DOD procurement lead says software acquisition changes are yielding results

A top procurement official at the Department of Defense said Wednesday that recent changes to its framework for acquiring new software are yielding initial results.

The more flexible approach started with only a handful of programs, and the pilot is still being evaluated more fully, but initial results are positive, Stacy Cummings, acting undersecretary for acquisition and sustainment, said during a virtual conference held by the National Defense Industry Association.

The Adaptive Acquisition Pathway purchasing policy, which was established in October 2020, is intended to allow DOD to do what was once difficult, if not impossible: Buy software fast and keep it updated.

“You want to work at a pace that allows the users to deliver,” she said of software teams trying to bring new tools to the department. “Early trends look really good,” added Cummings.

The DOD’s traditional acquisition approach has until recently been designed around buying big pieces of hardware, like tanks. The department is currently in the process of revamping its approach for a number of major contracts.

Historically, contracting officers would write up long requests to industry to ensure that manufacturers meet specific requirements. This process does not allow for iterative software updates, much to the chagrin of developers in and out of the department.

“Countless past studies have recognized the deficiencies in software acquisition and practices within DoD, but little seems to be changing,” the Defense Innovation Board’s (DIB) 2019 report on software acquisition stated.

Cummings also said that “dozens” of other programs are ready to be transitioned over to the software acquisition pathway, which was recommended by the DIB study.

According to Cummings, there is support in Congress for other new changes that would help the DOD improve its software acquisition practices. One of the biggest changes acquisition leaders have been pushing for is a new software “color of money,” or budget activity in technical terms. The DOD currently has different types of money, or colors, for different types of programs that have different regulations. A software-specific color would give contracting officers even more flexibility, leaders have said.

In the most recent National Defense Authorization Act, eight programs were approved to pilot the new budget activity for software, and the DOD is seeking to add more with Congressional approval.

Oversight leader says volume of datasets ‘biggest challenge’ in COVID-19 fraud prevention

Processing the high volume of datasets held by federal government departments is the “biggest challenge” in COVID-19 fraud prevention, according to a top oversight official.

Speaking Tuesday, Robert Westbrooks said the Pandemic Response Accountability Committee (PRAC) is working quickly to triage and process first the most significant datasets.

“We’re going dataset by dataset by dataset, acquiring them and ingesting them into our system, and trying to make sense of it and put them in context with other datasets.

“The biggest challenge is the volume, quite frankly. You have to prioritize, you can’t do it all immediately, so have to pick and choose: What are your priorities today, to have the biggest impact on the criminal side, and also more importantly for all of us taxpayers, on the fraud prevention side,” Westbrooks said at Informatica’s Data in Action Summit hosted by FedScoop.

Westbrooks is the executive director of PRAC, which is an independent oversight committee within the Council of the Inspectors General on Integrity and Efficiency.

PRAC is also working on cataloging lessons learned across all data-centric inspectors general fraud prevention work so that federal agencies are able to respond more effectively to future pandemics.

PRAC was created in the Coronavirus Aid, Relief and Economic Security (CARES) Act of 2020. It is tasked with overseeing funds distributed through the CARES Act and all follow-on pandemic relief legislation, which now totals over $5 trillion.

Nearly 40 defense companies were impacted in SolarWinds breach

Thirty-seven defense industrial base companies were hit by the sweeping SolarWinds supply chain hack attributed to the Russian government.

The companies reported their impacts to the Department of Defense, which said it was not breached itself in the hack.

The announcement came in congressional testimony Tuesday as DOD is trying to secure its supply chain from hackers. Previously, suspected Chinese hackers were able to gather reams of data on sensitive defense programs by attacking the networks of contractors and subcontractors that handle sensitive information, which has proven to be the weakest point in the DOD’s supply chain.

“I believe we had 37 companies that reported [specifically] 44 different reports,” Rear Adm. William Chase, the deputy principal cyber advisor for the DOD, told the Senate Armed Services Cybersecurity Subcommittee. The hearing focused on DOD’s defense industrial base policy.

Under the Cybersecurity Maturity Model Certification (CMMC) program, the DOD is working to shift its contracting cybersecurity requirements from simple self-attestation to having third-party assessors inspect contractor networks to ensure they are complying with requirements. The program has five levels of cyber maturity, with level one only requiring simple security measures and level five involving advanced and more-expensive cybersecurity operations to ensure networks can withstand persistent attacks.

