National Geospatial-Intelligence Agency awards GDIT $4.5B data center contract
The National Geospatial-Intelligence Agency has awarded GDIT a five-year data center and IT services contract.
The company will provide user-facing and data center services on multiple networks and security domains, including across intelligence community cloud environments and desktop environments.
GDIT will carry out the work at multiple intelligence community and Department of Defense locations worldwide, and the contract has an estimated overall contract value of $4.5 billion. The National Geospatial-Intelligence Agency primarily serves DOD but also supports civilian agencies in areas like disaster response.
The procurement award is the latest large contract win for GDIT, and comes after the company last month was awarded an $829.9 million IT Helpdesk contract by the Defense Intelligence Agency.
In July, GDIT won a $396 million contract to maintain the lead data center at the Department of Homeland Security, Data Center 1, which is located at a NASA facility in Mississippi.
DISA’s new HaCC office reflects hybrid cloud reality for DOD
While commercial cloud projects like the Joint Enterprise Defense Infrastructure (JEDI) cloud and its looming replacement the Joint Warfighter Cloud Capability (JWCC) have dominated conversations around defense IT in recent years, the Defense Information Systems Agency has created a new office that acknowledges commercial cloud is not the end-all, be-all for the military.
A more hybrid solution can sometimes be the right one.
DISA recently merged its Cloud Computing Program Office with its Service Enterprise Directorate and Ecosystem and other entities to create the Hosting and Compute Center.
The new office — the result of a larger restructuring across DISA — was formed to drive efficiencies and create better synergies than the former offices could alone, Sharon Woods, the head of the office, told FedScoop recently. In addition, by bringing together DISA’s cloud arm with its on-premise data hosting functions, the agency has also set itself up to best embrace the reality that the U.S. military does not depend solely on physical data centers or solely on services hosted in the commercial cloud, but increasingly on a mixture of both.
“From a mission standpoint, for the Hosting and Compute Center, our vision is empowering the warfighter to execute at the speed of mission, and thinking about hosting and compute in terms of unified hosting and compute,” Woods said on a recent episode of FedScoop’s Let’s Talk About IT podcast. The conversation, she said, can’t be a “binary and zero-sum game” of cloud versus on-premise data centers. “The technology is not that simple. And the department’s mission has a lot of complexity. And so when you look at it, there’s this whole space in between of hybrid cloud of both environments.”
That space in between is where the new HaCC lives. While the center is in charge of the Department of Defense’s forthcoming commercial cloud acquisition, the Joint Warfighter Cloud Capability, it also accounts for those other services that by the nature of their sensitivity and classification must live in an on-premise data center.
“So the idea is it’s unified hosting and compute across a spectrum that also addresses cloud outside the United States, that addresses all classification levels, that addresses where our warfighters operate, which oftentimes, there’s, you know, terrible communications,” Woods told FedScoop. “And so bringing it all together, rather than two groups of people sort of looking at each other across the river, it’s one group of people now. And that’s how we’re approaching the problem set.”
Woods pointed to the mission need for Joint All Domain Command and Control as a perfect example of this hybrid compute reality in which the DOD exists, bringing together disparate command and control systems, often at the far edges of the operational picture, with cloud interconnectivity and data analytics to power advanced decision-making.
The withdrawal from Afghanistan earlier this year was a prime example of such a complex environment. The former DISA cloud office was working with Air Mobility Command and U.S. Transportation Command to deliver a common operating picture in the cloud, based on data housed on a highly sensitive, on-premise command and control system on the ground in Kabul.
“That system is very sensitive. It’s collecting data, that because of the different security rules, it may always stay on-prem,” Woods explained. “But then there was this need to have a common operating picture of real-time, being able to track you know over 300 aircraft and the cargo, the number of people that were in each of those aircraft. The level of analytics and compute that you need for that is very hard to achieve and scale when we had, you know, hours notice that this needed to happen on-prem.”
