Zero trust: Reputation means nothing anymore
At Cisco, Will Ash helps U.S. government agencies manage cyber risk and secure their mission.

Will Ash, Sr. Director, U.S. Public Sector, Cisco
Cyberattackers exploit the trust we place in people and technology to breach critical systems and data. They target our trusted suppliers, partners and service providers. And the startling cyberattacks that keep happening teach an important lesson: Organizations simply cannot trust anything or anyone anymore — everything is a potential attack vector.
No wonder zero-trust security keeps gaining traction among both government and industry enterprises. But what is zero trust?
Last year the National Institute of Standards and Technology (NIST) released a comprehensive Zero Trust Architecture special publication (NIST SP 800-207). It outlines seven core tenets, followed by a six-part view of a zero-trust network, plus details on components, deployment scenarios, use cases, and more. It’s an incredibly valuable report, but it can seem a bit overwhelming. So, let’s dial the complexity down a little.
At its core, zero trust means that trust is neither binary nor permanent. People and devices cannot “earn” trust, and a trustworthy reputation means nothing. It doesn’t associate “internal” with “trustworthy.” Zero trust validates and revalidates everything, at each access attempt. It monitors everything in real time to spot changes or behavior that appear risky, and it takes immediate action.
Let’s simplify it further with three pillars that describe zero trust:
- Zero trust for the workforce: Ensures that users and devices can be trusted at the moment they try to access systems, regardless of location. Authorization is brief and constantly reassessed.
- Zero trust for the workplace: Secures network access for all systems and devices and enforces least privilege to tightly control where they can go.
- Zero trust for workloads: Prevents unauthorized access within application environments no matter where they’re hosted.
Understanding zero trust is one thing; adoption is quite another. So, take a breath, and take comfort in NIST SP 800-207, which says that zero trust is “a journey rather than a wholesale replacement of infrastructure or processes,” and encourages small steps to implement it over time. It’s certainly possible to build a zero-trust architecture from scratch. But at Cisco, we’re helping agencies migrate from legacy, perimeter-based architectures today.
But where do you start?
A zero-trust journey begins with a platform approach that balances security and usability at scale. It consistently enforces policy-based controls both on-premises and in multiple clouds; it provides real-time visibility into users, devices, components and applications. It identifies threats and automates response actions. Just use the three-pillar approach we already introduced: zero trust for the workforce, workloads and workplace.
Zero trust for the workforce
Authentication has always been critical to ensure that people and devices are who they say they are. Unfortunately, passwords are putting us at risk because they are stolen, cracked, guessed, weak and left unchanged for long periods of time, sometimes forever. Zero trust demands better.
Imagine if an organization could establish trust in users and devices through multifactor authentication and continuous monitoring of each access attempt. You’d be able to:
- Protect against all-too-common credential compromise.
- Enforce least privilege access policies for every application, individually.
- Block access from risky, compromised or non-compliant devices.
By starting with zero trust for the workforce, you’ll be able to make some of the most important incremental steps toward a zero-trust architecture. The enterprise will rely less on reputation, and more on strong authentication and continuous verification.
Zero trust for the workplace
Next, let’s consider your modern workplace. It’s everywhere and anywhere. Therefore, zero trust should allow authenticated users to reach authorized resources from any location or any device, according to your agency’s set policies. It shouldn’t matter where the applications are or where they’re hosted either.
The zero-trust workplace helps to:
- Secure network access by automatically identifying, classifying and authorizing everything on the network.
- Segment the network to enforce least privilege access and dynamically contain threats.
- Spot hidden threats in encrypted traffic without decrypting it.
Through zero trust for the workforce and workplace, you’ll have made critical improvements to dramatically reduce unnecessary risk. But let’s not forget about applications and data, which brings us to workloads.
Zero trust for workloads
Think of all the pieces that make modern government applications work: Clouds, virtualization, containers, microservices, APIs and more. How can you eradicate trust from the complex web of today’s application stacks?
