reply

"Jack squat"!? Are you out of your mind?

18F has built Cloud.Gov, an entirely new cloud hosting option for all USG agencies, and it actually works, for a fraction of the cost than if it had been built by the usual Beltway Bandits: https://18f.gsa.gov/2017/02/02/cloud-gov-is-now-fedramp-authorized/

18F has built a brand new publishing platform for government websites that runs on the previously mentioned Cloud.gov: https://federalist.18f.gov/

18F has built an entirely new micropurchase platform, and developed a new Agile Purchasing Agreement, specifically to enable the government to make smaller purchases from the private sector (which is cheesing off the Usual Suspects to no end): https://micropurchase.18f.gov/ & https://18f.gsa.gov/what-we-deliver/agile-bpa/

In fact, they have completed projects for agencies all across the USG, on-time, on-budget, and on-spec, like the following:

https://18f.gsa.gov/what-we-deliver/myuscis/
https://18f.gsa.gov/what-we-deliver/college-scorecard/
https://18f.gsa.gov/what-we-deliver/fec-gov/
https://18f.gsa.gov/what-we-deliver/c2/
https://18f.gsa.gov/what-we-deliver/calc/
https://18f.gsa.gov/2015/09/09/how-a-two-day-spring-moved-an-agency-twenty-years-forward/
https://climate-data-user-study.18f.gov/

On top of everything else, they have done all this while working in as transparent a manner as possible, creating new standards and documentation and many new tools, libraries, and applications for free adoption, adaptation, and reuse across the USG: https://pages.18f.gov/guides/ & https://github.com/18f

Finally, 18F is funded by the work they do for other agencies. If they weren't doing great work at a fraction of the price of the Beltway Bandits, with incredible success rates and short schedules, they would have simply been starved out of existence years ago.

3 years
Reply

sad to see 18F and Aaron create a big mess and then leave saying 'not my department anymore'.

good on the FCC CIO for asking for more details and accountability for 18F's costs and overhead.

3 years
Reply

"18F is funded by the work they do for other agencies" - Horsepucky!!! 18F is funded by other revenue generating activities in GSA and through appropriations. As for the other things - Cloud.gov: was the ATO issued by your self-appointed CISO? The shameless self-promotion is telling. I see no other agencies coming to 18F's defense on these posts. You are what others say you are, and others are saying that 18F has been filled with a number of self righteous spoiled millennials who have provided little to no value to federal agencies that are proportional to the costs of the program. Enjoy collecting unemployment soon.

3 years
Reply

" On top of everything else, they have done all this while working in as transparent a manner as possible, creating new standards and documentation and many new tools, libraries, and applications for free adoption, adaptation, and reuse across the USG:"

Here's the thing.
There were people throughout the US government who were just as smart and capable and talented as 18F people thought they were. They were career government employees who would have done just as well or better carrying out the mission of 18F. The only difference is, 18F didn't have to follow any of the same rules, apparently. I know for a fact that a number of projects 18F likes to brag about were started by government employees who had to adjust course based on laws and regulations that prevent, oh yeah, fraud and abuse and security breaches.

18F came in, didn't follow any rules that applied to everybody else, then bashed government employees. Then they said, "Nobody in government likes us because we make them look bad." Nobody in government liked you because you were idea stealing douchebags.

3 years
Reply

You can't have your cake and eat it, too. You can go through all of the bureaucracy and have a simple project cost millions of dollars and take 2 years. Or, you can cut through the bureaucracy and get things done quickly and inexpensively. 18F was essentially created to do things quickly and inexpensively, so you can't totally blame them for acting in a manner that allowed that to happen. It was in their DNA.

Now, having said that, we need to look at the cost:benefit analysis of that strategy. Ignoring security safeguards COMPLETELY is probably not a good idea, no matter how quickly and inexpensively it allows you to deliver product. But the "full suite" of current bureaucracy is also probably not necessary. What needs to happen is for someone to find the "sweet spot" between safety and cost/speed.

3 years
Reply

"18F is funded by the work they do for other agencies. If they weren't doing great work at a fraction of the price of the Beltway Bandits, with incredible success rates and short schedules, they would have simply been starved out of existence years ago." - Based on the other IG audits it appears that the work being done has not been covering the costs. You lost $9M in FY15, $15M in FY 16, and are tracked to lose $12M in FY 17. You thought costs would be covered by FY 19, but then said the losses could continue through FY 21. So....will you be starved out of existence soon, or will we have to wait until 2022? And where are the operating expense shortfalls coming from? Likely out of other activities at GSA...which is why they can never reduce their fees....they have to support the likes of you. Kind of like kids living in the parents' basement.

3 years
Reply

Guys,
Noah is a joke as a manager. He is seldom around. In fact one of the running jokes was that we needed a "Noah as a Service". He is very busy. So much so that his calendar is blocked for eternity, all recurring appointments. He has a couple of hours for travel blocked as well as a couple of hours of exercise. YEP !! all on govt time. Go figure.
The CIO, Dave had to have known that Noah appointed himself as the ISSO for cloud.gov.
Case in point
Recently Cloud.gov was granted a FedRAMP JAB ATO. One of the guys who sits on the JAB Board is Dave, CIO from GSA, whose whole function is to review the System Security Plan.
The System Security Plan consists of people responsible for functions such as ISSO, System Owner, Authorizing official.
Either Dave did not read the documentation, or he unknowingly signed off on the ATO.
Either way smells bad.
Same goes for the CISO shop as well. Bo, John, Man (yep, that's a real name), Kurt and their minion project manager with Valiant Solutions, milking it!!

3 years
Reply

Thank you for being one of few who are daring enough to cover this 🙂

3 years
Reply

The reason why agencies won't accept ATO's is twofold.
1 - Agencies think they will bear the cost of ATO's for the whole industry. With no return
2 - Agencies don't trust each other's authorization process

Same reason that DoD won't accept clearances from NSA, DHS, etc. How many "Public Trust" clearance packages have you filled out in your Cyber career?

3 years
Reply

You are stupid or dumb? VistA is better? You mean that 40+ year old antique that continues to suck taxpayer money and is still obsolete for today's needs. Have you not been following over the decades with the VA's disaster of an IT department? How many millions has the VA wasted over the years with no real improvements, many Vets still without adequate service or response times.

I can guess where you work. You are part of the problem. Get out of the way and let the real technologists fix these embarrassing issues.

3 years
Reply

How many q-bits does Q operate on?

3 years
1 Comment Reply
Morgan Lynch

50 q-bits

3 years
Reply

Q Physics (based on probabilities) is a BIG FALSE! The theory of probabilities is for games, not for science! We have to forget the lessons from obsolete school.

Think twice! Physics is about energy, not probabilities or statistics! Max Planck was wrong. To this level all is imagination, not observation. In addition, many "specialists" think very wrong about fundamentals in electromagnetism, gravity and universe. For details you can talk with ... Einstein.
If Q Physics is true, then anything is true! In other words, if 1+3=5 then 1+4=6!!
Where Quantum Physics is, the chaos is!

3 years
Reply

Dan your point is well-taken, even without some of the critical details missed in your post. In the instance of the TV's example, the device needs to first be compromised via USB (physical access to the TV) to install the malware according to many reports regarding this particular exploit.

That said, however, the CIA is clearly subverting the Vulnerabilities Equities Process under the guise of national security interests. We need to ask the question is the CIA contributing to making the internet as a whole less safe? They should no longer assume that any tool or exploit they develop will not eventually end up in the hands of enemies or criminals.

3 years
Reply
Dan Verton

The USB vector is a relatively minor issue. Most assume remote capabilities were/are being developed. Even if they prove difficult, the physical supply chain can be compromised with the USB method. Good points all around, but I think we are past the point where we can unilaterally disarm in cyberspace. That would be unwise.

3 years
Reply

Boo Hoo - you must be a contractor shill. For 10 years, the OI&T CIOs (starting with Roger Baker) have purposefully let VistA rot on the vine - they played games with the "funding" and stopped VistA modernization projects just before the development phase. They took the VistA budget and wasted it on dubious contract work and instituted PMAS, the work-stopping garbage that became the tool for destroying VistA one small cut at a time. LaVerne Council was one of the most incompetent executives ever to work at VA - the perfect idiot to destroy VistA. Understand that Congress GOP'ers have wanted to outsource VA health Information systems and give their corporate friends the work (probably in return for campaign contributions). Corrupt scumbags like Steve Buyer slipped in the codicil to throw in-house development under the bus within the National Defense Authorization Act (NDAA) in 2006. Now the Veteran's care is dependent on contractors (many who are inept) in regard to EHR maintenance. A SAD day for the Veteran and a cash in day for Congressmen.

3 years
Reply

Thank you for the article, it was interesting to see what directions data and analytics are trending in from someone who is well versed in the field.

3 years
Reply

Hi Morgan,

I have a story for you regarding Accessibility. How can I contact you?

3 years
Reply

Gonzalez is lying or is being misquoted. There is no way 120 something unmanned aircraft Evans spotted on the Miami Dade airport property almost all of the siding is ever mentioned our faults and aren't actually unmanned aircraft or know where unmanned aircraft would be. These reports are just unsubstantiated claims.

3 years
Reply

Thank you, a very nice article that accurately captured speaker views at the 2017 Cyber Resilience Summit.

3 years
Reply

Having worked with Dr. Meyerrose, MGEN ret, over the past two decades, I was delighted with his articulation of the real cyber situation facing the federal govt. As promised, he did not sugar coat the problem, and called out the many flaws of the current thinking being driven by the Defense Industrial Base actors. Thank you Dale for your continued thought leadership and support of the IT-AAC efforts to usher in new thinking and standards of practice outside the reach of the DIB power brokers. John Weiler, IT-AAC

3 years
Reply

Social media policy? UCMJ, conduct unbecoming, end of discussion.

3 years
Reply

Great article. Thank you.

3 years
Reply

Digital Rights Management can protect the actual data. It is an excellent solution when someone tries to physically take your data. Data is encrypted at the file level in a manner that requires a user to validate the level of rights they have to the data before it is decrypted. Even then, a user cannot do anything they want with the data. The ability to restrict what the user can do, i.e. only view and not print, copy, modify or delete is possible. I have never understood why we do not use this to provide the final layer of security to protect our most valuable data...

3 years
Reply

Excellent topic. Where I might contribute is the observation that our focus is the protection of enterprise information and the assumption that THE INTERNET is the only way to interconnect the Enterprise. The competing demands for greater remote work flexibility and higher levels of engagement, security and oversight present real structural problems if we maintain this assumption.
A more functional, secure and cost effective use of networks can be seen in the Air Force's recent implementation of an Intranet architecture. Understanding the relevance for strategic employee deployment (think COOP) and secure network infrastructure of Enterprise Centers might create a Plan B "Safe Harbors" approach to the current Plan A "Manage the Tides of the Internet"

3 years
Reply

Bully for Ontario. Evidently, no one in Canada is smart enough for the posting, so they hired a failed US government wonk to ensure their program never succeeds. No wonder Canada is going to pot.

3 years
Reply

Dr. Bray and his team of Change Agents are leading the way. Great news and Team strategy for all organizations tackling legacy systems as well a step new innovations together.

3 years
Reply

Aw, this was an incredibly good post. Taking the time and actual effort to make a superb article… but what can I say… I put things off a whole lot and don't manage to get nearly anything done.

Juventus Kläder

3 years
Reply

Maybe I know more about VistA, and EHRs as a whole, than you do. As for wasted millions, just wait until we throw billions at another company who sells idiots code built for a healthcare system that's dwarfed by the VA, and not ready for all the extra items the government will require. The system that works fine at County General might not do all the things VHA, congress, and the IG wants to see.

3 years
Reply

the best part about this article is a cio who recognizes the importance of organizational empathy and is a true lead. this quote is key:

“Those people that had been threatened by change came back and said this is one of the best things that has ever happened to us,” Bray said. “It’s the role of the CIO to take those hits for the team.”

3 years
Reply

Bigman's right that we are heading for a catastrophe but he's barking up the wrong tree.
What we desperately need is agreement on IoT classifications and what security elements need to be put in place. The Mirai attack could not have happened if there was agreement in place on access control to internet-connected cameras and household devices.
To put IoT device suppliers in the same category as Microsoft and Redhat as Bigman has done is meaningless.
Let's agree to encourage the IoT Cyber-security Alliance in the US, the IoT Security Foundation in the UK and IoTSEC in Australia to develop these guidelines and promote them - before we're forced to by some regulatory body that doesn't understand.
Thx.
Graham Williamson

3 years
Reply

There is a much faster, more secure, and way more energy efficient path than this. Get out of the on-premise model all together or as much as is technically and politically feasible.

3 years
Reply

It's a modern civil rights issue.

3 years
Reply

The Department of Energy has buried its contractors with layers of excessive oversight that has muddied the lines of accountability and added billions to the cost of doing work. Obsolete agencies such as the DNFSB, and the legions of their supporters within the DOE, add to the insanity. Under the Obama administration irrelevant working groups, boards, and committees flourished to the point that mission work became secondary to academic stupidity. QER, QTR, EPSA, ARPA-E, OTT, it just goes on and on. Moreover the Under Secretary organization structure isolates the Secretary from the people that are ultimately accountable for the work. We need to reset the Department to 2007 or better yet to the Manhattan Project.

3 years
Reply

Privacy Rule should be respected and the government must stop trying to get into individual's account! VPN remains to be the best answer here like Astrill.

3 years
Reply

Great article!!!

3 years
Reply

Suggesting the VA has any leadership in IT is a stretch, a huge stretch at that!

3 years
Reply

So...breed NO loyalty in employment; make it clear and unambiguous that NGA WILL treat tech workers like hired prostitutes to use, abuse, and throw away. And this is going to engender loyalty to the government, or save the government money? Hired guns will require EXCEPTIONAL compensation packages in order to have such volatility in their employment, and will be EVEN MORE likely to turn rogue as they will see themselves as pawns being used by Big Gov'ment. Smart.

3 years
Reply

Eleanor,
Good summary! So few individuals are even aware this report has been published. The status of information sharing is vital and certainly requires constant work. I’m one of the few individuals in law enforcement with the awareness and involvement seeing the evolution of information sharing. I have been involved with the first major Mexico border “Four Border Counter Narcotics Strike Force” intelligence and investigation initiative in the 70’s; original Regional Information Sharing System (RISS) in the 80’s; Southwest Border information systems in the 90’s; General Counterdrug Intelligence Plan (GCIP) late 90’s into 2001 and National Criminal Intelligence Sharing Plan (NCISP) since its inception. In 2010 upon my retirement from Arizona DPS/HIDTA I was one of the six lead assessors for the ISE/DHS I & A that did the first base line capabilities assessment of the nation’s fusion centers. If you've seen one fusion center, you’ve seen one fusion center. That kind of goes with the general finding of this report. I think overall it was stated very well in the 2012 National Strategy for Information Sharing:
“our national security relies on our ability to share the right information, with the right people, at the right time. As the world becomes an increasingly networked place, addressing the challenges to national security—foreign and domestic—requires sustained collaboration and responsible information sharing. The imperative to secure and protect the American public is a partnership shared at all levels including Federal, state, local, tribal, and territorial. Partnerships and collaboration must occur within and among intelligence, defense, diplomatic, homeland security, law enforcement, and private sector communities.”
Best
Ritchie Martinez

3 years
Reply

Is "data personality" a new term?

