MARCH MEMBERSHIP MADNESS!!

Dear GTSC Members and Friends,

It’s that exciting time of year when I hammer your inboxes during our Annual Membership Drive! Excited?!

Well, it could all end – with your help.

As most of you know, GTSC was founded four years ago by small businesses that were concerned about their voice in homeland and national security. They felt that the organizations, opportunities, and engagements in the Federal market did not represent their needs or pain points.

Together with our initial and subsequent members, we have built – brick by brick – an authentic, devoted, mission-focused organization that represents the journey of a successful small business: initial launch, expansion and growth, success to join the mid-tier league of “other than small” and finally, graduation to a mentor-size company.

In addition to the trusted environment we’ve created around our commitment to your business success, we have also developed projects and opportunities to forward significantly the Federal homeland and national security mission. Personnel security clearance, data breaches, cyber security, information sharing, de-briefs, market research and the RFI process – all of these project areas reflect our members’ unique position as both a partner, and a part of the supply chain of our security.

Thank you to all of our fabulous members who have made this journey possible. We hope you will take this opportunity to refer new members and help us grow to meet the increased demands of our success. We will make it worth their while.

You can refer new potential members to me, or to Anne Crossman, President of Vertical Jobs, who has graciously offered to Chair our membership efforts.  And, if you’re the stellar member who refers companies who join in March — you may win an iPad Mini!!

Thank you again for your support and I look forward to a slew of new members during March Membership Madness!!

Yours,

Kristina

Beating the Cyber Security Drum

Every year, the Government Technology & Services Coalition beats the drum of cyber security – particularly during October’s Cyber Security Awareness Month.

We pull out the cute little monster virus icons, we parade a series of sessions, webinars and blogs about the perils of ignoring cyber security, and try to provide some tangible steps for small firms – or really ALL firms — to implement to be responsible partners to their Federal clients.

There is still quite a bit of complacency — but the threat – to our nation and to our assets is very real. Most recently, the Senate Armed Services Committee found that Chinese government hackers have repeatedly infiltrated the computer systems of major U.S. companies including government contracting firms of all sizes – to find out about the movement of U.S. troops and military equipment.

U.S. Transportation Command, or Transcom, was aware of only two of the intrusions. Gaps in reporting requirements and a lack of information sharing left the U.S. military largely unaware of the computer compromises of its contractors.

What the Senate Armed Services Committee really found – is that cyber security, information sharing, defending our systems MATTERS NOW.  And that protecting “our systems” is protecting a complex ecosystem of both public and private entities enmeshed through so many access points it is virtually impossible to untangle them all. Detecting the patterns of attack requires a complex collaboration between government and industry.

Although efforts to address cyber security are still “in process” – for contractors the writing is on the wall.

Currently – cyber security is still “voluntary.” To satisfy President Obama’s Executive Order on Improving Critical Infrastructure Cyber security – this year we saw the release of two reports that map out the future of cyber in procurement: the DOD-GSA report on Improving Cybersecurity and Resilience through Acquisition and NIST’s Cyber Security Framework — a description of what should be in a cyber security program.

The “mandatory” is coming: late last year, DOD required companies handling ‘unclassified controlled technical information’ to implement security controls and report incidents within 72 hours of discovery. This is only the beginning.

Lawmakers are using the tools at their disposal to tighten up security through procurement — a provision was added to the annual National Defense Authorization Act to tighten requirements for defense contractors to report cyber attacks by known or suspected government actors.

So, everyone is – or should be — preparing. But there are still important questions like, “when are my systems ‘secure’? what happens when I am the victim of an attack? What if I’ve done all the right things?”

To find some answers, most contractors are watching the examples. USIS – a government contracting firm that performed background investigations for the government – is currently front page news. After detecting a breach, the company reported it to the Department of Homeland Security. Subsequently their contracts pertaining to background checks with both DHS and OPM were suspended.

At first blush, that sends an ominous message. However, the reality of “cyber” is that every company is vulnerable and every company from Lockheed Martin to the much smaller USIS has fallen victim to hackers, breaches, attacks of one kind or another.

What we are learning every day is that partnerships – BEFORE an attack – will make or break our success. And that “waiting” is not a strategy.

So you’re probably thinking, well that’s all well and good Kristina. What does it mean for me?

It means that if you are working with Federal clients, this is that moment when you look up from the weeds to see the trees:

FIRST: Join the FBI’s InfraGard – or have your CISO join. The public private partnership’s mission is to protect the critical infrastructure of the United States and its roots rest squarely in cyber – protecting our digital infrastructure. They provide invaluable alerts, lots of training and information to assure you are ahead of the curve and know who to call, when.

SECOND: Join an organization, network, information sharing exchange that will educate you about the cyber requirements coming down the pike. Learn what is required – and build your cyber security practices beyond that. Cyber security is a new cost of doing business with the Federal government and you need to be ahead of the curve.

