FedRAMP moves to coordinate with DHS security initiative

The Federal Risk and Authorization Management Program, or FedRAMP, issued a draft coordinating document Thursday aimed at further securing the government’s use of cloud computing.

In collaboration with the Department of Homeland Security, FedRAMP has created an overlay that integrates the Trusted Internet Connection, or TIC, program into its cloud security requirements, allowing agencies to streamline their efforts to secure their data in cloud environments while also securing network connections to the cloud.

Currently, anyone wanting to reach a FedRAMP-authorized cloud service while also complying with TIC must route traffic through an agency connection that is either designated as a TIC Access Provider or obtained through a Managed Trusted Internet Protocol Service, or MTIPS. Backhauling cloud traffic this way puts significant strain on agency networks and undercuts one of cloud’s inherent advantages: access to files anywhere, at any time, from any device.

The diagram describes how the new FedRAMP-TIC overlay will allow mobile users to securely access the cloud. (FedRAMP)

With these new requirements, FedRAMP and TIC have created a way for mobile users to access the cloud without going through a TIC Access Provider or a Managed Trusted Internet Protocol Service (MTIPS) connection.

Cloud service providers can now prove they are “TIC Ready” along with meeting FedRAMP’s other security requirements, giving agency users the ability to connect to the cloud in a variety of ways.

In a release, FedRAMP was specific in saying that this overlay is a “first step,” and the office, as well as DHS, will be working to vet the requirements and make any necessary updates.

FedRAMP will be taking feedback on the requirements until May 2.

Find the new draft overlay on the FedRAMP website.

NASA most innovative agency for 5th straight year

NASA continues to rake in honors for its workforce practices.

Not only is the agency the best place in government to work, according to the Partnership for Public Service, it’s also the most innovative for five years running.

The Partnership released its fifth annual “Best Places to Work in Federal Government” innovation analysis for 2014 on Wednesday. And each year since the index was launched in 2010, NASA has scored as the most innovative in the “Large Agencies” category.

Despite a decline in the governmentwide innovation score — from 59.4 out of 100 in 2013, to 58.9 in 2014 — NASA’s innovation score increased by nearly a point to 76.7 last year.

NASA’s regional space centers are also doing something right, according to the analysis. They took four of the top five rankings in the report’s “Subcomponents” category.

The innovation scores are calculated based on responses to three statements pulled from the Office of Personnel Management’s 2014 Federal Employee Viewpoint Survey: “I feel encouraged to come up with new and better ways of doing things,” “Creativity and innovation are rewarded” and “I am constantly looking for ways to do my job better.”

So what does NASA do so well? It empowers its employees by rewarding them for creativity, innovation and taking risks, according to the report. Specifically, it recognizes innovation through awards, like the Lean Forward, Fail Smart Award, given to those who are “responsible risk takers,” according to the agency.

Elsewhere in government, while nearly 90 percent of the workforce “said they are constantly looking for ways to do their jobs better,” the report said, “only 32.7 percent believe creativity and innovation are rewarded in their organization and just 54.1 percent feel encouraged to come up with new ways to do their work, responses that should serve as a wake-up call to government leaders.”

That means that though the workforce may be motivated to think outside of the box, there’s little incentive to risk doing so.

“Overall, the data suggests employees do not feel empowered in their work and are not being recognized for their efforts, two underlying conditions that need to change for an innovative culture to flourish,” the report states.

For medium-sized agencies, the Federal Trade Commission was the most innovative, and for small agencies, the Surface Transportation Board scored best.

A ranking of the most innovative agencies in federal government. (Partnership for Public Service)

Mobility: It’s not just about devices and apps

It was perhaps an unexpected remark for a government mobility conference.

“I thought about titling this presentation, ‘It’s not all about mobile,’” said Phaedra Chrousos, an up-and-comer at the General Services Administration, as attendees of FedScoop’s MobileGov Summit chuckled.

Chrousos, an associate administrator of the Office of Citizen Services and Innovative Technologies/18F and GSA’s chief customer officer, leads a team of 230 engineers and technologists who help other agencies develop, learn about or buy technologies. And too often, she said at the event Wednesday, CIO shops come to her agency assuming that what they need is a mobile app.

