The General Services Administration’s acting administrator and commissioner of the acquisition division discuss its technology programs, the beta.SAM migration, D-U-N-S transition, SolarWinds and more.
A new set of leaders have taken their places at the General Services Administration, the agency responsible for managing federal property, providing acquisition resources to other agencies and, in recent years, offering technology assistance for a fee.
As these new leaders settle in, they’re getting acquainted with a slew of Trump-era programs and priority decisions. Acting GSA Administrator Katy Kale and new Federal Acquisition Service Commissioner Sonny Hashmi—familiar faces from the Obama administration—spoke with Nextgov about the new administration’s priorities and the status and future of several ongoing initiatives.
The conversation—transcribed below and edited for length and clarity—touched on the agency’s ongoing projects such as the consolidation of procurement websites at beta.SAM.gov, the D-U-N-S numbers transition and e-commerce pilots. They also shared details about the fallout from the SolarWinds hack and the future of security-focused efforts like the Federal Risk and Authorization Management Program and the Defense Department’s Cybersecurity Maturity Model Certification.
Nextgov: Do you have any agenda or overarching policy or mandate guiding the early efforts for this administration?
Katy Kale: We are really working off of what the administration has provided, which is four clear priorities: managing COVID-19; bolstering economic recovery; advancing diversity, equity and inclusion; and tackling the climate crisis.
So we know that this is a whole of government approach but GSA will be playing a large part of this effort. We know we're going to be working with other agencies throughout the federal government to tackle these issues. A couple examples come to mind.
GSA is supporting FEMA as they set up vaccine centers throughout the country. Last week, we set up a drive-through vaccination center in King County, Washington. And then as the GSA administrator, I am a co-chair for the Safer Federal Workforce Task Force with the Office of Personnel Management to develop guidance for keeping our workforce safe now, and welcoming others back into the buildings when appropriate, which of course, will be guided by science and public health recommendations from the CDC.
These are just a few examples of the collaboration and the sense of purpose that are going to be guiding our work ahead in the next days and weeks and months to come.
In many ways, GSA is doing the same work that we have always done. I was formerly the chief of staff here during the Obama administration. And as you know, GSA serves as the backbone of the federal government. We have an incredible team of public servants. And, really, the one thing that is not going to change is the value in service that this agency continues to provide to the federal government and to the taxpayers.
Sonny Hashmi: To build on what Katy said, there's a very clear set of priorities that the new administration has outlined. And, as it turns out, FAS has an incredibly integral role to play in all four of them.
One of our key focus areas right now is to make sure that we're maximizing the buying power of the federal government to bring to bear and moving the needle on all those priorities. Whether it's making sure that agencies have the ability to acquire the personal protective equipment and the services needed to ramp up vaccination programs; whether it's refocusing our energies on areas where we can have a bigger impact to underserved communities and small businesses; and, similarly, when it comes to economic recovery, we're putting a lot of focus on how we can leverage this buying power to drive more job creation in the American supply chain, by helping agencies procure products that are built in America, made in America.
When it comes to technology, it's actually very encouraging to see the acute focus on technology modernization that the new administration is bringing.
But also not just modernization for its own sake, but really leveraging the power of technology to solve these crises that we face. Whether it's bringing data together to be able to make better strategic decisions around vaccine distribution, or being able to connect better with citizens that need help in applying for benefits that they need in this challenging time, technology is going to be a key driver in all of those. So, we are very actively working across the federal government right now, under the leadership of Dave Zvenyach, who is now the [Technology Transformation Services] commissioner, to really make sure that we are bringing next-generation technology, modern technology expertise to help agencies solve some of these problems. And that is not going to change.
We will continue to see more emphasis both on the technology focus, but also on how we can bring our buying power together to move the needle on very, very complicated but important challenges that our country faces. You've seen some of those conversations already starting, whether it comes to climate change agenda and how FAS’s fleet operations and the sustainable acquisition operations are going to drive some of that change. Or, how we're going to, hopefully, continue to move the needle on reaching out to underserved communities to create better jobs, new jobs, in, historically, communities where those jobs haven't existed before.
