As America’s strategic competitors advance their technological advantage, the U.S. must take action to avoid losing its edge, said the undersecretary of defense for research and engineering.
On Capitol Hill Thursday, Heidi Shyu told lawmakers at the House Armed Services Committee what the Defense Department must do to maintain its technological advantage. The first step, she said, is building a strong foundation for research and development within the department. The second, she said, is changing how DOD does business.
“Every strong structure needs to stand on a solid foundation to ensure this country retains our edge and fuels the future technologies and capabilities,” Shyu told lawmakers. “We must make a commitment to science and technology, particularly in basic research.”
Shyu said the department must, among other things, increase efforts to attract the best talent, must build more robust and necessary infrastructure for R&D, must perform joint experimentation and must do better at collaborating across the technology ecosystem.
“If we expect the department to attract the world’s best and brightest, to produce state-of-the-art technologies, we must modernize our laboratories and test ranges,” she said. “The future of the department depends on talented people, and we’re committed to developing this talent.”
As part of that commitment, she said, the department has invested in a variety of workforce, educational and research programs ranging from K-12 robotic systems to STEM scholarships and social science research.
The Defense Department has historically been a leader in R&D and still is. But now, in the U.S., the private sector’s capacity for R&D — without the DOD’s involvement — has exploded, Shyu said.
“As seen in Ukraine, novel commercial technology, paired with conventional weapons, can change the nature of conflict,” she said. “The department’s processes, ranging from programming, to experimentation, to collaboration, should be updated to reflect the dynamic landscape of today and anticipate the needs of tomorrow.”
The U.S. private sector, Shyu said, is America’s competitive advantage.
“We must focus on improving how the government and private sector work together,” she said. “I am committed to working with you to ensure the department can move as quickly as possible as it engages with the private sector, and the whole innovation ecosystem, to rapidly transition technology to future capabilities.”
The future of warfare could be determined by the Defense Department’s ability—or lack thereof—to quickly adopt emerging technologies.
Decades ago, the federal government and U.S. military drove nationwide technology advancements, funding countless cutting-edge initiatives that resulted in technologies like GPS and the internet.
Today, technology research and development funding is led by private sector companies, with federal agencies and the Defense Department serving as customers for—and not necessarily leaders in—cutting-edge technologies.
However, accessing, acquiring and employing new technologies spearheaded by startups and innovative technology firms has become increasingly problematic for a host of reasons for the Defense Department and government broadly, resulting in what’s been termed the “valley of death.”
To begin Season 13 of Critical Update, Nextgov spoke with Pete Modigliani, Software Acquisition Lead for the Office of the Undersecretary of Defense for Acquisition and Sustainment at MITRE, about how the Defense Department can bridge the valley of death and ensure warfighters today won’t miss out on technologies of the future.
May 13, 2022, 8:34 AM EDT. Updated on May 13, 2022, 9:52 AM EDT.
The US is readying new encryption standards that will be so ironclad that even the nation’s top code-cracking agency says it won’t be able to bypass them.
The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards.
“There are no backdoors,” said Rob Joyce, the NSA’s director of cybersecurity, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. An encryption algorithm developed by the NSA was dropped as a federal standard in 2014 amid concerns that it contained a backdoor.
The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today’s computers can’t. But it’s also one that the White House fears could allow the encrypted data that girds the U.S. economy – and national security secrets – to be hacked.
Scientists estimate viable quantum computing could arrive anywhere from five to 50 years from now, if ever.
The contest by the National Institute of Standards and Technology, or NIST, is intended to update the algorithms that underpin widespread public-key cryptography that secures emails, online banking, medical records, access to control systems, some national security work and more. That system, developed in the 1970s, allows for the private exchange of information by relying on publicly accessible algorithms. Announcement of the winners is imminent, officials said.
The Biden administration last week unveiled a plan to switch the entire US economy to quantum-resistant cryptography, which will rely on new NIST algorithms, as much “as is feasible by 2035.”
Joyce, of the NSA, said it was a question of “when, not if.” He is among those who worry U.S. adversaries are stealing and stockpiling encrypted data intended to remain secret for decades or more in anticipation of being able to unlock it when viable quantum computing arrives. China, for one, is pouring billions of dollars of investment into developing quantum computing, according to US researchers.
NIST, which started the post-quantum contest in 2016, has taken pains to stress independence in overseeing the public competition, which is now down to seven finalists from 69 initial viable submissions “from all over the world.” While the NSA has helped design and edit NIST standards in the past, this time the institute has made all decisions about the new algorithms internally, relying on the expertise of its post-quantum cryptography team, a NIST spokesperson told Bloomberg.
The NSA already has classified quantum-resistant algorithms of its own that it developed over many years, said Joyce. But it didn’t enter any of its own in the contest. The agency’s mathematicians, however, worked with NIST to support the process, trying to crack the algorithms in order to test their merit.
“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance,” Joyce said. “We’ve worked against all of them to make sure they are solid.”
The purpose of the open, public international scrutiny of the separate NIST algorithms is “to build trust and confidence,” he said.
Leaked documents from former NSA contractor Edward Snowden in 2013 revealed some of the NSA’s techniques for penetrating encryption and lent credence to allegations that the algorithm it created included a backdoor. Afterward, NIST revoked its support for the algorithm.
Choosing the algorithm is only a first step. NIST will then oversee an effort to turn the winning algorithms into public standards. The plan is to make them available in 2024 so that government and industry can adopt them.
The NIST spokesperson said the final standard will also be open to scrutiny for any weakness or flaws.
“The reason they take so long to standardize is our confidence in them is a function of how many hours really smart people are taking to try to break them,” said Charles Tahan, director of the national quantum coordination office at the White House, in an interview.
Immigration and Customs Enforcement has used facial recognition to search through the driver’s license photos of one in three adults in the U.S., according to a new report by Georgetown Law’s Center on Privacy and Technology.
Immigration and Customs Enforcement, or ICE, “now operates as a domestic surveillance agency,” according to a new report by Georgetown Law’s Center on Privacy and Technology based on a two-year investigation.
The report details how, since the agency was established in post-9/11 legislation, ICE has moved beyond cooperating primarily with other law enforcement agencies to assemble an infrastructure that enables it to pull detailed information on Americans, immigrants and non-immigrants alike, with data from private data brokers and state and local governments.
ICE’s “surveillance dragnet” also uses facial recognition, especially the scanning of driver’s license photos for immigration enforcement, according to the report, which involved hundreds of Freedom of Information Act Requests and reviews of the agency’s contracting and procurement records.
Between 2008 and 2021, ICE spent about $96 million on biometrics, a category that also includes fingerprinting and DNA testing, according to the report.
Currently, “there are few regulations limiting law enforcement’s use of face recognition generally and almost no regulations addressing ICE’s use of the technology,” the report states.
ICE did not reply to a request for comment on the report from FCW.
The use of facial recognition dates to a 2008 contract between the agency and biometrics company L-1 Identity Solutions, which gave ICE access to the face recognition database of the Rhode Island motor vehicle department, according to the report, which details ICE’s use of facial recognition searches of DMV databases.
ICE has used facial recognition tech to scan the driver’s license photos of one in three adults in the U.S., and since 2015, the agency has requested face recognition scans of DMV databases in at least 14 states, according to the report.
“The use of face recognition on DMV data is particularly egregious because people don’t expect to have their images and personal data be shared with other agencies. This is a betrayal of the trust that people put in their state agencies and needs to stop,” said Allison McDonald, research fellow at the center and one of the report’s authors, in a statement to FCW.
“This doesn’t mean that other, less covert uses of face recognition are unproblematic. There is ample evidence that face recognition is unreliable and biased, and is not a technology that should be used by police or immigration authorities,” she continued.
The report urges ICE to stop the use of facial recognition for immigration enforcement, pointing to concerns with race and gender bias in algorithms, the potential for misidentification and wrongful arrests and concerns about privacy and due process.
Since May 2020, ICE policy has prohibited the use of facial recognition tech in its Enforcement and Removal Operations, the report states, but not its Homeland Security Investigations.
ICE isn’t the only agency to tap into facial recognition technology.
A 2021 report from the Government Accountability Office surveyed 24 agencies to find that most were using the technology for either domestic law enforcement, cybersecurity or physical security. The General Services Administration, for example, is currently considering the use of facial recognition for Login.gov.
The agency’s surveillance work has occurred largely without judicial, legislative or public oversight, the report states. Most congressional leaders didn’t know about ICE’s use of facial recognition scans of DMV photos until media reports in 2019 – over a decade after the first known contract in 2008, the report states.
Another major source of information for the agency detailed by this investigation is data and algorithmic tools.
ICE has tapped into databases from private data brokers and state and local governments – often data given in order to get essential services, the report states, pointing to records from the Department of Motor Vehicles, as well as utility information, employment records and housing records.
In 16 states and the District of Columbia, for example, undocumented people can get drivers licenses. In six of those states, ICE has used facial recognition to scan driver’s license photos; in five, it can look for driver’s license information to use for civil immigration enforcement without a warrant.
The report also estimates that ICE can likely obtain address information for 74% of adults in the U.S. using utility records created when they tap into gas, electricity, phone or internet in a new home – information that can help trace people for deportation, the report states.
The sharing of data handed over to get essential services has already created evidence of a “chilling effect,” or the deterrence of immigrants from interacting with government systems and enrolling in critical services, the report states.
The report does include recommendations, urging Congress to reform immigration laws, enact new data protections, update laws that limit the disclosure of information given by Americans to the DMV and conduct more oversight of ICE, including the agency’s use of biometrics.
It also includes recommendations for state lawmakers on the use of water, gas, electricity, phone and internet records for immigration enforcement and on ICE access to DMV data.
The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.
It’s a Wild West out there for artificial intelligence. AI applications are increasingly used to make important decisions about humans’ lives with little to no oversight or accountability. This can have devastating consequences: wrongful arrests, incorrect grades for students, and even financial ruin. Women, marginalized groups, and people of color often bear the brunt of AI’s propensity for error and overreach.
The European Union thinks it has a solution: the mother of all AI laws, called the AI Act. It is the first law that aims to curb these harms by regulating the whole sector. If the EU succeeds, it could set a new global standard for AI oversight around the world.
But the world of EU legislation can be complicated and opaque. Here’s a quick guide to everything you need to know about the EU’s AI Act. The bill is currently being amended by members of the European Parliament and EU countries.
What’s the big deal?
The AI Act is hugely ambitious. It would require extra checks for “high risk” uses of AI that have the most potential to harm people. This could include systems used for grading exams, recruiting employees, or helping judges make decisions about law and justice. The first draft of the bill also includes bans on uses of AI deemed “unacceptable,” such as scoring people on the basis of their perceived trustworthiness.
The bill would also restrict law enforcement agencies’ use of facial recognition in public places. There is a loud group of power players, including members of the European Parliament and countries such as Germany, that want a full ban or moratorium on its use in public by both law enforcement and private companies, arguing that the technology enables mass surveillance.
If the EU manages to pull this off, it would be one of the strongest curbs yet on the technology. Some US states and cities, such as San Francisco and Virginia, have introduced restrictions on facial recognition, but the EU’s ban would apply to 27 countries and a population of over 447 million people.
How will it affect citizens?
In theory, it should protect humans from the worst side effects of AI by ensuring that applications face at least some level of scrutiny and accountability.
People can trust that they will be protected from the most harmful forms of AI, says Brando Benifei, an Italian member of the European Parliament, who is a key member of the team amending the bill.
After years of activists fighting to protect victims of image-based sexual violence, deepfakes are finally forcing lawmakers to pay attention.
The bill requires people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Lawmakers are also debating whether the law should set up a mechanism for people to complain and seek redress when they have been harmed by an AI system.
The European Parliament, one of the EU institutions working on amending the bill, is also pushing for a ban on predictive policing systems. Such systems use AI to analyze large data sets in order to preemptively deploy police to crime-prone areas or to try to predict a person’s potential criminality. These systems are highly controversial, and critics say they are often racist and lack transparency.
What about outside the EU?
The GDPR, the EU’s data protection regulation, is the bloc’s most famous tech export, and it has been copied everywhere from California to India.
The approach to AI the EU has taken, which targets the riskiest AI, is one that most developed countries agree on. If Europeans can create a coherent way to regulate the technology, it could work as a template for other countries hoping to do so too.
“US companies, in their compliance with the EU AI Act, will also end up raising their standards for American consumers with regard to transparency and accountability,” says Marc Rotenberg, who heads the Center for AI and Digital Policy, a nonprofit that tracks AI policy.
The bill is also being watched closely by the Biden administration. The US is home to some of the world’s biggest AI labs, such as those at Google AI, Meta, and OpenAI, and leads multiple different global rankings in AI research, so the White House wants to know how any regulation might apply to these companies. For now, influential US government figures such as National Security Advisor Jake Sullivan, Secretary of Commerce Gina Raimondo, and Lynne Parker, who is leading the White House’s AI effort, have welcomed Europe’s effort to regulate AI.
“This is a sharp contrast to how the US viewed the development of GDPR, which at the time people in the US said would end the internet, eclipse the sun, and end life on the planet as we know it,” says Rotenberg.
Despite some inevitable caution, the US has good reasons to welcome the legislation. It’s extremely anxious about China’s growing influence in tech. For America, the official stance is that retaining Western dominance of tech is a matter of whether “democratic values” prevail. It wants to keep the EU, a “like-minded ally,” close.
What are the biggest challenges?
Some of the bill’s requirements are technically impossible to comply with at present. The first draft of the bill requires that data sets be free of errors and that humans be able to “fully understand” how AI systems work. The data sets that are used to train AI systems are vast, and having a human check that they are completely error free would require thousands of hours of work, if verifying such a thing were even possible. And today’s neural networks are so complex even their creators don’t fully understand how they arrive at their conclusions.
Tech companies are also deeply uncomfortable about requirements to give external auditors or regulators access to their source code and algorithms in order to enforce the law.
“The current drafting is creating a lot of discomfort because people feel that they actually can’t comply with the regulations as currently drafted,” says Miriam Vogel, who is the president and CEO of EqualAI, a nonprofit working on reducing unconscious bias in AI systems. She also chairs the newly founded National AI Advisory Committee, which advises the White House on AI policy.
There’s also a giant fight brewing over whether the AI Act should ban the use of facial recognition outright. It’s contentious because EU countries hate it when Brussels tries to dictate how they should handle matters of national security or law enforcement. Several countries, such as France, want to make exceptions for using facial recognition to protect national security. In contrast, the new government of Germany, another big European country and an influential voice in EU decision making, has said it supports a full ban on the use of facial recognition in public places.
Another big fight will be over what kinds of AI get classified as “high risk.” The AI Act has a list that ranges from lie detection tests to systems used to allocate welfare payments. There are two opposing political camps—one fearing that the vast scope of the regulation will slow down innovation, and the other arguing that the bill as written will not do enough to protect people from serious harm.
Won’t this stifle innovation?
A common criticism from Silicon Valley lobbyists is that the regulation will create extra red tape for AI companies. Europe disagrees. The EU counters that the AI Act will only apply to the riskiest set of AI uses, which the European Commission, the EU’s executive arm, estimates would apply to just 5 to 15% of all AI applications.
Tech companies “should be reassured that we want to give them a stable, clear, legally sound set of rules so that they can develop most of AI with very limited regulation,” says Benifei.
Organizations that don’t comply face fines of up to €30 million ($31 million) or, for companies, up to 6% of total worldwide annual revenue. And experience shows that Europe is not afraid to dish out fines to tech companies. Amazon was fined €746 million ($775 million) in 2021 for breaching the GDPR, and Google was fined €4.3 billion ($4.5 billion) in 2018 for breaching the bloc’s antitrust laws.
When will it come into effect?
It will be at least another year before a final text is set in stone, and a couple more years before businesses will have to comply. There is a chance that hammering out the details of such a comprehensive bill with so many contentious elements could drag on for much longer. The GDPR took more than four years to negotiate, and it was six years before it entered into force. In the world of EU lawmaking, anything is possible.
While there’s no such thing as completely secure software, open source can make it stronger through the “power of the crowd,” said Lauren Knausenberger, the Air Force’s chief information officer.
The future of warfare could depend on the Defense Department’s ability to update weapons or communications systems with a software patch, and embracing open source software could help make that a reality.
That was a key point Lauren Knausenberger, the Air Force’s chief information officer, stressed Wednesday when testifying about the benefits of open source software.
“It is entirely possible that a future conflict to preserve our way of life is decided by features, fixes, and updates to software intensive systems that must take place in minutes or hours. And this means that we must learn quickly as a department and leverage the knowledge and best practices of the entire development community,” Knausenberger told the House Committee on Science, Space, and Technology’s Subcommittee on Investigations and Oversight and Subcommittee on Research and Technology on May 11.
While there’s no such thing as completely secure software, open source makes it stronger through the “power of the crowd,” Knausenberger said.
“The same concerns are there whether it’s commercial software or open source. But if it’s open source software, you have the power of the crowd looking at it and then you can also run your own tests internally because it is open code…you can redo the work yourself if you so choose,” she said.
Knausenberger prefaced her testimony on May 11, saying she was “bullish” on open source technology and noted that fewer eyes on commercial software’s source code could mean significant cybersecurity breaches go undetected for longer periods of time.
“With commercial software, you can’t see the source code. You do have situations where like with SolarWinds, you could have a sophisticated adversary come in, inject malware, and have it be months before anyone knows that there’s a problem,” the tech chief said.
“Whereas in the open source community we’ve seen with a number of examples that we just catch it faster, we can push it faster, we have more people trying to fix it faster and spread the word. Whereas the commercial side, you have some really smart companies working on it, but we might not know about it as soon.”
Brian Behlendorf, the general manager for the Open Source Security Foundation, a Linux Foundation project, testified that the open source community previously had a “buyer beware” reputation when it came to software security. And while things have changed culturally, resources will be needed to ensure proper oversight.
“Culturally speaking, there’s a greater emphasis on security in the open source software community. There used to be very much a perspective of caveat emptor: I’m just throwing this out there anyone who wants it is welcome to it, but buyer beware and let us know if you find any bugs,” Behlendorf said.
Now, he said, open source foundations formalize structured security or incident response teams for projects, sometimes using paid part-time or full-time security researchers dedicated to improving the underlying code, or utilize third-party audits before a product release.
“So it gives me a lot of hope. But there also is a very long tail that is getting longer and longer of very, very small components that … aggregated together create interesting things, but [are] where there’s perhaps less oversight.”
Behlendorf said there often aren’t enough “eyeballs” on open source projects, even the ones that are highly relied on, “so one thing we’re really trying to do is just make sure that we find the pieces that are critical, find the ones that are under-resourced then where we can direct resources of whatever form are required to increase the level of trust that we might have in that component.”
While it’s been discussed (if not urged) for many years, the Defense Department has been more vocal recently about embracing open source software. In January, DOD chief information officer John Sherman issued guidance on how to use open source software and the department’s security concerns, including the potential to create “a path for adversaries to introduce malicious code into DoD systems” alongside the “imprudent sharing of code developed for DOD systems.”
During her testimony, Knausenberger said vulnerabilities are a fact of life in software design.
“If there are no bugs found in a particular piece of software, it’s because no one’s looking,” she said. “It’s not because it’s perfect.”
The new protocol is officially being added to the Budapest Convention—an arrangement between 66 member-states—after four years of negotiations.
The United States has signed onto a new protocol under the first international treaty on the prevention of cybercrime that would, among other things, allow law enforcement to seek information directly from service providers with access to electronic evidence that can be used to catch criminals.
The new protocol is “specifically designed to help law enforcement authorities obtain access to such electronic evidence, with new tools including direct cooperation with service providers and registrars, expedited means to obtain subscriber information and traffic data associated with criminal activity, and expedited cooperation in obtaining stored computer data in emergencies,” reads a press release from the Justice Department Thursday. “All these tools are subject to a system of human rights and rule of law safeguards.”
Representatives are signing onto the “second additional protocol” to the convention Thursday at the Council of Europe, amid an international conference on enhanced cooperation and disclosure of electronic evidence in Strasbourg, France. According to the press release, officials from the U.S. departments of Justice and State spent almost four years negotiating the addition to the convention, which was adopted in November 2021.
“The Budapest Convention is a truly remarkable international instrument. Its technology-neutral approach to cybercrime has created an enduring framework for cooperation that ensures law enforcement has the tools they need to respond to new criminal methods,” said Deputy Assistant Attorney General Richard Downing, who signed the agreement on behalf of the U.S. government. “It is our collective vision that every country that is serious about fighting cybercrime and that provides for the protection of human rights should become party to the Budapest Convention. The Convention strikes the right balance between imposing obligations on nations to have robust laws and capabilities and providing the flexibility necessary for nations with different legal systems to join.”
China and Russia are notably not signed on to the Budapest Convention. The Justice Department release noted that the State Department’s Bureau of International Narcotics and Law Enforcement Affairs is a major funder of the Council of Europe Cybercrime Program, which works to increase the ranks of the treaty’s member countries.
The Budapest Convention was established in 2001. The first additional protocol added to the treaty concerned “the criminalisation of acts of a racist and xenophobic nature committed through computer systems.”
“As cybercrime proliferates, electronic evidence is increasingly stored in different jurisdictions,” Justice said. “The United States remains committed to the Budapest Convention as the premier international legal instrument for fighting cybercrime.”
With the release of Kubernetes 1.24 on May 4, for the first time, over five million Kubernetes developers can verify that the distributions they’re using are what they claim to be. That’s because with this release Kubernetes is adopting Sigstore for signing artifacts and verifying signatures. This is a major move forward for Kubernetes security.
As we all know, container supply chain security has become a critical issue. All too often software components are poisoned, and every program built on them withers and dies with them. Introduced last year, Sigstore is a free software signing service. It improves software supply chain security by making it easy to cryptographically sign release files, container images, and binaries. Once an artifact is signed, the signing record is kept in a tamper-proof public log. Sigstore is free to use for all developers and software providers. This gives software artifacts a safer chain of custody that can be secured and traced back to their source.
A Huge Step
One reason this is such a big deal, explained Tracy Miranda, head of open source at the developer security company Chainguard, is that it’s “a huge step in protecting the integrity of the Kubernetes ecosystem and demonstrates that code signing at an enormous scale is possible and frankly necessary due to the increase in supply chain attacks.”
It’s the ease of use that’s important here. We’ve long known that it was good security to cryptographically sign and verify programming elements, but most earlier cryptographic signature tools have either been too cumbersome or too confusing to use. Without easy-to-use tools to digitally sign their code, few developers are going to bother. That’s where Sigstore came in.
As Bob Callaway, a Google Staff Software Engineer and Sigstore project founder, said “We built Sigstore to be easy, free, and seamless so that it would be massively adopted and protect us all from supply chain attacks. Kubernetes’ choice to use Sigstore is a testament to that work.”
SLSA Compliance
The Kubernetes release team saw the importance of this effort. In early 2021, the crew began exploring Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) compliance to improve Kubernetes software supply chain security. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure the packages and infrastructure of your projects. Sigstore was a key project in achieving SLSA level 2 status and in getting a head start toward SLSA level 3 compliance, which the Kubernetes community expects to reach this August.
Sigstore Benefits
Sigstore also delivers a variety of benefits to the Kubernetes community, including:
Sigstore’s keyless signing gives a great developer experience and removes the need for painful key management.
Sigstore’s use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm charts, configuration files, and policy bundles) and OpenID Connect (OIDC), means it can integrate seamlessly with other tools and services.
The active, open source, vendor-neutral Sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard.
“Security is a never-ending journey, but each step delivered to decrease attackers’ ability to undermine the integrity of our supply chains is an important one,” said Tim Pepper, VMware’s Head of Open Source Technology Center and Kubernetes Steering Committee. Sigstore’s adoption by Kubernetes in its next release is a big step forward.
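To show what makes the public signing log described above tamper-evident, here is an added example (not Sigstore’s or Kubernetes’ own code) of a minimal append-only Merkle log with RFC 6962-style inclusion proofs, the construction that Rekor-style transparency logs are built on; the log entries and the artifact digest are constructed for the example.

```python
"""Minimal RFC 6962-style Merkle log with inclusion proofs (added example)."""
import hashlib
from typing import List, Tuple


def _leaf_hash(data: bytes) -> bytes:
    # Domain separation: leaves are hashed with a 0x00 prefix ...
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never pose as a subtree.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly smaller than n (RFC 6962 tree shape).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def _root(leaves: List[bytes]) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _node_hash(_root(leaves[:k]), _root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[bytes]:
    """Audit path (sibling hashes, leaf to root) for leaves[index]."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path (RFC 9162 2.1.3.2)."""
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False          # proof is longer than the tree allows
        if fn & 1 or fn == sn:    # current node is a right child
            r = _node_hash(p, r)
            if not fn & 1:        # skip levels where the node has no sibling
                while fn & 1 == 0 and fn != 0:
                    fn, sn = fn >> 1, sn >> 1
        else:                     # current node is a left child
            r = _node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


class TransparencyLog:
    """Append-only: entries can be added and proven, never edited in place."""
    def __init__(self) -> None:
        self._leaves: List[bytes] = []

    def append(self, entry: bytes) -> int:
        self._leaves.append(_leaf_hash(entry))
        return len(self._leaves) - 1

    def root(self) -> bytes:
        return _root(self._leaves)

    def proof(self, index: int) -> Tuple[int, int, List[bytes]]:
        return index, len(self._leaves), inclusion_proof(self._leaves, index)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine entry verifies, altered entry fails, stale root fails)."""
    log = TransparencyLog()
    for i in range(4):            # constructed filler entries
        log.append(b"entry-%d" % i)
    digest = hashlib.sha256(b"constructed release tarball").hexdigest()
    record = b"sha256:" + digest.encode() + b" signed-by:releaser@example.org"
    idx = log.append(record)
    root = log.root()
    index, size, path = log.proof(idx)
    ok = verify_inclusion(_leaf_hash(record), index, size, path, root)
    forged = record.replace(b"releaser", b"attacker")
    bad = verify_inclusion(_leaf_hash(forged), index, size, path, root)
    log.append(b"later entry")   # root moves on; old proof no longer matches new root
    stale = verify_inclusion(_leaf_hash(record), index, size, path, log.root())
    return ok, bad, stale
```

Anyone holding the root hash can check that a signing record is in the log, and no entry can be altered afterwards without every later root changing.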
Summary. Planning was one of the cornerstones of management, but it’s now fallen out of fashion. It seems rigid, bureaucratic, and ill-suited to a volatile, unpredictable world. However, organizations still need some form of planning. And so, universally valuable, but desperately unfashionable, planning waits like a spinster in a Jane Austen novel for someone to recognize her worth. The answer is agile planning, a process that can coordinate and align with today’s agile-based teams. Agile planning also helps to resolve the tension between traditional planning’s focus on hard numbers, and the need for “soft data,” or human judgment.
Planning has long been one of the cornerstones of management. Early in the twentieth century Henri Fayol identified the job of managers as to plan, organize, command, coordinate, and control. The capacity and willingness of managers to plan developed throughout the century. Management by Objectives (MBO) became the height of corporate fashion in the late 1950s. The world appeared predictable. The future could be planned. It seemed sensible, therefore, for executives to identify their objectives. They could then focus on managing in such a way that these objectives were achieved.
This was the capitalist equivalent of the Communist system’s five-year plans. In fact, one management theorist of the 1960s suggested that the best managed organizations in the world were the Standard Oil Company of New Jersey, the Roman Catholic Church and the Communist Party. The belief was that if the future was mapped out, it would happen.
Later, MBO evolved into strategic planning. Corporations developed large corporate units dedicated to it. They were deliberately detached from the day-to-day realities of the business and emphasized formal procedures around numbers. Henry Mintzberg defined strategic planning as “a formalized system for codifying, elaborating and operationalizing the strategies which companies already have.” The fundamental belief was still that the future could largely be predicted.
Now, strategic planning has fallen out of favor. In the face of relentless technological change, disruptive forces in industry after industry, global competition, and so on, planning seems like pointless wishful thinking.
And yet, planning is clearly essential for any company of any size. Look around your own organization. The fact that you have a place to work which is equipped for the job, and you and your colleagues are working on a particular project at a particular time and place, requires some sort of planning. The reality is that plans have to be made about the use of a company’s resources all of the time. Some are short-term, others stretch into an imagined future.
But executives are wary of planning because it feels rigid, slow, and bureaucratic. The Fayol legacy lingers. A 2016 HBR Analytics survey of 385 managers revealed that most executives were frustrated with planning because they believed that speed was important and that plans frequently changed anyway. Why engage in a slow, painful planning exercise when you’re not even going to follow the plan?
The frustrations with current planning practices intersect with another fundamental managerial trend: organizational agility. Reorganizing around small self-managing teams — enhanced by agility methods like Scrum and LeSS — is emerging as the route to the organizational agility required to compete in the fast-changing business reality. One of the key principles underpinning team-based agility is that teams autonomously decide their priorities and where to allocate their own resources.
The logic of centralized long-term strategic planning (done once a year at a fixed time) is the antithesis of an organization redesigned around teams who define their own priorities and resources allocation on a weekly basis.
But if planning and agility are both necessary, organizations have to make them work. They have to create a Venn diagram with planning on one side, agility on the other, and a practical and workable sweet-spot in the middle. This is why the quest to rethink strategic planning has never been more urgent and critical. Planning twenty-first century style should be reconceived as agile planning.
Agile planning has a number of characteristics:
frameworks and tools able to deal with a future that will be different;
the ability to cope with more frequent and dynamic changes;
the need for quality time to be invested for a true strategic conversation rather than simply being a numbers game;
resources and funds are available in a flexible way for emerging opportunities.
The intersection of planning with organizational agility generates two other paramount requirements:
A process able to coordinate and align with agile teams
Agile organizations face the challenge of managing the local autonomy of squads (bottom-up input) consistently with a bigger picture represented by the tribe’s goals and by cross-tribe interdependencies and the strategic priorities of the organization (top-down view). Governing this tension requires new processes and routines for planning and coordination.
Consider the Dutch financial services firm ING Bank. It restructured its operations in the Netherlands by reorganizing 3,500 employees into agile squads. These are autonomous multidisciplinary teams (up to nine people per team) able to define their work and make business decisions quickly and flexibly. Squads are organized into a Tribe (of no more than 150 people), a collection of squads working on related areas.
ING Bank revisited its process and introduced routine meetings and formats to create alignment between and within tribes. Each tribe develops a QBR (Quarterly Business Review), a six-page document outlining tribe-level priorities, objectives and key results. This is then discussed in a large alignment meeting (labelled the QBR Marketplace) attended by tribe leads and other relevant leaders. At this meeting one fundamental question is addressed: when we add up everything, does this contribute to our company’s strategic goals?
The alignment within a tribe happens at what is called a Portfolio Marketplace event: representatives of each of the squads which make up the tribe come together to agree on how the set goals are going to be achieved and to address opportunities for synergies.
The ING Bank example shows how the planning process is still necessary and essential to an agile company although in a different fashion with different processes, mechanisms and routines.
As more and more companies transform into agile organizations, agile planning will likely become the new normal replacing the traditional centralized planning approach.
A process that makes use of both limitless hard data and human judgment
Planners have traditionally been obsessed with gathering hard data on their industry, markets, competitors. Soft data — networks of contacts, talking with customers, suppliers and employees, using intuition and using the grapevine — have all but been ignored.
From the 1960s onwards, planning was built around analysis. Now, thanks to Big Data, the ability to generate data is pretty well limitless. This does not necessarily allow us to create better plans for the future.
Soft data is also vital. “While hard data may inform the intellect, it is largely soft data that generate wisdom. They may be difficult to ‘analyze’, but they are indispensable for synthesis — the key to strategy making,” says Henry Mintzberg.
Companies need first to imagine possibilities and second, pick the one for which the most compelling argument can be made. In deciding which is backed by the most compelling argument, they should indeed take into account all data that can be crunched. But in addition, they should use qualitative judgment.
In an agile organization, teams use design thinking and other exploratory techniques (plus data) to make rapid decisions and change course on a weekly basis. Decision making is done by a team of people, offsetting in this way the potential biases of a single person deciding on her individual judgment. To some extent, an agile team-based organization makes it possible to leverage qualitative data and judgment — combined today with infinite hard data — for better decisions.
Relying solely on hard data has unquestionably killed many potential great businesses. Take Nespresso, the coffee pod pioneer developed by Nestle. Nespresso took off when it stopped targeting offices and started marketing itself to households. There was little data on how households would respond to the concept and whatever information was available suggested a perceived consumer value of just 25 Swiss centimes versus a company-wide threshold requirement of 40 centimes. The Nespresso team had to interpret the data skillfully to present a better case to top management. Because it believed strongly in the idea, it forced the company to take a bigger-than-usual risk. If Nestle had been guided solely by quantitative market research the concept would never have gotten off the ground.
The traditional planning approach needs to be revisited to better serve the purposes of the agile enterprise of the twenty-first century. Agile planning is the future of planning. This new approach will require two fundamental elements. First, replacing the traditional obsessions on hard data and playing the numbers-game with a more balanced co-existence of hard and soft data where judgment also plays an important role. Second, introducing new mechanisms and routines to ensure alignment between the hundreds of self-organizing autonomous local teams and the overarching goals and directions of the company.
Alessandro Di Fiore is the founder and CEO of the European Centre for Strategic Innovation (ECSI) and ECSI Consulting. He is based in Boston and Milan. He can be reached at adifiore@ecsi-consulting.com. Follow him on Twitter @alexdifiore.
Making the decision to engage your business in government contracting at the local, state or national level can admittedly be overwhelming, particularly for those new to the process. However, the potential benefits should outweigh the hesitations. According to an American Express OPEN survey, 57 percent of businesses noted their revenue grew significantly because of government contracting, at an average rate of 61 percent. This advisory provides a high-level overview of the process with a focus on federal government contracting, which is far and away the largest source of government contracting.
United States federal government contracting is an enormous business both nationwide and internationally, with total contract spending value in the hundreds of billions annually. In fact, the U.S. government is the single largest procurer of goods and services in the world. While the Department of Defense (DOD) accounts for most of the federal service and product acquisitions, there are myriad industries that are engaged in contracting with the U.S. government, providing products and services that range from paper clips to missile defense systems. Nevertheless, to take part in this seemingly endless source of opportunity, your business will want to make sure it is well prepared prior to embarking.
Complete Regulatory Basics
Any business legitimately (and legally) capable of doing business with the federal government must have a few basic regulatory tasks initially completed. To start, the government requires any potential contractor register its business with Dun & Bradstreet (D&B) and the System for Award Management (SAM).
The D&B system utilizes a nine-digit unique identifier number to manage a company’s credit profile so lenders and potential customers or business partners can better ascertain a company’s reliability and financial stability.
The SAM is the government’s central registration repository for all businesses, both large and small. However, before a business begins completing the D&B or SAM registrations, a business needs to be aware of its North American Industrial Classification System (NAICS) code. The purpose of the NAICS is to provide the government with a uniform method of classifying its purchases so it can track spending for reporting, funding and budgeting. Prior to tendering a bid or proposal, a prospective contractor must register with the SAM.
Broadly speaking, the SAM will require a contractor to:
Register under the company’s Data Universal Numbering System (DUNS) number;
List the NAICS Code applicable to the type of work the contractor performs;
Complete representations and certifications contained in the Federal Acquisition Regulation (FAR);
Identify the contractor’s bank account; and
Provide background information regarding the contractor.
Notably, a company’s information included in the SAM must be updated annually or whenever previously provided information changes.
Furthermore, any contracts awarded by the federal government must first be approved by the federal government’s Contracting Officer (CO). A CO will only approve, in its discretion, what it determines to be responsible contractors. Specifically, the government will not enter into a contract with any business that:
owes back taxes
has a current or pending legal judgment with the government
does not have a checking account
is on the government’s excluded parties list
hasn’t completed the basic regulatory requirements for doing business with the government
Before moving on to the next step, potential contractors will want to ensure they have completed the above-mentioned registrations and completed a self-diagnostic on their business to identify and address any potential hindrances, including those listed above, that may currently exist.
Finding an Opportunity
The process for seeking business from the federal government is largely comparable to the process of obtaining business in the private sector. As in the private sector, marketing a service or product to the government depends on identifying relevant markets and potential government customers suited to your business’s capabilities.
In the realm of federal government contracting, there are numerous sources available to help pinpoint opportunities suited for your business. Below are some of the main portals of entry into federal government contracting opportunities.
GSA Schedule Obtaining a General Services Administration (GSA) schedule contract is perhaps the most common form of federal government contract. The GSA is the “acquisition arm” of the federal government, playing a key role in connecting the private sector with the relevant federal agency seeking a fulfillment need. Any person/entity interested in selling their products and services to the federal government should prepare by making sure they have satisfied the applicable requirements and registering in the appropriate systems. Any prospective vendor who wishes to be included on a GSA Schedule can find more information here. The primary contract vehicle is the GSA Schedules, or Multiple Award Schedules, program. Additionally, any prospective vendor should develop a sales and marketing strategy for how that vendor will be targeting specific government contracts.
To be eligible for a GSA Schedule contract, a vendor must have been in business for at least two years and be able to provide two years’ worth of financial statements. In this regard, a company must be able to demonstrate it has measurable past performance. If a company does not have previous federal contracting experience, it may use federal and non-federal references from six or more previous customers, in part to obtain a past performance and evaluation Open Ratings report through Dun & Bradstreet.
FedBizOpps Federal Business Opportunities (FedBizOpps) is a point of entry for business to seek out federal government contracting opportunities with a value of over $25,000.
GWACs The federal government is a massive purchaser of hardware, software and related services through Governmentwide Acquisition Contracts (GWAC).
Subcontracting Another way to get involved in federal government contracting, albeit indirectly, is to serve as a subcontractor for a company that has been awarded a government contract (known as the “prime contractor”). Agencies may provide information on their websites about firms to which they have awarded contracts. As an example, the GSA and SBA maintain subcontracting directories and databases. Subnet is another database of subcontracting opportunities. Other potentially useful sources of information include trade and business publications, the SAM website, company websites, and the Federal Procurement Data System (FPDS). Information obtained from these resources might indicate which companies have received, or plan to receive, government contracts.
One note before moving ahead: take the time to thoroughly research a potential contract opportunity and plan your “elevator pitch” and capability statement for said opportunity before making an offer. It will pay off in the long run.
Offering on a Contract
After you have completed the necessary registrations and found an opportunity that fits your business, you are ready to jump into the offer pool. There are two types of offers when it comes to government contracts – bids and proposals. Bids are generally used in sealed bidding purchases, while proposals usually involve contract awards to be made following a negotiation process. Three of the main offer types are briefly described below:
Request for Quotation (RFQ): An RFQ is generally used for proposed contracts with a value of less than $150,000. The benefit is that this method is usually relatively simple and focuses mainly on price and delivery capabilities.
Request for Proposal (RFP): Typically for acquisitions sought with larger values than an RFQ, a potential contractor will be required to provide additional details about how they would be able to complete a specific project or develop a specific product.
Invitation for Bid (IFB): In a similar vein to an RFP, an IFB is generally used for projects with a value of over $100,000. Potential contractors submit a sealed solicitation/bid for government procurement. This process typically does not involve any outside negotiation between a potential contractor and the government vendor seeking the acquisition.
It is crucial that the information provided in an offer (whether it is for an RFQ, RFP, IFB, or otherwise) is factually sound and inclusive of any pertinent material a CO would need to make its evaluation. A company will want to provide as much information as possible without overwhelming the CO. However, make sure not to overpromise on any proposal, particularly related to technical specifications (if required), as this will become part of the contract in the event your proposal is selected.
Submit an Offer
Once you have identified an opportunity, double-checked everything included in your bid and/or proposal and satisfied all the rules for the submission process, you are ready to submit your offer. As a parting word of advice, do not make the mistake of assuming that offering the lowest price is the key to winning a government contract. A company’s experience and history of providing excellent service in its respective field is as important, if not more important, than the actual offer value.
The evaluation and award process begins when a government procurer receives bids/offers. This process can vary greatly in timing (often between 30 and 120 days) and in the ultimate acceptance of a bid. Stay patient, be prepared to provide any necessary follow-up information, keep in regular contact with the assigned CO (without being too pushy), and continue to set your business up for success should your offer be accepted.
The information provided in this advisory is a starting point to prepare your business for contracting with the federal government.