Zero trust for workloads provides visibility into applications — no matter where they are — to see and control how they work. It enables application segmentation to minimize lateral movement, and monitors application performance to identify root causes. After all, some operational problems are caused by security problems — ransomware is a simple example. So, if you can visualize and control every component and dependency across any environment, you’ll restrict resource access to only those explicitly authorized at that moment in time.
Reputations mean nothing in a zero-trust architecture. People, applications and devices are everywhere, and nothing is “internal” anymore. Yet your mission relies on the confidentiality, integrity and availability of today’s modern government IT. It’s nearly impossible to do away with legacy, perimeter-based approaches. Zero trust is the way forward.
Learn more about how Cisco can help your organization implement a comprehensive zero-trust security model.
Senators attempt to improve electronic health records a second time amid COVID-19 pandemic
A bipartisan group of senators is taking a second stab at improving patient record matching among health-care providers — this time to aid COVID-19 vaccine distribution.
Their reintroduced Patient Matching Improvement Act would make the U.S. Postal Service’s address-formatting tool available to hospitals, testing laboratories and vaccination sites to increase correct patient record linkages across providers.
Researchers estimate improving the exchange of information between health IT systems in this way could mean tens of thousands of additional matches.
“The COVID-19 pandemic is the worst public health crisis that our country has witnessed in generations, and we must take full advantage of any technology that is available to us in order to contain this virus and save lives,” said Sen. Maggie Hassan, D-N.H., who’s co-sponsoring the bill with Sen. Bill Cassidy, R-La. “This bipartisan bill provides a simple solution to help improve the vaccination process, bolster contact tracing efforts and more accurately track community spread.”
Improving electronic health record systems will also help patients after the pandemic, Hassan added.
Patient matching fails up to half the time due to record typos, changes in names or address, and similarities in information between people.
Hassan and Cassidy first introduced the bill in August, during the previous Congress, to aid COVID-19 response efforts. Back then the two warned delaying could hinder broad administration of a vaccine, but the bill never left the Senate health committee.
“Identifying and containing COVID-19 before it spreads within a community is possible with existing technology,” said Cassidy, a doctor. “This bill provides an important tool to more quickly isolate the virus and save lives.”
Air Force’s Platform One deepens ties with industry in new agreement with Lockheed
The Air Force’s DevSecOps environment Platform One has inked an agreement with Lockheed Martin to collaborate on software-factory activities, deepening the platform’s ties to industry.
The Basic Ordering Agreement (BOA) allows for future task orders and contracts between the two to get signed much faster than the traditional acquisition process allows. The work Lockheed anticipates doing is transitioning other defense customers’ systems to the Platform One environment and “hardening” the security of the platform.
“Collaboration with industry is key to the success of Platform One and other advanced cloud and software efforts, and we look forward to working with the Defense Industrial Base to improve the way we deliver fast, secure and high-quality code to warfighters,” the Air Force’s Chief Software Officer Nicolas Chaillan said in a release.
A BOA is not a contract itself, but can allow for more easily issued task orders or contracts for products and services that are hard to quantify, like code, according to government guidelines. It can shrink the time to issue future contracts from months to days, Robin Yeman, senior software engineer and Lockheed Martin Space senior fellow, said in an interview.
“This allows us to rapidly get on contract for capability they need to deliver,” she said.
Platform One has been signaling its desire to deepen its ties with industry. It recently published a request for information for a Cooperative Research and Development Agreement (CRADA). That’s a research partnership between the government and nongovernment entities that allows for the private sector to commercialize government-created technology while contributing to further research.
Platform One’s DevSecOps uses containerization and the associated Kubernetes technology to automate code deployment in a secure way. The idea is to make the process so secure the products themselves can be trusted. It’s a process Yeman called “revolutionary,” especially in government where security is paramount but agility has been lagging.
“It is treating IT like a mission,” she said.
