On March 21, 2019, USAID posted to the Federal Register a proposed rule, derived from the Federal Information Technology Acquisition Reform Act 2015 (FITARA) and OMB Memo M-15-14, that would amend the USAID Acquisition Regulation (AIDAR).
The proposed rule contains a revised definition of “information technology” that would include all ICT4D activities, regardless of whether they are designed for external constituents, for our internal organizational needs, or for USAID’s internal systems.
This is a dramatic expansion of the role of USAID’s Chief Information Officer in ICT4D programs.
Proposed AIDAR Changes
Chris O’Donnell has summarized the 31 pages of proposed rule changes for us, which include things like:
- Require USAID/CIO approval of all contracts and subcontracts that include IT assets and services
- Require Legislative and Public Affairs’ evaluation and approval of third-party web sites
- Impose a software license addendum that takes precedence over existing license agreements
- Require all ICT services to meet Federal accessibility and inclusivity requirements
- Require information security staff to complete specialized IT security training
- Restrict information technology systems access to US citizens & resident aliens only
AIDAR Change Impact
The clauses of this proposed rule would significantly delay approval of digital development activities and bypass USAID missions’ capacity to provide the necessary approvals for our work.
In addition, the clause that eliminates non-resident aliens’ access to government information technology systems means that the FSN, TCN and PSC non-resident aliens hired by the 149 institutional contractors cited in the announcement would be denied access to USAID information systems such as the Global Acquisition and Assistance System and the Phoenix financial management system.
Submit Your Comments
If you disagree with any aspect of this proposed rule, you can explain why this proposed rule would be inappropriate, ineffective, or unacceptable without a change.
Address your comments to Carol Ketrick, Bureau for Management, Office of Acquisition and Assistance, Policy Division, using the Federal eRulemaking Portal. You’ll need to identify your comments with:
- Title: AIDAR: Security and Information Technology Requirements
- Regulatory Information Number: 0412-AA87
Comments must be received by May 20, 2019.
This is draconian… who actually thinks/thought this was a good idea?
Agree this is an important and overdue policy change. Pollyanna-ish development types miss the harm their tech can do in terms of dual usage or hacking of beneficiary data. A few years US NGOs in a pool for cheap Internet via RU. Hello? No idea bigger picture of their actions
Wayan—
Actually this is not all that new. USAID has had a review process on the books for all programmatic ICT investments over $100K for over two decades. This is captured in their “ADS Chapter 548 – Program-Funded Independent Verification and Validation (IV&V) Reviews”. It’s available on the Internet and I see it was updated as recently as May of last year.
When I was working at USAID in the mid-late 1990s, this was very active—a team would review on the order of +/- 300 transactions a year. My sense is that this has fallen off the radar screen in recent years, but really don’t have any current inside information as to continuing-current compliance.
Darrell
In digging through the details, I don’t see anything really scary here. This looks like a pretty standard update more geared towards contractors supporting USAID’s IRM functions, w/additions of cloud stuff to the IT definition, and the ability to provide better oversight over IT staff.
The IT staff oversight seemed geared to stop a future Snowden episode. Again, not seeing cause for concern in digging through the links, other than the fact that whitehouse.gov has tons of broken links to OMB circulars.
I also searched directly for any ICT4D language. Couldn’t find it. Would love to see. There were 8 instances of ICT, but many of those were word-fragments. The parts referring to Information Communications Technology seemed pretty much like standard fare and non-scary updates.
So I was on a conference call with CIDC/PSC to review this new rule and I have to say that this article overstates the issue, though there are some legitimate concerns because the language is too vague and broad. Anyone else on the call should add in their comments as well. If anyone wants to be connected with the folks at PSC taking the lead on this, let me know.
First of all, from the conversation, it sounds like the OCIO is only primarily concerned with technology investments that are covered by FISMA/FITARA – those that touch USAID’s systems, and/or are considered systems of record. These systems already have very strong review and security requirements, including having a CISSP on staff, having a privacy protection officer, etc. (btw, Sonjara can provide this level of support, if needed – our CTO is a CISSP and we have two staff going through privacy training).
Project based websites and programmatic ICT investments are NOT intended to be covered by this new regulation – they still have to follow 508 compliance and branding guidelines of course, as they always have. We are currently undergoing a System Accreditation & Authorization for a USAID website. It is a long, costly, and highly complex process. USAID has said that they do NOT want all ICTs to be subjected to these costs and delays.
However, the language does not make that clear. One of the recommendations we had was that USAID provide clear use cases where scope and jurisdiction are applied/not applied – i.e. a USAID contract builds a mobile app to collect data in a host country would NOT be subjected to these regulations, vs. a website like program.net, learning lab, or data.usaid.gov WOULD be…
Secondly, these regulations would apply only to contracts, I believe, and not cooperative agreements.
Thirdly, there was always a regulation that stated that CIO needed to review *programmatic* technology investments over $100K within contracts – it is in ADS 548. https://www.usaid.gov/ads/policy/500/548
We have heard that USAID CIO is sunsetting this office/approach, with no intention of replacing it at the moment.
Fourthly, LPA’s web governance board always reviews the plans for “stand-alone websites” before they are allowed to be started, regardless of whether they are under contracts or cooperative agreements. https://www.usaid.gov/info_technology/xweb has more information.
Finally, these proposed regulations are an improvement over current guidance that is being used by USAID in the interim; we heard stories of how Contracts Officers and CORs are requiring that all technology purchases, including a laptop for field staff, go through OCIO for approval, which is definitely NOT what the OCIO wants.
I do recommend that folks post comments on the regulations that ask for greater clarity on the scope and jurisdiction, as well as mention the potential cost (in funding and time) and the fact that IT security staff are both hard to find and expensive.
A final comment – at the ICT4D conference next week, USAID will be announcing their “Considerations for Managing Data Responsibly”, to help give *voluntary* guidance to USAID staff and IPs on how to manage programmatic data in light of concerns about privacy/security, openness and transparency, and ever increasing demand for data for decision-making/adaptive management. The Considerations were written by the Lab and reviewed and had input from CIO, LPA, PPL and many of the bureaus so it informally reflects current thinking on how to approach data.
My firm, Sonjara, was the lead researcher on this activity so we can help folks understand what the Considerations mean and how to apply them to their work.
Thanks so much for this detail. I asked around to try and get more detail when Chris O’Donnell initially alerted me to this change, but I couldn’t find anyone who had a deeper understanding of the CIO’s intention, and as you say, the language is very vague.
I am relieved that this isn’t an expansion, but more an update to their efforts.