The Rules #

Federal procurement involves a lot of rules. For the most part, unless you are an 1102 or a lawyer, you will not need to understand the nuances of the different rules. But 1102s and lawyers do need to understand the nuances; that’s their job.

From time to time, acquisition professionals may behave in seemingly irrational ways, and will usually blame that irrational behavior on the rules. A lot of the time, that’s because they are following seemingly irrational rules. As we’ll discuss more below, a lot of the rules in federal tech procurement are weird. Often, though, acquisition professionals do things because they think they’re following the rules, but are actually just doing something “the way we’ve always done it.”

As a general principle, you should assume that the acquisition professionals and lawyers are making decisions based on the seemingly irrational rules, and try to understand their reasons. Occasionally, though, the acquisition professional has more flexibility than they realize, but other constraints (e.g., internal politics, time, etc.) show up as blockers.

To help you begin to anticipate where and why the rules may play a role, this section will cover the major policy goals and practices behind federal tech procurement, and the three major sources of rules you’ll encounter.

The (competing) policy goals of the procurement system #

Suppose you want to buy a new car. How might you decide to do that? Initially, you would probably choose a type of car. In this hypothetical, let’s suppose you want a 4-door sedan.

Now, some of you might go straight to choosing the “make” of the car. Let’s slow that impulse and explore why you might choose a given make. Likely, you have a budget in mind. If you’re budget-conscious, you might be more interested in a brand like a Honda or Chevy, and likely not be interested in a brand like a Lexus or BMW. Price is a major criterion in any purchasing decision.

Beyond budget, though, there are likely multiple other criteria. For example, you might want an “American-made” vehicle (though defining American-made is more complex than it may seem at first blush). Or, you might want a sedan that’s considered more reliable, to enjoy lower maintenance costs or a longer lifespan. Or, you might want a vehicle that is likely to have a higher resale value. Or you might want a hybrid or electric vehicle. The point is that deciding how to buy a car involves lots of different criteria and options.

The same is true for government procurement; buying the “right” thing can be complicated. But, in government, there’s a twist. Politics. While buying a car is a personal decision, involving implicit and explicit preferences, government purchasing involves policy choices about how public funds should be spent.

Making matters more complicated, the policy choices associated with public procurement are often in tension with each other. For example, because political actors believe that market forces lead to lower prices and better quality, they have established rules and regulations requiring competition. But competition can be time consuming and burdensome, so political actors have established rules and regulations that are designed to promote efficiency. Sometimes bad actors try to cheat, and get caught, and as a result political actors establish rules and regulations around integrity and transparency.

Indeed, Professor Steven Schooner has outlined nine different goals that most public-procurement systems attempt to balance:

  1. competition
  2. integrity
  3. transparency
  4. efficiency
  5. customer satisfaction
  6. best value
  7. other policy goals, such as wealth distribution
  8. risk avoidance
  9. uniformity

Sometimes these policy goals support each other. Often, though, they conflict. And because they conflict and because government involves Capital-P Politics, the result is a rather complex set of rules and regulations intended to limit the discretion of individual purchasing officials.

Whether this result — limited autonomy of government purchasing officials — is inevitable or not is beyond the scope of this book. Suffice it to say, though, that our political system binds procurement officials to a large number of rules because political actors have a propensity to challenge individual purchasing decisions in hindsight, and the procurement system responds by establishing processes intended to defend those decisions from ex post scrutiny. This emphasis on auditability as a defense mechanism is a dominant theme in federal procurement.

The 3 Fs of tech procurement #

Moving from theory to practice, there are 3 major sources of rules that apply to federal tech procurement in 2021, which we call “the 3 Fs”: the FAR, FITARA, and FISMA. We’ll discuss each in turn.

The FAR #

The first “F” of federal procurement is the Federal Acquisition Regulations, or “the FAR.” The FAR is effectively the bible for Contracting Officers; it’s several thousand pages long, filled with “thou shalts” and “thou shalt nots,” and is the canon for federal procurement. It is the starting point for all conversations about what is possible, and what is prohibited, in contracts.