Chase said there is a chance that CMMC level five requirements could have stopped the SolarWinds hack had they been in place, but the program is still in its infant stages.

“Neither the department nor the defense industrial base may never be able to completely secure industry’s networks and controlled information, but our goal must be to complicate and frustrate adversary planning and operations such that they cannot conduct them with impunity or at scale,” Chase added.

National lab’s data tools are honing other agencies’ COVID-19 response efforts

The National Preparedness Analytics Center developed a series of data tools to help agencies identify where the socioeconomic impacts of the COVID-19 pandemic are most severe.

Situated within the Department of Energy’s Argonne National Laboratory, NPAC spent the last year gathering data from agencies and private sources used to create interactive indices, analyses and maps made public on May 12.

About 20 agencies, including the Federal Emergency Management Agency, use the tools to plan their COVID-19 response down to the county and demographic levels, and in the coming months they’ll help monitor pandemic recovery over time.

“FEMA recognized the need for a lot of data and analysis to inform that long-term recovery perspective,” Iain Hyde, deputy director of NPAC, told FedScoop. “How were they going to deliver critical services to communities?”

Within the initiative’s first month, NPAC collected between 100 and 150 data sources from departments like Commerce, the Treasury and the Interior. The center launched a web portal with the first set of analyses from its interdisciplinary team of 20-plus economists, emergency managers, attorneys, infrastructure specialists, and data analysts.

The County Economic Impact Index shows the change in local economic activity throughout the pandemic, relative to pre-pandemic levels in January 2020. A quick scan of the latest monthly map shows every county in Connecticut has one of the least stable economies, which could make the state the target of future federal relief efforts.

Meanwhile, the Housing Stability Index quantifies the decreased stability of both renter- and owner-occupied housing due to missed or deferred rent or mortgage payments or serious delinquency during the pandemic. The Department of Housing and Urban Development can use the information to understand the risk of eviction and foreclosure among vulnerable populations.

Still other indices examine the pandemic’s impact on state and local government revenue and internet access.

NPAC updates the indices monthly as, say, the Bureau of Labor Statistics releases new unemployment numbers.

FEMA’s 10 regions, in turn, refer to the indices before deciding how to engage the most affected communities.

“The No. 1 decision that our resources have been able to help with is: How do the various agencies engage with their communities to understand impacts and support that locally driven recovery effort?” Hyde said.

NPAC is far enough along with its work that now agencies are requesting specific analyses. The Minority Business Development Agency and the National Endowment for the Arts separately asked for in-depth reports on how the pandemic is affecting minority-owned businesses and the arts and culture sector respectively.

Additional resources for the territories of Guam, American Samoa and the Northern Mariana Islands are forthcoming, as are lessons learned from NPAC’s COVID-19 data initiative — intended to inform future disaster response efforts, Hyde said.

One thing NPAC hasn’t done is tap into the National Labs’ high-performance computing facilities for its work.

“However we have required a fair amount of computing power to be able to capture those impacts on a county basis; we’re covering approximately 3,200 counties,” Hyde said. “In some cases, we’re capturing indices down to a census tract level, so about 77,000 census tracts.”

How automation tools add resiliency to DOD’s IT workforce

The continuous rotation of officers and enlisted personnel is a vital part of maintaining military readiness. However, preserving institutional knowledge of thousands of existing IT systems — as well as new ones still being established — remains crucial to keeping Defense Department and military IT systems operating securely, says a new report.

That is why military leaders should be looking more proactively at automation technology that performs repeatable tasks and reduces the risks and costs associated with staff turnover.

“Automation not only helps preserve the institutional knowledge often lost when technical personnel leave for new assignments, it also helps streamline orientation and training when new personnel take over, allowing them to get up to speed faster and focus on more critical tasks,” said Eric Hennessey, staff consulting solutions engineer for national defense accounts at Splunk.

The report, produced by FedScoop and underwritten by Splunk, takes a closer look at how advanced security orchestration, automation and response (SOAR) tools offer a more productive approach for DOD organizations to support their IT and communications personnel.

SOAR tools, such as Splunk’s Phantom platform, “provide the means to monitor a wide range of existing technology systems and applications; identify their health in real time; and apply prescribed remedies all in an orchestrated, automated and controlled approach,” says the report.

