Senate passes bill to limit China tech influence
The Senate passed a bill Tuesday that would create about $190 billion in additional funding for research and development if it becomes law.
The bipartisan U.S. Innovation and Competition Act package was approved in the Senate yesterday. The proposed legislation is likely to undergo a reconciliation process at a joint conference committee before it is voted on by House lawmakers.
The extra funding would come in addition to more than $200 billion in R&D spending proposed as part of Biden’s infrastructure initiative, and a 35% hike in funding for clean energy R&D included in budget proposals published last month.
China-specific provisions in the bill include a section that would forbid federal employees from downloading the social media app TikTok on government devices. It would also block the purchase of drones manufactured and sold by companies backed by the Chinese government.
Curtailing the technological influence of China is one of a few areas where Democrat and Republican lawmakers have found common ground. In addition to extra funding for R&D, the legislation would separately approve $54 billion in spending to boost the production of semiconductors and telecommunications equipment.
If passed, the proposed law would provide a $2 billion boost to the manufacturing of chips used by carmakers.
Lawmakers have previously sought to introduce similar legislation. Rep. Ro Khanna, D-Calif., introduced the Endless Frontier Act in the last session of Congress, inspired by the work of Massachusetts Institute of Technology professors Jonathan Gruber and Simon Johnson.
The Innovation and Competition Act includes aspects of the Endless Frontier Act and is designed to preserve the place of the U.S. as the world’s leader in science and technology.
Commenting on the passage of the act, Khanna said: “Bipartisanship is rare in Washington, but this filibuster-proof vote shows there is wide support, not just from the White House or Congressional Democrats, but from the many Republicans who want to see this vision for America’s innovation future become a reality.”
“The legislation will create millions of jobs in America and ensure we remain the world’s leader in science and technology in the 21st century,” he added.
President and CEO of the Semiconductor Industry Association John Neuffer said: “Senate passage of USICA is a pivotal step toward strengthening U.S. semiconductor production and innovation and an indication of the strong, bipartisan support in Washington for ensuring sustained American leadership in science and technology.”
HHS to issue timeline for health care data sharing guidance in coming months
The Department of Health and Human Services will publish a timeline in the coming months for the release of its long-overdue framework for the seamless sharing of electronic health information.
Dubbed the Trusted Exchange Framework and Common Agreement, or TEFCA, it aims to achieve the network interoperability that has been lacking as health care providers attempt to share clinical information for treating patients and state and local governments attempt to share public health information for monitoring disease outbreaks.
Interoperable networks are critical for sharing real-time data nationwide on disease outbreaks that could help HHS prevent the next pandemic before it starts.
The 21st Century Cures Act passed in 2016 required the creation of a common set of data standards, but only with the onset of the COVID-19 pandemic did gaps in the public health data system become readily apparent.
“By all accounts it was very, very far from meeting the mark that all of us would’ve hoped for,” said Micky Tripathi, national coordinator for health IT, during an ACT-IAC event Tuesday.
With TEFCA, the HHS Office of the National Coordinator for Health IT wants to create a more integrated environment where the federal government can not only pull data as needed on demand but also send information to state and local governments and clinical settings on the frontlines of response efforts.
The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 spurred $40 billion of spending over the last decade on “pretty highly functional” electronic health record (EHR) systems — with adoption among hospitals and ambulatory providers jumping from around 15% to 90%, Tripathi said.
The HHS technology executive added that the way in which private vendors connect their systems with state and local health information exchanges is one of the hardest issues needing to be addressed. According to Tripathi, it is also a key reason why a clear timeline is necessary.
“How do all of those connect up in a way that it doesn’t require people having to think about connecting to four or five different networks, which is a little bit of the challenge today,” he said.
Tripathi also added that federal agencies including the Department of Veterans Affairs and the Department of Defense can help accelerate interoperability efforts by opening up their own platforms and adopting Fast Healthcare Interoperability Resources Release 4 (FHIR R4) standards ahead of the government’s December 2022 deadline.