The Future of Technology Transformation Services
Nextgov: There have been a lot of changes to GSA programs since you two were last at the agency. Let's start off with Technology Transformation Services. When it was stood up at the end of the Obama administration, it was originally its own line of business at GSA—was supposed to be a third line of business—and then it got wrapped into FAS. Is there any plan to break TTS out again? Or is it going to remain under FAS?
Kale: I think that the work at TTS is more important than ever. With every priority set forth by this administration, from COVID to climate change, racial justice and economic recovery, technology is at the forefront of progress. Technology is no longer seen as a nice to have, but instead an essential to policy and providing Americans what they deserve.
So, with Dave Z's leadership, we're really primed and organized to unite around these priorities in the nation's most pressing challenges.
TTS—which includes 18F, login.gov, the [Presidential Innovation Fellows] and many others—were engaging and we're listening to our partners. We're meeting them where they are in this transformational journey and working with them to successfully implement mission critical initiatives.
We're really just here to listen and, and, and take that journey with them.
Hashmi: As Katy outlined, the value of technology is beyond just nice-to-have and upgrading legacy systems. That continues to be important. But now, technology is an important lever to deliver on mission promises and expectations that citizens have for their government. And so, the value of TTS is more important than ever before.
To me, the primary focus is to ensure that TTS is empowered to drive those conversations and to work with their agency partners to make the most difference as quickly as possible. Over time, that influence will only continue to grow.
We have a lot to think about in terms of how those best practices get baked into the work that every agency does. How do we enable those agencies to drive more innovative agendas and solutions within their own environment? There's a lot to do.
So, to me, it's less important the organizational structure of TTS. I look at TTS as an important arm of GSA helping and making tremendous impact across the government and we're all aligned to support that initiative and that goal.
Nextgov: There are definitely people out there who care about this organizational structure. So, have there been conversations about re-elevating TTS? Or is it going to stay where it is for now?
Kale: I don't know. I think we're in our third week here at GSA. My goal is to make sure that all of our agency, every part of our agency is working at the top level. And TTS, because of my history with them and the work that they do, this is definitely a part of the agency that I will be paying special attention to.
But the more important thing is that they're doing strong work, they're doing good work. And then, any other decisions can be made down the road.
FedRAMP, CMMC and Supply Chain Risk Management
Nextgov: Another major FAS program is the Federal Risk and Authorization Management Program, or FedRAMP, which has gone through a lot of changes over the years. What are your plans for that program, particularly how it ties in with the Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, program?
Hashmi: What's interesting about FedRAMP is that I've actually been more tightly involved in FedRAMP when I was in the private sector than even when I was previously a GSA. Having experience working through the FedRAMP program as a provider to the federal government has really taught me a lot about opportunities and challenges that we have in front of us.
I couldn't be more thrilled about the direction that FedRAMP is going to take. It is going to be an extremely important, vital aspect on how the industry engages with the federal government moving forward.
It's already doing that. We have over 170 different agencies that are using FedRAMP authorized [provisional authorities to operate, or P-ATOs] at this point; we have over 213 cloud service providers that have been authorized, many more in the pipeline.
The challenges that we all know with FedRAMP is that it is a cumbersome process. And sometimes it can take some time, it can add burden to industry. So, we're constantly and keenly aware of all those challenges, and we have many different plans in motion to continue to think about how to streamline those challenges through automation, through data analysis, reduced focus on documentation, more focus on continuous monitoring, for example.
Part of that exercise is also to work very closely with [the Cybersecurity and Infrastructure Security Agency, or CISA] to really think about how we bake in the [Continuous Diagnostics and Mitigation, or CDM, program] capabilities—things such as continuous monitoring, log aggregation—as companies go through the FedRAMP program to constantly ask for and identify new ways to both reduce burden on the industry, but also improve the capability that we have the visibility we have in the government.
