Log4J flaw causing Army to take second look at open source software
The Army has been watching the Log4J vulnerability closely as it looks to open source software as a way to cut licensing costs, Army CIO Raj Iyer said Thursday.
The Army already spends more than $2 billion a year on software licenses, and in a political environment where the department’s overall budget is likely to be cut, saving every dollar has become an imperative. Open source software is still an option, but more attention is needed on the provenance of code that the Army uses from the open source community, he said.
“We definitely are a believer in open source, but it means we have to put extra effort from a cybersecurity perspective,” Iyer said during AFCEA NOVA’s Army IT day.
The comments came as technology giants and federal agencies this morning met at the White House to discuss open-source software security in response to concerns over the widespread Log4j vulnerability.
Log4j is widely used open source logging software for websites. It was discovered in November that a vulnerability allowed attackers to remotely access networks through the software, causing concern across industry and the government. Other government agencies have been watching it closely and urging both federal agencies and private sector companies to patch their systems.
Open source tools offer the Army the possibility to reduce the cost of its systems. To use them, though, Iyer wants a more robust governance system for how code is reviewed before it can touch Army tech. One of the biggest concerns is ensuring there is visibility into where the code comes from and that its origins are not in adversarial countries that could insert backdoors into software.
But if done right, Iyer sees an opportunity to reduce costs.
“It’s truly an imperative for me to bring down our bills,” he said.
Commerce seeks nominations for Internet of Things advisory board
The Department of Commerce is seeking nominations for a new advisory panel on the Internet of Things.
The 16-member Internet of Things Advisory Board was established to advise a recently established federal Internet of Things working group, which was set up by Commerce to identify new threats and opportunities presented by the technology.
The new advisers will provide evidence on matters including the identification of federal regulations and programs that may inhibit or promote the development of IoT, as well as situations in which such technology could deliver significant economic and societal benefits.
In opening the call for nominations, Commerce is complying with a requirement that was included in the National Defense Authorization Act for fiscal 2021.
The department is seeking to attract a range of potential candidates, including from academia and industry. Nominees can either put themselves forward for the position or be proposed by their peers by Feb. 28.
Secretary of Commerce Gina Raimondo said: “We would like this board to represent a broad spectrum of IoT experts from industry, academia and nonprofit organizations who can provide advice on IoT ranging from rural concerns to transportation, security and health care topics.”
EEOC pauses reentry plans, agrees to bargain with union on telework
The Equal Employment Opportunity Commission has paused plans for staff reentry to the office and agreed to bargain with a federal labor union on future changes made to telework policy.
In a statement Monday, the department said it had taken the decision to halt return-to-office plans in light of new COVID-19 omicron variant data and said it would give employees at least 30 days’ notice before any expected reentry.
“The EEOC’s COVID-19 coordination team is closely monitoring pandemic conditions, and is currently in the process of drafting a proposed Reentry Plan and, once cleared by the Chair of the EEOC, will present it to the union for review and comment,” the agency said. “The union will be offered every opportunity to bargain the impact and implementation of the initial reentry plan.”
The clarification comes after the American Federation of Government Employees (AFGE) filed two unfair labor practice complaints against the department in which it argued that the agency was refusing to bargain in good faith over proposed telework changes.
EEOC is one of many federal agencies deciding how to manage the return to office for staff and the changes to technology systems needed to increase flexibility for employees.
In December, the Environmental Protection Agency struck an agreement with its federal staff union so that employees within each bargaining unit will be required to come into the office just twice over the course of each pay period.
Commenting on EEOC’s decision to pause its reentry plans, Rachel Shonfield, president of AFGE Council 216, said: “We are very happy that employees can continue to work safely from home for now, especially given the transmissibility of the omicron variant.”
“The union recommends that the EEOC take advantage of the postponement to reset management’s posture toward bargaining obligations. For good-faith bargaining to occur, there cannot be lines in the sand for dates, phases, and telework,” Shonfield added.
White House says COVID-19 rapid test website to go live Jan. 19
A federal website for requesting COVID-19 rapid tests will go live Jan. 19, a senior Biden administration official told reporters in a White House briefing Friday.
The Biden administration is setting up the website with assistance from the U.S. Postal Service (USPS). U.S. Digital Service (USDS) is also providing support for the website launch.
“The USDS team has been following industry best practices, and they conduct load testing. They are working to be able to scale to the demand. They’ve been monitoring, they have monitoring tools in place,” the White House official said.
Tests will be limited to four per residential address and ship within seven to 12 days, though that timeframe should shorten long term.
The White House announced the site in December as part of its effort to make 500 million rapid tests available on the heels of the Omicron COVID-19 variant’s rapid spread.
The website is central to realizing the Biden administration’s effort to make 500 million rapid coronavirus tests available to the American public in response to surging COVID-19 cases following the arrival of the Omicron variant.
