Advancing Government through Collaboration, Education and Action General Membership Meeting February 25, 2014


Agenda

Welcome & Chair’s Remarks: 4:00 – 4:15pm
Program – Stan Kaczmarczyk: 4:15 – 5:00pm
Program – Cybersecurity Updates: 5:00 – 5:45pm
Networking Reception: 5:45 – 7:00pm, Tickets Lounge


Welcome and Chair Remarks

Jim Williams


Upcoming Events

Feb 26th Commodity Buying of IT Executive Panel

March 19th ACT-IAC General Membership Meeting

March 20th Acquisition Excellence 2014

March 24th Excellence.gov Awards

April 24th SBC 2014


Acquisition Excellence 2014

Education and Training event attended by more than 600 Senior Government Executives, Contract and Program Officers and their Industry counterparts.

Sessions:
• Acquisition Panel with GSA/NASA/DHS/NITAAC
• Acquisition of Agile IT Services
• Leveraging Transparent Procurement Data
• How Industry and Government Perspectives Differ on Acquisition Issues
• Protecting the Nation’s Cyber Infrastructure
• Lifting the Veil on Decision Making
• Relationship Between Protests and Debriefings


Acquisition Excellence 2014

Keynote Speaker:
Katrina McFarland, Assistant Secretary of Defense for Acquisition, Department of Defense

Additional Speakers:
Dr. Nick Nayak, Chief Procurement Officer, Department of Homeland Security
Rob Coen, Acting Director, National Institute of Health, National Institutes of Health Information Technology Acquisition and Assessment Center
Mark Day, Deputy Assistant Commissioner, Office of Integrated Technology Services, Federal Acquisition Service, General Services Administration
Michael Smith, Director, Strategic Sourcing Program Office, Department of Homeland Security
Joanne Woytek, Program Manager, NASA SEWP Program


Excellence.Gov Awards 2014


Registration Fees:

Government: $25.00
IAC Member: $95.00
Non Member: $130.00

For more information on Registration and Finalists: https://actiac.org/groups/event/excellencegov-awards-march-24-2014


Small Business Conference 2014

Theme for this year: Connect, Collaborate, Commit

3rd Annual Smackdown: open dialogue focused on creating practical solutions

Federal Agency Workshops

New for this year: Small Business Advocacy Award and Matchmaking Sessions


Small Business Conference 2014

Confirmed Speakers include:

Dan Tangherlini, Administrator, General Services Administration
Kevin Plexico, Vice President, Deltek
Eugene Cornelius, Deputy Associate Administrator, Small Business Association
Sandra Broadnax, Director, Small Business Programs Office, National Geo-Spatial Intelligence Agency
Chris Dorobek, Founder, DorobekINSIDER.com


ACT-IAC Academy Update

Upcoming Academy Courses


March 19th Overview of the Federal – Industry Technology Partnership

March 25th Should your company have a GSA technology Schedule

March 26th Understanding the Federal Budget Process

March 27th Obtain a Working Knowledge of the FAR for IT Professionals

April 1-2 2014 Agile Project Management


(11) IAC new courses for 2014

• Data Information Sharing across federal agencies (best Practices)
• Working Knowledge of the FAR for IT professionals (acquisition)
• Basic understanding of federal technology acquisition (small business focus, best practices)
• Cost and pricing for federal Technology contracts: bid no/bid decisions (best practices)
• Technology Proposal Writing, Capture & development management (small businesses focus, best practices)
• Overview of the Federal – Industry Technology Partnership. (Small business focus, best practices)
• Effective Risk management in federal technology contracts (best practices)
• Understanding the federal technology budget process (small businesses focus, best practices)
• Federal Technology Customer Relationship management. (Best Practices)
• Creating an Innovative Technology Environment. (Best Practices, leadership)
• Should your company have a GSA technology Schedule? (Small business focus)


Program Speaker

“Helping Federal Agencies Move to the Cloud”

Stanley Kaczmarczyk, Acting Director, Office of Strategic Programs, Federal Acquisition Service, Integrated Technology Service, General Services Administration


ACT-IAC Membership Meeting

February 25, 2014

Mr. Stanley Kaczmarczyk
Acting Director
Office of Strategic Programs (OSP)
Federal Acquisition Service (FAS)
Integrated Technology Services (ITS)


