NIH’s COVID-19 data enclave continues to evolve with the virus

Technology linking patient records across data sources while preserving their privacy is being prototyped by the National Institutes of Health as researchers attempt to understand the evolving COVID-19 virus and its variants.

The National Center for Advancing Translational Sciences within NIH launched the largest COVID-19 dataset in the U.S., the National COVID Cohort Collaborative (N3C) Data Enclave, in April. And now NCATS wants to use privacy-preserving record linkage (PPRL) to link data from its enclave with medical images, omics tools, electronic health records (EHRs), and social determinants of health to answer researchers’ lingering questions like why COVID-19 symptoms linger in some patients.

PPRL finds and links records on the same patient across independently maintained data sources using a cryptographic hash value to protect their identity.

“Combining the EHR data with prospective studies and COVID clinics is going to be really important to be able to follow people over time, do specific interventions and try to tease out the differences in these diseases,” Dr. Ken Gersing, director of informatics at NCATS, told FedScoop. “What we’re now calling ‘long COVID’ is surely a syndrome of groups of many different illnesses, rather than one particular illness.”

Multimodal analytics being implemented now will give researchers the ability to look at patient images with their lab results, but some of the data sources NCATS wants to link to the N3C Enclave are maintained by other agencies like the Centers for Medicare & Medicaid Services.

PPRL respects data ownership by temporarily linking datasets in a neutral, high-performance computing area long enough for researchers to complete their work. Duplicate information is eliminated in the process.

NCATS still has hurdles to clear before PPRL goes live, ideally in two to five months, Gersing said. PPRL needs to be financed, legal barriers must be navigated and there’s a question of how to truly de-identify data from omics tools.

NIH announced funding for its institutes and centers (ICs) to research long COVID using PPRL in late January, going so far as to contract with two vendors. Datavant is handling the PPRL technology, while Regenstrief Group agreed to serve as the honest data broker for matching records.

“We, as the holders of the data, don’t want to also be the linkage group for the patients’ benefit, for the institutions’ benefit and for our benefit also — that there’s no conflict of interest and for preserving privacy,” Gersing said.

Appointing a data broker further allows researchers to ask COVID-19 patients to participate in potential studies. Researchers flag hashes of interest for the broker, which has the local institution where they originated de-encrypt them for the purpose of reaching out. That way patient identities remain with local institutions alone.
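The linkage and broker flow described above can be sketched as follows. This is an added example, not code from NIH, Datavant or Regenstrief; the keyed HMAC-SHA256 token, the field normalization, the shared site key and all names and records in it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from collections import defaultdict

# Assumption: contributing sites share one secret key that the broker and
# researchers never see. A keyed hash (HMAC) is used instead of a bare hash
# because names and birth dates are guessable and a bare hash can be brute-forced.
SITE_KEY = b"constructed-demo-key-not-a-real-secret"


def _clean(value):
    """Strip accents, punctuation, spacing and case so variants hash alike."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(c for c in decomposed if c.isalnum()).upper()


def make_token(record, key=SITE_KEY):
    """Derive the linkage token from identifying fields; runs only at the site."""
    msg = "|".join(_clean(record[f]) for f in ("first", "last", "dob", "sex"))
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()


class Site:
    """Data holder: identities stay here, only token + clinical data leave."""

    def __init__(self, name, records):
        self.name = name
        self._by_token = {make_token(r): r for r in records}

    def export(self):
        return [{"site": self.name, "token": t, "data": r["data"]}
                for t, r in self._by_token.items()]

    def reidentify(self, token):
        """Local lookup used when the broker relays a token of interest."""
        r = self._by_token.get(token)
        return None if r is None else f'{r["first"]} {r["last"]}'


class Broker:
    """Honest broker: matches on tokens alone and never receives identifiers."""

    def __init__(self):
        self.index = defaultdict(list)

    def ingest(self, rows):
        for row in rows:
            self.index[row["token"]].append(row)

    def link(self):
        """Merge rows sharing a token into one record per patient."""
        linked = {}
        for token, rows in self.index.items():
            merged = {}
            for row in rows:
                merged.update(row["data"])
            linked[token] = {"sites": self.origins(token), "data": merged}
        return linked

    def origins(self, token):
        """Which sites to contact about a flagged token."""
        return sorted({row["site"] for row in self.index.get(token, [])})


# Constructed sample records: the same patient is spelled differently per source.
EHR_ROWS = [
    {"first": "José", "last": "O'Brien", "dob": "1970-01-02", "sex": "m",
     "data": {"lab": "PCR positive"}},
    {"first": "Ann", "last": "Lee", "dob": "1985-06-30", "sex": "F",
     "data": {"lab": "PCR negative"}},
]
CLAIMS_ROWS = [
    {"first": "Jose", "last": "OBrien ", "dob": "1970-01-02", "sex": "M",
     "data": {"imaging": "chest CT on file"}},
    {"first": "Raj", "last": "Patel", "dob": "1990-11-11", "sex": "M",
     "data": {"imaging": "none"}},
]


def build_demo():
    ehr, claims, broker = Site("ehr", EHR_ROWS), Site("claims", CLAIMS_ROWS), Broker()
    broker.ingest(ehr.export())
    broker.ingest(claims.export())
    return ehr, claims, broker
```
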

About 1,900 researchers from nearly 300 institutions were working in the N3C Data Enclave, which contained data from about 800,000 COVID-19 patients as of March. ICs like the National Heart, Lung, and Blood Institute and the National Institute of Child Health and Human Development; agencies like the Food and Drug Administration and the Agency for Healthcare Research and Quality, and companies like Pfizer and IBM all use the enclave.

While generally these institutions consider each other competitors, NIH agreed to harmonize their datasets and make them available to all with rules against reselling, re-identifying, downloading and using for non-COVID research.

The N3C Data Enclave is a Palantir analytics platform with three subsets — synthetic, de-identified and limited datasets — that a Data Access Committee of federal officials may or may not grant researchers access to upon request.

Only the limited dataset, the hardest to obtain access to, contains true dates and ZIP codes. Meanwhile the synthetic dataset, the easiest to access, is a pilot in itself.

“If we can prove that the computer-generated data, modeled off of the limited dataset, is truly equivalent scientifically and privacy-wise, then there’s no reason this data can’t be shared across the world,” Gersing said. “Just put it out there as a file.”

NCATS paid for all the technical infrastructure, which normally researchers have to spend a portion of their grant money on, so they could focus on answering questions like: What medications alleviate COVID-19 symptoms better depending on case severity? And what variables can doctors use to predict how sick a hospital patient will likely get for resource and treatment planning purposes?

The Johnson & Johnson, Moderna and Pfizer vaccines have special RxNorm numbers in EHRs that will help N3C researchers study their efficacy over time.

NCATS’s data enclave is a Federal Risk and Authorization Management Program-certified environment that also requires dual authentication to access. The center’s security office monitors the enclave and also has an outside federal group run penetration tests, though it hasn’t really run into a nefarious actor to date, Gersing said.

“If this data ever got out of the enclave, it would shut down a very valuable resource,” he said. “I’m not saying it’s job one, but it sure is close.”

Biden’s GSA administrator pick Robin Carnahan boasts strong tech credentials

President Joe Biden intends to make one of 2017’s “Top Women in Tech” the head of the General Services Administration, the White House announced Tuesday.

Robin Carnahan founded and led the state and local government practice at 18F, GSA’s tech consultancy, from 2016 to 2020, having previously been Missouri’s secretary of state.

Most recently, Carnahan co-founded the State Software Collaborative as a fellow at Georgetown University’s Beeck Center.

While at GSA, Carnahan helped state and local governments improve their digital services while cutting costs. Her practice taught non-technical officials about IT risk management, procurement and modernization projects.

As Missouri’s secretary of state Carnahan modernized online services for hundreds of thousands of customers related to both elections and securities. A Democrat, she also ran for one of Missouri’s Senate seats in 2010 but lost to Republican Roy Blunt.

Carnahan regularly testifies before Congress on government innovation, but Biden’s nominee will still have to endure a Senate confirmation hearing before assuming the role of GSA administrator, which Katy Kale has been filling in an acting capacity.

Top Air Force IT leader has ‘mixed feelings’ about CMMC

The Air Force’s chief information officer has concerns about how the Department of Defense’s new cyber standards for contractors could harm small businesses trying to enter the defense market.

Lauren Knausenberger worries that the strictness of the Cybersecurity Maturity Model Certification, a program that requires third-party verification to a range of security controls, will limit small innovative companies from working with DOD. While she supports the need for better cybersecurity standards for DOD’s IT supply chain, CMMC may not be the best way to do it, she said.

“I have mixed feelings on it personally,” she said during an America’s Future Series webinar. “I think if we lock it down so that we are not going to do business with certain people because they don’t meet [CMMC], I think that limits our options.”

CMMC is a five-tiered system to increase cybersecurity controls that is being phased into contracts over the next five years. Contractors will be required to hire an accredited assessor to verify they meet one of the five levels, a process that remains in development as assessors are being trained and overseen by an independent accreditation body.

Knausenberger is not directly involved in the CMMC program, which falls under the undersecretary of defense for acquisition and sustainment’s authority. But her job as the top IT official in the Air Force gives her significant insight into the department’s technology needs and the potential impacts of barring some companies from its supply chain. She also was an investor and entrepreneur in the private sector before joining government, giving her insight into the challenges that may arise for tech companies.

For small companies hoping to work with the military, the costs of CMMC consultants, meeting the model’s security requirements and the fee for an assessor could be prohibitive. And if they fail to meet the CMMC level defined in a contract, the door to that opportunity is then shut.

“I would rather just say, ‘Hey let’s just give you some endpoint requirements,'” Knausenberger said.

While CMMC is all about the maturity of networks, Knausenberger said having some end-point security requirements and virtual means to connect into the department’s secure networks would likely cover necessary security needs.

“I don’t really care a whole lot about the other pieces” of the maturity model, she said.

Accreditation Body makes new industry council

Also Tuesday the CMMC Accreditation Body, the organization in charge of accrediting assessors and managing implementation of CMMC, announced a new industry advisory council. A group of a dozen industry executives will provide a “crucible for industry dialogue” on how CMMC will impact them, the group said in a news release.

Most of the members come from large defense contractors, like BAE Systems, Amazon Web Services and Accenture. One member, Nicole Dean, is a former board member.

“[J]ust like the volunteer professionals in the AB, the IAC volunteers have chosen to serve a higher cause,” CMMC-AB Board Chair Karlton Johnson said in a statement. “Their leadership, skill, and professional expertise will greatly contribute to the overall success of the CMMC program.”

The council mirrors previous groups the AB had during its initial creation. The volunteer board members led “working groups” of other volunteers from industry who worked on specific parts of CMMC implementation. The AB is looking for more volunteer members for the council to fill a diversity of perspectives, it said.

Joint Base San Antonio to focus on 5G for telemedicine

The Department of Defense is expanding its 5G technology experimentation to focus on medical capabilities, recent contracting documents show.

Joint Base San Antonio was selected last year as the Department of Defense’s test site for medical advancements powered by 5G. The National Spectrum Consortium recently released a statement of work shedding light on the new capabilities the DOD hopes to achieve like real-time virtual medical support, enabling remote forces to connect medical devices and ensuring the security of new 5G networks carrying medical data.

“There is a lot of opportunity to drive efficiency,” Randy Clark, vice chair of the National Spectrum Consortium, told FedScoop. The DOD awarded the National Spectrum Consortium a $2.5 billion contract in December to facilitate the military’s 5G pilots with the consortium’s member companies.

The tests are a part of an overall strategy from the DOD to offer its military sites as real-world places to test the new tech that could help modernize both commercial 5G development and DOD operations. The government has invested hundreds of millions of dollars in the program as 5G has become a technology critical in the competition against China.

“5G is going to play a critical role in the third offset,” a military term for the third generation of advanced technologies that will provide military dominance to whichever country fields them first, Clark said. “This is a part of a much larger initiative.”

Other military bases around the country have similar arrangements with private companies offering new tech in looser regulatory environments. But most of those focus on logistics and general connectivity.

5G could benefit medical providers by connecting hospitals in real-time with high-speed, ultra-wideband networks. Surgeons could get advice, even robotic assistance, from medical experts anywhere in the world with 5G, a capability currently limited by existing network capacity.

For the military, that could mean everything from more connected battlefield medicine and augmented reality training to digital twins of medical devices, Clark said.

“All of that wouldn’t necessarily take place without the investment,” Clark said of the hundreds of millions of dollars DOD is putting into its 5G testbeds.

Some of the specific enabling tech that the military wants to pilot in San Antonio includes artificial intelligence that can precisely modulate between radio wave frequencies, cybersecurity frameworks and alternative energy sources to keep powering the networks through blackouts. The testbeds are also generating new datasets for machine learning to extract information on when to set up networks.

“That is going to be disruptive in its own right,” Clark said of the power of combining AI with 5G.

Cybersecurity is a critical area of 5G research, Clark added. The new networks will require new practices to secure sensitive communications, especially if the military’s medical information is being transmitted. He stressed the importance zero-trust will play in securing 5G.

National Nuclear Security Administration awards $89.9M deal to Palantir for safety platform

The agency that maintains the U.S. nuclear weapons stockpile wants to allocate its employees and finances with safety in mind using a new data platform developed by Palantir.

The National Nuclear Security Administration awarded a five-year, $89.9 million contract to the Silicon Valley-based software company for a platform capable of measuring the health of its safety programs, Palantir announced Monday.

The platform will support NNSA’s Safety Analytics, Forecasting, and Evaluation Reporting (SAFER) project run out of its Office of Safety, Infrastructure, and Operations.

“Our work with NNSA illustrates Palantir’s mission to provide software to the world’s most important institutions in support of their most critical work,” said Akash Jain, president of Palantir USG. “We are excited to expand our work within the U.S. government and provide the NNSA with a high-tech solution to make the best possible use of its resources in support of the nation’s nuclear security missions.”

Palantir’s platform will integrate data across NNSA sites irrespective of the data or system type and will give the agency granular insight into safety metrics complete with visualizations.

The contract is Palantir’s first with NNSA.

While many of Palantir’s recent federal contracts have been tied to COVID-19 pandemic response systems, namely HHS Protect and Tiberius, the company started in the defense and intelligence space. One of the first tech startups explicit in their desire to aid national security agencies, Palantir landed its first Space Force contract almost a year ago and an Army network modernization contract in November.

DIU’s Mike Brown is Biden’s pick to head DOD acquisition

Mike Brown, the director of the Defense Innovation Unit, is set to be the Biden administration’s pick to head the Department of Defense’s acquisition and sustainment enterprise.

The White House on Friday indicated President Joe Biden’s intent to nominate Brown as undersecretary of defense for acquisition and sustainment.

Brown comes from a long career leading technology companies in Silicon Valley before he was tapped to bridge the gap between the DOD and his old tech community at DIU in 2018.

His expected nomination was one of three the White House announced for the Pentagon Friday, including picks of Michael McCord to be DOD’s comptroller and Ronald Moultrie to be undersecretary of defense for intelligence and security. Secretary of Defense Lloyd Austin gave a strong recommendation for the three.

“Each of these individuals is talented, experienced and highly qualified for the critical national security roles they will, if confirmed, undertake on behalf of the Department,” Austin said. “Their deep experience in national security will prove essential in guiding our efforts to defend this nation and secure our interests around the world.”

It’s unclear who will replace Brown at DIU. Once officially nominated, he will need to receive Senate confirmation.

Brown’s job at DIU focused on rapid prototyping and acquisition, handling a couple billion dollars a year. But his new job would focus on acquisition programs at a much larger scale worth hundreds of billions of dollars and that are often the opposite of rapid. Brown’s nomination represents a potential sea change for the department by putting a former technology official at the helm of acquisition. Brown’s predecessor Ellen Lord was a former defense industry executive when she took on the role in 2017.

The former CEO of cybersecurity company Symantec, Brown would also oversee critical cybersecurity programs to secure the defense industrial base, like the Cybersecurity Maturity Model Certification (CMMC). The program is currently under an internal review.

Brown has also been influential in his thoughts on U.S. technology competition with China. He has frequently spoken on the think tank circuit about Chinese tech development and co-authored an influential paper about economic competition and civil-military fusion in tech.

“National security follows economic security and prosperity,” Brown once said.

With a new CEO, CMMC AB board will boost focus on strategy, chairman says

It’s a busy time to be in supply chain cybersecurity, especially for the board chairman of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, Karlton Johnson.

At a time when the federal government is still reeling from the recent widespread SolarWinds hack, Johnson leads the volunteer organization charged with implementing the Department of Defense’s new CMMC standards for all defense contractors that many hope will stop the next pilferer of DOD data.

Now, Johnson’s leadership of the AB board is reaching a pivotal point: He is focused on hiring professional staff and transitioning what was a board of directors intimately involved in the day-to-day operations into one that can strategically guide a scaled organization.

In his first extended interview with FedScoop, Johnson said the board he leads will move from a body of “director do-ers” to become a “governing board.”

That means new faces on the board, new hires at the staff level and new ethics policies.

“I haven’t really seen the work changing significantly; actually I’d say it’s become more laser-focused,” Johnson said. “Especially bringing on the CEO.”

The board recently made one of its most important hires, bringing on Matthew Travis to be CEO of the AB. Johnson spoke highly of Travis, describing him as “sharp” and bringing necessary skillsets to the job. Travis is just the first major hire of many the AB wants to make in the coming weeks and months, filling out staff positions to carry out the massive undertaking before the organization, Johnson said.

“We are pretty excited because it’s a significant milestone,” he said of hiring Travis, who started last week. The most important part of the accreditation body’s developing role “is that professional staff we are bringing on,” Johnson said.

Johnson said Travis will take on some of the roles the chairman and other board directors currently fill, like managing the relationship with the CMMC Program Management Office and leading the daily operations of the organization.

The road ahead

The program the AB is implementing is DOD’s latest attempt in securing its manifold IT supply chain from hackers. The CMMC model has five levels of cybersecurity strictness — with level one being the most basic and level five including hundreds of complex controls — that all contractors will need to be certified against or risk losing access to DOD contracts.

Raising the army of assessors needed to inspect all the networks of the 300,000 defense contractors will be the AB’s responsibility. Beyond just credentialing assessors and assessment companies, the AB will also license training and testing providers, give stamps of approval to consultants willing to pay and generally oversee the quality of the complex CMMC ecosystem.

“I am focused on delivering that capability; I am focused on taking it to the next level,” he said.

To deliver the CMMC “capability,” more work remains for the board and the new staff alike. While consultants abound, contractors still await fully licensed assessors and Certified Third-Party Assessment Organizations (C3PAOs) who will be able to actually certify a company. Although full implementation of CMMC requirements will be phased in slowly through fiscal 2026, there is concern in industry over a demand crunch where assessments take more time than anticipated and there aren’t enough assessors to fan out across the defense industrial base.

Johnson says he is confident in the AB’s ability to meet demand. The AB has trained about 100 provisional assessors and cleared roughly the same number of assessment organizations through its initial application screening. But much remains to be done to turn them into fully credentialed assessors, like DOD completing its own assessment of assessors through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

“We remain on target,” Johnson assured.

Johnson was reluctant to disclose current timelines or estimates the AB is using to determine what that target is, or how it will meet it. But he did commit to engaging with industry and the media more regularly when the AB makes those decisions.

“Today, [based] on what we were asked to do, we are able to meet that demand,” he said.

New faces, same concerns

The daunting task of making CMMC work has come with its share of controversy and consternation from those it will impact. One of the most consistent criticisms has been a lack of communication and questions over conflicts of interest with the volunteer board members.

Johnson partially attributes the latter to “malicious influencers” spreading falsehoods or context-less information about the volunteer board. Regardless, he said the board will continue to increase its public engagements and work directly with industry to answer questions.

He also hinted at adding new ethics policies.

“From day one we have had conflict of interest policies in place. Those policies not only continue to be in place, but we are strengthening those as we go,” he said.

AWS Leader Teresa Carlson leaving Amazon for Splunk

After more than a decade leading Amazon Web Services’ public sector business, legendary government IT leader Teresa Carlson is joining Splunk’s leadership team as president and chief growth officer.

Carlson’s first day with Splunk will be April 19. In her new role, she will focus on growing the company’s business transformation efforts, accelerating growth and advancing its cloud initiatives.

“I am thrilled to join the passionate and talented team at Splunk, and motivated by this opportunity to bring exciting cloud and data solutions to global customers across all industries,” Carlson said in a statement. “Together, we will build on Splunk’s legacy of innovation as one of the fastest-growing companies in the history of enterprise software.”

Since joining Amazon Web Services in 2010, Carlson has grown the company into a leader in public sector cloud sales, particularly in its work with the federal government. In 2013, she oversaw AWS’s deal with the CIA to provide classified cloud services to the intelligence community — a contract that would cement the firm as a leader in providing cloud services for highly sensitive government workloads.

Meanwhile, Carlson’s departure isn’t the only change AWS must endure. CEO Andy Jassy was recently promoted to lead the entire Amazon portfolio after founder Jeff Bezos stepped down in February.

At Splunk, Carlson will report to CEO Doug Merritt, who said “she’ll be an excellent addition to our team.”

“Teresa has an incredible record of leading category-defining, high-growth companies at global scale to even greater success,” Merritt said. “Beyond bringing deep industry, software and cloud knowledge – which will be invaluable to Splunk as we continue to build on our strong foundation and rapid expansion – it is clear that Teresa embodies the values that define our strong Splunk culture.”

Carlson is a recipient of several FedScoop honors, including FedScoop 50 and Best Bosses in Federal IT awards.

Cloud access management guidance is coming from the Office of Governmentwide Policy

Guidance for agencies on single sign-on, cloud identities and a digital identity risk management process is coming in the next year from the Office of Governmentwide Policy.

The Federal Identity, Credential and Access Management (FICAM) architecture hasn’t changed during the COVID-19 pandemic, mostly because the Office of Management and Budget already released a memo that should help agencies implement remote access.

But agencies still have questions about how to modernize their infrastructure and securely allow remote access as “a lot” of them migrate to the cloud, which the new guidance should address, said Ken Myers, chief federal ICAM architect within the General Services Administration.

“To this point all federal employees are required to have a [Personal Identity Verification] card, but sometimes for that to work that means you have to be on the agency network,” Myers said, during an ATARC event Thursday. “With remote work that may not always mean your access type changes, so within OMB Memo 19-17 it talks about setting up pilots to use alternative or different authenticators.”

That could mean implementing single sign-on and federating access using a one-time personal identification number (PIN) or a hardware token, Myers added.

OMB’s memo tells agencies to conduct a digital identity risk assessment to look at the impact of allowing access, determine the assurance level and then pick the right authenticator for the job — a process OGP, which sits within GSA, will flesh out in forthcoming guidance.

FICAM doesn’t always align with specific solutions agencies are using because it’s a governmentwide architecture, but OGP is open to collaborating with them on updates to its guidance, Myers said.

For instance, the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) Program approves products and implementation architectures using FICAM as a reference. OGP, in turn, may refer to CDM as it updates privileged access management (PAM) guidance.

PAM refers to protecting accounts with elevated privileges like Windows domain administrators, Linux superusers and cloud-based global administrators, and it’s traditionally been handled separately from ICAM.

That could be changing.

“It is deprecated,” Myers said. “But we are looking at updating it because privileged access management is such an important topic today.”

JAIC looking for ‘data readiness’ services for military

The Department of Defense’s Joint Artificial Intelligence Center is looking for companies to help curate and enhance the military’s ability to use its data.

JAIC released a solicitation for Data Readiness for AI Development (DRAID) services, carrying a $240 million ceiling. Under the five-year contract, JAIC wants to enable “decentralized ordering” on the contract for parts of the military looking to use their data for AI development.

“The Government intends to issue multiple BOAs resulting from this solicitation to the responsible Offeror(s) whose submission(s) conforms to the solicitation and will be the most advantageous to the Government,” the solicitation states.

The JAIC recently shifted its focus to be an enabling force for AI across the military, not just an AI development office. This solicitation appears to fit neatly into that new vision the JAIC has of itself, searching for services that can be used across the military.

Some of the specific types of data readiness services the JAIC is looking for include Extract Transform Load (ETL) and data engineering, database design and development, data analysis, and project and outreach management, according to the statement of work.