Instead, agencies should focus on the users and determine what they need. The government, she said, needs to be device agnostic.

“We’re really looking to be responsive to our customers’ needs, not just focus on a mobile device or a mobile app, per se,” said Chrousos, whom FedScoop recently named one of D.C.’s Top 50 Women in Technology.

One app that exemplifies placing a premium on the “customer journey” is PTSD Coach, she said. Created by the departments of Veterans Affairs and Defense, the app is meant to help service members suffering from post-traumatic stress disorder. The app helps identify how stressed the user is and offers the user coaching sessions to relax. It also has an “SOS” feature for users who have a very high stress level.

In designing the app, developers mapped out how it should function with the help of psychologists who treat PTSD. Symptoms of PTSD can arise at any time throughout the day, so choosing to use an app made sense, Chrousos said.

“They really took the time to work with psychologists and work with end users to really understand their journey,” she said.

Earlier in the day, two representatives from Hewlett-Packard Co. also outlined the importance of understanding the customer. Raymond Holder, client executive for federal health care and mobility solutions for HP Enterprise Services, said agencies that up their mobile game have a seemingly unexpected benefit: They increase governance.

“If you provide the things people want the way they want, you get more people working with the system,” he said.

How mobile apps could help protect law enforcement

Imagine if, when a law enforcement officer gets shot, his vest could send out a signal telling dispatch where he’s been hit. Or, what if a sensor on an injured officer’s wristband could beam her vitals to EMTs en route to treat her?

It’s a future that Wolf Tombe, chief technology officer for Customs and Border Protection within the Department of Homeland Security, imagines for mobile applications in government: apps that build on consumer wearables in development that could help his agency better protect its agents.

“These technologies are out there,” he said at the MobileGov Summit at the Newseum Wednesday. They are inexpensive and easily modified, and they will probably outperform anything a conventional request for proposals could yield, he said. “They offer the potential for real life saving.”

Typically when paramedics respond to a call, for example, they spend the first few minutes asking questions and taking vitals. But with data taken from a wearable, they could skip a step, Tombe said.

He added, “Minutes make all the difference between life and death.”

But Tombe said embracing mobility is also critical for day-to-day office operations. Indeed, he said he has a tablet that he can dock at a station at home or at work — “I’m always connected.”

Startup costs for any new tech framework are high, he said. But the long-term savings will dwarf those initial costs.

“Mobility is not a ‘nice to have;’ it’s a must-have. And we need to be smart about how we implement it,” he said at the event, produced by FedScoop.

But innovation in government applications won’t only come from agencies. People outside government have the potential to make it more efficient through apps as well, said fellow panelist Ted Henderson, founder of the startup Capitol Bells.

Henderson’s app reads the buzzers in the Capitol complex that tell lawmakers when it’s time to vote. It then uses that information to send out vote alerts to users. A former Hill staffer, Henderson said the app makes it easier for schedulers and other aides to track what is happening on the House or Senate floor so they can make more efficient use of their time.

His newest project, called Cloakroom, is a digital social network that lets Hill staffers anonymously talk shop. He said it’s an effort to break down communications barriers that have built up on the Hill.

Henderson said the volume of data released by the government gives civilians like him unlimited potential to help the government improve.

“I want to encourage a class of people – civic hackers – across the country” to tap that government data, Henderson said.

‘National emergency’: Cyber attackers face new sanctions

President Barack Obama signed a new executive order Wednesday that declares foreign-based cyber attacks against U.S. networks “a national emergency,” freezes the assets of hackers involved in attacks against critical infrastructure and blocks their entry into the U.S.

The new order “declares a national emergency with respect to the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States posed by the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by, persons located, in whole or in substantial part, outside the United States.”

Obama has authorized the Treasury Department to impose the sanctions on individuals or entities regardless of national origin. The order also covers foreign hackers responsible for, or complicit in, attacks that target corporate trade secrets or customer data belonging to U.S. companies, either for personal or commercial financial gain.

Special Assistant to the President and Cybersecurity Coordinator Michael Daniel told reporters the new order is part of the administration’s larger effort to confront the increasing number of cyber threats facing the U.S.

