Cybersecurity and IT top GAO’s High Risk List, yet again

Federal leadership on national cybersecurity regressed over the past two years, and IT acquisitions and operations continue to require “significant attention,” according to the Government Accountability Office.

The government’s rating for leadership commitment to cybersecurity declined between 2019 and 2021 from “met” to “partially met,” according to GAO’s biennial High Risk List report released Tuesday.

While the report doesn’t mention the massive SolarWinds hack that saw at least nine agencies compromised in 2020, it does flag missing components of the National Cyber Strategy and the unfilled national cyber director role.

“[A]nother silent battle is being fought in our IT networks by cyberattackers intent on stealing our intellectual property and undermining our national security,” said Rep. Carolyn Maloney, D-N.Y., during the House Oversight Committee’s hearing on GAO’s report. “The SolarWinds breach that came to light last December, as well as escalating and targeted cyberattacks that have drained millions of dollars from struggling hospitals, are just two examples of the threats we know about.”

The National Security Council’s Implementation Plan, which accompanies the National Cyber Strategy, lacks goals and timelines for 46 of the 191 activities it recommends agencies undertake and fails to identify resources for 160 of them. Nor does the plan provide a means to monitor agencies’ progress, according to GAO’s report.

Of more than 3,300 cybersecurity recommendations GAO has made since 2010, 750 hadn’t been fully implemented as of December.

“[A]s the federal government responds to and mitigates the impacts of the recent SolarWinds attack, the effective cybersecurity leadership and coordination GAO calls for is critical,” Sen. Rob Portman, R-Ohio, ranking member on the Homeland Security Committee, said in a statement.

While the rating of IT acquisitions and operations remained unchanged since 2019 in the new High Risk List, the area continues to require “additional attention,” according to GAO’s report.

The government invests more than $90 billion in IT annually, and yet GAO found 21 of 24 Chief Financial Officers Act agencies haven’t fully addressed the roles of their chief information officers. Additionally, many agencies haven’t made IT modernization plans, or they’re missing accepted best practices.

Duplicative IT contracts abound, and the General Services Administration and the Office of Management and Budget lack the funds needed to lead the governmentwide movement to replace legacy systems. That could change, however, with news that the Senate version of the American Rescue Act includes $1 billion for the Technology Modernization Fund.

More than 400 IT recommendations by GAO remain open.

Other areas of concern

Another area on the High Risk List that saw regression was the decennial census.

GAO cited the Department of Commerce’s request that the Census Bureau shorten its data collection and response processing time frames — despite COVID-19 halting operations for three months — as the reason for the rating downgrade.

“Compressing the time frame to collect data and process responses has increased the risk of compromised data quality,” reads the report. “The Census Bureau found data anomalies during the processing of census responses that have delayed the delivery of apportionment numbers, which as of February 2021 had not been delivered to the president.”

A new addition to the High Risk List is small business emergency loans, which the Small Business Administration continues to have trouble administering during the COVID-19 pandemic. Changing program requirements have forced SBA to adapt its E-Tran loan system with mixed results.

Hundreds of billions of COVID-19 relief funds have been provided by the Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL) but not without “evidence of fraud and significant program integrity risk,” according to GAO.

At least 2 million approved PPP loans worth $189 billion were flagged as not in conformance with legislation, and more than 6,000 EIDLs worth $212 million were potentially made to ineligible borrowers, according to SBA’s independent auditor.

The Department of Justice is dealing with at least 90 cases of fraud tied to SBA’s COVID-19 loans — further proof more oversight and management is needed, according to GAO.

GAO Comptroller General Gene Dodaro recommended additional congressional action, commitment from agency leadership and involvement from OMB in High Risk List areas at Tuesday’s House hearing.

Government saw $225 billion in benefits from addressing High Risk List areas between 2019 and 2021, but more resource investment is needed — as are regular meetings between the OMB deputy director for management, top agency leaders and GAO.

“[A]gency leaders need to do more to address the hundreds of open recommendations we have made to reduce the government’s high-risk challenges,” Dodaro said, in his House testimony. “OMB’s leadership role is especially important because many high-risk areas are government-wide or involve multiple agencies.”

Senate draft of COVID-19 relief bill proposes $1B for Tech Modernization Fund

A draft of the Senate version of the American Rescue Act includes $1 billion for the Technology Modernization Fund, according to a source familiar with the bill’s text.

