The Department of Defense has released a directive establishing policy and providing governance structure for the management of all special access programs, or SAPs, across DOD.
The latest DOD Instruction, which took effect Thursday, outlines the responsibilities of the director of the DOD Special Access Program Central Office—or DOD SAPCO—the undersecretary of defense for research and engineering and USD for acquisition and sustainment, among other officials, for the oversight of SAPs.
The directive states that the director of DOD SAPCO should serve as the proponent for developing and implementing policies for SAP execution, management and governance and publish and maintain security classification guides, among other functions.
According to the document, the department will develop and apply SAP security protection to classified national security information in compliance with an executive order and other regulations to protect sensitive classified data related to advanced technologies and capabilities.
Register here to join the Potomac Officers Club’s 2024 Intel Summit on Sept. 19 and hear top U.S. intelligence community officials and industry executives discuss the challenges, innovation initiatives, opportunities and technologies shaping the future of American intelligence.
Up to 60% of all federal procurement spending happens at the end of the fiscal year, leaving little time for the government to conduct thorough contractor performance assessments.
And while self-assessments have emerged as a potential solution to the challenges of the contractor performance assessment ratings reporting process, Michael Derrios, the senior procurement executive at the State Department, said vendors rarely submit their self-assessments.
“Little to none,” Derrios said when asked what percentage of CPARS include vendor self-assessments. “It’s an incredibly underutilized tool. We would love to see more of it.”
“I will be the first to admit that our ratings at the State Department are not high. It’s challenging, and it almost always happens at the end of the fiscal year. It’s hard for people to find the time to do it. I also think there’s something skittish on the government side about, ‘I don’t want to really engage in a conflict with you.’ But if there’s a self-assessment that can serve as a starting point for that dialog, I think that kind of breaks the ice.”
Too often, there is little to no engagement between the vendor and the government from the beginning of the contract performance, so continuous communication throughout the contract period to avoid any surprises when CPARS ratings are finalized is crucial, said Derrios. “If any of you are ever shocked and surprised by a bad CPARS rating — somebody on the contract probably needs to get fired. Your program manager is not doing their job if they’re shocked that there’s a bad rating.”
“The dialog has to be happening throughout the year, and it’s almost like you have to be writing your CPARS the entire time with direct questions like, ‘How do you think this is going to play into CPARS ratings? You have to be that direct about the dialog.”
Dion Turner, the supervisory contracting officer at the Interior Department, said while CPARS can be somewhat subjective based on the contracting officer, documentation is key to ensuring fair evaluations.
“What’s not subjective is your documentation and what you did performing under that contract. One of the things I try to push is it’s not just about putting in rebuttals. That’s another reason why I’m a huge fan of the self-assessments because we should see your performance in the highlights that you have, even the ones that we have problems that the government didn’t know about that you resolved, but you did, just performing normally on the contract. Those are the types of things that I like to push for documenting your performance.”
“From a government’s perspective, I always push to have those conversations early on and to ensure you’re talking about performance. From a business perspective, you don’t know what to fix if you don’t know that there’s a problem and that leads to us having a project on the government side that may not go to full fruition or may have performance problems. At the end of the day, we’re always pushing for that win, win. It’s just a matter of how you document that,” said Turner.
Getting exceptional rating is possible even if you encounter problems
Contractors can still get an exceptional rating even after encountering progress — it’s more important how a company recovers from setbacks.
Soraya Correa, former chief procurement officer at the Department of Homeland Security and the CEO of the National Industries for the Blind, said contractors tend to hesitate to admit any contract problems during self-evaluation, but most of the time the strategy is counterproductive.
“Believe it or not, a lot of times it’s okay to have something go wrong. It’s how you recover. I’ll be very honest with you when I’m looking at self-assessment, if you tell me you’re great and wonderful and walk on water and never made a mistake — frankly, I don’t want you on my team. I want people that know how to recover from problems, know how to address failures and how to solve issues,” said Correa.
Defense contractors aren’t the only ones preparing for the launch of the Cybersecurity Maturity Model Certification 2.0. The Defense Logistics Agency is in the process of automating some of its contracting systems, including verifying a contractor’s compliance with the National Institutes of Standards and Technology’s Special Publication 800-171. This is a step in the direction of implementing the new CMMC proposed rule, released last month, which would incorporate CMMC requirements into contracts and solicitations once finalized.