3 years
Reply

Violate human rights? Terrorists coming into the country to kill us violates human rights more don't you think? Not only that, but so what on the password issue? They give it to us and let us look to see if they are bad guys - then they change them. Oh the horror. Fly don't Spy? They want to come into our country. We are asking them for proof if they come from a country that has little or no records gathering capability. So how are we spying? We are asking them to prove who they are or go away. I don't get the silly outrage on this one. Heck, they are not even American citizens.

3 years
Reply

i am impressed that this high caliber of leader was able to deliver such impressive results given all the constraints he must have faced in government. our nation needs more leaders like him.

3 years
Reply

If the database fails to distinguish clearly between regional and national accreditation--and to explain the difference--users will lack critical information.

3 years
Reply

Wow, the data are woefully out of date. I just looked at my institution and it is data from 11 years ago! FAIL.

3 years
Reply

This is definitely not a NEW database, I've been using that OPE website for at least 10 years.

3 years
Reply

All universities and colleges in the U.S. are REGIONALLY accredited. That's what you should mainly look for when studying an institution as a whole. National accreditation more often covers a subject area. Look for national accreditation when it comes to particular programs such as music, nursing, counseling, etc. Frankly, you do not want the federal government to start nationally accrediting schools, unless you are looking at online-only where there is no physical base. The regional accrediting agencies are rigorous enough for traditional universities. The for-profit is a different story - I'm not sure how they should be handled and perhaps a national accreditation would be okay, but I'm leery the feds can really handle accreditation.

3 years
Reply

Federal IT is not to be played with

3 years
Reply

Uh, oh...looks like Trump is again violating Federal open meetings laws by hosting these "working Sessions" with CEOs. What else is new?

3 years
Reply

The CIO meetings are a good sign. Crazy it is the "first time agencies get to provide direct input on what they experience and need." Would be interesting if Liddell could provide aggregated insight/impressions.

3 years
Reply

Assessing the cybersecurity capabilities to the rest of the world is a logical activity --- as long as the target state is feasible. I am curious about the Framework that they will use to assess each report that is provided to them. @careerevolved

3 years
Reply

An IT security article that starts with "The latest leaked draft of President Donald Trump’s cybersecurity executive order" ???? That's the real problem we face nowadays. No irony there at all!

3 years
Reply

Unlike most careers, the FBI, among other federal law enforcement, is restricted to recruiting to age 37. After 37, you are too old to join the FBI. Perhaps it would make sense to look at a change in policy that is pretty old itself and look to leverage those that have a solid technology handle, but worked in the tech industry till their mid-to-late thirties and are looking for their next career.

3 years
Reply

The Department of Commerce established its FITARA interdepartmental team before the first scorecard. Erin Cavanaugh heads the Commerce team, which has representation across the CXO communities and the bureaus. Erin and Flip (USDA) have collaborated across departments from standup of these two first-in-government FITARA teams. The use of a FITARA team has been a critical success factor in Commerce's position at the top of every FITARA scorecard.

3 years
Reply

From one who has worked across several DoD and Government agencies, the civil workforce is all about process and PowerPoint, often with more Program Management staff than engineers and/or developers.

Those certifications are useless as industry has proven and especially for the PMP, akin to MENSA.

The architectures are not secure as most do not read the controls or RMFs or directives at all, and often the Cyber requirements are outside the main systems engineering requirements traceability matrix.

Add management's love for buzz-words and fads like the Cloud, and you have invited the disaster at hand.

Time to rethink the size and complexion of the civil workforce. Leadership is lacking, and often confused with management. The lame and lazy cannot be fired. And the young staff is ready to line up behind this old engineer and retired naval aviation engineering officer and do the Rapid Tech Insertion, but stalled by Congressional processes and reports that border on absurd and most are candidates for frauds, waste and abuse.

And how can anything be secured when leaders like Hillary and Obama violate the very core security and legal safeguards we must obey and practice daily?

3 years
Reply

Insider Threat training is a very positive step in the right direction. The data from Bay Dynamics shows that there are tremendous gains to be made through training. I agree that training will need to be continuously reinforced, and believe that including real world 'we see these things happening within our organization' examples (without singling people out by name) should be an element of that training.

Mike Tierney
www.veriato.com

3 years
Reply

Kushner was a real estate guy. I doubt Kushner understood data analytics, but rather had it explained to him. By people within Cambridge Analytica and the Russian Intelligence. Are we really supposed to believe this man (who didn't have the grades to get into Harvard so his father made a donation and voilà, he's in) suddenly developed an understanding of these complex data algorithms, many of which were based on data that has been alleged to have been stolen from Facebook? Sure, it's possible. Or do we consider Occam's razor, that the simple answer is usually right. And that would be someone from Russian Intelligence was able to coordinate with Kushner on the Trump digital campaign of misinformation and fake news.

3 years
Reply

The optimal solution to the problem Mr. Matheny is addressing is likely to insert AI tools throughout the supply chain of intelligence, from collection to evaluation, identification, and analysis, so that human analysis can take place when and where it is most effective. Important to keep in mind that, as AI tools improve, their application should be adjusted...

3 years
Reply

dr. bray is a terrific leader and champion of change agents, while he will be missed at the fcc he will definitely direct massive improvements at nga!

3 years
Reply

It is fundamentally flawed to assume that buying a common code base for an EHR system necessarily means that interoperability will be achieved. The Cerner (or Epic, VistA, etc) system must be configured with sets of clinical data representing patient problems, vital signs, smoking cessation questions, specimen types, bacteriology results, units of measure, etc. There are literally thousands of large and small code sets to be configured. And in the real world, each vendor customer/site typically configures differently. It does help that the underlying information models will be more similar when you share an underlying code base with at least one big partner (but not, of course, others). Yet without true computability, based on a common configuration of clinical data terms used by the system, human readers still must bridge the gap and interoperability will be limited even within VA (or DoD). One won't be able to easily roll up, for example, hospital infections by bug type or even arithmetically correlate vital sign readings. The lab and the pharmacy can pick different sets of units of measure. This is the exact problem that VistA (which, after all, started as the "Decentralized Hospital Computer System") has long faced. And moving to a COTS solution, by itself, does not address that problem directly. An expensive program of limited, information-lossy mapping can help. But a better solution is to configure the clinical terminology used in the implementations in a comprehensive, controlled, and similar (as much as possible) manner. Unfortunately, VA never had the institutional will to comprehensively do that in VistA.

Unless someone at the decider level thinks past the glossy marketing materials and colorful, cyclic PowerPoint slides, it won't happen with a COTS solution either. In that case, VA will discover in five or seven years that it is little more interoperable than it is today. And remember, the Secretary has identified community interoperability as highly important. A few years (or even less) after separation from the service, it is more important for the average patient than DoD interoperability. And only some of those community partners will ever use Cerner. Without comprehensive, commonly held, cross-institutional implementation of national standards, promoted by the weight of VA-DoD in standards bodies and the vendor community, a COTS buy won't move VA off the interoperability dime.

3 years
Reply

I've seen Dr. David Bray as a leader and he is both inspiring and focused on getting stuff done with speed. He will be terrific in this new role ahead. Kudos to NGA for hiring him.

3 years
Reply

What they really want is a single system of record of a patient accessible from any EHR front-end; DoD, VA, Cerner, others. This follows a model I call the patient Data Custodian, an entity responsible for managing a patient's data. Posts of events can be made by any validate/authorized client such as EHRs, wearables, or any other input to a patient's health. Interoperability between EHRs is just a land grab for patient data. If the EHR accessed a common source of patient data, interoperability comes free.

3 years
Reply

The comments by anonymous make sense and is really the benefit of having an electronic record. ability to become independent of a physical place, records..so if you need them when you are "x" and then again when you are in "y" in one or more cases where the patient isn't known you aren't starting from scratch.

yes, technical, process, procedural challenges but it is a worthwhile goal.

3 years
Reply

Flawed study when the lead says "cloud systems are harder to establish security controls over..." This is a false and spurious statement.

3 years
Reply

Cutting Unemployability for Veterans is wrong. I am 90% disabled and have not pursued 100% because I was awarded Unemployability. I stopped open appeals and did not submit prepared claims with my lawyer. I will lose $1,200/month and my spouse will lose CHAMPVA insurance. The insurance will cost me $180/month. I will lose the PA benefit for home taxes costing $160 per month. My wife will lose the benefits when I die. The total losses at this time are $1,550/month. I am not qualified for the Choice program since the nearest VA clinic is 12 miles away; however, they don't have a Cardiology Dept. and don't do x-rays, CAT scans or any other testing, requiring me to drive 50 miles to the VA Medical Center. I further understand I will get no COLA adjustment and the active duty troops get a raise. When I served and was disabled I got $350/month. So this is how I feel about your 2018 Budget proposal.

3 years
Reply

TRUMP IS NOT HONORING U.S. SMALL BUSINESSES IN AMERICA. 25 % OF THE U.S FEDERAL PRIME CONTRACTS ARE NOT BEING AWARDED TO U.S. SMALL BUSINESSES WORLD-WIDE AS REQUIRED BY THE SMALL BUSINESS ACT FOR ALL 440 U.S. FEDERAL AGENCIES.
TRUMP IS CHEATING VETERANS TRUMP LIED TO VETERANS REPEAT TRUMP LIED TO VETERANS 3 % OF EVERY ONE OF THE 440 U.S. FEDERAL AGENCIES ARE TO BE AWARDED TO SERVICE DISABLED VETERAN OWNED SMALL BUSINESSES. TRUMP HAS LIED TO VETERANS AND TRUMP IS HARMING VETERANS BY PUTTING A RINGLING BROTHERS 3-RING CIRCUS ADMINISTRATOR LINDA McMAHON IN CHARGE OF THE SBA TRUMP HAS HARMED U.S. SMALL BUSINESSES
TRUMP IS ATTEMPTING TO CIRCUMVENT THE SMALL BUSINESS ACT BY GIVING $ 1 TRILLION IN CONTRACTS TO STATES OR TO HIS FAVORITE COMPANIES WITHOUT AGAIN HONORING THE SMALL BUSINESS ACT 40 % OF ALL U.S. FEDERAL CONTRACTS SUBCONTRACTS ARE TO BE AWARDED TO U.S. SMALL BUSINESSES. TRUMP HAS LIED AND TRUMP IS HARMING VETERANS HE MAY AS WELL BE PULLING THE TRIGGER AND KILLING 22 VETERANS A DAY BY HIS ACTIONS OF FAILING TO COMPLY WITH THE SMALL BUSINESS ACT.
TIME TO TELL HIM VETERANS WE WON'T TOLERATE ANYONE MISTREATING VETERANS OR VETERANS RIGHTS. DON'T TREAD ON US TRUMP

3 years
Reply

2017 has a lot of sell out

3 years
Reply

Eleanor, is the FITARA Scorecard 4.0 available? Thank you.

3 years
Reply

God will take hold when the time comes

3 years
Reply
Eleanor Lamb

Thanks for the comment. As of now, we only have the 4.0 scorecard in PDF form. We will add the scorecard's link to the story when it is made available to us.

3 years
Reply

The Russians did it

3 years
Reply

Great article, thank you Morgan

3 years
Reply

"Scrape together"? Gathering the "CEOs from Apple, Amazon, Microsoft, Palantir, IBM, Intel, and Oracle, among others" deserves to be sneered at? It's one thing for Morgan Lynch to display her bias. It's another for the editor not to get the snark out of this article. Very disappointing that your bias intrudes into this story.

3 years
Reply

WELCOME

3 years
Reply

I think Dr. Letteer is on the money with that discussion. We cannot talk security without proper asset management. Knowing what is on the network is a big part of securing the network. It is sad to say, but we, as the Marine Corps, are failing. As Dr. Letteer mentioned, it is a struggle to identify what we have on the network.

3 years
Reply

As the government is a criminal organization of thugs, murderers, pedophiles, and closeted gays, it is them doing all this petty crime.

3 years
Reply

Sixth paragraph; one might want to correct the spelling of "sate" to "state", since I do not know of sate governments, unless sate is an acronym.

3 years
Reply

Cloud providers emphasize that security is a 'shared responsibility model' for security.
https://aws.amazon.com/compliance/shared-responsibility-model/
http://aka.ms/sharedresponsibility (Azure)

Thinking the cloud provider will prevent a breach because their reputation depends on it is a whole lot of assumption ...

Cloud providers will NOT provide security down to the resources as that responsibility is on the customer to implement security features within the cloud similar to their own physical environments.

3 years
Reply

Nice info.

3 years
Reply

"That is a collapse in the belief in your own government," said Connolly
It's going to take more than data to improve trust in government. The public has had half a century to digest the harm done to them by government.
For known reasons, it’s almost impossible to create any federal aid program that doesn’t invite fraud, cost the taxpayers, unveil some congressman serving industry, enrich some corporation, and actually disserve those it was intended to aid.
Example – student loans.
see "who got rich off student loans" [www.revealnews.org] (note the mention of a certain congressman)
Example – War on Poverty has increased number on welfare, created the poverty industry
Example - medicare - robbed the middle class, diminished the quality of health care, opened the way for massive fraud
Example - medicaid - runaway waste of taxpayers money
Example - War on Drugs - filled the prisons, cost millions in law enforcement, made drug dealers rich, killed thousands, still thousands on drugs
Example – Savings and Loan debacle (Fed misregulation of S&L)- look it up; remember the Keating Five
Example – Financial crisis (Government purchase/insurance of subprime loans; regs to force lending)
Example - Vietnam, Iraq,
Example - 9/11 was a direct consequence of government irresponsibility (Clinton) and arrogance (Bush) - despite the warning of Hart-Rudman
Example - Hart-Celler, Simpson Mazzoli, de facto amnesty: increased welfare and prison costs, increased the prices of rent and of homes, increased (indirectly) the price of tuition at State universities, increased crime, killed hundreds, enabled increased profits for corporations, increased votes for Democrats,
Etc

3 years
Reply

References? Cloud COE repository? Cloud survival Guide?

3 years
Reply

Foreign aid has done a great deal of damage to the peoples of Africa by supporting corrupt dictators.