The $1 billion injection would be a favorable increase over recent appropriations into the fund — a central pot of money that agencies can apply for to fund impactful modernization projects under the stipulation that they’ll pay it back within five years. In fiscal 2020, the TMF received only $25 million. It also comes after lawmakers considered completely removing the fund from the relief bill in early February.

Still, it falls well short of the $9 billion the Biden administration proposed for the TMF as a core driver for IT and cybersecurity modernization amid the nation’s response to COVID-19.

If the provision makes it into the final version of the Senate bill and is passed, it must also make it through negotiations before becoming part of the final bill handed to the president. Historically, it’s been the Senate that’s most wary of doling out TMF money.

The need for TMF funding was pushed hard by several Democrats last summer. In a letter, a group of tech-minded lawmakers urged congressional leadership to consider government IT reform as a critical part of pandemic recovery. Signees included top Capitol Hill tech advocates Reps. Gerry Connolly of Virginia, Ro Khanna of California, Robin Kelly of Illinois and Rhode Island’s Jim Langevin.

“The fate of the world’s largest economy and millions of American households rely on the ability of government IT systems to deliver in an emergency,” says the letter. “In many respects, those IT systems have not delivered during the pandemic and that should galvanize us all to action.”

The Senate also drafted other IT- and cyber-related provisions in its version of the bill, which FedScoop reviewed, including an additional $650 million for the Cybersecurity and Infrastructure Security Agency (CISA) for “cybersecurity risk mitigation.” The U.S. Digital Service would also get a $200 million bump.

Many other agencies would see funding increases for tech, such as the $25 million that would be made available to the Department of Agriculture to improve the technology used in distributing food relief and Supplemental Nutrition Assistance Program (SNAP) benefits. Several educational funding boosts also include technology allocations.

MeriTalk was the first to report news of the draft.

Catalog management leads GSA’s planned federal marketplace updates for 2021

The General Services Administration is set to acquire a web interface for managing and improving the quality of data collected for GSA Advantage! customers in the spring.

The pre-solicitation for the Common Catalog Platform (CCP) will seek information from the 12 contractors on the current Chief Information Officer Modernization and Enterprise Transformation (COMET) blanket purchase agreement, followed by a request for quote.

CCP is part of the Federal Acquisition Service’s effort to improve catalog management so customers can more easily search, compare and buy needed offerings on GSA’s online purchasing service, called GSA Advantage!, and elsewhere.

“We’re continuing to streamline and improve how we manage data associated with the more than 50 million products and services offered through the federal marketplace,” wrote Sonny Hashmi, commissioner of FAS, in a blog post Monday.

CCP will also reduce the time it takes suppliers to manage their catalogs by replacing the Schedules Input Program for Multiple Award Schedules (MAS) contract holders. And FAS workers will have an easier time reviewing and approving catalogs.

Catalog management is one of the four pillars of FAS’s Federal Marketplace (FMP) Strategy, a framework for making continuous improvements to GSA’s buying and selling experience. Numerous updates were announced in an FMP Strategy winter release.

Another catalog management improvement is faster catalog load times for suppliers via an Authoritative Catalog Repository, which also ingests data for new MAS products into CCP.

And GSA continues to onboard manufacturers to the Verified Products Portal (VPP), which contains specifications for commercial-off-the-shelf products. GSA will update the MAS solicitation in April to allow authorized resellers of VPP products to use that data without providing a letter of supply. The changes are intended to help customers avoid buying counterfeit or noncompliant products, standardize contractor catalogs, reduce the burden on resellers, and help FAS workers find and remove unauthorized products.

SAM.gov

Also part of the FMP Strategy is the improvement of the Integrated Award Environment (IAE), at the heart of which is beta.SAM.gov. The website will eventually be a one-stop shop for all federal award information, and will lose the “beta” part of its moniker this spring when the original System for Award Management (SAM) is merged into the IAE.

“This is exciting for many reasons, not the least being suppliers and buyers will find it easier to get things done,” Hashmi wrote. “No longer will you have to log on to two sites to conduct business; everything will be housed on the new SAM.gov.”

That business includes registering to do business with the government, finding exclusion records, searching for contract opportunities and finding wage determinations — all under a single sign-on.

Expect changes to the look and feel of beta.SAM.gov shortly before the merger, Hashmi wrote.

T-Mobile brings 5G to Miami VA medical system

The Department of Veterans Affairs has added another 5G hospital to its growing list of medical facilities enabled with the next-generation wireless network.

T-Mobile announced it has deployed its Ultra Capacity 5G service “in and around” the Miami VA Healthcare System, providing in-building coverage with average speeds of 300 Mbps and peaks at 1 Gbps.

