Industry groups criticize ‘vague’ software supply chain amendment to House NDAA
Industry groups have written to lawmakers, warning that software supply chain proposals included in the House version of the 2023 National Defense Authorization Act are “vague” and “internally inconsistent.”
In a letter sent to House Armed Services Committee leadership from both parties, the Alliance for Digital Innovation, the Software Alliance, Cybersecurity Coalition and the Information Technology Industry Association criticized an amendment to the defense policy that would codify a software bill of materials in the federal procurement process.
If enacted in its current form, section 6722 of the NDAA would require holders of existing covered contracts and those responding to requests for proposal from the U.S. Department of Homeland Security to provide a bill of materials, certify the items in the BOM are free of vulnerabilities or defects and identify a plan to manage any identified vulnerabilities.
Executive Director of the Alliance for Digital Innovation Ross Nodurft said: “SBOMs can be a useful part of a larger program focused on secure software development. However, the process of producing and consuming SBOMs is not mature enough for it to be codified into law at this time.”
According to the industry groups, in its current form, the amendment does not specify whether the bill of materials is limited to software or relates to all components. Risk management guidelines included in the amendment are also at odds with guidance from the Office of the Director of National Intelligence, the National Security Agency and CISA, the trade groups added.
The missive follows a White House memo published earlier today that will require vendors to self-attest their compliance with NIST software supply chain requirements before providing their services to federal agencies.
The House passed its version of the 2023 NDAA in July. The Senate is still considering its own version of the annual policy bill, after which the two chambers will look to combine them in conference before sending the final NDAA to the president.
General Services Administration hires Dan Lopez as director of Login.gov
The General Services Administration has named Dan Lopez as director of the U.S. government-backed secure sign-in service Login.gov.
An agency spokesperson confirmed his appointment to FedScoop and said the technology leader started work in the new role on Sept. 12.
According to LinkedIn, Lopez was previously director of software engineering for the city of Philadelphia and before that held a variety of private sector engineering leadership roles including at educational technology company Instructure and gatherDocs.
Following his appointment, Lopez will oversee the technology as an increasing number of federal agencies turn to the identity management platform. He takes over the role from outgoing Login.gov director Amos Stone.
In April, the Department of Veterans Affairs received an infusion of $10.5 million from the Technology Modernization Fund to support its transition to Login.gov.
An increasing number of government agencies have adopted the government-operated ID verification tool amid concerns over the use of opaque facial recognition technology by private sector companies.
For example, the Internal Revenue Service in February said it was committed to Login.gov as a user authentication tool after abandoning a requirement that taxpayers provide biometric data to verify their identity through a third-party platform.
In recent weeks, lawmakers have floated legislation that if passed could make it easier for technology like Login.gov to be shared between agencies at the federal, state and local levels.
News of Lopez’s appointment was first reported by Federal Computer Week.
CISA to develop ‘self-attestation’ cybersecurity standards for federal software vendors
The White House tasked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to play a key role in deploying new cybersecurity guidelines the Biden administration rolled out Wednesday.
CISA will work with the Office of Management and Budget to create a “common form” that U.S. departments will use to show that software vendors have attested the technology they are selling to the government meets National Institute of Standards and Technology security guidelines.
The new self-attestation guidelines put the burden on federal contractors to take additional steps to show their wares comply with supply chain security standards. CISA will have 120 days to create a form suitable for use by multiple agencies.
According to a White House memo, federal government departments will have 120 days to communicate to vendors the need to adhere to NIST standards, and to collect the relevant letters of attestation.
In addition, within a year CISA must establish plans for a governmentwide repository for software attestations and artifacts. Under the new guidance, CISA will also within 24 months evaluate requirements for the creation of a full federal interagency software artifact repository, and will publish updated guidance on software bill of materials for federal agencies if needed.
Software artifacts are the byproduct of software development and can help to describe the architecture, design and function of software. They can be used to provide an in-depth roadmap of the development process that can help establish the provenance of software.
The memo issued Wednesday morning and first reported by the Washington Post represents the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies.