With this BOA, Lockheed also benefits by getting to apply Platform One’s DevSecOps to its own software factory.
“Software is at the heart of every system we deliver, and we understand the DoD’s urgent need for faster deliveries, more powerful mission capabilities, and open-source, open-architecture foundations for software,” Yvonne Hodge, senior vice president of Enterprise Business Transformation at Lockheed Martin, said in a release. “Platform One is a truly innovative approach that is propelling the DoD’s DevSecOps evolution, and the collaboration with industry has helped us build infrastructure and capabilities that are well-aligned to the DoD’s vision.”
Platform One is the environment on which all the code for the Air Force’s Advanced Battle Management System (ABMS) is being created. ABMS and other initiatives that aim to link sensors to shooters via an internet-like capability for weapons, all will rely heavily on software and the security of Platform One.
House Armed Services Committee adds subcommittee focused on tech
The House Armed Services Committee has split the focus of one of its subcommittees to give more attention specifically to the Department of Defense’s emerging technology and IT work, it announced Wednesday.
The new Cyber, Innovative Technologies, and Information Systems (CITI) Subcommittee was formed out of the now-former Intelligence and Emerging Threats and Capabilities Subcommittee. The intelligence and non-technical work of the former subcommittee will continue on under a new Subcommittee on Intelligence and Special Operations.
The change was made to be able to provide more focused oversight on technology matters and shift over non-technical topics, like special operations and counter-proliferation of weapons of mass destruction, to other groups of lawmakers. The new subcommittee’s jurisdiction includes cybersecurity, IT policy, artificial intelligence and software acquisition.
“As technology continues to advance at an incredibly rapid rate – from artificial intelligence to biotechnology and everything in between – it is critical that the Armed Services Committee redoubles our efforts to bridge the gap between current capabilities and future requirements,” full committee chair Rep. Adam Smith, D-Wash., and new subcommittee chair Rep. Jim Langevin, D-R.I., said in a statement.
Langevin was also chair of the former Intelligence and Emerging Threats and Capabilities Subcommittee. The top Republican on the old subcommittee, Rep. Elise Stefanik, R-N.Y., will also transition over as ranking member.
Some of the new technology subcommittee’s members also participated in a recent task force that crafted a report on the future of warfare, examining the use of artificial intelligence, cyber war and other technology-driven changes to the armed forces.
The full list of the subcommittee’s jurisdiction will be:
- Cybersecurity, operations, and forces
- Information technology, systems, and operations
- Science and technology programs and policy
- Defense-wide research and development (except missile defense and space)
- Artificial intelligence policy and programs
- Electromagnetic spectrum policy
- Electronic warfare policy
- Computer software acquisition policy
FBI awards $13.5M risk assessment contract in move to CIA clouds
The FBI is adopting the intelligence community’s real-time risk assessment practices for cloud computing.
Telos Corporation announced a $13.5 million contract from the bureau Wednesday to integrate its Xacta solution — which is already used by the CIA — with the FBI’s clouds. The bureau wants to shorten the time it takes to grant contractors permission to access its systems so its assessors can focus on more pressing security issues.
“They want to have a customized risk-management framework,” John Wood, CEO of Telos, told FedScoop. “They want to have a customized business process that provides workflows, and that ensures process efficiency and consistency across their enterprise.”
Telos has 12 months to add the risk assessment capability to the GovCloud the FBI uses, then to the FBI’s part of two CIA clouds: Commercial Cloud Services (C2S) and Secret Commercial Cloud Service (S-C2S). The FBI expects to hook up with those services this year.
Contractors seeking authorities to operate in the FBI’s system, whether on premise or in the cloud, must test against about 11,000 security controls within the National Institute of Standards and Technology’s Cybersecurity Framework. The manual process used to take nine months for the IC to provision a server but with the cloud takes 30 seconds, Wood said.