According to Woods, DISA was able to use “a cloud-native application using platform-as-a-service to visualize the data that was coming from the C2 system” along with the “translation piece in between.”
She called that a great example of the power of hybrid cloud and JADC2. “Because imagine if that C2 system were interoperable with other C2 systems, and now you’re collecting more than just the aircraft data, right, you’re overlaying other data.”
Woods also wanted to dispel the misconception that anything on-premise is there because it’s old and outdated. “On-prem isn’t just about my application being too old to ever go in the cloud. There are very legitimate reasons, whether it’s for resiliency or because of the sensitivity of the data, that the application, the workload needs to stay on-prem.”
“That’s just an oversimplification of the problem,” she said. “And it’s just simply not true. And I think this very modern use case that provided supercritical information for the department really illustrates exactly what the HaCC is trying to push forward of a hybrid kind of cloud mentality where it’s a spectrum of hosting and compute — it’s not just one or the other.”
Modernization of JWICS a top priority for DIA, CIO says
The new CIO of the Defense Intelligence Agency, Douglas Cossa, has made it one of his top priorities to modernize the military and intelligence community’s top-secret IT network, the Joint Worldwide Intelligence Communication System.
DIA is undertaking a “huge effort … to modernize JWICS with the support of the Hill, [the Office of the Director of National Intelligence] and [the Office of the Under Secretary of Defense for Intelligence], and I’m really excited to offer a lot of those capability needs we have today and begin that discussion with our industry partners of where they can help,” Cossa said Monday at DIA’s annual DoDIIS Worldwide conference in Phoenix.
JWICS has evolved over its 30 years of use to become the “top secret network of the entire federal government,” said Cossa, who’s been CIO since July. The network was created to be a video teleconferencing system but really evolved in the early 1990s with the advent and addition of email.
“In doing that, it really grew legs. It’s kind of like a flywheel. We started getting the momentum moving and then we kept it moving faster and faster and faster,” Cossa said.
Today, there are “hundreds of thousands of users within the IC and DOD, and even more beyond that when you consider the other parts of the federal government, law enforcement, academia, our industry partners who have that need to share and collaborate on information,” he said. And JWICS must evolve to keep up with the speed of the national intelligence mission.
Cossa admitted that there have been conversations during his time as CIO about “whether or not DIA was going to keep JWICS as the executive agent. There were conversations about moving to other agencies,” he said, calling it “tough” to determine the best way to deal with the aging network.
“And I’m proud to say not only did we cement our role in leading JWICS as the executive agent … but we actually have now taken upon an approach supported by the Hill, the congressional staffing committees, the intelligence committees, ODNI, [the Department of Defense], and really the entire IC to modernize JWICS,” Cossa said.
Cossa has the support of his boss DIA Director Lt. Gen. Scott Berrier in retaining and modernizing JWICS. Berrier spoke at the conference about how the modernization of JWICS plays an essential role in DIA’s larger strategy to compete with China, Russia and others.
“I can’t do anything if the network isn’t as good as it can be,” Berrier said.
The modernization won’t stop there, though. Cossa also said DIA will look to modernize its Department of Defense Intelligence Information System (DoDIIS) — the local area network that the agency operates for itself and on the behalf of the combatant commands and others who handle top-secret information — as well as the global integration of networks with the nation’s Five Eyes allies.
DIA is looking to modernize DoDIIS “not only in terms of the equipment itself and replacing equipment, but really modernizing our local networks to take on the new capability needs for artificial intelligence and our ability to process a lot of data,” Cossa said.
On the global integration front, DIA operates a network called Stone Ghost to work with the other Five Eyes allies — Australia, Canada, New Zealand, and the United Kingdom. “That also requires modernization in terms of not only how do we share intelligence, but how do we operate within our native networks and connect together rather than creating independent, potentially redundant systems across the community,” Cossa said. “How do we have that more seamless integration and collaboration that’s enabled by new modernized network connectivity?”
