Space Force starts transitioning cybersecurity professionals into its ranks
The Space Force started receiving its first cybersecurity personnel from other military services at the beginning of February, the chief of space operations said recently.
Most of those cyber personnel transitioning into the new force come from within the Department of the Air Force, which oversees the Space Force. In total, the force has brought in 2,400 of the 6,400 active duty cyber personnel it’s planning for, Gen. John Raymond, commanding general of the Space Force, told reporters during a Defense Writers Group media call.
These Cyber Guardians — what members of the Space Force are called — will be protecting satellites and other space-based assets from hacking. While Space Force leaders often repeat they want to keep the newest branch of the military “lean,” cyber personnel is one category they are actively bringing onboard.
“There’s a spectrum of threats that are out there. Everything from reversible jamming of satellites and GPS satellites, communication satellites, GPS satellites,” Raymond said. “And there’s cyber threats.”
Civilian leadership in the Department of the Air Force has put greater emphasis on satellite security. At the DEF CON 2020 conference, the Air Force and Space Force partnered with ethical hackers to find better ways to harden their cyberdefenses. Working with outside experts helped the department to better identify vulnerabilities.
But now the force wants its own cyber personnel to boost its cyber expertise.
“They will be part of our crew force; they’ll understand the cyber terrain of space and will help us protect this critical domain from that threat,” Raymond said of the new cyber operators in the Space Force.
Space Force acquisition professionals have also been at work to increase cybersecurity by inking new deals with private security companies. One recent deal with Xage Security will build a zero trust-style security system to protect space assets.
CDO Council issues first report to Congress
The Federal Chief Data Officers Council plans to begin member-developed projects advancing innovative data practices this year, according to its first report to Congress.
Projects include developing a framework for sharing decision-support dashboards across agencies, creating a data skills training program playbook, finding new ways to analyze public comments, and using data to better manage wildfire fuels.
The council began considering projects in May, and the Office of Management and Budget made final funding decisions in October.
“By delivering data and analytics solutions to our leaders and field employees, we can have a major impact on how federal agencies more efficiently and effectively serve the public,” Ted Kaouk, who chairs the council and serves as CDO of the U.S. Department of Agriculture, wrote in the report. “By implementing data governance, data workforce strategies, and data management best practices, we can enable access to high quality, timely data that will improve evidence-based policymaking.”
The report’s release corresponded with the public unveiling of the council’s new cdo.gov website for sharing updates on priorities, programs and events, as well as engaging on how to improve access and use of federal data.
Monthly meetings will continue in 2021 to support CDOs, still relatively new to their positions, and improve ties with other interagency councils. The council held 11 monthly meetings last year.
“The Council’s first year has been focused on setting up its governance structure, building a CDO community and relationships with other intergovernmental councils and groups, sharing best practices/lessons learned, strategic planning, and supporting CDOs in their implementation of the Federal Data Strategy (FDS) Action Plans,” reads the report.
There’s been no word on when the 2021 Action Plan will be released, the 2020 Action Plan having dropped in December of 2019.
The council’s short-term goals included developing a learning community, demonstrating its strategic value, establishing an operating model and creating an FDS roadmap. The body will continue to encourage data-sharing agreements between agencies and strong privacy protections moving forward.
The report further lays out the council’s tiered structure, membership and six initial working groups:
- Operations,
- COVID-19 Data Coordination,
- Data Skills,
- Data Sharing,
- Small Agency Committee, and
- Chief Financial Officers Act Agency Committee.
The council released the report in accordance with the Foundations for Evidence-Based Policymaking Act and is set to sunset in 2025, two years after the Government Accountability Office evaluates it, barring renewal.
CMMC model tweaks coming after industry feedback
The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.
The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation Supplement (DFARS) rule.
The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DOD spokeswoman, said in a statement.
“We did not plan to make changes to the DFAR rule,” Maxwell said. She added: “We also recognize that as the threat is not static nor should our model not be static, we are always evaluating the best standards to implement to address relevant threats.”
The DOD is also looking to update its CMMC assessment guides as a part of the comment adjudication process. DOD’s authority to create the assessment guides, which will be used by CMMC assessors, was outlined in a recently released statement of work in a contract between DOD and the CMMC Accreditation Body (CMMC-AB), which is the organization charged with implementing the program and overseeing the assessors and CMMC ecosystem.
CMMC was designed to close the many cybersecurity gaps in DOD contractors’ networks through third-party verification. But the new rule won’t be widely adopted in contracts until fiscal 2025.
The biggest change under CMMC is that now contractors will need to get a third-party assessment for their networks. No longer can they perform a self-check to ensure they are meeting standards. Instead, they will need to hire an assessor to verify it.
DOD received comments from contractors and trade groups, many advocating for clear guidance on the reciprocity between the CMMC controls and other federal IT compliance programs, like the Federal Risk and Authorization Management Program (FedRAMP).
“As the Department moves forward with the CMMC, we believe that it is important to get its implementation right by developing and implementing those cybersecurity protocols that are necessary, while simultaneously guarding against actions and regulations that do not add security and result in harm to industry’s ability to innovate and partner with DoD,” trade group ITI wrote in its comments to DOD. ITI also recommended clearer guidance on how subcontractors will be handled with flow-down requirements.
It’s unclear exactly what changes DOD plans to make, but the announcement also comes after the publication of new protective guidance from the National Institute of Standards and Technology, SP 800-172. Maxwell said the process for adjudicating the comments is not related to the new publication, but Stacy Bostjanick, the acting director of supply risk management at the DOD, told InsideCybersecurity, which first reported the changes to the rule, that the department is also trying to “sync” CMMC levels four and five with NIST’s new guidance. Very few companies will need to meet those levels, DOD said previously.
GAO tells VA to stop rollout of $16B EHR program, but the VA ‘doesn’t plan to’
Editor’s Note: this story has been updated with comment from the VA
The Government Accountability Office has recommended that the Department of Veterans Affairs stop work on its new electronic health record (EHR) modernization program to conduct “critical” tests before launching at any more medical centers.
The EHR system has faced critical shortfalls, and the VA hasn’t completed tests of issues that could cause the system at the heart of the 10-year, $16 billion modernization program to fail, the GAO states in a report released Thursday.
The system is currently live at a Spokane, Washington, medical center with no major reported issues. But as the program continues to be rolled out, the VA’s new health care IT system could falter, the GAO report cautions. Thus, the GAO recommends that the VA “postpone deployment of its new EHR system at planned locations until any resulting critical and high severity test findings are appropriately addressed.”
While the VA responded to the report’s findings by “concurring in principle,” it told FedScoop that it doesn’t plan to stop the rollout.
“The Department of Veterans Affairs (VA) does not plan to stop the launch of VA’s new electronic health record system,” the VA said in a statement. “VA appreciates the opportunity to review the recent Government Accountability Office (GAO) report regarding the progress of VA’s Electronic Health Record Modernization (EHRM) program and the disposition of test findings in relation to subsequent deployments.”
The GAO had a stark warning for VA if it doesn’t properly test and evaluate the system.
“If VA does not close or appropriately address all critical and high severity test findings prior to deploying at future locations, the system may not perform as intended,” the report warned.
However, the VA said that its current rate of testing and risk mitigation strategy will suffice.
While the GAO doesn’t have the grounds to force the VA to do anything, its reports are used by lawmakers who can censure the department leadership in congressional hearings and require them to take action.
The VA apparently disagreed with some of the specifics in the GAO recommendations. After reviewing a draft version of the report, the VA asked the GAO to change some of the report’s language to soften its negative tone.
“Specifically, in the title [Office of Electronic Health Records Modernization] recommends changing the phrase ‘…but Subsequent Test Findings Will Need to Be Addressed’ to read ‘..and Test Findings are being Addressed,'” the report states.
GAO declined, saying its “recommendations are appropriate, as presented.”
At the time of the first “go-live” in October, congressional aides had concerns with the launch. One told FedScoop at the time the VA was only “5 percent” ready. The next leg of the rollout is scheduled to be at the Puget Sound Health Care System in the fourth quarter of fiscal 2021.
Despite congressional and GAO concerns, the VA remains confident in the systems it developed and its processes for dealing with future bumps in the road.
“VA has made significant progress over the last few months and we are well-positioned to continue moving forward while minimizing impact to providers and Veterans,” the VA told FedScoop. “VA is taking every precaution to deliver a safe and effective system for our clinicians and users and remains committed to getting this right for our Veterans.”
The EHR system has faced previous delays due to inconsistencies in system performance and a need for more testing. VA staff leading the EHR program told FedScoop in October at the launch “we are getting positive comments,” despite some “usual jitters” among the staff about using the new technology.
The Department of Defense is also migrating its electronic health records system to the same Cerner Millennium cloud-based platform so that it can be linked to the VA system for the seamless transfer of records when service members retire.
NASA sends AI to space with first commercial edge computing system
When you need computing power at the edge, often that means buying extra hardware for far-flung offices or maybe loading a system onto a truck. But for some agencies, getting compute to the edge means going to infinity, and beyond.
Thursday, NASA and Hewlett Packard Enterprise announced that they will test the limits of the term “edge computing” with a new computer designed to deliver artificial intelligence in space. Later this month, the new Spaceborne Computer-2 will become the first high-performance commercial computer to operate in space on the International Space Station.
HPE says Spaceborne Computer-2 will allow astronauts to process data that used to take months in mere minutes. Once launched and assembled in space, NASA will use it for at least the next two years, giving astronauts the power to use AI and other advanced computing capabilities that were once out of reach in space.
Bringing this type of computing capability to space “is just the first step in NASA’s goals for supporting human space travel to the Moon, Mars and beyond where reliable communications is a mission critical need,” HPE said in its release.
“The most important benefit to delivering reliable in-space computing with Spaceborne Computer-2 is making real-time insights a reality. Space explorers can now transform how they conduct research based on readily available data and improve decision-making,” said Dr. Mark Fernandez, HPE’s principal investigator for Spaceborne Computer-2.
Getting and using computers in space is no easy task. First, just putting the hardware into orbit involves shooting it on a rocket — rattling, shaking and jolting through the atmosphere for minutes on end. Once in space, if the computer’s complex circuits still work, the zero-gravity environment and constant exposure to the sun’s radiation present further challenges. However, Spaceborne Computer-2 was built off a prototype launched into orbit in 2017. And HPE specially designed it to sustain operations in space, along with software coded for space-based work.
Astronauts will use the computer to process data from the space station, satellites, cameras and other sensors. Loaded with the necessary graphics processing units (GPUs), Spaceborne Computer-2 will be ready to process everything from photos of polar ice caps to medical images of the astronauts’ health, according to the news release. The GPUs’ processing power will be enough to fuel AI and machine learning capabilities, eliminating the need to send data back to Earth for ground-based processing.
“Edge computing provides core capabilities for unique sites that have limited or no connectivity, giving them the power to process and analyze data locally and make critical decisions quickly,” said Shelly Anello, general manager of converged edge systems at HPE.
HPE partnered with Microsoft Azure to provide additional compute resources through its Azure Space cloud capability recently launched to support NASA, Space Force and other partners.
Krebs to Congress: Empower CISA’s shared services office
Congress should empower the shared services office within the Cybersecurity and Infrastructure Security Agency to centralize common, internet-facing services like email for all 101 civilian agencies, says former Director Chris Krebs.
For the idea to work, Krebs says, the agency’s existing quality services management office (QSMO) will need the authority to compel all .gov agencies to use the resulting govnet services. The recommendation, which Krebs made Wednesday during a House hearing, comes as the Biden administration is expected to eventually release a governmentwide cyber strategy as it continues to respond to the SolarWinds breach.
Civilian agencies will struggle to meet the Biden plan’s requirements, Krebs said, unless their chief information officers and chief information security officers are allowed to hand the keys to some of their services over to CISA.
“CISA can build those services through the quality services management office — like a hardened, secure, cloud-based email instance — and pull everyone in,” Krebs told the Homeland Security Committee. “As of now, there are 101 different instances of email across the civilian agencies; that’s just not a defensive posture.”
Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, summed up the idea by saying CISA should effectively become the operational federal CISO for .gov agencies, much like U.S. Cyber Command is for the Department of Defense.
Congress made a “critical move” allowing CISA to threat hunt on agency networks without their permission in the fiscal 2021 National Defense Authorization Act, Alperovitch said at Wednesday’s hearing, but now it needs to provide the agency with additional resources.
A senior member of the committee expressed support for expanded CISA authorities after the hearing. Ranking Republican John Katko of New York highlighted Krebs’ QSMO idea in a news release and urged Congress to ensure CISA has the workforce, funding and authorizations it needs to respond to the SolarWinds incident.
“At its core QSMO is about creating a center of excellence for shared cybersecurity services within CISA,” Katko told FedScoop. “Building and expanding upon this centralization is foundational to the efforts I have long been pushing to ensure CISA has increased visibility to nimbly respond to threats.”
CISA will also need to strike information sharing agreements with .gov agencies on software with elevated privileges and sensitive data, Krebs said. The SolarWinds campaign, which has been attributed to a Russian intelligence agency, should be a loud wake-up call, he said.
“I’m hoping that … the Russian espionage campaign, is enough for Congress to take bold action and change the way that the federal government does business to secure its own networks,” Krebs said. “Centralize authorities; provide capabilities that are hardened and more defensible than leaving it up to the 101 different agencies.”
CISA’s QSMO, designated in April 2020, is already producing products for other federal agencies. It is expected to award a contract this year for a protective Domain Name System (DNS) capability that can block access to malicious websites at the moment it translates their human-readable domain names into the numerical Internet Protocol addresses computers use. The security control will be one of the QSMO’s first marketplace offerings to civilian agencies.
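The one mechanism this story describes, a resolver that consults a blocklist before answering a name lookup and hands back a sinkhole address for listed names, is shown below as an added example. It is not code from the article, CISA or any QSMO product; the blocklist entries, the `fake_upstream` stand-in resolver and every address in it are constructed placeholders (RFC 5737 documentation ranges and reserved test TLDs), not real indicators.

```python
"""Protective DNS policy check (added example, not from the article or any
CISA product). A query is matched against a blocklist on label boundaries,
so a listed parent domain also covers its subdomains, and a hit is answered
with a sinkhole address instead of being forwarded upstream.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample blocklist: hypothetical names on reserved TLDs.
BLOCKLIST = {
    "malware-example.test",    # covers the name and every subdomain under it
    "phish-example.invalid",
}

SINKHOLE_IP = "0.0.0.0"  # address returned in place of the real one


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'EVIL.test.' matches 'evil.test'."""
    return qname.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that matches qname or one of its parent
    domains, or None. Matching walks label boundaries, so 'notmalware-example.test'
    does NOT match 'malware-example.test'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


@dataclass
class Decision:
    qname: str
    action: str            # "sinkhole" or "forward"
    answer: str            # IP address returned to the client
    reason: Optional[str]  # blocklist entry that fired, if any


def resolve_with_policy(qname: str, upstream: Callable[[str], str],
                        blocklist=BLOCKLIST) -> Decision:
    """Apply the blocklist first; only unlisted names reach the upstream resolver."""
    hit = is_blocked(qname, blocklist)
    if hit:
        return Decision(qname, "sinkhole", SINKHOLE_IP, f"matched {hit}")
    return Decision(qname, "forward", upstream(normalize(qname)), None)


def fake_upstream(name: str) -> str:
    """Stand-in for a real recursive resolver (constructed answers only)."""
    table = {"example.com": "192.0.2.10"}
    return table.get(name, "192.0.2.1")


def log_line(d: Decision) -> str:
    """One line per query in the shape a SOC would ingest from a protective resolver."""
    return f"qname={normalize(d.qname)} action={d.action} answer={d.answer}" \
           + (f" reason=\"{d.reason}\"" if d.reason else "")


if __name__ == "__main__":
    for q in ["example.com", "cdn.MALWARE-EXAMPLE.test.", "phish-example.invalid",
              "notmalware-example.test"]:
        print(log_line(resolve_with_policy(q, fake_upstream)))
```

The label-boundary walk in `is_blocked` is the detail worth keeping: a plain substring or suffix test would either miss `cdn.malware-example.test` or wrongly block `notmalware-example.test`, and the `reason` field in the log line is what lets an analyst tell a policy block from an upstream failure.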
IRS officially makes Nancy Sieger CIO after nearly two years on the job
The IRS named Nancy Sieger its official CIO, a role she’s served in an acting capacity since June 2019.
Sieger oversees the hundreds of IT systems operating the U.S. tax infrastructure, as well as the nearly 7,000 employees maintaining them.
Not only are IRS systems — some of which are 40 to 50 years old — critical to processing millions of tax returns annually, but they’ve been leaned on to issue pandemic stimulus checks.
“Nancy has done an exemplary job as acting CIO supporting delivery of two rounds of Economic Interest Payments totaling more than $420 billion, along with individual tax refunds of more than $320 billion during the pandemic,” said IRS Commissioner Chuck Rettig in Tuesday’s announcement. “She is a remarkable person and enjoys tremendous support from our entire IT team and throughout the IRS.”
Prior to taking on the CIO role, Sieger was deputy CIO for filing season and tax reform in charge of making technology changes to modernize IT in compliance with the Tax Cuts and Jobs Act.
Sieger graduated from the IRS 2004 Executive Development Class, promotes workplace diversity and received a FedScoop 50 award for federal leadership.
For contractors seeking CMMC certification, start with a self-check, DOD says
The Department of Defense is imploring contractors to get ready for Cybersecurity Maturity Model Certification requirements in contracts, and for now, they’ll have to do that on their own.
There are no companies yet officially accredited to do the assessments needed for a contractor to receive an award. That means most of the work to test network security and comply with the new standards will fall on contractors themselves, at least for now, said Stacy Bostjanick, a top official in the DOD’s office running the CMMC program.
Bostjanick said she anticipates that by early summer, a handful of companies will have earned the accreditation needed to audit contractors’ networks for official assessments under the new five-tiered CMMC model.
“Today as we sit here, there is not a [Certified Third Party Assessor] that is ready to come out to your company,” Bostjanick said during AFCEA NOVA’s IC IT day.
The balance is a tricky one between the DOD, which will put CMMC requirements into its contracts, and the CMMC Accreditation Body (CMMC-AB), the third-party entity that issues the accreditations to assessors. The AB needs to work fast enough to meet DOD’s timeline to ensure there is enough of a supply of assessors to meet the demand of the department’s roughly 300,000 contracts that will eventually need an assessment. To ensure there isn’t a crunch on the market, the DOD is phasing its rollout slowly, with only 15 contracts anticipated to have CMMC requirements in fiscal 2021.
Bostjanick recommended contractors work based on the public CMMC model the DOD released a year ago to start ensuring they are up to standards. For many small businesses without a full-time cybersecurity staff, that may require getting outside help.
The AB has already started giving its stamp of approval to consultants and provisional assessors that can help companies get ready for assessments. While it’s not required that CMMC consultants get a “registered practitioner” certification from the AB (and pay the requisite $500), AB members have said their stamp of approval lends credibility.
There have been several instances of companies overselling their ability to provide CMMC services, Bostjanick and others have pointed out. With the uncertainty of the process and looming deadlines, opportunities have emerged for cybersecurity companies looking to take advantage and make fast cash off of the program. But Bostjanick implored all DOD contractors to keep their eyes on the official list of CMMC assessors and assessment organizations: the AB’s marketplace.
The good news for companies that plan to bid on the initial pilot contracts that will include CMMC requirements is that the AB will put those contractors “at the front of the line” to get certified, Bostjanick said.
“It’s going to be a select group,” she said of the initial pilot contracts, most of which have been announced.
Army focuses on tactical networks in 2021 tests of Project Convergence
The Army is focused in 2021 on testing new tactical networks to send more data to artificial intelligence-enabled systems — a critical part of its Project Convergence.
The tests began earlier this year and will continue in both a lab-based virtual environment and later through live demonstrations in the field, combining new software, weapons and tactical networks.
Project Convergence is the Army’s contribution to the military-wide Joint All Domain Command and Control (JADC2) concept where data is fused across the land, air, sea, cyber and space domains. To achieve that, the Army is now turning its attention to beefing up its tactical networks.
The Army’s first major stab at testing JADC2 and Project Convergence took place in September 2020 when it was able to target and shoot things faster with the assistance of software. Now in 2021, the Army is taking those lessons learned to new simulated environments at Aberdeen Proving Ground in Maryland to improve the networks the data runs across.
“One of the things we learned out of [Project Convergence tests in 2020] was that it’s critical to integrate early and often,” Col. Curtis Nowak, U.S. Army Joint Modernization Command’s JADC2 director, said in a release. “[Aberdeen Proving Ground] has unique lab facilities that allow us to do lab-based risk reduction on technologies we had in the desert without having to fight through challenges in the field.”
The virtual tests will take place in the Joint Systems Integration Lab (JSIL), which can simulate networks and the constraints they will operate in, according to a news release from the Army. One of the key challenges the Army is trying to overcome is how to transmit more data with less bandwidth. The Army anticipates future fights will take place in “constrained” environments, where cyberattacks, interference and lack of infrastructure could degrade or limit network capabilities.
One of the first workarounds tested in the lab is the use of commercial radios as a transport for data in targeting.
“The radios provided a mobile ad-hoc networking technology mesh network, which enabled information exchanges between sensors, decision-making agents and weapons platforms,” according to the release.
The new network arrangements and mobile networks will continue to be tested for their ability to transmit data and link into AI-enabled systems to comprehend that data. The Army says it will keep testing in virtual environments before moving to major field tests in the desert of Yuma, Ariz., later this year.
“We have been focused on readiness and the ability to ‘fight tonight,’ but Project Convergence is all about fighting tomorrow or the day after,” Nowak said.
DOD to get ‘entire spectrum’ of AI testing in upcoming JAIC contract
The Department of Defense‘s Joint Artificial Intelligence Center plans to issue a multiple-award contract for testing and evaluation services to support all of the department’s AI testing needs.
The contract, expected to be awarded sometime in February, will not just be for the JAIC but rather a mechanism for all of the DOD offices working on AI to access private sector support when testing their systems.
“What we are looking for is the entire spectrum of support,” Jane Pinelis, the JAIC’s head of AI testing and evaluation, said Tuesday during an AFCEA DC event. That could mean testing an algorithm for bias or checking that it can integrate across systems, Pinelis said.
JAIC leaders have said the center should be a leader in testing, given that many of its AI systems will be applied to lethal missions. Pinelis said the JAIC has some of its own internal tools for testing models, but it needs help automating parts of the process, like updating algorithms and software interoperability. Other areas of need include human integration testing, human-machine trust and simulating real-world environments that AI could be deployed in.
The contract’s design for whole-of-DOD use comes after the JAIC recently shifted its core mission away from building products and fielding AI to be an “enabling force” in support of the many offices across the DOD working on AI. Part of that “JAIC 2.0” mindset is to ensure the services it procures from industry can also be leveraged by other parts of the DOD’s AI ecosystem.
This multiple-award contract will be one way for the JAIC to make a connection with industry that others across the department can later use, Pinelis said.
“That was a very important setup for us,” she said of the larger department’s benefit from the contract. “The JAIC is about enabling the department to achieve scale, and the only way we can do that is if we come up with these contract vehicles that others can use as well.”