At VA, cyber dominance is in, cyber compliance is out

The Department of Veterans Affairs is moving toward a more operational approach to cybersecurity.

This means VA is applying a deeper focus on protecting the attack surfaces and closing off threat vectors that put veterans’ data at risk.

Eddie Pool, the acting principal assistant secretary for information and technology and acting principal deputy chief information officer at VA, said the agency is changing its cybersecurity posture to reflect a cyber dominance approach.

“That’s a move away from the traditional and an exclusively compliance-based approach to cybersecurity, where we put a lot of our time, resources, investments in compliance-based activities,” Pool said on Ask the CIO. “For example, did someone check the box on a form? Did someone file something in the right place? We’re really moving a lot of our focus over to the risk-based approach to security, pushing things like zero trust architecture, micro-segmentation of our networks and really doing things that are more focused on the operational landscape. We are more focused on protecting those attack surfaces and closing off those threat vectors in the cyber space.”

A big part of this move to cyber dominance is applying the concepts that make up a zero trust architecture, such as micro-segmentation and identity and access management.

Pool said as VA modernizes its underlying technology infrastructure, it will “bake in” these zero trust capabilities.

“Over the next several years, you’re going to see that naturally evolve in terms of where we are in the maturity model path. Our approach here is not necessarily to try to map to a model. It’s really to rationalize what are the highest value opportunities that those models bring, and then we prioritize on those activities first,” he said. “We’re not pursuing it in a linear fashion. We are taking parts and pieces and what makes the most sense for the biggest thing for our buck right now, that’s where we’re putting our energy and effort.”

One of those areas that VA is focused on is rationalizing the number of tools and technologies it’s using across the department. Pool said the goal is to get down to a specific set instead of having the “31 flavors” approach.

“We’re going to try to make it where you can have any flavor you want so long as it’s chocolate. We are trying to get that standardized across the department,” he said. “That gives us the opportunity from a sustainment perspective that we can focus the majority of our resources on those enterprise standardized capabilities. From a security perspective, it’s a far less threat landscape to have to worry about having 100 things versus having two or three things.”

The business process reengineering priority

Pool added that redundancy remains a key factor in the security and tool rationalization effort. He said VA will continue to have a diversity of products in its IT investment portfolios.

“Where we are at is we are looking at how do we build that future state architecture, as elegantly and simplistically as possible so that we can manage it more effectively, they can protect it more securely,” he said.

In addition to standardizing on technology and cyber tools, Pool said VA is bringing the same approach to business processes for enterprisewide services.

He said over the years, VA has built up a laundry list of legacy technology all with different versions and requirements to maintain.

“We’ve done a lot over the years in the Office of Information and Technology to really standardize on our technology platforms. Now it’s time to leverage that, to really bring standard processes to the business,” he said. “What that does is that really does help us continue to put the veteran at the center of everything that we do, and it gives a very predictable, very repeatable process and expectation for veterans across the country, so that you don’t have different experiences based on where you live or where you’re getting your health care and from what part of the organization.”

Part of the standardization effort is that VA will expand its use of automation, particularly in the processing of veterans’ claims.

Pool said the goal is to take more advantage of the agency’s data and use artificial intelligence to accelerate claims processing.

“The richness of the data and the standardization of our data that we’re looking at and how we can eliminate as many steps in these processes as we can, where we have data to make decisions, or we can automate a lot of things that would completely eliminate what would be a paper process that is our focus,” Pool said. “We’re trying to streamline IT to the point that it’s as fast and as efficient, secure and accurate as possible from a VA processing perspective, and in turn, it’s going to bring a decision back to the veteran a lot faster, and a decision that’s ready to go on to the next step in the process.”

Many of these updates already are having an impact on VA’s business processes. The agency said that it set a new record for the number of disability and pension claims processed in a single year, more than 3 million. That beat its record set in 2024 by more than 500,000.

“We’re driving benefit outcomes. We’re driving technology outcomes. From my perspective, everything that we do here, every product, service capability that the department provides the veteran community, it’s all enabled through technology. So technology is the underpinning infrastructure, backbone to make all things happen, or where all things can fail,” Pool said. “First, on the internal side, it’s about making sure that those infrastructure components are modernized. Everything’s hardened. We have a reliable, highly available infrastructure to deliver those services. Then at the application level, at the actual point of delivery, IT is involved in every aspect of every challenge in the department, to again, bring the best technology experts to the table and look at how can we leverage the best technologies to simplify the business processes, whether that’s claims automation, getting veterans their mileage reimbursement earlier or by automating processes to increase the efficacy of the outcomes that we deliver, and just simplify how the veterans consume the services of VA. That’s the only reason why we exist here, is to be that enabling partner to the business to make these things happen.”

The post At VA, cyber dominance is in, cyber compliance is out first appeared on Federal News Network.

Agencies, IT companies impacted by latest malware from China

Hackers sponsored by China are targeting federal agencies, technology companies and critical infrastructure sector organizations with a new type of malware affecting Linux, VMware kernel and Windows environments that may be difficult to detect and eradicate.

The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security are strongly advising organizations to take steps to scan systems for BRICKSTORM using detection signatures and rules; inventory all network edge devices; monitor edge devices for suspicious network connectivity; and ensure proper network segmentation. The agencies released a malware analysis report to help organizations combat the threat.

“BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure. State sponsored actors are not just infiltrating networks, they are embedding themselves to enable long term access, disruption and potential sabotage. That’s why we’re urging every organization to treat this threat with the seriousness that it demands,” said Nick Andersen, CISA’s executive assistant director for cybersecurity, during a call with reporters today. “The advisory we issued today provides indicators of compromise (IOCs) and detection signatures to assist critical infrastructure owners and operators in determining whether they have been compromised. It also gives recommended mitigation actions to protect against what is truly pervasive PRC activity.”

CISA says BRICKSTORM features advanced functionality to conceal communications, move laterally and tunnel into victim networks and automatically reinstall or restart the malware if disrupted. Andersen said CISA became aware of the threat in mid-August and it’s part of a “persistent, long-term campaigns of nation state threat actors, in particular those that are sponsored by the People’s Republic of China, to hold at risk our nation’s critical infrastructure through cyber means.”

The malware has impacted at least eight organizations, including one to which CISA provided incident response services. Andersen wouldn’t say how many of those eight were federal agencies or which ones have been impacted.

“This is a terribly sophisticated piece of malware that’s being used, and that’s why we’re encouraging all organizations to take action to protect themselves, and if they do become victims of it or other malicious activity, to report it to CISA, so we can have a better understanding of the full picture of not just where this malware is being employed, but the more robust picture of the wider cyber threat landscape,” Andersen said.

New way to interact with industry

Since January, CISA has issued 20 joint cybersecurity advisories and threat intelligence guidance documents with U.S. allies, including the United Kingdom, Canada, Australia and New Zealand, as well as with other international partners.

“Together, we’ve exposed nation-state sponsored intrusions, AI enabled ransomware operations and the ever evolving threats to critical infrastructure,” Andersen said.

Along with the warnings and analysis about BRICKSTORM, CISA also launched a new Industry Engagement Platform (IEP). CISA says it’s designed to let the agency and companies share information and develop innovative security technologies.

“The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency,” CISA said in a release. “The IEP allows organizations – including industry, non-profits, academia, government partners … and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”

CISA says while participation in the IEP does not provide preferential consideration for future federal contracts, it serves as a channel for the government to gain insight into new capabilities and market trends.

Current areas of interest include:

  • Information technology and security controls
  • Data, analytics, storage, and data management
  • Communications technologies
  • Any emerging technologies that advance CISA’s mission, including post-quantum cryptography and other next-generation capabilities

Andersen said while the IEP and related work is separate from the BRICKSTORM analysis, it’s all part of how CISA is trying to ensure all organizations protect themselves from the ever-changing cyber threat.

“The threat here is not theoretical, and BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure,” he said. “We know that state sponsored actors are not just infiltrating networks. They’re embedding themselves to enable the long term access, disruption and potential sabotage that enables their strategic objectives, and that’s why we continue to urge every organization to treat this threat with serious demands.”

The post Agencies, IT companies impacted by latest malware from China first appeared on Federal News Network.

House lawmakers to try again to extend TMF through NDAA

The Technology Modernization Fund is running out of time. In 10 days, the authorization will expire for the 8-year-old governmentwide account that helps agencies update IT systems.

If Congress doesn’t act before Dec. 12, the TMF will not be able to make any new investments, freezing more than $150 million.

“The Technology Modernization Fund remains one of the federal government’s most effective tools for rapidly strengthening cybersecurity and improving high-impact systems. Reauthorizing the TMF is essential to ensuring stable, flexible funding that helps agencies deliver secure, modern services for the American people,” said a GSA spokesperson in an email to Federal News Network. “We look forward to working with Congress on the reauthorization effort.”

There is support in the House for reauthorizing the TMF. Rep. Nancy Mace (R-S.C.) and former Congressman Gerry Connolly (D-Va.) introduced the Modernizing Government Technology (MGT) Reform Act in April that included an extension of the fund to Dec. 31, 2031.

The bill hasn’t moved out of the House Oversight and Government Reform Committee and there is no Senate companion.

The House did pass a version of this bill in May 2024, but, again, the Senate never moved on the bill.

The Senate, however, did allocate $5 million for the TMF in its version of the fiscal 2026 Financial Services and General Government appropriations bill, released last week. This comes after Congress zeroed out new funding for the program over the last three years. The House version of the FSGG bill didn’t include any new money for the TMF.

Mace tried to include her TMF bill as a provision in the House’s version of the National Defense Authorization bill, but language didn’t make it in the version passed by the lower chamber. The Senate version of the NDAA also didn’t include the TMF extension, but there is still hope to get it in during the upcoming conference committee negotiations.

“Extending and reauthorizing the Technology Modernization Fund, which expires on Dec. 12, is a high priority for the committee and we have requested in a bipartisan manner that it be included in the final Fiscal Year 2026 National Defense Authorization Act,” said an Oversight and Government Reform Committee spokesperson. “This is a shared policy priority with the administration and the Office of Management and Budget. Extending the fund also has broad industry support, specifically the Committee has support letters from the Information Technology Industry Council (ITI), the Center for Procurement Advocacy (CPA), the Professional Services Council (PSC) and the Alliance for Digital Innovation (ADI).”

TMF: 69 investments, $1 billion

ADI wrote lawmakers a letter on Nov. 24 advocating for the TMF extension.

“To date, the TMF has catalyzed transformation across government, from strengthening cybersecurity defenses to improving citizen-facing digital services. By providing flexible capital through a merit-based process overseen by federal technology leaders, the Fund enables agencies to undertake complex modernization initiatives that would otherwise remain trapped in multi-year budget cycles. This structure ensures accountability while giving agencies the agility to respond to rapidly evolving technology landscapes and emerging threats,” the industry association said in its letter to House and Senate leadership. “The MGT Reform Act provides the right framework for the TMF’s next chapter. By extending authorization for seven years, Congress would provide agencies the long-term certainty needed to plan and execute substantial and transformational modernization programs. The legislation’s transparency provisions, including the establishment of a federal legacy IT inventory, will give policymakers greater visibility into modernization progress and priorities. These reforms strengthen oversight while preserving the operational flexibility that makes the TMF effective.”

GSA says in its fiscal 2026 budget justification that the TMF currently manages more than $1.07 billion worth of systems upgrades and modernization projects totaling 69 investments across 34 federal agencies. The TMF board has received and reviewed more than 290 proposals totaling about $4.5 billion in funding demand.

The TMF board made only one new investment in calendar year 2025. It awarded $14.6 million to the Federal Trade Commission in June to develop a cloud-based analytics platform that uses artificial intelligence tools and to train staff to handle data analysis in-house.

GSA says it had more than $231 million in available funding for 2025 and it expected to have more than $158 million for the TMF in 2026.

“The government needs updated technology, and those updates need to be done efficiently. I’m proud to co-sponsor the bipartisan Modernizing Government Technology Reform Act introduced by Cybersecurity Subcommittee Chairwoman Mace,” said Rep. Shontel Brown (D-Ohio), ranking member of the Cybersecurity, IT and Government Innovation subcommittee, in an email to Federal News Network. “The best course of action would be the Oversight Committee and Congress advancing this legislation before the authorization ends.”

Technical debt would increase faster

Former federal technology executives say letting the TMF expire would set back agency modernization efforts.

Larry Bafundo, the former executive director of the TMF program office, said without the TMF, agencies will have a more difficult time finding funding to modernize legacy systems.

“We spend a vast majority of our funding on maintaining existing and outdated systems instead of adapting systems to meet changing needs. I think something is broken in the way we fund modernization of IT systems. Congress is incentivized to think in terms of projects instead of services that evolve over time. There is a huge disconnect between how the government works and how IT projects are funded,” said Bafundo, who is now president of Mo Studio, a digital services company. “There isn’t a clear, governmentwide IT modernization strategy, with a clear inventory of systems, to align programs like TMF against. As a result, we approach the problem piecemeal, rather than as part of a deliberate, or coordinated, plan. Similarly, agencies can sometimes lack incentives to modernize effectively. In many cases, they not only lack performance baselines to measure change against, but there are also very few senior executives in government today who are evaluated based on the value of the services they provide the public. Instead, they are incentivized to preserve the status quo. All of this makes showing ‘return on investment’ difficult, along with the fact that Congress is not united in its understanding of what the return on investment looks like — is it cheaper, more secure, faster, etc.? We don’t have a common definition for success when it comes to programs like TMF.”

Bafundo said the TMF works because it provides agencies with guardrails or characteristics for the types of projects the board would invest in.

“We relied on good ideas or good proposals and someone who could defend their ideas, as opposed to a set of focal areas and show us what you can with seed funding. You can use that experience to unlock further funding,” he said. “That is how it should work instead of a 3-to-5 year plan that many programs have. In some ways the TMF because it relies on lengthy proposals instead of working software is more like a grant program than a seed fund.”

Gundeep Ahluwalia, a former Labor Department chief information officer, helped the agency win TMF funding for six different projects between 2018 and 2024.

Ahluwalia, who is now an executive vice president and chief innovation officer for NuAxis Innovations, said the TMF helped Labor pay down its technical debt.

“Whether it’s improving services to Americans or protecting against foreign adversaries, the cost of not doing anything here is just too large, especially considering the investment is paltry,” he said. “The TMF used an approach very similar to the private sector where you would make your business case, tell the board how much the company would get back from the investment. This business case is a no-brainer. For $500 million or even $250 million, it could give agencies the opportunity to improve services, reduce risks and become cyber strong.”

OMB seeks change to TMF

It’s unclear why support on Capitol Hill has been tepid at best for the TMF.

Ahluwalia said lawmakers still have trouble understanding why something like the TMF is needed, and there isn’t an outspoken supporter of IT modernization funding like Connolly, who passed away in May, was.

“If you don’t understand something and there is a significant resistance to spending this becomes yet another government program. But this isn’t just another one, the TMF is a way out of our technical debt conundrums. It’s modeled after the private sector and I don’t think people may not understand that,” he said.

OMB, which didn’t respond to two requests for comments on the TMF expiring, proposed through GSA’s 2026 budget request a new funding model for the program. The White House wants to make it a revolving or working capital fund of sorts that would be authorized to collect up to $100 million a year in otherwise expired funding.

The legislative proposal would let “GSA, with the approval of OMB, to collect funding from other agencies and bring that funding into the TMF,” GSA wrote in its budget justification document. “This would allow agencies to transfer resources to the TMF using funds that are otherwise no longer available to them for obligation. This provision is essential to providing the TMF with the necessary funds to help the federal government address critical technology challenges by modernizing high-priority systems, improving AI adoption and supporting cross-government collaboration and scalable services.”

If the TMF authority expires, GSA would still be able to support existing investments with already approved funding and other program support services.

The post House lawmakers to try again to extend TMF through NDAA first appeared on Federal News Network.

Draft memo details DoD plans to cap most reseller fees

The Defense Department wants to shake up how it works with value-added resellers.

In a draft memo obtained by Federal News Network, the Pentagon would place a 5% cap on most fees charged by resellers starting with a specific special item number (SIN) for IT products. This cap would only apply to IT products sold through the General Services Administration’s schedule contract.

DoD says it spent about $2 billion in fiscal 2024 through the GSA schedule on these technology products.

The draft memo is one of two expected from the administration to address what it believes are higher than normal costs when buying IT products and services through resellers.

GSA initiated this review and proposed overhaul of the reseller market earlier this year. It started in June with a letter to 10 value-added resellers to collect data to better understand the role of such companies and what it would take for original equipment manufacturers (OEMs) to sell directly to the government. Then in early October, sources said GSA was close to issuing a memo that would establish such a cap on resellers.

While GSA has yet to issue such a memo, this undated draft memo from the undersecretary of Defense for Acquisition and Sustainment, Michael Duffey, offers more specifics about what this markup cap and oversight process would look like.

Duffey references GSA’s plans in his draft memo.

Duffey wrote the initiative would “initially entail GSA contracting officers’ use of new control measures to support their determinations of price reasonableness for products offered for sale under IT Special Item Number 33411. Specifically, GSA will more closely scrutinize pricing from entities that hold themselves out as resellers.”

It would focus on SIN 33411, which covers the purchase of new electronic equipment, including desktops, laptops, servers, storage equipment, routers, switches and other communications equipment, audio and video equipment and even two-way radios.

Since this cap would only apply to purchases off the GSA schedule, DoD is returning to the idea that schedule prices are no longer automatically considered “fair and reasonable.”

This harkens back to 2014 when both DoD and NASA issued deviations to the Federal Acquisition Regulations that said schedule prices shouldn’t be automatically considered fair and reasonable. Several years later, DoD and NASA removed that deviation.

“When placing orders on IT contracts, I expect the department’s contracting officers to independently determine fair and reasonable pricing by considering the unique factors of a given acquisition in the same manner as GSA,” Duffey wrote in the draft memo. “Finally, and in general, we will apply the same common-sense approach to avoid paying excessive pass-through costs and avoid paying non or low-value added price markups across the complete range of the procurement.”

A third change DoD would require is for vendors to disclose in their price proposal the manufacturer or dealer price and the percentage markup from the OEM price. DoD also will require a description of the value provided that makes up the markup amount. Any markup of more than 5% would require additional vendor justification and higher-level management attention. The memo doesn’t describe what either of those will look like.

Multiple emails to DoD seeking comment were not returned.

DoD’s reasoning for price caps questioned

Federal acquisition experts and resellers questioned the DoD’s rationale for applying price caps.

Three different executives who work for resellers as well as a former federal acquisition official, all of whom requested anonymity for fear of retaliation and to talk about a pre-decisional memo, said this approach flies in the face of what the Trump administration has been trying to do since January to relieve the burden of federal acquisition and encourage more vendors to participate.

One executive at a reseller says the first thing that DOGE went after was cost plus contracts. Now, DoD wants to take what this person called clean and simple transparent firm fixed price contracts for commercial products and turn these into cost plus type contracts, which the executive said makes no sense.

“Audits, narratives, justifications, additional steps and time, how is this simplifying acquisition and growing the industrial base?” the executive asked. “Are they going to cap gross profit on other items they buy like cars, furniture, office supplies, building materials, heating, ventilation and air conditioning (HVAC) systems, lighting, plumbing, tools, safety gear and maintenance supplies next? Where does it stop? Why are we being targeted?”

The executive says there seems to be a big misunderstanding about the role of resellers and even how the market works.

“It’s competition, not price controls, that drive down price. If that’s the ultimate goal,” the executive said. “Capping margins would drive out the best, service-oriented partners that invest in engineering and innovation — leaving behind low-touch resellers who only process orders. This reduces competition, supplier diversity and access to expertise.”

Another executive at a reseller says determining what constitutes an “excessive mark-up” is subjective. The source said for an administration that wants to keep things moving in a timely pace, giving contracting officers discretion about what is an excessive mark-up will cause more problems than it will solve.

“They are assuming that the contracting officers have the appropriate knowledge and training to do that,” the executive said. “Unfortunately and frequently that isn’t what the contracting officers have. There is a lack of understanding that will end up causing confusion and delays.”

VARs solve problems

A third executive questioned how DoD, or any agency, would oversee this entire initiative.

They asked whether resellers would need an approved cost accounting system. If so, that would add significant costs and burdens.

Finally, the former federal acquisition executive, who spent more than 25 years in the federal government, says resellers provide a lot of value to agencies, partly because OEMs traditionally don’t sell directly to the government and don’t want to, but also because resellers solve problems for the agency.

“They know the technology. They know the OEMs and can tell you what will work or what will not work. Resellers are invaluable,” the former executive said. “In terms of their markup, you just have to negotiate better. If you get at least two resellers to bid, you will get a good price.”

Is capping profits even legal?

All the sources agreed that if DoD or GSA wants better prices, they should do two things: ensure there is competition at the task order level and train contracting officers and other acquisition workers to be better negotiators.

“If you don’t have contracting officers who can push for better pricing at the task order level, then how are you going to have contracting officers who can make these determinations of the value of the markups that are over 5%?” asked the third executive. “You are better off training contracting officers to go after better prices at the task order level. GSA has ways to help like the 4P tool that combs all over for publicly available prices. But applying caps on fees or profit goes against capitalism. It goes against common sense and it will be detrimental to the government and its industrial base.”

Aside from just questioning the rationale behind the price caps, experts also asked whether the memo would violate the FAR and even some federal laws.

One of the reseller executives highlighted five FAR provisions and/or laws this idea seems to violate.

The executive says this requirement seems to violate the Truth in Negotiations Act (TINA) in the sense that commercial items are not subject to TINA. TINA requires contractors to provide certified cost or pricing data to the government during negotiations for other items; commercial items are exempt because the commercial marketplace is presumed to be a competitive environment that should drive a reasonable price.

Another part of the FAR this initiative may violate is Part 2 for the acquisition of commercial items. The executive said if the government is obtaining a “fair and reasonable” price, then the focus is not on contractor costs, reasonable markup or profit; it’s on the price the agency is paying.

A third section of the FAR this may violate is under Part 15, which includes a prohibition on obtaining certified cost and pricing data for commercial items.

Cy Alba, a procurement attorney with the firm Piliero Mazza, said if the government is buying through a firm fixed price contract, then it is not supposed to be asking for cost or pricing information. He added that if a purchase is awarded through the GSA schedule and is below the maximum order threshold, then GSA has already determined the prices to be fair and reasonable.

Alba also said if it’s a commercial item, or really anything that has adequate price competition, the market is supposed to make that determination that the price is fair and reasonable. He said if the government thinks the markup is too high, then they don’t have to buy the product or service from the vendor.

The post Draft memo details DoD plans to cap most reseller fees first appeared on Federal News Network.


Risk & Compliance Exchange 2025: Former DOJ lawyer Sara McLean on ensuring cyber compliance under the False Claims Act

Since January 2025, the Justice Department has been aggressively holding federal contractors accountable for cybersecurity violations under the False Claims Act.

Over the last 11 months, the Trump administration has announced six settlements out of the 14 since the initiative began in 2021.

Sara McLean, a former assistant director of the DOJ Commercial Litigation Branch’s Fraud Section and now a partner with Akin, said the Trump administration has made a much more significant push to hold companies, especially those that work for the Defense Department, accountable for meeting the cyber provisions of their contracts.


“I think there are going to be a lot more of these announcements. There’s been a huge uptick just since the beginning of the administration. That is just absolutely going to continue,” McLean said during Federal News Network’s Risk & Compliance Exchange 2025.

“The cases take a long time. The investigations are complex. They take time to develop. So I think there are going to be many, many, many more announcements, and there’s a lot of support for them. Cyber enforcement is now embedded in what the Justice Department does every day. It’s described as the bread and butter by leadership.”

A range of high-profile cases

A few of the high-profile cases this year so far include an $875,000 settlement with Georgia Tech Research Corp. in September and a $1.75 million settlement in August with Aero Turbine Inc. (ATI), an aerospace maintenance provider, and Gallant Capital Partners, a private equity firm that owned a controlling stake in ATI during the time period covered by the settlement.

McLean, who wouldn’t comment on any one specific case, said in most instances, False Claims Act allegations focus on reckless disregard for the rules, not simple mistakes.

“We’ve seen in some of the more recent announcements new types of fact patterns. What happens is when announcements are made that DOJ has pursued a matter and has resolved a matter, that often leads to the qui tam relators and their attorneys finding more matters like that and filing them,” said McLean, who left federal service in October after almost 27 years. “It’ll be interesting to see if these newer fact patterns yield more cases that are similar.”

Recent cases that involve the security of medical devices or the qualifications of cyber workers performing on government contracts are two newer fact patterns that have emerged over the last year or so.

Launched in 2021, the Justice Department’s Civil Cyber-Fraud Initiative uses the False Claims Act to ensure contractors and grantees meet the government’s cybersecurity requirements.

President Joe Biden signed an executive order in May 2021 that directed all agencies to improve “efforts to identify, deter, protect against, detect and respond to” malicious cyberthreats.

130 DOJ lawyers focused on cyber

Justice conducted a 360 review of cyber matters and related efforts, and one of the areas that emerged was to use the False Claims Act to hold contractors and grantees accountable and drive a change in behavior.

“The motivation was largely to improve cybersecurity and also to protect sensitive information, personal information, national security information, and to ensure a level playing field, so that you didn’t have some folks who were meeting the requirements and others who were not,” McLean said.

“It was to ensure that incidents were being reported to the extent the False Claims Act could be used around that particular issue. Because the thought was that would enable the government to respond to cybersecurity problems and that still is really the impetus now behind the enforcement.”

McLean said the Civil Cyber-Fraud Initiative is now embedded as part of the DOJ’s broader False Claims Act practice. It has about 130 lawyers, who work with U.S. attorneys’ offices as well as agency inspector general offices.

Typically, an IG begins an investigation either based on a qui tam or whistleblower filing, or a more traditional review of contracts and grants.

The IG will assign agents and DOJ lawyers will join as part of the investigative team.

McLean said the agents are on the ground, interviewing witnesses and applying all the resources that come from the IGs. DOJ then decides, based on the information the IGs bring back, to either take some sort of action, such as intervening in a qui tam lawsuit and taking it over, or to decline or settle with a company.

“They go back to the agency for a recommendation on how to proceed. So it’s really the agencies and DOJ who are really in lockstep in these matters,” she said. “DOJ is making the decision, but it’s based on the recommendation of the agencies and with the total support of the agencies.”

Many times, Justice decides to intervene in a case or seek a settlement depending on whether the company in question has demonstrated reckless disregard for federal cyber rules and regulations.

McLean said a violation of the False Claims Act requires only reckless disregard, not intentional fraud.

“It’s critically important for anyone doing business with the government, especially those who are signing a contract and agreeing to do something, to make sure that they understand what that is, especially in the cybersecurity area,” she said. “What they’ve signed on to can be quite complicated. It can be legally complicated. It can be technically complicated. But signing on the dotted line without that understanding is just a recipe for getting into trouble.”

When a whistleblower files a qui tam lawsuit, McLean said that ratchets up the entire investigation. A whistleblower can be entitled to up to 30% of the government’s recovery, whether through a decision or a settlement.

Self-disclosures encouraged

If a company doesn’t understand the requirements and doesn’t put any resources into trying to understand and comply with them, that can lead to a charge of reckless disregard.

“When it comes to employee qualifications, it’s the same thing. If a contract says that there needs to be this level of education or there needs to be this level of experience, that is what needs to be provided. Or a company can get into trouble,” McLean said.

“The False Claims Act applies to making false claims and causing false claims. It’s not just the company that’s actually directly doing business with the government that needs to worry about the risk of False Claims Act liability, because a company that’s downstream, like a subcontractor who’s not submitting the claims to the government, could be found liable for causing a false claim, or, say, an assessor could be found liable for causing a false claim, or a private equity company could be found liable for causing a false claim. There are individuals who can be found liable for causing and submitting false claims.”

She added that False Claims Act allegations can apply not only to the one company that has the direct relationship with the government but also to its partners if they are not making a good faith effort to comply.

But when it’s a mistake, maybe an overpayment or something similar, the company can usually claim responsibility and address the problem quickly.

“DOJ has policies of giving credit in False Claims Act settlements for self-disclosure, cooperation and remediation. That is definitely something that is available and that companies have been definitely taking advantage of in this space,” McLean said. “DOJ understands that there’s more focus on cybersecurity than there used to be, and so there are companies that maybe didn’t attend to this as much as they now wish they had in the past. The companies discover that they’ve got some kind of a problem and want to fix it going forward, but then also figure out, ‘How do I make it right and in the past?’ ”

McLean said this is why vendors need to pay close attention to how they comply with the DoD’s new Cybersecurity Maturity Model Certification.

She said when vendors sign certifications that they are complying with CMMC standards without fully understanding what that means, that could be considered deliberate ignorance.

“Some courts have described it as gross negligence. Negligence would be a mistake. I don’t know if that helps for the nonlawyers, but corporations which do not inform themselves about the requirements or not taking the steps that are necessary, even if it’s not through necessarily ill intent, but it’s not what the government bargained for, and it’s not just an accident. It’s a little bit more than that, quite a bit more than that,” she said.

“The one thing that’s important about that development is it does involve more robust certifications, and that is something that can be a factor in a case being a False Claims Act and a case being more or less likely to be one that the government would take over. Because signing a certification when the information is not true starts to look like a lie, which starts to look like the more intentional type of fraud … rather than a mistake. It looks reckless to be signing certifications without doing this review to know that the information that’s in there is right.”


The post Risk & Compliance Exchange 2025: Former DOJ lawyer Sara McLean on ensuring cyber compliance under the False Claims Act first appeared on Federal News Network.


OPM’s HR modernization strategy sets next sight on USA Hire

While much attention across the federal community has been focused on the Office of Personnel Management’s strategy to consolidate 119 different human capital systems across government, the agency, at the same time and with little fanfare, kicked off another major human resources modernization effort.

OPM is planning to revamp the USA Hire platform, which provides candidate-assessment tools for agency hiring managers, with the goal of making evaluations more efficient and leading to higher-quality applicants.

OPM, working with the General Services Administration, issued a request for information on Oct. 7 and has been meeting with vendors over the last few weeks to determine what commercial technologies and systems are available. The RFI closed on Oct. 21.

“This RFI is part of OPM’s ongoing effort to ensure agencies have access to cutting-edge, high-quality assessment tools that help identify and hire the best talent across the federal government—advancing a truly merit-based hiring system in line with the president’s Merit Hiring Plan and Executive Order 14170, Reforming the Federal Hiring Process and Restoring Merit to Government Service,” said an OPM spokesperson in an email to Federal News Network. “OPM also anticipates making additional improvements to USAJOBS and USA Staffing to enhance the applicant experience and better integrate assessments into job announcements.”

OPM says in fiscal 2024, USA Hire customer agencies used the program to assess approximately 1 million applicants for over 20,000 job opportunity announcements. It provides off-the-shelf standard assessment tests covering more than 140 federal job series, access to test center locations worldwide and a broad array of assessment and IT expertise.

“USA Hire currently offers off-the-shelf assessment batteries covering over 800 individual job series/grade combinations, off-the-shelf assessment batteries covering skills and competencies shared across jobs (e.g., project management, writing, data skills, supervisory skills), and custom assessment batteries targeting the needs of individual agencies, access to test center locations worldwide, and a broad array of assessment and IT expertise,” OPM stated in the RFI.

In the RFI, OPM asked industry for details on the capabilities of their assessment systems, including:

  • Delivering assessments in a secure, unproctored asynchronous environment
  • Delivering online video-based interviews
  • Using artificial intelligence/machine learning in assessment development and scoring
  • Minimizing and/or mitigating applicant use of AI (e.g., AI chatbots) to improve assessment performance
  • Integrating and delivering assessments across multiple assessment platforms

“OPM seeks an assessment delivery system that can automatically score closed-end and open-ended responses, including writing samples. The online assessment platform shall be able to handle any mathematical formula for scoring purposes,” the RFI stated. “Based on the needs of USA Hire’s customers, OPM requires an assessment platform that supports static, multi-form, computer-adaptive (CAT), and linear-on-the-fly (LOFT) assessments delivered in un-proctored, in-person, and remote proctored settings.”

An industry executive familiar with USA Hire said OPM, through the RFI, seems to want to fix some long-standing challenges with the platform.

“RFI suggests OPM will allow third parties to integrate into USA Staffing, which has been a big problem for agencies who weren’t using USA Hire. But I’ll believe it when I see it,” said the executive, who requested anonymity in order to talk about a program they are involved with. “Agencies are not mandated to use USA Hire, but if they don’t use it, they can’t use USA Staffing because of a lack of integration.”

USA Staffing, like USA Hire, is run by OPM’s HR Solutions Office on a fee-for-service basis. The agency says it provides tools to help agencies recruit, evaluate, assess, certify, select and onboard more efficiently.

RFI is a good starting point

The executive said this lack of integration has, for some agencies, been a problem if they are using other assessment platforms.

For example, the Transportation Security Administration issued an RFI back in 2024 for an assessment capability, only to decide to use USA Hire after doing some market research.

“USA Hire is adequate for most things the government does. It’s fine for certain types of programs, but if you get out of their swim lanes, they have trouble, especially with customization or configurations. I think getting HR Solutions to do any configurations or customization is a yeoman’s effort,” the executive said. “My concern about USA Hire is it’s a monopoly and when that happens any organization gets fat and lazy. Maybe the Department of Government Efficiency folks kicked them in the butt a little and that’s maybe why we are seeing the RFI.”

The executive said the RFI is a positive step forward.

“It could be good for some companies if it comes to fruition and OPM brings in a legitimate way for other providers with some unique competencies or services to expand the offering from USA Hire,” the executive said. “It’s too early to tell if there will be an RFP, but if they do come out, what are they buying? Are they trying to bring on new assessment providers? I think a lot of us would like to know what OPM is looking for or what holes they are seeking to fill in these new solutions.”

Other industry sources say OPM has laid out a tentative schedule for a new USA Hire support services solicitation. Sources say OPM is planning to release a draft request for proposals in January with a final solicitation out in October.

This means an award will not happen before 2027.

“Due to the complexity of requirements and the amount of market research that needs to be conducted, the USA Hire PMO expects the competition timeline to be more than a year long,” OPM said in a justification and approval increasing the ceiling of the current USA Hire contract. “The government estimates that transition could take up to two years depending on the awardee’s solution.”

OPM adds $182M to current contract

OPM released the J&A at the same time it issued the RFI. Through it, OPM increased the ceiling of its current USA Hire support contract with PDRI, adding $182.7 million for a total contract value of $395 million.

OPM says the ceiling increase is needed because of the Transportation Security Administration’s (TSA) adoption of USA Hire and its need to fill thousands of vacant positions after the COVID-19 pandemic.

“Because of the EO, the need for USA Hire assessments has far exceeded the initial estimated amount, which has grown at a pace far faster than anticipated when the contract requirements and needs were first drafted and awarded,” OPM stated in the J&A. “OPM planned for the steady growth of USA Hire throughout all options of the contract; however, TSA alone has consumed 95% of the requirement in option year 2 and option year 3. The government issued a modification to realign ceiling value to support the additional assessments; however, the delivery of the assessments has increased significantly.”

An email to PDRI seeking comment on the increased ceiling and the RFI was not returned.

The OPM spokesperson said the agency expects the use of USA Hire to continue to grow over the next few years as agencies implement skills-based assessments as required under the Merit Hiring Plan and Chance to Compete Act.

OPM said in its J&A that it expects USA Hire to provide assessment services to 300,000 applicants for TSA, 10,000 entry-level investigators for U.S. Immigration and Customs Enforcement, along with smaller customer agencies spanning cybersecurity positions, tax fraud investigations, entry-level credit union examiners and HR specialists.

The post OPM’s HR modernization strategy sets next sight on USA Hire first appeared on Federal News Network.


DLA’s Tech Accelerator Team showing how to spur innovation

The Defense Logistics Agency may have solved two problems every agency tends to struggle with — attracting new and innovative companies and changing the culture of its workforce to work with those firms.

DLA’s Tech Accelerator Team has shown it can do just that. Over the last several years it has been using what are considered traditional private sector methods to attract up-and-coming firms and take an agile approach to solving problems using interviews, data and market research.

David Koch, the director of research and development at DLA, said the agency launched the Tech Accelerator Team about six years ago with the idea of finding commercial technologies from non-traditional companies to solve their most pressing problems.


“We don’t go into a problem with a solution in mind. We go into it solution agnostic,” Koch said in an interview with Federal News Network. “What is the problem that you want to solve? Then, let’s pull in a bunch of commercial folks that have tackled similar type of problems before. We usually do that through a request for information (RFI) that goes out to companies. We bring them in and we see what kind of solutions they throw up. We don’t go into it with a preconceived idea of how to solve this problem.”

Part of the challenge with this approach led by the Tech Accelerator Team was changing the way DLA leaders approached problems. Koch said they have done a lot of training around innovation to help DLA leaders and employees bring good ideas to fruition.

“It was more about, let’s interview senior leaders and let’s find a problem that we need to go solve. Now it’s really grown into a life of its own to where the program managers reach out and say, ‘Hey, I need a commercial solution for the problem that I have,’” he said. “I think a lot of times now it’s more internally focused, where we reach out to commercial solutions based on a problem that we know exists. We’ve become more aware of what’s going on across the organization. We know where those problem areas are, where there’s commercial opportunities to solve them.”

Koch pointed to an example of this approach in action with RGBSI Aerospace and Defense, a company providing engineering and technical support, around using digital twins differently. Koch said DLA had used digital twins for parts and for processes, but through this approach, the agency is using digital twins to improve its digital threads.

“You can pull in things like acquisition data, logistics data and manufacturing data, along with that thread so that you can pull in more industry partners and more people are available to make that part,” he said. “Now, what we do is we use a computer program to go in and follow where the data flows, and it maps the process for you. Sometimes you’re surprised when you find out how your process really works.”

The Tech Accelerator Team calls itself “DLA’s innovation broker,” and it works with other DoD and federal offices as part of a broad-based innovation ecosystem.

DLA spent $135 million in research and development in fiscal 2025 across three main portfolios:

  • Logistics
  • Manufacturing technology
  • Its small business innovation program

Koch said about $53 million went to manufacturing technology and about $17 million was for DLA business processes or logistics research and development. Additionally, DLA received about $44 million from Congress, most of which went into R&D for rare earth elements and other strategic materials.

Testing an automated inventory platform

Koch said heading into 2026, DLA will focus on four specific areas.

“The first one is strategic material recovery. We hosted [in September] our kickoff event for that being our newest manufacturing technology project. But that doesn’t mean that we’re just now starting strategic materials research. We’ve been doing it out of our SBIR for now for our last few years. It’s very timely, it supports the stockpile and we’ve had some really good success stories,” he said. “[The second one is] additive manufacturing and it’s really about mainstreaming. We call it the joint additive manufacturing acceptability. But mainstreaming additive manufacturing is part of the normal supply chain process that the military can use when they order parts from DLA.”

The two other areas are artificial intelligence transformation and automated inventory management. Koch said DLA is testing the Marine Corps Platform Integration Center (MCPIC) and also adding new technology to the platform to help improve how they manage products across 25 distribution centers.

“We have a lot of stuff that’s outside, think big Strykers and tanks and stuff like that that are just out there in the open. So you need something like a drone that’s going to go around and capture that inventory. Then you have a lot of small things, think firearms and stuff like that that we have to do inventory. So that’s the backbone that we’re building it upon,” he said. “The idea is you walk down the aisle and your inventory populates on your laptop or your iPad. We think we can get there.”

He added that DLA is piloting the integrated technology platform at its distribution center in Anniston, Alabama.

“We spend tens of millions of dollars a year doing inventory, and it’s very people intensive. Our automated inventory project is all about automating that process,” Koch said. “The goal is that we can do 100% audit, totally automated, and save a lot of that funding, and then have that information feed into our warehouse management system. We’re definitely excited about the possibility.”

The post DLA’s Tech Accelerator Team showing how to spur innovation first appeared on Federal News Network.


How the administration is bringing much needed change to software license management

Over the last 11 months, the General Services Administration has signed 11 enterprisewide software agreements under its OneGov strategy.

The agreements bring both standard terms and conditions as well as significant discounts for a limited period of time to agencies.

Ryan Triplette, the executive director of the Coalition for Fair Software Licensing, said the Trump administration seems to be taking cues from what has been working, or not working, in the private sector around managing software licenses.


“They seem to be saying, ‘let’s see if we can import that in to the federal agencies,’ and ‘let’s see if we can address that to mitigate some of the issues that have been occurring in some of the systemic problems that have been occurring here,’” said Triplette on Ask the CIO. “Now it’s significant, and it’s a challenge, but it’s something that we think is important that you understand any precedent that is set in one place, in this instance, in the public agencies, will have a ripple of impact over into the commercial sector.”

The coalition, which cloud service providers created in 2022 to advocate for less-restrictive rules for buying software, outlined nine principles that it would like to see applied to all software licenses, including that terms should be clear and intelligible, that customers should be free to run their on-premise software on the cloud of their choice and that licenses should cover reasonably expected software uses.

Triplette said while there still is a lot to understand about these new OneGov agreements, GSA seems to recognize there is an opportunity to address some long-standing challenges with how the government buys and manages its software.

“You had the Department of Government Efficiency (DOGE) efforts and you had the federal chief information officer calling for an assessment of the top five software vendors from all the federal agencies. And you also have the executive order that established OneGov and having them seeking to establish these enterprisewide licensees, I think they recognize that there’s an opportunity here to effect change and to borrow practices from what they have seen has worked in the commercial sector,” she said. “Now there’s so many moving parts of issues that need to be addressed within the federal government’s IT and systems, generally. But just tackling issues that we have seen within software and just tackling the recommendations that have been made by the Government Accountability Office over the past several years is important.”

Building on the success of the MEGABYTE Act

GAO has highlighted concerns about vendors applying restrictive licensing practices. In November 2024, GAO found vendor processes that limit, impede or prevent agencies’ efforts to use software in cloud computing. Meanwhile, of the six agencies auditors analyzed, none had “fully established guidance that specifically addressed the two key industry activities for effectively managing the risk of impacts of restrictive practices.”

Triplette said the data call by the federal CIO in April and the OneGov efforts are solid initial steps to change how agencies buy and manage software.

The Office of Management and Budget and GSA have tried several times over the past two decades to improve the management of software. Congress also joined the effort, passing the Making Electronic Government Accountable By Yielding Tangible Efficiencies (MEGABYTE) Act in 2016.

Triplette said despite these efforts, the lack of data has been a constant problem.

“The federal government has found that even when there’s a modicum of understanding of what their software asset management uses, they seem to find a cost performance improvement within the departments. So that’s been one issue. You have the differing needs of the various agencies and departments. This has led them in previous efforts to either opt out of enterprisewide licenses or to modify them with their own terms. So even when there’s been these efforts, you find, like, a year or two or three years later, it’s all a wash,” she said. “Quite frankly, you have a lack of a central mandate and appropriations line. That’s probably the most fundamental thing and why it also differs so fundamentally from other governments that have some of these more centralized services. For instance, the UK government has a central mandate, it works quite well.”

Triplette said what has changed is what she called a “sheer force of will” by OMB and GSA.

“They are recognizing the significant amount of waste that’s been occurring and that there has been lock-in with some software vendors and other issues that need to be tackled,” she said. “I think you’ve seen where the administration has really leaned into that. Now, what is going to be interesting is because it has been so centralized, like the OneGov effort, it’s still also an opt-in process. So that’s why I keep on saying, it’s to be determined how effective it will be.”

SAMOSA gaining momentum

In addition to the administration’s efforts, Triplette said she’s hopeful Congress finally passes the Strengthening Agency Management and Oversight of Software Assets (SAMOSA) Act. The Senate ran out of time to act on SAMOSA last session, after the House passed it in December.

The latest version of SAMOSA mirrors the Senate bill the committee passed in May 2023. It also is similar to the House version introduced in March by Reps. Nancy Mace (R-S.C.), the late Gerry Connolly (D-Va.), and several other lawmakers.

The coalition is a strong supporter of SAMOSA.

Triplette said one of the most important provisions in the bill would require agencies to have a dedicated executive overseeing software license asset management.

“There is an importance and a need to have greater expertise within the federal workforce, around software licensing, and especially arguably, vendor-specific software licensing terms,” she said. “I think this is one area that the administration could take a cue from the commercial sector. When they’re engaged in commercial licensing, they tend to work with consultants that are experts in the vendor licensing rules, they understand the policy and they understand the ins and outs. They often have somebody in house that … may not be solely specific to one vendor, but they may do only two or three and so you really have that depth of expertise, that you can understand some great cost savings.”

Triplette added that while finding these types of experts isn’t easy, the return on the investment of either hiring or training someone is well worth it.

She said some estimate that the government could save $50 million a year by improving how it manages its software licenses. This is on top of what the MEGABYTE Act already produced. In 2020, the Senate Homeland Security and Governmental Affairs Committee found that 13 agencies saved or avoided spending more than $450 million between fiscal 2017 and 2019 because of the MEGABYTE Act.

“The MEGABYTE Act was an excellent first step, but this, like everything, [is] part of an iterative process. I think it’s something that needs to have the requirement that it has to be done and mandated,” Triplette said. “This is something that has become new as you’ve had the full federal movement to the cloud, and the discussion of licensing terms between on-premise and the cloud, and the intersection between all of this transformation. That is something that wasn’t around during the MEGABYTE Act. I think that’s where it’s a little bit of a different situation.”

The post How the administration is bringing much needed change to software license management first appeared on Federal News Network.

© Federal News Network


Govini founder charged with 4 felonies

The founder and executive chairman of Govini, a provider of acquisition data and software to the government, has been arrested and charged with four felonies, including multiple counts of unlawful contact with a minor.

Eric T. Gillespie, 57, of Pittsburgh, allegedly used an online chat platform to attempt to solicit sexual contact with a pre-teenage girl.

Eric T. Gillespie, 57, is the founder of Govini and was charged with four felonies.

The Pennsylvania Attorney General’s Office says that at arraignment, a magisterial district judge denied Gillespie bail, citing flight risk and public safety concerns.

The attorney general’s office says one of its agents “posed as an adult in an online chat platform often utilized by offenders attempting to arrange meetings with children, and engaged in a conversation with Gillespie. Gillespie then made attempts to arrange a meeting with a pre-teenage girl (in Lebanon County).”

Govini said in an updated statement late on Wednesday that it had fired Gillespie.

“On November 12, 2025, the Govini Board of Directors terminated Eric Gillespie from the organization, including as a member of the Board, effective immediately. Mr. Gillespie stepped down from the role of CEO almost a decade ago and had no access to classified information,” a company spokesperson said. “Govini is an organization that has been built by over 250 people who share a profound commitment to America’s national security, including veterans, reservists, and people who have dedicated their lives to causes greater than themselves. The actions of one depraved individual should not in any way diminish the hard work of the broader team and their commitment to the security of the United States of America.”

Poplicus Inc., which does business as Govini, had 26 contracts with the government in fiscal 2025 worth about $52 million, according to the USASpending.gov platform. The vast majority of the awards came from the Defense Department, with two other smaller contracts coming from the departments of Commerce and Energy.

Govini’s main DoD customers include the Army, the Defense Information Systems Agency and the Navy.

Since 2021, Govini has won 107 awards worth more than $255 million.

The company said in October that it surpassed $100 million in annual recurring revenue (ARR) and secured a $150 million investment from Bain Capital.

Gillespie launched Govini in 2013 after launching Recovery.org in the early days of the American Recovery and Reinvestment Act.

If convicted, Gillespie would spend at a minimum seven years in jail and face up to $15,000 in fines. After serving time, he would have to register as a sex offender for at least 10 years under Pennsylvania law.

The post Govini founder charged with 4 felonies first appeared on Federal News Network.

© AP Photo/Matt Rourke

FILE - The Pennsylvania Judicial Center, home to the Commonwealth Court, is pictured on Feb. 21, 2023, in Harrisburg, Pa. (AP Photo/Matt Rourke, File)

Shutdown brings reemergence of prompt payment penalties

A veteran-owned small business in the northwest part of the country is waiting for the government to pay it about $20 million in contract invoices.

The company executive, who requested anonymity for fear of retaliation, said their line of credit will only last so much longer before the banks and other creditors come asking for payment.

“Once we hit our limit, we are stuck and the only thing we can do is work with vendors to let them know we are good for money once the government reopens,” the executive said in an interview with Federal News Network. “Once you cross a certain threshold, banks want to see certain things because you are using 80% of your line of credit. They want to know why you’re past due on your receivables, so they want to see reports. Some banks do not understand the government resell process and the fact that we do not operate as a traditional business.”

This IT product reseller, which is located in a Historically Underutilized Business Zone (HUBZone), is one of thousands of companies, both large and small, suffering an extra level of pain during the partial government shutdown.

Not only are firms facing stop work orders, reduced contract scopes or outright terminations for convenience, but many are waiting to get paid on invoices submitted on or before Sept. 30.

“There isn’t anyone working at the pay centers to approve invoices. A lot of what we do is net 30 stuff that goes through the Invoice Processing Platform (IPP) or other payment portals. We usually submit our invoices and the government approves them, but there isn’t anyone there to do that,” the executive said. “We have one instance where we need additional information before submitting our invoice, but no one is there to give us that information, so we can’t submit the invoice. In general, we are submitting invoices and seeing what happens. Then our accounting team is doing outreach after 30 days, and that’s when we are getting bounce backs from emails.”

The company executive said agencies made a lot of purchases on Sept. 30, which means not only are the invoices more than 30 days old, but the vendors they bought from are expecting to get paid regardless of whether or not the government pays first.

“That is creating problems for us in terms of having to make changes and manage cash flow,” the executive said. “The majority of the vendors we deal with know the government space, they are aware of shutdown and they are being friendly about the situation. They aren’t hounding us about past due bills, but with others we are floating the money. We have to use our line of credit or make partial payments to keep them happy.”

Interest penalties accruing

Adding to the challenge of waiting for payments when the government reopens is that vendors are entitled to interest on late payments under the Prompt Payment Act.

The Treasury Department says the interest rate for calendar year 2025 is 4.625%. This means that the small business which is owed $20 million in outstanding invoices would be owed about $74,000 in interest as of Nov. 10.

This one example is just the tip of the Prompt Payment Interest iceberg that agencies will face when they reopen.

Tim Soltis, a former federal financial management executive who worked at the Office of Management and Budget, Treasury and the Education Department during his 25-year career in federal service, said there usually isn’t money set aside for these interest payments, so agencies will have to make cuts elsewhere.

“They may have to cut overtime or cut hiring to make room for these payments,” he said. “At Education, I ran both the financial and contracting side and budget and contracting work hand-in-hand in many cases. The budget has to be adjusted before an invoice is paid and it must draw from the same appropriation line. With the shutdown happening at the beginning of the fiscal year, agencies probably have money to pay the interest, but they will have less things to spend on during the year.”

Soltis said that over the last decade, through IPP and other electronic payment processing systems, the government has basically solved the problem of late payments to contractors, the very problem that led Congress to pass the Prompt Payment Act in 1982.

He said a lot of agencies may have to figure out how to calculate and pay the interest because it’s been so long since they’ve had to do it.

When is the invoice accepted?

Eric Crusius, a procurement attorney and partner with Hunton law firm, said he rarely hears from clients about prompt payment issues. But contractors need to be prepared to claim interest when the government reopens.

“If the invoice was submitted before the shutdown, then it’s supposed to be applied automatically,” he said. “I’d recommend first sending an email to the contracting officer about the interest that is due, and then lodge a claim with the contracting officer if they don’t accept it. Unless the contract has some other terms and conditions, usually there is a seven-day invoice acceptance period no matter if the government is open or not. Now, the government could make the argument that there wasn’t anyone there to receive the invoice or product or service. I’d recommend to make a claim and argue it should be automatically accepted.”

The issue of when the government “accepts” a company’s invoice is one of the biggest, and most concerning, questions that vendors need to understand.

Soltis said an agency accepting an invoice is usually dependent on how the contract is set up.

“There are specific terms in the contract for invoice acceptance and that is what would drive it. But in general, the contracting officer technical representative or contracting officer usually is the one that has to accept an invoice. And legally if the government doesn’t respond within seven days, it’s considered constructive receipt,” he said. “But a lot of times it’s later than that, and a lot of contractors don’t want to get a customer upset over when an invoice is officially accepted.”

Soltis said the issues become more complicated with products where there needs to be someone at a receiving dock or in the agency to accept the package, validate it and match it to the invoice.

In fact, Dell Technologies and its partner Carahsoft said in an email to a vendor supplier, which Federal News Network obtained, that the order placed by the supplier would be on hold until they receive confirmation that the agency customer will be on site to accept the delivery.

Vendors should document all expenses

Soltis said another challenge will be that agencies will face a backlog of invoices when they return to the office.

“Contractors who are holding their invoices could be sabotaging themselves. What people will tell you is to submit it and let the government sit on it. Then you can say you submitted it and the government delayed paying. But if you hold your invoices, then you can’t claim interest,” he said. “When the government reopens, I would have a meeting with all contractors and go through their issues to make sure we are on the same page. It’s a two-step process. First, what invoices need to be paid? Second, how do you get the contractors whole? Which ones need to get paid with interest? That will become a budget issue because you have to figure out where the money comes from, how to move it around and how to prioritize payments.”

The industry executive said they really don’t know when the clock starts for invoices on Sept. 30 or those submitted during the shutdown.

“If no one is there to accept the invoice, does it start when the government comes back?” the executive said. “Our success rate on getting prompt payment penalties is very small. The majority of the time the agency says they accepted the invoice on a specific date and that is when the clock starts. Sometimes, they will wait until day 28 or 30 and reject the invoice, which starts the clock over again. I feel like DoD takes advantage of rejecting it and forcing us to resubmit it, and then they have more time to accept it and then 30 days to pay it.”

Crusius said this is why it’s imperative for contractors to log their expenses and costs associated with their contracts during the entire shutdown.

“They can file claims when they need to, and with certain contracts there are ongoing expenses even if they have tried to pare them down. A lot of that will be dependent on whether they received a stop work order or had their contract scope reduced or received a termination for convenience,” he said. “Contractors have to be diligent in writing down their costs so they can try to collect them.”

The post Shutdown brings reemergence of prompt payment penalties first appeared on Federal News Network.

© Getty Images/iStockphoto/Morakot Kawinchan

A group of business people and lawyers discussing contract papers.

Yeske helped change what complying with zero trust means

The Cybersecurity and Infrastructure Security Agency developed a zero trust architecture that features five pillars.

The Defense Department’s zero trust architecture includes seven pillars.

The one the Department of Homeland Security is implementing takes the best of both architectures and adds a little more to the mix.

Don Yeske, who recently left federal service after serving for the last two-plus years as the director of national security in the cyber division at DHS, said the agency had to take a slightly different approach for several reasons.

Don Yeske is a senior solutions architect federal at Virtru and a former director of national security in the cyber division at the Homeland Security Department.

“If you look at OMB [memo] M-22-09 it prescribes tasks. Those tasks are important, but that itself is not a zero trust strategy. Even if you do everything that M-22-09 told us to do — and by the way, those tasks were due at the beginning of this year — even if you did it all, that doesn’t mean, goal achieved. We’re done with zero trust. Move on to the next thing,” Yeske said during an “exit” interview on Ask the CIO. “What it means is you’re much better positioned now to do the hard things that you had to do and that we hadn’t even contemplated telling you to do yet. DHS, at the time that I left, was just publishing this really groundbreaking architecture that lays out what the hard parts actually are and begins to attack them. And frankly, it’s all about the data pillar.”

The data pillar of zero trust is among the toughest ones. Agencies have spent much of the past two years focused on other parts of the architecture, like improving their cybersecurity capabilities in the identity and network pillars.

Yeske, who now is a senior solutions architect federal at Virtru, said the data pillar challenge for DHS is even bigger because of the breadth and depth of its mission. He said between the Coast Guard, FEMA, Customs and Border Protection and CISA alone, there are multiple data sources, requirements and security rules.

“What’s different about it is we viewed the problem of zero trust as coming in broad phases. Phase one, where you’re just beginning to think about zero trust, and you’re just beginning to adjust your approach, is where you start to take on the idea that my network boundary can’t be my primary, let alone sole line of defense. I’ve got to start shrinking those boundaries around the things that I’m trying to protect,” he said. “I’ve got to start defending within my network architecture, not just from the outside, but start viewing the things that are happening within my network with suspicion. Those are all building on the core tenets of zero trust.”

Capabilities instead of product focused

He said the initial zero trust strategy stopped there, at segmenting networks and protecting data at rest.

But to get to this point, he said agencies too often are focused on implementing specific products around identity or authentication and authorization processes.

“It’s a fact that zero trust is something you do. It’s not something you buy. In spite of that, federal architecture has this pervasive focus on product. So at DHS, the way we chose to describe zero trust capability was as a series of capabilities. We chose, without malice or forethought, to measure those capabilities at the organization, not at the system, not at the component, not as a function of design,” Yeske said. “Organizations have capabilities, and those capabilities are comprised of three big parts: People. Who’s responsible for the thing you’re describing within your organization? Process. How have you chosen to do the thing that you’re describing at your organization? And products. What helps you do that?”

Yeske said the third part is technology, which, too often, is intertwined with the product part.

He said the DHS architecture moved away from focusing on product or technology, and instead tried to answer the simple, yet complex, questions: What’s more important right now? What are the things that I should spend my limited pool of dollars on?

“We built a prioritization mechanism, and we built it on the idea that each of those capabilities, once we understand their inherent relationships to one another, form a sort of Maslow’s hierarchy of zero trust. There are things that are more basic, that if you don’t do this, you really can’t do anything else, and there are things that are really advanced, that once you can do basically everything else you can contemplate doing this. And there are a lot of things in between,” he said. “We took those 46 capabilities based on their inherent logical relationships, and we came up with a prioritization scheme so that you could, if you’re an organization implementing zero trust, prioritize the products, process and technologies.”

Understanding cyber tool dependencies

DHS defined those 46 capabilities based on the organization’s ability to perform that function to protect its data, systems or network.

Yeske said, for example, with phishing-resistant, multi-factor authentication, DHS didn’t specify the technology or product needed, but just the end result of the ability to authenticate users using multiple factors that are resistant to phishing.

“We’re describing something your organization needs to be able to do because if you can’t do that, there are other things you need to do that you won’t be able to do. We just landed on 46, but that’s not actually all that weird. If you look at the Defense Department’s zero trust roadmap, it contains a similar number of things they describe as capability, which are somewhat different,” said Yeske, who spent more than 15 years working for the Navy and Marine Corps before coming to DHS. “We calculated a 92% overlap between the capabilities we described in our architecture and the ones DoD described. And the 8% difference is mainly because the DHS one is brand new. So just understanding that the definition of each of these capabilities also includes two types of relationships, a dependency, which is where you can’t have this capability unless you first had a different one.”
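The prioritization Yeske describes, capabilities with dependency relationships arranged into a hierarchy so an organization can see what must come first, is a dependency graph problem. The following is an added illustration, not DHS code and not the 46 capabilities in the DHS architecture: the capability names and dependency edges are a constructed toy set, and `tier_capabilities`, `effective_capabilities` and `next_priorities` are hypothetical helper names. It layers the graph with Kahn's algorithm (tier 0 = no dependencies, each tier depends only on lower tiers), refuses a graph with a dependency cycle, credits an organization only for claimed capabilities whose dependencies are all in place, and lists the lowest-tier work items that are actually ready to be built.

```python
"""Dependency-driven prioritization of zero trust capabilities.

Added example, not DHS code. The capabilities and edges below are a
constructed toy set, not the DHS architecture's actual 46 capabilities.
"""
from collections import deque

# Constructed example: capability -> set of capabilities it depends on.
# "A depends on B" means the organization cannot credibly claim A until B exists.
CAPABILITIES = {
    "asset_inventory": set(),
    "identity_store": set(),
    "data_classification": set(),
    "mfa": {"identity_store"},
    "phishing_resistant_mfa": {"mfa"},
    "device_compliance_signal": {"asset_inventory"},
    "microsegmentation": {"asset_inventory"},
    "policy_engine": {"identity_store", "device_compliance_signal"},
    "data_tagging": {"data_classification"},
    "attribute_based_access": {"policy_engine", "phishing_resistant_mfa", "data_tagging"},
    "continuous_authorization": {"attribute_based_access"},
}


def tier_capabilities(graph):
    """Return {capability: tier}. Tier 0 has no dependencies; a capability's
    tier is 1 + the highest tier among its dependencies (layered Kahn's
    algorithm). Raises ValueError on an undefined dependency or a cycle."""
    indegree = {c: len(deps) for c, deps in graph.items()}
    dependents = {c: set() for c in graph}
    for c, deps in graph.items():
        for d in deps:
            if d not in graph:
                raise ValueError(f"{c} depends on undefined capability {d}")
            dependents[d].add(c)
    tier = {c: 0 for c, n in indegree.items() if n == 0}
    queue = deque(tier)
    while queue:
        c = queue.popleft()
        for child in dependents[c]:
            # All of child's dependencies are processed before child's
            # indegree reaches zero, so its tier is final at that point.
            tier[child] = max(tier.get(child, 0), tier[c] + 1)
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(tier) != len(graph):
        stuck = sorted(set(graph) - set(tier))
        raise ValueError("cycle in dependency graph: " + ", ".join(stuck))
    return tier


def effective_capabilities(graph, claimed):
    """Capabilities an organization can actually credit: a claimed capability
    counts only if every dependency, transitively, is also effective."""
    effective = set()

    def ok(c, path=()):
        if c in effective:
            return True
        if c not in claimed or c in path:
            return False
        if all(ok(d, path + (c,)) for d in graph[c]):
            effective.add(c)
            return True
        return False

    for c in claimed:
        ok(c)
    return effective


def next_priorities(graph, claimed):
    """Capabilities not yet effective whose dependencies are all effective,
    lowest tier first: the work that unblocks the most of what follows."""
    effective = effective_capabilities(graph, claimed)
    tier = tier_capabilities(graph)
    ready = [c for c in graph if c not in effective and graph[c] <= effective]
    return sorted(ready, key=lambda c: (tier[c], c))


if __name__ == "__main__":
    # Constructed self-assessment: the org claims ABAC but lacks its dependencies.
    claimed = {"identity_store", "mfa", "asset_inventory", "attribute_based_access"}
    for cap, t in sorted(tier_capabilities(CAPABILITIES).items(), key=lambda kv: (kv[1], kv[0])):
        print(f"tier {t}: {cap}")
    print("credited:", sorted(effective_capabilities(CAPABILITIES, claimed)))
    print("build next:", next_priorities(CAPABILITIES, claimed))
```

In the constructed self-assessment, the claimed `attribute_based_access` is not credited because its dependencies are missing, and the ready list starts with the tier 0 and tier 1 gaps rather than the advanced capability the organization said it had.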

Yeske said before he left DHS in July, the zero trust architecture and framework had been approved for use and most of the components had a significant number of cyber capabilities in place.

He said the next step was assessing the maturity of those capabilities and figuring out how to move them forward.

Yeske said the DHS architecture should be available to other agencies that are interested in this approach and want a copy.

The post Yeske helped change what complying with zero trust means first appeared on Federal News Network.

© Getty Images/design master

If the shutdown continues, more feds expecting ‘sick outs’

The decision by the Federal Aviation Administration to reduce air traffic by 10% across 40 “high-volume” markets beginning Friday morning isn’t just a reaction to the now longest partial government shutdown ever.

The FAA says it’s taking these drastic steps because it needs to maintain travel safety as air traffic controllers exhibit signs of strain. It also knows that air traffic controllers are starting to call out sick more often, creating this strain.

And air traffic controllers and Transportation Security Officers aren’t the only ones, though they may be the most well-known examples of federal employees working without pay during this partial shutdown. There are hundreds of thousands of others at the Social Security Administration, at the IRS, at the Centers for Medicare and Medicaid Services and dozens of other agencies who are in the same boat.

The decision to use sick leave or what some have referred to as a “sick out” is one way federal employees can pressure lawmakers into ending the shutdown.

A Federal News Network “pulse poll” taken over a 36-hour period earlier this week shows two-thirds of the 730 respondents say they believe more of their co-workers will call out sick more often if the lapse in appropriations continues deeper into November.

Source: FNN Pulse Poll Nov. 2025.

Federal News Network conducted an online poll from Nov. 4-6 of self-selected federal employees who said they are working during the partial government shutdown.

Aside from the few well-publicized strategic uses of sick leave like at the FAA or among TSOs, respondents say they have not necessarily noticed more federal employees calling out sick during the first month of the shutdown.

Source: FNN Pulse Poll Nov. 2025.

“As an excepted worker who must come in five days a week, I can’t take up a gig job like furloughed workers. I don’t think it’s a ‘sick out’ to protest, I think it’s people taking off to do part time jobs to start earning some money,” wrote one respondent.

Others say their time off has been to address the stress and anxiety of the current situation.

“My credit card balance is the highest it’s been since 2020. About to ask mom for a loan – USAA has them, but it’s a hard hit on your credit. I have a side hustle, but I have no time for it since I have to work every day. Been taking a lot of sick leave as mental health days,” wrote one respondent.

Joseph McCartin, a professor at Georgetown University and the executive director of the Kalmanovitz Initiative for Labor and the Working Poor, argued during the 2019 shutdown in American Prospect that a spontaneous sick out of federal workers in response to the 35-day partial shutdown may be warranted.

“Sick outs have long played an important role in the history of public sector labor relations. Because most state governments, like the federal government, prohibit strikes, public workers of all sorts have repeatedly turned in the past to sickouts when no other means of protest was available,” McCartin wrote. “They became so common in the inflation-ravaged 1970s, when public workers saw their pay outstripped by the skyrocketing cost of living, that they acquired creative names: Policemen called them the ‘blue flu,’ fire fighters the ‘red rash’ and teachers ‘chalk-dust fever.’”

The pressure on federal employees, especially those working without pay, is reaching a crescendo in many regards.

More than half of the respondents say they are “very concerned” about their personal finances, while another 23% say they are “somewhat concerned.”

“Everything is a stress. How do I pay my mortgage, buy food, pay for my car note and insurance, and not to mention gas to get to work? Then how long will it take to get out of this hole? I’ve almost depleted my savings. I don’t want to keep taking my credit union’s 0% interest paycheck loan. I’m tired of being a political pawn,” wrote one respondent.

Another said, “Day-to-day expenses are more difficult to manage. I am also in the process of obtaining a cash out [refinance] for other purposes but carrying higher than usual credit card balances and less than usual emergency funds may negatively impact the rate I receive.”

Source: FNN Pulse Poll Nov. 2025.

Of the 406 comments respondents offered about what financial hardships or belt tightening they are experiencing, the most common were reducing or changing their discretionary spending (12% of the respondents) and 11% said they are just trying to pay their bills and nothing else.

“We have not bought anything we don’t absolutely need and made minimum payments on bills. We have been cooking meals that are easier to spread out for many days, a lot of soup with beans and rice,” wrote one respondent.

Another said, “My emergency funds are running out and may have to get a loan to pay my bills.”

Other respondents said they were worried about not just what’s happening today, but how the post-shutdown environment will impact them too.

“As workloads increase, stress increases, but costs and expenditures continue. There have been cost increases to employees since the return to work, now as more people resign or leave, those duties and extra work is put on others but the people that get the extra work aren’t paid for the extra work. Paying bills is harder. My situation is a bit different. I just graduated with my Ph.D. And the government shutdown, furloughs, RIFS, etc. I am waiting to see what my student loans will be and that is pending a court injunction. I will have to find a second job or a better paying job just to cover everything,” said one respondent.

Several respondents said they have planned for these types of emergencies or are lucky enough that they have a spouse or partner in the private sector.

“I am fortunately still getting paid so just anxiety at this point in time but have put off purchasing items and getting repairs in case I am told I won’t be getting a paycheck or order to have money stockpiled,” wrote one respondent.

Another respondent wrote, “I am financially stable with a non-fed working spouse, a long time side gig, and successful personal finances. I could handle a shutdown for years if I had to, but I hate seeing my fellow workers struggle.”

The post If the shutdown continues, more feds expecting ‘sick outs’ first appeared on Federal News Network.

© AP Photo/Paul Sancya

FILE - Air Traffic Controllers stand outside distributing leaflets explaining how the federal government shutdown is impacting air travel at Detroit Metropolitan Wayne County Airport in Romulus, Mich., Oct. 28, 2025. (AP Photo/Paul Sancya, File)