FedScoop previously reported details of the forthcoming guidance, which has raised concern among technology industry leaders.
White House cyber memo compels vendors to attest software meets security standards
Federal agencies will have to obtain self-attestation from software providers before deploying their software on government systems, according to a new memo issued Wednesday by the White House.
Under the guidance, federal departments must ensure that all third-party IT software deployed adheres to National Institute of Standards and Technology supply chain security requirements and get proof of conformance from vendors.
The memo represents the latest policy initiative from the White House as the executive branch works to rapidly improve cybersecurity standards across federal agencies. FedScoop previously reported details of the forthcoming guidance, which has raised concern among technology industry leaders.
The Biden administration has introduced an array of new measures to ensure agencies modernize their cyber defenses and implement zero-trust architectures since the publication of its cybersecurity executive order in May 2021.
This June, industry executives canvassed by FedScoop expressed a strong preference that the White House pursue a self-attestation requirement rather than a third-party verification process along the lines of the Pentagon’s troubled Cybersecurity Maturity Model Certification.
According to the new memo from the Office of Management and Budget, federal agencies within 90 days will have to inventory all software and create a separate inventory for critical software.
Within 120 days of the memo, agencies must also develop a consistent process for communicating relevant requirements and collect letters of attestation from software providers.
OMB will enforce the new guidance and manage extension requests for the implementation timeframe. It will also work with the Cybersecurity and Infrastructure Security Agency and the General Services Administration to establish requirements for a central repository for software attestations and artifacts.
A copy of the new memo was first obtained by The Washington Post.
NIST and Google sign agreement to produce open-source chips
The National Institute of Standards and Technology has signed an R&D agreement with Google to design and produce new open-source chips.
According to the agency, the deal is intended to boost public and private innovation by establishing a legal framework that eliminates license fees for the technology.
Under the agreement, NIST will create up to 40 different circuit designs for chips optimized for different applications in partnership with universities including the University of Michigan, the University of Maryland, George Washington University, Brown University and Carnegie Mellon University.
Securing the chip production supply chain and ensuring researchers have access to the technology needed for path-breaking research remains a core priority for the Biden administration. Last month President Biden signed an executive order to implement the funding for semiconductor technology included in the bipartisan CHIPS and Science Act of 2022.
The new chips will be paid for by Google and will be manufactured by SkyWater Technology in Bloomington, Minnesota.
The R&D agreement is intended to support innovation by university and startup researchers, for whom the cost of developing such chips can often be prohibitive. NIST’s circuit designs will be open source, meaning that academic and small business researchers can use the chips without restriction or licensing fees.
Commenting on the new agreement, Under Secretary of Commerce for Standards and Technology and NIST Director Laurie Locascio said: “By creating a new and affordable domestic supply of chips for research and development, this collaboration aims to unleash the innovative potential of researchers and startups across the nation.” She added: “This is a great example of how government, industry and academic researchers can work together to enhance U.S. leadership in this critically important industry.”
According to DOC, the new chip designs will provide bottom-layer chips with specialized structures for measuring and testing the performance of components placed on top of them. These include new kinds of memory devices, nano-sensors, bioelectronics, and advanced devices needed for artificial intelligence and quantum computing.
Google Public Sector CEO Will Grannis said: “Moving to an open-source framework fosters reproducibility, which helps researchers from public and private institutions iterate on each other’s work. It also democratizes innovation in nanotechnology and semiconductor research.”
The new chips will be produced as 200-millimeter discs of patterned silicon, which universities and other purchasers can then dice into thousands of individual chips at their own processing facilities.
Universities that will work with NIST on the chip designs include the University of Michigan, the University of Maryland, George Washington University, Brown University and Carnegie Mellon University.
The latest agreement comes after SkyWater Technology earlier this year received a $15 million infusion from the Department of Defense to develop an open-source design for a 90 nanometer fully depleted silicon on insulator technology.
