The Challenge of the Decade

Federal Acquisition Service Commissioner Sonny Hashmi brings his digital and data chops to tame the supply chain for 75 million products. 

Sonny Hashmi has long been a government information technology leader. He served as chief information officer for the District of Columbia before joining the General Services Administration, first as its cloud computing lead and then as chief information officer (CIO) and chief technology officer.

Voluble, approachable, and a technology evangelist, Hashmi was one of the best-known federal CIOs. Even after he left federal service in 2015, Hashmi stayed in the tech lane as managing director of global government strategy at cloud-storage and collaboration firm Box. He worked with federal, state, local and international governments on cloud and mobility strategy.

So, it came as something of a surprise when, in January 2021, GSA named him commissioner of the Federal Acquisition Service (FAS), overseeing the massive $75 billion schedules contracts and a range of buying programs.

Contract Management Editor in Chief Anne Laurent interviewed Hashmi in June 2022 to discuss his new venture in acquisition and how FAS is policing the provenance of its product catalog, applying digital modernization, and improving data and automated tools for contracting professionals. The interview has been edited for length and clarity.

Anne Laurent: You have been Mr. Information Technology in the federal government for years – you even have “Geek” in your LinkedIn profile. Now, you are thrust into the world of contracts. Can you talk about why you are the right person for this role leading the Federal Acquisition Service?

Sonny Hashmi: When I was first approached about taking on the responsibility, that was a question I asked myself as well. There are a few things to understand.

First, I believe most people think that the world of contracting is an old school, dodgy, documents-flying-back-and-forth, lots-of-legalese type of world. That couldn’t be further from the truth. Contracting and acquisitions are the primary way that the government engages with the private sector. 

As we go into the 2020s and beyond, more and more government services are going to be digital first. So, in government across the board – whether you are applying for veterans’ benefits, are a small business applying for a loan, need health care, or need recruitment – how the government engages with its citizens is going to be digital.

Second, through the pandemic there has been an outsized focus on digital modernization across government at all levels. I think most government agencies have realized that the only way to become resilient in our mission delivery, even in the face of a global pandemic, is to really, seriously, think about digital transformation.

The work that FAS has been doing for the last three years in the digital sphere has been growing at double-digit numbers, year over year, compared to the traditional modes. We need that expertise across FAS to be able to help our customers think through their options.

Third, procurement generally, and acquisition across the board, is a data problem because we are managing a global supply chain. We need to understand exactly where the needs are so we can help forecast needs one year, two years, and five years from now. We need to understand what the supply chain looks like. Who is the provider, what is their product, where is this product made, what is the carbon impact, what is its cybersecurity impact, who has a better solution to the problem, and how do we test these solutions? All of that becomes a massive data challenge.

It’s been fascinating coming into this role, because I get to play around with analysis, big data, machine learning, and all these things that I have been implementing on behalf of other organizations in my past life.

I have been immersed not only in analysis and data, but in figuring out how we automate and streamline our processes, how we do repeatability, and how we leverage technology to improve our user and supplier experience from the very beginning. And this is exactly the right moment for FAS to be tackling some of these longstanding challenges and opportunities because it is foundational to achieving our three North Star Goals:

1. Create tremendous value for our customers’ mission.
2. Make it dead easy to do business with FAS.
3. Curate a thriving, innovative, compliant, and equitable marketplace through our acquisition vehicles.

So, I’m thrilled that GSA had the foresight that we need this expertise in this role, and I’m just humbled that I am the one fulfilling it. 

AL: You talked about big data and machine learning and the need to learn how to analyze data. In the world of procurement, the federal procurement data system (FPDS) has not always provided data that has been as clean or as useful as it might have been over time. Are you saying that you are going to make more use, better use, different use of that data in building out FAS or sharing it with your customers?

SH: Yes, to all of that. That’s all part of making it easier to do business with us. In fact, some of that work is already underway. The federal procurement data system has been ripe for modernization for a long time. During the next two to three years, you will see a significant improvement in that system, and of course, the data underlying it, because there’s been a lot of work over the last two years to improve the completeness and accuracy of it.

Many years ago, contracting officers were responsible for logging in and inputting this data by hand, whenever an acquisition action happened. Now, 99% of that data is automated downstream from contract writing systems and other financial systems. That data is automatically uploaded and that improves the quality and completeness.

The problem still is that a lot of that FPDS data is not designed to be very usable. It’s hard to search and it’s hard to find the right answers. We’ve done a significant amount of work and now a lot of that data is feeding category management.