Xacta automates 85 percent of those controls and continuously updates them; the controls ensure “very solid” cyber-hygiene such as good passwords, strong user access control and multi-factor authentication, Wood said.
Gaining a better understanding of the bureau’s risk posture is especially important following the massive breach of software from government contractor SolarWinds, Wood said. The incident compromised at least eight agencies as of December. The FBI has not specified whether it was exposed to the breach.
CMMC Accreditation Body must split to meet requirements of new contract
The third-party accreditation body implementing the Department of Defense‘s new cybersecurity standards for contractors will split into two entities to meet international standards mandated through a no-cost contract it signed with the department last fall.
The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) will split off the part of the organization that trains and tests assessors, creating the CMMC Assessors and Instructors Certification Organization (CAICO), according to contract language that mandates the shift. The AB will retain the responsibility of accrediting assessors that will do the cybersecurity audits of defense contractors’ networks.
The mandate was a focal point of the months-long negotiations between the accreditation body and the DOD on the no-cost contract’s statement of work (SOW), which defines the relationship between the two. Those discussions grew contentious at times, especially over control and responsibilities of the CMMC “standard,” sources told FedScoop.
The contract was signed in November, but only became public on Feb. 1 following a Freedom of Information Act request from Inside Cybersecurity. FedScoop filed a separate FOIA in early December that has not been returned.
The AB has said the split will not substantially impact assessors within the ecosystem, adding that the move is necessary to meet international standards that guard against conflicts of interest in assessment organizations.
Some board members have hinted at the AB looking different in the months and years to come while still providing the same services to those seeking to become assessors.
“There is a lot to this; this is not going to happen next month,” Jeff Dalton, the new vice-chair of the AB, said during a recent town hall. “We are going to start moving toward these things over time.”
The split outlined in the SOW is tied to ISO 17011, which does not permit accreditation bodies to control both the training and accreditation process. Housed under one entity, there could be a conflict between the quality of the training and the scrutiny of the accreditation.
The split will not impact other parts of the CMMC ecosystem the AB has oversight over, board members have said.
The AB will need to have the organizational split completed by Oct. 31, 2022, according to the contract.
The board is now in a race to accredit enough assessors to begin the long process of certifying the roughly 300,000 contractors in the defense industrial base. CMMC requirements are being rolled out into contracts over a five-year period. Once fully in place, contractors will need to be certified at the appropriate one-to-five cybersecurity maturity level to work on a DOD contract. The scale is based on the sensitivity of the information contractors will be given permission to handle on their networks — level one requires basic security hygiene practices and level five includes elaborate security for networks.
The statement of work replaces a previous memorandum of understanding and gives the DOD considerable oversight over the AB. Now, the board’s financial decisions must be reported to the DOD. The department will also conduct quarterly reviews of the AB to ensure it’s in compliance with DOD policy and “alignment” with the contract.
How cloud security tools provide greater return on agency resources
Security weaknesses exposed during the COVID-19 pandemic have prompted government agency IT leaders to look for better ways to address three key areas: vulnerabilities, threats and inefficiencies in measuring risk, according to a new report.
These vulnerabilities have also led to the realization that rather than piling on more tools, agencies are attaining more meaningful results by utilizing cloud services to increase visibility across their networks and analyze security data more rapidly.
The report spotlights New York City Cyber Command as one of the many agencies that have seen significant operational improvements by taking a cloud-based, zero-trust approach that utilizes Google Cloud. The increased storage capacity, processing power and lower total costs gave NYC Cyber Command cybersecurity experts the ability to analyze data quickly and respond to security threats faster.
Using a cloud-based approach to security is a more cost- and resource-effective way to get the most from agency security tools, says the report, produced by FedScoop and StateScoop and underwritten by Google Cloud. With a “single-pane-of-glass” view across the infrastructure — and a number of FedRAMP-approved cloud services — Google Cloud’s platform is designed to take on cybersecurity in a holistic manner.