THIRD: Use the free resources available to you to develop your cyber plan and educate your employees. GTSC has a slate of resources available to help small and mid-sized companies educate their employees, and the FCC has developed a free cyber security planner for business. StaySafeOnline.org has resources and information to educate your workforce. The resources are there – you just need to use them.

Kristina Tanasichuk is CEO and founder of the Government Technology & Services Coalition. She is also President and founder of Women in Homeland Security and Executive Vice President of the InfraGard National Capital Members Alliance. She has worked in homeland security and domestic infrastructure for nearly 20 years.

When Businesses Encourage Family Preparedness, Community Resilience Improves

Your business continuity plan could be compromised if your employees and their families are unprepared to keep their families and pets safe after a disaster. According to a 2012 poll by Adelphi University Center for Health Innovation, almost half of all Americans have no family disaster plan or supplies, making it very likely that some of your employees are unprepared.

Preparedness Gaps

  • 44% of Americans do not have a first-aid kit.
  • 48% of Americans do not have emergency supplies.
  • 42% of Americans don’t know the phone numbers of immediate family members.

Improving the Speed of Recovery

In order to return to normal as soon as possible after a disaster, communities need businesses open and employees at work. That’s why it’s vital that you work with employees, especially any that are essential for business continuity and resilience, to develop a family preparedness plan.

Most of the 48% of Americans without emergency supplies think it’s a good idea to have supplies and a plan, but they keep putting it off. By incorporating family preparedness into the culture of preparedness you promote for the business, you provide people with information and a framework to make emergency planning a priority at home and at the office.

5 Ways to Encourage Employees to Develop a Family Emergency Plan

  1. Hand out checklists that employees can take home to make sure they have everything needed in an emergency.
  2. Distribute information about family preparedness as part of new employee orientation and post useful links on the company intranet.
  3. Conduct a lunchtime training session about family preparedness, where people can ask questions and share ideas.
  4. During your annual (or more frequent) business continuity planning review, send a reminder to employees and include the checklists and links. Remind everyone to inspect family go-kits for expired items.
  5. Ask any employees who are essential to your business continuity plan to confirm that they have a family plan and emergency supplies.

Strengthen your business continuity planning by encouraging family preparedness for your employees. Everyone will be better off for it.

Contributing Author

Lilly Harris is the CEO of MSA, Inc., a small, economically disadvantaged, woman-owned small business that delivers expertise and knowledge in Professional Services, Systems Test Evaluation and Support, and Emergency Management to more than thirty federal and commercial clients.

H.R. 5230: SECURE THE SOUTHWEST BORDER SUPPLEMENTAL APPROPRIATIONS ACT, 2014

On Friday, August 1, the House voted 223-189 in favor of H.R. 5230, known as the “Secure the Southwest Border Supplemental Appropriations Act, 2014.” The $694M bill, now headed to the Senate, includes:

Funding Proposals

  • $405M for Department of Homeland Security (DHS) to boost border security and law enforcement measures.
  • $22M to accelerate judicial proceedings for immigrants.
  • $70M for National Guard border efforts: $35M for the federal deployment of the Guard, and $35M for reimbursing states for their use of the Guard on the southern border.
  • $197M for the Department of Health and Human Services (HHS) to provide temporary housing and humanitarian assistance to unaccompanied minors.
  • $40M in repatriation assistance to Guatemala, Honduras, and El Salvador (redirected from within existing foreign aid for Central American countries so that these repatriation activities are immediately prioritized).

Policy Proposals

  • Amends the Trafficking Victims Protection Reauthorization Act of 2008 so all unaccompanied alien children (UACs) are treated the same as Mexicans and Canadians for the purpose of removals. UACs who have a credible fear of persecution or who have been trafficked must appear before an immigration judge within 14 days of their initial screening and shall be detained until their appearance.
  • Provides authority for the Secretary of State to negotiate agreements with foreign countries regarding UAC, which include protections for children who are returned to their country of nationality.
  • Includes a “last-in, first-out” policy that prioritizes the removal of minors that most recently arrived.
  • Authorizes additional temporary judges to help address the increase in traffic on the southern border.
  • Changes the Immigration and Nationality Act to strengthen the law prohibiting criminals with serious drug related convictions from applying for asylum.
  • Prohibits the Secretary of the Interior or the Secretary of Agriculture (USDA) from denying or restricting U.S. Customs and Border Protection (CBP) activities on federal land under their respective jurisdictions.
  • Authorizes the deployment of the National Guard to the southern border.
  • Expresses the “Sense of Congress” that the Secretary of Defense should not house unauthorized aliens at military installations unless certain specific conditions are met.
  • Prohibits the housing of unauthorized immigrants on military bases if the use of the military installation will displace members of the Armed Forces on active duty or interfere with military activities at the installation.