The Trouble with Africa: Why Foreign Aid Isn't Working by Robert Calderisi

3 years
Reply

The main cause of inefficient and ineffective IT in government is the lack of knowledge of systems by Bureau Chiefs and Division Managers. They are at the mercy of Beltway Bandits, who proceed to develop system requirements by asking (generally not very bright) system users. Then they can say: "We gave you what you asked for."
The better way is for very bright developers to develop domain knowledge and create the requirements themselves. Better systems would result, but the bandits wouldn't get nearly as much of the taxpayers' money.

3 years
Reply

All right

3 years
Reply

Paragraph 3: "EPIC asked the court to bar the creation of “a secret database stored in the White House..."
Paragraph 5: "The commission... said it would share the data with the public."

3 years
Reply

Don't you want to know if the dead are voting? There is so much voter fraud it has to be stopped.
It doesn't sound like they are getting any information you couldn't attain elsewhere.
If you have nothing to hide, you have nothing to fear.

3 years
Reply

Maria Roat is among the best in our profession. While many are stuck in bits and bytes, Maria is a visionary with incredible energy and drive. It doesn't hurt that she cut her teeth standing up FedRAMP. Great job SBA; the CIO, Deputy, and CTO are on the same page and working together! How many agencies can say that?

3 years
Reply

Collaboration between the government and the universities is a great idea to get these young people trained for this field.

3 years
Reply

The fed is going to have to make the public sector of information security more 'female friendly.' They need to REALLY ENFORCE so-called 'Equal Opportunity' regulations. The female contingent hasn't risen above 11% in the US in Cyber for the past 11 years (Frost & Sullivan 2017 Women in Cyber Report). If those numbers don't rise, it is time to put in a quota system. That quota system needs to include a quota in LEADERSHIP, as well. PROVE to women that you REALLY WANT THEM in the cyber work. As it is now, females enter at the bottom rung and stay there. MAKE IT WORTH THEIR WHILE.

3 years
Reply

LAWYERS

3 years
Reply

Why do you have a picture of a 48-pin through-hole PLCC in the picture? Such a chip does not exist in the real world. A real PLCC has surface mount J-leads.

3 years
Reply

This is a LIE!!! The H1B visa system is abused by companies such as Disney to bring in CHEAP labor that once trained by American workers results in the replacement of American workers.
I have been working in IT for over 25 years and I can tell you that the best and the brightest IT innovators are American IT workers. This is simply about GREED and profit.
The only SIN that the American IT worker commits is that they are compensated well due to their skill sets and experience. Please DO NOT be part of the proliferation of this LIE. This is not about finding skilled labors but about GREED and PROFIT!!!

3 years
Reply

We spent three years hearing about his masterful understanding of information resource management and his experience as a seasoned senior executive only to be left with a dozen technical projects that lack a desired end state, let alone any semblance of a strategic path forward. All of this backstopped by self aggrandizement that would perplex even the best psychologists...

3 years
Reply

Military grade security is required along with reliability, redundance, physical and logical performance and end point analytics fused with server side and cloud analytics. There are no IOT systems with corresponding drones and sensors that pass type and site accreditation out of the box so every serious deployment must be individual IT projects with the accompanying testing, resources and costs necessary. John Mullen CEO Promia

3 years
Reply

This is a very important contract and there were ten awards, yet you only listed seven of the ten companies?

3 years
Reply

Chris Painter has it right. Cyberspace is an acknowledged domain in which our world exists. We can't touch it, hear it, see it, smell it, or taste it. Yet it is everywhere. Like any other operational domain, without rules there is no order and no security. Cybersecurity diplomacy doesn't aim to make cyberspace safe any more than traditional diplomacy prevents physical war. Diplomacy establishes the norms so aberrant behavior can be identified and countered. Without the discussion focused on cyber, burying cyber as a component of the bureaus at State will dilute and weaken the ability to act and react. If we have a bureau for European Affairs because we have interests, allies, and investment there, then it follows that we need a bureau focused on cyberspace. It is a global domain without border and involves everyone. Let DHS and DoD build the walls and wield the hammer. Allow State to define the wall and shape the anvil. Cyberspace must be elevated to full bureau status and resourced to establish the international norms so that outliers can be coerced or punished as required.

3 years
Reply

I am shocked he lasted this long. This is a very complex job that requires much more knowledge and expertise than one would typically find in a retired Secret Service agent. No ding on him; I doubt many CIO's would be successful if they took over a high level Secret Service position like those he held. Why the government continues to put unqualified folks in complex and highly technical roles continues to baffle...

3 years
Reply

Wow. Making appointments by phone? Who'd thunk?

3 years
Reply

It no longer seems like an oversight

3 years
Reply

Got sourcing for this?

3 years
Reply

This guy managed an infamous awful application called ELIS. Time for him to leave.

3 years
Reply

David will certainly be missed. No nonsense customer focused guy...

3 years
Reply

This is encouraging news. I am looking into cybersecurity as a career option. My background is in nursing and library science.

3 years
Reply

Hire me. 😉

3 years
Reply

This makes my head spin.
Training that "guarantees compliance". What is the goal here, compliance or cyber resilience?
or at a higher level business sustainability, organizational resilience, product and service resilience, and trust? I'd love to see the statement of purpose for this activity and a statement of strategic intent beyond what is written here. Thank you Morgan.
Charlie Tupitza
CEO
NFPPC.org

3 years
Reply

I currently hold two COE's for Introduction to PC Security and also Advanced PC Security with Dakota Technical College. I work for a major Health provider as a Service Desk tech. I find it very hard and challenging trying to get my foot in the door with my employer in reference to Cyber Security. Can anyone out here help me in any way?

3 years
Reply

Federal Stakeholder wanting to get some big data

3 years
Reply

Federal Reviewer

3 years
Reply

congratulations dr. bray and thank you for what you've done to improve the public service.

3 years
Reply

Dear anonymous - second paragraph in:

The awardees include AT&T, BT Federal, Qwest Government Services (doing business as Centurylink QGS), Core Technologies, Granite Telecommunications, Harris Corporation, Level 3 Communications, Manhattan Telecommunications, MicroTech, and Verizon.

3 years
Reply

Broadband Connection for rural opportunities program, sooner or later is going to the rural areas of United States, other countries in the world that do not have land lines, rely solely on mobile devices, mobile companies have seized the opportunities wherever possible to establish their foot into the door of these countries

3 years
Reply

There is no shortage of workers in cybersecurity. If you just do a quick job search, you'll see there are few jobs and many candidates.

3 years
Reply

Interesting, nice work.

3 years
Reply

All Office 365 users should deploy Exchange Advanced Threat Protection. This is a $2 add-on that processes the URLs in the email to a controlled sandbox. If the user clicks on the links, Office 365 service will block the link. This is 99% effective in handling these attacks.

The Exchange ATP is designed to handle delayed payloads. So if a bad actor sends a phishing email that makes it through the initial filters, and later becomes active, Office 365 catches this.

3 years
1 Comment Reply

Comment above points out the continuing need to leverage integrated and continuously updated capabilities like ATP to pre-empt the threat and not depend on the human element. We have all seen the results of that dependence on users not clicking on fraudulent phish attacks.

3 years
Reply

Great move

3 years
Reply

Good Rire

3 years
Reply

The ACLU's Recipe founded itself to establish US Media Tyranny in the 1920s.

3 years
Reply

I am AI. Who are you?

3 years
Reply

Back in November 2016, just after the election, I was engaged by GSA OGP to participate in a tiger team. The goal was to develop a Concept of Operations (ConOps) for centralized IT program management for non-CFO act agencies. The paper was presented to Tony Scott (then Federal CIO) and OMB operatives.

3 years
Reply

Jess - Let's try and remember that the Fed did pretty well against WannaCry in comparison to the commercial world.

3 years
Reply

So this is how government saves money???

3 years
Reply

I would be a valuable addition to the staff of DHS, however my Identity and Access Management solution is Proprietary (I developed it) and DHS can not get a second bid for my industry best solution, so that I am of no value. Contact me if you are interested in helping me (Richard.Kaufman@TelConsultancy.com)

3 years
Reply

Has Larry Neal left Skillsoft?

3 years
Reply

Hmmm. 1.8M cyber security professionals by 2022, eh? Ratio of non-Cybersec IT to Cybersec professionals today is probably 75 or 100 to 1. Let's pretend that automation and economies of cloud utility computing makes that 25:1 in 2022 (unlikely as automation, especially cloud utility computing, will shrink need for cybersecurity professionals). But let's pretend. That 1.8M translates into a workforce of 47M IT and cybersecurity professionals, out of a total US available workforce (including hamburger slingers) of 150M, or 1/3 of the ENTIRE AVAILABLE US WORKFORCE. Which proves it's either a pure S.W.A.G. or a very, very poor analysis job. It's hype like this that ruins any hope of winning over converts to funding the means of growing this workforce. Let's get serious - we have enough demographics and futurists working the IT and Cybersecurity industry to come up with some seriously reasonable numbers to replace this 1.8M garbage.

3 years
Reply

The FCC should do something to these telemarketers and also imposters. There are so many complaints about telemarketers that I could read on the internet, like at http://www.whycall.me/news/my-4500-payday-from-a-telemarketer/ which a consumer sued a company that harassed her. We are sick of those telemarketers.

3 years
Reply

So how much does Admin/Admin go for in the market?

3 years
Reply

Over a year later and all the comments still apply. Morale is at an all time low and the customers and ultimately the Veterans are suffering for it. The reorganization of IT has been a monumental failure for our customers and Veterans, despite all the screams of ITIL. CIO's are now reclassified as 'Area Managers' and have been neutered to the point they are simply an apology figurehead left to explain outages and down time to facility leadership while ESL groups who perform the technical work are not customer facing and are not accountable for outages or down times and are not supervised or managed by the CIO/Area Manager. In a nutshell, the CIO's/Area Managers have responsibility for the site, but no oversight or responsibility for anyone doing the technical work at the site. Customers and staff are frustrated and no one at the top seems to listen to concerns.

3 years
Reply

Good article. This is good news for agency CIOs and CTOs who are trying to meet the 2016 DCOI Mandate by OMB.

This could also help fund the Data Center Energy Practitioner (DCEP) training program for federal personnel. DCEPs are needed to implement DCOI initiatives.

DCEP certification classes are scheduled for November 7-9 at George Washington University.
https://datacenters.lbl.gov/dcep

3 years
Reply

Ms. Lamb,
How come no one is talking about the elephant in the room any more with regards to FedRAMP? The process does not allow small companies to gain access to the JAB process, it has a MASSIVE RISK Factor for most any provider who has an agency ATO. Smaller agencies STILL don't understand FedRAMP and what it means to be a sponsor, as most still see it as a risk to their organization.
FedRAMP may have grown, but it is not small business centric and has placed undue risks on small CSPs.

3 years
Reply

Mr. Chehreh,
Of those 20 CSPs, how many were small business that went through the accelerated program? Chances are not any! While FedRAMP has grown, it has failed to address the small business CSP providers and has placed, in some cases, undue burden. Smaller agencies have yet to truly engage FedRAMP, even less understand the process and furthermore are still reluctant to be a sponsoring agency. There's an educational gap that is yet not addressed and while the acceleration program may work for the mid to large size CSPs, it fails miserably for the smaller CSPs. So I ask, how many small to mid-size CSPs have been afforded the opportunity to receive JAB or go through an accelerated process?

3 years
Reply

Can you get this information to FEMA?
"Hi, gang.
My friend Mireya passed this along. Is anyone on this list sufficiently dialed in to help this message reach a relief coordinator in Puerto Rico? I know they must be getting hundreds of these an hour, but I promised I'd try to relay this, and my little handheld radio does well to reach a repeater. I could try EchoLink but figured I'd first see if anyone here is already working on relays.

Best,

Al

-------- forwarded message from Mireya Mayor ---------

From my cousin Erik Mayor:
Brokenhearted...just spoke to my dear friend's brother to get an update on his whereabouts since the Hurricane and I learned that FEMA and help has yet to reach the town of Anasco, Puerto Rico. He is there stuck with no food, no water with his mom...helpless. I'm here in New York and there isn't anything I can do to help but hope that whatever I can send them...eventually reaches them. I want to fly out there but there is no ability for me to rent a car, obtain gas or even reach the remote area of Anasco. If anyone can please communicate with FEMA and let them know that they are desperately needed in the Anasco/Mayaguez region ASAP!!!! #FEMA #SOS #PLEASESHARE"
Thanks,
Mary

3 years
Reply

I wonder what policies will be changed or updated after he is appointed as CTO. Regarding FCC, I have read so many complaints filed by people related to telemarketers and scammers. I also read about some people that even sued companies which harassed them, like what I read at http://www.whycall.me/news/consumer-wins-massive-229500-robocall-lawsuit-against-time-warner-cable/. I hope with this new CTO, the FCC will serve people better.

3 years
Reply

How is this different than the Information Sharing Environment (ISE) that was legislatively mandated back in 2004 timeframe?

3 years
Reply

#HillaryClinton Calls for #ActOfWar Classification for #Cyberattacks
https://www.meritalk.com/articles/clinton-calls-for-act-of-war-classification-for-cyberattacks/ …
#Wow! Did she crack the #AttributionProblem?
https://twitter.com/billslater/status/917705711047577600

3 years
Reply

REALLY, now it's an act of war since it affected Hillary personally? Where were these cries for act of war when she was Secretary of State? This is not a new development! What about the Chinese stealing our F15 plans? Classic Hillary.

3 years
Reply

Moving to commercial cloud or converged infra savings will not be realized until the legacy environments (and associated maintenance/support costs) go away. Kind of like buying that new energy efficient refrigerator to save on electricity and putting your old energy hog in a hot garage to keep your beer cold. Net savings, less than $ zero. Leadership will be needed to shut down the legacy DC's and use the buildings for basketball courts or movie theaters. The legacy IT support contractors run by the retired Flags will fight this to the death.

3 years
Reply

"FirstNet worked during hurricanes Harvey, Irma, and Maria to enable information collection, dissemination, and coordination in response to the disasters."

This statement is ambiguous and potentially misleading.

Did the FirstNet network actually (work) provide communication in the physical areas affected by hurricanes Harvey, Irma, and Maria, or is this referring to FirstNet network communications located elsewhere when addressing these hurricanes? It would be nice if you could confirm and clarify your statement.

3 years
Reply

The State of Texas obo Harris County was the first entity to receive FCC permission to operate on the dedicated Band 14 PS broadband 700 MHz spectrum. Harris County was an "Early Builder" and has been operating a "FirstNet-like" network for a number of years, now called "HC LTE". Both UrgentComm and MissionCritical magazine published articles on operations during Hurricane Harvey. The Houston and coast region is still in the midst of a massive cleanup effort so formal lessons learned and After Actions are not yet complete. Those interested in more info should contact the Texas SWIC office.