The report details multiple benefits of automating IT tasks. One of the most significant benefits, according to the report, is in reducing the risk of errors that often occur performing repetitive tasks. Another is the ability to codify workflows, to reduce training requirements. Automation also helps security teams detect, investigate and respond to threats at machine speed.

Hennessey points to one example of how personnel are constantly rotating in and out of assignments, and the need for user accounts to be constantly created and removed. “Those types of processes are pretty straightforward and repeatable and very easy to automate. By taking that workload off the service desk staff, they can concentrate on other more important things,” he said.

From the military’s perspective, IT workforce automation is both fundamental and essential to meet the scale and scope of their needs as they push towards digital modernization and data-driven readiness.

According to Anthony Perez, Splunk’s global solutions architect, automating IT processes is also about to take on much greater importance for defense contractors.

In order to meet certification requirements for the Pentagon’s Cybersecurity Maturity Model Certification (CMMC), “DOD contractors will need to deploy and adopt proven enterprise-grade technology that can be iteratively tailored and extended,” explained the report.

“From the contractor perspective, I envision organizations leveraging [Splunk’s automation tools] to automate the self-evaluation of their cyber security maturity, identification of gaps, and generation of the bulk of their technical evidentiary package for C3PAO [third-party] auditors to use in their evaluation and CMMC-audit and accreditation process,” says Perez.

These experts expect the need for powerful IT automation platforms to continue to grow as DOD officials place increased strategic importance on digital modernization as part of the National Defense Strategy. That means greater focus on data, cloud, artificial intelligence, C3 and cybersecurity — as well as the right skills and experience to ensure these programs flourish.

This article was produced by FedScoop and sponsored by Splunk.

EY appoints new government and public sector practice leader

Consultancy giant Ernst & Young has named Gerry Dixon as managing partner of its U.S. government and public sector division.

He starts work in the role on July 1 and takes over from Michael Herrinton, who retires from the consultancy firm in June next year.

Dixon has worked at EY for over 30 years, most recently as leader of its East Coast consultancy division, and is a founding member of the company’s risk practice.

Commenting on the appointment, EY Vice-Chair and East Coast Managing Partner Richard Jeanneret said: “I believe that Gerry’s proven leadership has well equipped him to lead our Government & Public Sector practice teams to serve clients as they navigate our ever-changing world.”

EY’s government and public sector practice provides consulting and audit advice to the federal government, including on technology, operational improvement, and strategy.

In 2020, the company worked on projects including the revamp of unemployment systems, cybersecurity, and the distribution of the Coronavirus Aid, Relief, and Economic Security (CARES) Act relief funds.

Last November, EY won a contract to audit the financial statements of the U.S. Navy worth up to $263 million, with options to extend the contract for an additional four years.

Continuous monitoring of critical infrastructure absent from cyber executive order

The cybersecurity executive order issued by the Biden administration last week doesn’t require the relevant agencies to increase their visibility into critical infrastructure, a lingering weakness for the federal government, security experts told FedScoop.

When the May 7 ransomware attack on Colonial Pipeline Co. occurred, the Cybersecurity and Infrastructure Security Agency lacked any knowledge of the incident until it was notified by the FBI. While the new executive order gives the Office of Management and Budget 60 days to increase contractual threat and incident information-sharing requirements for service providers of operational technology (OT), both private sector companies and lawmakers expressed concerns following the attack that Department of Homeland Security agencies like CISA and the Transportation Security Administration aren’t doing enough to continuously monitor the cybersecurity of OT for pipelines and other critical infrastructure like the U.S. electric grid.

“Departments and agencies who have the responsibility for overseeing critical infrastructure often rely on information that is voluntarily shared,” Jake Olcott, vice president of government affairs at BitSight, told FedScoop. “And the infrequency of some of this data sharing contributes to a lack of broad situational awareness.”

A national response is needed, apart from the cyber executive order, establishing real-time data collection on the effectiveness of OT security controls, amount of malicious activity within systems and remediation of vulnerabilities at scale for every U.S. critical infrastructure company, Olcott said.

Advocacy group Protect Our Power meanwhile called for $22 billion during the next five years to fund power grid security, with short-term vulnerabilities in particular as the target.