 

Read the full report here.

 

Contributing Author

Spencer King is the GTSC U.S. Intelligence Community Fellow. Spencer studied at Audencia Nantes Ecole de Management and at Shenandoah University, where he graduated Cum Laude. Spencer was the president of the Student Government Association at Shenandoah University. At Shenandoah University, he worked for the university president’s office on lobbying, governance, and special projects. Spencer also interned at Wolf Trap, where he facilitated strategic planning, government relations, special initiatives, and board relations/operations.

OIG: Contractor Increases Vulnerabilities in Medicaid Processing System

The Office of the Inspector General (OIG) released a report entitled “Weaknesses in Molina Medicaid Solutions’ Information System General Controls Over Idaho’s Medicaid Claims Processing System Increase Vulnerabilities”. The OIG inspection of the Idaho Department of Health and Welfare Medicaid in the spring has extended to one of its contractors, Molina Medicaid Solutions. OIG highlighted 19 weaknesses in different parts of the Idaho Department of Health and Welfare Medicaid Solution claims processing system this April. Similar to the Idaho audit, OIG found 21 weaknesses in the Molina system controls and distributed 6 consolidated findings into 3 categories: access controls, configuration management and security management.

In terms of access controls, OIG found issues with user authentication for remote network access, inadequate password history policy, and inadequate encryption of network passwords. In response to the OIG report, Molina said that it had proper authentication methods but would focus on encrypting passwords. OIG found Molina’s policy and protocols for network access and configuration for devices appeared to be deficient. The OIG identified a total of 9 weaknesses in the configuration management category, so Molina decided to review its device and network configurations as well as patch management procedures.

The report states that Molina does not have a system for taking inventory of portable devices. Molina will now provide employee security education and training updates, and change its background check policies as well. While OIG does not think that the addressed weaknesses have been exploited at this point, such weaknesses could lead to compromised patient data within the Medicaid system at some point if the issues are not resolved. OIG made 6 recommendations that Idaho must impress upon Molina. These recommendations were:

  1. Implement stronger user authentication for remote network access, strengthen password history policy, and use a secure method to store encrypted network passwords
  2. Implement secure configuration settings for network devices
  3. Implement policies and procedures to secure Medicaid claims database
  4. Implement policies for its patch management program
  5. Implement policies and procedures to periodically review and account for inventory of all portable devices and identify the custodian of the devices
  6. Implement policies and procedures for annual security awareness training and adequate policies and procedures for terminated and transferred employees and for background checks of employees

 

Read the full report here.

Contributing Author

Gabriella Miroglio is the GTSC Government Affairs intern. Gabriella studied at the University of California, Santa Barbara, where she earned a B.A. in Political Science with an emphasis in Comparative Politics. During college she interned with Boxer and Gerson LLP and volunteered with Phi Alpha Delta, the pre-law fraternity. In addition to internships, she has also worked for UCSB’s Annual Fund and the Disabled Students Program. Gabriella was also a National Honors Scholar in high school, and completed over 100 hours of community service.

Privacy and Civil Liberties Oversight Board Releases Report on NSA Data Collection Program

The Privacy and Civil Liberties Oversight Board (PCLOB) released its report on telephone record surveillance under Section 702 of the Foreign Service Intelligence Act. The report was precipitated by a public hearing held after the release of a report on the Section 215 telephone records program and the operation of the FISA court. The analysis is based upon the evaluation of compliance with the statute of Section 702, and the Fourth Amendment. Additionally, attempting to address the treatment of non-U.S. persons in U.S. surveillance programs, the Board reviewed the International Covenant on Civil and Political Rights (ICCPR) and Presidential Policy Directive 28 on Signals Intelligence (PPD-28). The Board identified several areas where privacy could be threatened, and made 10 recommendations:

