By integrating insights from Technology Modernization Fund and Federal Citizen Services Fund projects, OMB intends to prioritize how they’re used to support shared services and programs.

The new strategy for the funds is laid out in OMB’s IT Operating Plan, required by the Consolidated Appropriations Act of 2022 to maximize the impact of congressionally approved funding.

“We are at a unique moment in time to drive digital transformation across the federal enterprise,” writes Clare Martorana, federal chief information officer, in the plan’s introduction. “We can deploy technology that is secure by design, reduces costs for agencies, eliminates administrative burden for both customers and the federal workforce, delivers government services that meet modern expectations for the American people, and inspires the next generation to serve our great country.”

OMB plans to use the FCSF to scale and modernize high-impact, governmentwide priority initiatives — in keeping with its short-term focus on high-impact service provider (HISP) services. Long term, OMB wants to improve designated cross-agency life experiences.

Shared services previously funded by other sources or agencies — like the Federal Audit Clearinghouse and Presidential Innovation Fellows Program — will be migrated to the FCSF, under the General Services Administration‘s purview.

GSA already intends to request amendments to FCSF appropriation language so services are reimbursable and the spending cap is increased for high-impact projects, after Congress kept its fiscal 2022 funding flat at $55 million.

Meanwhile, OMB will gather performance data on TMF IT modernization projects to inform efforts at all agencies and identify when new shared services are needed. GSA may develop them, or agencies may scale their own for adoption by other agencies with the Office of the CIO and U.S. Digital Service’s support.

OMB also plans to conduct enhanced readiness assessments, in which teams build rapid prototypes to test assumptions, to ensure they’re prepared for IT modernization.

Lastly, the office wants to demonstrate an effective TMF investment model to set new benchmarks for modernization projects.

“The [IT Oversight and Reform Account], TMF, and FCSF are key to enabling strategic-level execution of IT efforts and investments across federal agencies,” reads the plan. “The funds have different and complementary strengths that stem from their inherent purposes and variations in the operating models of the implementing organizations.”

The post White House to coordinate TMF, FCSF funding of shared services appeared first on FedScoop.

OPM spent the last six months on the migration and is preparing to inventory agencies’ HR IT systems and modernization roadmaps.

The Trump administration originally designated the General Services Administration the HR quality services management office (QSMO) as it attempted to abolish OPM, but now the latter is heading up governmentwide HR shared services from enterprise resource planning (ERP) platforms to point solutions.

The QSMO program was created in April 2019 to reform how the government works with shared services. Though the program, single agencies were designated as leaders in the provision of specific services to other government agencies and programs.

“Every agency feels like they need to have the features of a Lexus SUV, but they have the budget for a Toyata hatchback,” said Steve Krauss, interim director for the civilian HR transaction services QSMO, during ACT-IAC’s Shared Services Summit on Thursday. “They feel like they are falling farther behind as time goes on, and the reality is the only way to square that circle is through some sort of ride-sharing arrangement.”

The QSMO is focused on hiring assessment and data analytics solutions to start, the former to help agencies comply with the July 2020 executive order to modernize and reform federal hiring. Commercial hiring assessment solutions exist, as does OPM’s USA Hire based on a commercial solution contract.

On the data analytics front OPM may stand up a Human Capital Data Analytics Community of Practice across agencies with private sector participants.

The Cybersecurity and Infrastructure Security Agency‘s QSMO has already made two major shared services awards for a vulnerability disclosure platform service, which received its authority to operate (ATO) three weeks ago, and a protective DNS resolver service that received its ATO on Wednesday.

CISA is currently engaging with agencies and industry on how best to incorporate commercial solutions into its QSMO marketplace.

“We’re going to be turning a lot of focus to, for example, how can we partner with GSA on governmentwide vehicles,” said Branch Chief Jim Sheire. “How do we bring more commercial providers into the QSMO marketplace to provide those services to agencies?”

CISA has a request for information (RFI) out now looking at security operation services and how to implement them in a zero-trust context, in response to larger agencies with security operations centers seeking a “cereal aisle” of offerings, Sheire said.

