Marketview 2014 conference Intelligence Report
Conference Intelligence Report
Cyber Space: The New Frontline
James Stavridis, Shawn Henry & Richard Clarke discuss threats from within and without >> Pages 2, 4 & 6
The State and Future of Contract Administration and Oversight >> Page 8
Incumbency: Bane or Benefit? >> Page 10
The Convergence of Technology and Services >> Page 11
a
PSC would like to thank all of our Marketview 2014 sponsors Five STar SPonsors
Box represents protected space
Four STar SPonsors
event and function sponsors Golf Tournament
JAMIS Software Corporation Trolley Tour
Phoenix Management, Inc. (PMI) Dougherty & Associates, Inc. (DAI) Sunday Reception & Dinner
Dell Services Federal Government Venable LLP Sunday Social: Beach Bonfire
The Boon Group
Monday Networking Breakfast
Monday Reception and Dinner
Heitech Services, Inc. Next Century Corporation
AECOM Government Service Administrators Honeywell Technology Solutions Inc. Sotera Defense Solutions, Inc.
Monday Bottled Water Service
Eagle Ray, Inc.
Tuesday Breakfast and Breaks Monday Luncheon and Keynote
Harris Corporation
Aegis Defense Services Opening Keynote ADdress Monday All Day Break Service
Baker Tilly
Information Management Consultants, Inc.
Table of contents OPENING KEYNOTE
2 Cyber Space: The New Frontline Luncheon Address
4 The Human Element of the Cyber Threat CLOSING KEYNOTE
6 Guarding Against the Enemy Within The State and Future of Contract 8 Administration and Oversight
10 Incumbency: Bane or Benefit? 11
The Convergence of Technology and Services: The Market of the Future…and Now
About PSC PSC is the voice of the government professional and technology services industry. PSC’s more than 370 member companies represent small, medium, and large businesses that provide federal agencies with services of all kinds, including information technology, engineering, logistics, facilities management, operations and maintenance, consulting, international development, scientific, social, environmental services, and more. Together, PSC’s members employ hundreds of thousands of Americans in all 50 states.
>>
VIDEO: Marketview 2014 Policy Overview
Dear Readers: PSC is pleased to present The Marketview 2014 Conference Intelligence Report, a comprehensive guide to the keynotes, panels, and discussions held at Marketview 2014: The PSC Spring Conference. It was my pleasure to chair the PSC Spring Conference Committee this year and I am very proud of the agenda we put together and the crowd of over 200 industry and government executives we convened for these important discussions. It has been a pleasure serving this important association and working with my fellow industry executives who helped make this conference a success. As you will see in the following report, we covered a wide range of topics and program areas — from Richard Clarke’s assessment of the cyber defense climate to discussions of the state of contract oversight and the convergence of technology and human work. I hope you will take the time to read our reports from the conference floor, watch our policy summary video at left and browse the photos of our speakers and networking. You may even find some of your social media comments in these pages! Before I go, I wanted to be sure to recognize our sponsors and conference presenters for making this event possible. It is only with their support that we are able to put on such a great event and make real progress toward a productive government-industry partnership. You’ll find a list of our sponsors to the left and we hope you will join us for the PSC Annual Conference, October 5-7 at The Greenbrier and for the many events we’ll hold throughout the year. <<
PSC’s Roger Jordan summarizes the policies and regulations discussed at the conference.
Tim Atkin Chief of Staff & Chief Administrative Officer, SRA and PSC Spring Conference Committee Chair
1
MARKETVIEW 2014
>> OPENING KEYNOTE
Cyber Space: The New Frontline W
hat keeps retired Navy Admiral James Stavridis up at night? It’s not violent extremists or rogue states or violent revolutions in Syria, Ukraine and Venezuela. “The thing that worries me the most today is cyber,” Stavridis said during Build bridges his opening keynote address to PSC members attending Marketview 2014 not walls, Adm. James on March 17. “We’re still at the beach of Kitty Hawk in terms of cyber.” Stavridis, shares strategies With cybersecurity, there is no international norm for how to secure creating a secure nation, activities. “We’ve not developed the FAA [equivalent for cyber],” the government, business community. former NATO Supreme Allied Commander Europe said. While we have not developed the structure to secure cyberspace, >>Frances Craig<< other threats to our security—like violent extremists, rogue nations, @FrancesUnanet cybercriminals and hacktivists—are already exploiting the weaknesses #Marketview2014 to target U.S. interests. To develop the necessary structures, we first need international collaboration, he said.
2
conference Intelligence Report
“
We have a U.N. entity that focuses on the seas. We need an international entity that focuses on cyber.