Last thing I'll mention is that FedRAMP, CMMC, [the Defense Federal Acquisition Regulation Supplement, or DFARS], NIST 800-171, they're all in this one ecosystem. So, it's one thing to say, ‘We have processes in place to certify secure technologies.’ But it's another thing to make sure that when agencies consume these technologies that they have trust baked into the acquisition process, that those technologies that they're going to buy are going to automatically meet certain criteria. There's a significant amount of work going on in that space.
We are, for example, integrating CMMC requirements into all of our schedule and [governmentwide acquisition contract, or GWAC,] programs so that when agencies buy through GSA, they already have built in confidence that those technologies are going to be, the providers are actually going to be compliant and can meet that compliance. Similar kinds of efforts are going to be underway for FedRAMP, as well.
So, CMMC is kind of like a proving point for us. We want to make sure that CMMC is baked into the acquisition decision across all agencies. But then as we expand beyond that—especially beyond the Department of Defense acquisitions—we have a lot more work to do.
That includes these areas, but also supply chain risk management that I mentioned earlier. It's very important for us to make sure that our entire nation's supply chain, especially when it comes to technology, is tested, validated and known to be secure. There's a lot more work to be done there.
But, long story short, there's a lot of [changes] coming for FedRAMP; some are focused on making it more efficient and streamlined, others are focused on making sure it's more well integrated into overall supply chain efforts.
Effects of SolarWinds Hack on GSA Programs, Customers and Federal Acquisitions Writ-Large
Nextgov: While we're talking about FedRAMP, and security and supply chain and all this stuff, I did want to touch on SolarWinds. One of the things that could be a long-term repercussion of the SolarWinds fallout is a lack of trust in third-party technologies. The federal government, in general, has been pushing to buy more and build less, and GSA and TTS have been at the forefront of that. What can you say to federal buyers and program managers out there who might be wary of buying third-party and off-the-shelf products after something like the SolarWinds hack?
Hashmi: It's a fair question. The first thing I will say is that, unfortunately, in the IT space, risk is never zero, right? So, we have to understand the risk and manage it effectively.
When people say we're going to build our own solution instead of buying from the market, you're actually assuming new risk, which may be different and even more acute than the alternate. It's not just about one versus the other being less risky.
We continue to be champions of providing the best, most secure products available in the commercial space, and bringing those products and capabilities to bear for the federal government's benefit. The innovation that's happening in the technology industry in America is unprecedented. There's literally solutions being developed today that the federal government, if we were to build those solutions ourselves would take decades. Yet, these companies for their commercial motives are investing a tremendous amount of R&D in building solutions, not just in the security space, but across the board. So, it's important for us to make sure that we have as frictionless as possible ability to tap into the best and brightest innovation across America.
No. 2, when it comes specifically to SolarWinds, that's a challenging and interesting set of things. It raises new questions, and it really raises questions around supply chain security for technology providers. It's not just limited to SolarWinds, it's a challenge that we need to look at from a very big lens.
Despite our best efforts, those risks still exist today. So, the questions that I ask out of that challenge is, obviously, a lot of agencies are focused right now on their response efforts. And, thanks to the coordination with CISA and many other bodies in the government, while it's been a huge challenge, the response has been equally fast and robust. So, we're continuing to work with all agencies to provide them the resources that they need, to supply the technologies they need, the services they need to be able to very quickly respond and secure their environments.
But the bigger questions remain, right? How do we up, for example, our game in FedRAMP and CMMC, in supply chain risk management, to work with our vendors on a deeper level, to really understand their environments better, to do code validation and deploy some of these technologies that exist in the marketplace to make sure that there's ongoing operations and maintenance happening with the appropriate amount of visibility and appropriate amount of continuous monitoring.
Over the next month, you will see more movement on this at all levels of government, everything from the CISA level, the federal CISO organization, all the way down to operational levels on how we continue to ask the right questions.