This allows medical providers in the hospital to “quickly access high bandwidth files such as imaging results, labs and medical charts without having to be tethered to a computer,” T-Mobile said in a release. T-Mobile claims to have the “fastest 5G network of any provider.”

“We set out to do good with our 5G network and right now healthcare is more important than ever,” said Mike Katz, executive vice president of T-Mobile for Business.

The Miami VA Healthcare System is no tiny hospital. It serves veterans in Miami-Dade, Broward and Monroe counties in southern Florida, with an estimated veteran population of 149,704, providing 372 hospital beds, according to the VA. The Bruce W. Carter Department of Veterans Affairs Medical Center, the main facility, sits on 26 acres of land and is connected to several outpatient medical facilities and counseling centers.

“Groundbreaking collaborative partnerships like this play an important role in our success moving forward and we are grateful to T-Mobile for their continued commitment to the partnership with VA,” Deborah Scher, executive advisor to the VA secretary, said in a statement.

T-Mobile has also partnered with the VA to provide 70,000 lines of wireless service to doctors, nurses and staff and free unlimited access to online telehealth for veterans, a service that has surged during the COVID-19 pandemic.

Last month, the VA announced a similar partnership with AT&T at the VA Puget Sound Health Care System in Seattle to pilot 5G and multi-access edge computing in its facilities. A Silicon Valley VA hospital has also been experimenting with 5G provided by Verizon to power augmented reality visualization.

The Department of Defense too is trying to get a head start on bringing 5G to some of its bases around the country through a series of commercial-driven pilots focused on providing services like smart warehouses, virtual reality and more.

Air Force turns to VR for suicide prevention training

The Air Force is turning to virtual reality technology to train its airmen to recognize and help others at risk of self-harm.

The service is using VR training to put airmen in life-like situations to practice how to get a distressed person help. With social distancing requirements, in-person training and face-to-face conversations pose a greater risk for COVID-19 transmission, a risk reduced by VR training with users communicating through a headset.

The Air Force has also embraced VR for other training, like flying and maintenance.

The rate of airmen dying by suicide has increased in the past few years, up from a 2018 rate of 18.5 per 100,000 to 25.1 per 100,000 in 2019, according to recent DOD data. Conclusive data on the rate in 2020 is not available, but initial reports indicate a further increase during the first months of the coronavirus pandemic.

“We are excited and highly motivated to be the catalyst for this innovative suicide prevention program,” Brig. Gen. Norman West, Air Mobility Command surgeon general, said in a release. “The VR scenario is very realistic and this is the type of training we need to save lives in the real world. One life lost to suicide is too many.”

The technology was recently used in a training session at Travis Air Force Base in California at the behest of the Air Mobility Command leader, Gen. Jacqueline Van Ovost. New modules were tested featuring clips of actors and on-screen prompts for what trainees should say, according to a video posted by the Air Force. Other modules are in development for instructors and other members of the Air Force working on suicide prevention.

The technology works by guiding airmen through a training session and then into a role-playing scenario where they speak directly with an actor who displays distress signs. A coach listens in on the session, and if trainees are not following procedures, they are reminded of specific questions they are supposed to ask, like “Do you have a gun in the house?” or “Are you thinking about harming yourself?”

“We believe this training will not only save lives but prepare our Airmen for tough conversations that will build a more resilient force,” said Victor Jones, AMC Suicide Prevention program manager.

Leaders overseeing the program are also using the tech to pick up on subtleties in how airmen interact with the VR experience.

“[W]hen someone needs to say something tough, they don’t say it as loud as the rest of what they say,” according to the release. That’s a data point trainers are using to encourage airmen to be confident in getting others help.

Spouses of airmen are also being offered the training and it is expected to continue as more modules are created by Moth and Flame, the VR studio contracted to make the content.

If you or someone you know needs help, call 1-800-273-8255 for the National Suicide Prevention Lifeline. You can also text HOME to 741-741 for free, 24-hour support from the Crisis Text Line.

Basic cybersecurity standards must start with procurements, experts say

Government must do a better job of setting minimum cybersecurity standards when buying IT to avoid more breaches like the ones agencies suffered after the SolarWinds hack, say cyber experts.

Large procurements, in particular, should be used to drive modern security architectures that better protect entire systems, said Jeanette Manfra, director of government security and compliance at Google and a former top official with the Cybersecurity and Infrastructure Security Agency.

If agencies consider the risks of introducing software like SolarWinds Orion to their networks during the procurement process, they’ll also avoid introducing vulnerabilities.

