Agencies seek double the $1B allotted to the Technology Modernization Fund for projects

The Technology Modernization Fund Board has received upward of $2 billion in funding requests from agencies in 2021, more than double the amount appropriated by the American Rescue Plan Act.

As a result, only a small subset of those proposals will receive Technology Modernization Fund (TMF) investments when the board announces another round of funding, likely next year, said Executive Director Raylene Yung.

The TMF Board has already looked at dozens of proposals and in September awarded money to seven, to be distributed incrementally as they complete project milestones.

“You can see that the scale and pace and size, the number of proposals has increased significantly in the last six months — compared to the previous three years,” Yung said, during an AFFIRM event Wednesday. “That’s something that’s really been a big focus is: How do we evolve, scale up the TMF as an operation, as a team and engage with the board to meet this new demand?”

The board has prioritized investments in shared services and areas it hopes to advance governmentwide like zero-trust security architectures, she added.

Three agencies received TMF funds for their zero-trust projects last round, and there are probably similar proposals remaining that can’t all be funded, said Sanjay Gupta, chief technology officer at the Small Business Administration and alternate board member.

“Maybe we fund one or two of those initiatives, which will then hopefully help create some playbooks and/or lead to the creation of some best practices on the zero-trust architecture,” Gupta said.

The zero-trust model has been around awhile, and many agencies already have initiatives underway — although the Cybersecurity Executive Order issued in May may have refocused them.

Customs and Border Protection received funding in the first-ever TMF round back in 2018 to retire the mainframe functionality of its Automated Commercial Environment (ACE), used to ensure the legitimacy of imports and exports from agencies and other countries.

ACE processed $2.7 trillion in goods in fiscal 2021, but its interface still needs modernizing for compatibility with the CBP Cloud — moving the system toward a zero-trust paradigm, said Autumn Maxey, lead IT specialist in the Office of Information and Technology.

Until projects like the ACE modernization are finished, sharing of resulting playbooks and best practices has been limited, Gupta said.

The TMF Program Management Office did connect CBP with another agency that was ahead of the curve retiring its mainframe, and similar cooperation has been seen on the new zero-trust projects.

“The three agencies that we announced in this last round are actually actively collaborating already on seeing how they can learn from each other on their zero-trust work,” Yung said. “And how they can collectively produce some resources that would benefit all other agencies.”

DOD organizations plot implementation of ethical AI in new guidance

As the Department of Defense expands its use of artificial intelligence, two key innovation offices have developed implementation guidance for the ethical use of the technology for the department and its contractors.

The DOD’s Joint AI Center (JAIC) plans to deliver finalized departmentwide implementation guidance on the ethical use of AI by Dec. 15 to the deputy secretary of defense, center spokeswoman Cmdr. Sarah Flaherty told FedScoop.

Meanwhile, the Defense Innovation Unit this week released detailed artificial intelligence ethics guidance for contractors that want to work with it, the first such guidelines in the DOD procurement ecosystem.

The JAIC’s overarching implementation guidance document was due in mid-October, per a memo signed by the deputy secretary of defense. Around the same time that the center missed the original deadline, the JAIC’s chief of responsible AI, Alka Patel, departed the organization. She has since been replaced in the interim by Sunmin Kim, who also serves as the JAIC’s policy chief.

Both frameworks come after the JAIC issued ethical AI principles for the department in February 2020. Those principles — that AI should be responsible, equitable, traceable, reliable and governable — form the basis of the guidance for both organizations.

DIU’s 33-page document was developed in coordination with the JAIC and provides step-by-step guidance on what DIU wants to see from contractors that develop AI. The guidance applies only to DIU acquisitions, which make up a small fraction of the military’s procurement in the form of emerging technology prototype contracts.

“The DIU [Responsible AI] Guidelines are intended to operationalize the high-level, department-wide DoD Ethical Principles in a detailed, but adaptable way on acquisition programs run by DIU,” a DIU spokesperson told FedScoop.