The agency also released technical reference and architecture guidance on its Secure Cloud Business Applications (SCuBA) project a few weeks ago for public comment.

Meanwhile the newest QSMO, the grants QSMO within the Department of Health and Human Services, has engaged with all but two “very small” awarding agencies out of 49, said Executive Director Chad Clifford.

The QSMO closed an RFI in late March inquiring about commercial grants management solutions and services, data implementation, customer experience and potential acquisition strategies, and the responses are currently being evaluated by an interagency group of reviewers.

“How can we expand this marketplace by next year to bring on commercial providers, and where should we focus first?” Clifford said. “We know what the agencies need, but how can we do that now while maturing over time?”

The financial management QSMO within the Treasury Department‘s Bureau of the Fiscal Service just reached an agreement with GSA on a contract acquisition approach to populate its marketplace with commercial offerings, a special item number under the Multiple Award Schedule vehicle. Tech companies will be able to apply to participate in the QSMO marketplace starting in mid-May, said Reed Waller, financial systems advisor for the QSMO.

At the same time the QSMO is working to identify the best IT system candidates for modernization.

“We’ve collected an inventory of financial systems that I don’t think has ever existed before,” Waller said.

The post OPM was quietly redesignated the point office for HR shared services appeared first on FedScoop.

GSA will also explore including sites like benefits.gov and grants.gov in the entrance to shared services addressing major life experiences.

The executive order signed Monday builds on the vision of the President’s Management Agenda for effective, equitable and accountable service delivery by introducing 36 customer experience (CX) improvement commitments.

“The Biden-Harris administration is undertaking an all-hands-on-deck effort to make government services simpler and more secure, and as the home of governmentwide shared services, GSA has a leading role to play,” said Administrator Robin Carnahan in a statement. “For years, GSA has pioneered innovative solutions, like login.gov and USA.gov, that make it easier for the American public to interact with the government online, and today’s executive order will build on these efforts.”

The executive order further directs GSA to create a sustained, governmentwide service deliver process in the form of a product roadmap.

Multidisciplinary teams will support agencies delivering the most important public-facing services, known as high-impact service providers (HISPs), in alignment with state and local governments when possible.

GSA will also work with the Department of Veterans Affairs to seamlessly integrate login.gov customer accounts in lieu of outdated, duplicative sign-in options.

The post USA.gov to serve as ‘digital federal front door’ to shared services appeared first on FedScoop.

GSA holds weekly meetings with the Office of Management and Budget, U.S. Digital Service, Cybersecurity and Infrastructure Security Agency, federal chief information officers, and industry to discuss the $1 billion added to the Technology Modernization Fund (TMF) and $150 million to the Federal Citizen Services Fund (FCSF).

The TMF is a central pot of appropriations that agencies can apply for to fund impactful modernization projects under the stipulation that they’ll pay it back within five years. The FCSF, on the other hand, is an internal GSA fund that TTS can use to support interagency digital services initiatives.

While process improvements streamlining how that money is distributed to agencies will be determined in the coming weeks and months, the news that GSA teams like Technology Transformation Services and 18F will offer assistance should assuage tech companies that demanded as much in a letter last month.

“If we can be of service along the way — whether it’s through our technology expertise, whether it’s through our acquisition expertise, whether it’s through our thought leadership in certain areas,” Sonny Hashmi, commissioner of the Federal Acquisition Service, told FedScoop in an exclusive interview. “We will be available as a resource for those agencies to tap into in the most frictionless way possible.”

TTS is working with the TMF Board to bring in the right people, potentially from the Centers of Excellence and Presidential Innovation Fellows programs, said Dave Zvenyach, the TTS’s director and deputy federal acquisition commissioner.

Adding the right capabilities and skills to the evaluation side of investments is a priority, Hashmi said.

“We have to figure out our org chart behind the scenes and work with our agencies in all the many different ways that we can,” he added. “Because that has been a challenge historically that I think we have the ability to overcome.”