”
“We have a U.N. entity that focuses on the seas,” Stavridis said. “We need an international entity that focuses on cyber.” The U.S. government also needs better collaboration internally and with industry. Industry plays an important role in supporting government networks, ensuring that its networks that support the government are secure, and in sharing information with the government about threats to all networks, he said. The government also must proactively enforce security and conduct reconnaissance on cyber adversaries. “We need a cyber force,” Stavridis said. Even
before that, the Defense Department needs to separate the Cyber Command from NSA. “Having the same person in command of both is like having the same person command the Air Force and the FAA,” he said. “We need a leader who can focus entirely on each segment.” While we’re just beginning to understand cybersecurity and cyber threats, eventually all great powers will have robust cyber capabilities that will be able to destroy economies and launch kinetic attacks that shutdown transportation, power grids, defense systems and other critical infrastructure, he said. When
that happens, like in the Cold War, the only security will be in mutually assured destruction, which Stavridis called “strategic deterrence.” To achieve that level of protection “we need to cooperate with allies who also have great abilities,” he said. “We need to think through how to manage cyber when it becomes a huge capability,” which he estimates is only about five years away. “There are cyber wars now…We cannot stand back,” he said. “We can learn from the strategic lessons of the Cold War to manage cyber activity and, at a tactical level, this is something we need to engage in.” <<
To see photos from all of our sessions, click here
3
MARKETVIEW 2014 >> Luncheon Address
The Human Element of the Cyber Threat The digital infrastructure was developed decades ago and is being used today for purposes beyond what was intended, said former Executive Assistant FBI Director Shawn Henry.
“
I
f someone wanted to steal state or trade secrets 20 years ago, it took a complex plot to infiltrate physical walls. Now adversaries can ignore physical barriers because they can breach electronic walls from 6,000 miles away thanks to the digitization of society, said former Executive Assistant FBI Director Shawn Henry. Henry, who is now president of CrowdStrike Services, addressed a lunchtime crowd gathered at Marketview 2014. “Everything is digital and because of that adversaries know it’s easily accessible,” Henry said. “We have all of our data moving electronically…and it’s all built on inherently insecure infrastructure.” The digital infrastructure was developed decades ago and is being used today for purposes beyond what was intended. But the issue is not just about technology. It’s about how humans are using the network as a tool to attack devices and obtain state and trade secrets to be used for their own means or to otherwise cripple state and private-sector actors, he said. Terrorists, rogue states, hacktivist vigilantes, cybercriminal gangs, commercial enterprises and more are constantly working to break into vital government and industry systems to wreak various forms of havoc that could ultimately bring down financial, electrical, defense and other critical systems, Henry said. It is a threat not easily guarded
Everything is digital and because of that, adversaries know it’s easily accessible.
4
conference Intelligence Report
Information and intelligence sharing should be a common practice, Henry said. “If we are able to share information about attacks, adversaries and procedures, then everyone is better off. You can share intelligence without breaching privacy.”
against since there are multiple fronts to protect and multiple actors attacking, he said. Despite the constant attack on our systems, current security protocols continue to fail. To address these attacks, there needs to be a paradigm shift in the way we do things, Henry said. “It’s not about just locking the front door,” he said. “It’s about knowing who is at the door and what tools they’re using.” Intelligence should be a core component of any security strategy. Knowing your attacker is the best way to defeat him. Further, simply “blocking” the adversary is no longer sufficient. The most advanced adversaries will find a way to get in, so companies must also be able to “detect” them immediately when they make access and mitigate the consequences of the breach, he said. “The government will not be able to protect your network,” he said. “It’s the only battle where the private sector is the primary respondent.”
