Federal Times Blogs

TSP Board withholding results of security review prompted by 2011 hacking attack

Last year, following the disclosure that 123,000 Thrift Savings Plan accounts had been hacked, the Federal Retirement Thrift Investment Board launched a wide-ranging assessment of its computer system security.

That “Tiger Team” task force review is now complete, but the board isn’t making the findings public.

Instead, the agency is withholding the entire report on the grounds that disclosure “could reasonably be expected to risk circumvention of the law,”  Amanda Haas, a Freedom of Information Act officer with the board, said in a response today to Federal Times’ FOIA request. Haas did not immediately reply to a request for more information on why the board is claiming that particular exemption to the act’s requirement that government records are generally public.

The board began the review after learning early last year that Social Security numbers, addresses and other personal data for the 123,000 account-holders had been stolen from a contractor’s network. The cyberattack actually occurred in 2011, but board officials didn’t learn about it until getting notification from the FBI. The bureau has not announced arrests or charges in the case.

The Tiger Team review was in part intended to identify any computer security gaps and come up with ways to fix them, Greg Long, the thrift board’s executive director, told a Senate subcommittee last July.  Long made no mention of law enforcement issues, but acknowledged that–at the time of the attack–the board didn’t have a “breach notification plan” because it lacked the resources to develop one. (Long signed such a plan in June 2012.)

The TSP has some 4.6 million participants, including military personnel, civilian agency employees and U.S. Postal Service workers.

Scott Hodes, a lawyer who was once acting chief of the FBI’s FOIA litigation unit, was not familiar with the report, but said in an interview that the board has to establish a threshold to legally withhold information under the FOIA law enforcement exemption. Even then, parts of the report that don’t meet that threshold must be released, Hodes said.

“They can’t withhold everything.”

Volcker pursuing new make-a-difference venture

Paul Volcker, the former Federal Reserve chairman and veteran of a couple of blue-ribbon commissions, is launching a nonpartisan initiative with the goals of rebuilding both government performance and public trust in government. “Trust rests on confidence and too often government, at all levels, in the eyes of its citizens, has been unable to respond effectively to the challenges of the day,” he said in a news release this week announcing creation of The Volcker Alliance.

Heading the new organization is Shelley Metzenbaum, who recently departed the Office of Management and Budget, where she had worked since 2009 as associate director for performance and personnel management. Besides sponsoring research on government performance, the alliance will produce “actionable” recommendations for policy development and implementation, according to the release. It will also provide a forum for discussing new ways of strengthening “policy execution at all levels of government.”

The roster of the alliance’s board of directors shows some names that will be familiar to anyone who recalls the National Commission on the Public Service, which Volcker chaired about a decade ago. The board includes four people who served on the commission: former Health and Human Services Secretary Donna Shalala, former Sen. Bill Bradley, D-N.J., former Comptroller General Charles Bowsher, and Richard Ravitch, a New Yorker who’s done a lot of different things.

Some other members of the alliance board are ex-OMB Director Alice Rivlin, political scientist Norman Ornstein, former Federal Deposit Insurance Corporation Chairwoman Sheila Bair (who last year published a book on her experiences during the financial crisis), and Francis Fukuyama, another author probably best-known for his 1992 book, “The End of History and the Last Man,” which crunched 19th-century German philosophy and the end of the Cold War.

Assuming you can get everyone in the same room, there should be some interesting discussions–or at least a fun cocktail party.

DHS says Spires’ departure not linked to CIO authority issues

The Department of Homeland Security is keeping tight-lipped about the details surrounding the resignation of its former chief information officer, which it says was not prompted by disagreements over authority issues.

In April, Rep. Bennie Thompson, D-Miss., ranking member of the House Homeland Security Committee, sent a letter to DHS Secretary Janet Napolitano asking why department CIO Richard Spires was placed on voluntary or non-voluntary leave and who made the final decision regarding his leave, and requesting additional information about the current acting CIO.