On top of all of this network modernization, Cossa said DIA is prioritizing a multicloud mindset — “looking at what is that right cloud capability for the right function that we’re performing” — and creating a DevSecOps ecosystem that will streamline governance, accreditation and security of applications.
“I’m looking to set up a DevSecOps environment that adds governance, that creates a single pipeline, not only for DIA but also for the customers we support, to migrate to the cloud, to build applications, to make sure that all of the audit controls, the data standards we need for interconnectivity, the cybersecurity standards we use for accreditation — everything goes through the same process and we have complete visibility of all of these capabilities and techniques in one place.”
Biden administration again looks to increase AI R&D funding at civilian agencies
The Biden administration proposed once again increasing funding for artificial intelligence research and development at civilian agencies, in a supplement to its fiscal 2022 budget request.
At $1.7 billion, the requested funding represents an 8.8% increase over enacted fiscal 2021 civilian AI R&D investments of $1.5 billion.
The Networking and IT Research and Development (NITRD) program — consisting of 25 member and 60 participating agencies coordinating federal R&D investment in advanced digital technologies — developed the request alongside the National AI Initiative Office launched in January.
“President Biden has proclaimed the need to advance American [science and technology] leadership for generations to come,” wrote Eric Lander, director of the Office of Science and Technology Policy, in the supplement’s introduction. “The nation needs cutting-edge technologies that are made in the United States by U.S. workers and new solutions that will propel market-driven change and jump-start economic growth.”
NITRD member investments support 12 technical R&D areas, including AI, known as program component areas (PCAs). Electronics for networking and IT — which covers investments in micro- and nanoelectronics in NITRD’s core networks and silicon and non-silicon hardware — is a new PCA for fiscal 2022.
Of the $1.7 billion in requested funding for civilian AI R&D, $1.1 billion is for federal AI programs, and $561.7 million is for AI-related efforts among the other 11 PCAs.
The National Science Foundation separately funds AI education at $73.6 million and supports 18 National AI Research Institutes, with the help of other agencies, which together requested $68.1 million in fiscal 2022. Additionally, the Air Force and Department of Veterans Affairs operate their own AI institutes, which requested $40.2 million, for a total of $108.3 million — a 0.5% increase over the $107.8 million allotted to all AI institutes in fiscal 2021.
Among the 12 PCAs, AI would receive the third-most funding, at 14% of the budget request, behind high-capability computing infrastructure and applications at 22% and large-scale data management and analysis at 15%.
NSF would receive the most overall funding among agencies, at 27% of the budget request, followed by the National Institutes of Health at 27% and the Department of Defense at 17%.
DOD’s budget would still decrease by $96.3 million, largely in large-scale networking, cybersecurity and privacy, and enabling R&D for high-capability computing systems. Similarly, the Defense Advanced Research Projects Agency’s budget would decrease by $40 million, primarily in large-scale networking.
NSF would see the largest budget increase of $494.1 million “to enhance fundamental R&D and strengthen U.S. leadership in emerging technologies,” according to the supplement. The next-highest budget increase would be $108.8 million at NIH mostly for increased clinical research using structured electronic healthcare and related data.
The budget shifts reflect NITRD’s efforts to address challenges presented during the COVID-19 pandemic like the high cost and low availability of computing and health resources, climate change, industries of the future, diverse workforce development, and the long-term health of the U.S. science and technology R&D ecosystem.
NITRD also features 12 interagency working groups (IWG), including one introduced in August: the Information Integrity R&D IWG.
“For FY2022, the NITRD program anticipates greater involvement with many of the [National Science and Technology Council] committees and greater focus on data and equity issues in creation and delivery of digital services,” reads the supplement.
DOD CIO updating cyber reciprocity guidance after audit finds weaknesses
The Department of Defense said it will take steps to strengthen reciprocity guidance for IT systems security authorization after the department’s inspector general found its existing processes to be lacking.