The order is designed to enable the U.S. to take action “against the worst of the worst … overseas actors” who often reside beyond the reach of U.S. legal authorities, Daniel said. “We will not certainly be using this to target free speech or going after the open Internet. It’s a very targeted and limited authority,” he said. However, it is broad enough to encompass any malicious cyber activity — regardless of country of origin — deemed to pose a significant threat to U.S. security.

And that could also mean foreign companies, Daniel said. “There are companies that hire hackers to steal intellectual property,” he said. But Daniel added that the administration would have to be able to “make the case” that any such attack rose to the level of posing a threat to the nation’s security or economic stability.

John Smith, acting director of the Treasury Department’s Office of Foreign Assets Control, said the order will allow the U.S. government to put a name to hackers who have hidden behind their online anonymity, but it is not designed to police the Internet or stifle innovation.

“While this authority is powerful, it is a piece of the U.S. government response,” Smith said. “We intend to use this tool judiciously.”

Daniel said that the order has been in the works since the 2014 attack by North Korea against Sony Pictures Entertainment and that the administration’s proportional response to that attack assisted the administration in crafting the language of the order.

The order is the first of its kind that moves a sanctions regime beyond specific nations or foreign individuals, “allowing us to target the activity itself wherever it arises,” Smith said.

The order targets what the White House refers to as the most significant cyber threats the nation faces, “whether they are directed against our critical infrastructure, our companies, or our citizens.”

Specifically, the order takes aim at individuals or entities that engage in cyber attacks or activities designed to:

Smith said the sanctions would freeze the assets of targeted individuals or entities, impose a visa ban and prevent Americans from doing business with or supporting those individuals or entities.

Beyond imposing the sanctions, the order is also designed to provide a deterrent effect for those who might consider conducting such attacks in the future, Daniel said.

Daniel said the sanctions are likely to have a significant impact due to the size and reach of the U.S. financial system. “We also hope that some of our allies consider joining us,” he said.

Copyright Office needs to justify its $7M funding request – report

About a month after intellectual property lawyers implored Congress to help the Copyright Office modernize its IT systems, a new report found that the agency hasn’t adequately justified the $7 million it requested for improvements.

“Specifically, it has not identified the business needs they are intended to meet, expected costs, or how they align with the agency’s strategic plan, as called for by Library IT investment management policy,” according to the Government Accountability Office report out Tuesday.

At the same time, the report is quick to acknowledge that the Copyright Office faces organizational challenges: While the Copyright Office deals in intellectual property, it falls under the purview of the Library of Congress, not the U.S. Patent and Trademark Office.

“[T]he Library has serious weaknesses in its IT management, which have also hindered the ability of the Library and the Copyright Office to meet mission requirements,” according to the report, which was commissioned by the Senate Appropriations Committee. The $7 million was requested for fiscal years 2015 and 2016.

The report also noted that the Library of Congress has not had a permanent chief information officer for more than two years. (Though, in a separate GAO report out Tuesday that also found “significant weaknesses” in the Library’s IT management, Librarian of Congress James Billington said a permanent CIO would be on board at the agency by September.)

One IT product of particular frustration is the Copyright Office’s primary registration system, Electronic Copyright Office, or eCO, the report said.

Agency staff complained that the system crashes multiple times a day, requiring the staff to restart the system or their computers, a major productivity drag. The system got low marks from external users as well. More than a third of eCO users reported in a recent survey they weren’t satisfied with the system’s ease of use.

“One respondent stated that ‘this is, hands down, the worst site I have ever had to navigate’ and noted that it took the individual 4 hours to submit the registration application,” according to the report.

In a response to GAO’s findings, Maria Pallante, U.S. register of copyrights, questioned whether it made sense to house the Copyright Office under the Library of Congress.

“[W]e should consider whether a steering committee comprised of Library managers tasked with making Library-wide decisions … is the right solution for the kind of evolution expected by copyright stakeholders,” she said.

Gender-based STEM gaps in government declining — OPM

Though there are significant gaps between the employment of men and women in science, technology, engineering and mathematics fields within government, a new Office of Personnel Management report said those gaps are narrowing.