“The [Biden] administration has pledged to make further hardening our nation’s electric grid against cyberattacks a key part of comprehensive infrastructure legislation,” said Jim Cunningham, executive director of Protect Our Power, in a statement. “Timing is now more urgent than ever for the federal government, the utility industry and the states to come together and provide a national solution to address this looming national problem.”

BitSight rates organizations’ security performance by considering factors like malware infections, patching rates and vulnerabilities. The Boston-based cyber company evaluated the 2,000 largest U.S. oil and energy businesses and found 52% were performing below its “excellent” benchmark score of 750 as of April 30.

Those companies “may be at risk” for a hack similar to the one Colonial Pipeline fell prey to, and such incidents will only increase with time, Olcott said.

DHS holds lead authority for protecting critical infrastructure, in accordance with the Homeland Security Act of 2002, and within the department, TSA is the lead federal agency for transportation, hazardous material and pipeline security.

Because Colonial Pipeline shut down about 5,500 miles of pipeline due to the ransomware attack, resulting in intermittent gas shortages in cities along its East Coast route, TSA is expected to respond.

“TSA will continue to work in close coordination with government and pipeline partners to evaluate the key factors garnered from the cyber incident and determine opportunities to reduce and mitigate risk across the sector,” said a TSA spokesperson.

The agency primarily handles pipeline security by reviewing pipeline operators’ security programs to ensure their cybersecurity measures comply with TSA Pipeline Security Guidelines. But TSA can’t require a private company to take action on its recommendations.

Data on high-risk corporate pipeline systems which underwent security reviews are reported quarterly to meet DHS and OMB performance reporting requirements, but such sensitive information isn’t made public.

Still, TSA’s point-in-time assessments don’t meet the federal need for continuous monitoring of all U.S. pipeline companies, Olcott said.

The Government Accountability Office in 2018 found TSA has “significant weaknesses” in its management of pipeline security and subsequently reviewed its process for updating cyber guidelines.

To date, TSA has completed seven of 10 GAO recommendations, including the complete revision of Section 5 of its Pipeline Security Guidelines regarding the identification of critical facilities. “A lack of clear definitions” caused one-third of the top 100 U.S. pipeline systems to report no such facilities previously, according to GAO.

Meanwhile, CISA’s National Risk Management Center and the Department of Energy also got involved in a 2019 effort to craft recommendations for increasing pipeline cybersecurity in coordination with industry, dubbed the Pipeline Cybersecurity Initiative.

“There’s so many different agencies out there that have partial responsibility for various sectors,” Olcott said. “And it’s led to confusion about roles and responsibilities and who’s supposed to have insight and what insights are available.”

TSA increased pipeline security staffing from six to 34 positions since 2018 across headquarters operations, policy and the field to advance its pipeline cybersecurity mission.

A 20-member Pipeline Security Assessment Team has field offices around the U.S. to conduct TSA’s operator assessments.

“Select PSAT staff have attended comprehensive cybersecurity training through Idaho National Labs in partnership with CISA and are undergoing additional cybersecurity training and certification in support of TSA’s expanding pipeline cybersecurity mission,” said the TSA spokesperson.

DISA issues zero-trust reference architecture for Defense Department

The Pentagon’s IT support agency recently issued an initial zero-trust reference architecture to put the entire Department of Defense on the same page in implementing modern cybersecurity practices.

The Defense Information Systems Agency (DISA) released version 1.0 of the reference architecture in February but just recently made it public. Former DISA Director Vice Adm. Nancy Norton teased the launch of the document late last year, attributing the move to mass telework during the pandemic as an accelerant for the DOD’s move to zero trust.

It also comes as the Biden administration last week issued an executive order that, among other things, mandates that civilian agencies create plans for the adoption of zero-trust architectures. The mandate falls under a larger push to modernize federal cybersecurity in the wake of the recent cyberattacks that have compromised federal agencies through the exploitation of software made by contractor SolarWinds and flaws in Microsoft’s Exchange software.

DISA’s 163-page reference architecture sets out the strategic purpose, principles, associated standards and other technical details for the DOD’s large-scale adoption of zero trust, which shifts from network-based defenses to a data-centric model and grants no implicit trust to users, so that potential malicious actors are prevented from moving around a network. The department’s adoption of zero trust is based on three foundational guidelines: “Never trust, always verify; assume breach; and verify explicitly.”