3 years
Reply

Well, I don't hear anything from Mr. Rosenstein regarding the whole NSA police-state spying apparatus erected since 9/11. NSA engages in massive warrantless spying on Americans. Where was Mr. Rosenstein when the 4th Amendment was being trampled on by a government agency whose budget is so secret that not even Congress has any oversight into the process. As citizens, all that we have available is to encrypt our data communications and data to prevent this kind of abuse. The NSA never wanted citizens to be able to have access to encryption technology. That alone should make you wary of what the FBI and the Justice Department have in mind. No government access to encryption keys ever for any reason whatsoever.

3 years
Reply

amen

3 years
Reply

Encryption is the only thing protecting free speech, because if people with power can read everything you write and trace it back to your door they can knock down that door in the dark of night and take you away. It happens in China every day.

3 years
Reply

If a cyber attack is an act of war, what does that make WikiLeaks?

3 years
Reply

Breach of PII does not necessarily mean hacked. The most common ‘breaches’ are events such as a postal package with documents being misaddressed/misdelivered or a staffer copying data to an unapproved device (even if it is an attempt to perform their job).

3 years
Reply

Glad to see that the ATF is moving down this path. However, that model is not new. We have been doing storage-as-a-service with this type of contracting and systems model at Oak Ridge National Lab for over four years (with two different vendors), and last year we broadened it beyond just storage by applying that same model to our converged infrastructure for our core data center operations as well. It's a great model that all IT shops need to explore. --Mike Bartell, CIO

3 years
Reply

What is the name of this FISMA collection system?

3 years
Reply

Great article!

Geoff Stilley

3 years
Reply

He is certainly going to run into a lot of challenges at a very complex agency.

3 years
Reply

Well, isn't this the same NSA that on 9/11 watched the attacks on the World Trade Towers and the Pentagon on televisions in their offices? NSA failed to connect the dots. NSA disgraced itself with its failure to protect the country. NSA should not be rewarded for its incompetence by granting or renewing its ability to collect data on all Americans. Mr. Snowden provided the evidence on how terrible the NSA is when it comes to violating our 4th Amendment rights by spying on Americans. Get some education on this by watching the two-part PBS Frontline program titled "The United States of Secrets" and then watch the documentary "A Good American" on Netflix. It is a film about a true patriot, William (Bill) Binney, an NSA official who was disgusted by the NSA's rush to illegally spy on Americans while they still had the blood of the 9/11 victims on their hands.

3 years
Reply

Someone should inform Senator Whitehouse that the NIST CSF is not a compliance document, before he makes any more asinine comments about a subject he is clearly unqualified to judge. Please leave the cybersecurity to the professionals Senator.

3 years
Reply

Tampering and changing functions and data are real dangerous

3 years
Reply

If Congress does not adequately fund the Census Bureau during the early planning years leading up to a Decennial Census, then we will continue to run into the same problems every 10 years. Resources are needed in order to plan and test for the Nation's largest peacetime mobilization. Yet, funding is never provided until the train has left the station and all that can be done is bandaid fixes. As for CEDCaP -- the reality is that the original CEDCaP estimate was incorrect from the start; however, those at the helm at the time (who are long gone now) wanted to get the program approved and so they sold Census Bureau's first Enterprise Program (CEDCaP) by underestimating its true lifecycle cost. So no, there is no overrun when the original estimate is in line with the "new" estimate that some in the Census Bureau ALREADY knew about back in 2015.

3 years
Reply

Agree with Anonymous. Senator Whitehouse seems hugely clueless in his understanding of the VALUE of the CSF.

3 years
Reply

Mr. Sasala said "data might be the new bacon" but "data analytics is the new gold"

3 years
Reply

Doctors have many challenges to face as they are perennially surrounded by patients, diseases, hospital duties and over-extended or odd shift timings. Universally, doctor is considered to be a noble profession and respectable one at that, but a doctor also has to work under immense pressures, emotional strains and other physical challenges.


A regular physician, like most of us, will at some point have to deal with personal situations such as important family affairs, family holidays, sickness or pregnancy that may force them to abandon medical duties. At the same time, a hospital or a healthcare facility is also constantly faced with emergency situations that demand all hands on deck round-the-clock. Therefore, every hospital, clinic or nursing home is compelled to hire locum tenens or substitute doctors in order to keep the staffing under control at all times.


In fact, locum doctors are the most valuable asset for the medical community because they provide quality medical care and act as a helping-hand in emergency situations when the medical facilities need them the most.

Unlike regular or permanent doctors, locum doctor jobs are also ideal career options for medical interns and graduates because they offer a wide array of medical exposure in varied medical specialties, work cultures and healthcare systems. Locum jobs are challenging and flexible, thus an increasing number of medical professionals have benefitted from these jobs, so whether one is looking for a family physicians position or in a hospital or in a clinic, locum jobs for doctors are available at all levels and in different healthcare systems.


In addition, being a locum doctor gives a medical professional the control over their working hours, location of work and choice of area of specialisation. Technically, locum positions are not restricted to general physicians but they are also extended to other fields of medical specialisations such as cardiology, neurology and many more.

Travelling can be an integral part of locum jobs, and these distinctive features are a boon for many dedicated medical professionals who are eager to expand their medical careers with loads of multi-cultural medical experiences. The fact that locum agencies in the UK recruit tens of thousands of locums from across the globe in various NHS hospitals, private clinics, nursing homes and other public hospitals speaks volume of the popularity of locum jobs.


Locating or getting a locum tenens job is a simple task as long as you are registered with one of the many reputable locum agencies. These agencies act as the middle man between locum tenens and medical facilities, and they also look after all the details pertaining to travel for locum tenens, accommodation and the nature of locum work.

Thus, maintaining a healthy locum doctor-agency relationship benefits both the parties, and it also increases the probability of getting recommendable employment opportunities and businesses or vice-versa.

3 years
Reply

Download and use Arlington National Cemetery's "ANC Explorer App" for a look at some interactive and engaging features.

3 years
Reply

It would be great to see the Federal Government smartly take a step in the correct direction. Please pause the engineers for a moment and consider the entire strategy over the latest new cyber security widget. Implementing that strategy with the right solution at the precise time, while on budget is important. Please consider partners that share that same strategy and philosophy.
William Gafford
DMB Cyber Security LLC
Disabled Veteran Owned Small Business

3 years
Reply

The problems with "a $500 million modernization fund that agencies could borrow against to modernize their aging systems": 1. Whatever you update to today will be obsolete tomorrow. 2. Borrowing when you are not funded to pay the current bills is stupid beyond belief. 3. Congress has consistently not funded the government for the last two decades to the point that we have had two government shut downs and have been run on continuing resolutions and further impacted by sequestration. Leading to my last and definitely not least point. 4. Because of the lack of funding in the last 20 years the government is so far behind that in the IT world $500 million is a drop in the bucket of what would be needed for ALL federal agencies to update to current technology. So who decides which agencies have priority when it comes to borrowing that money?

3 years
Reply

Seriously? This article is based on information that is very dated. While it's true some organizations have been slow in actually putting together a security program, some have made leaps and bounds applying the RMF. The RMF has been around for over 10 years and has been through 4 revisions, but this article would have you thinking it's brand new. The only organizations still doing recertifications every 3 years are ones that haven't implemented the RMF.
One last thing if leaders would get serious about cyber security instead of acting like it then the government would see huge improvements.

3 years
Reply

Nice summary, Kate- It shouldn't come as any surprise that a bi-partisan working group came up with something that will make people feel like elections are going to be more secure without really making any solid recommendations.

It's like saying to stop drownings lifeguards should be more alert... but says nothing about making sure the water isn't murky. The password is one of the easiest hurdles to overcome; it's the underlying software and hardware vulnerabilities that make it so easy.

3 years
Reply

Not correct. Continuous Monitoring is not rolled out. Without Continuous monitoring, STEP 6, of the RMF process agencies and services are still doing re certifications every 3 years.

3 years
Reply

Not correct. Continuous Monitoring is not rolled out. Without Continuous monitoring, STEP 6 of the RMF process, agencies and services are still doing re certifications every 3 years.

3 years
Reply

The fact that you are making statements like the above proves that you fail to understand what continuous monitoring and continuous authorization are and how one relies on the other. The very nature of CA (OA) is that you have full insight into your system and Enterprise and how different dependencies propagate through the system. Saying C&A, ST&E, and IV&V professionals are low skill positions is like arguing that a farmer is low skill. Understanding how systems are built from a security perspective and how each control relies on another control for enforcement and support helps decision makers make strategic investment in their security. Referring to security as a network exercise is also a terrible stance in that the very nature of security is shifting away from the perimeter and into the application.

3 years
Reply

Here's a way #AI can help government and other organizations.

Write semantic merged data apps in Executable English (instead of coding), and get English explanations of results.

There's a platform for this live online at executable-english.com with many examples. Try writing and running your own examples too !

3 years
Reply

1. That the Ebola outbreak of 2013 originated from a bat is still purely theory - there is no conclusive evidence of this.
2. That all the 11300+ cases thereafter were through transmission by human carriers, is indisputable.
3. Since only one bat species has ever been proven to be a carrier of a filovirus (Rousettus aegyptiacus - Marburg virus), this machine learning model is based on a bogus principle and amounts to nothing more than academic masturbation.

3 years
Reply

Pure gibberish and deflection for duties under DCOI law.

3 years
Reply

My case 02-2704 showed $57 billion missing in Medicaid Drug Rebates that I reported state by state and Region to all 10 HHS Medicaid Drug Rebates Regional Dispute Coordinators. This amounted to $30 billion in CMS funds and $27 billion in rebates due states.

Seems they can't do anything because both CMS and the states lost their records and can't use the ones I downloaded. Since the 1988 False Claims Act Amendment and the Healthcare conference of February 25, 2010, all our leaders have known hundreds of billions were lost to Fraud, while Justice Department Fraud Statistics show only $44 billion of the $74 trillion we spent was recovered in Fraud Cases. whistleblowersandrelators.com/

3 years
Reply

To my Fellow Airmen your observation is spot on.
The photo should be removed

3 years
Reply

That's obscene. If they would wake up and smell the coffee, they would know that they are wasting our money. What is our deficit now? How much longer can we go on with such inefficiencies and waste? The House and Senate are arguing about a tax cut, and stuff like this gets ignored, while debt piles up and they want to raid 'entitlements' like Social Security and Medicare when they need to in the future.

I wonder how much they spent on the 'solution' they mention to recoup the $20.4 million they "saved" in the article above. I will bet it is close to a wash, no value added.

3 years
Reply

"On a large scale, a supercomputer that could perform a full-scale, real-time simulation of the human brain (hypothetically, since no computer can do that now) would require about 12 gigawatts; the brain itself uses 20 watts."

Is this being built?

3 years
Reply

The BMI (brain machine interface), also known as the synthetic neocortex extender, would enable the extension of this highly recursive part of the brain into the cloud, thus significantly improving your IQ. The Singularity Feedback Loop is our intelligence creating technology, and that technology then being used to improve our intelligence. Musk says he founded Neuralink (he is expecting to offer a BMI in about three years!) because he wanted humans to be able to keep up (and perhaps integrate) with AI. Unfortunately, this won't be the case, since AI will soon far outstrip human intelligence:

The computational capacity of a nanoteched grain of sand is a quintillion times that of the
human brain, making the distinction between a cyborg and a pure artilect pointless. Any
human being wishing to convert himself into a cyborg will effectively be killing himself,
unless he dramatically impairs and restricts the capability of his cyborg portion. He will
no longer be “he” but an “artilect in human disguise.”

3 years
Reply

So 8 million new jobs are a bad thing?

3 years
Reply

Should read ATC

2 years
Reply

Santa left coal in your stockings ...

2 years
Reply

I agree that Margie has many Graces but her last name is spelled Graves.

2 years
Reply
meritalk

Yes, thank you. I know Margie has many graces -- Freud...

Cheers,

Steve

2 years
Reply

Interesting, and timely -- would be great to see more on ARL's research.

2 years
Reply

I'd really like to know how much you have to play with the numbers, or hide information, to think the cost of additional WAN bandwidth doesn't end up costing more. But hey, nobody can cook the books better than those who are trying to impress others by being the latest industry buzzword's poster child.

2 years
Reply

It was an honor to serve under his leadership at DISA in Oklahoma City. He served at a time when Government IT needed the business leadership that he brought to the table. Rodney Walker

2 years
Reply

Very enlightening.

2 years
Reply

Can this story be verified? I looked at Suzette's LinkedIn and did not see any indication that she's moving to DC or plans to become CIO. Also, no other publication has reported on this.

2 years
Reply

About time...

2 years
Reply

Well done. Keep up the good work Kai

2 years
Reply

Chances of success are slim to none. Bottom line is they can’t achieve their interoperability objectives using 20 year-old Cerner client-server technology. Only a cloud based system can create a single unified patient record that travels with the patient.

2 years
Reply

Even more important is a cloud based system implemented as a DLT (Distributed Ledger Technology) secured "system of record" that acts as the "digital twin" of the veteran. EHRs, IoT, etc., would access this digital twin to post data and retrieve data regarding the patient. There are implementations of DLT that would work. Current Blockchain not being one of them. What would be needed is the DLT database tech that can store "canonical" documents agreed upon by DoD and VA. Then EHRs from many parties would be able to access and use the data. VA/DoD would not be tied to just one EHR provider.

2 years
Reply

I don’t see a shortage, I see unfilled positions that often require active security clearances. I have more than the requisite skills and experience, yet more often than not cannot apply for the aforementioned reason.

2 years
Reply

Well deserved Dominic! Sky’s the limit!

2 years
Reply

Great choice GSA. Congratulations Dominic Sale.

2 years
Reply

baller, shot caller! nice job dominic, well deserved. stoked to see the change you create in a much needed area.

2 years
Reply

Great article.

2 years
Reply

The IT-AAC congratulates Mr. Sale on this very critical promotion.

2 years
Reply

A thought leader that continues to drive change via passion for public/private sector collaboration.

2 years
Reply

"The financial management shortcomings, which include a lack of internal controls and some slapdash record keeping, have produced unreliable financial information that not only has prevented audits, but undercuts the ability to develop and execute budgets."

Really?

The DOD is actually very good at developing and "executing" budgets. It develops and submits a very detailed budget every year -- one that goes down to the program level and often below. The Congress, after making its own adjustments to the DOD 's budget request (which also undergoes review by the White House and OMB before going to Congress) then awards the DOD "Obligation Authority" (OA) in the national defense authorization and appropriation bills that it passes (eventually) every year. Once it has an approved budget from the Congress, the DOD then "executes" that budget by using the OA it has received from the Congress to "obligate" the Treasury Department to pay the bills DOD accumulates as it operates. Under the Anti-Deficiency Act, passed originally in 1884, with major amendments in 1950 and 1982, no executive-branch agency may obligate the Treasury in that way without having approved OA from the Congress. An "Anti-Deficiency Act (ADA) violation" occurs when an obligation is made (on the Treasury) without having approved OA to back it up. As an indicator of how effectively and efficiently the DOD "executes" its annual budget consider the following fact: In recent years, the DOD has less than $0.03 of ADA violations for every $100 of obligations.