Category management is a better, more structured way of doing purchasing across government. It relies on data, and a lot of that data comes from FPDS, but also from other sources. We have a very powerful set of dashboards that we’ve built so that our contracting officers can, at the point of need, identify prices paid, identify past performance, look at contracts, and look at contractor performance; all those things they need to do including price evaluation. FPDS is one of the data sources that helps them do that.

And those dashboards create tremendous value for our customers by allowing partner agencies to do macroanalysis: Where are trends going? What is the average price people are paying for a particular product across the board? How many vendors are available in a particular market segment?

There’s a slight nuance to the data. FPDS data doesn’t go down to the price-per-item level. It’s primarily a contract-level pricing tool. We’ve been driving awareness, training, and making sure contracting officers across the government are increasingly using the category management data.

We know that we need to have pricing data at the item level or the transaction level. So, there’s work going on. One of the programs is the transactional data reporting (TDR) program. It allows us to collect data at the transaction level, line-item level, so that we can have prices paid information at the product level. You should be able to do a price comparison for a product to say which vendor or which supply source offers the most beneficial pricing and so forth.

It’s hard sometimes for us to have an accurate line of sight into exactly who has bought and who is using the product. TDR allows us to do that. I’m hopeful that maybe later this year and into next year, we’re going to start seeing broader adoption of TDR and that data is available across the federal government.

AL: How much of what is now being done by human beings could be, or do you wish to see, automated in some way, and how do you see that affecting jobs?

SH: So, first of all, if you ever want to have a job for life, get into the 1102 track right now. The contracting officer, 1102, is probably going to be the most important, the most sought-after job series, for as long as I’m alive, at least. Contracting officers are going to be in high demand, and low supply, unfortunately. Humans are always going to be involved because complex contracting just is not something you can automate; it requires human intelligence. Crafting the right solution requires human innovation. Having said that, human intelligence and human effort need to be supplemented by machine efforts.

Too much of the contracting officer’s job today is to do routine things. That takes a lot of time, a lot of effort, and frankly, can be automated and streamlined so that the contracting officer can focus on customer engagement, designing solutions, negotiations – those things that only humans can do.

In FAS, especially in the contracting families that are scaled like the Multiple Award Schedule program is, contracting officers rely on tools. Those tools aggregate data and process them in a way that allows those contracting officers to make the right decisions.

Being a contracting officer is a very difficult job. Not only do they have to make sure there’s compliance with the FAR, but also new regulations, executive orders, and cybersecurity regulations. There also are new requirements for sustainability, for Buy America, for Trade Agreements Act (TAA) compliance, for country of origin, and for Section 889. The list goes on and on. And now, imagine a human who has to make a modification to a contract that has 10,000 contract line items. All 10,000 of them must comply with all these different regulations. The contracting officer needs to have perfect visibility to where this product was made, what the supply chain risk looks like, and more.

FAS is automating as much of that analysis as possible, so the humans get a dashboard – a tool that allows them to say, “This is green, this is yellow, and this is red. This price is out of deviation, this price is within deviation, or these items are identified as non-TAA compliant.” 

And so very quickly, you know exactly where to focus your energy. Out of the 10,000 line items, you only have to talk about the five that have an issue. You can go back to the vendor and have a conversation. That not only saves a tremendous amount of effort, but it also increases the consistency, and therefore the quality, of our vehicles.

That’s our vision – that a lot of the heavy lifting needs to be done through data sources, analyses, and systematic automation, so the end user, the contracting officer, the project manager, looks at it, identifies where the risks are, and then focuses their energies on addressing those risks.

AL: How do we get from this moment to that moment?

SH: It’s less about creating something and then browbeating people into using it; it’s creating something that solves a problem and making it so easy to use that it just makes sense for people to use that as a first choice.

For example, for some of the upcoming vehicles that we are bringing online over the next year to three years, whether it’s Polaris or others, we are baking in automation from the very beginning. Supply chain risk management and evaluations are baked in. Every vendor who gets on board is already in a monitoring process, so customer agencies don’t have to do that work themselves.

We are currently doing a lot of work on the electric vehicle supply equipment (EVSE) environment. All that infrastructure is network-connected. So instead of just saying, “Here are the 15 vendors that are available, go forth and prosper,” and our job is done, we took on the heavy work with each of these vendors, making sure that all these products are compliant.