In a May 13 response, the department’s assistant secretary for legislative affairs, Nelson Peacock, said personnel and privacy rules prohibit DHS from discussing why Spires took elective leave from the agency and later resigned May 17.

Peacock said Spires was not placed in an administrative leave status because of disagreements concerning his authority as CIO but provided no further details. Concerning acting CIO Margie Graves, Peacock said she is fully qualified to serve in her current role and confirmed that she was hired as a Transportation Security Administration employee in 2003 and was not converted from a consultant position.

In a follow-up letter to DHS this week, Thompson pressed for more details, following the department’s refusal to provide adequate responses. This time, Thompson has asked for a copy of Spires’ resignation letter; an explanation of why he was placed on leave and who played a role in making that decision; an explanation of who is empowered to make information technology decisions at DHS; and Graves’ employment history prior to being named acting CIO.

Werfel missed at Senate hearing

Danny Werfel is just starting his new gig as acting IRS chief, but leaders of a Senate oversight committee are already wishing he were back in his old post as controller of the Office of Management and Budget.

Werfel “has demonstrated integrity in everything he’s done in the federal government,” Sen. Tom Coburn of Oklahoma, the top Republican on the Homeland Security and Governmental Affairs Committee, said at a hearing today. “My hope is that he’s there for a short period of time and back where we can use him in a better way.”

“He really has a base of knowledge that very few people have.”

The committee’s chairman, Tom Carper, D-Del., quickly seconded, joking that “I approve this message.”

Werfel had been scheduled to testify at the hearing on program duplication and overlap, but instead assumed his new job today. As a result, Gene Dodaro, head of the Government Accountability Office, had the witness table to himself.

The bipartisan praise suggested one reason that Werfel–a career financial manager (albeit Senate-confirmed) who has worked closely with the committee on improper payment issues–was chosen to run the IRS despite never having overseen a large agency: A straight-shooter reputation with Congress in a job that will likely call for plenty of face time on Capitol Hill in the weeks to come.

But his exit from OMB adds to the exodus of senior leadership at the budget agency. Although Director Sylvia Burwell quickly won Senate confirmation last month, both the deputy director positions are vacant, as is the post of administrator at the Office of Information and Regulatory Affairs and, of course, Werfel’s job.

Although Carper’s committee later in the day approved Brian Deese to be deputy budget director, a final vote by the Senate won’t happen until next month at the earliest. Ditto for the nomination of Howard Shelanski to head the regulatory affairs office. President Obama has so far not formally settled on any candidate for the posts of deputy management director or controller.

“Nobody’s home,” Carper said. “Sylvia’s terrific, but we’ve got to get a really great team around her.”


Attention, Combined Federal Campaign charities, PCFOs, participating employees (and anyone else involved in the CFC)

Dear CFC community:

As many of you know, the Office of Personnel Management is seeking public comment on a proposed overhaul of the campaign. As of this morning, almost 160 comments had been submitted; because the deadline for commenting is June 7, Federal Times would like to do a story for our next print issue on reaction to the plan.

But we need your help. OPM isn’t posting the comments online and won’t otherwise release copies without a Freedom of Information Act request (which typically takes months to process).  So, if you’ve weighed in on the plan, we’re asking you to send us your comments directly. If you’re comfortable doing that, please email them to me (Staff Writer Sean Reilly) at sreilly@federaltimes.com. With your permission (and please make that clear in your message), we’ll also post as many of the comments on Fed Times’ site as our bandwidth and hard-working web staff can handle.

Thanks in advance for your help!




Chief performance officer’s job now vacant; Senate proceeding with Deese nomination

Four years after President Obama created the post of chief performance officer to some fanfare, the job is now vacant, a spokeswoman for the Office of Management and Budget confirmed this week.

“OMB does not currently have a chief performance officer,” Ari Isaacman Astles said in an email to FedLine. “The responsibilities of the CPO are being handled by the OMB management team.”

