The votes are in for the 2025 FedScoop.

See the winners!

DOD to get ‘entire spectrum’ of AI testing in upcoming JAIC contract

The Department of Defense‘s Joint Artificial Intelligence Center plans to issue a multiple-award contract for testing and evaluation services to support all of the department’s AI testing needs.

The contract, expected to be awarded sometime in February, will not just be for the JAIC but rather a mechanism for all of the DOD offices working on AI to access private sector support when testing their systems.

“What we are looking for is the entire spectrum of support,” Jane Pinelis, the JAIC’s head of AI testing and evaluation, said Tuesday during an AFCEA DC event. That could mean testing an algorithm for bias or checking that it can integrate across systems, Pinelis said.

JAIC leaders have said the center should be a leader in testing, given that many of its AI systems will be applied to lethal missions. Pinelis said the JAIC has some of its own internal tools for testing models, but it needs help automating parts of the process, like updating algorithms and software interoperability. Other areas of need include human integration testing, human-machine trust and simulating real-world environments that AI could be deployed in.

The contract’s design for whole-of-DOD use comes after the JAIC recently shifted its core mission away from building products and fielding AI to be an “enabling force” in support of the many offices across the DOD working on AI. Part of that “JAIC 2.0” mindset is to ensure the services it procures from industry can also be leveraged by other parts of the DOD’s AI ecosystem.

This multiple-award contract will be one way for the JAIC to make a connection with industry that others across the department can later use, Pinelis said.

“That was a very important setup for us,” she said of the larger department’s benefit from the contract. “The JAIC is about enabling the department to achieve scale, and the only way we can do that is if we come up with these contract vehicles that others can use as well.”

OMB nominee Tanden on technology: ‘We have a lot of work to do’

The recent SolarWinds breach at several federal agencies has made it clear: “We have a lot of work to do” to improve the government’s use of technology, President Biden’s pick to run the Office of Management and Budget said Tuesday during her confirmation hearing.

Neera Tanden pledged Tuesday to make IT modernization and cybersecurity top priorities if confirmed as director of OMB, which houses the roles of Federal CIO and CISO; the U.S. Digital Service; and the Information Technology, Oversight and Reform fund that supports those offices.

“I think we all recognize that this is not just some far-off risk, it’s a real risk to the American public and their own data,” said Tanden, who was president of left-leaning think tank Center for American Progress prior to her nomination. “And it is increasingly one that other countries are weaponizing. And so it is a high priority.”

Much like President Biden’s American Rescue Plan, Tanden pointed to the Technology Modernization Fund as the vehicle of choice to bolster federal cybersecurity and kick modernization into overdrive. In response to the SolarWinds incident and the ongoing need for technology during the pandemic, the administration has proposed a $9 billion injection of funding into the TMF — a central pot of appropriations intended to fund modernization projects under the stipulation that participating agencies pay back the funding within five years. Tanden advocated for agencies using TMF funding to move decades-old legacy systems to the cloud, shoring up cybersecurity along the way.

But it appears Congress once again has decided to kick the can down the road on expanded funding for the TMF. Lawmakers removed a proposed $9 billion increase from the next COVID-19 relief package due to a hangup in the Senate, FedScoop learned earlier this week. The Biden administration will continue to push for the money in future funding bills.

“We recognize the importance of this modernization, also during a global pandemic, where we need to make sure that our agencies’ information and essentially the public’s privacy is protected, and protected well,” she testified before the Senate Committee on Homeland Security and Governmental Affairs. “So modernizing our systems and allocating resources so that we modernize our systems is really, I believe, a way in which we can make the federal government much more efficient, much more effective, and much more directed to the needs of customers are the American citizens.”

Tanden really emphasized the need for the government to be more in touch with the needs of the American public as they come to it for services. She called it ironic that the U.S. government is so “woefully inefficient and ineffective because we don’t really use technology effectively,” when the nation’s commercial tech industry is one of the most innovative in the world.

“We have the greatest technological innovations and some of the most technologically innovative companies, and our country, our government, you still can’t access information, small businesses can’t find out if they can get access to a small business loan as efficiently, as effectively as possible,” Tanden said.

Tanden likely won’t face an easy road to confirmation in an evenly split Senate due to her partisan background. Sen. Rob Portman, R-Ohio — a former OMB director himself — brought up some of her controversial partisan jabs on Twitter at his Republican colleagues — many of whom will vote on Tanden’s confirmation, like Sen. Ted Cruz, R-Texas, whom she compared to a vampire.

