Air Force crafts $1B cybersecurity contract for small businesses

The Air Force has decided to dedicate the third iteration of its “agile cyber technology (ACT)” contract vehicle completely to small businesses.

The Air Force Research Lab posted a pre-solicitation notice for the ACT 3 contract that could be worth nearly $1 billion for cybersecurity research and development.

“A review of the previous market research under ACT and ACT 2 in addition to the ongoing market research throughout the current contract has provided adequate justification for ACT 3 to be a total [small business set-aside],” the notice states.

In the $950 million contract, AFRL is looking for a wide range of technologies to deliver cyber superiority, including cyber threat avoidance, full-spectrum cyber operations, network exploitation, and situational and mission awareness technologies. The deliverables can take the form of hardware, software, technical documentation and technical reports, according to the notice.

An initial draft request for proposals is expected to be posted in early August.

The Air Force has issued previous ACT contracts, which also reached nearly $1 billion in total value. Previous ACT vehicles were available for use by other agencies outside of the Department of Defense, including the Department of Justice and Department of Homeland Security. The Air Force has been outspoken about its push to advance cybersecurity technology both for its own force and to be able to better utilize the broader cyber workforce.

Other areas in which the Air Force is seeking technology to help it achieve mission success are cyber command and control, wargaming and cyber infrastructure. The Air Force anticipates roughly five years of work for the contract awardees. The ACT 2 contract was awarded to five small businesses.

“In order to receive from Industry the most novel and innovative approaches to solving user needs, it is anticipated that 4 to 6 Prime contractors are necessary under ACT 3,” the notice says. “Large Businesses are still encouraged to partner with SB.”

The notice includes thin details beyond the broad outline of the type of cyber defenses AFRL is seeking through the contract. It notes that contractors would need top-security clearances,

Lawmakers question SBA technology investments after loan system outages

House lawmakers Wednesday questioned recent Small Business Administration IT investments after issues with its loan portals have hampered applicants’ ability to receive economic relief amid the coronavirus pandemic.

SBA made technical improvements to lessen the demand on its overloaded E-Tran loan system, Deputy CIO Guy Cavallo told the Committee on Small Business’ Oversight Subcommittee Wednesday. But those changes aren’t a substitute for modernizing E-Tran, which SBA planned to replace back in 2015, said Rep. Judy Chu, D-Calif., the subcommittee chair.

“The agency can’t rely on a system that is incapable of meeting high demand in a crisis,” Chu said.

SBA’s Office of the CIO doubled E-Tran’s network connectivity a week or two before the agency began accepting Paycheck Protection Program (PPP) applications for forgivable loans up to $10 million to keep workforces employed during the pandemic.

The office also approved a “significant” hardware investment to improve E-Tran’s “horsepower” and built a lender gateway as a cloud-based app to lessen the front-end load — allowing small banks to apply for PPP loans more easily, Cavallo said.

“For something like E-Tran, that we can’t modernize overnight, what we’re trying to do is put a new front-end in front of it so that the small business owner or the citizen is able to more easily interact with the system,” Cavallo said. “We were able to do that successfully for a number of these programs.”

Still, the PPP portal went down for four hours during launch and crashed again when it reopened in late April. The Government Accountability Office foresaw such an occurrence in a 2014 report, where it warned SBA was “unprepared” for a large number of disaster loan applications at the beginning of a response.

SBA also ran into trouble with its Economic Injury Disaster Loan (EIDL) portal, when the personally identifiable information (PII) of about 8,000 applicants was potentially exposed for several hours. The overwhelming demand for EIDL loans, $1,000 per employee for up to 10 employees, also led to outages, so OCIO developed an interim, cloud-based solution to intake applications until the finalized portal was ready.

“However — while making multiple system changes in the middle of the night in such a short time — a mistake was made in one of the system’s configuration, which actually exposed PII data for some individuals,” Cavallo said.

The 6 a.m. error was discovered within three hours, reported to the U.S. Computer Emergency Readiness Team an hour after that, and fixed. The General Services Administration completed free credit monitoring for potential victims on March 29 and 30, with offer letters sent out once addresses could be validated.