Back in April 2009, Obama had tapped Jeff Zients, who became OMB’s deputy director for management, to also serve as chief performance officer. In that role, Obama said at the time, “Jeff will work to streamline processes, cut costs, and find best practices throughout our government.” But Zients quietly handed off those duties early last year to Lisa Brown, another White House staffer, when he again took over as acting OMB director. At the beginning of this March, however, Brown became general counsel at Georgetown University.

Astles didn’t say whether Brown was still serving as acting chief performance officer at the time of her departure. No word on a possible replacement, although Chief Information Officer Steve VanRoekel is now temporarily overseeing the management side of the house at OMB. (Zients left the deputy director’s job last month.)

Meanwhile, the Senate is moving forward with the nomination of Brian Deese to serve as deputy OMB budget director. The Senate Homeland Security and Governmental Affairs Committee has scheduled a vote on Deese’s candidacy this afternoon; the Senate Budget Committee could soon follow suit after holding a confirmation hearing yesterday.

So at least one of these jobs may soon be filled.



Amazon gets federal cloud certification

Amazon Web Services is the latest vendor to pass a rigorous security review for all federal cloud products and services.

So far, only CGI Federal and North Carolina-based Autonomic Resources have completed the Federal Risk and Authorization Management Program (FedRAMP). The governmentwide program was launched in June to standardize security reviews of commercial cloud products and is housed within the General Services Administration.

Under the FedRAMP program, Amazon was granted an Authority to Operate (ATO) by the Health and Human Services Department. This means HHS has certified that Amazon’s GovCloud and regional cloud service offerings meet federal security standards, and the company’s services are authorized for use at HHS. The purpose of FedRAMP is for other agencies to save time and money by using or building on the security review HHS has done.

More than 300 government agencies are currently using Amazon Web Services, Teresa Carlson, vice president of worldwide public sector, said in a statement.

By June 2014, all cloud services and products in use at federal agencies or in an active acquisition process must meet FedRAMP requirements.


Agencies challenged to balance data sharing and security, experts say

Agencies are on the hook to publicly release more digital data in a way that protects citizens’ personal information and does not compromise government security.

One challenge, however, will be determining how that data could be combined with existing public data to identify an individual or pose other security risks to agencies, according to experts speaking at ACT-IAC’s annual Management of Change conference this week.

“The awareness is there, the concern is there, [but] the practice of it is relatively immature,” said Mike Howell, deputy program manager in the Office of the Program Manager of the Information Sharing Environment. “The policy framework around how you prevent inadvertent aggregation of personal identifiable information [and] sensitive information, it’s a known problem. It’s good that people are paying attention, but it becomes incumbent on whoever the aggregator is what they do with that information.”

Howell, whose office falls under the Office of the Director of National Intelligence, highlighted the administration’s recent Open Data policy that refers to this issue as the mosaic effect. The policy memo, released this month, directs agencies to:

Consider other publicly available data – in any medium and from any source – to determine whether some combination of existing data and the data intended to be publicly released could allow for the identification of an individual or pose another security concern.

The challenge for many agencies, however, is that they’re struggling to understand what data they have, let alone what data is already in the public domain.

According to the policy, “it is the responsibility of each agency to perform the necessary analysis and comply with all applicable laws, regulations, and policies. In some cases, this assessment may affect the amount, type, form, and detail of data released by agencies.”

There’s a natural tension between releasing open data and securing it, said Donna Roy, an executive director in the Department of Homeland Security’s Information Sharing Environment Office.

Agencies have been instructed to:

- Collect or create only that information which is necessary for the proper performance of agency functions and has practical utility.

- Limit the collection or creation of information that identifies individuals to what is legally authorized and necessary for the proper performance of agency functions.

- Limit the sharing of information that identifies individuals or contains proprietary information to what is legally authorized.