  1. Targeting and Tasking: The NSA’s targeting procedures should be revised to (a) specify criteria for determining the expected foreign intelligence value of a particular target, and (b) require a written explanation of the basis for that determination sufficient to demonstrate that the targeting of each selector is likely to return foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. The NSA should implement these revised targeting procedures through revised guidance and training for analysts, specifying the criteria for the foreign intelligence determination and the kind of written explanation needed to support it. We expect that the FISA court’s review of these targeting procedures in the course of the court’s periodic review of Section 702 certifications will include an assessment of whether the revised procedures provide adequate guidance to ensure that targeting decisions are reasonably designed to acquire foreign intelligence information relevant to the subject of one of the certifications approved by the FISA court. Upon revision of the NSA’s targeting procedures, internal agency reviews, as well as compliance audits performed by the ODNI and DOJ, should include an assessment of compliance with the foreign intelligence purpose requirement comparable to the review currently conducted of compliance with the requirement that targets are reasonably believed to be non-U.S. persons located outside the United States.
  2. U.S. Person Queries: The FBI’s minimization procedures should be updated to more clearly reflect actual practice for conducting U.S. person queries, including the frequency with which Section 702 data may be searched when making routine queries as part of FBI assessments and investigations. Further, some additional limits should be placed on the FBI’s use and dissemination of Section 702 data in connection with non–foreign intelligence criminal matters.
  3. U.S. Person Queries: The NSA and CIA minimization procedures should permit the agencies to query collected Section 702 data for foreign intelligence purposes using U.S. person identifiers only if the query is based upon a statement of facts showing that the query is reasonably likely to return foreign intelligence information as defined in FISA. The NSA and CIA should develop written guidance for agents and analysts as to what information and documentation is needed to meet this standard, including specific examples.
  4. FISC Role: To assist in the FISA court’s consideration of the government’s periodic Section 702 certification applications, the government should submit with those applications a random sample of tasking sheets and a random sample of the NSA’s and CIA’s U.S. person query terms, with supporting documentation. The sample size and methodology should be approved by the FISA court.
  5. FISC Role: As part of the periodic certification process, the government should incorporate into its submission to the FISA court the rules for operation of the Section 702 program that have not already been included in certification orders by the FISA court, and that at present are contained in separate orders and opinions, affidavits, compliance and other letters, hearing transcripts, and mandatory reports filed by the government. To the extent that the FISA court agrees that these rules govern the operation of the Section 702 program, the FISA court should expressly incorporate them into its order approving Section 702 certifications.
  6. Upstream & “About” Collection: To build on current efforts to filter upstream communications to avoid collection of purely domestic communications, the NSA and DOJ, in consultation with affected telecommunications service providers, and as appropriate, with independent experts, should periodically assess whether filtering techniques applied in upstream collection utilize the best technology consistent with program needs to ensure government acquisition of only communications that are authorized for collection and prevent the inadvertent collection of domestic communications.
  7. Upstream and “About” Collection: The NSA periodically should review the types of communications acquired through “about” collection under Section 702, and study the extent to which it would be technically feasible to limit, as appropriate, the types of “about” collection.
  8. Accountability and Transparency: To the maximum extent consistent with national security, the government should create and release, with minimal redactions, declassified versions of the FBI’s and CIA’s Section 702 minimization procedures, as well as the NSA’s current minimization procedures.
  9. Accountability and Transparency: The government should implement five measures to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program. Specifically, the NSA should implement processes to annually count the following: (1) the number of telephone communications acquired in which one caller is located in the United States; (2) the number of Internet communications acquired through upstream collection that originate or terminate in the United States; (3) the number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work; (4) the number of queries performed that employ U.S. person identifiers, specifically distinguishing the number of such queries that include names, titles, or other identifiers potentially associated with individuals; and (5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals. These figures should be reported to Congress in the NSA Director’s annual report and should be released publicly to the extent consistent with national security.
  10. Efficacy: The government should develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs.

Read the full report here.

Contributing Author

Spencer King is the GTSC U.S. Intelligence Community Fellow. Spencer studied at Audencia Nantes Ecole de Management and at Shenandoah University, where he graduated Cum Laude. Spencer was the president of the Student Government Association at Shenandoah University. At Shenandoah University, he worked for the university president’s office on lobbying, governance, and special projects. Spencer also interned at Wolf Trap, where he facilitated strategic planning, government relations, special initiatives, and board relations/operations.

 

The New Paradigm of the Government Market:  Plan, Prepare, Position, Partner

I recently attended a small business Match Making event sponsored by the Government Technology Services Coalition for small business and prime contractors to meet, greet and exchange information on each other in hopes of identifying potential government contracting opportunities. This event showcased a three person panel of small business program office directors from the Small Disadvantage Business Offices of three different agencies.

I have attended many of these match-making sessions and recently asked the question in one of my LinkedIn discussion groups: is attending these events valuable time well spent or a waste of time? I received various comments both positive and negative. However, I must say that this particular event was one of the best that I have attended and my reason is based on the content that the government panelists shared with the small businesses.

There is no question about the changing state of the government contracting market. There is definitely a new paradigm. The landscape has and is continuing to change significantly.

What does this mean for small business? Well, it means that they are being presented with opportunities greater than they have ever been presented with in the history of small business contracting in the federal market.

With the implementation of the President’s Job Act coupled with new legislation and regulation that are favoring increased small business participation for contracts and better oversight on Prime/sub-contracting relationships, larger and longer multiple year contracts are being offered to small businesses. To support these initiatives, agencies are increasing their market research activity by sending out more RFIs and Sources Sought announcements with the intent of identifying more small businesses to contract with.

Agency Collaboration and the need to reduce redundancy and budget cuts are responsible for this new trend. With that said, the small business community has to change its thinking and their desire to go it alone when pursuing contracts.