Agenda

• Overview of GSA’s Office of Strategic Programs (OSP) Federal Acquisition Service (FAS) Integrated Technology Services (ITS)

• Lessons Learned - GSA’s cloud acquisition vehicles

• GSA and Federal agencies’ ongoing exploration of the cloud broker model

• New Cloud Acquisition Vehicles - and the landscape for acquiring cloud services


Program Offerings

GSA FAS ITS Office of Strategic Programs (OSP) key offerings include the:

• ITS’ Center for GWAC Programs
• Center for Strategic Solutions and Security Services

The OSP manages Alliant, 8(a) STARS II, and VETS Government wide Acquisition Contracts (GWAC) as well as cloud contracts, SmartBUY, USAccess, and other strategic solution areas for government IT transformation.


Infrastructure as a Service (IaaS) and Email as a Service (EaaS) Blanket Purchase Agreements (BPA’s)

Over time we have gathered lessons learned from various acquisition vehicles that GSA has

• These lessons learned fed directly into key initiatives as well as will feed into new acquisition vehicles:

• A few examples are:

Allowing agencies to award tasks to vendors on the Email as a Service (EaaS) Blanket Purchase Agreements (BPA’s) not requiring the cloud service Providers (CSP’s) to hold an ATO first

Allow for on boarding and off boarding of CSP’s

Add an actual financial penalty or credit back for missed SLA’s

Lessons Learned


Email as a Service (EaaS) Cloud Orders

| Agency | Vehicle | Award Date | Award Amount |
|---|---|---|---|
| Smithsonian Astrophysical Observatory (SAO) | EaaS BPA | 12/16/2013 | $233,570.00 |
| Inter American Foundation (IAF) | EaaS BPA | 12/16/2013 | $25,557.50 |
| Commission of Fine Arts (CFA) | IT Sched. 70 | 09/09/2013 | $18,355.68 |
| National Archives and Records Administration (NARA) | IT Sched. 70 | 11/27/2012 | $7,182,269.75 |
| County of Ventura, CA | IT Sched. 70 | 12/10/2013 | $1,655,000.00 |
| Department of the Army | IT Sched. 70 | 09/26/2013 | $1,452,000.00 |
| Department of the Army (1) | IT Sched. 70 | 09/27/2013 | $861,000.00 |
| Subtotal - EaaS BPA | | | $259,127.50 |
| Subtotal - IT Schedule 70 | | | $11,168,625.43 |
| Total | | | $11,427,752.93 |

(1) Army Task Award was made against the Army CHESS BPA made against Schedule 70.


Infrastructure as a Service (IaaS) Cloud Orders


Lessons learned - GWACs

• Need to make it easier to onboard new vendors and to create a process for successful small businesses to participate in the “other than small” GWACs

• Need to standardize labor categories and link to an authoritative source

• Need a more flexible fee structure to offer reduced rates for agencies/vendors who make greater use of GSA’s contracts.

• Need to give agencies more flexibility to structure orders to support complex, and long term projects such as a data center migration and subsequent operation

• Need to provide more overlap between contracts and to support longer periods of performance.

Lessons Learned


Lessons learned – GWACs continued

• Actual “as a service” cloud orders typically represent 20-30% of acquisition – the devil is in the details.

• GWACs offer single acquisition to meet overall requirement with flexible CLIN structure and scope:

– Inventory & Discovery
– Application mapping
– Migration planning
– Migration execution
– Decommissioning services & “green” disposal

• FDCCI/Cloud migration roadmap (gsa.gov/cloud)

Lessons Learned


• GSA Enterprise Email and Collaboration Services
– Unisys is prime – Google Mail Software as a Service
– $6.7M

• Treasury Consumer Financial Protection Bureau
– Cloud infrastructure and administration services to operate web based applications in a cloud environment
– Smartronix $5.4M

• IRS Enterprise Managed Storage Services (>7.5 Petabytes)
– Unisys $138M

Examples of GWAC Cloud/Data Center Orders


• GSA is exploring a next generation acquisition vehicle - potentially the “Cloud Services Broker” model.

• The intent is to provide government agencies a broad range of vetted cloud computing services through a “single business and acquisition interface” that automates the management and provisioning of cloud services and enables reduced cloud procurement lead times.