Some recipients thought the letters themselves were a scam, and affected businesses were forced to reapply for EIDL loans and shut out of the program when SBA leadership decided to limit applications to agricultural businesses, Chu said.

‘Questionable’ investments

E-Tran is handling loan applicant traffic currently, but lawmakers wanted to know how SBA intends to avoid outages in the future.

SBA received an additional $2.1 billion to staff up during the pandemic, much of which has gone toward the IT help desk and network and security operations centers, Cavallo said.

“SBA has made some questionable IT investments into its contracting and business development programs, making various attempts to streamline application processes and enhance staff oversight and management of these programs,” said Rep. Ross Spano, R-Fla., the subcommittee’s ranking member.

The agency also spent $27 million on its new certify.sba.gov identity authentication platform, which has yet to be “fully realized,” Spano said.

In its 2019 Federal Information Technology Acquisition Reform Act scorecard, SBA received a C grade for IT portfolio management and a D grade for cybersecurity.

Cavallo argued SBA still has the third-highest cumulative score in government. The agency is further helping the Department of Homeland Security implement the Continuous Diagnostics and Mitigation program in a new, cloud-based solution.

“We think the combination of those scores do not accurately reflect where we are today,” Cavallo said. “Otherwise DHS would not have selected us to pilot two critical cybersecurity pilots with them that have changed federal policy.”

DOD CISO Jack Wilmer to depart by end of the month

The Department of Defense’s top cybersecurity official is slated to leave his post by the end of July.

Jack Wilmer, the chief information security officer and deputy chief information officer for cybersecurity, plans to leave DOD for the private sector, a DOD spokesperson confirmed to FedScoop. During Wilmer’s tenure, the DOD published a cyber risk reduction strategy and “Cyber Scorecard.”

Mark Hakun will take over Wilmer’s position in an acting capacity, according to a statement from DOD CIO Dana Deasy.

“Jack Wilmer has been an incredible asset to the CIO office,” Deasy said. “It goes without saying that Jack is a true leader in his field.”

Beyond technical and strategy achievements, Wilmer pushed for greater diversity in the IT workforce in the DOD and across government.

“When you look at what our adversaries are actually doing, the approaches they’re taking, they really do have some very clever and creative things they’re doing,” Wilmer said at FedScoop’s Workforce Summit in November. “And one of the things I certainly realized is one way of thinking about what they might be doing is not at all sufficient.”

Wilmer previously worked in the White House’s Office of Science and Technology Policy and as a senior officer at the Department of Homeland Security. Many of his assignments have focused on cybersecurity and IT modernization.

“I want to wish Jack well as he embarks on a new role in private industry,” Deasy said. “I have full confidence that the cybersecurity team will continue to drive digital modernization.”

The Army still mails software patches on disks — it’s trying to stop that by 2021

One of the Army’s IT support commands still sends out physical disks on a quarterly basis to patch its software. But the hope is that in the next year it can build out a common repository to improve its software patching.

The Army’s Communications-Electronics Command (CECOM) relies on sending out physical disks with updated code to bases, a process that takes on average 90 days just to get the disk to the right soldier. And who knows if the disks are uploaded right when they arrive.

But now CECOM is working with the Defense Information Systems Agency (DISA) to push forward with work to host a common software repository that will allow for regular updates and patching to be done on the DOD’s internal networks.

CECOM oversees the Army’s command and control and reconnaissance systems and the supporting software. Typically, that code is custom-developed and requires longer patching cycles than commercial off-the-shelf applications. But even still, that’s taking too long, Maj. Gen. Mitchell Kilgo, head of CECOM, said recently during AFCEA’s Signal Conference.

“One of the things that frustrated me was the software preparedness of our operating systems and our combat systems,” Kilgo said. “We were typically well behind where we should have been.”

Rapid patching of software has proven to be one of the best ways to maintain quality cyber hygiene. Patches fix errors in code that cause malfunctions in operating systems or provide gateways adversaries can exploit. Cyber leaders commonly call on users to update software and patch systems to avoid the exfiltration of data.

Tests are underway within some Army units. The goal is to have the software repository up and running for the whole service by mid-2021. The true test of the system’s effectiveness will be working in low-bandwidth environments, whether they are remote outposts or hostile battlefields, the general added.