We want to make sure that they’re pre-vetted and pre-authorized, with essentially a provisional authority to operate (ATO) available, so each agency doesn’t have to go through a full ATO process and compliance process. FAS did all that heavy work. So now when the agencies transact, they can transact much faster. That’s the value we bring to our customers’ mission. 

AL: You’ve given a lot of the buying proposition for why agencies should use GSA. But there is reluctance. How do you break that down?

SH: It’s a human instinct to go with what you know. It’s basically the cow paths that have been trodden over and over again. People say, “This is how we do things here. We have our own governmentwide acquisition contract (GWAC); we want to make sure that we use that first.” Or, “We have a certain way of doing things.” And that’s okay.

But the challenge that I will make to everybody is, “What is better for the mission?” If using a GSA vehicle gets you better pricing, or, if pricing is not the primary consideration, it gives you more confidence that this product is more compliant. It reduces the work you have to do to ensure all the new executive order compliance. If a GSA vehicle gives you more options and more competition, is designed with the right products and services, and gets you there faster, isn’t that better for the mission? And if it reduces your risk of protest, for example, if all that risk is taken upfront by us, that should be the solution.

Let’s add diversity for the right reasons. If that’s leading to things that are delivering on that mission better, I 100% support it. But let’s not do it just because it’s the way we’ve always done it. 

AL: You’re not saying, I trust, that there should be no other competitive contracts across government than GSA, right?

SH: Of course not. I think competition breeds innovation and drives organizations to do better things.

You have to be thoughtful about where competition is going to actually add value, and where it’s duplication.

If the data shows that the competition is driving down pricing and increasing outcomes for the government, I am the first person to be convinced. But I don’t see that data. We don’t have the data – at least I haven’t seen the data – that says that having multiple GWACs is actually further driving down pricing and improving outcomes.

AL: You’ve been talking about supply chain. What should customer agencies expect of GSA to help them meet the increasing need to find out the provenance of goods and services way down the supply chain?

SH: This is going to be the challenge of the decade – supply chain risk and overall supply chain management; not just risk, but resiliency and availability. Every product we consume in our private lives, and in the government, is an amalgamation of our global supply chain. Parts and pieces come in from all over the world, are assembled somewhere, and then ultimately made available in certain markets.

Our adversaries have figured out ways to leverage this global reliance to work against us, whether it’s intentional, such as malicious code being injected into software supply chains or chipsets that are pre-programmed with firmware to exfiltrate data, or just in terms of global pressure.

We manage about 75 million products in our catalog. Seventy-five million products cannot be individually evaluated by individuals asking, “Is this a safe product, a good product, is it not misrepresented, not secretly owned by a foreign country that is an adversary?”

We need to have a different strategy. Contracting officers are already burdened, and they cannot possibly vet every single product that’s being offered on contracts.

The first step in this process is segmentation. Certain parts of our overall catalog have a higher risk than others. If there’s a supply chain risk in the availability of office chairs, I am less concerned about that because an office chair does not connect to the internet, at least not yet, and there are many options available. It’s a commoditized product, and if there’s a supply issue with one manufacturer, I can sustain mission through other options.

However, if there’s supply chain risk in surveillance cameras, I’m very concerned because those cameras are being used in secure facilities. If there’s a trust issue with the firmware in that camera, or the software in that camera, or compliance standards, then I’m very concerned.

Segmenting our world’s supply chain into areas of concern, areas that require further investigation and analysis versus others, is Step Number One. Step Number Two is that in those areas where there are cybersecurity and other supply chain concerns – availability, resiliency, etc. – we need to understand the suppliers in a much deeper way. That’s where category management comes in.

The category managers across those areas need to not just track who the assemblers and final assembly manufacturers are, but where the supply chain comes from for chipsets, for firmware, etc.

I’ll give you an example. There are a lot of building control systems available in the marketplace. Humidifiers, temperature control units, thermostats and so forth. A lot of those chipsets come from companies and countries where we probably don’t want to do business. We don’t want to use those products in secure facilities, for example, because we don’t have trust in those chipset supply chains.

A few years ago, we had similar issues with drones. Drones are becoming increasingly useful in federal applications, and agencies are going out and buying drones. So, we partnered with the DoD to create the Blue Unmanned Aerial System (UAS) Program. Certain manufacturers are vetted and products disassembled to be sure of their security.

We have had conversations with these manufacturers and made sure that internally, their processes were secure so that they couldn’t be breached. They couldn’t be used as a vector for a foreign country to exfiltrate data. And then we approved certain products, and those are the only products that are available through our marketplace. We may have to do similar things in other categories.