“I do think the last several years have been very polarizing and I apologize for my language that has contributed to that,” said Tanden, who since deleted the troublesome tweets. “I know it’s on me to demonstrate to this committee and to Republican members and Democratic members I can work with anyone.”

Connolly bashes Senate’s ‘short-sighted’ decision to kill TMF funding mid-pandemic

Rep. Gerry Connolly criticized the Senate’s “short-sighted” decision to kill $9 billion for IT modernization in the latest COVID-19 relief package as “dereliction” on Tuesday.

Connolly, a Democrat from Virginia, thought the House and Senate had reached a consensus agreement to fund the Technology Modernization Fund at around $5 billion or $6 billion.

Prior to taking power, the Biden administration chose TMF as its mechanism for pumping money into ancient IT systems that have struggled to provide people and small businesses with pandemic relief funds, proposing to put $9 billion into the fund.

“But the Senate, in its great wisdom, started arguing: ‘What is that for? That seems like a slush fund. How is that related to COVID?'” Connolly said at an ACT-IAC event. “And you would think that they were living on a different planet.”

Many lawmakers operate on the “false assumption” the government transitioned to remote work and began making direct payments to people and loans to small businesses on functional IT systems during the pandemic, he said. Rather, the reality is the Small Business Administration‘s E-Tran system went from processing a loan portfolio of $20 billion to handling $400 billion in relief funds overnight. And the system’s rules for eligibility, financial institutions, terms and conditions, and transferring loans into grants all had to change to save more small businesses.

“The E-Tran system couldn’t handle programming the changes, couldn’t handle the enormous volume of requests, couldn’t handle the volume of additional loan money,” Connolly said.

Businesses went under as a result.

Similarly, the IRS‘s 40- to 50-year-old IT systems struggled to send out stimulus checks due to changes in qualifications and income thresholds, as well as problems finding people’s direct deposit information.

Money approved in April was still being disbursed in September at a rate of only 5 million payments a week.

Through it all, Congress has passed five relief bills exceeding $4 trillion in less than 11 months, including a $918 billion bill in December, without funding TMF once.

“It’s another example of the educational process we need to undertake with my colleagues in the Congress, especially in the other body, about just how integral and important these investments are,” Connolly said. “And that the whole mission can fail if you don’t make those investments.”

Northrop Grumman’s sale of IT shop reflects interest in market’s growth, analysts say

As private equity firm Veritas Capital buys Northrop Grumman’s IT shop for a reported $3.4 billion, the acquisition is effectively creating one of the largest defense IT providers while highlighting the growing consolidation in the market.

The sale is in line with recent trends for major defense firms, which have been selling off IT shops, and for buyers, who are eager to tap into the market for big-ticket federal contracts. This latest sale, completed Feb. 1, was not a surprise to analysts, who said it showed the continued growth of the federal IT business. Veritas plans to combine the acquired business with its Peraton unit, which is a major IT service provider to the Department of Defense.

“The interesting thing about it [is that Northrop] hadn’t done it sooner,” Andrew Hunter, director of the Defense-Industrial Initiatives at the Center for International and Strategic Studies, said in an interview.

The military has been placing more emphasis — and dollars — on IT in recent years, giving contractors with the technology talent ample room to pursue business lines. Major programs like the Joint Enterprise Defense Infrastructure (JEDI) cloud computing project have multibillion-dollar ceilings, and projects like the Air Force’s network-of-networks Advanced Battle Management System (ABMS) have brought tech that used to be more back-office-focused — like data analytics — closer to the battlefield.

“IT markets are growing markets, full stop, without question,” Hunter said. There might be some areas where traditional contractors couldn’t fully take advantage of that situation, however, because they’ve been “seeing growth in revenue, but not growth in margins,” he said.

That growth in revenue, meanwhile, has been enticing for IT-focused capital groups and technology firms.

Veritas has been a major player in the recent acceleration of acquisition activity in the IT market. It bought Peraton from L3Harris in 2017 for $690 million before going on to pay $7.1 billion for Perspecta, which it plans to merge with the Northrop buy. Separate arms of Veritas have also made recent major defense IT acquisitions. The series of purchases could create the DOD’s largest IT service provider by contract revenue soon, according to analysis from Bloomberg Government.