The command is also developing a software scorecard to have Army units track the status of their software readiness. The scorecard will help units keep track of software patches and overall cyber readiness, Kilgo said.

The Army’s challenges with code extend beyond its outdated system of shipping disks around the world. Getting an authority to operate (ATO) for software updates can take months, time that is often wasted while new updates are iterated in the private sector.

Former FDA CIO gets new job as head of DevSecOps for the VA

The Department of Veterans Affairs has appointed Todd Simpson its new head of DevSecOps — the software methodology that aims to bake cybersecurity into every step of the application development lifecycle.

Simpson, whose official title is deputy assistant secretary for DevSecOps, was sworn in by the VA CIO James Gfrerer, according to the VA’s Office of Information and Technology LinkedIn page.

He brings decades of government IT experience to the VA. Previously he served as CIO of the Food and Drug Administration and associate CIO of the Department of Transportation.

Most recently, Simpson was the chief product officer of the Department of Health and Human Services. In February, he described his role at HHS as finding “solutions beyond the desktop” and leading projects to collect data into a central hub.

“We are trying to answer questions that were previously unanswerable,” he told Government Matters of his work with deep data and advanced analytics.

The VA is larger than Simpson’s previous agencies. The department has a more than $100 billion annual budget with almost $5 billion proposed to be dedicated to IT in the budget request for fiscal 2021. The VA has been pushing for modernization across its different services, including a massive overhaul of its electronic health record system.

Simpson’s new job at the VA appears to focus primarily on software development. DevSecOps is growing in popularity with other IT offices in federal agencies creating offices around it, like the Department of Defense. The Army just launched a software factory that aims to bring “true DevSecOps” after a GAO report found minimal use of the development practice.

Simpson will also bring the experience of being a veteran himself. He served in the Air Force for three years of active duty and three years in an active reserve capacity.

CDM is securing agencies involved with coronavirus response, including vaccine research

The head of the Continuous Diagnostics and Mitigation (CDM) cybersecurity program says it is working to improve network visibility and data protection at agencies central to the coronavirus response, including vaccine research.

The CDM program’s parent agency, the Cybersecurity and Infrastructure Security Agency, has been “deeply engaged” with the different operational divisions at the Department of Health and Human Services, said Kevin Cox, the program’s manager. Intelligence has shown U.S. adversaries are looking to spy on U.S. vaccine research, and the Department of Justice announced Tuesday it had indicted two Chinese nationals on charges of conspiring with China’s intelligence agencies to steal data from organizations working on a medical breakthrough.

Cox also said the program is aiding the Small Business Administration, which is tasked with distributing loans to companies affected by the pandemic, and other agencies that took on similar jobs during the crisis this year.

“We’re helping to ensure they have a better understanding of what their networks look like — everything that’s connected,” Cox said, speaking during the launch of the Advanced Technology Academic Research Center’s Security Working Group. “If they don’t know what’s on their network, they can’t protect it.”

CDM is also providing those agencies visibility into whether users are authorized or not and, to the extent the cloud is involved, working with providers and CISA’s Trusted Internet Connections and EINSTEIN teams to ensure proper security protections, Cox said.

“Number one, the system is protected as much as possible,” Cox said. “But should there be a compromise on the system, even if an adversary gets the data they can’t do anything with it.”

CDM deploys network monitoring tools to give agencies a better sense of who is inside and why. Increased telework during the pandemic has uncovered new gaps, and CDM is helping agencies address those, as funding allows, because the current environment could stick around “for some time,” Cox said.

Unrelated to its work around the coronavirus, CDM launched a data quality management initiative in the fall and finalized a plan in May that agencies are now implementing. CDM works to certify an agency’s cybersecurity data elements, and once they’re ready, the agency can use the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm to get a sense of its security posture and eventually use that information for risk management.

One CDM “tiger team” helped agencies understand how AWARE works, and a second is helping them understand their threat attack surface to be able to mature the algorithm to that risk management point.

“The holy grail here is getting ongoing authorization in place, where we no longer have to manually assess each of our systems every three years,” Cox said. “Rather we can use near real-time tools and, in some cases, real-time tools to help show that our systems are secure.”

