I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Given that the gap between the government’s needs and the commercial marketplace is narrower than ever, and given that the bureaucracy does indeed tend to dilute exceptions and change, we should flip the table and make commercial acquisition the norm, the default, for everything other than the most government- or defense-unique of needs. This would include not only strengthening Part 12 of the Federal Acquisition Regulation, but also flipping the table on other government-unique requirements that were borne of, and relevant to, a very different era.
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
So as a dumb sales guy the wide-ranging legal ramifications of moving in this direction are beyond me. However I’ve written on this site previously about how important I think it is to eliminate the Govcon “merit badges,” random requirements that find their way into solicitations, add no value and make it really difficult for non-specialists to compete for Government work.
Also I really liked Raj’s letter to WSJ published awhile back,”How About Fairness for Taxpayers?” in which he pointed out that artificial barriers to market entry hurt tax payers and sort of pokes around the edges of a similar point.
However I think Stan Soloway is a bit too trusting of the contracting community, stating that “even when given tremendous latitude, government and industry recognize that reality and their responsibility [to conduct procurement ethically].” I’m not so confident in myself my fellow contractors. I feel like any loosening of procurement rules needs to be counter balanced by stiffer penalties and accountability mechanisms to help prevent violations of the public trust.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
More than interesting! But, how do we turn an awareness of commercial / private sector best practices into a change platform?
——————————
Joseph Sandor
Professor
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
Man, that’s an interesting discussion to have. It is very nuanced as I could think of some current regs that appear to be restrictive, but at the same time much of the bureaucracy is there as a response to something, potentially legitimate. I think some agencies have run with all the OTA actions as freedom from regulations. Early on I think everyone has the Government’s best interest in mind. But things like these are quickly taken advantage of when the masses begin using them. Years ago VA was given the statutory authority to award sole source contracts to SDVOSBs under $5M with essentially no justification. Out of fear of abuse VA restricted that ability and put some policy on top of that. When it works against us we are upset, but there is some prudence in policy like that. It is unfortunate that we are all affected by sweeping regulation/policy, but not realistic that we can all be governed individually.
——————————
Mark Junda
Eatontown NJ
(732) 795-1019
——————————
——————————————-
Original Message:
Sent: 01-20-2017 10:14
From: Spence Witten
Subject: Should government “flip the table” and start focusing on commercial practices?
So as a dumb sales guy the wide-ranging legal ramifications of moving in this direction are beyond me. However I’ve written on this site previously about how important I think it is to eliminate the Govcon “merit badges,” random requirements that find their way into solicitations, add no value and make it really difficult for non-specialists to compete for Government work.
Also I really liked Raj’s letter to WSJ published awhile back,”How About Fairness for Taxpayers?” in which he pointed out that artificial barriers to market entry hurt tax payers and sort of pokes around the edges of a similar point.
However I think Stan Soloway is a bit too trusting of the contracting community, stating that “even when given tremendous latitude, government and industry recognize that reality and their responsibility [to conduct procurement ethically].” I’m not so confident in myself my fellow contractors. I feel like any loosening of procurement rules needs to be counter balanced by stiffer penalties and accountability mechanisms to help prevent violations of the public trust.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
So I think the ATO process is a great example, preciously because it’s such a heinous, soul-crushing, dollar-bill-bonfire of an exercise. FISMA is the law of the land, so the ATO process is inevitable for certain types of businesses that want to work with the Government. But the way some of the applicable resolutions are written makes the ATO process an impossible barrier, particularly for small and even mid size businesses.
It also becomes a chicken n’ egg problem:
Agency: No deployment without ATO.
Provider: How do we get an ATO?
Agency: No ATO without deployment.
However under looser procurement rules maybe we could empower decision makers to make risk based decisions. For example if I were a CIO I could buy and deploy, in a limited fashion, an otherwise cool solution, despite the fact that it didn’t check all the ATO boxes. Maybe it’s a cloud solution that I provisionally authorize for low risk use, like cafeteria support? And then I could choose to work with that vendor to hand hold them through the ATO process before authorizing the solution for higher risk uses.