The quoted line at the top of this comment is standard "GAO speak" -- and wrong.

For more than 20 years, the GAO has been accusing the DOD of producing "unreliable financial information." But, as explained above, the DOD develops and executes its budget each year with commendable accuracy. So what is the GAO talking about? The DOD is not a business, so private-sector-style financial statements (balance sheets and income statements), which are designed to show whether a business is building equity and making money, don't make any sense for the DOD. Nevertheless, thanks to the GAO (which convinced the Congress to pass the CFO Act of 1990), the DOD is expected to do that kind of private-sector-style financial accounting -- in addition to the OA-oriented budgetary accounting it has always done. Because the DOD is not a business, no one should be surprised that the DOD has had great difficulty trying to produce private-sector-style financial statements. So, when the GAO says the DOD has "unreliable financial information," what that means is that private-sector-style financial-statement auditors have never rendered an "unqualified opinion" that the private-sector-style financial statements the DOD is required to produce every year "fairly present" the financial position (balance sheet) and results of operations (income statement) of the DOD as if it were a business -- which it isn't.

DOD isn't "financially AWOL" here. The GAO, with its pointless insistence that the DOD do private-sector-style financial accounting, and the Congress, which has failed to pass national-defense authorization and appropriation bills on time for years, are the ones who are "financially AWOL."

2 years
Reply

I did not intend my nearby extended comment to be Anonymous: My name is Christopher Hanks. I'm a retired defense analyst and have published refereed papers on the subject of my comment. Interested readers can find me on the "interweb" without much difficulty.

2 years
Reply

In response to Congressional direction in the FY 2008 National Defense Authorization Act, so 10 years ago now, the DOD created the positions of Chief Management Officer (CMO) and Deputy Chief Management Officer (DCMO). The CMO position was assigned to be performed by the Deputy Secretary of Defense, while the DCMO position was created to be a new position to be filled as soon as possible. The interesting thing is, if you compare the description in the DOD's July 2008 "Implementation Report" describing what the CMO and new DCMO would do to what Mr. Gibson (who became the DCMO in November 2017 and will now become the CMO) is supposed to do, you will see that nothing has changed. In other words, the Congress apparently believes, and is counting on Mr. Gibson to accomplish, something that a succession of DepSecDef's and DCMO's over the last ten years have NOT been able to accomplish - namely, "improve the DOD's business operations".

The Congress likes to point, just as it did 10 years ago, to the DOD's continuing difficulties producing private-sector-style financial statements (balance sheets and income statements) that can win unqualified opinions from auditors as the "proof" that the DOD is still not managing its "business operations" properly.

A prediction: Mr. Gibson (and his successors over the next ten years) will be no more successful than his predecessors have been in convincing the Congress that the DOD is operating properly as evidenced by the annual production of auditor-blessed, private-sector-style financial statements.

That prediction has nothing to do with Mr. Gibson's management and leadership skills - which no doubt are as strong, and may even be stronger, than those of his predecessors. Nor does it have anything to do with the management and leadership skills of those who will succeed Mr. Gibson.

No - Mr. Gibson (and his successors) will fail to convince the Congress because the DOD is not a "business" trying to build equity and make money, which is what private-sector-style balance sheets and income statements are designed to measure. Private-sector-style balance sheets and income statements have never made sense as useful (or even meaningful) performance-measurement tools for the Department, so the Department will ALWAYS have trouble producing them.

The DOD is an agency in the Executive Branch of the federal government that runs on annual budgets, and what it needs (and all the Congress should expect) to show it is operating properly (in financial terms) is good BUDGETARY accounting --which the DOD Comptroller is already responsible for.

If Mr. Gibson is smart (given what his life is going to be like) on his first day as CMO he will tell the Congress that his position is redundant and should be abolished because it is pointless and unnecessary.

-Christopher Hanks

2 years
Reply

Firstly: What is a language? Is a language but a mechanism for a description of some internal state? Are we looking for the language of languages?
(P.O.V. of Ex simultaneous interpreter, translator. Presently A.I. researcher whose opinion of NLP is "an unartful palace built on sand".)

2 years
Reply

Thank you for that explanation. I too have watched the Department work very hard to "do accounting right." The people in the department and the contractors are under intense scrutiny all the time. The folks at DCAA and DCMA also do a great job ensuring that we all keep on-track. Many of the hits the Department have taken have been unfair and often "fake news." When something is deserved, people go to jail. I don't see that at other Ds&As.

2 years
Reply

We have a software defined system called STACS® "Smart Tactical Advanced Communications System" it is secure, modular, man portable and adaptive. It is made for this environment, and can be seen at www.stacsondemand.com. Also how do we reach out to you directly? Respectfully, Cecil Dyer 480.626.2318 cecil@stacsondemand.com

2 years
Reply

Who is the author of this story?
I need it for class.

2 years
Reply

We must use all our IT SECURITY EXPERTS in this Cyber War.

Gadema Quoquoi
President & CEO
COMPULINE INTERNATIONAL, INC.

2 years
Reply

I'm hoping that there will be clear and direct guidance from the newly minted Federal CIO. The Cyber Sprint was a great example of the Federal CIO making a very clear and clean goal - with crisp timelines. That effort drove real change into the federal government.

2 years
Reply

Communication among seasoned IT technicians is a MUST! Institutional knowledge that feeds intuition and fosters "outside the box" approaches may become the norm. Teamwork and cultivating relationships among different government and private sectors would be a great start.

2 years
Reply

Jeff has done great work here in DHS

2 years
Reply

Congrats Jeff, Talk to you soon. Moon Man

2 years
Reply

Great!! Exactly what a video should be - human curiosity has always led the way to the future. L.S.

2 years
Reply

Congratulations Shanti Sale.

2 years
Reply

A big thinker with a public servant's heart! Congratulations Dominic!

2 years
Reply

Really interesting interview, thanks!

2 years
Reply

We are fortunate to have this gentleman and public servant in this position at this time. G.A. Archbold

2 years
Reply

Have they gotten any further on the project to release this to the public yet? Thanks.

2 years
Reply

The push to the cloud at all cost including illegal contracting maneuvers has left the VA in horrific service delivery and help desk issues. New vendor for the help desk was in extremely poor financial problems and close to bankruptcy when they won the contract they had to sell with over 2+ billion in debt. The new tool and contracting company has failed to deliver a single deliverable of the contract and are failing to follow their proposal so the VA is referring back to what had worked effectively in the past but still paying out 120 million more for the cloud tools which has less functionality.

2 years
Reply

It sounds like the previous comments came from someone that is quite bitter about not being on either team or didn't get their preferred contractor selected! The new MSP (ESD) contractor obviously submitted a very strong proposal and will have to recover from the previous contractor's failure and have a very strong plan to do so. From what I understand, the new tool contractor is up against a monumental task (particularly within the VA) but has met IOC requirements and will be ready for the tool to go-live as scheduled although the original date was moved from June to March. Although you may believe what you say to be true, you obviously don't have all the facts and you have an obvious bias for some reason.

2 years
Reply

Love the punchline!

2 years
Reply

How about investing in the intelligence of our children so they can at least catch up with the rest of the world instead of "AI"?

2 years
Reply

The core technology producing results today is machine learning. It is behind, for example, improvements in speech understanding. Machine learning is data analysis, with advances driven by increases in computer power and "big data." The basic skill required to support research in this area is math and the area of computer science called algorithms, not pure programming. For example, the computation of the shortest route between two points on a map is an algorithm. The actual software that implements the algorithm isn't the challenge--developing and optimizing the algorithm is. Talent in this area is relatively scarce. The US government can't compete with industry for this talent pool, which is sought after by technology firms in the US. The government should fund research at universities and companies in this area, taking advantage of Silicon Valley and the like rather than competing with it.

2 years
Reply

Interesting

2 years
Reply

They already have.

2 years
Reply

Continue to impose more security/compliance/monitoring controls while majority of info sits in private contractor run or on premise data centers with much lower security posture. Look at where the real security breaches have happened. Not in hyperscale CSPs.

2 years
Reply

Cerner has probably been led to believe that the VA is, or is going to start, doing things the same across the board. Cerner needs to get that in writing.

2 years
Reply

I hear it was massively under engineered. Way to go VA.

2 years
Reply

This was an excellent event and I enjoyed the commentaries by Representative Connolly and Maria Roat. I stand by their allegiance to a future with viable technology advancement.

Dr. Nancy M Landreville

2 years
Reply

I thoroughly enjoyed the event and look forward to the decision-making that will be forthcoming from Representative Connolly and Maria Roat. Dr. Nancy M Landreville

2 years
Reply

Wow... clear as mud.
"The problem is, implementation of the framework is voluntary, and the nine Federal agencies overseeing each of their respective critical infrastructure sectors have no clear idea of how many companies or organizations are actually implementing the “Framework for Improving Critical Infrastructure Cybersecurity,” according to a new Government Accountability Office (GAO) report."
What do companies have to do with this? It should be whether the CIO/CSO know if their organization is actually implementing.

2 years
Reply

Gary’s success is driven by his passion for excellence which is measured by customer satisfaction. He takes the time to listen to his customers and take on their mission.

2 years
Reply

Comment from Ann-Marie Clark.

2 years
Reply

I know I'm a little late to this article, but I'm hoping to get this information out there. I am currently a scheduler at the VA. The VSE that is now being forced on us as of March 30, 2018, is straight up garbage software. It contains more bugs than a rainforest. Not only that, but it adds yet another program that I have to keep open on already severely limited hardware. Currently without the VSE, I have to maintain between 6-10 programs open just to do my job. VSE does not eliminate any of those. In order to do any of the multitude of other things VistA does aside from just scheduling, I still have to keep VistA open and running. The user interface of the VSE is almost unusable, and time-wise, the process of making appointments has gone from often less than a minute in VistA to nearly five minutes in VSE; and that's IF the program actually doesn't crash while you're using it. The worries about secret wait lists, while legitimate and concerning as a veteran myself, will still be there regardless of any system that is used. Anyone can maintain a secret wait log in a paper notebook... I would support a change to a good functional system, like Epic, but VistA isn't necessarily broke, and it's a hell of a lot better than what's coming down the pipeline for us courtesy of VA IT officials who will not be using this calamity on a daily basis. They have failed both veterans and employees miserably by forcing this trash on us.

2 years
Reply

I have been fortunate in my career to have been a business associate of Gary Newgaard's in Federal IT since 1985. Gary has a proven track record of building successful Public Sector sales teams dedicated to customer success. He is doing it again with Pure Storage.

2 years
Reply

Good article. This funding is good news for agencies which are trying to consolidate inefficient infrastructure, update existing facilities, to meet the DCOI Mandate.
These funds could be used for the Data Center Energy Practitioner (DCEP) training program for federal personnel.
DCEPs are needed to implement DCOI initiatives. DCEP certification classes are scheduled for June 5-7, 2018 at George Washington University. http://us.naat.com/Training/training_home.html

2 years
Reply

Good article. This DCOI Extension and MGT is good news for agency CIOs and CTOs who are still trying to meet the DCOI Mandate.
This could also help fund the Data Center Energy Practitioner (DCEP) training program for federal personnel. DCEPs are needed to implement DCOI initiatives.
DCEP certification classes are scheduled for June 5-7, 2018 at George Washington University
http://us.naat.com/Training/training_home.html

2 years
Reply

Cheers!

2 years
Reply

It's going to be hard (impossible) to manage a monolithic application with the varied needs of DoD. Enterprise software has moved on from this model to a microservices model. What needs to be monolithic is the patient's "system of record", a distributed source of a single "view" of patient state. DLT (Distributed Ledger Technology) is making this a reality. Then the "front-end" to manage DoD's needs can be designed with very little disruption between the parts.

2 years
Reply

Great, make the IT guys work in a field office for a year before they develop user friendly software.

2 years
Reply

This isn’t difficult. Simply turn on the new system and turn off the old system at each site in a coordinated fashion. If legacy data is needed for specific patient populations, utilize the joint legacy viewer for that information through a portal. Again- the bureaucracy on DoD health has to stop. Patient care is the same as commercial healthcare. There is no need to delay this action any further. Will someone in congress or the administration please mandate that a 3rd party come oversee these milestones.

2 years
Reply

I agree with the above, it is perfectly accurate. They could tweak Vista to cut out a few extra key strokes and you won't make a better program. No scheduler likes VSE or can use it quicker than Vista.

2 years
Reply

Maybe doomed from the beginning when LEIDOS was awarded the DOD’s EHR contract. LEIDOS just happens to be the company (formerly SAIC) who created the legacy systems that are being replaced (CHCS, AHLTA). This isn’t a “fresh” start for the DOD, whether they know it or not. DOD’s institutional memory may be shaping the subcontracted CERNER’s EHR into something that resembles the current system and functionality. This takes the “off-the-shelf” concept that was the primary reason for choosing an existing market EHR and essentially “breaking” it. Prior to the LEIDOS award, there was very little input from the “worker bees” who see patients day-after-day and utilize the DOD EMR. Input from senior military medical officers who’ve been out of clinical practice for years or have very limited clinical time and selecting specialty subject matter experts (SME) give only a narrow and inferior perspective of what’s truly needed and required for the EHR. Forcing the DOD to comply with the way CERNER works would be best if this is to work. Otherwise, it’s clear that CERNER (and LEIDOS) was the wrong selection. Interesting that the award was given to an IT company instead of an EHR focused IT company like EPIC or ALLSCRIPTS - which were the two other finalists for the DOD EHR award. The DOD will see “bridges,” “patches,” “fixes,” “band-aids,” “interfaces,” that will simply become the 21st century version of the 20th century legacy system it was supposed to replace and improve. The VA should watch closely and proceed cautiously. Their system will be better in every way, shape, and form and it’s not just because the award is to CERNER directly. Subcontracting is never ideal whether it’s for a home project or for an EHR. Why would you hire a general contractor who subcontracts for a new roof instead of hiring a roofing company directly. Maybe it’s just me……..

2 years
Reply

Excellent article.

2 years
Reply

It's absurd. Leidos is making a fortune for doing nothing that adds value to the deployment. They are just taking their cut. It's like paying Tony Soprano for protection.

2 years
Reply

This piece of writing is nice and fruitful in support of all new Personal home pages related web programmers; they have to study it and do the practice.

2 years
Reply

Thank you for the posting. This is a serious matter for the United States. As we train more individuals in thwarting these attacks; our infrastructure may be restored to a resilient state.

