Lawmakers look to create cyber training programs at CISA, VA
Lawmakers want to create cyber training programs at the Cybersecurity and Infrastructure Security Agency and Department of Veterans Affairs to bolster the federal workforce, through legislation introduced Friday.
The Federal Cybersecurity Workforce Expansion Act would launch a registered apprenticeship program at CISA and a veteran training pilot at the VA with costs to be determined.
Recent supply chain attacks like the SolarWinds hack, targeting agencies through a government contractor, underscored the lack of cyber talent at the federal level on down, with more than 500,000 job openings nationally, according to the National Institute of Standards and Technology.
“In order to bolster our cyber defenses and protect our critical infrastructure, we need to increase the number of cybersecurity professionals in the federal government,” said Sen. Maggie Hassan, D-N.H., in a statement. “This bipartisan bill will also help address the workforce challenges in the veteran community by standing up a cyber-training program at the VA to help veterans secure good-paying, stable jobs, and I urge my colleagues to join me in supporting this legislation.”
Hassan, who chairs the Subcommittee on Emerging Threats and Spending Oversight, is cosponsoring the bill with Sen. John Cornyn, R-Texas.
Should the bill become law, CISA would have two years to establish at least one apprenticeship program leading to employment at the agency or at a company contributing to national cybersecurity and mostly funded by a contract, grant or cooperative agreement with the agency. The program must also meet CISA’s cyber work role needs and be registered with the Department of Labor’s Office of Apprenticeship or a similar state agency.
DOL, NIST, the Pentagon, National Science Foundation, and Office of Personnel Management would be expected to share resources with CISA, which may issue grants or cooperative agreements to companies or other entities to execute the program.
CISA would also need to report to Congress on the results of the program, including continued employment rate, every two years, as well as submit annual performance reports.
Under the act, the VA would have one year to create a pilot program providing cyber training using virtual platforms, hands-on skills labs and assessments, and federal work opportunities. Graduates would receive cyber credentials.
The program is expected to align with NIST’s National Initiative for Cybersecurity Education (NICE) Workforce Framework, and the VA would work with the Pentagon, Department of Homeland Security, DOL and OPM to make it a reality. Veterans and retiring active duty military personnel would be eligible.
A 2019 report from the Government Accountability Office examined the shortage of federal cyber talent. In May 2021, DHS announced a 60-day sprint to hire 200 cyber employees — 100 of them at CISA.
DOD may be underestimating risk in major IT systems, GAO report finds
The Department of Defense could be taking an overly optimistic approach to assessing cyber risk on several of its IT programs, according to the Government Accountability Office.
In a report published on Wednesday, the oversight agency said it had found at least 10 instances among the major business IT programs it audited in which independent assessments conducted by the DOD underestimated the level of cybersecurity risk.
The office has recommended that the DOD review how it conducts risk assessments across its IT systems and warned that, until it does, the department’s oversight of programs could prove over-optimistic.
IT programs that the GAO says should be classified as having elevated risk levels include the DOD’s defense travel system, enterprise accounting and management system, logistics chain management systems, and the Marine Corps’ global combat support system.
GAO’s review also found challenges in DOD’s implementation of agile software practices. Among the concerns raised by the report were the inability of the department to hire the requisite staff and to manage the technical environments that are needed for agile software development.
The department has been trying to update its software practices to include agile development, which follows the principle of iterating and quickly updating code, and replaces the traditional waterfall method of IT development.
Former GSA chief acquisition officer Salmoiraghi joins HR consultancy
Jessica Salmoiraghi has joined human resources consultancy firm Golden Key Group as a vice president.
In her new role she will be responsible for leading shared and managed services at the company. She moves to the private sector after previously working at the General Services Administration as chief acquisition officer, a role that she left in January this year.
Salmoiraghi joined GSA in 2018 as associate administrator at the Office of Governmentwide Policy and chief acquisition officer. Before this, she was the director of federal agencies and international programs at the American Council of Engineering Companies.
The GSA has recently welcomed a new administrator, Robin Carnahan, who on Wednesday was confirmed in the role by Senate lawmakers in a voice vote.