Too often bright-line procurement rules don’t allow our federal leaders to make those kinds of decisions. And I’m not so sure that’s the best thing for government.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-24-2017 08:03
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
I hear what you’re saying on this one, and defer to your expertise on how this actually impacts the business process. Its not good policy to create “chicken & egg” scenarios and it sounds like this is what the ATO process has devolved into at some locations. Maybe many?
One question I have about CIOs wanting to make or have more decision autonomy – do they actually want this? I would hope the answer is yes, but at the same time can see how a central FISMA standard can effectively indemnify them if anything goes wrong with ATO-approved software.
If the answer is even a soft yes, then we’re into a larger issue about risk aversion & accountability. A real perverse incentive if the above is true.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-24-2017 19:58
From: Spence Witten
Subject: Should government “flip the table” and start focusing on commercial practices?
So I think the ATO process is a great example, preciously because it’s such a heinous, soul-crushing, dollar-bill-bonfire of an exercise. FISMA is the law of the land, so the ATO process is inevitable for certain types of businesses that want to work with the Government. But the way some of the applicable resolutions are written makes the ATO process an impossible barrier, particularly for small and even mid size businesses.
It also becomes a chicken n’ egg problem:
Agency: No deployment without ATO.
Provider: How do we get an ATO?
Agency: No ATO without deployment.
However under looser procurement rules maybe we could empower decision makers to make risk based decisions. For example if I were a CIO I could buy and deploy, in a limited fashion, an otherwise cool solution, despite the fact that it didn’t check all the ATO boxes. Maybe it’s a cloud solution that I provisionally authorize for low risk use, like cafeteria support? And then I could choose to work with that vendor to hand hold them through the ATO process before authorizing the solution for higher risk uses.
Too often bright-line procurement rules don’t allow our federal leaders to make those kinds of decisions. And I’m not so sure that’s the best thing for government.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-24-2017 08:03
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
I’m really enjoying this conversation, because I tend to take the bottom-up view; that is, the major problem in government often is nuts and bolts. I’ve seen C&A contracts that were vastly improved by emphasizing compliance and preflighting the package as a step. Maybe authorization work, largely a paperwork exercise, should be handled by compliance professionals, rather than less experienced cyber people. Certainly there are some clients who appreciate a “Big Four,” auditors’ mindset and recognize system certification isn’t leading-edge cyber work.
Do we need to rewrite the law, which is imperfect for many other reasons, to improve the system? Or do we need to refine requirements and evaluation factors to reward results and benefits over the how?
——————————
Jason Bakke
Proposal Manager
Censeo Consulting Group (Censeo)
Washington DC
——————————
——————————————-
Original Message:
Sent: 01-25-2017 08:36
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
I hear what you’re saying on this one, and defer to your expertise on how this actually impacts the business process. Its not good policy to create “chicken & egg” scenarios and it sounds like this is what the ATO process has devolved into at some locations. Maybe many?
One question I have about CIOs wanting to make or have more decision autonomy – do they actually want this? I would hope the answer is yes, but at the same time can see how a central FISMA standard can effectively indemnify them if anything goes wrong with ATO-approved software.
If the answer is even a soft yes, then we’re into a larger issue about risk aversion & accountability. A real perverse incentive if the above is true.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-24-2017 19:58
From: Spence Witten
Subject: Should government “flip the table” and start focusing on commercial practices?
So I think the ATO process is a great example, preciously because it’s such a heinous, soul-crushing, dollar-bill-bonfire of an exercise. FISMA is the law of the land, so the ATO process is inevitable for certain types of businesses that want to work with the Government. But the way some of the applicable resolutions are written makes the ATO process an impossible barrier, particularly for small and even mid size businesses.
It also becomes a chicken n’ egg problem:
Agency: No deployment without ATO.
Provider: How do we get an ATO?
Agency: No ATO without deployment.
However under looser procurement rules maybe we could empower decision makers to make risk based decisions. For example if I were a CIO I could buy and deploy, in a limited fashion, an otherwise cool solution, despite the fact that it didn’t check all the ATO boxes. Maybe it’s a cloud solution that I provisionally authorize for low risk use, like cafeteria support? And then I could choose to work with that vendor to hand hold them through the ATO process before authorizing the solution for higher risk uses.