The reality for many organizations is that their IT teams have a lot to manage already. In addition to ever-changing regulations and policy updates, there is an overwhelming amount of data and tools that agencies must manage, according to Dan Prieto, Google Cloud’s strategic executive for Public Sector.
“An average large enterprise can have upwards of 150 cyber tools installed. That level of complexity and fragmentation hinders the ability of cyberdefenders to operate with agility, scale and timeliness in the face of evolving cyberthreats,” he says.
To turn the corner on security, finding the right partners to work with is an effective way to integrate real-time analytics at scale. It can be a game-changer in terms of productivity.
The report touches on a number of tools that are available to consolidate and integrate cybersecurity telemetry and essential IT operations data from across all parts of the enterprise — legacy and cloud alike.
“When organizations move to a hybrid- or multicloud environment, a common misconception is that they can take their existing infrastructure and replicate it,” shares Chris Johnson, global compliance product lead at Google Cloud. The problem with that practice is that if you have inconsistent application of your security and compliance controls, you’re at risk.
That’s why the single-pane-of-glass view deployed across the hybrid-cloud infrastructure helps solve those visibility problems around policy and focuses security on outcomes.
Rather than piling on more tools, leaders are able to understand risk and able to make better informed decisions about resource trade-offs to make their existing resources go as far as possible.
Learn how Google Cloud helps government agencies improve citizen services, increase their operational effectiveness and deliver proven innovation or read more stories on preparing a Future-Ready Government.
This article was produced by FedScoop and StateScoop and sponsored by Google Cloud.
The future of work in a post-pandemic world
The COVID-19 pandemic is pressuring federal agencies to embrace digital transformation at a faster rate than they have been accustomed to. While these quick changes present certain challenges, they may set many organizations on a path towards a more secure infrastructure, more productive workforce and ability to retain the necessary talent within public service, according to a new report.
The good news for agencies is that they are not alone. Every organization has been undertaking digital transformation in some form for years. The pandemic has just given technology adoption all-new gravity and urgency.
A recent report, produced by OpenText, explores the possibilities and pitfalls of the future workforce and offers guidance for public service and critical infrastructure leaders. As the pandemic response has evolved, common trends are emerging among organizations to keep their workers safe and remain productive.
“Even industries that once held a siloed view of themselves are now looking more to their counterparts to evaluate what’s working,” says the report. “This kind of cross-industry collaboration and knowledge sharing will play a significant role in shaping the future of work for every industry.”
Whether or not these changes will continue after the immediate crisis ends is unclear. But the report predicts long-lasting lessons that will change how organizations operate moving forward, such as:
- A “digital-first” strategy won’t be optional.
- Technology will continue to be the cornerstone of business continuity and resilience.
- Remote work will be much more common.
- Building an innovation culture and mindset will be critical.
“Enterprise leaders must consider how they adapt their existing processes to continuously enhance their employee and customer experience,” the report says.
That will require agency leaders to be more proactive with technology changes that can equip them with actionable insights from their organization’s data and streamline systems function to ensure agency programs are flexible enough to support change.
“From the rise of cybersecurity attacks, data and compliance challenges, as well as the pressure to accelerate digital transformation, the future of work will be rooted in innovation, scalability and collaboration. The bottom line is these challenges will produce positive side-effects across industries,” the report says.
OpenText is a leader in enterprise information management — a solution that provides a comprehensive view of all information within the enterprise environment, both on-premise and in the cloud.
Read more about future-proofing your enterprise in times of unprecedented digital transformation.
This article was produced by FedScoop and sponsored by OpenText.
Eric Hysen to return to DHS as CIO
The Department of Homeland Security is awaiting word from the White House to announce Eric Hysen as its new chief information officer, according to a source with knowledge of the hiring.
For now, Hysen holds the title of senior adviser at the department, a DHS spokesperson told FedScoop. His announcement as DHS CIO, a politically appointed position, is imminent, a separate source said.