To me, the answer is we need to deploy a lot more automation and validation that is not based on documentation but rather through tooling and technology that is automated. So, when new versions of software are downloaded, we have the capability to make sure that they're tested against baselines so that we can have some confidence that there's no malicious code involved. Some of those things exist, but they just haven't scaled yet. And so, our focus is going to be to continue to find those ways to scale them so that we have greater amount of competence as we move on.
The risk is never zero. Agencies still have responsibilities to validate and test software in their environments. However, I think we can do a lot better. And so that's going to be our focus going forward.
Nextgov: We know that several GSA components use SolarWinds, including parts of FAS. Were any of those programs compromised or breached in this campaign? Specifically, were programs like login.gov or others that touch lots of other federal programs affected?
Hashmi: I would defer to David Shive, GSA CIO, for details. But I can tell you that we've done a thorough analysis of all of our programs, including those that face other agencies, and none of those programs were affected in a way that would actually cause any cybersecurity risk.
There were attempts made in our network. But because of all the great work that's been done by GSA OIT over the years to secure our boundary and put the right monitoring in place, we were one of the agencies that did not have the subsequent breaches that, unfortunately, other agencies had to face.
Transition from D-U-N-S to Unique Entity Identifier
Nextgov: Is GSA currently issuing Unique Entity IDs to vendors?
Hashmi: I never thought I would be excited to talk about D-U-N-S numbers in my career, but here I am. The short answer is no, not yet. But that is that is the direction we're moving in.
Nextgov: In this instance, timing is of the essence and a lot of the procurement and grants managers out there in the federal sector want to be able to use both D-U-N-S and UEI at the same time, so they can test their systems. Is there a hard timeline to start issuing UEI?
Hashmi: You touched on this challenge, right there. It is a complex challenge. It touches every single agency, both in the acquisition space on the grant management space. It touches many different systems that will probably have to be updated, from contract writing to reporting systems. So, this is not something that you just give a deadline and say, ‘Here's the deadline, everybody, transition over.’ That's the challenge right now.
While we build the backend infrastructure of entity verification and issuance of unique numbers, that's the easy part, essentially. The hard part is actually to integrate it into the acquisition and grant management process across the federal government. That will take a significant amount of time.
What we don't want to do is just dictate that timeline, and that's why I'm not going to give you a particular date or time today. But there's going to be a lot more communication coming on it. What we want to do is to make sure we work across the entire federal community and build a transition plan that makes sense to them, and also are well tested, validated, so that we're not causing undue issues in the supply chain acquisition space, as well as the grant space moving forward.
It'll be a gray area. We're going to work with those agencies with adequate time and guidance to make that transition real. But the actual work of having the facilities in place to start issuing those numbers is going to be later this calendar year.
Nextgov: Have there been any discussions about canceling the transition and reverting back to D-U-N-S?
Hashmi: Not that I'm aware of, no. I think right now we're actually moving forward. I think in the long run, it makes sense for the federal government. But like I said, this is not a simple project.
So, we'll be constantly getting feedback from the industry as well as from our federal partners, and we're going to adjust course as needed. But right now, the direction is to move forward with it.
Migrating Procurement Tools to beta.SAM.gov
Nextgov: So, we've got the transition from SAM.gov to beta.Sam.gov. You're doing the cosmetic change come April, and then the SAM capabilities will come over in May, at which time beta.SAM will become the only SAM.gov. What is the new administration's goal for the consolidated SAM.gov once it loses the beta?
Hashmi: There's a good reasoning why those dates exist. There's a ton of testing, A/B testing, feedback, validation that's happening right now, working with both our industry partners, as well as with our agency partners.
We want to do it right. We want to do it so that we identify and do adequate testing on this before we move the transition. And, back when I was at GSA as CIO, we were starting to work on the SAM future strategy back then. So, this has nothing to do with administrations or politics. This is just a good strategy, anyway, to consolidate these systems, for a couple of reasons.