GSA to launch cloud broker pilot

The General Services Administration is moving forward with plans to stand up a cloud broker contract for acquiring and managing the performance of federal cloud services.

The Department of Homeland Security is one of two agencies that has committed to testing GSA’s cloud broker model in a pilot program expected to launch this fall, said GSA’s Mark Day. Speaking Monday at the annual Management of Change conference in Maryland, Day said GSA will award one contract to test the concept of a broker model and reevaluate the pilot by year’s end to determine how it could be expanded.

GSA has not yet defined all the services a cloud broker would provide, but the National Institute of Standards and Technology defines a cloud broker as “an entity that manages the use, performance and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.” Technology research firm Gartner defines cloud brokerage as a business model in which an entity adds value to one or more cloud services on behalf of one or more cloud users.

Some question whether the cloud broker model will add value or end up costing agencies more money. In a Feb. 14 letter to Rep. Doris Matsui, R-Calif., GSA’s Lisa Austin said the cloud broker model could be more effective in creating ongoing competition among cloud providers, rather than awarding single contracts for each cloud service.

“Part of the pilot is really understanding what’s the right role, [and] what’s the right process” for a cloud broker model, Day told Federal Times. “We think we have an idea, but now we’ve got to test it.”

Day made clear what cloud brokers would not do: inherently governmental functions, such as contracting. It isn’t clear to what extent brokers would negotiate services between agencies and cloud service providers, but the hope is that cloud brokers will increase vendor competition, reduce pricing and reduce the complexities of acquiring cloud services and integrating them with existing services.

Roughly 15 agencies are part of the cloud broker discussion, Day said. He would not name the second agency that has committed to testing the broker model because the agency has not announced it publicly.

The challenge for GSA has been attracting business to some of its existing federal contracts, rather than agencies launching their own contracts or using other agencies’ contracts. To garner greater use of its strategic sourcing contracts and future use of its cloud broker contract, GSA is meeting with agencies to determine their commitment to participate in market research and use the contracts, Day said. GSA can better leverage the federal government’s buying power, and vendors have an idea of what’s possible, in terms of business volume on a contract, he said.

Contract flaws found in GSA Disney trip

More than half of the attendees at a big training meeting in 2011 for the General Services Administration’s acquisition arm hailed from the Washington area, but when it came time to figure out a location, officials headed to sunny Orlando instead.

As outlined in a memo released by the GSA’s Inspector General this week, a review found that Federal Acquisition Service officials settled on a contract proposal for conference planning and training that came to nearly a quarter million dollars, while the next highest vendor proposed just $79,784.

Despite the price, the IG found that officials essentially steered the conference to the Disney Institute by cutting and pasting from the request for quotation of a GSA leadership conference held months earlier by the FAS office in Atlanta. Three other vendors were rated poor and disqualified.

“This indicates that the competition may have been restricted since the requirements in the work statement could not be met by other potential vendors,” James P. Hayes, deputy assistant IG, concluded in a May 15 memo to FAS Commissioner Thomas A. Sharpe, Jr., who was not in charge of FAS at the time.

Overall, the Florida conference cost $164,000, while 58 percent of the 155 attendees came from the Washington area, the IG found.

In an email, Dan Cruz, a spokesman for GSA, said the activity took place in 2011 and “would not be tolerated today.”

He said Acting GSA Administrator Dan Tangherlini, who also was not with GSA at the time, has enacted reforms leading to greater oversight of travel, conference spending and related procurement activities.

“Over the past year, GSA has cancelled more than 50 conferences,” Cruz said. “These internal reforms, including cuts in travel and conference spending, have led to $73 million in savings.”

Tangherlini was named head of GSA after the former chief, Martha Johnson, resigned amid embarrassing disclosures of lavish, taxpayer-funded conferences, including a now infamous gathering in Las Vegas that cost more than $800,000 and featured a red carpet party and a mind reader.