“The government is a very large consumer,” Manfra said during a Center for Strategic & International Studies event Friday. “They need to be driving what those security standards are that they want to see through their procurements.”

While the government should also establish minimum cybersecurity standards for the private sector, experts agreed they should be voluntary and not become a check-the-box activity for companies.

The SolarWinds software supply chain attack began in March and was massive in scale at nearly 18,000 intrusions. At least nine federal agencies were compromised, with the extent of the damage still being assessed.

While the hack was detected in December and widely reported to have been committed by Russia, the reality is that true attribution is ongoing, said retired Lt. Gen. Ed Cardon, senior counselor at the Cohen Group.

All of this points to gaps in information sharing between government and the private sector.

“Info sharing is a pretty broad term,” Cardon said. “Just simple things like worldwide collection of DNS logs, it’s amazing how if we would just do that we could do a lot with attribution. But often those are missing; they’re not collected.”

CISA, which Manfra left in November 2019, continues to make inroads with companies to determine who has the information it needs to avoid specific cyberattacks, she said.

The agency was established to be the central clearinghouse on the civilian side for threat information from the private sector, said Rep. Michael McCaul, R-Texas.

The ranking member on the House Foreign Affairs Committee said he’s planning to introduce legislation establishing a mandatory breach notification system. Breach data could be easily anonymized to protect the companies involved and liability protection ensured, so companies wouldn’t withhold information for fear of lawsuits, McCaul said.

“Some companies don’t report this at all,” McCaul said. “And it’s important we have that threat information to share it not only with the private sector, where 80% of this resides, but across all departments within the federal government.”

DISA’s Vice Adm. Norton retires

Vice Adm. Nancy Norton left one of the military’s top IT jobs Friday as she retired from her directorship of the Defense Information Systems Agency and command of Joint Forces Headquarters-Department of Defense Information Network (JFHQ-DODIN).

Lt. Gen. Robert Skinner of the Air Force replaced Norton at a change of command and directorship ceremony Friday.

Norton leaves at a critical time for DISA as it prepares to issue an $11 billion IT services contract, lead a major consolidation of support agency IT networks and continue investigating the SolarWinds hack. DISA will also maintain its own pivot to maximum telework and continue supporting DOD’s adoption of the Commercial Virtual Remote environment.

“We have done an amazing job,” she said during a virtual roundtable with reporters Thursday. “The thing that was most important, is how we have treated each other as people.”

Supporting the military’s shift to telework was not the first major crisis she steered DISA through. Under her watch, DISA was almost eliminated by Congress in 2018, a move she helped thwart. She said that “telling the DISA story” and increasing the transparency of the agency was what helped save it from the chopping block.

“It is pretty amazing if you think about what would have happened in 2020 if that had happened,” she said of the potential cutting of DISA’s funding.

Amid the response to a global pandemic, Norton also helped oversee the response to the recent SolarWinds breach. As commander of the Joint Forces Headquarters-Department of Defense Information Network, Norton led the operation and protection of the military’s IT networks, which were targets of the suspected Russian hackers who led the larger cyberespionage campaign. DISA said it did not find any bad actors on DOD networks, but investigations remain ongoing.

Norton joined the Navy as an officer in 1986 and rose to become the first female director of DISA in 2018. While leading the DOD’s IT support agency, she pushed for more diversity and inclusion in the military technology community.

Network consolidation

DISA’s plan to make itself the single service provider for defense support agencies, dubbed the Fourth Estate network optimization initiative (4ENO), is a massive undertaking involving technical consolidation, personnel shifts and workforce restructuring. With Norton at the helm, DISA broadened its mission with the project.

The process is already underway with the Defense Technical Information Center already transitioning help desk and IT personnel into DISA, Norton said. More migration is expected to happen under Skinner’s directorship.

A part of the migration will be the award of the Defense Services Enclave (DES) contract for a single vendor to help with the technical integration of disparate networks — a deal that’s worth up to $11 billion.

The contract will be an indefinite-delivery, indefinite-quantity vehicle with task orders issued for specific work. The agency anticipates a 10-year work period, but the contract will have an initial four-year base with three optional two-year extensions.

“The concept of making DISA the single service provider is really something new,” Norton said. “That is really exciting.”

Pandemic pushed National Cancer Institute to commercial software for telemedicine, CIO says

Prior to the COVID-19 pandemic, the National Cancer Institute relied on “expensive and not user-friendly” custom systems for its telemedicine. But as the need to see patients remotely grew over the past year, the institute turned to commercial software that could more easily support its scaling needs, CIO Jeff Shilling said.