DIU’s guidelines break down ethical AI development into three phases: planning, development and deployment. Each contains expectations for what developers should do to ensure proper outcomes for AI. Many of the steps focus on implementing best practices around protecting data from attack or preventing biases.

“More data is not always better: training an algorithm on historical data may recreate historical biases around sex or race,” the document states.

Other steps listed in the document include continuous validation and functional testing. Jared Dunnmon, DIU’s AI tech director, said the guidance can be incorporated into statements of work as well as contractual milestones as means to ensure it is followed.

The guidance is clear that DIU’s risk-friendly mindset does not apply to the ethical applications of AI.

“Some systems that are proposed for national security use cases may have no route to responsible deployment—deciding not to pursue an AI capability should be an acceptable outcome of adhering to the RAI Guidelines,” the document states.

As the central coordinator of ethical AI across the department, the JAIC is promoting a “bottom-up execution,” similar to what DIU has done, Flaherty said.

It’s unclear if other units are working on different ways to “operationalize” the ethics principles, but the JAIC will remain the central coordinator of policy and implementation guidance for the department, said Flaherty.

“The JAIC’s role is to scale these different efforts and ensure they are coordinated under the [Responsible AI] Working Council and forthcoming DoD-wide Strategy & Implementation Plan,” she said.

Cyber Talent Management System expected to produce results ‘within months,’ DHS leader says

The Department of Homeland Security’s new Cyber Talent Management System rolled out on Monday is expected to produce results “within months,” according to an agency leader.

Undersecretary for Strategy, Policy and Plans Robert Silvers said Wednesday at a House Committee on Homeland Security hearing that he believes the new HR system will be an effective tool for fast-tracking new cyber talent into government.

“I regard the shortfall of cyber talent as a national security issue,” Silvers said. “We do need to streamline other processes, but I do believe the Cyber Talent Management System (CTMS) will show tangible results over a matter of months.”

DHS earlier this week launched the system, which is one of several recent measures intended to increase the pace of hiring of cybersecurity talent within the department. In July, the department also launched a 60-day cybersecurity workforce sprint, which resulted in 500 job offers and the appointment of about 300 cyber professionals.

The CTMS allows DHS to directly screen applicants for cyber positions based on demonstrated competencies, offer competitive compensation and reduce time to hire.

Employees appointed through the system will join the new DHS Cybersecurity Service, a team that is focused on protecting U.S. critical infrastructure and citizens from cyber threats, as well as increasing national resilience.

Speaking alongside Silvers at the hearing, CISA Executive Director Brandon Wales also told lawmakers he regarded the new talent management system as a powerful tool.

“Already this morning, 650 people have submitted applications through the portal,” he said. “We’re looking at the full process of bringing people on board to see if we can streamline it.”

TMF Board considering three projects from Department of Energy

The Department of Energy has submitted three projects for consideration by the Technology Modernization Fund board, according to the agency’s principal deputy CIO.

Speaking at an AFCEA Bethesda event Tuesday, Emery Csulak said the proposals relate to IT infrastructure and cybersecurity, and that they were submitted amid concerns about the state of the working capital fund at the Department of Energy (DOE).

“We have existing funds on projects that we had already initiated,” Csulak said. “Obviously we can continue those solutions, however new investments are all pending on the government [budgeting process].”

The TMF Board is shortly expected to announce a fresh round of funding awards, after federal CIO Clare Martorana in October said they would likely come “within weeks.” In September the board announced seven new projects in its first round of awards since receiving a $1 billion infusion as part of the American Rescue Plan.

Also speaking at the event, Nuclear Regulatory Commission (NRC) chief information officer David Nelson said that the Biden administration’s cybersecurity and supply chain executive orders had forced agencies to reevaluate how they spend on risk reduction and data collection.

“The risk-based decisions we made in the past were based more on available funds,” Nelson said. “And now I think there’s a different appetite across the federal government as to how much risk we’re going to accept, how much information we’re going to collect.”

Agencies like NRC were only “just maturing” their supply chain resilience, when the Biden administration’s executive orders urged them to scale those efforts and implementation of zero-trust security architectures, Nelson said.