In an audit published Tuesday, the DOD IG found that the department’s CIO did not oversee components’ reciprocity efforts as required by the DOD Risk Management Framework (RMF). Instead, the CIO looked to the components themselves “to manage the system authorization process and use reciprocity to maximize the reuse of testing and assessments results developed during prior system authorizations,” the audit says.
The result was a mixed bag for the DOD components the IG investigated, with some taking advantage of security authorization reciprocity — that is, accepting and using another organization’s review of security controls for information sharing to save time and money — and others failing to do so. The U.S. Transportation Command and the Defense Health Agency, for instance, leveraged reciprocity when going through the RMF process, but the Defense Logistics Agency (DLA) and Defense Human Resources Activity (DHRA) did not.
The DOD uses a risk compliance tool called the Enterprise Mission Assurance Support Service (eMASS) to coordinate and share information across the defense enterprise during the RMF process.
The reciprocity concerns for DLA and DHRA involved their use of this platform. DLA did not appoint “reciprocity users” in the system to review existing systems and authorization documentation, and “did not consider the DoD’s RMF and reciprocity policy and implementation guidance to be a priority.”
DHRA similarly did not appoint reciprocity users, which it attributed to a reorganization having not yet assigned “cybersecurity roles and responsibilities for implementing RMF and reciprocity requirements,” the audit says.
“The DoD could achieve even greater cost savings and efficiencies if all DoD Components maximized the use of reciprocity when authorizing their systems through RMF,” the audit says. “DoD Components can increase reciprocity by making systems and authorization documentation available to other DoD Components in eMASS, appointing eMASS reciprocity users, and identifying and authorizing common controls.”
The IG recommended that the DOD CIO update its eMASS system registration process to require users to select a justification when a system is not made available for reciprocity. It also called on the CIO to revise its guidance or issue new guidance requiring system program managers to ensure they considered reciprocity before considering another authorization or reauthorization.
A member of the DOD CIO’s Office acting on behalf of the CIO agreed to the changes, saying the changes will be made by the end of the second quarter of fiscal 2022.
Digital ID verification company Socure is landing spot for Burris
The former chief of staff to the Federal CIO has taken a new private sector role at digital ID verification company Socure.
Jordan Burris joined the New York-headquartered company as senior director of product market strategy for public sector business.
Burris left government last month, after serving as chief of staff in the office of the Federal CIO since July 2019. He initially joined the White House as a senior cybersecurity adviser in 2017, and before then worked as a cybersecurity consultant at Deloitte.
Commenting on the new appointment, Burris said: “I joined Socure to promote a more equitable and inclusive identity verification standard for the American public and transform the way public sector benefits and services are accessed and delivered.”
The company’s technology is “vital for supporting the government’s digital transformation, stopping fraud, and creating a safe and seamless experience for all,” Burris said.
Socure uses a predictive analytics platform to verify user identity in real time. The company was established in 2012 in New York.
CISA ordered to automate collection of cybersecurity metrics by April 2022
The White House is calling on the Cybersecurity and Infrastructure Security Agency to establish a strategy for automating the collection of federal agencies’ cybersecurity metrics by April of next year.
In new FISMA guidance issued Monday, the Office of Management and Budget also orders CISA to set timelines for collecting the data. By December 2022, OMB expects to begin grading agencies with a compliance scorecard based on the data.
The system will include machine-readable automatic cybersecurity incident reporting, which is part of the bedrock of zero-trust IT architecture. OMB and the National Institute of Standards and Technology will assist CISA with the project.
The guidance comes amid a push to improve the transparency of agencies’ cybersecurity posture and the speed of incident reporting that began with President Biden’s cybersecurity executive order in May.
“OMB’s updated FISMA guidance is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multi-layered security testing, automation of security and compliance controls, and progress in adopting a zero trust architecture,” Federal CISO Chris DeRusha said.
CISA’s strategy must include “a set of metrics (supplementing the existing CIO metrics) based on NIST Standards (e.g., NIST SP 800-53) for controls that can be reported in an automated manner, and will set forth a timeline for when these metrics will be collected automatically,” OMB said.