Cloud Broker Initiative


Cloud Broker Proof of Concept (POC): Overall Approach and Progress to Date

Phase 1: Concept Development (Jan ’12 - Sept ’12)
Identify Business Issues, Conduct Market Research, and Engage Government and Industry

Key Activities
• Engage Cloud Computing Government Leaders Through Brainstorming Sessions
• Engage Industry through Request for Information (RFI) Development and Publication
• Gain Approved Funding for FY13 Activities

Expected Outcomes
• RFI is Published
• High Level Requirement Areas Identified
• Funding secured for GSA FTE

Phase 2: Analysis (Oct ’12 - Sept ’13)
Analyze RFI Responses, Acquisition Planning for Proof of Concept (POC)

Key Activities
• Analyze RFI Responses
• 2 Rounds of Vendor RFI Follow-up Meetings
• Develop Statement of Objectives (SOO) for POC
• Develop Acquisition Documentation and Issue Request for Quotation (RFQ)
• Re-engage with Brainstorming Group & secured Early Adoption Customers – DHHS and DHS
• Draft POC Use Cases

Expected Outcomes
• RFI Responses are Compiled and Analyzed
• Decision to Launch POC is Made
• POC Use Cases are Developed

Phase 3: Proof of Concept (POC) (Sept ’13 - Mar ’14)
Launch Comparative Evaluation of Cloud Broker Platforms, Assess Decision to Move Forward with Full Operating Capability (FOC)

Key Activities
• Award POC Contract
• Launch POC
• Conduct Iteration Testing
• Continued Involvement of Early Adoption Customers DHS and DHHS
• Complete POC Summary Report and Findings
• Evaluate POC Findings and Impacts to FOC

Expected Outcomes
• Proof of Concept is Executed
• Summary Report and Findings Completed (1)

“Go/No-Go” Decision

(1) Determination to pursue FOC is still under consideration


Cloud Broker Proof of Concept (POC) Project Schedule

• POC Base Period:

– Period of Performance: Sept 2013 – March 2014

– Purpose: Evaluating 3 of 5 platforms
• Enstratius, Gravitant and Jamcracker – Under evaluation
• CA & RightScale

– Current Status:

• Nearly 50% complete from a timeline perspective

• On schedule, on budget

• Completed 3 out of 6 iterations for 2 platforms

• Planning to add a 3rd platform for evaluation through the end of March 2014 based on findings from use cases 1-3 of 2 platforms


Cloud Broker Proof of Concept (POC) Preliminary Observations

1. Cloud Broker Platform use as a cloud procurement tool for contract/task order establishment is not recommended due to:
• Insufficient platform software maturity
• Disparate federal and agency procurement practices

2. Single cloud broker platform supporting multiple agency customers simultaneously not feasible:
• Customer agencies have specific requirements
• Inconsistent broker software implementation models

3. Align next steps to meet motivated customer agency demand:
• Strong interest and engagement with GSA during POC
• Customer agencies seek a flexible and complete contracting solution to procure cloud technologies and services


Here is who is playing in that space today:

Defense Information Systems Agency (DISA)
• In a memo issued by the DoD CIO on June 26, 2012, DISA will act as Enterprise Cloud Service Broker (ECSB) for DoD.

Department of Energy (DOE), National Nuclear Security Administration (NNSA)
• Implemented the Cloud Services Broker model “YOURcloud”

State of Texas - Department of Information Resources (DIR)
• Implemented the Cloud Services Broker Pilot leveraging Gravitant’s technical cloud broker platform.

The National Aeronautics and Space Administration (NASA)
• Jet Propulsion Laboratory (JPL) turned to cloud services four years ago; the lab's IT department became the de facto cloud brokerage for NASA.

Cloud Brokers – Agencies in the Space Today


GSA’s GWACs have been very successful, but all follow similar trend of rapid growth and rapid decline over their 10 year life cycle

[Chart: GWAC obligations by fiscal year, 2000 to 2018, scale $0 to $4,000,000,000, with Alliant II marked. Series: FAS 8(a) STARS II GWAC, FAS 8(a) STARS GWAC, FAS Alliant GWAC, FAS Alliant Small Business GWAC, FAS ANSWER GWAC, FAS Millennia GWAC, FAS Millennia Lite GWAC, FAS VETS GWAC. *FY14 – FY18 are forecasted obligations.]