Meanwhile, private sector providers have until October 6, 2022 to make notes, narratives, scanned images and other unstructured data part of the electronic health information they share.
ONC continues to work on TEFCA to make it appetizing to more participants, but the framework remains voluntary until timelines are released.
Pentagon chief Hicks pursuing workarounds to fast-track military tech acquisition
U.S. Deputy Secretary of Defense Kathleen Hicks said on Tuesday that she is working to find “creative” workarounds to acquisition regulations to speed up the military’s technology buying cycles.
Speaking at an event hosted by the Center for a New American Security, the DOD leader said alternative contract structures could fast-track the acquisition process and help to support innovation from smaller companies working in defense research and development.
“[The goal is] helping in particular small companies that do not have enough capital upfront to survive all of that process to try to get something on contract for procurement.”
Hicks said she is looking at options including the expansion of adaptive acquisition pathways, and redefining what is categorized as a “new start” program.
New start programs can take longer to flow to contractors because the term typically refers to projects that have yet to be justified by the department and funded by Congress through the normal budget process.
The comments from the civilian defense leader come after DOD technology chief Heidi Shyu, at her Senate confirmation hearing last month, described an acute need for more upfront funding for technology research programs.
Adaptive acquisition pathways allow program managers and contracting officers to navigate more quickly through the mandated milestones and protocols for purchasing products and services. They were created through the Defense Acquisition System Directive that was signed into effect last September under the Trump Administration.
The new acquisition pathways were intended to significantly reduce the period that companies must wait to receive acquisition funding from the DOD.
DISA issues RFI to obtain advice on zero-trust procurement
The Department of Defense’s IT agency wants industry feedback on a planned move to a zero-trust architecture model on its networks.
In a request for information, first published May 27 but recently updated, the Defense Information Systems Agency (DISA) seeks guidance on how to approach the purchase of software and other technology systems in a manner that enhances network security. DISA operates networks for other combat support agencies and is leading the DOD’s broader modernization push through its Thunderdome program.
“DISA plays a critical role in providing network and security services across the Department of Defense (DOD), and will architect and deploy zero trust concepts to enable secure, conditional and continuous access,” the RFI states.
Zero trust was mentioned in a recent executive order signed by President Biden urging all government agencies to begin migrating to the new security model.
Zero-trust architecture assumes that hackers have already breached a network, and checks users’ credentials at multiple points. This replaces legacy system structures in which credentials were checked only at the edge of a network, such as an entry point where users log in.
DISA is looking to obtain secure access service edge (SASE) and software-defined wide area network (SD-WAN) technology, both cloud-based systems that the agency says will improve security. Other technology the agency has been working to develop is enterprise identity, credentialing and access management (ICAM), a key part of identifying users on a network.
In the RFI, DISA said it is considering using an Other Transaction Agreement (OTA), a type of contract that navigates around the Federal Acquisition Regulation (FAR) and can make purchases happen on shorter development cycles. DISA wants the technology up and running within six months, with several minimum viable products delivered by the selected contractor, it said.
UK government homepage knocked offline by Fastly glitch
The homepage of the U.K. government was among websites affected early Tuesday by an outage at content delivery network Fastly.
Gov.uk was unavailable to some users for more than an hour, along with the websites of major news organizations including the New York Times, Bloomberg, and the Financial Times.
Content delivery networks are a key part of the global internet infrastructure and provide servers that improve the performance and availability of web services to users in different locations. Media content is often cached at a CDN server so that it doesn’t have to be fetched from the origin server every time a user loads a web page.
Fastly’s services had fully recovered as of 7am eastern time on June 6. In a blog post, Fastly Senior Vice President of engineering and infrastructure Nick Rockwell said the global outage had been caused by an undiscovered software bug that surfaced when it was triggered by a valid customer configuration change.
“This outage was broad and severe, and we’re truly sorry for the impact to our customers and everyone who relies on them,” said Rockwell.
Commenting on the outage, Matt McDermott, a senior officer at technology policy consultancy Access Partnership, said the incident served as a reminder that government agencies should have a rapid response plan in place for dealing with such outages.
