
OMB Memo Forces Agencies to Rethink Procurement Oversight


Officials say OMB’s M-26-10 memo could reduce duplicative software spending, but agencies must avoid slowing mission operations.


Officials say the Office of Management and Budget’s new memo to consolidate control of IT contracts under CIOs can make government IT more efficient and effective, but CIOs must shift their mindset.

“This formalizes something strong CIO shops were already pushing toward, but it raises the bar,” Knox Systems CISO and former Department of Homeland Security CISO and acting CIO Hemant Baidwan told GovCIO Media & Research. “With CIO approval now required across the board, the model has to shift from reactive oversight to embedded decision-making. If approvals become a bottleneck, the policy fails.”

The March 31 memo, M-26-10, aims to consolidate IT acquisition and “procure best-in-class technology solutions, achieve economies of scale, and better serve the public while conserving Americans’ tax dollars,” OMB Chief Russ Vought wrote in the memo.

The memo is part of the White House’s efficiency agenda aimed at helping agencies leverage buying power more effectively. It targets a fractured procurement system that often sees agencies — or even bureaus within the same agency — paying vastly different prices for the same software, according to OMB.

Understanding the M-26-10 Mandate

Federal CIO Greg Barbaccia has framed the crackdown as an end to one-off buys, where vendors bank on agencies not sharing pricing data. To address the issue, M-26-10 establishes three key requirements for covered CFO Act agencies:

  • CIO review and approval: Before an agency spends money on an IT contract, the CIO must review and approve the purchase to ensure technical alignment.
  • Monthly centralized notification: Beginning this month, agency CIOs must submit monthly logs of all IT contracts to the Office of the Federal CIO at OMB.
  • Shared pricing transparency: Future contracts must disclose utilization and pricing information, which will be shared across the federal government to prevent price gouging.

The directive requires agencies to submit their logs by the 10th of every month. While the initial requirement sunsets in October, OMB officials said it might continue if efficiencies are not fully realized.

Empowering the CIO

Experts said the memo gives CIOs legal backing for battles they’ve been fighting internally for years. Gary Barlet, federal chief technology officer at Illumio and former CIO at U.S. Postal Service Office of Inspector General, said that when he joined the agency, IT spending was scattered across the organization with virtually no centralized approval process.

“Just about anybody could go buy whatever they wanted, however they wanted. There was no centralization. There was no approval process,” Barlet told GovCIO Media & Research. “That was one of the first efforts that I undertook. The first thing I did was centralize the authority for purchasing, not the money, just the authority that things had to go through me before somebody could buy it.”

Barlet said the changes saved money through bulk purchasing, eliminated incompatible licenses and reduced administrative burdens on program managers who no longer had to track individual renewals. But he said the effort was difficult and that current agency CIOs now have a formal mandate to support similar changes.

“It took a lot of convincing on my part,” Barlet noted. “It really would have been really nice as a CIO to have that memo to point to.”

Barlet also suggested that many CIOs support the consolidation to save money and extend efficient buying.

“I think a lot of CEOs out there are kind of silently cheering,” Barlet said. “They are going to be able to take this to their agency heads and say, ‘Remember when I told you that this is a good idea?’”

Financially, Barlet said the mandate makes sense in tight budget environments common across federal agencies.

“The CFO was very happy for the fact that I was actually saving money by consolidating software purchases,” he added.

Operationalizing the Shift

While the intent of the memo is efficiency, the operational reality for massive, federated agencies like DHS is more complicated, Baidwan said. Agencies must handle the mandate carefully to avoid grinding mission-critical work to a halt, he said.

“The only way this works is if agencies operationalize it with pre-approved architectures, standard patterns and clear guardrails, so components can move quickly within a defined lane,” Baidwan said.

The shift requires moving from “reactive oversight” to “embedded decision-making.” In a federated model, different DHS components — such as FEMA, TSA and the Coast Guard — have historically operated with significant autonomy to meet urgent mission needs, Baidwan noted.

Scaling challenges could emerge at large agencies, according to former War Department Principal Deputy CIO Leslie Beavers. While the Pentagon is excluded from the memo, other large agencies could see these transparency efforts as significant “structural challenges,” she told GovCIO Media & Research. For frontline staff at some agencies, she said, critical needs may not be met if agencies prioritize scaling already purchased tools.

“Ultimate decision-makers at the departmental level are far removed from the workforce using the software. This distance is problematic when attempting to evaluate the functional necessity or effectiveness of a tool for a specific mission,” Beavers said.

Exposing the Vendor Underbelly

One of the most anticipated outcomes of the memo is the exposure of hidden costs in federal contracts, Baidwan said. He expects that the new level of scrutiny will reveal licensing models designed to look affordable initially, but become prohibitively expensive as they scale.

“You’ll see more clarity around licensing models that don’t scale cleanly, especially where vendors charge based on data ingestion, API calls or user tiers that expand over time,” he said.

Beavers added that acquisition consolidation could also affect tool quality and reduce opportunities for nontraditional vendors. She cited licensing agreements where one fee structure may include 24/7 engineering support and enhanced security hardening while another covers only base software seats.

“The administrative burden of disclosing utilization rates and pricing will likely cause the software supplier list to coalesce around a select few ‘safe’ vendors who can handle the compliance load, stifling the innovation typically provided by smaller, agile tech firms,” Beavers said.

Baidwan added that duplication will become more visible, allowing leadership to tie costs directly to mission value rather than administrative preference. CIOs will now have data to identify situations where multiple bureaus are using different products to solve the same problem, Barlet said.

The Data Quality and Security Paradox

The requirement for monthly reporting to the federal CIO also introduces a significant technical challenge around data normalization, Baidwan said.

“In federated environments, each component tracks spend, assets and usage differently. Pulling that into a consistent, enterprise-level view on a monthly cadence is not trivial,” Baidwan said.

Beavers said that there are long-term upsides to the memo’s data reporting requirements. In addition to the “more standardized digital architecture,” agencies will likely have a better real-time status reporting structure.

“By reducing the diversity of platforms that the CIO must oversee, [agencies] can more effectively compile and analyze acquisition and utilization data in the machine-readable formats required,” Beavers said. “This standardized environment allows for real-time status reporting across formerly disparate bureaus, enabling the CIO to identify waste and ensure that IT investments are strategically aligned with the department’s broader operational objectives.”

Baidwan said that there is also burgeoning concern about the security implications of the transparency required by the memo. While having a “bird’s eye view” of the entire federal IT landscape is beneficial for management, that same dataset is an incredibly high-value target for adversaries.

“Detailed data about system usage, dependencies and cost structures can become sensitive if exposed. It can give adversaries insight into where systems are heavily relied upon or where there may be gaps,” Baidwan said.

A Short Timeline

With reporting starting this month, agencies are being forced to make major organizational shifts at an increased speed, Barlet said. Large-scale organizational change typically requires “prepping the battlefield,” forming relationships and winning over skeptical program managers who fear losing control over their budgets, he said.

“This is a very in-your-face, start now [approach],” Barlet told GovCIO Media & Research. “This is one of the few instances where I’m probably going to find myself saying the government may be moving too fast.”

The danger of moving too fast is that it can exacerbate internal “territorial battles” and lead to “unintended consequences” like an increase in shadow IT, Barlet said. If users find the new centralized processes too slow or restrictive, he added, they may resort to using less secure personal devices or unauthorized software “by hook or by crook” to get their jobs done. Barlet added that larger agencies, in particular, will find it nearly impossible to meet these goals in a matter of months.

“I just don’t think that the CIOs have been given the appropriate amount of time that it’s going to take to really pull this off,” he said.