NCI began using Microsoft Teams to communicate with and administer telemedicine to patients in clinical trials. This let both the NCI doctors and researchers and the patients stay safe while continuing care.

People had their doubts about using commercial software for such a highly sensitive mission set. But it was a crisis, and NCI was forced to go into crisis mode to make the move.

“Never let a good crisis go to waste,” Shilling joked during an SNG Live session Thursday. But on a more serious note, he said of people’s concerns using Microsoft Teams for sensitive communications, “Listen, we’ve got to talk to these people. We have many people dying of cancer — many, many millions of people dying of cancer — we can’t worry about some of these things.”

NCI did work with Microsoft to “make sure that everything was encrypted properly, everything was a unique connector,” Shilling said, adding that Microsoft did everything “really well,” rising to the occasion because it too was in crisis mode.

At the end of the day, the new model was successful, Shilling said, because the commodity IT was ready to scale immediately and it was user-friendly from the start — and, perhaps more importantly, it was cheaper.

“The doctors don’t use special medical computers, they use Macs and PCs, just like everybody else,” he said. “So they have all the benefit of using these commodity tools. And so we think we can use these commodity tools in telemedicine as well. And that’ll extend past the patient, to radiology, to pathology, all these things that we can start to use the standard tools, it’ll make it just much, much more portable. And we need that. We need it because we need more medicine for more people. And the only way we can do it is to make it less expensive.”

Dr. James Gulley, director of the Medical Oncology Service at NCI, and his team were some of the first within the institute to make the move to Microsoft Teams last spring. He said in an interview published by the National Institutes of Health that his team “quickly got used to the platform, and it became our preferred means of communication between team members, other collaborators and patients.”

“This has opened up opportunities for us to communicate more effectively with patients at home,” Gulley said. “Phone conversation can get some of the information however much of communication is nonverbal. This also provides improved efficiency for patients and healthcare providers and decreases costs in both money, time and potential exposure to SARS-CoV2.”

SBA adapting IT systems providing COVID-19 relief amid program changes

The Small Business Administration continues to adapt its IT systems processing COVID-19 relief applications to address changing program requirements.

The Biden administration announced a two-week window starting Wednesday during which only small businesses with fewer than 20 employees may apply for Paycheck Protection Program (PPP) forgivable loans to keep their workforces employed during the pandemic.

As new legislation and executive mandates attempt to provide relief where it hasn’t yet been granted, SBA is scrambling to make changes to its E-Tran loan system and program portals.

“We’ve been obviously faced with a tremendous scaling challenge…in terms of the volume of transactions we are processing,” said Sanjay Gupta, chief technology officer at SBA, during an ATARC event Thursday. “But also more importantly the velocity at which we are processing this higher volume.”

Businesses went under because initial PPP loans dragged into the summer as SBA struggled to process requests for $400 billion in relief funds and adjust E-Tran to shifting rules for eligibility, financial institutions, terms and conditions, and transferring loans into grants.

SBA also responds to disasters, and President Biden declared Texas’ snowstorm a major disaster earlier this week. The declaration will mean a workload surge for SBA on top of dealing with PPP and Economic Injury Disaster Loans for the pandemic, Gupta said.

Fortunately, SBA’s cloud migration began in 2017, allowing it to scale with a larger workforce better than it otherwise could have. Then in March the agency accelerated implementation of a cloud-based secure connector, in lieu of its traditional virtual private network, to improve security and visibility into traffic and performance.

Conditional access — which throttles users’ access if they fail to meet certain conditions, such as where they are connecting to the network from — has proven helpful during the pandemic. The same is true for geofencing, which took six hours to implement in March and blocked traffic from foreign countries trying to reach the pandemic loan portals, Gupta said.

SBA is relying on native capabilities more heavily when it comes to cybersecurity tools, anomaly detection and machine learning.

“We are automating these things,” Gupta said. “So a year from now you’ll see a higher resilience posture.”

Uniquely identifying virtual machines on SBA’s network continues to be a challenge however, Gupta said. He led SBA’s 90-day Continuous Diagnostics and Mitigation modernization effort in coordination with the Cybersecurity and Infrastructure Security Agency, and together they developed a model for identification.

Virtual machines are instantiated as needed and may need to be created and destroyed in microseconds. SBA’s model attempts to track and manage those machines in a cloud environment and was published in a report, but the CDM team has yet to release guidance.

“I’m sure it’s in the works,” Gupta said.