“We’re gearing up as we speak to implement that into our processes as well as our automated program to assess the cybersecurity processes or practices, I would say, of our vendors,” said Jajuan Evans, systems procurement analyst for DLA, on Federal Monthly Insights — Contract Management Modernization. “NIST is the precursor. So we are in a position now where we validate that a vendor is covered by a NIST assessment if they’re going to have access to unclassified data or covered defense information. And then it’s going to be an overlap where we start to update our systems to implement CMMC.”
Evans said DLA analyzes risk in relation to vendors and the item being purchased, in relation to the price quoted for that item. That’s part of the supplier performance risk system, DLA’s authoritative source for vendor performance. As the supplier performance risk system lead for the DLA enterprise, Evans said he’s been involved specifically in tying certain cybersecurity assessments into that system, allowing DoD to access the system security plans of vendors who use controlled unclassified information or covered Defense information. DLA’s efforts to increase the use of automation in their contracting system include using that information to asses a supplier’s risk and quality score as a necessary validation before making an award.
Improving contracting efficiency
DLA already uses an extensive amount of automation in its contracting system, Evans said, as part of a recent push to improve contracting efficiency.
“Over the last few years, we really made a push to automate processes where we can. We already have a really robust automated solicitation program that, without any manual intervention, publicizes solicitations, requests for quotes, as well as an automated award program that will award procurements that meet certain criteria automatically,” Evans told the Federal Drive with Tom Temin. “So really reducing that need for manual intervention or for a contracting officer to make that award decision. We’re also leveraging new technology to improve contracting efficiency.”
That includes the use of robotic process automation, he said, to free up contracting professionals from repetitive tasks. For example, DLA created a “master solicitation” — a 12-to-15 page master list of clauses and provisions that apply to solicitations. Automated solicitations then refer back to the latest revision of that document, so that vendors can refer to that document, determine what applies to them and their particular proposal, and ensure they’re in compliance.
Evans said there’s a bit of a learning curve for new contractors working with the federal government, but with a little time and investment, they’re able to learn it and use it effectively.
That’s not to say every contract goes through this automated process; Evans said some more critical solicitations still require manual assembly by a contracting officer. In those cases, it’s incumbent upon the contracting officer to manually include the required provisions.
“So the goal is to leverage that capability as much as possible where it makes sense,” Evans said. “And then for more complex contract actions, we’ll lean on the acquisition specialist or the contracting officer to create those.”
Similarly, DLA is using an automated system to make awards in certain cases, where it determines the product is an correct fit and within pricing parameters. In other instances, however, it will flag an award for manual review. For example, it would do so if a contractor objected to a specific term.
Reducing acquisition lead time
DLA has implemented all of this automation as part of a larger effort to reduce procurement acquisition lead time. DLA tracks time-to-award in on-time deliveries. Acquisition specialists and contracting officers have certain metrics they’re required to meet, like specific solicitation or award times. This helps DLA identify and address bottlenecks in the acquisition process.
“At the end of the day, our goal is to provide that item or that service to our customers, to the warfighter, where it needs to be, when it needs to be there,” Evans said.
The FTUAS are intended to help brigade combat teams by providing reconnaissance and surveillance. The data they collect will enable the BCT commanders to make the right decisions during multi-domain operations.
The MOSA certification was done by replacing the hardware and software of the vendors’ prototype aircraft with the mission computer from a third-party surrogate. This allowed the independent assessor to determine the openness and modularity of the prototype.
During the flight demonstrations, held at the Army Redstone Test Center, the unmanned systems were evaluated based on their vertical takeoff and landing, on-the-move command and control, reduced acoustic signature, system integration, rapid emplacement and flight performance.
The FTUAS program is in accordance with the mission of the Program Executive Office for Aviation, particularly the Uncrewed Aircraft Systems Project Office, of modernizing the Army’s aviation fleet of crewed and uncrewed aircraft.
MITRE has released its response to a request for information issued by the Federal Risk and Authorization Management Program regarding a set of metrics meant to measure the end-to-end FedRAMP authorization experience.
Public input had been sought for those metrics with the aim of focusing and refining them, MITRE said Tuesday.
Input was solicited from a variety of stakeholders, including cloud service providers and third-party assessment organizations. Responses were to be submitted no later than Aug. 29.
For its part, MITRE recommended that the metrics be expanded to enhance the effectiveness of FedRAMP beyond cost and timeliness to include the streamlining of compliance and the reduction of redundant assessments.
Concerning the latter, MITRE specifically proposed that FedRAMP processes and metrics be revised to bring about “reciprocity-at-scale,” a concept that calls for the reuse of assessment information across risk management frameworks and assessment and authorization processes.