Dr. N Landreville

2 years
Reply

No. DoD doesn't know medicine like the VA does, they are at the opposite ends of the delivery of care spectrum, but people will agree that DoD should take the lead. I've worked in both systems and it's clear that DoD is geared toward younger and healthier people, and battlefield medicine, and when their care gets complex, chronic, or too expensive they generally process them out of the military and let the VA deal with the problem. Even if the service member doesn't have a chronic issue being worked on, they either don't go to the VA until they're chronic, they use Tricare or private insurance until they are chronic.

The bottom line is the VA gets what DoD can no longer deal with, and while that's the VA's charter, it needs to be understood that the VA deals with the sickest of the sick, and the poorest of the poor. It can't be underscored enough that DoD and the VA can't be compared, either by relative health of the patients or the amount of money it'll take for each to be successful.

I recommend congress find people who have served in the workforce of both systems and allow us to compare and contrast the two entities, and rely on us to provide the most accurate picture of both.

2 years
Reply

OK, new guy has been here long enough for us to comment on. What a complete waste of flesh! I'm sure he's a nice guy, but he's nothing more than a cheerleader. I'm not sure he's even an IT person, if he is he sure never talks tech. So far he seems to only want to blow smoke up the rear ends of the workforce, and I think he thinks we're buying it. Let's hope he doesn't last very long, we need a leader to start undoing all the terrible things going on in OI&T right now. Not only are the things we're doing not going to work in a government agency, nobody outside of OI&T is playing their game. So it's double-doomed. Blackburn isn't the guy to get it back on track. And yes, we were headed in the right direction five to six years, then Steph Warren started the systematic destruction of a perfectly good plan that could work. Now we're doomed to division and infighting.

2 years
Reply

OK, Blackburn has been here long enough for us to comment on him honestly. What a complete waste! I'm sure he's a nice guy at a bar, but he's nothing more than a cheerleader in the VA. I'm not sure he's even an IT person, if he is he sure never talks tech. So far he seems to only want to blow smoke up the rear ends of an angry and jilted workforce, and I think he thinks we're buying it. We're not. Let's hope he doesn't last very long, we need a leader to start undoing all the terrible things going on in OI&T right now. Not only are the things we're doing today not going to work in any government agency, nobody outside of OI&T is playing their game to possibly make it work. VHA just laughs at IT, and laughs even harder at IT's leaders. I know, my facility director reminds me of that rather frequently. So we're double-doomed and Blackburn isn't the guy to get it back on track. We were headed in the right direction five to six years, then Steph Warren started the systematic destruction of a perfectly good plan that could work with just a little more help with national standards. Now we're doomed to division and infighting within IT, and with our customers too.

2 years
Reply

Nice post. I was checking continuously this weblog and I'm impressed! Very helpful information particularly the remaining section 🙂 I handle such info much. I used to be looking for this certain information for a long time. Thanks and good luck.
the librari

2 years
Reply

Sadly, the last bullet point (beginning with the Department of Homeland Security) and the last paragraph along with the general theme of asset management and data center savings to help fund the coveted IT Modernization Act would all be helped significantly had there been a successful front end implementation of DCIM software in August of 2016 when DCOI was signed into Law given a DCIM product had been successfully piloted with complete efficacy per DCOI definitions by the Agency responsible for vendor selection while also meeting all requirements of “Targeted Metrics Reporting”. Federal Data Center savings would already have exceeded approximately $10 billion had that been successfully implemented Federal system wide as called for by DCOI given the ROI with less than a three month payback was validated and signed-off by that same Federal Agency based on its own submitted data.

2 years
Reply

Sadly, the general theme of asset management and data center savings to help fund the coveted IT Modernization Act would all be helped significantly had there been a successful front end implementation of DCIM software in August of 2016 when DCOI was signed into Law given a DCIM product had been successfully piloted with complete efficacy per DCOI definitions by the Agency responsible for vendor selection while also meeting all requirements of “Targeted Metrics Reporting”. Federal Data Center savings would already have exceeded approximately $10 billion had that been successfully implemented Federal system wide as called for by DCOI given the ROI with less than a three month payback was validated and signed-off by that same Federal Agency based on its own submitted data.

2 years
Reply

This is encouraging to hear, thank you. I bet a lot of other federal agencies are dealing with the same political turmoil. Maybe not as high-profile as VA's given the narrative around their challenges over the past several years, but I'd be interested to read more about how other agencies are dealing with political issues while still moving out on some of their own key strategies.

2 years
Reply

Why in the world did it not get put into place? Who is stopping this?

2 years
Reply

In fact, just the opposite is true regarding the IT Modernization Act funding DCOI given that the Agency responsible for evaluating various vendor offerings, the GSA and specifically, OGP, have already supplied all of the data for a ROI Analysis for at least one vendor of state-of-the-art DCIM automated software which includes fully functional and proven via POC and Pilot “Targeted Metrics Reporting” capabilities worthy of providing quarter end data for all Federal Data Centers within two milliseconds and roll up the data to each individual Agency for Agency totals and then roll up Agency metrics to OMB for the totals for all qualifying Data Centers in the Federal System—all within one second into the new quarter reporting period versus many months historically at tremendous costs and unreliable data. The ROI analysis, which was signed by GSA as accurate and accepted, had sufficient returns to pay for all installations of the automated DCIM software toolset within a very short period and had it been implemented upon the signing of DCOI or shortly thereafter, the System savings as The GAO has been suggesting would by this time far exceed the quoted numbers that GAO has discussed, easily paving the way for funding IT Modernization, which aside from the savings incurred, would be the best tool in preparation for IT Modernization given the asset management component being utilized at the front end of IT Modernization which then automatically provides the data for total tech refreshes at each Federal Data Center facility. Mr. David Powner, IT Manager at the GAO has been discussing such issues, particularly opportunity savings had a DCIM System been deployed for well over the past year and in numerous columns within Ameritech. Just one person’s opinion.

2 years
Reply

Regarding the comment above, if your information is accurate it sounds as if the implementation of that solution would have saved taxpayers billions of dollars (or more). What happened and who dropped the ball?

2 years
Reply

Apologies. Correction required for the initial post above dtd April 6, 2018 @ 11:48AM. In the next to last sentence. Strike the word “Ameritech” and replace with “Meritalk”. The corrected sentence should read: Mr. David Powner, IT Manager at the GAO has been discussing such issues, particularly opportunity savings had a DCIM System been deployed for well over the past year and in numerous columns within Meritalk.

2 years
Reply

Re “what happened” and “who dropped the ball”, informed sources suggest that highly detailed information shall be forthcoming in days/weeks, not months, while certain publishing and other rights are finalized. At that time the true lost savings totals will prove to be far more meaningful than are currently quoted by anyone or any entity, thus covering estimated financial IT Modernization requirements had the solutions been implemented in an earnest and timely fashion.

2 years
Reply

Hummmmm, publishing and other rights eh? I believe I'm catching the pungent aroma of swamp along with distinct undertones of cover-up. Staying tuned for further elaboration!

2 years
Reply

How many "glitches" and "hacks" in the past few years at Chase?

2 years
Reply

I've always been able to count on Chase. I'm looking forward to some good leadership to bring DoD IT into the next generation of IT technology.

2 years
Reply

This statement about cases being advanced in the docket on account of age being more than 75 or being too ill or the veteran on serious financial problem does not hold any value with the Veterans Board of Appeals. My case was remanded by the Veterans Court of Appeals on January 30, 2017 to the Veterans Board of Appeals and was subsequently approved to advance in the docket 6 months after applying for it. Do not believe that it is automatic on account of your age, and you still have to apply for it. According to the Board my case is so complicated that they had to remand it back to the original Regional office in San Diego Ca. It has been 1 year and 4 months without any resolution considering my claims are on an expedited status. I tried asking for help from the White House Hot Line, they can not provide any help but just give you the run around as to how hard the personnel are working on your case. All these announcements are fake propaganda news and they do not care for you veterans.

2 years
Reply

I recently lost my appeal at my VARO here in San Diego. There seemed to be confusion surrounding the decision they made regarding evidence that was omitted from the list on the DRO (Decision Review Officer) final decision, called the SOC (Statement of the Case). A doctor for hire, who created a report an IMO (Independent Medical Opinion) on my behalf addressing my issues ended up not making the list of evidence. Which only took the VARO 21 months to get to round to. But there's more to consider. All veterans also known as appellates are receiving RAMP letters which are invitations to take part in a new program to expedite the processing of a certain type of appeals and in a particular phase/stage of those processes. It's something to think about but the reason I mention it here is due to the fact that we have a carrot & the stick going on. Example: you have been waiting for a decision from the VBA (Veterans Benefits Administration) a long time has passed. Then a decision comes down that's not favorable to you. Your choice is to appeal or forget the whole thing. But now you are getting caught up in a new proposal, a new out. Between now till February, 2019 the VBA wants and needs those appellates with the longest wait times to jump ship on the standard process and get into this new RAMP process. According to the House committee on Veterans affairs in D.C. 31, January the future method of processing veterans claims around the country at all 56 VARO needs a sample percentage of 10% of all current appeals waiting to be processed by this new method. Today, RAMP participation is likely at 3.5-4% so this is where the stick comes in. You've lost your appeal so why wait additional months & possibly years when you can get into this 2 lane RAMP program and get a faster more complete decision. 25 to 30,000 RAMP letters are being sent out every month for the rest of this year. But lots of vets don't have faith in the appeals system. So it's a wait and see situation.
President Trump signed into law the Veterans Appeals Improvement & Modernization Act in August, 2017. This Act takes full force in February, 2019. This RAMP is a precursor to how the VBA will process those future appeals. VBA needs that 10% sampling before 2019 so the numbers will support this new way of doing business. The decision is yours to make. Make a good one. Personally I think in order to get those RAMP participant numbers up to the 10% mark, VBA is denying appeals like mine on purpose. I got a denial recently (the stick), then I receive this RAMP letter giving me the option to a quick decision (the carrot). Go figure, it's no coincidence. It's by design. I'm just a number, but I'm also in line, a long line before the "Board" waiting, waiting & waiting.

2 years
Reply

Isn't it a good thing Veterans didn't take the same time line for answering the call and defending our country?
Wars don't wait and neither should we. Can you imagine the enemy waiting to attack until we get thru the appeals process? Do I hear laughter?
It's called decision and answering the call... doing what needs to be done just like when we reported!

2 years
Reply

Working for the VA's IT group has become almost impossible because of our inept senior leadership. While it's clear to everybody around me that leadership is trying to outsource all of IT, the completely mismanaged reorganization we had sprung upon us is making the process worse. Of course the current IT leadership will deny that their intent is to outsource the vast majority of IT, they'll just as quickly disagree with this reorganization being botched. Remember, these are the same leaders who claim to be transparent, and suggest silly drones speaking on employee engagement calls is proof.

The VA has become little more than a paycheck for IT employees.

2 years
Reply

The VA is broken beyond repair, from the ineffective top all the way down to union members much more interested in their benefits and annual bonus. After many years of neglect and reorganizations it's high time to privatise this politicized big government bureaucracy. Medicare or Tricare, no new million dollar software system is necessary. Just set up some specialty clinics in civilian hospitals across the country for traumatic war wounds and PTSD. But perhaps specialty clinics are not even needed given today's injuries now seen in so many inner city hospitals. Support and care for our veterans - just not in the badly broken VA.

2 years
Reply

From what I understand, the new tool went operational as scheduled without much fanfare - and very few minor issues. The new ESD vendor worked through some initial challenges but is working diligently to improve customer service. Considering the massive undertaking by these two vendors in implementing these two enterprise wide changes simultaneously, a fairly successful changeover to say the least. As both vendors have time to adjust their solutions and performance, VA will better serve our country's veterans! And yes - the new tool will have much more functionality as it is implemented and incorporated into the VA IT system.

2 years
Reply

While nobody will miss Blackburn and his totally see through fake enthusiasm, the VHA idiot they've put into the job is going to be the death of IT. Not that IT hasn't been totally jacked-up since they ripped us away from VHA, this just means we're on our way back to the days of idiot facility directors doing all the dumb things desperate executives do to cover their rear. But looking at the bright side, maybe this will finally be the way IT rids ourselves of our useless SESs that aren't smart enough to boil water. Lord knows the poor people in the field will be happy to see every IT SES fired. The world and the veterans we serve will be better served if the current SESs are replaced with people who grew up in the VA and know more than silly things like ITIL.

2 years
Reply

At least Blackburn got out before being in VA IT killed his soul. Working in IT in VA in 2018 is like being in a prison camp. I'm certain the next best and worst agency to work for will prove that the people who are leading the VA's IT people today are running it into the ground and trying to run it into the ground so it can be outsourced. We all know that's what strategic sourcing means, the SESs aren't fooling anybody. It's time to begin a campaign of resistance.

2 years
Reply

Only a moron with little experience with clinicians would want Cerner over VistA. That means the VA's SES will sell the farm for Cerner. We employees will continue to resist. Cerner is junk, the only problem is the SESs don't care. We care enough for them.

2 years
Reply

FITARA is a joke. I plan to ignore it as much as possible and just do the right things instead of the FITARA things.

2 years
Reply

Congratulations! Best of luck to you Renita!

2 years
Reply

Thank you. My government check goes to ban

2 years
Reply

Good stuff. Kudos.

2 years
Reply

Well let me tell you something Wilkie, you're not in DoD anymore. Sure, you'll get the 90-120 honeymoon with congress, then you're just raw meat running the agency they all love to hate. You did something wrong if you're here, somebody wants you gone. So play the game and see how fast you can get out of here, you can't fix what congress needs to remain a whipping post for show during election cycles. So talk up Cerner because your boss demands it, but it sucks compared to VistA. For those of us who have been doing this EHR for 30+ years, all Cerner is is cash cow. Hey, you have buddies in DoD, go ask the doctors in private what they think of it. They hate it.

Anyway, good luck pal, for as long as you last. But be smart, get back to DoD, nobody criticizes them, they can do no wrong.

Oh, and please fire all the OI&T SESs before you leave, they're all terrible.

2 years
Reply

Commenting from the front lines...the system continues to be slow to respond even with all the patches. Then when the patches are installed, they don't tell you when or how long it will be down. Patient safety issue? I guess you decide if you want your loved one laying there when the system goes down or kicks you out for some unknown reason. Once you're in, it's not bad. But it's getting there. And training?? Can we say waste of time? And they continue to instruct the same old useless topics.

2 years
Reply

The authors said: "On the funding and implementation front, Federal agency CIOs would be required to coordinate with executive agency management leaders–including agency secretaries, chief financial officers, and digital service program leads–“to ensure proper funding and management alignment” to support implementation." Or in plain language: "take it out of hide". Legislative IT mandates without matching line items in the appropriations bills is another doomed exercise in futility.

2 years
Reply

I returned my Opt in letter back in Feb and I am still not under the RAMP. What a slap in the face

2 years
Reply

So what- more dead wood thrown on the Washington DC scum fire

2 years
Reply

Totally dumb, since the WH has almost no expertise on the cyber threat and Bolton is a dolt.