NRC has focused early efforts on increasing log sharing in accordance with the Office of Management and Budget’s companion memo to the Cyber EO, while the National Nuclear Security Administration wants a better understanding of the people and machine identities on its network.

CISA working group assessing cyber risks to space infrastructure

The Cybersecurity and Infrastructure Security Agency established a cross-sector space working group that is performing an assessment of risks to both federal and commercial space infrastructure, said Assistant Director Bob Kolasky.

CISA’s primary concern is mitigating cyber risks to position, navigation and timing (PNT) services and GPS, Kolasky said, during an AFCEA Bethesda event on Tuesday.

The agency already examined all 55 national critical functions — ones government and the private sector perform that, if corrupted, would be detrimental to national security — as they relate to space.

“We have to think about space as a potential risk vector to national critical functions and space infrastructure as critical infrastructure,” Kolasky said.

CISA’s working group will leverage critical infrastructure sector partnerships, similar to how it’s done with pipeline operators in the aftermath of the Colonial Pipeline ransomware attack in May, he added.

The agency is also exploring ways to extend the benefits of investments in national security systems to commercial space missions working with the Department of Defense.

CISA continues to partner with DOD and the Department of Transportation to ensure redundant and terrestrial backup systems to space systems are resilient. Meanwhile the Department of Commerce’s Office of Space Commerce is teaming with DOD, DOT and NASA; industry; and academia to populate its Open-Architecture Data Repository of orbiting satellite and space junk locations.

The challenge for any effort to harden space systems from Earth after launch is that they rely on the same channels that foreign adversaries like Russia and China can also exploit.

“Space systems have a unique characteristic of things up there, right?” Kolasky said. “You don’t get many opportunities to replace them.”

Air Force’s Kessel Run and Platform One ink collaboration agreement

Two of the Air Force’s premier software innovation groups signed an agreement to collaborate on technical and workforce issues and better use their limited resources to create a common tech-development stack.

Announced Tuesday, the agreement between the Air Force’s Kessel Run and Platform One lays out cultural and technical points the groups will work together on, including building common security authentication standards, enforcing policy and establishing cross-platform and cross-environment portability. The hope is to eventually enable sharing of code and tools that are often redundant.

The agreement is a part of a broader push to eliminate the deep silos created by the military’s budgeting and procurement process. The outcome, the two software units hope, will be a shared tech development stack that developers in both organizations can manage and use to build on faster.

“The agreement is really more focused on building a government-owned tech stack together,” Maj. Austen Bryan, chief operating officer for Platform One, said in an interview.

Capt. Dylan Brown, Kessel Run’s government engagement lead, told FedScoop the memo is meant to establish “a common set of values.”

It is also meant to dispel the perception that Platform One and Kessel Run are “pitted against each other,” Bryan said.

Even though the two groups work to achieve different goals — with Platform One creating a DevSecOps coding environment and repository, and Kessel Run being both a software development and acquisition unit — Bryan said the challenges they face are the same.

The memo states the two groups will build for “modularity and reuse” across systems in order to maximize the tools they can share.

“We don’t have to re-do things,” Bryan said.

Brown told FedScoop that one of the biggest changes from the memo is that it formalizes the sharing of failures so mistakes only happen once between the two organizations. “There’s an incentive for protectionism,” Brown said about the current project management structure in DOD.

Bryan said that much of the new document formalizes practices already in place behind the scenes through text messages and informal communities.

“We have always had backchannels where we have talked to each other,” Bryan said.

Brown said the two have been texting each other for more than a year. “It’s about increasing the capacity of organic DevOps,” he added.

Now with a formal agreement in place, the two can share things like technical roadmaps and organize timelines around the delivery of shared services. For example, if Kessel Run needs a new identity management tool from the Air Force, Platform One can be apprised of when that tech will be coming in and if it too can use it.