[More to come]

FITARA #

To those of us who work in federal procurement every day, FITARA, the Federal Information Technology Acquisition Reform Act, was a huge game changer. Leading up to its passage as part of the National Defense Authorization Act in 2014, there was endless lobbying, jockeying for position, and speculation about what it would mean for how the government buys IT. In the end, as with most procurement legislation, it contained ambitious goals and left the specifics to be ironed out by Executive Branch components. Unlike most legislation, FITARA had teeth, and it has worked to transform cultures and save billions.

Technology changes quickly. The government does not. Of the approximately $70 billion the government spent on information technology (IT) in Fiscal Year (FY) 2013, about half went to maintaining legacy systems. Capabilities and functions were duplicated across agencies and within agencies. There was very little central management and very little strategic investment planning. There was no way to tell if the money being spent resulted in any benefit to the taxpayer. The 1996 Clinger-Cohen Act tried to address some of this, but did not produce results.

Congress passed FITARA to streamline technology acquisition, make oversight more efficient, and help agencies align investments to objectives. Its goal was to drive down IT costs by reducing redundancy and waste. It mandates collaboration, effective management of investment, consolidation of duplicate software licenses, and standardization of procurement approaches across agencies. Here are some of the important components of FITARA:

  1. Appoint a single CIO at 16 of the most important agencies - the CIOs report directly to the agency heads and have specific authority over budget planning and hiring
  2. Establish the CIO Council as the forum for improving investment decisions, the effectiveness of which is evaluated by the Government Accountability Office (GAO)
  3. Identify a Federal CIO (Administrator of the Office of E-Government & Information Technology at OMB) who is mandated to optimize the use and cost of data centers
  4. Create a government-wide inventory of IT assets (DoD not included)
  5. Identify and consolidate government websites
  6. Promote the benefits of transition to cloud computing
  7. Create a mandatory approval process for creating new contract vehicles through the Administrator for Federal Procurement Policy (OFPP)
  8. Mandate collaboration on and standardization of requirements for procurement of commonly used IT infrastructure and applications
  9. Designate Assisted Acquisition Centers of Excellence (AACEs) with authority to make and implement best practices and assist agencies in procurement
  10. Require a comparative value analysis when purchasing items that are included in the Federal Strategic Sourcing Initiative through other avenues
  11. Allow executive agencies to establish price in advance on firm-fixed price (FFP) contracts, allowing vendors to compete only on non-price factors
  12. Provide additional information on IT investments to the public
  13. Provide guidance on the validity of open-source software as an option without a bias for how the software is developed or distributed and require standards to include guidelines for effective adoption of open source software.

These objectives were truly transformative. They addressed longstanding issues with technology management and acquisition in the government with sweeping reforms. As with big changes in any large organization, the devil is in the details. Specifically, government agencies have different cultures, different needs, and different missions. Consolidation and standardization are hard, and reaping the promised benefits can sometimes be hindered by the need to focus on what each agency was created to do.

Surprising precisely nobody, implementation has not been smooth or even across all agencies. In fact, the August 2020 FITARA scorecard was the first in which all agencies received a passing grade of C+ or above.

FISMA #

The third “F” of federal procurement is the Federal Information Security Management Act, or “FISMA” (pronounced “FIZZ-mah”). Although there are multiple aspects to FISMA, the impact on federal tech procurement is relatively straightforward. FISMA requires that an “information system” used by the government implement certain security controls and maintain an “authority to operate” (or “ATO”) for the system.

Depending on the agency and the nature of the information system in question, obtaining an ATO can be an expensive and laborious effort. That’s because, to obtain an ATO, the information system must implement and sufficiently document security controls that meet the standards set forth in a document called NIST 800-53. Which specific controls are implemented depends on the agency’s assessment of risk, which is based on a framework called “FIPS 199.” Under FIPS 199, systems are classified as Low, Moderate, or High impact systems.

To help promote the use of cloud-based technologies, GSA operates a program called FedRAMP, which reviews contractors’ security controls to ensure compliance with NIST 800-53 and FIPS 199 and provides a “provisional ATO” that agencies can formally adopt. Although FedRAMP is not typically a legal requirement at the outset of a contract, some agencies require that systems be approved by FedRAMP.

Although most folks involved in tech procurement will not need to understand the specifics of FISMA, it is important to understand that technology systems will need an ATO, and that the agency will have a process that is intended to ensure FISMA compliance. Planning for FISMA compliance will save significant headaches during acquisition.

Category management #

[More to come]

Procurement Integrity #

[More to come]