As the multibillion-dollar deals are closing, market forces are working on companies at the newer end of the life-cycle, too. Startups and early-stage venture-backed companies are entering defense IT in ways that are disrupting how the big, traditional players build new business lines.

In the past, consolidation was a money-moving “shell game” with in the market, said Nate Ashton, managing director for public policy at Dcode, a government-technology incubator. The game basically served to streamline revenue and create a more efficient “back end” for managing contracts, he said.

In the future, acquisitions could start to focus on buying out the disruptive technology being brought to market, Ashton said.

“What I think will come down the line over the next few years … is more smaller acquisitions of true differentiating technologies,” Ashton said.

Now, most of the value-add for companies in inking multibillion-dollar deals comes with adding IT personnel, prime contracts and government connections. With more emerging technology on the horizon, innovations themselves could become a part of the equation, Ashton said.

Innovation from within is also part of the picture for the big contractors, too, of course. Northrop Grumman is not completely exiting the IT business, analysts noted, because its portfolio of defense work will remain tech-heavy as warfighting systems become more intertwined with software and IT.

Congress’ tradition of cutting TMF funding from COVID-19 relief packages continues

Lawmakers removed a $9 billion increase to the Technology Modernization Fund from the next COVID-19 relief package due to a hangup in the Senate, a congressional source said Monday.

It’s not the first time an expansion of the TMF — a White House-administered program for boosting agencies’ IT — has been proposed as a component of a coronavirus response bill, only to fall aside as the House and Senate negotiated the packages.

In this case, Sen. Kyrsten Sinema, D-Ariz. took issue with the cost, the congressional source said. Her office could not be reached for comment prior to publication.

Democratic Reps. Carolyn Maloney of New York and Gerry Connolly of Virginia, who chair the House Oversight Committee and its Government Operations subcommittee, respectively, petitioned hard for a TMF boost benefitting high-priority IT and cybersecurity projects in a late January letter to House leadership.

But despite President Biden‘s initial support for improving federal IT, he’s also been looking for ways to shrink spending in the relief bill. The president wants a $1.9 trillion package that emphasizes helping unemployed people, lower-wage workers and families with children.

The proposed TMF funding would represent, by far, the biggest boost to the fund since its creation in 2017. Over the program’s entire lifespan, Congress has allocated a total of $150 million to it. Proponents of the TMF tout it as a quick and efficient way to get dollars to crucial IT projects, outside of the usual flow of agency budgets.

That efficiency is even more important during the pandemic, wrote the eight representatives in the January letter to leadership.

“Without modern and nimble IT systems, the federal government cannot deliver critical payments and services to individuals, families, and businesses who rely on them,” the lawmakers wrote.

Discussions are already underway to include the $9 billion for the TMF in another piece of upcoming legislation, said the congressional source, who asked not to be identified so as to speak freely about the negotiations.

The relief bill still includes $1.2 billion for other IT- and cybersecurity-related provisions, the congressional source said. Those include shared security services from the Cybersecurity and Infrastructure Security Agency; governmentwide projects from Technology Transformation Services within the General Services Administration; and rapid hiring by the federal chief information security officer and U.S. Digital Service.

Biden’s transition team supports increasing TMF funding as a way of launching shared IT services across government and enhancing security in the aftermath of the devastating SolarWinds breach.

Billions in TMF funding have previously been cut from COVID relief bills. A $3 billion TMF appropriation was included in the House version of the first coronavirus relief package in March but ultimately left out, as was a $1 billion appropriation proposed by House Democrats in July for a subsequent relief bill.

Biden calls for tech modernization to boost workforce at national security, foreign policy agencies

Agencies with foreign policy and national security missions must modernize to ensure officials performing those roles have the latest technologies at their disposal, according to a new memo from President Biden.

Modernization is one of the six principles that should guide the revitalization of the workforce, the institutions and the partnerships at those agencies, the memorandum says. The others are integrity, transparency, diversity, service and accountability.

President Biden‘s memo, issued Thursday, calls for recruiting and retaining technical talent that will strengthen the national security and foreign policy workforce, as his administration refocuses on diplomacy and rebuilding alliances that languished under former President Trump.

“Too many of America’s foreign policy and national security institutions have lost, or are at risk of losing, their technological edge,” reads the memo. “To succeed in a competitive world, we must close mission-critical knowledge and skills gaps, compete in and win the race for talent, equip our workforce with cutting-edge technology and agile, flexible, and adaptive organizational structures, and establish incentives and rewards for innovation across the government.”