This is, again, a data problem. We have sources of data available to us, in partnership with the intelligence community and others, that broadly allow us to monitor certain companies and certain products. We can track their parts and who their suppliers are. So, when you go two or three or four layers deep, a company that’s based in the United States and is manufacturing products in the United States, you can see where the chipsets are coming from, where raw materials are coming from, and where they’re sourcing subassemblies and parts from.

That information can identify red, yellow, green risk analysis for certain things. We’ve done that very recently, and by doing some pretty deep data and analytics, we removed tens of thousands of products from the schedules.

By leveraging these third-party data sources, we were able to identify not that those products necessarily were malicious, but we didn’t have the confidence that they met the security and compliance requirements of the federal government. It could be a chair, but if it’s misrepresented to be made in America, when you find out that it’s not made in America, then that’s a misrepresentation that you need to act on.

AL: Where some government contracting officers are not inclined to, or can’t for whatever reason, use a GSA Schedule, they’re supposed to perform this level of analysis themselves?

SH: Unfortunately, yes. And increasingly more things are coming down the pike. We’re going through four different rule-making processes in the cybersecurity space alone. And those are going to require vendors to certify that they have software bills of materials available, that they have notification processes in place. So yes, the contracting officer will be required to make sure those regulations and all those clauses are included in the contract. But that’s the easy part. You can say, “Here are the new clauses, guys. Either you choose to sign this contract or not.” The concern becomes, how are you going to validate that their representation is accurate?

We’ve seen many companies, some of them large companies, either knowingly or unknowingly misrepresent according to the clauses that are in a contract. Sometimes, we have to tell them, “Actually, this product that you’re making available and representing a certain way, is not made in the country that you think it’s made in.” And when they do the internal analysis, they realize that. So, ultimately, you can have all the clauses in that contract, but the contracting officer still is responsible for making sure that there’s an adequate amount of trust in the representation that’s been made by the company.

So, you’re not going to use GSA for everything, I get that. In that case, we certainly do need to continue to build a community of partnering officers to make sure that everybody is aware. GSA also has a role for the government by policy, and we hold many, many, many classes, and training sessions for contracting officers to be brought up to speed on everything from artificial intelligence to cybersecurity, to supply chain risk management. And that’s a burden that contracting officers continue to have to be educated on.

Again, where we can use tooling and data to reduce such burden, that’s the right thing to do. So instead of a contracting officer having to collect all this data and make sense of it, if tooling can say, “We’ve looked at this offer, and processed it through multiple lenses, and these are the things that are red and these are the things that are green,” it gives the contracting officer a leg up. They can focus and should only focus their energy on things that are high risk.

I’m hopeful that, over time, the tooling that GSA is building can also be made available to other contracting officers.

AL: Let’s talk specifically about cybersecurity. The Department of Defense has Cybersecurity Maturity Model Certification (CMMC), now CMMC 2.0. It’s been a messy and difficult process, and companies are not thrilled by it. On the civilian side, are you hearing that there’s going to be something similar? Is this even the right way to go about it?

SH: I think in some ways it’s too early to tell. Let’s start with some basics. The responsibility of the government to be much better at how we manage our cybersecurity is real. Nobody can argue that. I would say that this administration has been very, very aggressive in all the right ways, to really make this a priority, more so than it’s ever been before.

NIST’s job is to identify and develop the right standards. They’re doing that job. A standard exists for what secure coding looks like, for what ethical artificial intelligence looks like, for what the authentication of the user looks like. The challenge becomes how you implement the standards consistently and in every single case.

The cybersecurity executive order is a huge step in the right direction. It provides a real focus, and money, on transitioning agencies to zero trust architecture to encourage and ensure that coding standards are secure. It ensures that it’s not a problem that the government has to own, that the private sector is also held accountable for secure coding and supply chains. Then, when breaches happen, we can have insight into exactly how to identify the surface area and then what to do about it. These things never existed before, so it’s going to be painful for a lot of companies, and for government agencies. When I say painful, what I mean is that it will require change. It will require companies to take on new responsibilities within their organizations such as breach notifications, sharing more data at a more granular level when breaches happen, making sure that when they’re doing software releases there’s adequate testing and validation in the supply chain, and making sure they maintain software bills of materials. They will need to do those things for all software companies and even companies that leverage certain software. It’s the right thing to do, but it’s going to take some time and some effort to get there.