Since the release of the Federal Employee Viewpoint Survey in October, OPM has periodically been highlighting themes in federal employment and hiring using the survey’s data. After releasing earlier reports on millennials and education trends in government, OPM’s latest report explores the state of women in federal government, published the same day as FedScoop’s Top 50 Women in D.C. Tech feature.

“According to OPM’s analysis, there are more opportunities for women now than there were a decade ago,” the report states.

Of note for the federal IT community, the report highlights that the number of women in STEM-related positions is growing in the federal government and the percentage gaps between men and women “have been steadily narrowing.”

Still, the gaps are pervasive. Of all federal engineers in 2014, just 16.9 percent were women. Women hold just 30.1 percent of technology-related jobs and 33.3 percent of science jobs. Math is the field where women are best represented, at 35.3 percent of federal mathematicians, yet that still leaves a gap of nearly 30 percentage points between male and female mathematicians in government.

But those gaps are progressively narrowing, according to decade-old FEVS data. “In 2005, the gap between these men and women in science jobs was about 47 percent,” the report said. “By 2014, the gap was 33.4 percent, a 13.6 percent decline.”

Many federal IT leaders gave advice to women pursuing a federal career in STEM as part of FedScoop’s Top 50 Women in Tech list.

OPM plans to act on this data with its Recruitment, Engagement, Diversity, and Inclusion, or REDI, Roadmap, announced earlier this month, to bring more gender equality to the entire federal workforce. Women currently make up 43.3 percent of the federal workforce compared to 46 percent in the private sector.

“We’re working hard to remove the barriers to women having seats at decision tables at every level of Federal service,” OPM Director Katherine Archuleta said in a statement. “This report will help inform our efforts as we work to help women progress in their careers.”

To attract more women to the workforce, the federal government is promoting a more flexible work-life balance using tools like telework, alternative work scheduling and a new presidential memorandum that modernizes leave policies for childbirth. OPM is currently developing a handbook for guidance on the latter policy.

“Our work-life policies are continually evolving to make the balance of caring for families and pursuing a career complementary, rather than contradictory,” Archuleta said.

One place the federal government already excels in comparison to private industry is appointing female leaders. While only 14.6 percent of senior leaders in the private sector are women, according to a March 2014 report by the Center for American Progress, 34 percent of the federal Senior Executive Service are women. And OPM says that growth is “particularly evident among younger women who recently entered the workforce,” the report states.

UK government taking lead on cyber insurance

Insurance companies in the U.K. are beginning to use Cyber Essentials, the British government’s baseline cybersecurity certification scheme, to verify cyber risk reduction efforts throughout the small- and medium-sized business community. That is a significant advance over the U.S. market, where cyber insurance remains largely focused on data breaches.

In the U.K., insurers will now look to include Cyber Essentials certification as part of their small- and medium-sized enterprise, or SME, cyber risk assessment, according to a report released last week by the U.K. government and London-based insurer Marsh Ltd. The Cyber Essentials scheme is the closest U.K. counterpart to the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology in the U.S., though it is narrower in scope: certification attests that an organization has implemented five basic technical controls (boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management) rather than a full risk-management framework.

The news comes as government officials in the U.K. and the U.S. have expressed concerns about the lack of cyber insurance adoption by small- and medium-sized businesses. Although the cyber insurance markets in both countries have grown significantly in the past year to more than $2 billion, that growth is primarily attributed to large enterprises. Most companies not only assume they have more cybersecurity coverage than they actually do, but many don’t even know where to start to obtain coverage.

“Many businesses are overestimating the extent to which their existing insurance provides cover for cyber risk,” Francis Maude, U.K. minister for the Cabinet Office and paymaster general, wrote in the introduction to the report.

Working with Marsh and other insurance companies, the U.K. government discovered that 52 percent of chief executive officers believed they had proper cyber insurance coverage, when less than 10 percent actually did. The report blamed the disconnect on the complexity of existing cyber insurance policies.

“Traditional insurance products have not been designed to protect clients against cyber risks. In addition, underwriters of traditional insurance business lines have, in some cases, reacted to the emergence of this new class of risk by introducing cyber exclusions,” the report states. “The result for clients is a complex picture, with a mix of implicit and explicit cover as well as a number of exclusions to contend with. It makes it an exercise in and of itself to ascertain the true level of cover for any given cyber-risk scenario.”