The White House appointment will see Hysen — a member of the Biden-Harris transition team who focused on technology strategy and delivery — return to the department whose Digital Service he created as a wing of the larger U.S. Digital Service team.
Hysen fills the vacancy left by Karen Evans, who departed in January.
The role of DHS CIO sits inside the management directorate, overseeing IT coordination across the greater department and working with component agency CIOs, like Immigration and Customs Enforcement and the Transportation Security Administration. The CIO is in charge of IT security for the department, separate from the work of DHS’s Cybersecurity and Infrastructure Security Agency, whose mission is to protect the nation’s critical infrastructure from physical and cyberthreats.
During Hysen’s last stint at DHS, from September 2015 to March 2017, his team of 35 IT experts improved the U.S. Refugee Admissions Program through data analytics and predictive modeling, launched an online application for citizenship, and developed tools to streamline airport security.
When he departed Hysen called his time at DHS his “first tour of duty,” adding he was “hooked” on the impact.
More recently Hysen served as senior fellow of policy design and implementation at the National Conference on Citizenship, where he worked with the Penn Biden Center for Diplomacy and Global Engagement to recommend innovations in refugee policy, process and systems.
Hysen’s pending appointment was first reported by Federal News Network.
Kathleen Hicks to prioritize data as Pentagon No. 2
Kathleen Hicks, the nominee to be deputy secretary of Defense, told senators during a confirmation hearing Tuesday she wants to continue pushing the Department of Defense to be a data-driven organization.
Likely to be confirmed as the Pentagon’s No. 2 in the coming days, Hicks said she would take the job of the de-facto chief operating officer and lead by using data to inform business decisions. She also committed to continuing the push to modernize warfighting systems to be more data-centric in new operating concepts.
“As we move into an era of data, the department needs to move there too,” she told the Senate Armed Services Committee.
As deputy secretary, Hicks will likely oversee most Pentagon technology modernization and reform initiatives in place of her boss, Secretary Lloyd Austin, whose expertise lies more in uniformed military operations as a retired four-star general.
Many saw Hicks’ nomination as a counterbalance to Austin with her mastery of the “bureaucratic black arts,” as former Defense Secretary Robert Gates said introducing her during the hearing. Gates also praised her strategic analysis that included work on the recent National Defense Strategy, which pivoted the military to focus on great power competition with China.
“At a time of significant challenges internationally and great uncertainty surrounding defense budgets and programs, Dr. Kath Hicks is well qualified to assist Secretary Austin in realistically ensuring that budgetary decisions and military strategy are integrated,” Gates said.
Hicks expressed support for using data not only in business and budgetary decisions but also in military operations. She endorsed the military needing to move towards new “operational concepts,” a likely reference to the data-centric Joint All Domain Command and Control (JADC2) concept where battlefield networks are to be linked across domains.
Hicks previously ran the International Security Program at the Center for Strategic and International Studies where she authored and oversaw reports that called for a data-centric, internet-like system of warfare and bringing more technology talent in the DOD.
While she did not mention artificial intelligence during her hearing, in advance written answers to policy questions she expressed support for the main AI hub she would oversee if confirmed — the Joint AI Center. The latest defense policy bill made the office a direct report to the deputy secretary.
“If confirmed, the JAIC will be my primary tool for guiding and accelerating the integration of artificial intelligence into the Department’s missions and activities,” she wrote, committing to regular meetings with JAIC leadership.
Hicks also voiced support for the current cyber posture of “defend forward,” where cyber operators covertly breach foreign adversary networks to understand their position and get early warnings on potential attacks on U.S. networks. The concept has come under some scrutiny recently given the failure of the U.S. government to see a widespread supply chain breach in the SolarWinds Orion hack.
“I am supportive of the approach,” Hicks said, but added that she needs to examine “exactly how the authorities are being executed,” giving her some wiggle room to adjust her broad support in specific areas.