VA plans to award sole-source training contract to support Oracle Cerner EHR migration
The Department of Veterans Affairs has issued a notice of intent to sole source a technology training contract for the agency’s Office of Information Technology to support the transition to a modernized electronic health record.
In an update published on SAM.gov, the VA said it seeks to purchase Amazon Web Services, Red Hat and ENCOR training for staff from technology skills education company Global Knowledge Training.
According to the VA, the training will help OIT employees be better equipped for migration to the Veterans Health Administration’s modernized electronic health record system, which is operated by Oracle Cerner.
Under the contract, Global Knowledge will provide training to VA Office of Information Technology staff in three key areas: ENCOR (Implementing and Operating Cisco Enterprise Network Core Technologies), architecting on Amazon Web Services, and Red Hat system administration.
Under subpart 5.2 of the Federal Acquisition Regulation, when making a sole-source procurement, agencies are required to issue a notice so that all responsible sources may submit a capability statement, proposal or quotation.
The purchase order is expected to be in the amount of $54,000 over a base period of about two months.
VA’s implementation of the Oracle Cerner EHR system has been plagued with issues since its initial rollout in the fall of 2020. An investigation by FedScoop last month found that the system has recorded almost 500 major incidents and at least 45 days of downtime since it first went live.
Senators petition ICE to curtail ‘Orwellian’ use of facial recognition, surveillance technology
Democratic Senators on Tuesday called on Immigration and Customs Enforcement to stop using facial recognition and surveillance technology and to end the purchase of private information from data brokers.
In a letter sent to agency Acting Director Tae Johnson, Sens. Edward Markey, D-Mass., and Ron Wyden, D-Ore., cited a Georgetown Law Center on Privacy & Technology investigation into the use of data for immigration enforcement. The study found that ICE in the past decade has gained access to driver’s license and home address information for three-quarters of American citizens.
The missive is the latest instance of Congress seeking to rein in the purchase of Americans’ personal data by law enforcement and intelligence agencies. Last month, House leaders sent a letter to U.S. law enforcement agencies probing their purchases of private data sets to circumvent warrant requirements.
“According to a recent report, ICE has used facial recognition and other technologies, and purchased information from data brokers, to construct a ‘dragnet surveillance system’ that helps ICE carry out deportation proceedings,” the Senators wrote in the letter.
“Much of this effort, which has enabled ICE to obtain detailed information about the vast majority of people living in the United States, has been shrouded in secrecy,” the Senators added.
The Georgetown investigation was conducted by submitting hundreds of Freedom of Information Act requests and by carrying out a comprehensive review of ICE’s contracting and procurement records.
The lawmakers’ missive comes after documents obtained by the American Civil Liberties Union earlier this year revealed that a partnership with one data broker provided ICE with access to location data from about 250 million mobile devices. In total, the partnership gave the agency access to more than 15 billion location points per day.
Those ACLU documents in July showed how millions of taxpayer dollars were spent by the Department of Homeland Security and ICE to buy access to cell phone location information being aggregated and sold by two controversial and opaque government contracted data brokers, Venntel and Babel Street.
“This surveillance network has exploited privacy-protection gaps and has enormous civil rights implications,” the Senators wrote in their letter to Johnson. “ICE should immediately shut down its Orwellian data-gathering efforts that indiscriminately collect far too much data on far too many individuals.”
‘The Fourth Amendment Is Not For Sale Act,’ introduced by Sen. Ron Wyden, D-Ore., and Sen. Rand Paul, R-Ky., in April 2021, sought to force the police and certain federal agencies to obtain a court order before purchasing people’s personal information through third-party data brokers.
Commerce identifies 15 vendors likely to win spots on $1.5B IT contract
The Department of Commerce identified 15 vendors likely to win spots on its $1.5 billion-ceiling enterprise IT contract, in a preaward notice issued Monday.
Each vendor appears to have made a successful offer to receive task orders on the maximum 10-year Commerce Acquisition for Transformational Technology Services (CATTS) contract.
CATTS is an indefinite-delivery, indefinite-quantity contract covering chief information officer support, digital document and records management, managed services outsourcing and consulting, IT operations and maintenance, IT services management, and cybersecurity.