In addition to improving the way investments are made, government is reconsidering agency repayment requirements and how to hold projects accountable for the way funds are spent to “make the most good happen as quickly as possible,” Hashmi said.

GSA’s 10x program has had great success expanding Login.gov entity verification across government on a smaller budget than the TMF and FCSF have now, Zvenyach said.

He categorizes the uses of new funds in three ways: recovery tied to the COVID-19 pandemic, economy, racial inequity and climate change; rebuilding government services; and reimagining digital services delivery — all of which offer high-impact opportunities for investments.

“Some of them are going to be duds,” Zvenyach said. “But some of them are going to be home runs.”

Both officials declined to name specific initiatives that will likely receive TMF funds citing the many stakeholders involved in those decisions. But possibilities include immediate, tactical investments in cybersecurity in response to last year’s SolarWinds hack, new shared services, and specific systems helping people find COVID-19 vaccinations, vote or receive Social Security benefits, Hashmi said.

GSA is assisting the Small Business Administration with baking fraud detection into its loan application systems, which may have doled out as much as $105.4 billion in COVID-19 relief money to fraudsters.

“There are a range of specific initiatives we’re looking at,” Zvenyach said. “Everything from [the Federal Risk and Authorization Management Program] to improving forms and digitizing paper-based services.”

Another factor in all of this is President Biden’s appointment of Clare Martorana as federal CIO last month. Martorana‘s experience with IT modernization as CIO of the Office of Personnel Management and, before that, at USDS bodes well for projects reimagining digital and shared services.

“She brings a wealth of knowledge and experience,” Hashmi said. “And new thinking around how the TMF can actually be used as an investment fund to change things at a much greater scale, across multiple agencies.”

The post GSA planning to lend tech, acquisition expertise to support scaling TMF appeared first on FedScoop.

For the idea to work, Krebs says, the agency’s existing quality services management office (QSMO) will need the authority to compel all .gov agencies to use the resulting govnet services. The recommendation, which Krebs made Wednesday during a House hearing, comes as the Biden administration is expected to eventually release a governmentwide cyber strategy as it continues to respond to the SolarWinds breach.

Civilian agencies will struggle to meet the Biden plan’s requirements, Krebs said, unless their chief information officers and chief information security officers are allowed to hand the keys to some of their services over to CISA.

“CISA can build those services through the quality services management office — like a hardened, secure, cloud-based email instance — and pull everyone in,” Krebs told the Homeland Security Committee. “As of now, there are 101 different instances of email across the civilian agencies; that’s just not a defensive posture.”

Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, summed up the idea by saying CISA should effectively become the operational federal CISO for .gov agencies, much like U.S. Cyber Command is for the Department of Defense.

Congress made a “critical move” allowing CISA to threat hunt on agency networks without their permission in the fiscal 2021 National Defense Authorization Act, Alperovitch said at Wednesday’s hearing, but now it needs to provide the agency with additional resources.

A senior member of the committee expressed support for expanded CISA authorities after the hearing. Ranking Republican John Katko of New York highlighted Krebs’ QSMO idea in a news release and urged Congress to ensure CISA has the workforce, funding and authorizations it needs to respond to the SolarWinds incident.

“At its core QSMO is about creating a center of excellence for shared cybersecurity services within CISA,” Katko told FedScoop. “Building and expanding upon this centralization is foundational to the efforts I have long been pushing to ensure CISA has increased visibility to nimbly respond to threats.”

CISA will also need to strike information sharing agreements with .gov agencies’ on software with elevated privileges and sensitive data, Krebs said. SolarWinds, which has been attributed to a Russian intelligence agency, should be a loud wake-up call, he said.

“I’m hoping that … the Russian espionage campaign, is enough for Congress to take bold action and change the way that the federal government does business to secure its own networks,” Krebs said. “Centralize authorities; provide capabilities that are hardened and more defensible than leaving it up to the 101 different agencies.”