“Organizations and government bodies need to look at implementing the steps that look to assess, stabilize, improve and monitor to ensure these issues do not pose further problems in the future,” he said. “Assessment is needed to determine the server’s bottleneck, then stabilizing the issue with implementation of quick fixes will mitigate impact to broader stakeholders and users.”
Speaking with FedScoop, McDermott said that depending on the nature of the issue, automated early warning systems can allow serious cyber incidents to be averted.
“Even just a few minutes’ additional warning of a coming outage can help to preserve critical services. In these situations, it becomes very difficult to keep up everything, but emergency capacity can be used to protect key assets,” he said.
A spokesperson for the U.K. government’s digital service said: “We are aware of the issues with gov.uk which means that users cannot currently access the site. This is a wider issue affecting a number of other websites. We are investigating this as a matter of urgency.”
Veterans Affairs awards $725M EIS contract to AT&T
The Department of Veterans Affairs has awarded a $725 million task order to AT&T to modernize the agency’s data communications platform.
AT&T has already begun work improving the security, scalability, availability and resiliency of VA’s Internet Protocol-based data network with cloud infrastructure.
VA made the maximum 12-year task order as part of the $50 billion Enterprise Infrastructure Solutions contract for federal government enterprise telecommunications and networking solutions.
“VA is continuing to explore and innovate with advancing technologies to help us provide exceptional customer service to our nation’s veterans,” said Daniel Mesimer, a director within the agency’s Office of Information and Technology.
AT&T is providing wide area networks (WANs), virtual private networks (VPNs) and managed network services as part of the deal. The VA says the WANs will allow care providers to access veterans’ health-care records in near real time on connected devices, eliminating paper and saving time.
VA needs a high-speed urban and rural data network to provide care and benefits to about 18 million veterans and their families out of 1,255 facilities, which together make up the largest integrated health-care system.
“We’re thrilled to complement our broad array of AT&T programs that benefit veterans with an advanced data communications platform and capabilities that will power VA’s mission for years to come,” said Chris Smith, vice president of civilian and shared services at AT&T Public Sector and FirstNet.
CISA launches platform to allow hackers to report flaws in federal tech
The Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure platform (VDP) that will allow federal agencies to identify cybersecurity flaws with the help of ethical hackers.
The platform will be available to all civilian agencies overseen by CISA, and is intended to allow government departments to take advantage of the skills of civilian cybersecurity experts, often known as white-hat hackers.
In the private sector, white-hat hackers use their skills to identify and report weaknesses in companies’ cyber defenses.
The launch of the platform is designed to help agencies comply with a directive, published by CISA in September last year, requiring agencies to develop a procedure for reporting cybersecurity flaws and to clarify which types of security testing are allowed.
Under the directive, agencies must also provide a system for the anonymous reporting of weaknesses and commit to not pursuing legal action against security research conducted in good faith.
CISA did not comment on which agencies would join the VDP first, or the timeline for onboarding.
The platform is being administered by private contractors Bugcrowd and EnDyna, through CISA’s Quality Service Management Office (QSMO).
Speaking to FedScoop, Bugcrowd CEO Ashish Gupta said the platform would allow government departments to speed up the sharing of information about a high number of vulnerabilities.
According to Gupta, in a similar program working with a large financial institution, Bugcrowd was able to identify a vulnerability that affected more than 250 domains and over 5,000 URLs.
CISA’s executive assistant director for cybersecurity, Eric Goldstein, said: “A key component of any organization’s cybersecurity program should be a transparent and clear way for security researchers to report vulnerabilities, which is why CISA issued a directive last year to require federal civilian executive branch agencies to implement a vulnerability disclosure policy.
“As we work to raise the baseline of cybersecurity across the executive branch, CISA will continue to work with federal agencies to ensure they have the support they need to strengthen their cybersecurity operations, including by quickly identifying and mitigating vulnerabilities,” added Goldstein.
CISA initially awarded Bugcrowd and EnDyna the platform contract in September; however, a series of protests delayed until now the first of the three initial shared services being offered through its QSMO.