[Timeline chart: Current Alliant and Alliant Small Business Period of Performance, 2009 to 2023 (Base Alliant Contracts, Option 1 Alliant Contracts, Alliant Task Order POP). Historical year to year business volume variation by contract year 1 to 10: -, 167%, 99%, 59%, 31%, 9%, -9%, -25%, -38%, -49%. Award Alliant II & Alliant Small Business II*, contract years 1 to 7, 2016 to 2022. * POP of new contracts TBD]

How ITS is helping? - New vehicles – Alliant II

Provide more overlap between expiring Alliant Contracts & Alliant II Contracts to mitigate business volume declines.

Register on GSA Interact to obtain information and provide comments on Alliant II


GWAC Dashboard – Active GWACs business volume updated nightly at GSA.gov/gwac


GWAC Prices Paid Portal – high, low, and average prices paid on Alliant’s 80 labor categories.

Available to government project teams and contracting officers preparing independent cost estimates and price reasonableness determinations.


strategicsourcing.gov


Streamlined acquisitions

In support of the Federal Data Center Consolidation Initiative (FDCCI) GSA FAS ITS Cloud Computing Services Program Management Office (CCS PMO) assisted in the creation of five (5) Statement of Objective (SOO) templates:

• GSA's Multi-Agency Working Group developed sample SOOs that can be found at: www.GSA.gov/CloudIT

• This is an attempt to help agencies realize cost savings quicker through increased efficiency, agility, and innovation, that will require less time to close data centers.

• The sample SOO templates support two key administration priorities — Cloud First and data center consolidation.

| Cloud Migration Phase | Cloud Sample SOO Templates |
|---|---|
| 1. Inventory; 2. Application Mapping; 3. Migration Planning | Cloud Migration Services SOO template phases 1 - 3 |
| 4. Migration Execution | Cloud Migration Services SOO template phase 4 |
| 5. Decommissioning Services, Equipment Disposition, and Facility Disposition | Cloud Migration Services SOO template phase 5 |

How ITS is helping? - Streamlined acquisitions


Streamlined acquisitions

IT Solutions Navigator Tool - Was set up to help agencies evaluate GSA’s IT and telecommunications solutions

• The IT Solutions Navigator displays the most suitable contract vehicle(s) matching an agency’s selections and responses
• The tool also provides online help so that an agency can select and use GSA’s contract vehicles
• The tool walks a user through three (3) basic steps

Step 1 - Select whether you are a federal or tribal, state or local government organization

Step 2 - Select your Information Technology and Telecommunications needs

Step 3 - Select your acquisition requirements

How ITS is helping? - Streamlined acquisitions


Websites and Points of Contact

Point of Contact: Stan Kaczmarczyk [email protected]

Learn more about all of GSA’s cloud offerings at: http://www.gsa.gov/cloud

Register on GSA Interact to obtain information and provide comments on Alliant II


Updates in Cybersecurity

Bradley Nix, Director, Chief Information Security Officer, Office of Information Technology, Information Security Office, Food and Nutrition Service, Department of Agriculture

Leo Wong, Deputy Chief Information Security Officer, Office of Information Technology, Information Security Office, Food and Nutrition Service, Department of Agriculture

Jonathan Addelston, Principal, UpStart Systems

Don Johnson, Office of the Secretary of Defense USD (AT&L) – DASD (C3 & Cyber)


Cybersecurity Shared Interest Group

Bradley Nix

Cybersecurity SIG GAP Member


Mission Statement


The Cybersecurity SIG provides opportunities for government and industry executives to collaborate on identifying and overcoming obstacles to help secure the cyberspace and critical infrastructure on which the nation depends


Current Initiatives

• Task Force created to address Priority Area Leader (PAL) request for support in developing a taxonomy of cybersecurity terms that can be incorporated into acquisition documents

• Task Force created to address training required to adopt a risk-based approach to cybersecurity

• Supporting a PAL request on threat information sharing standards

• Continuing to foster Cybersecurity SIG Speaker Program


Next Cybersecurity SIG Meeting

• Date – March 5, 2014
• Location – ACT-IAC Headquarters, Fairfax, VA
• Speaker – Emile Monette, GSA

“Improving Cybersecurity Through Acquisition”, Mr. Monette will provide an overview of the report’s recommendations and discuss what’s next in developing an implementation plan. 