CISA’s QSMO, designated in April 2020, is already producing products for other federal agencies. It is expected to award a contract this year for a protective Domain Name Service capable of blocking access to malicious websites, when translating their people-friendly domain names into the numerical Internet Protocol addresses computers use. The security control will be one of the QSMO’s first marketplace offerings to civilian agencies.

The post Krebs to Congress: Empower CISA’s shared services office appeared first on FedScoop.

As an official quality services management office (QSMO), HHS can now stand up a marketplace and its customer agencies choose from a catalog of cloud-based systems and services offered by federal shared service providers.

While HHS presented its implementation plan to the Shared Services Governance Board last July, it had the longest road to becoming the fourth QSMO because it lacked a preexisting shared services model like the others.

“The grants QSMO is unique in that its marketplace will have a direct impact on the public at large,” Federal CIO Basil Parker said in the announcement. “Modernizing and leveraging shared grant solutions across the government should improve the user experience and service quality for the grants community and the federal government.”

Systems HHS’s marketplace will cover include grant management of pre-awards, awards, post-awards and closeouts, as well as recipient oversight.

The QSMO has its roots in the HHS ReInvent Grants Management Initiative proposed in 2017 as part of ReImagine HHS, the goal of which was to reduce administrative burden while improving transparency and efficiency.

Sharing quality services is Cross-Agency Priority Goal 5 in the current President’s Management Agenda, and the Office of Management and Budget is charged with designating QSMOs for standardizing agencies’ IT.

The other initial, official QSMOs include the Cybersecurity and Infrastructure Security Agency for cybersecurity services, Treasury Department for financial management services and General Services Administration for human resources services.

Just because HHS lacked a formal QSMO designation doesn’t mean its work toward a marketplace stopped.

“While we’re awaiting formal designation, we’ve been making significant progress in understanding the existing grants management ecosystem, engaging stakeholders including federal service providers, and supporting business offices bringing quality shared services to the market to accelerate the impact once we are designated,” said Alice Bettencourt, QSMO executive lead for HHS, in September.

The post HHS officially named shared service provider for grants management systems appeared first on FedScoop.

Earlier this year, GSA was designated by the White House as the Civilian HR Transaction Services Quality Service Management Office, activating the NewPay initiative. The purpose of NewPay is to create a secure, reliable, and innovative payroll platform where a federal employee’s professional experience is modern, efficient, and consistent regardless of the agency where they are employed. GSA’s NewPay program solves this problem, by implementing new, technology-based solutions for a modern federal payroll system, focused on removing inconsistencies in take-home pay between agencies.

Payroll administrators, timekeepers, and others will still each have their own distinct roles, but will no longer be the crisis managers of the federal payroll system. Instead, they will work together to ensure employees are paid consistently and accurately, even when transferring between federal agencies. Building on strong partnerships and collaboration between the federal government’s payroll SSPs has ensured that NewPay will provide a standards-based, secure commercial solution for agencies to use with ease.

Between 2003 and 2008, the federal government consolidated twenty-six payroll systems to four shared service providers (SSPs) in an effort that saved over $1 billion in cost avoidance over the next 10 years. Those SSPs currently serve the payroll and time and attendance needs of over 2.2 million civilian federal employees with their own unique, dependable payroll services.

Since that major consolidation, there has been no significant innovation in federal civilian payroll. The lag comes from having obsolete and costly IT infrastructure, creating a cumbersome, bureaucratic environment that struggles to support federal employees. Instead, both individual employees and HR payroll administrators are forced to do things manually (e.g., update timesheets and enter corrections) while managing complexities that come with antiquated data systems that are held together with baling wire and chewing gum. These systems are unable to communicate between agencies, let alone adopt common data standards. Simply put, when there are four different ways of managing core payroll and time and attendance functions, there are at least four different definitions of a day. Responding to changes in tax laws, or implementing the new maternity leave options becomes a herculean effort.

The NewPay initiative was established to make the federal government’s mission support services more efficient and effective in the short- and long-term in performance, customer experience, and operational costs. The NewPay team is ensuring that the applicable payroll laws serve as its foundation, which will ultimately shape payroll policies and lead to the development of uniform standards. For example, when Congress granted leave to employees suffering from COVID-19, each SSP had to individually spend time and money to make the changes necessary to support sick employees.