According to OMB, an estimated 47% of incidents reported in the fiscal 2020 annual FISMA report were reported by agencies through a webform on the CISA-managed US-CERT website. Historically, agencies have needed to manually compare their incidents with accounts on US-CERT in order to ensure the accurate reporting of information.
OMB’s memo gives CISA and agencies some flexibility in meeting the requirements under the existing Continuous Diagnostics and Mitigation (CDM) program, which monitors threats and vulnerabilities on federal networks. Those tools are generally acquired under General Services Administration’s IT Schedule 70, but OMB is allowing for exceptions if agencies can provide “significant justification.”
Network resiliency is goal of new capacity enhancement guides from CISA
The Cybersecurity and Infrastructure Security Agency is continuing to centralize federal network resiliency efforts with the release of its first capacity enhancement guides.
The seven CEGs released in November advise agencies on how to expand the abilities to counter phishing; guard against malvertising; authenticate users; remotely patch vulnerabilities; protect remote printing; and secure mobile devices.
Rather than mandate that agencies buy specific technologies — as they implement zero-trust security architectures, per the May cybersecurity executive order — the evolving documents encourage a culture shift in building the right cyber stack.
“Anytime that somebody is talking about cyber in this realm, at this level, it’s beneficial, and agencies are going to take notice,” Tony D’Angelo, vice president of public sector at Lookout, told FedScoop. “Depending on where you are as an agency, [the CEGs] will either be a checklist, an affirmation of where you are, or a pretty strong recipe for getting where you need to be.”
The CEGs offer “pretty comprehensive” guidance, and agencies looking for a place to start should consider the counter-phishing recommendations, D’Angelo added.
Phishing and ransomware pose the two biggest threats to agencies, with the former on the rise on mobile devices via text messages as a way to harvest federal credentials. CISA’s CEG on phishing recommends technical capabilities for hardening email systems, web browsing and mobile endpoints against such attacks.
“If you focus on that threat specifically, you’re going to pick solutions in your security stack that address a lot of the things we’ve been talking about — whether it’s a cloud-based [secure access service edge] solution or down to the endpoint,” D’Angelo said.
The inclusion of mobile device security checklists for organizations and consumers is refreshing because that aspect of cybersecurity went largely unaddressed prior to the rise of remote work during the pandemic, he added.
Bring-your-own-approved-device (BYOAD) initiatives are on the rise, both at civilian agencies and the Department of Defense. But whether an employee is using government-furnished equipment (GFE) or their personal mobile device, management is needed — in the form of a mobile device management (MDM) or mobile application manager (MAM) solution — as is mobile threat defense.
Between 65% and 75% of GFE and personal mobile devices on federal networks lack the latter, which can ride on top of either an unmanaged device or an MDM or MAM solution, D’Angelo said.
The CEGs do a good job of introducing such concepts, although the harder part is getting employee buy-in for BYOAD initiatives.
“That’s always one of the biggest challenges in a BYOAD scenario, is convincing that end user that you’re not spying on them — that you’re only there to protect the device,” D’Angelo said. “And that comes in a couple of different flavors whether it’s phishing; maybe app vulnerability; app scanning; the actual vulnerabilities of the [operating system] itself, whether it’s iOS or Android; and then things like network-based attacks; or free Wi-Fi in coffee shops, airports, things like that.”
Amazon launches second region dedicated to ‘Top Secret’ government work
Amazon Web Services has expanded its support of the federal government’s most classified work with the launch of a second “Top Secret” cloud region, the company announced Monday.
AWS’s Top Secret-West region will add to its existing top-secret capabilities, supported by its Top Secret-East region based out of Northern Virginia since 2014. Like that first region, this one will also be air-gapped, with multiple “availability zones” composed of “discrete data centers with redundant power and networking.”
Together, the two sites will allow AWS’s defense, intelligence community and national security customers to “deploy multi-Region architectures to achieve the highest levels of resiliency and availability essential to their most critical national security missions,” Max Peterson, vice president of worldwide public sector for AWS, wrote in a blog post Monday.