MITRE believes that through reciprocity, the government would be able to deploy secure cloud services faster by being able to recognize certifications and authorizations across varying frameworks, while service providers would be able to expand their services into new markets while enjoying savings from not having to undergo multiple certifications.
MITRE’s other recommendations include those concerning continuous monitoring and support for the adoption of quantum resistant cryptography and zero trust.
The 18F digital services agency within the General Services Administration’s Technology Transformation Services has released an updated guide to help federal, state and local government agencies reduce the risk of failure of government technology projects.
GSA said Wednesday the De-risking Government Technology Guide 2.0 includes an in-depth section on vendor management to help agencies manage the implementation of their tech projects and marks the first update since the document’s publication in 2020.
“The new section on vendor management adds even more value to a guide that’s already proven to be a useful resource across federal and state governments,” said TTS Director Ann Lewis.
“Thoughtful acquisition of software requires collectively understanding existing systems, programs, and agency goals. The updated guide offers foundational knowledge that helps reduce cost, time, and risk during technology procurement, making service delivery more efficient and effective,” she added.
The updated guide offers modern software development best practices and information on 18F’s experience working with federal and state partners. It also combines the original document’s two parts: the Federal Field Guide and the State Software Budgeting Handbook.
The document covers topics such as the differences and tradeoffs between custom and commercial software, how to buy custom software development services using performance-based services contracting and key principles for effective custom software development.
The Government Accountability Office has found that the Department of Defense does not have sufficient information to determine all the critical materials that should be included in its national defense stockpile.
A review of the DOD’s stockpile management also revealed a lack of clear guidelines for when to release and use products from the stockpile, GAO said Tuesday.
The DOD stores items that are strategic and critical to defense and essential civilian needs in times of national emergency.
GAO acknowledged the DOD processes for identifying material requirements and managing the stockpile but said the agency does not have program offices and other relevant entities providing the necessary data for stockpile modeling, resulting in the DOD not having stock of its highest priority materials.
DOD reports indicate that from fiscal years 2019 to 2023, the agency primarily stored up the same 50 types of materials but the number of items in shortfall increased by 167 percent, the government watchdog said.
GAO made six recommendations, including identifying the roles and responsibilities for providing data needed to model DOD’s requirements.
The Defense Department concurred with all of the recommendations.
Gen. John Lamontagne accepted the role of commander of the Air Mobility Command at a ceremony held at Scott Air Force Base, Illinois, on Sept. 9.
Gen. David Allvin, chief of staff for the U.S. Air Force, spearheaded the AMC change of command ceremony alongside several other mobility leaders to welcome Lamontagne, the Air Force said Wednesday.
“I could not be more proud to be here today and sharing this stage with these great mobility leaders and be a part of this passing of the baton to keep this air mobility machine moving. The country depends on it, and [Americans] can depend on it,” Allvin emphasized
The appointment comes simultaneously with the Air Force’s declaration to undergo a reorganization in preparation for great power competition.
Prior to taking on the AMC commander role, Lamontagne served as the deputy commander of U.S. Air Forces in Europe-Air Forces Africa. In this role, Lamontagne gained experience implementing strategic mobility and readiness across numerous environments.
Gen. Jacqueline Van Ovost, commander of the U.S. Transportation Command and 2024 Wash100 Award winner, said Lamontagne’s prior leadership experience should benefit the AMC’s global engagements.
“Members of AMC, you are gaining a tremendous leader who is ready to build upon your legacy and recent successes,” Van Ovost said to the room of airmen.
In leading the command, Lamontagne will manage a total force numbering 107,000 airmen and over 1,100 aircraft. Lamontagne said he looks forward to leading the men and women throughout the AMC as the Air Force aims to gain an advantage in the global warfighting landscape.
“To the men and women of Air Mobility Command, we stand here today on the shoulders of giants that have preceded us both personally and organizationally… it is a long proud legacy,” said Lamontagne, in his inaugural remarks as AMC commander. “Some things have changed, and some things have not… Our nation and our predecessors possess an asymmetric advantage, and that asymmetric advantage is the ability to project power anywhere in the world at the time and place of our choosing. And only this command can do it!”
The federal government is set to roll back—yet again—the date by which people must have specially verified driver’s licenses before boarding an airplane or conducting other business with the feds.
But in some ways, the Transportation Security Administration had little choice, faced with the fact that after two decades of prodding and tough talk, only 56% of driver’s licenses in circulation adhere to Real ID standards.
The TSA unveiled a proposal Thursday that would allow federal agencies to use discretion for two years in how strictly they should enforce the May 7, 2025, deadline for compliance. The open-ended guidance would instruct federal agencies to consider security, operational risk and impact on the public for how they choose to enforce the standards.
