First TMF award of 2021 comes hours after watershed $1B appropriation

The Department of Labor received $9.6 million from the Technology Modernization Fund to update its enterprise data platform, less than a day after lawmakers put a historic $1 billion into the funding vehicle.

DOL will use its funds to improve the availability and accessibility of data for other agencies, developers and researchers, as well as improve evidence-based decision making across its enforcement, compliance and unemployment insurance missions.

The TMF award is also a win for the three-year-old fund itself, which had only garnered $150 million in total appropriations prior to President Biden signing the American Rescue Plan Act into law Thursday.

“Technology is a key enabler for government in providing better services to the American public,” said David Shive, chief information officer at the General Services Administration and a TMF Board member, in the announcement. “The news of the Technology Modernization Fund getting a $1 billion boost from the American Rescue Plan couldn’t have come at a better time, and the TMF Board looks forward to receiving more project proposals like this one from DOL to consider for investment.”

The TMF serves as a streamlined way for agencies to get the money they need to upgrade aging and obsolete information technology.

DOL received one TMF award previously to make its paper-based work visa application process digital in 2018 for a $2 million annual savings.

The latest award comes on the TMF’s third anniversary; the fund has funded 11 modernization projects across government to date.

“With this first project approval of 2021, the TMF Board is reinforcing its commitment to invest in federal technology modernization initiatives that enable agencies to better deliver their services to the American public,” said Maria Roat, deputy federal CIO and TMF Board member, in a statement.

How CDM data can drive federal cyber strategies

When the federal government launched its Continuous Diagnostics and Mitigation program, it was intended to give agencies the tools they needed to know definitively who and what assets were operating on their networks, with the goal of reducing cyber risks.

A growing number of agencies, however, are on the cusp of gaining a far more powerful view of their network operations and overall cybersecurity posture, says Frank Dimina, vice president, America and public sector, at Splunk, in a new report.


What agencies and program leaders are starting to appreciate now, he says, is how the CDM program is generating a treasure trove of dynamically-integrated IT operating and security data, capable of helping agencies establish a more comprehensive view of their security posture.

“The added integration and analytics capability of CDM, compared to the underlying monitoring systems, is equivalent to going from looking at snapshots from a point in time, to having the fidelity of a live video feed,” says Dimina, in the new report, “Leveraging CDM to federal cyber strategies.”

The report, produced by FedScoop and underwritten by Splunk, features a series of articles and commentary perspectives that highlight how CDM is poised to help agencies improve their IT operations as well as their security.

One of the ongoing challenges agencies face — and where CDM’s automation capabilities are seen as a potent solution — lies in managing the explosion of data flowing into security and network operation centers from a widening array of devices, sensors and applications, says Michael Guercio, business development and strategic program manager at Splunk. That leads to a related challenge of how to remediate a growing number of vulnerabilities.

“Remediation is still a manual process that requires IT teams to allocate valuable time and resources,” he says in the report. “That’s where one of CDM’s underappreciated capabilities comes into play. In addition to the ability to stitch together information from multiple sources, CDM’s tools also provide the ability to automate the execution of identification and potential responses, based on agencies’ most critical threats, their risk posture and their risk threshold.”

Guercio points to Splunk’s Phantom platform as an example of the kind of tools available through the CDM program to help agencies with those challenges.

Phantom provides orchestration, automation and response technology to help correlate data and create a single picture of the agency’s cybersecurity posture. “It also can automate remediation processes and augment existing NAC technologies across the tool stack,” he says.

“It doesn’t matter if an agency is using ForeScout, or if they’re using Cisco ISE, or even within a more federated agency’s IT organization. Phantom provides the automation of these tools into one service so that agencies have a single, easy-to-interpret view with checks and downstream actions initiated without human intervention.”

The report also highlights how CDM has helped agencies reduce operating costs, by identifying under-utilized assets and software licensing costs.


This article was produced by FedScoop and sponsored by Splunk.

Top Army general vows for new cyber talent management system

As the Army rethinks talent management, it wants to ensure that uniformed cybersecurity experts have a quick path to promotion and that they don’t end up being pushed out by the service’s strict physical standards, its top general said Thursday.