Our job is that as we go to the policymaking realm on this, we work with the industry to make sure we don’t just arbitrarily demand or mandate things that are unrealistic or very painful, and that we have the right runway, the right onboarding mechanism for companies to catch up and then have enough time to invest in the right things. We cannot do it without the industry.

Is CMMC the right model? I don’t know. CMMC is a model. In certain cases, CMMC may be the right model because the consequence of a breach is so high, or the consequence of the loss is so great, for certain kinds of data.

However, it’s very difficult to scale. We cannot apply it to tens of thousands of companies offering hundreds of thousands of products. You cannot possibly go through that level of documentation, scrutiny, review, personnel oversight, for every single thing in the GSA catalog. So, we need a different model that scales better for a vast majority of software suppliers in the government. I don’t know exactly what that model is, but right now, that model is being driven through the cybersecurity executive order.

AL: What’s your concern that the implementation of CMMC, or anything else, is a barrier to entry into the federal market?

SH: On one hand, you want to have more innovation and more small businesses coming into the marketplace. You want to create more onramps, more opportunity for new companies to enter and bring their innovation. On the other hand, we have an instinct to continue to increase the compliance of products, and therefore only the largest of the large companies can meet that bar. There’s no silver bullet answer here, unfortunately, but it just needs to be balanced better.

Both may have a place. Things like CMMC may be relevant in very specific circumstances. But at the same time, that can’t be the barrier to entry to do any business in the federal government. Because then we’re going to be left with a very small handful of companies that can meet a certain bar. And frankly, even if they can meet the bar, the process takes too long.

There’s a lot of innovation going through the Small Business Innovation Research (SBIR) program, and other innovation research and development programs. For example, the Defense Innovation Unit (DIU) program in DoD and the Air Force Research Lab. There are many different entry point programs for truly emerging tech companies to come into government either through grants or early seed investment type mechanisms.

We want to make sure that those companies also have a clear path to do business with the government. So, we’re working with DIU right now to provide for any company that graduates through DIU’s process to have a pathway to get onto the GSA Schedules. Similarly, for companies that go into the SBIR Phase I and Phase II, we’re working very actively to create contract vehicles for them to go through Phase III awards and quickly get access to other market opportunities. It’s bridging that valley of death issue that keeps coming up in the SBIR program.

When these companies get ready for SBIR Phase III, we white-glove handhold them through the contracting process so that first contract activity, which becomes very problematic for a lot of these companies, is somewhat easier.

We’re interested in building a government-wide capability so Phase III companies that have a line of sight into the market and opportunities lined up can go to contracting once and then can be reused.

Many contracting officers don’t even know the SBIR program exists. Many of them have never had to do a Phase III contract before. They’re not used because many contracting officers don’t know how to use this mechanism. We can help bridge that gap.

AL: Two last questions for you both start with “i.” The first one is inflation.

SH: That is definitely affecting our supply base. When you look at 8% inflation, give or take, the cost of goods sold is increasing significantly. The historical policies to manage price fluctuations are getting in the way. So, about three months ago, we issued a deviation that allows companies on GSA contracts to do a fair price edit, or fair price changes, so that we get some level of justification where companies can show that their cost of doing business has gone up. 

We’re allowing them to do those modifications out of cycle. And historically, we’ve limited that to 10% changes, but we’ve waived that 10% ceiling. That has provided some relief for companies that truly are losing business or losing money. We have a deviation that is allowing companies to do a price adjustment not only on their schedule contract, but also on GWACs. And we are processing those every day.

AL: Now, innovation. On the Defense Department side of government, the innovation imperative is critical, and it seems quite broadly understood. The same level of crisis, if you will, the burning platform, does not seem to apply on the civilian side. Is there less need?

SH: No, I don’t think there’s less need at all. 

Civilian agencies have been using machine learning for many years. It’s not a new thing anymore. We’ve been using the cloud for 15 years, so it’s not a new thing anymore. 

The civilian side of government is not one thing. There are many different agencies with different missions. For example, some of the most innovative work in the entire country is going on in the U.S. Department of Veterans Affairs (VA) to improve the veteran experience. Everything from machine learning to artificial intelligence, making sure that digital first is incorporated. The VA is seeking out new ways to engage veterans using mobile capabilities, deploying 5G, and doing telemedicine.

There’s tremendous innovation going on in the U.S. Department of Agriculture where drones are being used to estimate crop yields. And satellite imagery is being used through machine learning to forecast weather patterns. So, there’s tremendous innovation going on. It just happens in a different way. It happens to align with different agencies’ missions, and different agencies have different mechanisms to move that forward.