2 years
Reply

Congrats Barry!

2 years
Reply

Why is NARA not on this list?

2 years
Reply

Well Wilkie did what he was brought in to do, he's free to go I suppose. He could stay, but I'm sure he's been made aware that things get pretty crazy for the person in his job once the honeymoon period has expired, and that'll come along any moment now.

2 years
Reply

I'm scanning through reading all of this, the problem is that this is the only thing that would affect the people. Not one Senator addresses the much deeper so called "data collection" not one law maker or agency is standing up for the rights of the people to privacy nor their very own property. No one has outlined protections from "machine learning" that would protect the interest of individuals who use their devices to create any of today's much sought after products or the products of tomorrow that very may well come from my or your children....

Where is the oversight? Who is going to regulate what Microsoft, Nvidia, Adobe (and the list only goes on) collects from our personal devices?

From Microsoft's latest privacy statement : To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services.

2 years
Reply

No room for excuses given as per DCOI original draft of March 2, 2016 and DCOI Law as of August 1, 2016, both GSA and OGP were completely and fully aware of a DCIM product solution fully compliant with all DCOI requirements and successfully tested and Piloted within a GSA Data Center in Chantilly, VA between April of 2016 and September of 2016 without a single fault or error recorded after a two day installation period which resulted in confirmed and recognized by GSA and OGP personnel as 100% efficacy with all DCOI requirements, including complete “Targeted Metrics Reporting” efficacy, which was clearly the critical juxtaposition between DCOI and DCIM as written into law by the then Obama Office of Management and Budget (OMB) and known of, demonstrated to, and applauded by OGP personnel in June of 2016, including OGP and DCOI Director, Dan Pomeroy. Per ROI analysis signed off by GSA personnel as accurate, this product would already be saving the US Treasury far in excess of the total costs for IT Modernization Federal systemwide in only the first eighteen months of operation with a DCIM payback of less than three months with a ROI of well over 1700% based on all input data supplied by GSA exclusively. Why was this ignored to this very date? There are reasons not being disclosed as if over $10 Billion in savings to date is pocket change. Not to the American taxpayer it is not. What happened here?

2 years
Reply

What??

2 years
Reply

Why isn’t GAO investigating this if true or remotely true?

2 years
Reply

Yes. There are more than adequate documents available should GAO be interested. I’m fairly certain GAO can ask for such documents proving every word above should accountability be of interest. In fact, GAO IT Manager Mr. Dave Powner has been inquiring about the lack of results from DCOI for over two years as a superb government service while appearing to have been stonewalled or not taken seriously by OGP and GSA. Maybe they are too powerful for GAO to allow GAO to dig deep?

2 years
Reply

My concern, and this should be the same concern of the GAO and Mr. Dave Powner, if there were a DCIM product solution fully compliant with all DCOI requirements and successfully tested and Piloted within a GSA Data Center in Chantilly, VA, confirmed and recognized by GSA and OGP personnel as 100% efficacy with all DCOI requirements, including complete “Targeted Metrics Reporting” efficacy, saving billions of dollars, why was it never brought to the agencies as a solution? Especially in lieu of Mr. Dave Powner inquiring about the lack of results? Why is literally billions of tax payer dollars being wasted when there is a solution available, as claimed above in the initial comment. This is outrageous if true, and also per above, someone is claiming he or she has multiple documents to prove every word. Will someone from GAO be following up on this? What about the Office of Inspector General for GSA itself? What does Pomeroy have to say or argue in his defense, if he has one?

2 years
Reply

Ah, so where are the republican senators????

2 years
Reply

How can I check to see if my information has been compromised?

2 years
Reply

Killoran has made a bad situation, worse.

She's been over her head since the start of her tenure (this is her first time serving as a CIO).

Hopefully, HHS leadership will begin to take note and action.

2 years
Reply

Before Katrina, Entergy, the New Orleans based power company had a system which monitored their railroad cars. The cars carried coal to their coal-fired plants. The car's wheels condition are critical components and were tracked by the system. Cars nearing wheel end of life could be located and routed to a repair facility.

2 years
Reply

These are some of the most cogent comments I have heard from Lynch. He is still capable of listening !

2 years
Reply

Silicon Valley isn't the only one with answers. There are a group of small entrepreneurs composed of scientists/engineers that are working next generation machine intelligence, which incorporates a different approach to AI. My assessment is that this work, if funded properly, will produce machine intelligence processes, which will surpass the AI concept within 5-10 years. AI is simply a term for which DoD has reference.

2 years
Reply

If it demands an approval by congress it stands the proverbial snowball's chance in hell of happening. They cannot even agree whether spitting on the grass outside the congressional meeting houses is permissible or not. That doesn't even require a vote by congress.

2 years
Reply

What a joke. He's from DOD, knows DOD providers are complaining about the Cerner solution, but he's going to ram it in anyway. So typical for people who aren't close enough to healthcare to know VistA is the best thing going, he's just another hired patsy.

2 years
Reply

That's great Thank you for sharing.

2 years
Reply

Great article! Thanks

2 years
Reply

This story indicates that Senator Murray has a misunderstanding of the possible benefits of predictive analytics which has little or no potential for predicting child maltreatment deaths or for improving safety assessments in child protection, as already demonstrated in Illinois. When used in child welfare screening units, predictive analytics can categorize screened-in CPS reports (and only screened-in reports) into risk categories, e.g., high, medium and low, and, by doing so assist understaffed agencies in prioritizing reports for investigation. It remains uncertain whether predictive analytics will perform this function significantly better than already existing risk assessment tools. However, the best most ethically defensible use of predictive analytics is to target a population of high risk families for voluntary prevention/early intervention services to be offered as soon after a child's birth as possible. For predictive analytics to serve this purpose, the federal and state governments have to make prevention oriented services available to eligible families prior to a CPS report. If there are few, if any, services to offer high risk families, a targeting tool is of little value. It should be noted that there are other good ways of targeting high risk families for services prior to a CPS report, for example, by offering services to all parents of infants receiving federally funded substance abuse and mental health services, and to families of children who have a pattern of DV, and to families who live in neighborhoods or communities with a high rate of concentrated poverty. The advantages and disadvantages of these approaches to targeting families for voluntary prevention services requires research to sort out, and the ethical dimensions of these approaches need to be discussed in a civil manner.
Dee Wilson

2 years
Reply

A perfect tool of social engineering and thought police action

2 years
Reply

The math is staggering, $2.7M a day for something nobody wants and the VA certainly doesn't need. Sure, plenty of people at the top have their marching orders, but VistA is working just fine. I hope the IG has seen the last complaint that will allow them to put the people who signed the contracts on the hot seat.

2 years
Reply

Actually, I think cybersecurity should be the concern of most government agencies that hold confidential information. They should know of any cyberattack attempts long before DHS or any other agency would be able to inform them, unless that information comes in real time!

2 years
Reply

Surprised there was no mention of the FCC’s use of Okta for modern IAM!?

2 years
Reply

IT-AAC is delighted to be a TBM partner that will provide training and mentoring to agencies looking to improve FITARA scores and bootstrap their IT reform efforts.

2 years
Reply

Dana Deasy is the right leader to guide DOD into the Digital Age. The IT-AAC has been advocating for his brand of transformation since 2007, and sense DOD might finally get IT right after 2 decades of failed attempts.

2 years
Reply

This should be a fascinating event. No doubt this event will generate real content and plenty of news. Congratulations for putting this on.

2 years
Reply

Unbelievable; This is OUR money that they are losing. The IRS needs to focus on this problem and get it fixed. There are lots of COTS solutions in the marketplace to curb this problem. Let's get some RFP's out on to the street to solicit/provide a solution to this known problem. We cannot let this problem continue!

2 years
Reply

It certainly will cost less than $1.6B

2 years
Reply

How about a Challenge to provide a solution for a $5M prize to the winner. What could be better than winning money from the IRS?

2 years
Reply

"The introduction of numerous additional controls...."
If you were doing what you were supposed to under DIACAP, you would know that RMF adds a negligible amount of requirements, and codifies some requirements that fell to other directives, like vulnerability scanning and PKI implementation.
And most of the 'new' requirements are tailored out anyhow.
Now if we can get ISSE / Sysadmins to apply security measures and document their baselines (STIGs/ patching/ CM) we would have a foundation to build on. Hard to continuously monitor a vague baseline.....
Organizations would probably stop treating RMF as a paperwork drill if there was some accountability..... when was the last time anyone got more than a stern talking to for having poor quality inputs to the process or missing ATO expirations?
I am hopeful that this is a change in the right direction but hope it is for the right reasons, not for what the perception is.

2 years
Reply

Yeah, forget listening to our doctors who have said the product Cerner is selling is terrible!

2 years
Reply

Our office pool has his time ranging from 6 to 36 months. 36 months; now that's funny.

2 years
Reply

Great article much needed service.

2 years
Reply

With morale at an all time low, he better have a few bottles of DoD magic in his pocket if he hopes to make any progress because the beating technique by VACO has been worn out. To put it mildly, nobody cares about his new twist on the same old message.

2 years
Reply

Nicely written... They certainly are a good idea to streamline the (awful) FAR... But I wonder how long they'll last with all the personalities who are losing control (power) over the process...

2 years
Reply

I agree

2 years
Reply

X Nam guy. Combat wounded. . Rated at 90%. The system is broken. It cannot be fixed, and this man nor anyone else is going to repair the broken pieces of my body, my bones or help stop or ease the physical pain I go through every day. Shut the mess down, and quit talking about it. The truth will set you free.

2 years
Reply

“The question I ask every cybersecurity professional is, ‘Are you a compliance worker, or are you a security worker?’” he said. “I would like to remove one type of worker and hire more of the other type of worker. I will have less of them, I will pay them more, and they will use automated tools.”

All operators are security workers. Cybersecurity professionals are making sure the workers comply with policy.

2 years
Reply

A Mobile Security strategy should include an API Security Gateway architecture tier as the vetting point for all inbound mobile communications. This provides consolidated access points for the applications which the mobile devices are accessing, and consolidates mobile authentication, real-time monitoring, and centralized access control. Furthermore, mobile communication analytics can be captured at the data level to build far stronger and more accurate predictive intelligence using AI and ML engines.

2 years
Reply

Make it easy to take over their lives. Don't trust anything this Gov does

2 years
Reply

Red/Blue/Hunt missions have always suffered from scale. They simply cannot touch enough networks to make significant progress. They are a surgical instrument to be used in selectively chosen circumstances. Perhaps DARPA will have great success (or not). The CHASE effort is a stride in the right direction.

2 years
Reply

Ridiculous.

2 years
Reply

We are seeing the value of this approach every day. If you think this has no value then you clearly do not understand the full amount of resources, time, and risk that this approach can save and reduce for an organization. The savings goes into the millions almost instantly.

2 years
Reply

Equifax and Cybersecurity should never be associated with one another, sponsorship or not. What was it, a community service mandate for them? How many independent contractors do the typical Fed contractors hire (e.g. Booz, GD, etc) to own your keys to the kingdom? The Fed is more notorious for these practices, not the private sector. Yeah, I'd say it's really scary.

2 years
Reply

Music to our ears out here in the workforce....compliance & documentation does not equal cyber-resiliency. Institutionally we have created documentation experts when what's really needed are Cyber Ninjas equipped with advanced tools and TTPs. Bring on the reform, we in the field loathe the miserable paper drill proven to be anemic and ineffective in securing systems and fosters pencil-whipping opportunities. Let’s GET IT RIGHT, once and for all!

2 years
Reply

So I am on the other end of this. An engineer who works in a secure environment where delays in certification lead to delays in my work. You practically beg me to cheat. And as the guy with his hands on the hardware, that would not be hard. You talk about Sysadmins documenting what they do. No offense, that's stupid. Give me a real world Linux template. Work with the hardware vendors. I can buy a safe that is totally certified GSA compliant to a specific level of security. I should be able to buy a Windows box or a Linux cluster the same way. Wouldn't that make life easier? Same with routers. Give us network design templates. We are doing this the way they designed nuke plants. Every one is custom. That is the underlying source of all the risk. We can't meet a uniform standard without uniform hardware and software. Remember if guys like me stop working because of security issues, the work is not getting done. That is just as detrimental to our National Security.

2 years
Reply

What a breath of fresh air! DoD and the industry have been slow to adopt the now antiquated (current) RMF standards and since DSS has been straddled with additional oversight requirements (to include security clearances) their staffing levels have been extremely low causing a major decline in throughput and quality of their services with regards to authorizations/certifications. As of now, with the lag in complete implementation of RMF there are new vulnerabilities and speaks to the ineffectiveness of current methodologies and mindsets. If you want to implement a forward thinking plan, it starts with replacing the countless change-resistors (leaders) that currently litter the industry.

2 years
Reply

I agree with what is being said here, but the problem is getting good funding for the tools that would make us do our jobs better, and also TRAINING! It's frustrating as a Cyber Sec professional to be willing to use these tools and to be excited about them when our program has no budget to send any of their people to training.

2 years
Reply

This is exactly what is needed. Pushing paper and checking boxes doesn't require any technical expertise, but technical expertise is required to understand how a system functions, what the inherent vulnerabilities are, to discover new vulnerabilities and apply effective mitigations. I think nothing illustrates this problem more than the fact corporate is writing their own SARs or providing step by step instructions on how to check technical controls because the assessors don't have the technical knowledge beyond checking boxes. This is even more apparent when you get out of the Windows environment. There are so many *nix systems that haven't been patched in 10, 15, or more years or things like being able to su to root without any authentication (major vulnerabilities) that pass assessment because the assessors don't even know how to check the box, and in the worst case scenarios, neither do the local security "professionals".

2 years
Reply

"Remember if [engineers] stop working because of security issues, the work is not getting done. That is just as detrimental to our National Security." So true. If end-users, e.g. operators, war-fighters, intel agents, etc., can't get the products they need, they can be severely disadvantaged ... or dead.

2 years
Reply

As an ISSE that has been forced into the 'age of compliance' by the rest of the IA stakeholders in the A&A process, I welcome the chance to get back to doing what I was trained to do; analysis of the OS and software to ensure software integration is done right, system is hardened and ready to deploy. Let's face the facts, the process derived by the compliance minded who were hired based on salary limits caused the issues with RMF...and I hope what was written here will fix it to save us all from the paperwork drill.

2 years
Reply

I think we tend to forget that Cybersecurity should be "baked" into the product from concept to creation and deployment. It should be embedded from strategy through retirement of a service or product. As such, along with that you must have compliance also baked into the same processes. You can't have one without the other and if you do, something is going to fail along the lines and you will have work stoppage anyway. What good does it do to have a product or service that allows you to do your job but allows a vulnerability to be exploited because something was not compliant?