Commenting on Salmoiraghi’s appointment, Golden Key Group CEO Gretchen McCracken said: “Jessica’s recent experience at GSA will be crucial to GKG’s growth as we expand our Shared and Managed Services practice in support of our federal clients.”
GSA, along with the Office of Personnel Management and the White House COVID-19 Response Team, has helped lead the Safer Federal Workforce Task Force, which is shaping the policies of federal agencies for getting staff back to the office.
Rep. Hice calls on IGs to assess telework’s impact on agency performance
Rep. Jody Hice, R-Ga., has called on inspectors general to assess the impact of remote working on federal agencies’ missions and the performance of their employees.
In a statement Thursday, Hice said it was “clear” that the increase in the number of federal employees working from home had contributed to delays, inefficiencies, and declines in performance.
“I’m calling on inspectors general to investigate the overall impact telework had on our federal agencies during this pandemic and report back to Congress so we can accurately assess how to move forward before rushing into foolhardy reforms,” the lawmaker said.
The congressman has written to the inspectors general of 10 agencies, including the departments of Defense, Justice and Homeland Security, asking them to look into the impact of mass telework over the past 16 months. Hice is the ranking member of the Subcommittee on Government Operations, which is part of the House Committee on Oversight and Reform.
Agencies across the federal government have been given a July 19 deadline by which they must finalize plans to get staff back into the office, a process that is being overseen by the White House-backed Safer Federal Workforce Task Force.
However, according to new guidance issued as part of the return-to-office program earlier this month, agencies have been instructed to consider embracing a more virtual workforce.
A joint memorandum sent by the Office of Management and Budget, the Office of Personnel Management and the General Services Administration said that such a move should be taken “where possible and appropriate.”
Pentagon installs Garstka as acting CISO for acquisition and sustainment
Former U.S. Air Force officer and long-time cybersecurity specialist John Garstka has taken up the role of acting CISO for acquisition and sustainment at the Department of Defense, FedScoop has learned.
In the new post, Garstka will be responsible for leading the integration of security and cyber efforts within the Office of the Under Secretary of Defense and will work to ensure security within the department’s technology supply chain. According to sources, he takes over the role on an interim basis from Katie Arrington.
Garstka is a Pentagon veteran, having worked in military research and development since 1984, including over a decade within the space division of the U.S. Air Force. Since 2012, he has held leadership roles within the Office of the CISO at the DOD, most recently as director of cyber programs. Between 2000 and 2002 he was CTO for the Joint Chiefs of Staff.
It is not immediately clear how much of a role Garstka will play in the management of the Cybersecurity Maturity Model Certification Program (CMMC). Recently-installed Deputy Assistant Secretary of Defense for Industrial Policy Jesse Salazar in May told Congress that he now has oversight of CMMC.
One of the core responsibilities of a CISO for acquisition and sustainment at the DOD is to ensure the digital security of weapons systems across the military.
Services have struggled with cybersecurity risks within the defense supply chain. In 2019, a landmark report by the Department of the Navy found that the service had failed to account for the fact that defense companies it contracts with would be aggressively targeted by foreign hackers for their valuable data.
The DOD, in response, has ramped up its implementation of measures such as the CMMC program.
In November last year, the Department of Defense appointed Dave McKeown, a long-time government IT and security official, as chief information security officer. He replaced former CISO Jack Wilmer, who departed in July to lead a private security company.
The DOD declined to comment.
Navy CDO Sasala says service has a ‘massive’ data duplication problem
The Navy will spend the rest of 2021 inventorying its data and solidifying management roles and responsibilities because making department-wide data policy is currently daunting, said Chief Data Officer Tom Sasala on Thursday.
Like other departments, the Navy is drawing on the Federal Data Strategy 2020 Action Plan and its Department of Defense Data Strategy Implementation Plan to focus its efforts. But the department didn’t meet the 2020 Action Plan’s six-month target for inventorying its data because of its size and scope, Sasala said.
Just how quickly the action will be completed is unclear because data quality and, more specifically, duplicate sets of low-quality data remain a problem for the Navy.
“We’re finding just massive, rampant data duplication,” Sasala said, during an AFFIRM event. “And so that’s actually hurting us much more than the quality itself.”
The data exists across multiple systems, and users have been allowed to “quote unquote innovate” with it without the Navy having a handle on its pedigree or provenance, he added.