The memo establishes an Interagency Working Group on the National Security Workforce chaired by the principal deputy national security adviser with deputy directors of the Office of Management and Budget, Office of Personnel Management, and Office of Science and Technology Policy serving as vice chairs.

Members include the heads or their designees of the departments of Commerce, Defense, Energy, Homeland Security, Justice, State, Treasury, Veterans Affairs; the Office of the Director of National Intelligence; the FBI and CIA; and the U.S. Agency for International Development.

The working group will task all agencies with forming a special advisory group of those heavily reliant on science and technology expertise to recommend ways of recruiting and retaining that talent.

In light of the COVID-19 pandemic, agencies will also be expected to propose innovative ways of surging hiring of skilled talent during crises and develop plans for increased flexibility that include remote work and adoption of secure, remote technology.

Lastly the agencies will assess their implementation of security clearance reforms and ensure investigations are efficient.

Starting a year from now, the working group will produce an annual report on the critical skills agencies need and their progress obtaining them. The group has 180 days to report on the authorities available for hiring talent in STEM fields to the national security workforce, how to more effectively use those mechanisms, and further executive actions needed.

The White House is looking beyond simply partnering with foreign nations, given changes in technology, and will use emerging technologies to further its partnerships.

“Cities and states have shown they can lead on issues such as climate change; industry stands on the cutting edge of technological development and is often responsible for securing our critical infrastructure; and social movements advance larger goals by taking coordinated, grassroots action,” reads the memo. “The United States must engage with all of these actors to best achieve its national security and foreign policy goals.”

A new National Security Council (NSC) Directorate on Partnerships and Engagement has 30 days for member agencies to each designate a senior official to oversee partnership engagement. Agencies are further encouraged to meet at least quarterly with a rotating group of partners from state and local government, academia, the private sector, nongovernmental organizations, and civil society.

Biden’s national security adviser, Jake Sullivan, has 180 days to report on low-cost, inclusive ways — such as online surveys, wikis, petitioning systems and discussion boards — to gain partner feedback.

A Deputies Committee meeting will occur within 60 days to discuss refocusing foreign policy on benefitting the U.S. middle class. And heads of the NSC and advisory agency each have 30 days to tap a senior official to head initiatives benefitting the middle class and integrating foreign policy objectives with domestic ones.

Within 90 days, agencies must report to the APNSA on how they’ll contribute to a foreign policy agenda benefitting the middle class, and the APNSA has two years to release a report assessing implementation of the entire memo.

New guidelines from NIST on how to avoid cyberattacks from a nation-state

The National Institute for Standards and Technology has some new advice for contractors that handle sensitive information desirable to adversarial nation-states.

In a new special publication, NIST SP 800-172, the agency details how systems administrators should arrange networks and which security practices could provide additional protection from advanced persistent threats (APTs) — the industry term for hacking groups typically associated with foreign governments.

The new document arrives in the wake of the SolarWinds incident, in which alleged Russia-backed attackers compromised the company’s update servers to push out malware to federal agencies, major corporations and other organizations. Similar attacks large-scale compromises are only expected to rise in frequency and ferocity, leaving contractors vulnerable to unwittingly giving away important information and damaging their reputations.

Much of the advice includes practices that should already be in place for federal contractors, such as using strong passwords, multi-factor authentication and automated tracking of unauthorized users on a network. Other suggestions could be a bigger lift — especially for small businesses — such as maintaining cyber-response teams in the event of a major incident.

“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” Ron Ross, a computer scientist and a NIST fellow, said in a release from NIST. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”

This special publication builds upon NIST’s SP 800-171, a set of requirements that often apply to federal contracts that deal with controlled unclassified information (CUI). Even though agencies like the Department of Defense requiring those so-called “171” controls in many contracts, the security practices have often been ignored or not fully implemented by contractors. The security self-checkup clearly didn’t work for many companies, DOD officials have said.

Exfiltrations of sensitive data from companies handling CUI led the Pentagon to launch the Cybersecurity Maturity Model Certification (CMMC) program to ensure contractors are meeting requirements through third-party verification. The new “172” document will likely show up in contracts that pertain to sensitive information that nation-states would like to get their hands on.