Another important change is that NewPay will move the government away from expensive, custom-built systems or systems that the original providers no longer support. Instead, NewPay takes advantage of successful commercial offerings and uses a software-as-a-service (SaaS) platform to manage payroll and other HR-related functions. This industry-leading best practice will ultimately reduce operating costs, mitigate the risk exposure associated with legacy technology, and standardize business processes. As a result, NewPay will improve cybersecurity by placing the responsibility for cloud-based security in the hands of commercial providers who utilize highly automated and centralized security platforms. This increasing investment on HR SaaS infrastructure will help mitigate the evolving and escalating cyber threat facing the government’s legacy IT systems. The NewPay solution meets Federal cybersecurity standards, which will ensure a reduction in time and cost to implement for customer agencies.

NewPay is breaking the cycle of using separate, stand-alone legacy payroll systems that have outgrown the federal government’s changing needs. We are also replacing antiquated and siloed approaches for handling the most important thing to a federal employee — their payroll — with a secure, cohesive, and dynamic payroll system. In doing so, we are leveraging current technology in a more innovative manner to standardize data, reduce operations and maintenance costs, modernize and automate processes, and improve overall customer satisfaction. Federal employees deserve to have a secure, modern way to receive their paychecks — NewPay delivers that solution.

Emily Murphy is the Administrator of GSA.

The post Breaking the cycle: Modernizing the federal payroll systems appeared first on FedScoop.

The government technology advocacy group found the U.S. Department of Agriculture to be driving shared services spending in 2020 followed by the Treasury Department, General Services Administration and State Department. Together those agencies account for 61% of the $1.9 billion spent on shared services.

Sharing quality services is Cross-Agency Priority Goal 5 in the current President’s Management Agenda, and based on the numbers, recent efforts by the Office of Management and Budget to standardize agencies’ IT appear to be paying off.

“This really builds on the emphasis of the federal government in terms of expanding shared services and the quality services management offices, the QSMOs, that have been stood up,” said Steve Vetter, a federal strategist at Cisco, during PSC‘s Federal Market Forecast Conference on Monday. “And you can see the power of what USDA and other leaders have done in that area.”

PSC analyzed federal IT Dashboard data and found a 3% decrease in spending on cloud, down to 3.4% of overall IT spending. Spending on a Software-as-a-Service declined 21%, while spending on Platform-as-a-Service and Infrastructure-as-a-Service increased by 8%.

The move away from SaaS to PaaS and IaaS could be the abrupt shift to telework and remote work necessitated by the coronavirus pandemic.

Of the $29 billion in discretionary funds set aside to deal with the crisis, $3.02 billion has been spent on IT. The Department of Veterans Affairs accounted for nearly 50% of that spending, followed by the Department of Health and Human Services and the Department of Defense.

To date, agencies have largely spent COVID-19 funds for IT on their networks, cyber, end-user devices, hardware, and software. Data science tools — namely machine learning and visualization software — have also been procured to help analyze and communicate COVID-19 data to policymakers. 

“Overall the pandemic really created a tipping point for modernization and digital transformation,” said Josh Verville, business development executive at Perspecta.

Cybersecurity spending is increasing at a rate of 3% annually, but that’s slowing — a trend that could very well reverse as agencies look to combat the tripling of cyberattacks during the pandemic, Vetter said.

The National Institute of Standards and Technology’s Zero Trust Architecture guidance and Department of Homeland Security’s Trusted Internet Connections 3.0 guidance have ushered in a more customized approach to cybersecurity at agencies.

“It is not a one-size-fits-all, ram-it-down-a-federal-agency’s throat approach,” Vetter said. “It’s about tailoring solutions for individual agency leads to produce the outcomes that they’re looking for.”

Similarly, GSA has been developing contract vehicles allowing agencies to procure solutions to meet their specific mission outcomes — especially as-a-service solutions, he added.