Cybersecurity SIG & GAP Leadership

• Chair – Bob Post, Crossroads Cyber Solutions
• Vice Chair – Cheryl Soderstrom, HP Enterprise Services
• Communications – Mike Agrillo, OnPoint Consulting
• Program Chair – Carrie Boyle, Grant Thornton
• Knowledge Capture - Vacant

• Gary Galloway, State
• Christopher Garcia, FAA
• Adrian Gardner, NASA
• George Jakabcin, Treasury
• Sean Lang, Library of Congress
• Chuck McGann, USPS
• Emile Monette, GSA
• Brad Nix, USDA


Cybersecurity Forum

Implications of Privacy to Cybersecurity

Leo Wong


Overview

• On January 28, 2014 the Cybersecurity Forum was held at the Grand Hyatt, Washington, DC

• Over 70 registered attendees

• Speakers
– Peter Miller, Chief Privacy Officer, FTC (Keynote)
– Naomi Lefkovitz, Senior Privacy Policy Advisor, ITL, NIST
– Justin Somaini, Chief Trust Officer, Box
– Brad Nix, Chief Information Security Officer (CISO), FNS, USDA
– Leo Wong, Deputy CISO, FNS, USDA
– Maria Horton, President, EMESEC
– Bob Post, President, Crossroads Cyber Solutions
– Ron Lichtinger, FierceMarkets (Planning Committee)


Breakout Working Sessions

• Track 1: Shaping the concepts of privacy
– Differing perspectives on privacy (generational, regional, cultural)
– Opt In/Opt Out
– Technical Data Collection and Impact on Defining Privacy

• Track 2: Technicalities of Privacy in the Face of Everything
– Privacy By Design
– Data Ownership and Accountability
– Use of Data/Who owns data/repackaging of data


How often terms entered into the conversation is demonstrated below


Community Privacy Initiatives

• Cybersecurity Framework Volume 1.0 deleted the Privacy Annex due to lack of consensus

• NIST is hosting a Privacy Engineering Workshop on April 9-10, 2014 in Gaithersburg, MD


Object Management Group (OMG) Cybersecurity Threat Model

Work-in-Progress

Standards Coordinating Council

C&T SIG Information Sharing Committee

Cybersecurity SIG

Jonathan Addelston & Don Johnson


Joint Activity across ACT-IAC

• Standards Coordinating Council
• Collaboration and Transformation (C&T) Shared Interest Group (SIG) Information Sharing Committee (ISC)
• Cybersecurity SIG


Standards Coordinating Council

• Advisory Working Group to White House Interagency Policy Council

• Members:
– OMG
– IJIS
– AFEI
– ACT-IAC
– Organization for the Advancement of Structured Information Standards (OASIS)
– Global Justice Information Sharing Initiative - DOJ
– National Information Exchange Model (NIEM) - DHS


Related Activities

• Standards-Based Acquisition white paper update by C&T SIG ISC

• ISE Interoperability Framework (I2F) by PM-ISE and SCC

• NIEM 3.0 by DHS

• NIEM Uniform Modeling Language (UML) Standard by OMG


OMG Cybersecurity Threat Model

• Part of the SCC effort to develop and use industry-driven information exchange standards

• Focused on modeling the information which should be shared across industry and government to aid cybersecurity, starting with threats


Current Activities

• Use existing standards, like MITRE’s Structured Threat Information eXpression (STIX) to define basic concepts like
– Indicators
– Threat actor
– Kill chain

• Analysis of the business processes for attackers, defenders, and other “actors”

• Emphasis on deriving the model through specific use cases (scenarios)


No Current Common Information Model

[Diagram: Physical Threat Model; STIX; SNORT (Intrusion Detection Systems); IODef (Incident Object Description and Exchange Format); CAP (Common Alerting Protocol)]

Data Conversions require ~N² versions


Semantic Interoperability: Common Meta Model

[Diagram: Meta Model; STIX, IODef, CAP, SNORT, Physical Threat Model]

Data Conversions require ~N versions


Call for Action

• We are working on cross-collaboration across existing ACT-IAC organizations and activities with interests in cybersecurity

• We need volunteers to work on the Cybersecurity Threat Model and related Information Sharing and Safeguarding approaches


SAVE THE DATE: Next Membership Meeting

March 19, 2014


Networking Reception

Tickets Lounge