The use of VDPs could become widespread among federal contractors as well, should California Democratic Rep. Ted Lieu’s Improving Contractor Cybersecurity Act, introduced on June 1, become law.
The SolarWinds hack, discovered in December to have compromised at least nine federal agencies, prompted President Biden’s cybersecurity executive order pushing new investments in zero-trust security architectures.
More recently the Supreme Court narrowed the scope of the Computer Fraud and Abuse Act, in part, to protect well-intentioned, white-hat hackers from being unfairly prosecuted for investigating vulnerabilities.
Army clarifies that it does not have a policy banning smart devices
The Army has overturned its May 20 policy that instructed soldiers and civilians either to switch off or remove all Internet of Things (IoT) devices from their home telework offices.
A service spokesperson told FedScoop that the policy had been removed for additional “staffing and review,” and that it would need to be further assessed before being officially implemented.
At the time of the initial edict last month, all Army personnel including contractors working for the service were required to follow the guidance.
“Current teleworking policy does not specifically address IoT, but employees are provided [with] tools to allow secure network access and guidance to use best practices to prevent vulnerabilities and maintain readiness in a maximum telework environment,” the spokesperson added.
IoT stands for internet of things, or devices like TVs, refrigerators and other “things” now connected to the internet and therefore hackable. Many of them have functions that constantly listen to users’ voices, waiting for keywords like “Hey, Google” to prompt an action.
Federal Claims Court judge sides with AWS on JEDI lawsuit timing
A federal claims court judge has granted Amazon Web Services’ requested timeline for hearings in ongoing Joint Enterprise Defense Infrastructure (JEDI) cloud contract litigation.
According to court documents, Amazon is seeking the disclosure of additional internal communications from the Department of Defense — including emails and Slack messages — which lawyers representing the government say cannot be disclosed because of national security concerns.
Both the U.S. government and contract winner Microsoft were seeking to expedite the case schedule. Lawyers for the government said its implications for national security also merit that the case be fast-tracked, while lawyers for Microsoft say it should be sped up because of the large financial losses the technology giant stands to accrue. The company declined to comment further.
Under the schedule put forward by AWS, the cloud services company will file a renewed motion to complete the administrative record by June 18. The U.S. government and Microsoft will then have until July 9 to respond, and Amazon will have until July 16 to file another reply.
It represents the latest stage in the legal challenge, which was launched by Amazon after the Joint Enterprise Defense Infrastructure contract was awarded to Microsoft in 2019.
Pentagon officials have previously indicated that they may be willing to drop the cloud computing project, which has been slowed by the litigation.
In March this year, a federal judge refused a request by the DOD to dismiss much of Amazon’s case, and Deputy Defense Secretary Kathleen Hicks said the department would review the project.
In a statement to FedScoop, a DOD spokesperson said: “We are aware of the Court’s decision relating to the protest; however, it does not affect the DoD’s commitment to establish an enterprise-wide cloud capability.”
AWS did not immediately respond to a request for comment.
USCIS seeks information on contract cybersecurity personnel
U.S. Citizenship and Immigration Services (USCIS) has issued a request for information about the ability of contractors to provide cybersecurity services to protect IT infrastructure, other systems, and the data they contain.
The agency last week said it would potentially appoint cybersecurity experts across a range of areas including network design, configuration and operation. Currently, it is gathering information, and has asked contractors to suggest “appropriate” contract types and structures.
The publication of the RFI comes after President Biden, in a cybersecurity executive order last month, urged agencies to adopt zero-trust architectures, and after an increase in remote work during the COVID-19 pandemic.
“The contractor shall be able to re-organize team make-up and seamlessly shift the workload between teams or team members,” said the draft statement of work.
“The contractor shall be able to work smoothly with other USCIS contractors and federal employees as part of cross-functional, cross-organizational agile DevSecOps teams,” it added.
In the RFI, USCIS also asked whether small businesses can meet its requirements, and asked large businesses about their plans for using small businesses as contractors.
Contractors have until 4 p.m. ET on June 18 to respond to the RFI.