The organizations hope this is just a first step for the two in working together and that others will join in as well. Expanding partnerships is a top priority, Bryan said, adding that he hopes it doesn’t take negotiating a memorandum of agreement each time and that this collaboration will provide a roadmap for how other organizations can work together.

CISA issues cybersecurity incident, vulnerability response playbooks for federal agencies

The Cybersecurity and Infrastructure Security Agency has issued new playbooks to guide federal agencies’ response to cybersecurity incidents and software vulnerabilities.

The documents, which were published Tuesday, reinforce the Department of Homeland Security component agency’s work to formalize the communications processes and action plans federal agencies turn to when a cyberattack is discovered.

Much of the new guidance is focused on the preparation required from federal departments in anticipation of future cyberattacks, which includes the monitoring of multiple sources of threat intelligence, including alerts from CISA’s EINSTEIN intrusion detection system and Continuous Diagnostics and Mitigation (CDM) program.

The new playbooks also call for civilian agencies with advanced defensive capabilities and staff to establish active defense capabilities, such as the ability to redirect an adversary to a sandbox or honeynet system.

According to CISA, such defense systems allow it, along with other law enforcement agencies, to gain a more in-depth understanding of attackers’ methodologies, which can substantially increase the efficacy of the government’s response.

The new playbooks also underscore the importance of having plans to coordinate the response to a cyber incident or vulnerability internally and between agencies on out-of-band platforms. Staff will need to communicate by phone or chat rather than by email and ensure these systems can remain operational, even when core systems are taken offline.

“These playbooks provide federal civilian executive branch (FCEB) agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks,” said CISA. “Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these playbooks to evolve the federal government’s practices for cybersecurity response through standardizing shared practices that bring together the best people and processes to drive coordinated actions.”

Agencies should invest in dedicated workforce for human-centered design, study shows

Investing in a dedicated workforce for human-centered design and user experience is key for agencies looking to improve customer experience and equity of policies, according to the Partnership for Public Service.

In a report published Monday, the nonprofit described a study of 15 agencies, which found that those with recently appointed product design and user research expertise were more effective at improving customer experience.

According to the nonprofit, the Department of Federal Student Aid was able to improve user experience by formalizing the processes it used to build and launch new products, and to create consistency and cohesion.

The Partnership for Public Service (PPS) also found that the Department of Veterans Affairs (VA) has relied on greater contact with user research experts across an advisory consortium in order to remodel its clinical contact centers.

User-centered design has received a high level of attention from government user design leaders during the pandemic, as agencies were forced to adapt to collecting project evidence through telework consultations.

Earlier this month, VA Deputy Chief Experience Officer Barbara Morton said that so far remote consultations appear to have increased the range of views from veterans that the agency is able to sample.

The study was carried out in partnership with Accenture Federal Services.

Editor’s note: This story was updated to correct references to a prior report.

Army CIO says everyone who needs email will have it in transition to Office 365

The Army’s CIO has defended his decision to buy fewer Microsoft Office 365 licenses than the number of people in the Army, saying that no one will go without email services and that the move could save the branch $150 million.

Army CIO Raj Iyer told FedScoop that the service is working on alternative solutions for junior enlisted members and others who will not get access to the full suite of services in the Army’s transition to a new Microsoft Office 365-based back-office enterprise cloud system. He also said the decision to buy only 1.2 million licenses for the roughly 1.4 million people who work in the department was intentional to save money and buy only what he said will be used.

“Every user in the Army would have access to some form of communications,” Iyer said of the decision.

The Army is transitioning away from the current Defense Enterprise Email system that is set to expire in March 2022 as the Department of Defense adopts remote work-capable back-office enterprise systems across the military. It’s been branded as DOD365 — and Army 365, in the Army’s case — as the system is largely based on Microsoft’s popular Office 365 product, but with additional cybersecurity measures in place.

The DOD created its first remote work platform based on Microsoft cloud software with the creation of the Commercial Virtual Remote environment, a temporary measure to allow remote work during the early days of the COVID-19 pandemic. The transition to Office 365 tools was started years ago through the development of the Defense Enterprise Office Solution (DEOS) cloud contract. The DOD sunset the CVR environment over the summer in anticipation of moving users to the more robust 365 environments.