It provides a much richer base of data and analysis that we need as we start to tackle things like buy better, Buy American, clean energy, purchasing green fleet, engagement, compliance with section 889 of the NDAA, compliance with supply chain risk management—all of those initiatives hinge upon the data that we collected and manage in the SAM environment. So, having a modernized SAM environment is foundational to making all of these other things work. We're going to continue to push on that.
The second thing is, I think, some of these legacy systems pose their own risks, and we want to get off them as quickly as possible. That need hasn't changed.
To me, the third priority also is to simplify the experience for our vendor community, as well as our federal community. Historically, it's been pretty challenging: multiple systems to log in to and not being able to figure out exactly where to go to get the information you need. That simplification and user experience is also critically important as far as I'm concerned.
For all those reasons, we're going to continue to double down on the SAM strategy and move forward. In fact, I've told my team to identify areas where we can even fast- track certain capabilities that perhaps we haven't thought about before.
But the first thing in all of that is to put the new UI in place and integrate SAM and beta.SAM.gov. Once we have them all on one platform again, then we have much more work to do to continue to integrate another set of half a dozen or so systems that we're planning to integrate into the one platform over the next year.
Kale: I just wanted to tie it back to things that we've heard out of this administration along the way, which is our priorities in reducing barriers for doing business with the government. Increasing transparency, increasing accountability, reducing reporting burden and increasing data quality and integrity. These are part of modernizing our technology. GSA is set up so well to do it.
All of these specifics that you've been asking about are examples of big projects that the administration, our federal partners, our contractors, they trust us to do this work. And we're going to continue to do that to the best of our ability.
Status of E-Commerce Pilots
Nextgov: GSA is working with commercial e-commerce platforms to develop instances in which federal buyers can purchase directly from those platforms. Where are those pilots at right now and what are the next steps there?
Hashmi: Directionally, I think we're seeing some really encouraging signs. But there's a lot more to be done.
What we're seeing is that there's too much of federal spending on commodity purchasing that goes through unmanaged spending. In other words, somewhere around $300 million a year of federal spending on commodity buying goes through unmanaged spend, which means somebody literally goes out to a website, puts the credit card down and buys the things that they need.
So, there's clearly a need for it, especially in the face of the pandemic, where people are having to act very quickly, buying PPE, buying supplies that they need to protect their workforce just to enable their mission. We're seeing that spend actually go up. There's a need for commercial platforms in that federal buying cycle that, on the one hand, provides that commercial experience, that frictionless experience that people will come to expect from the private sector, but at the same time, has more visibility, more analytics, more data and ultimately more compliance with things like green purchasing requirements, minority set-asides, small business, AbilityOne contractor, access to those kind of things. That's exactly where the program is right now.
It's still in pilot. We are working with [three] different providers right now. We're seeing the data right now coming through, and we're seeing the adoption go up. We're working with an increasing number of agencies, including some very large ones that are going to be coming on to the pilot in the coming month. Then we want to see the data: we want to see what works and what doesn't work.
The ultimate story for me is: the alternative isn't very good. The alternative is that hundreds of millions of taxpayer dollars are being spent on charge cards directly to the private market, which increases a tremendous amount of risk when we buy things. We can't comply with small business commitments, green purchasing commitments, [Trade Agreements Act] compliance issues come up when country of origin is not available. So, by bringing that spending under a platform that is equally user friendly and accessible and has a wide plethora of catalog items available, but at the same time has more visibility, more compliance, more risk aversion, more contract aspects that lead to better outcomes for the federal government, it's a good thing.
However, when we look at the data and how these platforms are performing over the coming months, we'll start to make some decisions around what to do in the next phase of this program.
Kale: We are really excited about the work that GSA has ahead; excited to work with our federal government partners, as well as our contractors and suppliers. I think that good things are ahead. We're excited for them.
Editor's Note: This article was updated to correct the number of providers working on GSA’s e-commerce pilot.
NEXT STORY: Quick Hits