The Army wants its new talent management system to focus on skills and career paths like cybersecurity that are not necessarily related to physical combat. Gen. James McConville, chief of staff of the Army, told reporters Thursday during a call with the Defense Writers Group that the Army is in the process of evaluating the Army Combat Fitness Test (ACFT) and rank promotion process in part to make sure that tech talent can stay in uniform longer.

“If you are a cyber whiz, maybe you do not have to have a 600 on the test,” he said, referring to the top score for the new ACFT. “[W]e are going from an industrial age personnel management system to a 21st-century talent management system.”

Under the ACFT, introduced late last year, fitness requirements are set by occupation, one change made to move towards a system that can retain soldiers with a diversity of skills.

McConville also said the Army needs new ways to reward and promote cyber personnel in the enlisted ranks. He described a soldier he met as “one of the best in the world at cyber,” but added he was only a sergeant, a rank he felt did not reflect his experience and talents.

McConville sees changing compensation and promotion based on domain-specific talent as the future for the Army.

“We don’t want to disenfranchise any of these people in the Army,” he said of soldiers with technical skills who can run into roadblocks in a system designed to promote those with battlefield strengths.

The Army has a talent management task force charged with finding ways to promote and retain new skill sets to meet new challenges. The task force is also working to eliminate unconscious bias in promotions. It has already rolled out changes for field-grade officers, like colonels and majors, that can guarantee certain career paths so that talent is not wasted. Now, it is piloting new ways to promote enlisted soldiers, including new rubrics for testing and interviews and shifting authorities to local commanders who have a better sense of squad cohesion.

Other ongoing Army talent initiatives include new technology education options for officers, like courses in artificial intelligence and machine learning.

ATARC intends to merge agency and vendor zero trust working groups

The Advanced Technology Academic Research Center’s parallel zero trust working groups for federal agencies and vendors intend to merge once the government side establishes use cases.

A merger will allow the more than 15 agencies and 15 vendors participating to begin zero trust logistics and to build and showcase proofs of concept, said Gerald Caron, director of enterprise network management in the State Department’s Bureau of Information Resources.

Caron co-chairs the agency working group and developed a zero-trust architecture that subgroups are using to define use cases.

“While the government is doing their deliveries and getting level set on requirements and architectures and definitions and concepts and use cases … we are feeding that to the vendors, so they can get started,” Caron said during an ATARC event Thursday.

Caron helped stand up ATARC’s Trusted Internet Connection 3.0 Demonstration Center, a physical test environment allowing federal agencies to try out cloud and infrastructure solutions for securing their networks.

With ATARC’s TIC 3.0 Working Group deemed a success, its members were grandfathered into the Zero Trust Working Group “because we believe TIC fits into the overall architecture of zero trust,” Caron said.

Continuous Diagnostics and Mitigation (CDM) Program Manager Kevin Cox has further agreed to join the working group and work with its members as his program transitions toward a zero-trust concept. That way the CDM program will get direct feedback from government officials and vendor representatives.

And Federal Chief Information Security Officer Chris DeRusha will have someone from his office participate in the working group as well.

“Having those two entities, I think, makes this working group pretty powerful — for lack of a better term,” Caron said. “It’s great participation, and we’re really influencing the government at this point.”

The working group will demystify zero trust by providing technical requirements agencies can use, said Trafenia Salzman, security architect at the Small Business Administration.

“It’s really helpful as an architect or an engineer or an analyst to be able to implement that in your environment,” said Salzman, who co-chairs the Zero Trust Working Group.

Salzman’s team at SBA is currently inventorying security tools and gathering information on processes before it implements a zero trust plan for the agency.

Meanwhile Caron is helping implement zero-trust infrastructure at the State Department and also serving as acting chief information officer for the Department of Health and Human Services Office of Inspector General.

HHS OIG is also inventorying security tools with plans for a multi-year, multiple project zero trust program.

“I’d rather be effective than compliant, so I think zero trust really focuses on effectiveness because you focus on what you want to protect,” Caron said. “I really believe in that, and compliance can fall into place as you go.”