PSC expects a Federal Acquisition Regulation rule in the next month or so establishing that lowest-price-technically-acceptable source selection is not preferred when procuring solutions to meet mission outcomes, Vetter said.

The post Federal efforts to get agencies using shared IT services appear to be working appeared first on FedScoop.

HackerOne filed a bid protest of the General Services Administration’s $13.5 million award to EnDyna, Inc. with the Government Accountability Office on Oct. 9. The goal of the contract is to create a platform that agencies can use to safely collect information about security flaws in their networks.

A decision isn’t due until Jan. 19, 2021.

“We believe the security of our national cyber infrastructure depends significantly on the efforts of security researchers. CISA’s requirements are clear on what they need in a vendor to support this bold initiative,” said a HackerOne spokesperson. “We can confirm that we have filed a protest challenging the award to EnDyna to ensure eligibility requirements to carry out this vital task are fully met, and that the vendor selected can support the work CISA is entrusting them to do.”

McLean, Virginia-based consulting firm EnDyna planned to provide the centrally managed system in early 2021 for processing reports from freelance researchers as they find vulnerabilities in agencies’ externally facing IT systems. San Francisco-based HackerOne is known for running bug bounty competitions for the U.S. military and other large organizations.

The VDP platform was the first of three initial shared services CISA intended to offer agencies as an officially designated quality services management office (QSMO).

CISA will eventually manage a marketplace of cloud-based systems and services, offered by federal shared service providers, for agencies to choose from — rather than finding or developing their own.

GSA’s Federal Acquisition Service partnered with CISA to acquire the VDP platform on Sept. 25, so both the service and the acquisition vehicle eventually will be available to agencies through the marketplace.

The next shared-services project for CISA is a security operations center-as-a-service (SOCaaS) that the Department of Justice will provide small agencies, with commercial providers being identified later.

The post CISA’s first shared-services offering is delayed by protest appeared first on FedScoop.

Kantara Initiative will assess the conformity of Login.gov’s identity proofing and authentication with the National Institute of Standards and Technology‘s Special Publication (SP) 800-63-3, the government’s digital identity guidelines.

Login.gov already provides its services for 80 applications across 23 agencies, 12 of them Cabinet level, and increasing their confidence that people accessing their apps are who they say will only drive further use. NIST’s guidelines are widely used throughout government and industry.

“By going through this third-party assessment, login.gov will be performing a best practice for shared services that demonstrates trustworthiness and maturity,” a GSA spokesperson told FedScoop. “We anticipate this to be helpful for agency organizations to better trust login.gov to provide critical user identity assurance for any citizen-facing website that requires it.”

Global nonprofit Kantara has assessed industry and government services since 2010, and its model is based on past work for the private sector.

The Office of Management and Budget‘s M-19-17 memo mandated that agencies like GSA follow NIST’s digital identity guideline, so that’s what login.gov will be assessed on.

“They need to prove conformity against the requirements and controls that Kantara has taken from NIST 800-63-3, and that became the criteria,” said Ruth Puente, director of assurance operations at Kantara. “We have an Assurance Review Board (ARB) that is composed of experts in identity management fields.”

Kantara uses its Identity Assurance Framework (IAF) to grant approvals to credential service providers, like login.gov, and accreditation to its assessors. The ARB manages the IAF day to day.

Assessors will spend four to six weeks looking for evidence— reviewing documents, records, operations, staff, and systems — that login.gov conforms with SP 800-63-3’s individual requirements. Their findings will be relayed to the ARB, which will make recommendations to Kantara’s board of directors for a final decision to approve, do so with exceptions or disapprove. The entire process takes four months, minimum.

Kantara was first authorized as a federal trust framework provider to GSA’s Federal Identity, Credential, and Access Management Trust Framework Solutions program in 2011.

“It’s actually going to enable more services to integrate with login.gov,” said Colin Wallis, executive director of Kantara. “Because at the moment it’s, ‘Trust us, we know what we’re doing.'”

The post Login.gov to be third-party assessed against NIST’s digital identity guidelines appeared first on FedScoop.