In addition, the Defense Production Act is being used to manufacture more tests, and new testing sites are being established. Efforts are also being made to support hospitals inundated with COVID-19 patients, and another vaccination push is underway to ensure people are getting booster shots.
Isolate and stop cyber-risks by controlling privileged access
With the complexity of the IT landscape and the growing need to establish zero-trust environments, organizations are not only looking to implement identity-as-a-service (IDaaS) solutions but also to home in on privileged access to ensure the right individuals have access to the right resources at the right time.
To mitigate cyber-attacks, any accounts with high levels of access to very sensitive and critical data need to be audited, monitored, and managed continuously and consistently.
A recent report produced by CyberArk and Deloitte highlights IDaaS offerings that elevate control in a cohesive manner to provide better operational insight and improve organizations’ ability to measure risk.
According to the report, “modernizing the delivery and consumption of identity security services can lower the overall cost of ownership in a world in which the innovation is accelerated. New services are developed faster, and modern organizations need to continuously refresh technologies to keep pace. Further, end-user access should occur with minimum privileges to enterprise resources at the time and be continuously analyzed by authentication and dynamic authorization.”
The report outlines how public and private sector organizations have used IDaaS to drive mission value.
Read more in the report, “Zero Trust as a Service Starts with Controlling Privileged Access.”
To learn more about the importance of developing and operationalizing privileged access controls with a long-term view at public sector agencies and institutions, hear more from CyberArk and Deloitte executives.
This article was produced by Scoop News Group for, and sponsored by, CyberArk.
Commerce launches pilot to understand vendors’ cyber capabilities
The Department of Commerce launched a pilot program to improve its understanding of vendors’ cybersecurity and related IT capabilities, as well as industry’s understanding of its mission needs.
Dubbed the Government and Business Exchange (GABE), the forum will consist of 30-minute sessions hosted by Enterprise Services-Acquisition to share existing and emerging cyber requirements and watch vendor demonstrations.
The launch of the pilot program comes a few months after the Department of Justice established a Civil Cyber-Fraud Initiative, which will hold vendors accountable for knowingly providing deficient cyber products, misrepresenting practices or failing to monitor or report cyber incidents using the False Claims Act.
The Department of Commerce (DOC) wants to see if structured dialogue around specified topics will improve overall acquisition.
“Successful acquisition outcomes depend on a clear understanding of industry dynamics and capabilities on the part of the government and a clear understanding of government mission and objectives on the part of industry,” reads DOC’s SAM.gov notice. “The GABE pilot program provides a forum for the exchange of information to enhance both government understanding of industry, and industry understanding of government.”
Vendor representatives must fill out a questionnaire to participate in sessions, which will be scheduled on a first-request, topical-priority basis. DOC won’t guarantee every vendor will be assigned a session because the volume of requests may be high, and the relevance of certain cyber capabilities to the department’s mission may be low.
Vendors may provide read-ahead materials for the sessions, which will be conducted via teleconference, Microsoft Teams, Skype or another virtual format. In-person sessions may be held if COVID safeguards are established.
No vendor can engage with DOC more than once every six months to promote diversity, and the department will devote four hours per month to sessions — possibly more if a backlog develops.
“In order to preserve procurement integrity and to maintain the pre-established and authorized communication channels for active acquisitions, DOC will not use GABE sessions to answer any questions about acquisitions for which a draft or final solicitation has been publicized,” reads the notice. “Additionally DOC may refrain from fielding questions on any other acquisition matter in GABE sessions, in the interest of only providing such information in a public forum.”
Lawmakers seek information from agencies on CASES Act implementation
Lawmakers have written to five federal agencies requesting a status update on their work to comply with the 2019 CASES Act.
Reps. Gerry Connolly, D-Va., and Jody Hice, R-Ga., of the House Committee on Oversight and Reform are seeking to establish whether government departments have met an implementation deadline of Nov. 12, 2021, set by the Office of Management and Budget to begin accepting electronic identity proofing and authentication processes to release citizens’ personal data to lawmakers.
The lawmakers sent the request for information to the Internal Revenue Service, Social Security Administration, United States Citizenship and Immigration Services, the Department of Veterans Affairs and the Centers for Medicare and Medicaid Services.
“Please provide the status of your agency’s implementation of the requirement in the CASES Act and the OMB guidance that agencies accept ‘remote identity-proofing and authentication through digital processes,’ including the final date of implementation,” the lawmakers’ missive says.
The CASES Act was signed into law during the Trump administration with the intention of streamlining how members of Congress work with their constituents. As required by the law, OMB issued guidance requiring agencies to accept electronic identity proofing and authentication processes to release citizens’ personal data by the November 2021 deadline.
Before the CASES Act, privacy law required constituents to fax, scan or mail a sheet of paper to their congressional representatives simply to authorize the lawmaker to work with relevant federal agencies on their behalf. In particular, the Privacy Act of 1974 prohibits disclosure by federal agencies of any record contained in a system of records without the prior written consent of the individual to whom the record pertains.