In addition, half of the CEOs surveyed did not realize that cyber risks could even be insured. To help increase awareness, Lloyd’s of London, the Association of British Insurers and the U.K. government have agreed to develop a guide on cyber insurance and to host it on their websites.

“At present, within the insurance sector, the cyber threat is not well defined, with confusion surrounding definitions based on different causes and consequences,” the report states. “Insurers tend to conflate cyber with data breach given the well-developed demand for that cover driven by US regulation; however, UK firms have broader concerns about possible damage from cyber risk, including business interruption, damage to property, and theft of intellectual property.”

Marsh “has arranged for a type of cyber insurance cover for SMEs that pays for the cost of Cyber Essentials certification to reflect the risk reduction that accreditation represents,” the report states. “This should help lead to large firms and banks expecting Cyber Essentials from the SMEs they deal with.”

More data needed

One of the biggest challenges identified by the U.K. government report is the lack of data to help insurance firms better understand the risks different firms face and how to price policies in a way that not only covers that risk but also keeps pressure on firms to maintain minimum security safeguards.

“A paucity of data makes attempts to model cyber exposure difficult. Not only do traditional impact tests such as ‘value at risk’ suffer through a lack of data, they also focus on solvency (size of loss) rather than liquidity, which is the more likely cause of failure from a cyber event,” the report states. “In addition to reducing pricing differentiation, the scarcity of data forces insurers to use over-conservative assumptions. Any form of data pooling among underwriters would therefore benefit their customers.”

In a blog post published March 28 on LinkedIn, Tom Finan, senior cybersecurity strategist and counsel at the Department of Homeland Security, said data pooling by insurers could have larger beneficial impacts.

“Such loss data pooling most likely would involve the sharing of claims information generated from existing cybersecurity insurance policies,” Finan wrote. But to expand those policies to include new areas where little or no coverage exists, including critical infrastructure loss and cyber-related business interruption, sharing of more “raw” loss data is necessary, he said.

“In my view, any form of data pooling about cyber incidents among private and public sector organizations, whether cybersecurity insurance is involved or not, would have a similarly beneficial effect,” Finan wrote. “Analysis of voluntarily shared raw cyber incident data — including loss data — could help inform not only the risk mitigation strategies and investments of chief information security officers but also the risk transfer calculations of insurers that are seeking more solid footing before expanding their current policy offerings beyond the well-established data breach market.”

D.C.’s Top 50 Women in Tech 2015

America has always been a nation driven by innovators. But the need to encourage more women into the fields known for spurring innovation — including technology, science, engineering and math — has become a pressing national priority.

That’s why FedScoop has once again sought to recognize 50 women whose vibrant energy, determination and imagination are making a monumental difference in the federal government IT community, and whose impact is being felt across America.

We call it D.C.’s Top 50 Women in Technology. But in reality, we believe these women are the leaders of our time who will inspire a new generation of women about the possibilities of embracing technology, just as Rear Adm. Grace Hopper did a generation ago with her pioneering work developing FLOW-MATIC, a precursor to COBOL, and later leading Navy efforts to standardize and validate COBOL and FORTRAN compilers.

This year’s list reflects an impressive range of talent and accomplishments, with diverse backgrounds representing government, Congress, the commercial sector, defense and academia.

Women like Arati Prabhakar, who leads some of the most forward-leaning technology developments in the world for the Defense Advanced Research Projects Agency; Megan Smith, who headed Google’s business development before becoming chief technology officer of the United States; Secretary of Commerce Penny Pritzker, who has become a champion for harnessing data for U.S. innovation; Margie Graves, who as deputy chief information officer at the Department of Homeland Security has been a voice of continuity for agile development, mobile and cloud technologies; and Lynda Pierce, the second-highest-ranking IT leader in the Navy.

But the list also includes many others whose behind-the-scenes presence is equally noteworthy for the billion-dollar IT budgets they oversee, the influence they wield over data and cybersecurity standards, and the impressive ranks to which they’ve climbed in the public and private sectors in and around Washington.