Biden promises federal website for finding COVID-19 vaccines on May 1

Editor’s Note: This story has been updated with information on the U.S. Digital Service’s involvement and federal technology teams supporting vaccination scheduling.


President Biden teased a new federal COVID-19 vaccine website, capable of showing users places with vaccines available nearest them, during his first prime-time address Thursday.

Biden directed all states, tribes and territories to make all adults eligible for vaccination no later than May 1, when the site will launch.

The existing Department of Health and Human Services-run vaccines.gov provides general information on who is eligible for a vaccine and when they might expect to get vaccinated, but it can’t help users find places with vaccines available.

“At the time that everyone is eligible in May, we will launch with our partners new tools to make it easier for you to find the vaccine and where to get the shot — including a new website that will help you first find the place for you to get vaccinated and the one nearest you,” Biden said. “No more searching day and night for an appointment for you and your loved ones.”

The U.S. Digital Service, government’s fix-it team, “is engaged on the effort” but can’t provide additional details at this time, a spokesperson told FedScoop.

A call center will be stood up alongside the website to accommodate people without internet access or technical savvy.

The website will not let users schedule vaccinations, and instead the federal government will bolster state and local efforts on that front.

“Since so many Americans use their state and local websites to schedule vaccine appointments, the administration will also deploy technology teams to help to improve these systems,” said Jeff Zients, White House COVID-19 response coordinator, during a briefing Friday.

In the meantime VaccineFinder.org, which the Centers for Disease Control and Prevention works with regularly, began showing locations for COVID-19 vaccines in late February, a CDC spokesperson told FedScoop.

The locations shown are either part of the Federal Retail Pharmacy Program or in Alaska, Indiana, Iowa, New York (excluding New York City), Oklahoma, Tennessee, and Utah. Provider information includes the types of COVID-19 vaccine available, contact information, hours of operation and instructions on how to get vaccinated.

White House officials anticipate having enough vaccines for every adult in the U.S. by May’s end.

“We need to make it easier for every American to get vaccinated,” Zients said. “Too often it’s too difficult, too time consuming and too frustrating for people to identify where vaccines are available and where to schedule an appointment.”

Report: CISA hasn’t reached full operating capacity yet

The Cybersecurity and Infrastructure Security Agency won’t be fully up and running until it implements its third and final phase of organizational changes, according to a new report.

While the CISA Act of 2018 elevated the agency and saw it create a new organization chart and consolidate incident response centers and infrastructure security points of contact, 57 planned tasks were incomplete as of mid-February, the Government Accountability Office reported.

Until CISA’s organizational changes are finished, it will remain “difficult” for the agency to confront national cyber incidents like the SolarWinds hack that compromised at least nine federal agencies, reads GAO’s report.

“Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative,” the report states. “This in turn may impair the agency’s ability to identify and respond to incidents, such as the cyberattack discovered in December 2020 that caused widespread damage.”

CISA planned to finish the initiative in December, and all major tasks were completed by then, according to the agency. But CISA has yet to finalize mission-essential functions of its divisions or issue a memo defining incident management roles and responsibilities.

The agency’s deputy director and chief of transformation told GAO in November that delays were due to a need to obtain buy-in from government, including Congress, and industry. Coordination between Department of Homeland Security leadership and the Office of Management and Budget also took longer than expected, delaying later tasks dependent upon earlier ones.

Tasks affecting CISA employees need to be done right, and the COVID-19 pandemic has had “minimal impact” on completion, according to officials.

GAO recommended CISA set new expected completion dates for 42 tasks past their planned deadlines while prioritizing mission-critical ones. CISA already plans to create an updated, prioritized task list and reset its overall deadline for March 2021, the agency responded.

CISA generally addressed four reforms around using data and evidence, but five around workforce planning were only partially addressed.

“Workforce planning is especially important for CISA, given the criticality of hiring and retaining experts who, among other things, can help identify and respond to complex attacks,” reads GAO’s report. “CISA did conduct an initial assessment of its cybersecurity workforce in 2019; however, it is still working on analyzing capability gaps and determining how to best fill those gaps.”