Bill to create supply chain risk training program for federal employees clears Senate
The Senate has passed new legislation that would create a standardized training program for federal personnel responsible for acquiring technology systems.
Senators unanimously agreed Tuesday to pass the Supply Chain Security Training Act with one amendment. The bill is intended to improve government employees’ awareness of growing threats to national security presented by hostile actors seeking to interfere with government technology systems and help them to mitigate such risks.
The legislation now moves forward for consideration in the House.
If signed into law, the legislation would direct the General Services Administration, in coordination with the Department of Homeland Security, the Department of Defense and the Office of Management and Budget, to create a supply chain security training program for federal officials with supply chain risk management responsibilities. The program would be administered through the Federal Acquisition Institute.
The legislation also would require the Office of Management and Budget to develop guidance for such training and on how to select which officials should be required to participate.
The bipartisan legislation is co-sponsored by Sens. Ron Johnson, R-Wisc., and Maggie Hassan, D-N.H. It is based on a bill previously introduced in 2019, which was also focused on improving cybersecurity training to remedy supply chain risk for federal agency IT systems.
Supply chain risk within the software used by federal government agencies came into sharp focus following the 2020 SolarWinds hack when the systems of at least nine agencies were compromised.
In October, House lawmakers passed a bill that would require the Department of Homeland Security to demand a software bill of materials (SBOM) from all contractors providing the department with software. That bill has yet to be considered by lawmakers in the Senate.
Navy not reaching ‘full potential’ on emerging tech, says top admiral
The Navy’s top admiral wants to push his service to be better in 2022 after what he described as repeated failures to respond to key challenges, including the adoption of emerging technologies, he said Tuesday.
Chief of Naval Operations Adm. Michael Gilday said the Navy has failed in adopting modern and emerging technologies and facing broad cultural and leadership challenges across the force. His remarks reiterated a “Charge of Command” letter sent to Navy leadership Tuesday that stressed the need to improve to meet strategic goals like improving connectivity and embracing new technologies.
“Despite the momentum that we are building, we also have to be honest with ourselves: We are not operating to our full potential,” Gilday said Tuesday during the Surface Navy Association’s National Symposium.
Gilday’s vision shows a continuation of some of the tenets in the service’s guiding plan for 2021, which was known as NavPlan21. The document called for increasing capabilities and capacity through a more connected force, incorporating unmanned systems and promoting operations across all domains of warfare.
But in his speech, Gilday criticized commanders’ lack of self-assessment and ability to solve complex problems, like the ones laid out in NavPlan21.
“We need to get real and we need to get better,” he said.
For the Navy to reach its full potential, that means building new tech at sea and ashore, Gilday explained. The CNO floated the idea of having tactical clouds on “every single ship” that can connect back to data lakes in the U.S. He sketched a vision where ships can receive constant application updates but also have the resources to operate disconnected for weeks or months in conflict.
“While America’s need for sea control and power projection hasn’t changed, how we compete and what we fight with has,” the NavPlan21 states. “Emerging technologies have expanded the modern fight at sea into all domains and made contested spaces more lethal.”
Despite the scathing tone of the speech, Gilday did highlight a few bright spots in the Navy’s latest tech projects, saying that the Fifth Fleet’s new Task Force 59 unmanned systems group is “catching fire.” The task force plans to hold the largest unmanned exercise to date in the coming months, Gilday said.
He also said Project Overmatch — the Navy’s contribution to the Joint All Domain Command and Control (JADC2) strategy, which connects sensors and shooters to create a military Internet of Things — will deliver a joint tactical grid at the strike group level by 2023.
“When we talk about innovative areas like [artificial intelligence] and [machine learning] … we talk about Overmatch,” he said.
Many of the changes Gilday wants to see come down to fixing the Navy’s “outdated approach to institutional learning and problem solving,” he said. To improve that, Gilday said he wants to overhaul talent management to promote sailors that are self-assessing and have skills to face future conflicts.
Former Justice CTO joins Hewlett Packard
The former chief technology officer at the Department of Justice started a new job as director of leadership high-performance computing at Hewlett Packard Enterprise this month.
Ron Bewtra will help global customers meet their exascale and post-exascale computing needs as they pertain to analytics, simulations, the Internet of Things and artificial intelligence, according to his updated LinkedIn profile.
Bewtra left DOJ after six years and government after 17 on Dec. 17, having led his last department’s technology strategies for AI and cloud and data management.
“It has been a privilege to support the missions of NOAA: National Oceanic & Atmospheric Administration, the U.S. Department of Justice, and the federal government,” he wrote on his LinkedIn at the time.
Bewtra co-chaired the Federal Chief Information Officers Council’s innovation committee and, prior to joining DOJ, served as CTO of NOAA.
Before that, he held senior computer engineering roles at Raytheon and SGI.