The new site will also give users located away from Northern Virginia and the D.C. Metro area a new and potentially closer site to store their data, making for less latency. Amazon did not, however, say specifically where the new region is based, revealing only that it is 1,000 miles from the Top Secret-East region.
Peterson wrote that the launch of the new Top Secret region shows Amazon’s dedication to security and supporting organizations, like those in the defense and intelligence communities, that work with some of the nation’s most sensitive information.
“At AWS, security is our top priority,” he wrote. “AWS customers benefit from data centers and network architecture built to meet the requirements of the most security-sensitive organizations. … Today, with the launch of AWS Top Secret-West, we continue our support for mission workloads that span the full range of U.S. government classifications.”
While Amazon has been the clear frontrunner in serving the federal government’s most sensitive mission sets at the Secret and Top Secret classification levels for several years now, other cloud providers like Microsoft have made progress, too. Microsoft announced in August that its Top Secret offering is generally available with multiple geographically separate regions.
Amazon’s launch of a second Top Secret region should support its cause for more upcoming work on some of the federal government’s most prominent cloud contracts. The company late last year won a spot on the intelligence community’s Commercial Cloud Enterprise (C2E) contract, under which it will vie for task orders with other cloud giants like Microsoft, Google, IBM and Oracle to support the IC’s classified mission sets. Additionally, it’s been invited to bid on the Pentagon’s forthcoming Joint Warfighter Cloud Capability (JWCC), which, like C2E, will ask contractors to compete for task orders, often dealing with highly classified national security information.
Give $100M to DOD for innovation fund, top GOP appropriator says
The top Republican on the House Defense Appropriations Subcommittee said he wants to give the Department of Defense $100 million in open investment money to help sustain the department’s ongoing work with innovative companies.
Rep. Ken Calvert, R-Calif., said the proposed funds would be meant to help transition emerging technologies from seed investments into larger procurements, bridging the so-called “valley of death” where companies often struggle to receive major, follow-on funding from the DOD after receiving research or pilot grants.
Calvert said the fund would pick companies with ideas that could fill capability gaps and provide funding to keep them afloat until they earn a production contract, which can take years.
“We can pick a number of people we want to succeed and get them through that valley of death so they can actually get to procurement,” Calvert said during the Reagan National Defense Forum Saturday.
The valley of death is a challenge DOD innovation and acquisition leaders have been grappling with for years. Many startups that want to work with DOD typically start with small research grants worth up to a few million dollars. But after that, they struggle to win larger, meaningful production contracts.
Calvert said that a pool of funding that DOD can spend freely could help ease the gap between those two phases of acquisition.
“It’s frustrating as hell,” he said. “I’m hoping we can do that as soon as possible.”
The idea is included in the fiscal 2022 National Defense Authorization Act, which still awaits congressional passage but has passed in the House.
Calvert’s idea does have support from a very important leader in the DOD: Heidi Shyu, the department’s chief technology officer. Shyu has been pushing for a similar innovation funding mechanism called the Rapid Defense Experimentation Reserve (RDER) that aims to achieve the same goal.
The reserve funds ideas submitted by the services and combatant commands for technologies that are ready for testing to fill joint capability gaps. It’s overseen by a new innovation steering group chaired by Shyu and has requested funding in the DOD’s fiscal 2023 budget request.
“That’s exactly the path we have to be on,” she said of innovation funds that navigate around the traditional budget process.
The traditional Planning, Programming, Budgeting, and Execution (PPBE) process has been the bane of innovators and acquisition reformers for years. But so far little structural change has been made. The DOD was given tools to navigate around that slow-moving process in Other Transaction Agreements, but most contracts remain planted in the regulations that require years of planning before money can be sent to a contractor.
“We don’t have a lack of innovation; we have a lack of innovation that’s actually in the hands of the warfighter,” Gen. Charles Brown, chief of staff of the Air Force, said during the forum.