A recommendation to ensure CISA’s employee performance management system aligns with the agency’s new organizational structure and goals remains unaddressed, despite officials’ assertion to the contrary, according to GAO.

GAO recommended CISA address outstanding reforms, to which the agency responded it’s working to create performance measures and a comprehensive workforce planning strategy.

Select government and industry partners across 16 infrastructure sectors — banking and financial institutions, telecommunications, and energy among them — told GAO they had challenges coordinating with CISA.

A total of seven partners reported a lack of clarity on organizational changes, seven a lack of involvement developing guidance, five a lack of timely response, three an inconsistent distribution of information, and three a lack of access to actionable intelligence.

CISA is tracking stakeholder inquiries for timely responses and holding tailored intelligence briefings, but it needs to address the three outstanding infrastructure challenges, GAO recommended.

Soldiers getting ‘constant’ practice with new robotic vehicles

In the Army’s hot pursuit of integrating autonomous vehicles into its forces, the service wants to ensure soldiers will trust and know how to work with new artificial intelligence “teammates.”

Even the most advanced technologies on the battlefield will mean very little if operators do not know how to use them or trust them. Recent research into the military’s AI investments found a critical lack of examination of human-machine trust, something that the Army appears to be trying to improve upon with exercises designed around soldier-robot interactions.

For its next-generation ground vehicles and future robotic vehicle development, the Army is following a mantra of “soldiers must touch the equipment,” Maj. Gen. Ross Coffman said during a virtual event hosted by the Center for Strategic and International Studies. Coffman leads the cross-functional team working to field the next-generation ground combat vehicle, a major effort to replace decades-old combat vehicles with technology-enabled systems.

“Without those soldier touchpoints, we fully understand we would not be serving our customer,” he said. Coffman said there was a “platoon of robots” sent to Fort Carson in Colorado that every day underwent integration into soldier training for six weeks. For those who can work directly with robots, Coffman added there are exercises at least “once a quarter.”

Other initiatives go beyond in-person training with virtual exercises to familiarize soldiers with robots that can’t be sent to them.

“That doesn’t mean it’s over a camera. They are actually learning how to fight and use them in a computer-simulated game,” he said.

It’s unclear which robotic vehicles the Army is using in its testing exercises, but many autonomous vehicles are in the works. Some of the new vehicles the Army is designing range from small voice-activated robots for bomb disposal and reconnaissance to large “optionally manned” troop-carrying vehicles designed to follow other vehicles in convoy. Many will still rely on human directions, be they broad voice commands like “go look inside that building” or following a human-driven vehicle.

But despite all the money going into developing the technology itself, a research paper from the Center for Security and Emerging Technology (CSET) found little evidence of developing the machines to interact well with humans.

“If the person doesn’t trust the system that is providing recommendations, then we are losing a lot of money that went into developing these technologies,” Margarita Konaev, lead author on the paper, told FedScoop in October. She added that DOD-backed research on it was “something that we were expecting to see, but it really was not something that we found.”

USPTO business units begin picking their automations

Business units have started identifying processes they want to automate within the U.S. Patent and Trademark Office, now that its CIO is managing the infrastructure and licensing.

The Robotic Process Automation Governance Team within the Office of the CIO handles configuration management and cybersecurity vetting to standardize the credentialing of bots, while business analysts pick the automations.

Analysts need only fill out an RPA intake form, the first step of the governance process, which asks nine questions before calculating the necessary bot’s complexity and expected time savings.

“We’ve reached a point with our maturity where we’re really encouraging different business units to come to the table with their own ideas for automation,” said Jacob Feldman, program analyst at USPTO, during an ACT-IAC event Wednesday. “This is implementing a federated model of development.”

Initially, USPTO attempted to automate whatever project was proposed, often using bots with if-then scenario logic. But the agency has since learned that some RPA candidates are better than others, and bots reliant on yes-no logic or linear decision-making can be implemented faster, Feldman said.