The main theme presented by the government panelists was the lack of preparation by the small business community in pursuing contract opportunities. Some specifics were:

  • Presenting too many capabilities (“jack of all trades” scenarios)
  • Limited knowledge of agency mission
  • Inability to clearly present their core skills and solutions relevant to the agency mission
  • Not responding or poorly responding to RFIs and Sources Sought announcements
  • Failure to present their value proposition as it relates to the agency request for support

Considering these things, the take away from this event boils down to the following:

Plan

Plan by performing an internal assessment of your company, who are you, what business are you really in, what are you best qualified to do – not what you want to do. Do your market research to establish where your skills and solutions best fit the agency problems you have targeted and refine your pitch based on your research and knowledge of the agency’s mission.

Prepare

Prepare by creating a compelling story of who you are and why your company is best suited to solve the agency problems based on your research and understanding of the agency mission. Responses to the RFIs and Sources Sought should be focused on how your skills or solutions support the agency mission. Follow the congressional legislative and regulatory initiatives, and agency news. This information will provide you with great insight into the agency mission and the problems they are encountering in carrying out their mission.

Position

Use your research to position your company. The more information you know about the legislative, regulatory initiatives and agency news, the easier it will be for you to communicate with agency program managers and department heads. The more knowledge you can share with them, the more comfortable they will be that you have an understanding of their issues. This will be the basis of establishing a rapport which will lead to trust.

Partner

Performing a formal assessment on potential partners you have identified to team with is essential. The dynamics of the market demand that you spend ample time to do this. There are more contract opportunities that are multiple 8-10 year contracts and this requires thorough knowledge of who you will be spending that time with.

Compatibility, integrity, culture, vision, goals and trust will be the key factors for you to assess and consider in your selection. These criteria should be used regardless of whether you are considering a Prime or subcontractor relationship. Casual teaming is not the best way to go in the new market.

Contributing Author

Earl S. Holland III is the President and CEO of Growth Strategy Consultants, Strategic Advisor with the Government Technology Services Coalition and former Vice President of the Washington Chapter of the Association of Strategic Alliance Professionals. You can reach him at: www.growthstrategyconsultants.com

 

Mitigating the Insider Threat Through Personnel Surety Counterintelligence

The Department of Homeland Security in coordination with US Customs and Border Protection are at the forefront of preventing insider threats within its law enforcement operations. These threats take the form of overt actions because of gaps in coordination and process mistakes that lead to self-created but preventable vulnerabilities.

To assure this continued success, a Personnel Surety Counterintelligence mission must be put in place through a management and implementation functionality that will meet the following objectives:

• Assess and audit the effect of the insider threat through risk analysis threat algorithms

• Establish a collaborative information-sharing personnel surety data base system that tracks action requirements and assigns accountability on a continuous basis

• Build a personnel surety counterintelligence business process into each law enforcement mission area, both operational and technologically supported through stakeholder collaboration

• Create a culture built around a robust personnel surety plan to ensure that a need to share for operational success supersedes the need to protect information

• Identify the insider threat and vulnerabilities through a continual monitoring system of checks and balances

• Counter the inadvertent mistakes that lead to the insider threat through the deployment of technologies that drive mission success and efficiencies

 

Coordinating the Government’s Personnel Surety Mission

The multi-faceted challenges of working in today’s mission-critical environments and multiple enterprise coordination formats require innovative approaches that stress stakeholder creation and participation with built-in accountability, under an umbrella set of governance parameters. This is especially true in the world of counter-intelligence / insider threat in light of the number of initiatives currently underway to protect the United States government information infrastructure. It is imperative that the following initiatives be established:

• Establishing a government-wide personnel surety process and management discipline supported by standardized and relevant technologies

• Coordinating the activities of multiple operational centers, including sharing information about malicious activity and establishing common operating standards and procedures to: track information sharing, require acknowledgement of information received, and provide reports of counter-actions taken

• Deploying technology advancements in order to counter the threats both from an IT and behavioral perspective

• Engaging the private sector, as a partner, to extend the envelope of protection beyond the government’s firewall in a manner that is clear and manageable to that sector

These initiatives are designed to break the pattern of information silos and to overlay new paradigms that will mandate sharing and accountability to protect lives and critical mission information while providing stakeholders tangible metrics for their participation.

They also address the technology aspects required to support this new paradigm by ensuring that the most appropriate tools are in place, under the most cost-effective basis.

Establishing Enterprise-Level Governance

As recent events have proven, internal barriers may well be the biggest stumbling blocks to “connecting the dots” on a threat and preventing violence.