“The intent and focus of zero-trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity,” Brandon Iske, DISA Security Enablers Portfolio chief engineer, said in a statement.

DISA worked with the DOD Office of the CIO, U.S. Cyber Command and the National Security Agency to develop this initial reference architecture.

“From start to finish, the development of this initial DOD ZT Reference Architecture has been a true team effort,” said Joe Brinker, the DISA Security Enablers Portfolio manager. “The partnership we’ve fostered through this process with our NSA, Cyber Command and DOD CIO mission partners was integral toward the development of a comprehensive reference architecture that was unanimously approved by DOD senior leadership.”

Brinker said that “DISA will continue to partner with DOD components in planning the implementation of [zero trust] across the department and the development of [zero trust]-aligned enterprise capabilities.”

Last month, acting DOD CIO John Sherman revealed that the department is also developing a zero-trust strategy to be released later this year. During remarks at the Billington CyberSecurity Defense Summit, Sherman explained that while zero trust is a cybersecurity and technology model, it more so represents a mindset shift for the DOD.

“This is not about technology, it’s about strategy,” he said.

Lawmakers urge DOD to go big on cyber in 2022 budget

Lawmakers are urging the Department of Defense to go big in budgeting for cybersecurity in fiscal 2022.

During a hearing on the cyber posture of U.S. forces Friday, members of Congress voiced support for a larger cyber budget and for finding new ways to elevate the importance of cybersecurity in the DOD.

“I just want to encourage you to be bold and provide something that really helps move us into the 21st century,” Rep. Elissa Slotkin, D-Mich., said during a Subcommittee on Cyber, Innovative Technologies, and Information Systems hearing.

Neither Slotkin nor others referenced a specific dollar amount, but she said she would support a “truly transformational” cyber budget.

Meanwhile, the Biden administration has yet to issue a full budget request, which traditionally kicks off Congress’ appropriations process. This has left lawmakers in the dark about the new administration’s fiscal priorities.

Witnesses Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, and Mieke Eoyang, deputy assistant secretary of defense for cyber policy, did not give any hints on what DOD’s cyber budget request will look like.

Other lawmakers expressed a willingness to reorganize the civilian leadership chart to elevate cyber’s importance within the military. Subcommittee Chair Rep. Jim Langevin, D-R.I., questioned why the traditional domains of warfare have service secretaries but cyber’s top-ranking civilian is four rungs below a service secretary.

“Candidly, it’s frustrating that the people in this room both members and witnesses seem to be fighting an uphill battle to put cyber front-and-center in the department,” Langevin said.

He also expressed frustration over how different cyber duties, from electromagnetic spectrum management to information operations, are spread out in different portfolios.

DIU is making an Uber-like app for talent management in DOD

The Defense Innovation Unit is building a talent-on-demand app for service members with digital experience to be matched with jobs they can apply their skills to.

“Gig Eagle” is like an Uber for talent, as Sarah Pearson, contractor and commercial artificial intelligence executive for DIU, described it. The military has members across different components, from enlisted members to reserves and the National Guard, which gives them time to spend in the private sector when they are not on active duty. The different experiences they gain while outside of the military can now be used through Gig Eagle, said Pearson, who served in the Navy before working in Silicon Valley.

“We are creating a gig economy for the Department of Defense,” Pearson said during an AI Week SNG Live panel. “You could think about it almost like an Uber but for the DOD.”

But, instead of connecting riders with cars, the DOD can connect commanders and program managers with shorter-term needs with military personnel ready to work on assignments within their skillset.

The DOD has a very regimented way of assigning roles to service members. Sometimes, that leads to putting those with cyber or tech skills in non-technical roles. It’s an opportunity wasted in the eyes of senior leadership that has struggled to retain technical members who often have greater opportunities in the private sector.

“We are ultimately trying to connect a highly technical highly skilled workforce within the department,” Pearson said.

Gig Eagle is a new way to address that, especially for part-time service members who have full-time day jobs. Pearson noted the example of a reservist who works at a venture capital fund; when the time comes to put on their uniform, they can bring that financial experience with them.

DIU is not the only one working on this. The Army has been testing new ways to retain talent and have a more modern management system that rewards digital skills.