USPTO built its intake form with Microsoft Power Apps by combining a bot complexity assessment from UiPath, which also supplies the agency with RPA licenses, with a different method from the federal RPA Community of Practice. The form helps select better RPA candidates and has already been shared with the National Institute of Standards and Technology and the Department of Commerce more broadly, Feldman said.

Rather than allow standalone bot licenses, USPTO automations must be done through orchestrator software. The orchestrator has different tenancies for each business unit so patent bots are classified in the patent tenancy.

Bots are developed in a formal qualification testing environment. This prevents rogue bots by thoroughly vetting them before deploying them to a quality assurance or production environment. Governance was set up this way after a mishap that required data cleanup, Feldman said.

The RPA Governance Team doesn’t permit unattended bots yet, as it hasn’t yet addressed the USPTO cyber team’s concerns. But solutions like SailPoint and CyberArk are being considered for giving bots active accounts in the agency directory. Cyber experts within each business unit will determine what’s best for the systems they secure, Feldman said.

USPTO’s Office of the CIO initially kept bot development in-house, but now business units are more actively addressing their needs. The Office of the Chief Financial Officer is using a mix of government and contract personnel to develop bots, while the trademarks business unit is currently acquiring contract support, Feldman said.

The trademarks unit is currently looking to automate suspension checks, where the trademark process is halted to determine if it conflicts with others. Trademark attorneys and their legal support staff assess thousands of trademarks in this way daily.

“This is something a bot can do,” Feldman said. “It can fly through and take a look at any type of associations and then make a determination about whether to re-suspend or remove from suspension.”

The business unit is also looking into one intelligent automation where a bot would scan trademarks and identify words in the dictionary. Then it would attempt to recognize more nuanced trademark names, like “Nice2CU,” and attempt to match those to dictionary words, despite the strange spelling.

The TMF is set to get $1B payday

Editor’s Note: President Biden signed the American Rescue Act on Thursday afternoon.


With the House passage of the American Rescue Act on Wednesday, the Technology Modernization Fund is one step away from finally getting the $1 billion injection that lawmakers and tech advocates have spent nearly a year lobbying for.

Now that both chambers of Congress have passed the $1.9 trillion COVID-19 relief bill, it is headed to the desk of President Joe Biden, who is expected to sign it Friday. The bill, among other things, will send stimulus checks of up to $1,400 to Americans who qualify, extend a $300 weekly unemployment supplement and provide billions in relief to businesses, governments and other organizations that have struggled during the pandemic.

Beneath those top-level provisions, the relief bill will expand funding for some critical federal IT and cybersecurity programs that play a key role in the government’s digital response to COVID-19. Namely, the TMF will, with a single $1 billion appropriation, receive five times as much as it has in its entire existence from past funding bills — a meager total of $150 million since its creation in 2017.

The TMF is a central pot of appropriations intended to fund modernization projects under the stipulation that participating agencies pay back the funding within five years.

“Throughout this global health crisis, millions of Americans facing illness, unemployment, food insecurity, and an inability to pay their mortgages or rent have looked to the federal government for help,” said Rep. Gerry Connolly, D-Va., who is perhaps the biggest advocate for federal IT and the TMF on Capitol Hill. “Yet despite urgent Congressional action to provide unprecedented levels of economic assistance, those in need have had their misery exacerbated by a broken IT infrastructure that has prevented them from receiving timely support.”

The administration of the fund is led by a board of federal IT officials, headed by Federal CIO Clare Martorana, who was announced in the role this week. Leading this board and administering the fund will likely be a huge early priority for Martorana in her new job.

Former Federal CIO Suzette Kent told FedScoop in a prior interview that the TMF works — but “it’s not at the scale that we need,” meaning more money is needed to make it more effective.

“When you look at $25 million, I am not diminishing the importance of $25 million, but in a government initiative that impacts something that serves all citizens of the United States, that number doesn’t give you the opportunity to do very many projects,” Kent said last August. “When you look at the size of major investments on the IT dashboard, you can pretty quickly get your head around the fact that $25 million isn’t going to go very far. It was originally envisioned with more, and more was asked for.”