Deployment of a CBP Enterprise Program Management Office (EPMO) is a successful methodology that will enable CBP to break through such barriers and establish an enterprise-level governance functionality that will assure the success of the insider threat mission. An insider threat EPMO will allow CBP to:

• Coordinate the Counterintelligence Mission Focus across all of the Federal Mexican Police Department

• Deploy technologies that drive mission success and efficiencies

• Establish performance metrics and measurable outcomes linked to meeting the counterintelligence insider threat mission

 

Successfully Deploying the EPMO

A successful Counterintelligence EPMO will require the following focus to its activities:

• Developing and documenting a clear understanding of the mission

• Establishing an executive Governance Board

• Organizing with a focus on meeting the counterintelligence mission

• Deploying operations that protect the mission from internal/external threats

• Leveraging technology to enable the counterintelligence mission

• Establishing a disciplined standards-based foundation

It is critical that CBP establish an EPMO to serve as a central program management body, one which both manages and coordinates core insider threats and counterintelligence activities. The EPMO performs much of the program management related work for individual programs as well as the organization at an enterprise level, while still valuing the individual program contributions and objectives.

Establishing and sustaining this focus for the EPMO will require that four themes be addressed: statutory and other mandatory drivers, organization and supporting processes, technology requirements, and cultural change.

1. Statutory and Other Mandatory Drivers

Any EPMO is responsive to the statutory and / or regulatory drivers that established the mission for a sponsoring agency, augmented by internal agency directives or other mandated requirements. It is critical that information on these be gathered, analyzed, and clearly understood. After this it must be coalesced into a charter statement that all stakeholders will commit to support and follow under a program organization that has been developed and accepted in a collaborative process. Specific mission performance objectives may then be developed. Successful implementation of these is a function of establishing a common operating environment that has two components: process and supporting technology.

2. Organization/Process

The processes defining the EPMO’s operating framework must promote the effectiveness, efficiencies, and collaboration necessary to successfully meet the established counterintelligence insider threat mission. Once established, these characteristics must be sustained by adopting a regular process or review through which the operational and control processes of the EPMO are assessed and revised, and opportunities for improvement are incorporated. The effective EPMO deploys Key Performance Indicators (KPIs) measuring key processes, especially those that touch the counterintelligence insider threat customer.

The EPMO monitors the KPIs to identify reductions in performance and, as a result, to proactively deploy revised and improved processes. Incorporation of standards and ratings to ensure ongoing performance maturity is essential in order to ensure that the stakeholders of the EPMO are receiving the best information and are participating in decision-making as appropriate.

3. Technology

Even while most EPMOs operate in a highly automated environment, the successful counterintelligence insider threat EPMO team understands the use of technology is not the answer to all problems. That team also understands that well-deployed technology remains a critical, but supporting, component to highly qualified personnel and a well-run EPMO organization.

These technologies should be “smart”, scalable, flexible, extensible, and self-monitoring. The requirements for deployment must be based on the automation of a collection of previously manual processes and should provide short-term tactical efficiencies in response time, effectiveness, and productivity. The technology cannot disrupt processes unless the disruption is part of a well-understood process improvement strategy. It must be well understood, and it requires users and customers to be well trained and able to quickly incorporate the technology capabilities into the responsibilities assigned to them.

4. Culture

The EPMO must be staffed by program, change, technology, and counterintelligence professionals who are directly accountable to the counterintelligence mission and to the Department’s strategic objectives. The individuals in the EPMO must have the necessary credentials, as well as managerial, consultative and functional counterintelligence experience, necessary to operate a Department-level counterintelligence program office. While necessity often requires that personnel and resources are gathered from other parts of the Department, once those resources are assigned or brought into the EPMO, the mission of the EPMO takes precedence; any adherence to previous cultural and organizational barriers becomes of secondary priority.

The above four goals must be addressed via a specific implementation process consisting of three primary phases: Initiation, Planning, and Execution, coupled with ongoing Assessment and Update once all facets of the EPMO have been deployed. Each phase has its own input requirements and results in deliverables which are critical to day-to-day execution of the mission objectives.

The advantages of this phased approach are multiple:

• An over-arching mission definition is established, to ensure that all participating agencies are operating to the same goals and objectives

• Agency and other users are provided hands-on guidance to support them through collaborative / facilitated involvement and integration into the counterintelligence program

• The EPMO establishes standards, processes and performance measures as well as measuring tools

• Agencies are left with flexibility in the management of individual counterintelligence activities while adhering to enterprise business rules

• There is some impact on the organization, which may require changes in organization structure and / or roles and responsibilities

• Relieves agencies and program teams of much of the responsibility and details of program management-related activities

• Allows users to focus on the counterintelligence activities, resolution of technical issues, and threat adjudication under a common set of ground rules and information-sharing environments

Conclusion

The need for a successful counterintelligence program demands a direct approach to establishing coordination. Therefore, the Counterintelligence / Insider threat EPMO would provide the most robust construct for securing enterprise-wide coordination and help break down the organizational silos preventing success. The EPMO will provide a personnel security program as well as counterintelligence / insider threat coordination to the entire enterprise: from the Executive level to managers, to Federal Officers, to professional staff, to security personnel, to IT personnel, and finally, to IT Security personnel down to administrative and clerical staff.