Too often bright-line procurement rules don’t allow our federal leaders to make those kinds of decisions. And I’m not so sure that’s the best thing for government.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-24-2017 08:03
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
I think you pose the question more as a hypothetical and I think I know how you would answer it, but feel compelled to give my own.
Laws don’t create outcomes, people and process do. Re-writing the law would just result in people finding new ways to mess it up, misinterpret it, or creatively ignore it.
Fix the process and incentivize the people to pursue outcomes. It sounds so cliche, but its how stuff gets done.
There’s my two pennies!
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-25-2017 19:46
From: Jason Bakke
Subject: Should government “flip the table” and start focusing on commercial practices?
I’m really enjoying this conversation, because I tend to take the bottom-up view; that is, the major problem in government often is nuts and bolts. I’ve seen C&A contracts that were vastly improved by emphasizing compliance and preflighting the package as a step. Maybe authorization work, largely a paperwork exercise, should be handled by compliance professionals, rather than less experienced cyber people. Certainly there are some clients who appreciate a “Big Four,” auditors’ mindset and recognize system certification isn’t leading-edge cyber work.
Do we need to rewrite the law, which is imperfect for many other reasons, to improve the system? Or do we need to refine requirements and evaluation factors to reward results and benefits over the how?
——————————
Jason Bakke
Proposal Manager
Censeo Consulting Group (Censeo)
Washington DC
——————————
——————————————-
Original Message:
Sent: 01-25-2017 08:36
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
I hear what you’re saying on this one, and defer to your expertise on how this actually impacts the business process. Its not good policy to create “chicken & egg” scenarios and it sounds like this is what the ATO process has devolved into at some locations. Maybe many?
One question I have about CIOs wanting to make or have more decision autonomy – do they actually want this? I would hope the answer is yes, but at the same time can see how a central FISMA standard can effectively indemnify them if anything goes wrong with ATO-approved software.
If the answer is even a soft yes, then we’re into a larger issue about risk aversion & accountability. A real perverse incentive if the above is true.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-24-2017 19:58
From: Spence Witten
Subject: Should government “flip the table” and start focusing on commercial practices?
So I think the ATO process is a great example, preciously because it’s such a heinous, soul-crushing, dollar-bill-bonfire of an exercise. FISMA is the law of the land, so the ATO process is inevitable for certain types of businesses that want to work with the Government. But the way some of the applicable resolutions are written makes the ATO process an impossible barrier, particularly for small and even mid size businesses.
It also becomes a chicken n’ egg problem:
Agency: No deployment without ATO.
Provider: How do we get an ATO?
Agency: No ATO without deployment.
However under looser procurement rules maybe we could empower decision makers to make risk based decisions. For example if I were a CIO I could buy and deploy, in a limited fashion, an otherwise cool solution, despite the fact that it didn’t check all the ATO boxes. Maybe it’s a cloud solution that I provisionally authorize for low risk use, like cafeteria support? And then I could choose to work with that vendor to hand hold them through the ATO process before authorizing the solution for higher risk uses.
Too often bright-line procurement rules don’t allow our federal leaders to make those kinds of decisions. And I’m not so sure that’s the best thing for government.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-24-2017 08:03
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
So far the examples of adopting commercial practices have been IT, not procurement. I’ve been ignorantly (in jest) on the government side for my career. What commercial procurement practices can we institute that we don’t currently?
——————————
Mark Junda
Eatontown NJ
(732) 795-1019
——————————
——————————————-
Original Message:
Sent: 01-26-2017 17:12
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
I think you pose the question more as a hypothetical and I think I know how you would answer it, but feel compelled to give my own.
Laws don’t create outcomes, people and process do. Re-writing the law would just result in people finding new ways to mess it up, misinterpret it, or creatively ignore it.
Fix the process and incentivize the people to pursue outcomes. It sounds so cliche, but its how stuff gets done.
There’s my two pennies!
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-25-2017 19:46
From: Jason Bakke
Subject: Should government “flip the table” and start focusing on commercial practices?