Roughly a year ago during the early days of the pandemic, lawmakers proposed doling out $3 billion for the TMF to help agencies fund IT upgrades tied to the coronavirus response. That proposal was cut from the final draft of the bill that would become the CARES Act.

Ever since then, advocates across D.C., including Connolly and his colleague Rep. Steny Hoyer, D-Md., have argued with little success that modernized tech and cybersecurity play an essential part in federal COVID-19 response efforts. Tech associations like the Alliance for Digital Innovation also pushed repeatedly for TMF funding, penning letters to leaders on Capitol Hill in defense.

It wasn’t until Biden took office and Democrats took over both chambers of Congress that it looked possible that the TMF would receive funding. The Biden administration proposed a whopping $9 billion deposit in its initial outline of the American Rescue Plan. Even then, in February, it appeared TMF might get shorted by the Senate, which cut the proposal from an early draft of the most recent relief bill.

Rep. Carolyn Maloney, D-N.Y., said in a statement she is glad to “secure some funding, but we need much more to fully address the vulnerabilities of our aging federal IT systems.” She added: “We are working closely with the Senate Homeland Security and Government Affairs Committee on additional legislative options to ensure the federal government has the technology infrastructure it needs to serve Americans efficiently, effectively, and securely.”

The TMF isn’t the only federal IT program to benefit from the relief bill. When signed, it will also send $650 million to the Cybersecurity and Infrastructure Security Agency (CISA) for “cybersecurity risk mitigation,” $200 million to the U.S. Digital Service — once again multiplying several times over what USDS has received in funding so far during its short life — and $150 to the General Services Administration’s Federal Citizens Services Fund.

Top admiral says IT platform is ‘key’ to deterrence in the Pacific

The top admiral overseeing all forward-deployed forces in the Pacific — from North Korea to New Zealand — is working to convince Congress that stronger IT platforms are key to winning future fights in the region.

One of the programs Adm. Philip Davidson, commanding general of the Indo-Pacific Command, wants Congress to continue to fund is the Mission Partner Environment (MPE), which allows partner nations to link into U.S. military systems and communications. Davidson said the platform is critical in deterring the military’s top strategic competitor China as it allows the U.S. to work more closely with allied nations.

Davidson’s argument — which he presented during a pair of hearings this week before the House and Senate Armed Services committees — is that the U.S.’s strongest asset in the region is its partnership with allies. To further deepen those ties, the military needs to link communications and tactical data networks with those friendly countries, he’s said while making rounds on the Hill in the early days of this month.

Lawmakers appeared receptive to boosting funding for Pacific operations and tech being a part of that.

“MPE provides universal battle management and automated decision making by accessing a multi-domain sensor network,” according to Davidson’s written testimony.

The environment would be funded in part through the Pacific Deterrence Initiative (PDI), a larger $27 billion request over the next six years. The PDI is a specific pool of money authorized by Congress to fund troop deployments and other deterrence-related activities in the Pacific. It’s modeled after the European Deterrence Initiative, created to counter Russian aggression in Europe in 2014. Davidson described the broad strokes of the PDI in the open part of the hearings but saved intimate details for a closed, classified briefing with lawmakers.

While in fiscal 2021 MPE specifically got $50 million in funding, it’s unclear what Davidson wants for the program in the years to come.

MPE is already available and in use by some high-level officers, but Davidson wants to expand that.

“My key objective…is to pursue the MPE,” he told senators of strengthening alliances.

Former DOD Chief Information Officer Dana Deasy told reporters in July that the MPE was a key priority of the CIO’s office as well. But, he estimated that the cloud-based system wouldn’t be in widespread use until 2028.

“This is the next generation of how we fight and communicate with our allied partners,” Deasy said.

The military is currently in its own internal battle to link data from the different services and domains. Trying to link tech from different countries may prove even more challenging as it will need to not only bridge languages but ensure interoperability with equipment built by other militaries.

“Interoperability is at the very core of our Republic of Korea-U.S. military alliance, and it has been that way for decades,” Gen. Robert Abrams, commander of U.S. forces in Korea, told the House Armed Services Committee during a hearing Wednesday.