Contributing Author:

Bill Carroll is a co-founder and the President of the EnProVera Corporation, a Service Disabled Veteran Owned Small Business and Native American Owned Small Disadvantaged Business. Prior to EnProVera, he was the Managing Partner of Strikeforce Consulting. Bill has over 40 years of experience in law enforcement, in the U.S. Government, and in the Government Contracting Industry. He retired from the U.S. Government in 1998 after a distinguished career in the Immigration and Naturalization Service (INS). Bill was the Director of the INS Washington District Office and Deputy Director of the Los Angeles District Office.

 

 

DOJ Aggressively Pursuing False Claims Act Violations: States Follow Suit

Over the last decade, False Claims Act (“FCA”) litigation has exploded, and actions asserting new theories of liability are resulting in increasingly large recoveries. Last year the U.S. Department of Justice (DOJ) announced that it had recovered $3.8 billion under the federal FCA in FY 2013. From all appearances FY 2014 promises to be another “banner year for civil fraud recoveries,” and the DOJ has already put up impressive numbers, particularly against pharmaceutical and medical device companies, including a massive $2.2 billion settlement with Johnson & Johnson, as well as settlements with Endo Health Solutions Inc. ($192.7 million), Halifax Hospital Medical Center ($85 million), and Amedisys, Inc. ($150 million).

While the DOJ continues to vigorously pursue FCA cases against companies in the health care and other sectors, cash-strapped states are now following suit. State Attorneys General (AGs) have increasingly pursued novel and creative FCA actions, as have private plaintiffs, who are authorized by qui tam provisions to stand in the shoes of states to sue and receive part of any recovery. A driver of this action was the Deficit Reduction Act (DRA) of 2005, which authorized states to receive, in addition to their own recoveries, 10 percent of the federal government’s share of recovered Medicaid funds if their FCAs are at least as robust as the federal FCA. As a result, since 2005 nearly a dozen states have either enacted false claims statutes or have amended existing statutes to make them equally or more robust than the federal FCA, including incorporating qui tam provisions and broadening the circumstances under which companies can be found liable for violations.

For example, late last year, in response to the DRA, New York state amended its FCA (New York State Finance Law § 187, et seq. (NY FCA)), to bring its false claims law more in line with the federal FCA. The New York statute now includes a “reverse false claims” provision that imposes liability as broadly as the federal FCA, providing that a person may be held liable for violating the NY FCA if that person “[k]nowingly conceals or knowingly and improperly avoids or decreases an obligation to pay or transmit money or property to the state or a local government, or conspires to do the same….” (NY FCA § 189(1)(h)). The New York amendments also allow the state, as intervenor in a qui tam case, to relate back to the qui tam plaintiff’s filing date for statute of limitations purposes, expanding the period for which the state can seek recoveries. In addition, the law provides attorneys’ fees for successful qui tam plaintiffs, incentivizing the plaintiff’s bar to partner with the state or pursue their own cases under the NY FCA.

Recent developments in California also have made California False Claims Act (CFCA) cases more likely. In October of last year, California Governor (and former AG) Jerry Brown signed into law amendments to California’s general whistleblower statute (Cal. Labor Code § 1102.5) extending already existing whistleblower protections to employees who report illegal behavior internally to supervisors or those responsible for compliance. The amendments also imposed liability on any person working on an employer’s behalf who retaliates against an employee who engages in protected whistleblowing activity. In addition, a California appellate court, in San Francisco United School District ex. rel. Contreras v. First Student, Inc., No. A136986, Cal. Court App. (1st Dist. Mar. 11, 2014), recently expanded liability under the CFCA by approving the “implied certification” theory, holding that “a vendor impliedly certifies compliance with express contractual requirements when it bills a public agency for providing goods or services.” As a result, government contractors that do business with the state of California are now exposed to CFCA liability if they knowingly submit an invoice while in breach of a material contract term, whether or not they expressly certified compliance with material contract terms.

California and New York are just two high-profile examples of a national trend. Florida AG Pam Bondi worked with the legislature to significantly amend the Florida FCA last year to expand its scope and provide new subpoena powers and penalties. In Vermont, AG Bill Sorrell worked with several state senators to introduce a new FCA patterned on the federal act, after the state collected more than $23.5 million since 2010 through cooperative work with the DOJ on Medicaid fraud cases.

Because many states are facing substantial budget pressure, FCA activity, in particular Medicaid fraud cases, is likely to substantially increase in 2014 and beyond. In January Texas AG Greg Abbott announced that Hi-Tech Pharmacal Co. will pay $25 million to settle claims that it submitted inflated pricing information for certain prescription drugs from 1995 to 2013. In April Texas settled a state FCA lawsuit against HEB Grocery Co. for $12 million, settling claims that HEB overcharged the Texas Medicaid program for prescription drugs. Florida also reached a $7 million agreement recently with All Children’s Health System to settle allegations that the hospital violated the federal and Florida’s FCA by submitting illegal Medicaid claims.