“The proposed rule does not extend the Real ID deadline,” the agency said in a press release. “Instead, it would allow TSA to consider a phased enforcement approach to Real ID implementation. Travelers without a Real ID compliant ID or another form of acceptable ID after the May 7, 2025, deadline could face delays at airport security checkpoints.”
In a formal announcement detailing the changes, TSA predicted the May deadline could lead to widespread anxiety and disruptions if agencies didn’t have discretion to enforce the rule as they see fit.
In 34 states, less than 60% of driver’s licenses complied with Real ID at the beginning of the year. For 22 of those states, in fact, fewer than 40% met the standards.
The long history of the Department of Homeland Security setting deadlines for Real ID compliance, only to abandon them as they approached, could make Americans complacent about upgrading their license.
“DHS believes this pattern is likely to delay increased adoption in many states despite best efforts to inform the public, potentially leading to last-minute surges in demand for Real IDs leading up to the deadline,” the agency wrote in a notice of proposed rulemaking. “DHS believes this surge could overwhelm states and result in backlogs and delays in Real ID issuance.”
Not only that, but people would likely show up to federal facilities with noncompliant IDs.
“For some agencies, this scenario may raise serious concerns related to security, agency operations and potential impact to the public,” the department explained. “While these concerns are especially acute in an airport security environment, DHS anticipates that other federal agencies that operate facilities visited frequently by the general public may also face similar concerns.”
Congress passed the Real ID law as part of a massive spending package that lawmakers approved in 2005. The idea came as a recommendation of the 9/11 Commission, which wanted states to improve driver’s license security because four of the 19 hijackers in the 2001 terrorist attacks used state-issued driver’s licenses to board the planes they later crashed.
President George W. Bush signed the measure into law in May 2005. It originally gave states three years to roll out systems that would verify that an applicant is in the country legally, using federal databases and original documents, such as birth certificates and Social Security cards. The law also imposed security measures for workers who handle driver’s license information or who produce the physical documents.
But state officials immediately protested the federal mandate. In fact, 17 states passed laws restricting or banning its implementation within their borders. Liberals and conservatives alike objected to the law’s costs, federal preemption of state practices and the potential threat to personal privacy.
Those initial objections softened over time. All states, the District of Columbia and the five U.S. territories that issue driver’s licenses currently comply with the law, according to DHS.
Now the challenge is getting compliant licenses in the hands of drivers, a task that COVID-19 made significantly harder.
Nearly half of all jurisdictions first started issuing Real ID-compliant licenses since 2018, giving people in those places limited time to get the more secure document. The pandemic then slowed down compliance because it forced most states to close their license facilities or limit hours, which led to fewer people getting Real ID-compliant licenses when it was time for them to renew. In fact, license holders have to be physically present at a license facility to get a Real ID, so many likely chose to get a noncompliant card instead, DHS explained.
“DHS observed widespread decreases in Real ID adoption rates coupled with significant increases in noncompliant card issuance rates during, and immediately after, the pandemic. This trend resulted in reduced adoption rates,” the agency wrote in its notice. Before the pandemic, the adoption rate of Real IDs had been increasing by 2.5 percentage points each month. But that dropped to 0.5 percentage points a month in the early days of the pandemic and never got much higher.
At this rate, DHS estimates that only 61.2% of licenses nationally will be Real ID-compliant by the May deadline.
And the pandemic-era dip “will also likely continue to depress adoption rates for several years,” because people tend to upgrade when their current license expires, which usually happens every three to eight years, DHS wrote.
The Air Force Installation and Mission Support Center—a.k.a. AFIMSC—has partnered with AFWERX to award contracts through the AFWERX Expedient Basing Challenge using the challenge’s Commercial Solutions Opening, or CSO, as a contracting vehicle to accelerate the deployment of technology capabilities to service personnel.
The military branch said Wednesday through the partnership, AFIMSC awarded Street Smarts VR a contract in August to build a virtual combat support training range.
“Using the CSO reduces project execution timelines and helps us put needed capability into warfighter hands more quickly,” said Dustin Dickens, principal innovation program manager at AFIMSC.
To address critical mission requirements, AFIMSC intends to use the CSO vehicle to award four more contracts in the near future.
These contracts seek to support the further development of an intelligence remote security tool, called Sentry; a logistics and asset management system; procurement and assessment of a corrosion protection technology for Air Force infrastructure, components and equipment; and the acquisition and evaluation of rapid repair kits for asphalt and concrete airfield surfaces.
