Announcing the 2021 FedScoop 50 awards winners

Scoop News Group is thrilled to announce the winners of the 2021 FedScoop 50 awards.

The 10th annual FedScoop 50 awards honor the most impactful leaders in the federal government who strive each day to leverage technology to transform government. Scoop News Group received more than 700,000 votes across the eight categories in 2021.

The past year saw a whirlwind of transformation across the government and countless examples of how technology is vital to the many missions of federal agencies. Not only was there an administration change that brought with it new policy and new faces (as well as some familiar ones) into government, but there was also a continued emphasis on agencies using modern, digital technologies to better serve the American people in times of need.

This year’s recipients for the FedScoop 50 are brilliant leaders, innovative decision-makers and tireless workers dedicated to public service and making the federal government more efficient and effective through the use of technology. The winners, alphabetically by each category, are:

Golden Gov: Executive of the Year

Federal Leadership

Industry Leadership

Cybersecurity Leader of the Year

Disruptor of the Year

Tech Champion of the Year

Most Inspiring Up & Comer

Innovation of the Year

DHS releases roadmap to post-quantum cryptography

The Department of Homeland Security wants agencies to protect their data and systems from advancements in quantum computing, likely to break some widely used encryption methods, using a roadmap released Monday.

Agencies must transition to post-quantum cryptography, but first they need to identify the data they want to protect and inventory and prioritize existing cryptographic systems.

The National Institute of Standards and Technology is developing a post-quantum cryptography standard and partnered on the DHS roadmap in the meantime to share steps that will prepare agencies for the transition.

“Now is the time for organizations to assess and mitigate their related risk exposure,” said Homeland Security Secretary Alejandro Mayorkas in the announcement. “As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals.”

The roadmap advises chief information officers to engage standards bodies on the latest algorithm and dependent protocol changes.

Agencies should inventory their most sensitive, critical datasets in need of securing for an extended period, according to the roadmap. Those are likely targets for decryption once a capable quantum computer is developed by, say, a foreign adversary like China. Traditional encryption methods that may become vulnerable currently protect customer data, business transactions and communications at agencies.

The roadmap further advises agencies to inventory cryptographic systems and flag those using public-key cryptography as quantum vulnerable. Prioritizing systems for transition will depend on agencies’ missions according to factors like:

Officials should flag acquisition, cybersecurity and data security standards that will need to be updated when NIST releases its post-quantum cryptography standard, according to the roadmap.

Lastly the roadmap recommends agencies develop pre-transition plans.
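An added illustration of the inventory-and-prioritize steps the roadmap describes (example code, not DHS's or NIST's own): it flags systems that rely on public-key cryptography as quantum-vulnerable and ranks them by how sensitive the data is and how long it must stay protected. The inventory entries, field names and scoring weights are constructed for this example.

```python
"""Triage a cryptographic inventory for the post-quantum transition.

Constructed example: inventory cryptographic systems, flag those that rely on
public-key cryptography as quantum-vulnerable, and rank them by data sensitivity
and how long the data must remain protected. Entries and weights are made up.
"""
from dataclasses import dataclass

# Public-key families whose security rests on factoring or discrete logarithms;
# a cryptographically relevant quantum computer running Shor's algorithm breaks them.
QUANTUM_VULNERABLE = {"RSA", "DSA", "ECDSA", "ECDH", "ECDHE", "DH", "DHE",
                      "ED25519", "X25519"}
# Symmetric primitives whose effective strength Grover's algorithm roughly halves;
# not broken outright, but worth flagging for review during the transition.
WEAKENED = {"AES-128", "3DES"}


@dataclass
class CryptoSystem:
    name: str
    algorithms: list[str]
    purpose: str        # "confidentiality" (encryption/key exchange) or "signature"
    sensitivity: int    # 1 (low) .. 5 (most sensitive), assigned by the data owner
    protect_years: int  # how many years the data must remain protected


def algorithm_family(alg: str) -> str:
    """'RSA-2048' -> 'RSA', 'ECDHE-P256' -> 'ECDHE', 'AES-256' -> 'AES'."""
    return alg.split("-")[0].upper()


def vulnerable_algorithms(system: CryptoSystem) -> list[str]:
    return [a for a in system.algorithms if algorithm_family(a) in QUANTUM_VULNERABLE]


def weakened_algorithms(system: CryptoSystem) -> list[str]:
    return [a for a in system.algorithms if a.upper() in WEAKENED]


def priority(system: CryptoSystem) -> int:
    """Higher means transition sooner. Confidentiality uses are weighted double
    because recorded ciphertext can be decrypted once a capable quantum computer
    exists; a signature only has to resist forgery at verification time."""
    if not vulnerable_algorithms(system):
        return 0
    weight = 2 if system.purpose == "confidentiality" else 1
    return system.sensitivity * system.protect_years * weight


def triage(inventory: list[CryptoSystem]) -> list[dict]:
    """Return one row per system, most urgent first."""
    rows = [{"name": s.name,
             "vulnerable": vulnerable_algorithms(s),
             "weakened": weakened_algorithms(s),
             "priority": priority(s)} for s in inventory]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample inventory for a hypothetical agency.
INVENTORY = [
    CryptoSystem("Citizen records database (at rest)", ["AES-256", "HMAC-SHA256"],
                 "confidentiality", 5, 25),
    CryptoSystem("Inter-agency VPN", ["RSA-2048", "AES-256"], "confidentiality", 4, 15),
    CryptoSystem("Benefits portal TLS", ["ECDHE-P256", "RSA-2048", "AES-128"],
                 "confidentiality", 3, 10),
    CryptoSystem("Archived case-file signing", ["RSA-4096", "SHA-256"], "signature", 5, 30),
    CryptoSystem("Public website TLS", ["ECDSA-P256", "X25519", "AES-128"],
                 "confidentiality", 1, 1),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['priority']:4d}  {row['name']}: vulnerable={row['vulnerable']} "
              f"weakened={row['weakened']}")
```

The database row scores zero because AES-256 and HMAC are not broken by Shor's algorithm, which is the distinction the roadmap's "flag public-key systems" step draws.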

Mayorkas named post-quantum cryptography a cyber priority for DHS in March.

Army’s new Project Convergence capabilities lack cyber plans, IG says

A section of the Army’s contribution to the Joint All Domain Command and Control (JADC2) military framework lacks plans for how the tech would handle adversarial cyber attacks, an Inspector General report has found.

The Department of Defense’s watchdog highlighted concerns with part of Project Convergence, known as Capability Set 21 Integrated Tactical Network. Ensuring a highly connected battlefield is secure has been a top concern for officials, as the more connected a network is, the more opportunities an adversary could have to poison data or move throughout a system.

The IG categorized the finding as “not appropriate.”

Following the report, the Army is working to develop a testing plan and will integrate threat-based assessments into future capability sets, according to the report.

The findings were included in a report analyzing Middle Tier Acquisition (MTA), an acquisition pathway designed to allow military departments to rapidly purchase, test and develop new capabilities. Overall, the report gave glowing reviews to middle tier programs and said the authority allowed programs to save time and money.

“For the programs we reviewed, use of the MTA pathways increased efficiencies and effectiveness by streamlining acquisition processes and expediting prototyping and fielding efforts,” the report stated.

But, over the course of the investigation the IG found that despite saving time, those designing Capability Set 21 skipped steps to plan for a “cyber-adversarial assessment.” The program also lacked testing for an “operationally representative electromagnetic spectrum environment.”

Overall, the 11 programs reviewed showed progress as a result of using the middle tier authority. The report found the authority positively impacted acquisition culture, allowing program officers to be more agile.

“Acquisition personnel effectively leveraged the MTA pathways because DoD acquisition executives encouraged and supported the use of the MTA pathways, and program executive offices and program managers used the flexibilities provided by the MTA pathways,” the report stated.

Peraton wins $2.7B DHS cloud modernization contract

Peraton has been named the winner of the Department of Homeland Security’s latest data center and cloud optimization contract award worth $2.7 billion.

According to federal procurement records, DHS awarded the hefty cloud modernization contract late last week to Perspecta, which Peraton acquired in May. The department has been eyeing an acquisition to shift some of its data center operations to the cloud for several years now.

Under the scope of this indefinite-delivery, indefinite-quantity award, Peraton will manage and operate the DHS’s move to what it’s calling the Hybrid Computing Environment (HCE) — “a collection of enterprise computing resources including a data center, colocation sites, and commercial and private cloud services,” according to the solicitation issued in January. Peraton will also be asked to provide professional services “to automate, optimize, and modernize” the Hybrid Computing Environment.

DHS components can also place orders for service under the contract.

This award comes after General Dynamics IT won a $395 million contract in July to maintain service to DHS’s lead data center — Data Center 1, located at a NASA facility in Mississippi — until this larger data center and cloud optimization contract was awarded.

The $2.7 billion contract requires “core support services needed to drive a more efficient, responsive hybrid IT environment that serves as the foundation for the management and integration of on-premises, colocation, and cloud-based environments,” the DHS’s request for proposals says. “These support services must optimize and ensure continued [Data Center 1] operations while implementing and managing the future state HCE in support of the DHS mission and, where appropriate, the migration of infrastructure and applications within the HCE (e.g., from DC1 to [cloud service provider] environments).”

In total, the contract has a potential 10-year lifespan — five base years and two optional periods of three and two years.

How finance regulatory agencies can help the sector mitigate security risks

John Checco is an information security professional providing security expertise across various industries. He currently serves as leader of the CISO Advisory Board on Financial Services for Proofpoint and President Emeritus of the New York Metro InfraGard Members Alliance (an FBI public/private partnership program).

Since the outset of the COVID-19 pandemic, financial institutions have launched a wave of cloud-based initiatives to support employees with remote access. In addition, the way customers interact with institutions is driving those organizations to push forward digitization initiatives for “banking anywhere, mobile everywhere” that allowed them to engage with and maintain their customer base during the pandemic.

John Checco, Resident CISO, Financial Services, Proofpoint

Due to the growing need to support a variety of remote users, maintain business resiliency and align with federal compliance, financial institution leaders and regulators must also contend with heightened security risks that may occur with these quick changes. In some cases, organizations that eased up on rigid security protocols to accommodate shifts in user demands may find themselves unprepared to ensure they are building resiliency against both internal and external security threats.

Security blind spots across finance networks

Cyberthreat actors are quickly adopting techniques, tools and procedures to exploit security blind spots that have resulted from expanding capabilities in the cloud, creating new avenues to infiltrate organization networks that financial organizations share to conduct daily business. Since 2020, Proofpoint has seen a significant jump in the number of cyberthreat actors targeting the networks we monitor, especially via cloud and supply chain vulnerabilities.

Some of these risks are exacerbated by reliance on legacy transaction systems, which continue to be used even though they are fragile, have limited support and may be infeasible to migrate to the cloud. Due to their aging architectures, the security controls in many of these systems were added over time and were not designed to interact with today’s more modern systems — leaving them more vulnerable to financial fraud and insider threats. Additionally, we are seeing more sophisticated attacks leveraging socially engineered email tactics or credential dumps from prior hacks that leave employees susceptible to account takeover attempts.

The financial services (FinServ) sector is unique in that institutions engage in a broad range of financial activities, such as banking, investing and insurance, that rely on an interconnected network of underlying service providers, including an institution’s own competitors. As such, hackers have more opportunities to insert themselves in the middle of financial transactions and infiltrate a broader network of finance operations.

Security blind spots inside the network

Those concerns — and the risk of insider threats — have grown larger and more acute with the dramatic expansion of remote workers. Those could either be negligent users who may mistakenly violate policies while trying to perform their job remotely, or malicious users who wish to profit from or harm the organization. 

Finance regulatory agencies will need to play a significant role in how the FinServ sector adapts to new workforce requirements because certain compliance regulations were established based on the assumption that in an office setting there are certain physical and logistical separations. 

While easing regulations during the pandemic allows institutions to continue operating, this unintentionally causes larger issues with security and compliance. As a result, new solutions are needed to help institutions ensure their employees continue to meet compliance standards. For example, during Y2K we saw how easements were lifted to allow organizations to deal with that challenge. But what regulators and institutions discovered later was more widespread cases of non-malicious collusion amongst firms.

By working to set new compliance standards around zero-trust security practices, the finance sector can implement a series of tools and policies that help mitigate risks across the network. 

For example, establishing multi-factor, risk-based authentication and conditional access across the enterprise can be paired with other tools that isolate internal-facing browsers to limit data leakage, similar to tools that isolate external-facing browsers. And today, modern insider threat management solutions can apply user behavior analysis and anomaly detection that go beyond basic triggers such as bandwidth usage and login attempts, to include more advanced detection capabilities which indicate when a security threat needs to be investigated.

Adopting a data-informed people-centric security approach

Cybercriminals are getting more organized and sharing information obtained from multiple breaches and known visibility gaps. Consequently, the FinServ sector needs to improve its information sharing practices. While the federal government has been supporting strong collaboration practices across the sector since 2018 under the Analysis and Resiliency Center (ARC), the exponential rate that threat actors are working to compromise networks requires a stronger response from both federal regulators and the industry.

At Proofpoint, we believe that taking a people-centric approach to security can better equip organization leaders with insights on both the cyber attacker and the profile types of employees who are being targeted. This risk-based approach allows for targeted security spending where it makes the most sense.

We work with a global network of customers every day to detect and block advanced threats, leveraging over 8,000 gateways across both public and private organizations to gather information on which entities within a specific sector are being targeted and creating contextual security awareness for our customers.

Our ability to share security data behind the scenes not only gives organizations a better chance to extend the visibility of their cyber risk but also to get ahead of, or predict, future threats.

And we can strengthen the security posture of our clients with a variety of other security tools. For example, domain-based message authentication, reporting and conformance (DMARC) solutions allow organizations to identify the email domains from their trusted suppliers and set policies for incoming emails that block traffic from senders that don’t have an approved IP address or bear the right cryptographic signature. Organizations can also manage access internally with tools like Nexus People Risk Explorer, which alerts security teams when employees may have too much access or are currently being targeted.

Finally, my biggest recommendation to FinServ sector leaders and regulators is to just take a moment and breathe. The pandemic has brought about a lot of challenges that are both in our control and outside our control. But as long as we continue to work openly and collaborate across the industry, the finance sector will be able to come out stronger in the end.


FISMA reform bill would require agencies to notify Congress of cyber breaches within 5 days

A new bill to reform the Federal Information Security Modernization Act (FISMA) would require leaders of U.S. government agencies to notify Congress of cyber breaches within five days of an incident occurring.

The proposal is part of wide-ranging proposed legislation issued Monday by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio.

Other notable measures in the draft bill include the requirement that agency leaders carry out an initial analysis of an incident — and where necessary inform citizens that their data has been compromised — within 30 days. It mandates also that federal IT leaders provide a briefing on the threat within seven days.

Action to reform FISMA comes amid pressure from the White House for departments to improve their cybersecurity systems and to move towards a cloud-based zero-trust architecture. In recent weeks, government technology sources speaking to FedScoop have described FISMA reform as key to clarifying the degree of urgency with which senior leaders at government departments must address cyber concerns, as well as the chain of command when a breach occurs.

Lawmakers through the draft legislation also are seeking to impose new reporting responsibilities for federal government technology contractors, which would force them to notify agencies faster when a breach occurs. The reform would also introduce new cybersecurity training requirements for staff and enhance requirements over how cyber incidents are logged.

In addition, the Cybersecurity and Infrastructure Security Agency features heavily in the reform proposals. If enacted, the bill would boost the enforcement powers of the agency’s director and require the agency to establish new quantitative cyber metrics. Director Jen Easterly, along with the director of the Office of Management and Budget, must also come up with a new definition of what constitutes a major cyber incident, under the draft legislation.

Commenting on the proposals, Sen. Peters said: “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”

Portman added: “This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”

Supreme Court denies Oracle appeal over JEDI protest

The Supreme Court on Monday denied a petition from Oracle to keep its protest of the Pentagon’s now-canceled Joint Enterprise Defense Infrastructure (JEDI) cloud contract alive.

It comes after the technology giant earlier this month called on the Supreme Court not to throw out its appeal, arguing that concerns over the award of the $10 billion cloud contract exist also with its replacement, the Joint Warfighter Cloud Capability.

Legal sources previously told FedScoop that Oracle’s appeal was unlikely to succeed because the court would consider the company’s arguments over JWCC to be separate from its prior JEDI lawsuit. Oracle was seeking certiorari, a writ or order by which a higher court reviews a decision of a lower court.

In a brief filed last Friday, the technology company argued its case should not be declared moot simply on the basis of the Department of Defense ending the contract. In its submission to the court, Oracle argued that cases do not become moot “simply because a defendant issues a press release claiming to have ceased its misconduct.”

When a federal court deems a case to be moot, the court no longer has the power to hear the legal claim and must dismiss the complaint.

Oracle’s protesting of the JEDI contract began in 2018 with a denied complaint sent to the Government Accountability Office. It has argued that the Department of Defense unlawfully structured the contract as a single-source award, rather than a multiple-award solicitation, which the new JWCC contract will be. Oracle also failed to convince the U.S. Court of Federal Claims the contract was illegal.

GSA’s Carnahan calls women in tech to public service

General Services Administration leader Robin Carnahan has called women working in the technology industry to public service during a speech in which she described the current gender balance of technologists in the federal government as “not good enough.”

Speaking Thursday at the Grace Hopper Celebration of Women in Computing conference, the administrator encouraged attendees to consider applying to the newly founded U.S. Digital Corps and underscored the myriad opportunities for purposeful work within the federal government.

Women currently make up less than one-quarter of all technologists working in the federal government.

“The problems we face today are big, they didn’t materialize overnight and it’s going to take your creativity, your fresh set of eyes, and your technical skills to reimagine the future and then build the solutions that the American people deserve,” said Carnahan.

Late last month the White House launched the U.S. Digital Corps, which is a two-year fellowship designed to place early-career software engineers, data scientists and other technologists at federal agencies.

Carnahan was installed as the administrator of GSA by the Biden administration earlier this year. She founded and led the state and local government practice at 18F, GSA’s tech consultancy, from 2016 to 2020, having previously been Missouri’s secretary of state.

Most recently, Carnahan co-founded the State Software Collaborative as a fellow at Georgetown University’s Beeck Center.

EIS vendors ‘concerned’ some agencies won’t make 2022 deadline

The vendors responsible for providing modernized telecom and network services to agencies under the General Services Administration’s $50 billion Enterprise Infrastructure Solutions (EIS) contract are “concerned” that some won’t make the 2022 deadline to transition to the new vehicle.

Allen Hill, who has been the General Services Administration’s point person managing the EIS transition, said this is the feedback he’s gotten from those nine vendors, telling FedScoop they are “rightfully concerned” that some agencies might not fully transition their services off of expiring contracts by Sept. 30, 2022.

The vendors “do not expect them to be able to make it in such a short period of time because we’re talking about years of network infrastructure out there” that must be transitioned over the next year, Hill said on a recent episode of FedScoop’s Let’s Talk About IT podcast. Hill serves officially as deputy assistant commissioner for category management in GSA’s Office of Information Technology Category.

As of August, few agencies had disconnected 50% of their legacy services from expiring contracts, like EIS’s predecessor Networx, which GSA also manages. Agencies were supposed to have reached that milestone by March 31.

“We’re behind,” Hill said. “There’s about 7 million services still remaining on the legacy contracts to transition. So that’s a lot of inventory to move. And we have right now still remaining… 66 solicitations that still have no task order awards as of July 31,” adding that there have been some awards since then that haven’t been reported.

GSA in 2019 decided to give agencies an extension to transition their Networx contracts — originally set to expire in May 2020 — until May 2023. But Hill emphasized that the intent of that extension was to give agencies a buffer for transition — not to wait to award new task orders under EIS, as many have done.

Still, GSA is doing what it can to help those laggards, Hill said. “We have some agencies that are out there that are completing their transition, which is great. And they got out there in front and did what they needed to do. But we’re also doing some things to help those agencies that haven’t.”

That includes creating the Risk Assessment For Transition (RAFT), a process GSA is offering to “help agencies make a realistic assessment of how long their transition will take.” And when it looks like agencies will overrun the deadline with those transitions, GSA helps them explore contingency options.

“The RAFT provides really more of a best-case scenario for them, the perfect-world type scenario that if you did all these things, this is the timeframe,” Hill said. “And even going through that process, agencies are like, ‘Whoa, it’s going to take some time.’”

“It takes time to replace those old technologies with new technologies,” Hill said. Also compounding that challenge, he said, is that “we also have to be concerned about where we’re at today with the pandemic, there are challenges with supply.”

What GSA is not going to do, however, is extend any more deadlines, Hill shared.

“There are no plans to change any dates,” he told FedScoop. “When we have special mission requirements that need special support we address those things in a separate fashion. But we’re not going to change any dates.”

And as of Oct. 1, GSA will no longer allow agencies to make modifications to their legacy contracts.

“What we’re trying to do is not allow an inventory to grow on legacy contracts,” Hill said. “We’re trying to make sure that they’re leveraging EIS to meet their mission requirements.”

Navy deployed a COVID-19 tracking app to ships in five weeks

The Navy deployed a COVID-19 health tracking application across select aircraft carriers and amphibious assault ships within five weeks, after crew members aboard the USS Theodore Roosevelt became sick in April 2020.

Defense Digital Service created the app in the Amazon Web Services Impact Level 4 cloud, but running it remotely on eight ships required use of the company’s AWS Snowball data transport solution.

AWS Snowball facilitated temporary, end-to-end deployment of the app at sea in record time and then regularly connected and synced data on sailors’ temperatures and symptoms to the cloud.

“Five weeks deploying a pretty significant software system to a U.S. ship is unheard of,” said Fernando Cancel, lead architect on the Universal Naval AI Core Environment (UNACORN) project, during the AWS Summit on Wednesday. “Normally it takes years to go through all the wickets.”

Sailors used DDS’s app to self-report their health from hotels or ships, where they were quarantining, via personal devices or the ships’ computers. UNACORN had dispensations allowing Wi-Fi-enabled devices to connect to AWS Snowballs and complete the containerized app’s surveys on ships.

That data was then replication synchronized, or repsynced, off ships to the AWS GovCloud using Niagara Files (NiFi) for continued analysis by medical and health professionals and data scientists.

A Navy ship’s maneuvering hinders its available bandwidth, but UNACORN lived within its communications bandwidth budget and managed to send data to the cloud almost continuously, with repsyncs down to the minute.

“We also proved to Navy security that the only data coming off the ship was the data we wanted to come off and send straight to an endpoint, an S3 bucket at GovCloud,” Cancel said.

For cybersecurity reasons, the ships never connected to any networks; instead they used a single AWS Snowball’s application programming interfaces to sync back to the cloud.

“The browser would only let you do one thing on the Comcast server, which would only let you do one thing in the database, and that database was being dropped on S3, which could only send certain data out S3 secure critical transport back to the cloud, and that was a cloud endpoint,” Cancel said. “So with every one of those steps, none of those systems or resources could do anything more than what it was supposed to.”

Sailors couldn’t surf the web using the browser, for instance.

The eight AWS Snowballs cost $92,000, and the success of the COVID-19 Health Tracking one-off has programs using UNACORN for long-haul projects.

With the pandemic easing, deinstallation of the app off ships began in February. The last kit was pulled off the USS Ronald Reagan in March.

“We’re hoping the pandemic is not a permanent thing,” Cancel said. “So we had an integrated test plan and very specifically said it was a limited time to collect the data.”