DOC released a request for proposals in November for the contract intended to reduce its investments in three- to five-year technology refreshes by increasing its agencies’ use of cloud-based, as-a-service offerings, but the department missed its target award date of Sept. 9.
“The government will not consider subsequent revisions of proposals,” reads DOC’s most recent notice. “Please note that no response is required unless a basis exists to challenge the size status [of] an apparently successful offeror.”
According to DOC, successful offerors include: BrightPoint, Centuria, CW-LTS, dotIT, Enterprise Solutions and Management Corp., Halvik, Koniag Management Services, MetrolBR JV, NOVA-Dine, ProGov Partners, Reston Consulting Group, RIVA Solutions, SONA Networks, T and T Consulting Services, and VentechSNAP JV.
The agency has sought vendors that could increase its cloud footprint as much as possible.
The contract consists of one base year and nine option years, and task orders will be awarded on a firm, fixed-price or time-and-material/labor-hour basis and may be performance-based.
DOC anticipates that CATTS will be used to purchase artificial intelligence, DevSecOps, and Federal IT Acquisition Reform Act program support services, and potentially Cybersecurity Maturity Model Certification support.
VMware pays $8M to settle SEC cease-and-desist proceedings over prior revenue disclosures
VMware has agreed to pay a civil penalty of $8 million to settle cease-and-desist proceedings brought against it by the Securities and Exchange Commission over prior order backlog and revenue management disclosures.
In legal documents published Monday, the regulatory body said the matter related to the technology company’s omission of material information in quarterly and annual results disclosures during its 2019 and 2020 fiscal years.
VMware has not admitted or denied any of the SEC’s findings as part of the settlement.
In its cease-and-desist complaint, the SEC said VMware had controlled the timing of certain revenue recognition by placing discretionary holds in selected sales orders. The regulator added that as part of this practice the delivery of license keys to clients was delayed.
“VMware employed discretionary holds when business objectives – including those for ‘bookings’ and revenue – had been achieved, in order not to exceed the company’s revenue guidance by too much and as a way, in the words of VMware personnel, to start the next quarter with a buffer or more momentum than it might have had otherwise,” the SEC argued.
According to the regulator, without omissions that resulted in quarter-end backlog reductions for the fiscal year 2020, VMware would have missed rather than met guidance and analyst consensus estimates for total revenue and guidance for license revenue. It would also have missed guidance for license revenue in the second quarter of that fiscal year, the SEC said.
The Securities Act of 1933 prohibits any person from directly or indirectly obtaining money or property by making any untrue statement of a material fact, or by omitting a material fact necessary to make the statements made not misleading.
VMware and the SEC did not respond to a request for comment.
Christopher Adams to join Treasury as CISO of Departmental Offices bureau
The Treasury Department will next month install Christopher Adams as Departmental Offices bureau CISO, as it works to strengthen its cybersecurity program.
A department spokesperson confirmed the appointment to FedScoop and said the IT leader would start work in the new role on Oct. 10.
The Departmental Offices bureau at Treasury provides leadership in economic and financial policy, terrorism and financial intelligence, financial crimes, as well as general management.
Adams will bring over 15 years of IT experience to the role. According to LinkedIn, he spent more than a decade within the U.S. Air Force, including a stint as the chief information officer of the National Space Defense Center. He also spent more than a year in the private sector as a senior cybersecurity specialist at telecom giant AT&T.
The mission of the cybersecurity program at the Treasury Department is to develop and implement security policies to secure the federal government’s financial infrastructure. This includes the production of coin and currency, the disbursement of payments to the American public, revenue collection and the borrowing of funds necessary to run the federal government.
The Treasury Department has an $829 million cyber budget in 2022, and Congress is expected to increase this to approximately $970 million for 2023 based on the Treasury’s budget request.
Adams has received multiple Master of Science degrees in IT and digital forensics from Trident University International, according to his LinkedIn, and a bachelor’s degree in psychology from Chapman University.