Army repurposes cyber planning office to focus on digital modernization strategy

The Army has changed one of its cyber planning offices to a “strategic operations” team to focus more on the digital modernization of warfighting systems and linking multi-domain operations, its director said during a Tuesday media roundtable.

What used to be known as the Department of the Army’s Management Office-Cyber (DAMO-Cy) became the DAMO-Strategic Operations (DAMO-SO) in February. The team will guide the Army’s Operations and Plans Directorate, designated G-3/5/7, on digital modernization.

The shift marks the importance the Army is placing on thinking broadly about its digital future and how operations beyond just cyberspace will be affected by technology, said Brig. Gen. Martin Klein, the director of DAMO-SO. The directorate now has a broader portfolio, including electronic warfare and new domains like space.

Here’s what it means for anyone who keeps tabs on the Army’s digital capabilities: The directorate is working on tactical edge cloud data migration, an electromagnetic spectrum strategy and other battlefield digital transformations. It also is working within the Army on its “Project Convergence,” the Army’s multi-domain operations effort.

Beyond the Army, the directorate also will run point in linking with the Joint Staff and other military services on IT and emerging technology projects, including the new network-of-network system called Joint All Domain Command and Control, or JADC2. The Air Force has taken the lead on designing the common data architecture and doctrine of JADC2, but the Army’s DAMO-SO is working closely with the Joint Staff on the program, Klein said.

It’s not the only office to take up the mantle of trying to shift the Army from the “information age” to the “cognitive age,” where emerging technology will both enable and replace human decision making. But DAMO-SO’s work is uniquely targeted as a cross-functional team working to plan data migration to the cloud and strategizing for war-fighting operations supported by digital tools.

The directorate serves as the lead for “Army warfighting transformation by integrating, prioritizing, and synchronizing multi-domain, data-enabled warfighting systems,” according to a July 21 release.

“What we are doing is really reckoning the new dynamics in the information environment,” Klein said.

Cloud Efforts

The office is focused on tactical edge cloud computing that can share data with warfighters in “denied and degraded” environments with limited bandwidth. Those efforts are happening in partnership with Army Futures Command and the CIO’s office, which are working with the private sector to find and migrate data to new cloud solutions. Cloud migration and broader data sharing have been transformative for the directorate, Klein said.

Currently DAMO-SO is working to bring “cloud-agnostic” software to operations, to be able to transition tools to whichever cloud service provider the Army and Department of Defense decide to go with for an enterprise system. The DOD’s Joint Enterprise Defense Infrastructure (JEDI) has been stalled in protests and delays, but Klein said his directorate is working to be able to use whichever service provider the DOD CIO ultimately decides to launch for the Pentagon.

DAMO-SO is “trying to build those cloud agnostic tools so that as a department we can immediately lift in various levels,” Klein said.

While Klein is pro-cloud and said being able to share more data is critical to the success of the Army, he cautioned against cloud over-hype.

“I don’t believe that the cloud is a panacea,” he said. “It will not solve all things.”

USPS’s Informed Delivery transforming mail experience for Americans

Thanks to the U.S. Postal Service’s adoption of modern technologies like cloud, predictive analytics and artificial intelligence, Americans can now get a digital preview of their household’s incoming mail before it’s delivered.

The program is leading to a growing level of digital engagement with U.S. consumers and mailers and helping to generate new revenue streams for USPS. Called Informed Delivery, the USPS program delivered 12 billion digital images to 24 million consumers in 2019 with a growth rate of more than 200,000 customers a week. Along with that, Informed Visibility also offers “a wealth of real-time information to our customers and employees about the movement of mail through our network,” according to the Postal Service’s annual report.

The pilot for the program started in 2014 in the Northern Virginia region with about 10,000 users, said Bob Dixon, USPS’s director of product technology innovation. The vision for Informed Delivery was to offer Americans a more digital, responsive experience with their mail.

“We were seeing consumers starting to expect a digital experience with just everything they did to engage a brand,” Dixon said. “It wasn’t just about getting email marketing or banner advertising. It was an expectation by consumers to have some digital portion of every experience.”

Getting to that point, however, required investments in information and technology capabilities. Some were as simple as an “intelligent mail barcode” found below the address on business mail, while others involved more modern technology, like updating imaging devices to all mail processing equipment.