I’m really enjoying this conversation, because I tend to take the bottom-up view; that is, the major problem in government often is nuts and bolts. I’ve seen C&A contracts that were vastly improved by emphasizing compliance and preflighting the package as a step. Maybe authorization work, largely a paperwork exercise, should be handled by compliance professionals, rather than less experienced cyber people. Certainly there are some clients who appreciate a “Big Four,” auditors’ mindset and recognize system certification isn’t leading-edge cyber work.
Do we need to rewrite the law, which is imperfect for many other reasons, to improve the system? Or do we need to refine requirements and evaluation factors to reward results and benefits over the how?
——————————
Jason Bakke
Proposal Manager
Censeo Consulting Group (Censeo)
Washington DC
——————————
——————————————-
Original Message:
Sent: 01-25-2017 08:36
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
I hear what you’re saying on this one, and defer to your expertise on how this actually impacts the business process. Its not good policy to create “chicken & egg” scenarios and it sounds like this is what the ATO process has devolved into at some locations. Maybe many?
One question I have about CIOs wanting to make or have more decision autonomy – do they actually want this? I would hope the answer is yes, but at the same time can see how a central FISMA standard can effectively indemnify them if anything goes wrong with ATO-approved software.
If the answer is even a soft yes, then we’re into a larger issue about risk aversion & accountability. A real perverse incentive if the above is true.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-24-2017 19:58
From: Spence Witten
Subject: Should government “flip the table” and start focusing on commercial practices?
So I think the ATO process is a great example, preciously because it’s such a heinous, soul-crushing, dollar-bill-bonfire of an exercise. FISMA is the law of the land, so the ATO process is inevitable for certain types of businesses that want to work with the Government. But the way some of the applicable resolutions are written makes the ATO process an impossible barrier, particularly for small and even mid size businesses.
It also becomes a chicken n’ egg problem:
Agency: No deployment without ATO.
Provider: How do we get an ATO?
Agency: No ATO without deployment.
However under looser procurement rules maybe we could empower decision makers to make risk based decisions. For example if I were a CIO I could buy and deploy, in a limited fashion, an otherwise cool solution, despite the fact that it didn’t check all the ATO boxes. Maybe it’s a cloud solution that I provisionally authorize for low risk use, like cafeteria support? And then I could choose to work with that vendor to hand hold them through the ATO process before authorizing the solution for higher risk uses.
Too often bright-line procurement rules don’t allow our federal leaders to make those kinds of decisions. And I’m not so sure that’s the best thing for government.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-24-2017 08:03
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————
Hey there Mark
So I think the term “Commercial Practices” muddies the water. The jist of Soloway’s point that Jonathan used to jump start this discussion goes something like this:
I think that’s what Soloway is getting at in his article.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-26-2017 18:00
From: Mark Junda
Subject: Should government “flip the table” and start focusing on commercial practices?
So far the examples of adopting commercial practices have been IT, not procurement. I’ve been ignorantly (in jest) on the government side for my career. What commercial procurement practices can we institute that we don’t currently?
——————————
Mark Junda
Eatontown NJ
(732) 795-1019
——————————
——————————————-
Original Message:
Sent: 01-26-2017 17:12
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
I think you pose the question more as a hypothetical and I think I know how you would answer it, but feel compelled to give my own.
Laws don’t create outcomes, people and process do. Re-writing the law would just result in people finding new ways to mess it up, misinterpret it, or creatively ignore it.
Fix the process and incentivize the people to pursue outcomes. It sounds so cliche, but its how stuff gets done.
There’s my two pennies!
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-25-2017 19:46
From: Jason Bakke
Subject: Should government “flip the table” and start focusing on commercial practices?
I’m really enjoying this conversation, because I tend to take the bottom-up view; that is, the major problem in government often is nuts and bolts. I’ve seen C&A contracts that were vastly improved by emphasizing compliance and preflighting the package as a step. Maybe authorization work, largely a paperwork exercise, should be handled by compliance professionals, rather than less experienced cyber people. Certainly there are some clients who appreciate a “Big Four,” auditors’ mindset and recognize system certification isn’t leading-edge cyber work.