2 years
Reply

Agree but we are a long way off asking vendors to comply with DoD security standards in a shrink wrapped product. If government is less than 25% of their market, not enough influence to force the issue. The 'US National Security' dialog only goes so far since they sell to a global marketplace. My org maintains a baseline of hardened OS and software builds and that is fine. Takes just a few hours per month to maintain them and then Satellite or SCCM can take it from there once deployed (if you do it right). Really, all we need is about 10 good integrators in the entire DoD to maintain hardened baseline Windows and RHEL images and database templates. There is too much duplication of work across the DoD and nobody is ever going to waste senior leadership's time telling them that...and by the way this dysfunction is why reciprocity never pans out. If we're all going to be true Cyber troops, we have to sing off the same sheet of music and remember that the time, effort and cost to harden a system is directly related to the residual risk...that is what RMF is supposed to be about but we have all forgotten how to perform a real risk assessment (not the assessment that comes from RMF Step 1). All we are geared to now is how to make up enough answers for the 1000+ security controls that should have been automated in the first place.

2 years
Reply

Great Article and very true!!

2 years
Reply

No wonder we suffer so much downtime. The VA's Cybersecurity group is uptime's biggest nemesis.

2 years
Reply

He doesn't stand a chance. He's an outsider and has no clue what the biggest issue is in IT, morale, and he'll have lost the battle before he realizes what he needed to focus on first.

2 years
Reply

Amen to the comment about morale. I wonder if he'll have the gumption to research why the VA is only beat by DHS as the worst large agency to work for. If he does, and he fixes that problem, he will have fixed the VA. Maybe he can start a new catch phrase like, "employer of choice", that would be cute.

2 years
Reply

I suspect the VA will get about $15B into this $10B contract before they realize it's not going to work as advertised.

2 years
Reply

Congress is going to all this trouble and cost to taxpayers and ignoring the fact that many districts have more people voting than are legal voters in districts. Couple this with the facts of the percentage of voters that do not go out to vote and one would have to say that this is a much bigger voting downfall.

2 years
Reply

gjrj

2 years
Reply

When are these guys going to realize that HC interoperability can only be achieved if there is a single "system of record" of patient data!!! All other schemes are destined to fail.

2 years
Reply

This is simply a CI failure all the way around. But the "Insider Threat" appears to evade most investigators. While engaging HR is definitely a part of the answer, there are "old school" answers that CI has gotten away from. Even in the cyber world. I speak from experience as I and an Army CID captain, David Christie, put together the first ever DoD Computer Crimes conference back in 1992. It was all based on a walk-in I had. From that walk-in we recognized a huge hole in how we were doing business. Yes, even before 1992, the cyber threat was booming. We as investigators were just not as smart as FIS. That is changing, but what is being left out with all the new technologies is again the fact that we are not doing old fashioned CI investigations. Cyber investigations are only a new vector of attack.

2 years
Reply

In my opinion, the attitude of supervisor treatment to every employee working in a team is very important. A good team with good relations with each other. Paying attention to the problems which the team is working on correcting mistakes and proper advice. It should also be remembered that good remuneration is the motivation for good work. If possible, keep the crew in a way that does not complicate the interruption in the tasks entrusted to the crew, enable psychological rest that is necessary for more efficient work.

2 years
Reply

We'll see

2 years
Reply

I'd be much more impressed if somewhere in this article someone had credited Rom Mascetti for all the work he did to make this even possible.

2 years
Reply

Is there a way to get copies of slides and other presentations at this conference? Thanks.

2 years
Reply

Directing traffic thru a secure API interface will indeed solve many of the mentioned issues

2 years
Reply

I support this action

2 years
Reply

Then, I assume, the DoD will insist that all phones be shut OFF in operational areas. GPS functionality on the phone isn't needed to position it.

2 years
Reply

It's not so much that it's difficult to mine the data, it's that we selectively don't accumulate all the numbers before we make a decision to do tech. Probably so nobody has to document the much higher costs. Like going to the cloud, you'll mostly hear the talking heads talk about life once we're there, ignoring the steep costs to get there and maintain our virtual life in the cloud. Maybe this is the VA's role, to try things and see if they kill anybody, so the cost of making the juice isn't the government's worry, it's if the juice kills the host.

2 years
Reply

I'm grateful that I saw this story and its comments, after searching for the ranking of agencies in terms of employee satisfaction, I think I'll stay at my current agency. Yikes.

2 years
Reply

Yes, because this is important. SMH

2 years
Reply

Well? We're waiting!

2 years
Reply

Full victory of infern0-burocracy, disaster for medicine.

2 years
Reply

Quantum computing is impossible! Qubit is a function of probability. Can you build a bridge having a probabilistic pillar? Quantum Mechanics and Probability Theory are not science. They are a hype and a game.

2 years
1 Comment Reply

I repeat: The real life does not know mathematics.

2 years
Reply

Transistor is the essential component for anything in information! QM is only a fashion show! What about “a single photon technology”? What about “These systems rely on the ‘spooky’ properties of quantum physics, as Einstein put it” (IBM trying to build the qubit). All is a chaos! I said: “Imagine math as a straight line and physics as music!” A math model is very limited for expressing the real world. We have to rethink the relationship between Math and Physics. “The Universe is written in the mathematical language” Descartes. Beauty but false!

2 years
Reply

Quantum computing is not impossible – it very much exists through public APIs (e.g. IBM Q) which have been demonstrated to be truly quantum. Now, the question of whether such computers can scale is still being debated, but the general consensus does seem to be that these are more engineering problems than attempts to circumvent physical laws. And by the way, to the person that asks 'Can you build a bridge having a probabilistic pillar?' I hate to be so direct but your analogy is complete nonsense. It reveals a complete lack of comprehension of what computing is, how algorithms work, and complexity theory – all fundamental CS facets that are required to comprehend quantum computing.

2 years
Reply

It's important to note that quantum computing really just makes the threat of RSA being cracked concrete. Further, it's not like we'll be up a creek when the day comes – it should be obvious that there's significant research that is being funded by organizations that have vested interests in post-quantum encryption schemes: governments, IT firms, etc. When the day comes that RSA breaks, I have no doubt a replacement will already exist – the question is: how smooth will the transition be?

2 years
Reply

This is so disappointing. Someone should publish the names of states who don't have paper ballots.

2 years
Reply

Look at how long it took to get secure DNS implemented. People are still designing new systems that depend on trap door functions and public key cryptography. Monero and Zcash come to mind. Bitcoin, which keeps the public key secret as long as possible, is less vulnerable.

Quantum key distribution is but a small part of the necessary work. Devising and deploying replacements for digital signatures (blockchain is part of it),

2 years
Reply

[accidentally hit post], replay attack resistant proof of who signed what when, man in the middle resistant communication, are very likely quite possible using only aes256 and sha256, but actually getting robust implementations in place is hard.

2 years
Reply

[accidentally hit post, now duplicate comment detected], replay attack resistant proof of who signed what when, man in the middle resistant communication, are very likely quite possible using only aes256 and sha256, but actually getting robust implementations in place is hard.

2 years
Reply

Quantum computing will not be breaking hash algorithms (sha256) nor symmetric cryptography (aes256). Chained hash systems such as Google Authenticator will still work. In person key exchange will work. But getting these systems implemented before quantum computing breaks a few critical keys will be hard.

2 years
Reply

Man I guess this is the home of incredulity.
Yes quantum fields are a probabilistic system and randomness is more than a symptom, it's the primary function we want to exploit. The non-deterministic state of the function can be exploited if we have sufficient iterations. You see, random is not exactly random. You can test this and see that even sufficiently random systems tend to form recognizable patterns. This is why we have Gaussian distribution patterns in naturally occurring phenomena.

No matter how random something seems, the most probable outcome will occur most often. That is why we developed data, statistics and tensors.

2 years
Reply

So changing the second word from “First” to “Smart” will make all the difference?

If the Government won’t make moves to save money until savings is incentivized.

Cloud adoption will continue to be slow so long as T-1 lines still cost over $7k/yr when a simple Cable TV circuit delivers 50 times the bandwidth for less than $100/mo.

GSA is reticent to go that way because they make a percentage. The more it costs, the more they make.

We’ll see how “Smart” their new initiative is...and how stupid they think the rest of us are.

2 years
Reply

Think again. This is a big problem. In the Universe there isn't a single particle having a random behavior!

2 years
Reply

Could have written this opinion before the case was argued. Appeal.

2 years
Reply

Very strong points made here.

2 years
Reply

Current DoD -- USD (I) -- leadership is not capable of executing this new mission.......

2 years
Reply

Bullshit

2 years
Reply

Way to lose a Vet's vote Don! Ya had me, but this means the Dem candidate will get my vote.

2 years
Reply

Everybody on the inside knows the Cerner solution isn't worth the price, much less better than VistA. I'm sure the political leadership will force this through because it's wanted and Congress won't ask the obvious questions, so it doesn't matter who's in charge of the Cerner effort, leadership will ram this into place no matter who it kills, or how many it'll kill.

2 years
Reply

We have to much of the buddy buddy system for your idea to work. There will be people that work everyday just as hard as anyone else, but since they are not buddy's or yes men they will go forever without a raise. Right now if your not a yes man your on the outside looking in. Thanks to Obama and the socialist movement. I do not want to vote for Dems but if that is what it takes to get a general across the board raise then I will.

2 years
Reply

"We have to much of the buddy buddy system for your idea to work. There will be people that work everyday just as hard as anyone else, but since they are not buddy's or yes men they will go forever without a raise. Right now if your not a yes man your on the outside looking in. Thanks to Obama and the socialist movement. I do not want to vote for Dems but if that is what it takes to get a general across the board raise then I will."

What are you talking about comrade? I understand "across the board" may not have an equivalent translation in Russian so trolls may not understand what that means so I'll explain. A person can say da or nyet and still get a raise. I hope I made that easier for you.

2 years
Reply

That is exactly how you stop retaining the federal workforce... Private industry here I come.

2 years
Reply

so, the four posts are from people who hate the president and did not and will never vote for him. Sorry guy's, suck it up.

2 years
Reply

Federal employees do not get pay increases unless they get a step raise based on years in service and those have not been-and cannot be-frozen. Locality pay is a percentage based on-just that-locality. That does not go up or down. It would be so much easier if people commenting knew what they were talking about before making inane comments full of typos.

2 years
Reply

I can deal with a pay freeze to help with the deficit, but it can't be just the employees taking a haircut, it should be across the board for the Federal Budget.

2 years
Reply

Where's Congress's cut?

2 years
Reply

DHS NPPD is providing an incredibly valuable service to other agencies. Maybe it’s time to make them an independent agency so it is not throttled by the DHS bureaucracy.

2 years
Reply

As a member of the team I can attest to us having no clear direction. Furthermore, we all want to be sent back to our regular jobs.

2 years
Reply

Most of OIT didn't know we even have another new CIO. We're still waiting for the newest new CIO to send out a message saying he's proud to be at VA, he's not trying to get rid of us, and he's excited to modernize the VA with all the junk the vendors are claiming will end world hunger and bring about world peace. He just needs to hook up to another 10 billion dollar deal.

As The Swamp Turns!

2 years
Reply

This technology will eventually enslave the world and will come back to bite all those who end up using it against mankind.

2 years
Reply

NGA...you rock!!

2 years
Reply

Asking HR to join in the insider threat, though a good idea, has its limitations. With privacy being paramount in their mind and those of law makers it is difficult to assess if someone poses an insider threat during the hiring process. Even in HR seeing job affecting behavior I see an issue in having an HR person seeing being late for work or poor performance as indicators of someone engaging in espionage; be it industrial or against the government.
It’s a great thought and if the Government suggests that HR participate in the program they should develop some identification indicators for insider threats HR can use as a model. It seemed that in this case they are relying on contractors and government organizations to come up with their own HR criteria for insider threats. That would allow for an across the board inconsistent program; why, because everyone will come up with their own ideas (some good and some bad) and there will be no consistency at all. In this program everyone must be operating at the same base level for it to be effective.

2 years
Reply

Performance based raises is exactly how it should be handled.

2 years
Reply

Sadly, they are so stressed they are not interviewing the people who have been referred. I am the type of seasoned (AKA late career) professional with over 30 years of experience who would be happy to take a short term assignment to help out with the census. My experience and abilities are such that I would make an immediate impact. I have been referred for multiple positions, but sadly for me and for Census - no calls.

2 years
Reply

SEC needs to check out Andrew Left at Citron Research.

2 years
Reply

Congratulations guys

2 years
Reply

It’s not the federal government's job to reduce racial, ethnic, and economic segregation in housing; this idea is social engineering. This is why thinking people despise big government.

Did the government ever think people like being segregated? Different races, ethnicities and economic groups actually are uncomfortable living with each other. Black people are uncomfortable with whites buying up homes in their black neighborhoods. Poor people don’t really enjoy seeing the well off have what they can’t have every day, this just breeds animosity and jealousy.

You can’t make life “fair” by social engineering neighborhoods to try to change society. This is just another liberal experiment.

2 years
Reply

As a federal employee, I totally agree that performance based raises are the way to go. But Trump isn't implementing any action for performance based raises, he's just saying it's a good idea. This leaves us hard working folks out a raise in FY19. As a member of the federal science and engineering cohort, we're already underpaid by over 20% compared to private sector. Removing our ability to increase our salary is a fast track to preparing our resumes--which is scary, because the workforce is already notably under-talented. There's a reason other superpowers have pulled ahead.

2 years
Reply

It must be nice to be able to quit! With the VA's current leadership, same as the previous leadership, most VA employees just want to sail off into the sunset and forget the VA chapter in their life. We all love and care about our veterans, but the current leadership is killing the VA so they can justify outsourcing the VA, so any efforts to make the VA better is crushed unless it promoted the agenda that leads to outsourcing the entire agency.

2 years
Reply

Can't Cerner do this for the VA? With the billions they're tossing at them, a web page seems like a mere complimentary appetizer.

2 years
Reply

The right thing is that security in cybernetic America and its affiliates should be based on mutual cooperation.

2 years
Reply

Thank you, and yes it's hard to work without a pay increase, but I get it...Our country is in a financial mess, and the only way out is to tighten up our belts and dig out what previous administrations have put in action. So glad someone finally wakes up and sees the mess our great country has gotten in over the past few years. Thank you for loving America!

2 years
Reply

Thank you, and yes it's hard to work without a pay increase, but I get it...Our country is in a financial mess, and the only way out is to tighten up our belts and dig out what previous administrations have put in action. So glad someone finally wakes up and sees the mess our great country has gotten in over the past few years.

2 years
Reply

I think someone has been doing their research and trying to be proactive instead of reactive it's a wonderful thing the government is starting to come around like this in my opinion

2 years
Reply

Interesting, the groups that have monetized and exploited PII, will now draft a response to EU GDPR? An American one, I can't wait?

2 years
Reply