“We for the first time had the ability to show consumers a digital aspect of their mail, just from what was in the mail stream already,” Dixon said. “We leveraged those investments that had been designed and implemented to facilitate mail processing, and turned those into a product that we that we could give to our consumers.”

Particularly important to the program is a cloud environment that USPS will use to process incoming image files and generate millions of daily digest emails. This environment can be easily scaled depending on the volume of images in a given day, said Pritha Mehra, USPS’s vice president of IT.

Informed Delivery is going through a new set of pilots using containerization and serverless technologies to compare the performance and costs of the various cloud deployment options, Mehra said.

“Containerization makes the code more portable between cloud platforms, and container management services allow the platform to automatically scale to the capacity that’s needed,” said Mehra. And through serverless technology, she explained, USPS provides the code and the cloud providers manage the underlying infrastructure.

The Postal Service also saw a business opportunity to increase revenue through marketing content, allowing senders to include calls to action or other materials with the mail previews — “something that we can give to our mailers as an opportunity to really keep mail relevant and engage with a modern consumer,” Dixon said.

In a world that’s becoming more and more digital-driven, Informed Delivery is about more than a black-and-white preview of mail for the USPS. It gives the service a chance to make the physical medium of mail more responsive.

“Could we get consumers to respond more to a physical piece of mail if we added these digital aspects to it?” Dixon said of the pilot. “Our initial testing was designed to gather that data and it showed strongly that when we include an image in the daily email to a consumer and we gave them a response channel, they were far more likely to respond to that physical mail than they were if it were just the physical mail piece alone. And so for that reason, we started to continue to explore and further the program.”

It was a success. Between 57% and 65% of the email sent through the program was opened, often within an hour of receiving it. Additionally, 93% of consumers say they are satisfied or very satisfied with the service; and 94% would recommend it to friends, family or colleagues.

And to improve customer satisfaction even more, USPS is enlisting artificial intelligence, analytics and customer relationship management tools to predict package delivery events and why people are reaching out to its call centers.

The question is: “What do we need to do to basically solve the issue before they ever have to make a phone call?” Mehra said. “And so we are doing deep analysis and have developed AI models to precisely predict when a package will be delivered.”

At the end of the day, Informed Delivery “is about mailer participation,” Dixon said. In addition to driving “consumer satisfaction,” he said, it was important to USPS to continue demonstrating its value and utility in the modern mailing industry.

“In order for us to continue to be relevant, we need to serve both audiences. And the more mailers that participate and get value out of informed delivery, the better we’re doing,” Dixon said.

NSF to disburse $75M between 3 new quantum computing institutes

The National Science Foundation plans to disburse $75 million between three new institutes created to advance quantum information science (QIS) research and development.

Established by the White House Office of Science and Technology Policy, in partnership with NSF, the Quantum Leap Challenge Institutes will also train an emerging quantum workforce.

Universities are hosting the institutes, which will leverage the resources of the Department of Energy’s National Laboratories and industry to craft in-person and online curricula for students and teachers from primary school to professional development.

“Through the Quantum Leap Challenge Institutes, NSF is making targeted investments,” said Director Sethuraman Panchanathan in an announcement Tuesday. “Within five years, we are confident these institutes can make tangible advances to help carry us into a true quantum revolution.”

Those five years will be critical to answering “some fundamental research questions,” Panchanathan said.

The Institute for Enhanced Sensing and Distribution Using Correlated Quantum States will be led by the University of Colorado and develop sensors for precisely measuring everything from radiation levels to the effects of gravity.

A second Institute for Hybrid Quantum Architectures and Networks will be hosted by the University of Illinois, Urbana-Champaign and build interconnected networks of small-scale quantum processors for numerous applications.

The final Institute for Present and Future Quantum Computing will be hosted by the University of California, Berkeley and design large-scale quantum computers and algorithms for new platforms with the goal of proving they can outperform the best classical computers.

OSTP released the first national strategic plan for QIS in 2018, the same year the National Quantum Initiative Act, investing in QIS and coordination, became law.

The White House established the National Quantum Coordination Office in 2019, and the Trump administration’s fiscal 2021 budget proposal committed to doubling QIS investment by the following fiscal year.