But a reactive stance isn’t the only ensuring smaller business partners from option for companies and government law firms to business consultants and in this rapidly changing environment. subcontractors have secure systems so that Organizations must take proactive adversaries cannot infiltrate their true targets: the government and large military measures on their networks to make them contractors, Henry said. more resilient and robust, Henry Security monitoring said. should also be “nonstop,” Key among those whether it’s of the measures is leadership Shawn Henry company network or buy-in. Organizational said security is the people who use leaders across the a worldwide problem it, he said. “Look for C-suite, not just the across all sectors of anomalous behavior, chief information business. Glad PSC is look for red flags and officers and chief tackling issue. challenge them.” information security >>Eagle Ray Inc.<< Finally, information officers, play critical and intelligence sharing roles in defining and @Eaglerayinc should be a common driving better network #Marketview2014 practice, Henry said. security. “It’s a ‘whole of “If we are able to share company response’,” Henry information about attacks, adversaries said. Another key action is securing the and procedures, then everyone is better off. supply chain. Beyond counterfeit You can share intelligence without breaching parts, supply chain security involves privacy.” <<
5
MARKETVIEW 2014 >> CLOSING KEYNOTE
Guarding Against the Enemy Within T
he NSA may be monitoring emails and phone calls of the world’s leaders, but it’s not doing the same for those who enter its walls and access its networks, former National Security Coordinator Richard Clarke told PSC’s Marketview 2014 audience during his closing keynote speech on March 18. Clarke shared the lessons he learned as part of an advisory group President Obama appointed to investigate the NSA information leaks by Edward Snowden. “NSA and the other intelligence agencies, and most government agencies, have poor internal network security,” Clarke said. Despite all of the data the government collects on other people, it was unwilling to do the same for its own employees—even when those employees hold the highest security clearances and access the most sensitive national security information, he said. “If you are taking a top secret clearance, which nobody forces you to do, you ought to be subject to the same metadata search as others are,” Clarke said. Such searches are more effective than the current system of interviewing references supplied by the clearance seeker, he noted. As it stands today, “Our personnel security system is fundamentally broken,” Clarke said. “Collectively we have a responsibility to improve the system by which we vet people.” “If we shift from silly background investigations to continuous monitoring, it should be for everyone,” he said of clearance holders. There should be no difference between someone who is a contractor or government employee, he said. Clarke’s comments came on the day the Office of Management and Budget
6
“ ” Our personnel security system is fundamentally broken.
and the Defense Department issued separate reports concluding their reviews of the security clearance process in the wake of last year’s NSA data leaks and Navy Yard shooting. Clarke’s call for
continuous monitoring of security cleared individuals were echoed in the reports, which recommended establishing a system to use continuous monitoring and collect metadata to vet and observe those seeking
conference Intelligence Report
“
Collectively we have a responsibility to improve the system by which we vet people.
and holding security clearances. But continuous monitoring is just one way the intelligence community can better secure itself. The community needs to do a better job of encrypting data on the classified network, Clarke said. While the network has excellent perimeter defenses,
the information behind the firewall is not encrypted and often viewable by everyone, even those who don’t need to ever see any of the data, like network administrators, he said. Encrypting such data is standard practice in commercial sectors, like the financial sector and medical sectors,
”
Clarke said. The commercial sector networks are far more secure because of the internal encryption and continuous monitoring they deploy. These common sense steps could better secure federal and intelligence networks, he said. The government also needs to rebalance the “need to know” with the “need to share,” Clarke said. Post-9/11, the “need to know” environment that kept vital information secret within the intelligence community changed to an open sharing environment that has made too much information available to people who have no use for it, Clarke said. The “need to share” needs to be targeted at sharing information with the people who can use it, not making it freely available on the network through wikis and other sharing tools. << PSC President Stan Soloway, Keynote Speaker Richard Clarke and PSC Spring Conference Chair Tim Atkin.
Speaker presentations are available upon request. Contact membership@pscouncil.org for your copy today.
7
MARKETVIEW 2014
The State and Future of Contract Administration and Oversight
T
he government can and should do better when it comes to oversight functions, like close-out audits and risk evaluation of contractors, said former DCMA Director Charlie Williams, at the PSC Marketview2014 conference on March 17. While the Defense Contract Management Agency and the Defense Contract Audit Agency have made progress, they’re still far behind on contract close out. “It should not take six years to close out a contract,” Williams said. “We need a bold move to clean the books.” As an alternative to the current timeand dollar-driven auditing landscape, Williams offered a true risk management structure based on approved business systems, standard non-intrusive surveillance, and stiff consequences for failures. In other words, “self-governance with transparency,” such as the regime the FAA employs with its inspections, he said. The current, DCMA/DCAA mandatory inspections are “not driven by any factual reality about the risk of product being surveilled,” Williams pointed out. The
8
“
It should not take six years to close out a contract. We need a bold move to clean the books.
government needs to switch to data-driven assessments based on the risk a contractor poses to the government, he said. Under the current model, in some cases the costs of the government’s oversight regime outstrip savings generated from any detected waste, fraud and abuse, he said. There are barriers to reforming the current system, however. The government culture and environment is compliance and oversight oriented, resource constrained, and lacks the right number of people with the right training and skills to get the job done, according to Williams. These barriers “reduce the agility we need in the system,”
”
he said. “We need to make inroads into that to influence the regulatory and oversight regime of the future.” “The business of acquisition is art not science,” Williams said. The government needs people who can think critically and make smart, informed decisions, he said. But all is not lost. Williams is hopeful the Defense Department’s Better Buying Power efforts and cost driver reviews, coupled with Rep. Mac Thornberry’s House Armed Services Committee reform efforts, can help lift these barriers. “We need top level support to dispense of some burdens,” Williams concluded. <<
9
MARKETVIEW 2014
Incumbency: Bane or Benefit? F
ewer incumbents are winning work under multiple award contracts (MACs), according to a new Bloomberg Government study first presented at PSC’s Marketview 2014 conference. Since 2006, the dollars spent on MACs have grown, but the number of task orders has dropped, said Bloomberg Government’s Miguel Garrido. At the same time, more companies are competing for these MACs, meaning that there is a highlevel of competition for every dollar spent. Over the same period, the percentage of the top 50 MAC contractors that retained their positions on MACs fell from about 90 percent to about 75 percent. Thus, as competition intensified, the market share of new entrants grew, he said.