Sasala said his priority is identifying “authoritative” datasets and where they come from while establishing who can use them and for what purposes.
Previously the Navy sought to establish authoritative systems, but not all data in a system is authoritative for the purpose the system was created. For instance, the Navy Enterprise Resource Planning financial management system serves as a general ledger for components, but not all users or even the department’s organizational structure.
At the same time, the Navy has created deputy data officer positions for the Navy and Marine Corps, which didn’t previously exist, and is working on establishing associate data officers for every command. Fortunately, most commands already had people filling the associate data officer role under different titles such as “data analytics for the command” or “command data officer,” the latter confusing because its acronym, CDO, is the same as that of the chief data officer.
Sasala is in the process of appointing people to those roles and delegating statutory responsibilities from the OPEN Government Data Act to them, as well as creating a mechanism for holding them accountable for the work.
The Navy has also taken “great strides” injecting data and data professionals into its acquisition review process, known as Gate 6 reviews.
“Rather than allowing something to go into production that doesn’t have APIs and it doesn’t have data standards and is a closed ecosphere — that we can’t get access to the data and all this other stuff — we’ll have some say in some regard about whether or not we want to make that investment,” Sasala said.
What government CIOs need for AI to succeed
Kirke Everson is a principal in KPMG’s Federal Advisory practice, focusing on technology enablement, intelligent automation, program management, process improvement, cyber security, risk management, and financial management. He currently serves as the government lead for intelligent automation for KPMG in the U.S.
Federal and state government leaders are witnessing the expansion of artificial intelligence all around them. From back-office automation, that can help reduce backlogged work, to cognitive platforms, that can identify and respond to natural language requests to better serve the public, AI and automation have become a driving force in addressing mission and business objectives.
That’s clearly evident in speaking directly with federal and state government CIOs in multiple roundtable discussions over the past several weeks. Based on the use cases they described, it’s clear that agencies are making significant headway in putting AI to work.
At the same time, there are a variety of issues where government CIOs also need broader support. The issues they and their executive teams face, in many ways, are not that different from previous technology breakthroughs that tended to upend familiar work processes. The technology component — like the disruption of mobile and cloud technology — is only part of a larger equation involving processes, policy, culture, governance and ethics. That said, government is already seeing the value of AI, especially in light of unprecedented citizen demands for agency services during the pandemic.
CIOs in these roundtable discussions expressed a collective optimism and determination for how government can and must put AI to work. There was a broad consensus that they cannot delay integrating AI into their operations. “It’s not a question of when, but how we allow AI to come into our processes,” said one leader.
What’s critical now for agencies is to address these larger policy issues. At the same time, they also need to assess and select the right technologies for more advanced use cases; establish the means to scale AI solutions; and improve the quality of, and access to, clean and digestible data.
It’s getting to the “how” that CIOs are now wrestling with. Here’s a partial list of what many of them say their organizations still need from their leadership to ensure AI will live up to its promise:
Clearer use cases — We have already seen how AI is helping government agencies to analyze data, automate responses through robotic process automation and augment employee workloads. But agencies have all kinds of opportunities to build upon those successes to develop more advanced use cases, where more complex AI components can be applied to drive innovation and strategic decision making for better mission outcomes. Fortunately for government, AI’s application in commercial sectors — for detecting fraud, for example — are demonstrating tangible results and offer a helpful roadmap for what’s possible.
Greater data preparation — The ability to readily identify useful patterns in government data depends on having clean and reliable data to work with. Given the volume and velocity of data agencies generate, CIOs need modernized IT infrastructure, more robust data management applications and the resident skills to capitalize on them. Here is where automation and AI solutions can be part of the solution, to help access, consolidate, normalize and cleanse data.
Commitment to trustworthiness — This was one of the top concerns among CIOs in these discussions. It is vital that senior leadership establish and implement an ethical and responsible approach to AI, that adequate controls be put in place, and that agencies execute against an ethical AI framework. Without those safeguards, agencies run the risk of relying on untrustworthy or biased data or undermining the productivity gains AI promises.