Iyer said he came to his decision to buy fewer licenses than the number of personnel after he spoke with enlisted soldiers on his recent travels, concluding that many in the Army don’t use their email tools or prefer other communication methods like chat. Iyer said data shows that about 150,000 Army email inboxes had not been accessed by users over the past six months.

“Giving everyone a full-fledged Office license is not the best way to go, because it is way too expensive,” Iyer said. “Depending upon the role that you are in, you are going to get a certain type of software to get your job done.”

In place of Office 365 licenses, the Army is working on an alternative email-only solution to provide email services to anyone who wants them, he said, adding that those alternatives might not be Microsoft-based.

Iyer estimates the Army will save $150 million by segmenting which services users are given. That money is going to be redirected to implement the service’s zero-trust strategy and new cybersecurity tools to allow users to access email and office tools from non-government devices.

While some users will be on different email systems, especially until Defense Enterprise Email sunsets next year, “there should be no issues with them communicating with each other,” Iyer said, because the Army established a global address directory database to ensure seamless connections across the different systems.

In November 2022, the Army is going to be moving to a consumption-based pricing model for services that Iyer hopes will save even more.

BYOD; cloud-enabled

Iyer told FedScoop the Army is also developing a Bring Your Own Device policy that will allow soldiers, civilians and contractors to use their own laptops and phones to check email when working remotely. The Army is going to prioritize reservists and National Guard members in fiscal 2022 so they are not forced to report to a government building just to check email.

By moving to a BYOD policy, more people will have access to email and collaboration tools, and save money on device purchases, Iyer said.

“Once we get a BYOD solution in place, we no longer need to procure laptops,” he said.

On top of this, the Army is moving its email infrastructure to the cloud. Making these new systems cloud-based means the service’s email can bypass the DOD’s Non-classified Internet Protocol Router Network (NIPRNet), Iyer said.

Instead of on-premises data centers, the systems will be hosted on the Army’s cARMY cloud system, supported by the Army’s Enterprise Cloud Management Agency (ECMA).

Department of the Treasury signs cybersecurity partnership with Israel

The U.S. Department of the Treasury and Israel’s Ministry of Finance have agreed to a new cybersecurity partnership to protect critical financial infrastructure and to counter the threat of ransomware.

On Sunday, the U.S. government announced the new bilateral agreement, which is included as part of a wider U.S.-Israeli task force on fintech innovation and cybersecurity.

Through the partnership, both countries will work to develop a memorandum of understanding to support the sharing of information relating to the financial sector, including on cybersecurity regulations and threat intelligence.

The new memorandum is also intended to address staff training and cross-border cybersecurity exercises.

According to the Treasury, the task force will also launch a series of technical exchanges on policy, regulation and outreach to support fintech innovation.

“Harnessing both the power of international cooperation and of technology innovation will position us to support economic competitiveness, prosperity, and to combat global threats including ransomware,” said Deputy Secretary of the Treasury Wally Adeyemo. “As the global economy recovers and ransomware and other illicit finance threats present a grave challenge to Israel and the United States, increased information exchanges, joint work, and collaboration on policy, regulation, and enforcement are critical to our economic and national security objectives.”

The agreement was signed following the counter-ransomware initiative meeting that took place at the White House in October with the European Union and more than 30 countries, including Israel. At the meeting, Adeyemo underscored the importance of international cooperation on the issue.

Commenting on the new agreement, threat intelligence expert and former National Security Agency technical lead Adam Flatley noted that such bilateral relationships are critical for mitigating the threat of ransomware, but that the U.S. also would likely pursue multilateral agreements.

“The US and Israel have long worked closely and effectively together on critical security issues of common interest,” he said. “Other [agreements] will be multilateral, with collaboration being governed by what collective trust level the group has. Such level of trust is usually less than a bilateral relationship but can foster broader sharing of less sensitive things more quickly.”