“America’s future depends on our continued leadership in the most cutting-edge industries of tomorrow,” said Michael Kratsios, U.S. chief technology officer, in a statement.

Industry pushes for $1B for TMF in ‘Phase 4’ coronavirus stimulus bill

Industry experts argued Monday that the coronavirus pandemic presents Congress with a chance to exceed annual allocations and invest in the Technology Modernization Fund (TMF) at a level that will enable multi-agency IT improvements.

Testifying before the House Government Operations Subcommittee, Matthew Cornelius said Congress and White House Chief of Staff Mark Meadows, who previously served as the House Oversight Committee’s ranking member, should ensure the TMF receives $1 billion in the next coronavirus relief bill. Negotiations on that “Phase 4” bill are expected to intensify this week.

The Alliance for Digital Innovation executive director said only then can the Office of Management and Budget and the General Services Administration shift from supporting agency-specific IT projects to governmentwide ones. The TMF — housed within GSA and overseen by that agency and OMB — gives agencies money for long-term IT modernization projects, but it has struggled to win attention from Congress.

“Frankly, outside of an emergency situation like this, where Congress can go above and beyond the 302(b) allocations that they have on the normal [fiscal year] appropriation cycle, you’re never going to get that amount of investment that is necessary so that OMB and GSA and agencies can really start to transform the government’s IT,” Cornelius said.

In Cornelius’ time with OMB, government could only make “small-bore” project delivery decisions because the TMF received a “wildly inappropriate” $150 million over three years for about 50 projects costing $600 million.

The Health and Economic Recovery Omnibus Emergency Solutions (HEROES) Act submitted by House Democrats currently proposes $1 billion for TMF. The last TMF appropriation of $25 million was “simply meaningless,” said Rep. Gerry Connolly, D-Va., the subcommittee’s chairman.

“Modern, reliable IT is not just a nice thing to have,” Connolly said. “Our federal government’s consistent failure to prioritize IT modernization and program delivery prevented the public from receiving the assistance Congress authorized to help the nation weather one of the worst global pandemics in 100 years.”

For example, the Small Business Administration still hasn’t provided a “full postmortem” on timeouts of its E-Tran system, tasked with processing applications for $750 billion in pandemic-related loans, nor has the IRS delivered tens of millions of economic impact payments, Connolly said.

Legislative fixes

Lawmakers like Connolly want agencies to retire legacy systems in favor of new commercial technologies more quickly and are attempting to give them the tools legislatively.

Included in the first group of amendments to the National Defense Authorization Act, which came to the House floor on Monday, is the FedRAMP Authorization Act. The legislation would codify and fund the Federal Risk and Authorization Management Program, which helps agencies quickly adopt new cloud services.

Congress can do more by overhauling laws to include metrics for cloud adoption, FedRAMP authorization and reuse, and acquisition of commercial items. The Federal Acquisition Streamlining Act established a commercial-first framework for new technology, but commercial-off-the-shelf systems continue to take a backseat to “bespoke, agency-specific” systems at many agencies, Cornelius said.

“The issue is that everybody is an IT worker, and the mission users they know what they want,” said Gordon Bitko, senior vice president of policy at the Information Technology Industry Council. “And what they frequently want is not the commercial product but something that’s been customized in some way, and the result when that happens is you take a lot of time taking the commercial product and customizing it into something that then becomes a legacy system that’s difficult to maintain and support.”

Bitko, who previously served as the FBI’s chief information officer, said the agency’s time and attendance system started out as a commercial offering but was customized for congressional reporting and internal use. Upgrades now take months or years to develop in ways that prevent the system from “catastrophically failing,” and it still runs on a restricted network — making it inaccessible from outside an FBI office.

The Department of Justice began data center consolidation in 2014, which included constructing a new center inside an existing Idaho facility. The request for proposals was posted in October 2016, groundbreaking occurred a year later, and the center opened in November with plans to be fully operational in September 2020. The center is already outdated, Bitko said.

“Government’s limited technical and contract expertise, risk aversion, process inefficiencies, unpredictable funding, and inflexible construction processes all contribute to timelines much longer than commercial best practices,” Bitko said. “At the same time the lack of multi-year modernization funding ensures legacy applications endure.”