Do we need to rewrite the law, which is imperfect for many other reasons, to improve the system? Or do we need to refine requirements and evaluation factors to reward results and benefits over the how?
——————————
Jason Bakke
Proposal Manager
Censeo Consulting Group (Censeo)
Washington DC
——————————
——————————————-
Original Message:
Sent: 01-25-2017 08:36
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
I hear what you’re saying on this one, and defer to your expertise on how this actually impacts the business process. Its not good policy to create “chicken & egg” scenarios and it sounds like this is what the ATO process has devolved into at some locations. Maybe many?
One question I have about CIOs wanting to make or have more decision autonomy – do they actually want this? I would hope the answer is yes, but at the same time can see how a central FISMA standard can effectively indemnify them if anything goes wrong with ATO-approved software.
If the answer is even a soft yes, then we’re into a larger issue about risk aversion & accountability. A real perverse incentive if the above is true.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-24-2017 19:58
From: Spence Witten
Subject: Should government “flip the table” and start focusing on commercial practices?
So I think the ATO process is a great example, preciously because it’s such a heinous, soul-crushing, dollar-bill-bonfire of an exercise. FISMA is the law of the land, so the ATO process is inevitable for certain types of businesses that want to work with the Government. But the way some of the applicable resolutions are written makes the ATO process an impossible barrier, particularly for small and even mid size businesses.
It also becomes a chicken n’ egg problem:
Agency: No deployment without ATO.
Provider: How do we get an ATO?
Agency: No ATO without deployment.
However under looser procurement rules maybe we could empower decision makers to make risk based decisions. For example if I were a CIO I could buy and deploy, in a limited fashion, an otherwise cool solution, despite the fact that it didn’t check all the ATO boxes. Maybe it’s a cloud solution that I provisionally authorize for low risk use, like cafeteria support? And then I could choose to work with that vendor to hand hold them through the ATO process before authorizing the solution for higher risk uses.
Too often bright-line procurement rules don’t allow our federal leaders to make those kinds of decisions. And I’m not so sure that’s the best thing for government.
——————————
Spence Witten
Director of Federal Sales
Lunarline
——————————
——————————————-
Original Message:
Sent: 01-24-2017 08:03
From: Frank McNally
Subject: Should government “flip the table” and start focusing on commercial practices?
Its never as easy as it sounds, is it? Some commercial practices would be great to adopt and would make clear sense. Then there are some government-specific requirements that would never fly in the private sector.
One specific example is the Authority to Operate requirements for selling software into the government. As most software is now connected to some broader system (and typically a cloud-based one), it needs to be reviewed by the cyber experts of that particular department to ensure it doesn’t pose a vulnerability to the larger system.
I expect in the commercial world, there is an informal ATO process at more established companies to ensure some degree of cyber sanitation. But would that practice be rigorous enough to give a federal leader confidence that the software they are buying and installing won’t create a direct line to foreign enemies?
Maybe we can get there on some low-hanging fruit practices, but as with any change in government, widespread implementation can throw good policy out with the bad.
——————————
Frank McNally
Director, Learning & Content Development
——————————
——————————————-
Original Message:
Sent: 01-20-2017 21:21
From: Jaime Gracia
Subject: Should government “flip the table” and start focusing on commercial practices?
More commercial best practices would be a great step to improving overall federal acquisition. Further, commercial practices are the best way to help in federal IT, as the ability to acquire the necessary technological tools to modernization government are badly hampered through the current procurement bureaucracy.
Modernization is an almost impossible challenge in this status quo system. Not that there are any silver bullets of course to these difficult challenges, but commercial practices offer the best path forward.
——————————
Jaime Gracia
——————————
——————————————-
Original Message:
Sent: 01-19-2017 14:00
From: Jonathan Messinger
Subject: Should government “flip the table” and start focusing on commercial practices?
I thought this was an interesting piece from Stan Soloway. It’s a drum he’s been beating for a while, but with the 809 Panel evaluating DoD’s regulations, seems like there’s a hot iron to strike somewhere in there.
For the time-challenged, here’s the money quote:
Curious to hear what you all think about it.
——————————
Jonathan Messinger
Public Spend Forum
Washington DC
——————————