Quick Hits for Nov. 14

*** The Office of Personnel Management received a double dose of oversight in the last few weeks, with reports from the Government Accountability Office and OPM’s own Inspector General dinging the agency for its continued cybersecurity woes.

A Federal Information Security Modernization Act report from OPM's IG declared that information security continues to be a "material weakness" at the agency -- a finding in effect since 2007. 

"This is an area in which OPM has historically struggled, and to some extent is a result of agency culture and the degree to which IT operations continue to be inappropriately decentralized," the report found. The report contains 39 recommendations, many of which are carried forward from as far back as 2008 and some of which are new

The IG report characterized the internal agency response to the finding as "unusually adversarial." 

In reply comments under the signature of former Director Jeff Tien Han Pon, the agency complained that the agency was being penalized "for the success of its corrective efforts which discourages the overall growth and improvement in our system management process." Pon also stated that at points, the IG's "comments intrude on the broad discretion afforded to the agency by FISMA to make its own choices regarding appropriate safeguards that are administratively and technologically feasible."

Michael R. Esser, the assistant inspector general for audits, said OPM's comments reflect a misunderstanding of the oversight process.

"The idea that certain areas of a federal department or agency would be 'out of bounds' for a federal Office of Inspector General to review and recommend corrective action runs counter to the spirit and letter of the IG Act and its various amendments," he wrote.

GAO found that more than a third of cyber improvement recommendations made to OPM in the wake of the devastating 2015 hack of personnel systems had yet to be put in place. In a report released Nov. 13, GAO said that of Sept. 20, 2018, OPM had implemented 51 of 80 recommendations. OPM has pledged to knock out 25 of 29 of the open recommendations by the close of the calendar year, and three more by the end of fiscal 2019. 

OPM "does not intend to implement one of the recommendations to deploy a security tool on contractor workstations" according to a briefing GAO delivered to key congressional committees as required under appropriations legislation.

*** The White House is honoring 131 senior executives with the annual Presidential Rank Awards, and the list includes a few names familiar to tech and acquisition watchers. Soraya Correa, the chief procurement officer at the Department of Homeland Security, was named a Distinguished Executive Recipient of the PRA. At the Pentagon, Principal Deputy CIO Essye Miller was named a Meritorious Executive Recipient. 

"The PRA winners are exemplars of public service excellence, and have demonstrated a consistent and lasting dedication to the leadership ideals of the Federal government’s career civil service," said Bill Valdez, president of the Senior Executives Association. Winners will be honored at the Presidential Rank Awards Leadership Summit on Dec. 13 in Washington, D.C.

***The Navy has extended its Next Generation Enterprise Network services sole-source contract by eight months. Virginia-based Perspecta subsidiary Enterprise Services, LLC landed the award, which has a ceiling value of $486 million. The modified contract extends the ordering period from Oct. 9, 2019 through May 31, 2020, for work to be done in the U.S., Guam, Europe, Korea and Japan.

*** The National Institute for Standards and Technology has put out a request for information to "help identify, understand, guide and develop" the agency's forthcoming privacy framework. 

 The request cites the difficulties that many current and emerging technologies like mobile devices, artificial intelligence and the Internet of Things will create for digital privacy and notes that other nations are racing to develop their own standards. 

NIST wants to canvass the private sector and outside stakeholders "to understand whether organizations that design, operate, or use these products and services would be better able to address the full scope of privacy risk with more tools to support better implementation of privacy protections." It also wants to know where organizations have high-priority gaps in their ability to manage privacy risk.

 The document lays out 26 different questions for respondents, such as how organizations measure and manage privacy risks, how regulations impact their privacy practices and whether their current policies are well-positioned to absorb challenges from new and emerging technologies.