Greater governance — Decisions need to be made on how agencies will manage the application of AI, which use cases to pursue and how to implement, scale, monitor and evaluate the impact of AI. CIOs can’t do that alone. Governance will also play a key role in building in proper checks and balances and guidance on how AI is ultimately put to work — and ensuring that AI initiatives conform with wider accepted practices.
Broader training — Artificial intelligence is more than the technology that creates it. It is a powerful set of outcomes that requires care, calibration and control — beginning with the data that goes into it and for the decisions that come out of it. Not unlike the fields of medicine or building design, AI will require specialized and continuous training at many levels across every organization endeavoring to integrate AI into its operations.
There’s no question, AI promises to be an incredible force-multiplier in helping government better serve the public. CIOs have a unique perspective and a critical role to play in all of these areas. But AI’s promise also hinges on agency leaders focusing on the mission or business, developing clear use cases, and then applying the technology, not the other way around.
CMMC uncertainty threatens small contractors, business leaders warn
Small business owners warned members of Congress on Thursday that uncertainty over the costs and timeline of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program could push their enterprises out of the defense industrial base.
In testimony given to a House Committee on Small Business subcommittee, they also raised concerns over the department’s communication strategy for the scheme, saying it has allowed information to trickle out through social media, rather than contacting affected contractors directly.
“There is no consistent method or message from DOD,” said Michael Dunbar, a small business president who testified on behalf of HUBZone Contractors National Council. “A lot of small businesses have been ignored.”
CMMC will require third-party certification that contractors meet a five-tiered range of security controls. Critics say that the cost of meeting those standards could fall unfairly on small businesses because they have fewer resources to deploy on cybersecurity than large defense firms.
Dunbar said during the hearing that much of the communication around the implementation of the scheme had been conducted through LinkedIn and urged the DOD to formalize its communication with industry with official policy documents.
“It’s basically been kept to a very small group of people that are running all of this and then we get told later on what is happening,” he said.
In testimony, the CEO of professional services contractor T47, Tina Wilson, warned that uncertainty over costs and the implementation timeline for the regime had left many small businesses fearful of being shut out of the defense industry.
“The fear could be real,” she told lawmakers. T47 provides policy procedures and analysis services to agencies within the DOD.
Jonathan Williams, a partner at law firm PilieroMazza, warned that the DOD must clarify which of the five levels of CMMC contractors would qualify for. He noted also that one potential avenue for reducing the cost of certification to small businesses would be to ensure prime contractors are largely responsible for ensuring subcontractors adhere to cybersecurity requirements.
“If we can keep as many small businesses as possible at level one, that will strike the right balance,” Williams told the committee.
The attorney said also that the DOD must explain how it intends to meet a self-imposed 2026 deadline to make CMMC a requirement in all contracts.
In response to the concerns, subcommittee Chair Rep. Dan Meuser, R-Penn., called for the creation of a platform through which the DOD can hear concerns over the implementation of the scheme.
“I think we can conclude that these measures are overly harsh and we do need to create a forum to have this discussion with DOD,” he said.
The hearing on Thursday came after electronics manufacturer trade group IPC earlier this week published a study that found 24% of industry respondents anticipate being pushed out of the defense industry due to the costs and burdens of CMMC.
A separate report published by the Alliance for Digital Innovation on Tuesday also warned about the risks of implementing “expensive but emerging requirements that are not ‘fully baked’” in the federal acquisition space.
“A clear example is the rush to impose the emerging standards of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) requirements into civilian agency procurements,” the study said.
Lawmakers push DOJ to investigate China Initiative after engineer’s mistrial
Democratic lawmakers urged the Department of Justice to investigate FBI misconduct under an initiative for prosecuting people stealing trade secrets, hacking or spying for China, in a letter published last week.
The note specifically asks DOJ Inspector General Michael Horowitz to look into the failed prosecution of Anming Hu, a former engineering professor at the University of Tennessee, who was fired after FBI agents told his employer he was suspected of stealing government secrets for the Chinese military.
Hu was the first person prosecuted under the Trump administration’s China Initiative, the methods of which are being questioned after a jury deadlocked in his trial June 16 — following testimony from the investigating FBI agent that he spent 21 months surveilling Hu but doesn’t believe he was ever a spy, reported the Knoxville News Sentinel.