What they all have in common is their passion for putting technology to work — and for leading and mentoring others — in an effort to make government and public service more innovative.
As we did last year, when we launched D.C.’s Top Women in Technology for 2014, FedScoop’s editorial staff sought recommendations from across the federal government and the IT community to develop and ultimately narrow down this year’s list of 50 women. We then interviewed each one about what drew them into public service, what they’ve learned about leadership and what inspires them in their current roles.

We know by limiting our list to 50, we had to leave out many other deserving women. Our hope in highlighting these 50 remarkable women, however, is to shine a bright light on the incredible trails these women are blazing in and around Washington’s technology community — and hold them up as examples for the next generation of women to follow.

The following FedScoop staff editors contributed to this report: Wyatt Kash, Corinne Lestch, Billy Mitchell, Greg Otto, Dan Verton, Jake Williams, Whitney Blair Wyckoff with additional help from Ryan Verhey and Emma Whitehead.

(Megan Smith photo by David Sifry via Flickr.)

DHS wants better wearables for nation’s first responders

DHS wants startups to figure out how to embed wearables in things like firefighters’ flame retardant suits. (Pixabay)

Police officers wearing ballistic plates that double as lithium-ion batteries. 3-D printed knobs that attach to radios so firefighters can manipulate their communications while wearing gloves. Lifesaving devices for EMTs that can be powered by human movement.

Those were some of the ideas discussed earlier this month at a South By Southwest Interactive workshop hosted by the Department of Homeland Security’s Science and Technology Directorate and aimed at cultivating ideas for how first responders can use wearables.

Over the course of the workshop, directors from DHS’s S&T office talked about the need to advance a national conversation on how these ideas can make the country safer while also changing the way federal, state and local governments procure their products.

DHS Deputy Undersecretary for Science and Technology Robert Griffin emphasized the need for people to “think creatively” as they come up with ways first responders can leverage the Internet of Things.

“How can we use existing infrastructure in different ways at a price point that will allow us to jump up forward with some of this capacity?” Griffin asked the attendees. “That’s the type of innovation the Internet of Things can offer to us. It’s only bound by your innovation and curiosity.”

In order to cultivate that innovation, the directorate recently launched its EMERGE! accelerator program, which looks to help the development of wearable technologies and provide a path to introduce them to a variety of markets.

In a partnership with DHS’ Center of Innovation, the U.S. Air Force Academy and the nonprofit Center for Innovative Technology, the accelerator will help develop and launch ideas into companies by providing early market validation, mentoring and access to private investment.

Reginald Brothers, DHS’ undersecretary for science and technology, wants to use this accelerator to create a “defense industrial base” for first responder wearable technology.

“What we are trying to do is not go with the 50 companies that give almost 50 percent of the federal R&D budget right now; we want to get beyond that,” Brothers said. “We understand what the market actually is and how we can make a business case for these types of things.”

At the SXSW panel, a number of people who advise startups argued that the government market is lucrative and continues to trend upward.

“There used to be two sectors venture capitalists would tell you not to ever go into: education and government. That is starting to change,” said John Miri, who has spent 15 years working with state and local governments on various technology issues.

Now working as chief administrative officer for the Texas-based utility Lower Colorado River Authority, Miri told entrepreneurs in the room that the state government IT market alone is $95 billion per year.

Yet even with that number, the advisers were quick to point out the maze for anyone looking to land their product in the hands of government-backed enterprises.

Gabriella Draney, CEO and co-founder of Tech Wildcatters, a Dallas-based startup accelerator, drove home the point that even with billions coming from states, most local first responders operate on an extremely tight budget. While EMTs and volunteer firefighters do have technological needs, their budget constraints are a problem startups also have to take into account.

“It’s not about what’s the cool technology. It’s not even about what’s your problem. It goes deeper than that,” Draney said. “What’s your problem and how much are you willing and able to pay to solve that problem? Start thinking about what problems they are facing beyond running into a burning building.”

Whether the hurdles be technological or financial, David Ihrie, CIT’s chief technology officer, said he and DHS are willing to hear any ideas that could further their mission.

“We are actively looking for companies,” Ihrie said. “If you have an idea, bring it to the table. If you know somebody who has an idea, let us know about it.”