FCA cases are not limited to health care. New York AG Eric Schneiderman, who as a state legislator sponsored a substantial 2010 expansion of the NY FCA, has pursued a ground-breaking FCA reverse false claims case against Sprint Nextel Corporation for allegedly under-collecting and underpaying more than $100 million in New York state and local sales taxes. In late February a New York appellate court upheld a lower court’s decision denying Sprint’s motion to dismiss the case. FCA cases have also recently been brought against or settled with technology providers and construction firms for providing allegedly defective products and services or inflating their billing, energy companies for underpaying royalties, and mortgage lenders for alleged false applications for HUD-sponsored insurance and federal loan financing.

State FCAs have also become fertile ground for creative plaintiff’s attorneys. Prominent plaintiff’s firms have long cultivated relationships with AGs as they sought to represent the states in civil lawsuits such as the tobacco litigations of the 1990s and more recent consumer protection and public nuisance suits against the pharmaceutical and other industries. Plaintiff’s lawyers have also taken notice of the potential for large automatic recoveries in qui tam suits. 647 federal qui tam suits were filed by private plaintiffs in 2012 alone, compared to only 30 in 1987. This upward trend is likely to continue as plaintiffs increasingly assert multiple state FCA claims alongside federal claims and attempt to work alongside AGs in pursuing such cases.

There are steps companies can take to reduce their potential exposure to FCA actions brought by the federal government, AGs, and/or qui tam plaintiffs. Any company that provides goods or services to the government, or even subcontracts to do so, should do the following:

(1) Create and update its compliance program to ensure current compliance with all applicable legal requirements and to flag potential problems early before they give rise to an FCA claim.

(2) Establish appropriate and continuous training programs that inform employees of key legal obligations, and encourage employees to bring problems to the attention of supervisors and compliance officers.

(3) Periodically audit business activities to ensure those activities conform to the company’s compliance program by conducting interviews, surveying employees, and providing employees with opportunities to provide feedback regarding potential wrongdoing.

(4) Fully and seriously investigate all allegations of impropriety, no matter how unlikely, and regardless of the whistleblower’s credibility or motivations.

(5) Carefully consider the ramifications of strategies that impact taxes or royalties remitted to the government and whether such plans might become the basis for reverse FCA claims.

More broadly, companies involved in supplying goods or services paid for by the government should familiarize themselves with, and even develop relationships with, the DOJ authorities and AGs who are authorized to bring FCA cases or oversee qui tam litigations. Given the increasingly innovative ways FCA claims are asserted, companies cannot risk hiding their heads in the sand regarding their potential exposure. Knowing the government authorities responsible for such cases can provide critical insight to understanding their priorities, their complex relationships with qui tam plaintiffs, and the future directions and likely developments in this increasingly important area of the law.

Contributing Authors:

Merle DeLancey primarily represents healthcare clients involved in a broad spectrum of government contracting issues and litigation. He also formulates strategies for expanding contracting opportunities using the General Services Administration (GSA) and Department of Veterans Affairs (DVA), Federal Supply Schedules (FSS), and other government-wide acquisition and indefinite delivery, indefinite quantity contract vehicles. Merle also has substantial experience in complex, multidistrict litigation in federal district courts throughout the United States.

Bernard Nash joined Dickstein Shapiro in 1988 and leads the firm’s State Attorneys General Practice, where he represents clients in complex state and federal legal and legislative matters. Bernie’s work typically involves cases of first impression, matters having public policy implications and/or a governmental interest, and complex litigation. He routinely counsels major private sector clients on a wide range of matters involving State Attorneys General and also has represented states in significant policy disputes. According to Chambers USA: America’s Leading Lawyers for Business, Bernie is “the leading practitioner in the country” who has “cornered the market” in representing clients before State Attorneys General and is known as “the godfather of State Attorney General work.”

Andrew Smith is an associate in Dickstein Shapiro’s Government Contracts Practice. Andrew focuses on complex civil litigation matters relating to antitrust, unfair trade, mass torts, product liability, and general commercial law. He also has represented and counseled clients in government investigations and government contract matters, including False Claims Act investigations and litigation, and claims and bid protests before the U.S. Government Accountability Office. Additionally, Andrew has been actively involved in providing pro bono legal research assistance to the American Antitrust Institute.

Christopher Allen joined Dickstein Shapiro in 2007. Chris is an associate in the State Attorneys General Practice. He represents clients primarily in connection with state government investigations and complex public policy issues, including outreach, negotiations, and litigations involving consumer protection, pharmaceutical products, data breach, information security compliance, antitrust, and environmental issues.