“As members of the House Judiciary Committee, we are deeply troubled by the alleged misconduct of the [FBI] in the unsuccessful prosecution of University of Tennessee at Knoxville associate professor Anming Hu,” reads the letter. “The FBI allegedly falsely accused professor Hu of being a Chinese spy; falsely implicated professor Hu as an operative for the Chinese military; and used false information to put professor Hu on the federal no-fly list — among a number of other actions.”
Reps. Ted Lieu, Calif., Mondaire Jones, N.Y., and Pramila Jayapal, Wash., want Horowitz to determine if the China Initiative pressures personnel at DOJ, which includes the FBI, into racially and ethnically profiling people.
During his testimony, FBI Agent Kujtim Sadiku couldn’t recall who tipped him off Hu might be a spy and said he’d encouraged Hu to attend a symposium in China and report back on security concerns, reported the News Sentinel.
When Hu refused, FBI surveillance began, Hu’s bosses were informed and he was ultimately charged, not with espionage, but fraud for concealing his affiliation with Beijing University of Technology while receiving NASA funding — an accusation Hu denies.
Chinese universities are considered to be incorporated under Chinese law. As such, U.S. laws that prevent high-ranking federal employees from working for Chinese companies can also prevent them from working at Chinese universities.
The letter asks Horowitz to investigate whether false information was used against Hu and whether false accusations were made. It also calls for clarification over whether the Department of Justice was aware of concerns over false accusations, and whether racial or ethnic profiling occurred.
In the missive, lawmakers also seek to determine whether the decision to open an investigation was based on adequate facts and whether the China initiative pressures DOJ personnel into profiling people.
The Department of Justice did not respond to a request for comment.
Navy looks to onboard 472,000 users to new virtual environment by end of September
Now that the Department of Defense has transitioned away from its temporary virtual collaboration environment developed to support remote work during the pandemic, the Navy has launched its own more secure long-term solution and is working to onboard hundreds of thousands of sailors and Marines to the new platform.
Called Flank Speed, the new virtual collaboration environment is built around Microsoft Office 365 cloud software — much like the DOD’s now-retired Commercial Virtual Remote (CVR) environment launched in the early days of COVID-19 telework — but with added security, Mike Galbraith, Navy’s chief digital innovation officer, said Tuesday at VMware’s Public Sector Innovation Summit, produced by FedScoop.
The CVR environment, which was taken offline June 15, “was a godsend, but it wasn’t perfect. If it was perfect, we’d still be using it,” Galbraith said, explaining that CVR was only authorized for data transmission at the IL2 level, meaning any information cleared for public release. The Department of the Navy’s Navy-Marine Corps Intranet (NMCI) instance of Office 365 will also expire Oct. 1.
Flank Speed falls under the larger DOD365 cloud collaboration platform being rolled out across the department and is authorized up to IL5, accommodating controlled unclassified information that may deal with national security systems. The environment will offer access to Microsoft Teams, a terabyte of OneDrive cloud storage, and access to Microsoft 365’s Excel, Word, OneNote, and PowerPoint.
“It’s secured. It is cloud-based, like CVR. But in a very secure and defendable place where CVR had a couple of holes,” Galbraith said, later emphasizing the importance of “weaving that thread of security through everything — securing our data, securing our devices, securing our networks and our transport.”
He also called Flank Speed a “catalyst for our zero-trust architecture, which is built into that network and transport model that we have designed.”
Galbraith said it’s called Flank Speed — based on the Navy term for a ship’s maximum speed and given as an order to escape danger — because “we are moving very quickly” to give some 472,000 users access to the platform before the close of fiscal 2021.
The Navy began transitioning users to the new environment June 1, selecting an initial set of “260,000 current users of CVR and NMCI O365” who have begun moving over first, according to a release. As network performance gets better over time, more users will be gradually added.
Moving to CVR last year was “bumpy,” Galbraith said, and moving to Flank Speed will be no different.
“There’s some cultural change that’s going on,” he said. “So very similar to CVR where it was bumpy to begin with, our Flank Speed implementation in the Department of Navy, it’s going to be a little bumpy as well as we migrate users in a phased way, as we migrate and bring technical capabilities into that environment a piece at a time. And it’s happening very quickly, with every day new capabilities being added by the team.”