Agencies Seek Savings
The move away from incumbents with experienced workforces comes as agencies are increasingly looking for ways to fulfill needs for fewer dollars. Agency speakers on the “Target: Key Agency Opportunities in a Cost Reduction Environment” panel outlined how their specific agencies are driving down costs and looking for program and process efficiencies. Agencies View LPTA as Cost Control Tool
An outgrowth of this desire to control pricing is the growth of “lowest price technically acceptable” (LPTA) contracting. Another panel of agency officials, “Services on the Ground: A Changing Environment” panel, also sounded off on LPTA usage during the conference. One DoD official, speaking on background, told the crowd that the use of LPTA is driven by program managers who are no longer willing to make cost tradeoffs to get better capabilities at a slightly higher price. If the requirement is to run at 85 percent capacity, why should an agency
10
Top: Fluor’s Matt Carroll, future DoD Comptroller Mike McCord and VA ePMO Executive Director Gregg Giddens discuss agency budget cuts. Bottom Left: DHS CPO Nick Nayak joins via VTC with moderator Tom Eldridge of SAIC and other panelists — Army Director of Small Business Programs Tracey Pinson, Greg Giddens, and DPAP Director Dick Ginman — to discuss the changing state of services. Bottom Right: Miguel Garrido from Bloomberg Government unveils their new incumbency report.
pay more for 95 percent capacity if it didn’t indicate it needed that, the official asked. Procurement officials from the Homeland Security and Veterans Affairs Departments said that while they believe LPTA has its uses, government is not very good at writing clear requirements that will allow for both innovation and affordability. The speakers’ consensus was that to achieve better requirements development government
needs greater industry engagement at the early stages of the acquisition cycles, a joint requirements activity, and a new position of chief requirements officer. The better a company can understand agency requirements, the better it will be able to meet government needs, the VA panelist said. Whether that company is an incumbent or a new entrant, the value of innovative solutions to government is nearly priceless. <<
conference Intelligence Report
The Convergence of Technology and Services: The Market of the Future…and Now I
f one had any doubt about whether the new Technology Policy Council PSC established on March 11 was properly timed, one only need to hear Greg Giddens, executive director of the Veterans Affairs Department’s Enterprise Program Management Office, declare “it is becoming more difficult to separate IT from mission.” When looking to buy information technology or mission services, Giddens said “The lines are beginning to blur for us.” The lines are blurring for industry too. A panel of PSC member company executives talked about how they’re viewing the convergence of technology and services, particularly as the government is looking to drive down costs. “There is a cost for barriers and separation,” said AECOM Government President Jim Jaska, who moderated the industry panel. “These new models of convergence draw talent at cost across the global platform to optimize a result or output.” “If a customer wants to drive down cost these new sets of requirements will drive convergence,” he said. To stay competitive in this cost-conscious environment, professional services companies need to rethink their business models, said Dennis Kelly, president and CEO of A-T Solutions. “Technology is our discriminator,” Kelly said. “Customers demand solutions to their challenges on a real-time basis” and convergence allows companies to respond at the speed of innovation while allowing customers to do more with less, he said.
But in moving to a delivery model that ties technology and services, companies should not abandon their core competencies. “It’s an extension of the core competency,” Kelly said. “It has to be a discriminator that enhances your service offering.” Companies need to shift to more agile business models swiftly, said Robin Lineberger, principal in Deloitte’s Aerospace and Defense Practice. Technology and services “are coming together very rapidly,” Lineberger said. As consumption-based purchasing takes hold in the government, companies can no longer sell hardware separately from services, he said. Dell Services Federal Government President George Newstrom said convergence involves transformation,
information, connectivity, and protection. While this is happening at light speed in the commercial sector, “we are our own worst enemy” in the government sector as procurements continued to be hampered by mil-specs and process barriers, he said. The government is also hampered by its inability to “on-ramp” new technology onto contracts quickly, said Craig Reed, Engility Corporation’s senior vice president for strategy and corporate development. The commercial sector can not only bring them on more quickly, they also already make extensive use of consumption buying, he said. “The velocity, space and scale in the commercial market far exceeds what is going on in the government market,” Reed said, and government is missing out on valuable solutions. <<
11