Zero trust: Reputation means nothing anymore

At Cisco, Will Ash helps U.S. government agencies manage cyber risk and secure their mission.

zero trust

Will Ash, Sr. Director, U.S. Public Sector, Cisco

Cyberattackers exploit the trust we place in people and technology to breach critical systems and data. They target our trusted suppliers, partners and service providers. And the startling cyberattacks that keep happening teach an important lesson: Organizations simply cannot trust anything or anyone anymore — everything is a potential attack vector.

No wonder why zero-trust security keeps gaining traction among both government and industry enterprises. But what is zero trust?

Last year the National Institute of Standards and Technology (NIST) released a comprehensive Zero Trust Architecture special publication (NIST SP 800-207). It outlines seven core tenets, followed by a six-part view of a zero-trust network, plus details on components, deployment scenarios, use cases, and more. It’s an incredibly valuable report, but it can seem a bit overwhelming. So, let’s dial the complexity down a little.

At its core, zero trust means that trust is neither binary nor permanent. People and devices cannot “earn” trust, and a trustworthy reputation means nothing. It doesn’t associate “internal” with “trustworthy.” Zero trust validates and revalidates everything, at each access attempt. It monitors everything in real time to spot changes or behavior that appear risky, and it takes immediate action.

Let’s simplify it further with just pillars to describe zero trust:

Understanding zero trust is one thing; adoption is quite another. So, take a breath, and take comfort in NIST SP 800-207, which says that zero trust is “a journey rather than a wholesale replacement of infrastructure or processes,” and encourages small steps to implement it over time. It’s certainly possible to build a zero-trust architecture from scratch. But at Cisco, we’re helping agencies migrate from legacy, perimeter-based architectures today.

But where do you start?

A zero-trust journey begins with a platform approach that balances security and usability at scale. It consistently enforces policy-based controls both on-premises and in multiple clouds; it provides real-time visibility into users, devices, components and applications. It identifies threats and automates response actions. Just use the three-pillar approach we already introduced: zero trust for the workforce, workloads and workplace.

Zero trust for the workforce

Authentication has always been critical to ensure that people and devices are who they say they are. Unfortunately, passwords are putting us at risk because they are stolen, cracked, guessed, weak and left unchanged for long periods of time, sometimes forever. Zero trust demands better.

Imagine if an organization could establish trust in users and devices through multifactor authentication and continuous monitoring of each access attempt. You’d be able to:

By starting with zero trust for the workforce, you’ll be able to make some of the most important incremental steps toward a zero-trust architecture. The enterprise will rely less on reputation, and more on strong authentication and continuous verification.

Zero trust for the workplace

Next, let’s consider your modern workplace. It’s everywhere and anywhere. Therefore, zero trust should allow authenticated users to reach authorized resources from any location or any device, according to your agency’s set policies. It shouldn’t matter where the applications are or where they’re hosted either.

The zero-trust workplace helps to:

Through zero trust for the workforce and workplace, you’ll have made critical improvements to dramatically reduce unnecessary risk. But let’s not forget about applications and data, which brings us to workloads.

Zero trust for workloads

Think of all the pieces that make modern government applications work: Clouds, virtualization, containers, microservices, APIs and more. How can you eradicate trust from the complex web of today’s application stacks?

Zero trust for workloads provides visibility into applications — no matter where they are —to see and control how they work. It enables application segmentation to minimize lateral movement, and monitors application performance to identify root causes. After all, some operational problems are caused by security problems — ransomware is a simple example. So, if you can visualize and control every component and dependency across any environment, you’ll restrict resource access to only those explicitly authorized at that moment in time.

Reputations mean nothing in a zero-trust architecture. People, applications and devices are everywhere, and nothing is “internal” anymore. Yet your mission relies on the confidentiality, integrity and availability of today’s modern government IT. It’s nearly impossible to do away with legacy, perimeter-based approaches. Zero trust is the way forward.

Learn more about how Cisco can help your organization implement a comprehensive zero-trust security model.

Senators attempt to improve electronic health records a second time amid COVID-19 pandemic

A bipartisan group of senators is taking a second stab at improving patient record matching among health-care providers — this time to aid COVID-19 vaccine distribution.

Their reintroduced Patient Matching Improvement Act would make the U.S. Postal Service‘s address-formatting tool available to hospitals, testing laboratories and vaccination sites to increase correct patient record linkages across providers.

Researchers estimate improving the exchange of information between health IT systems in this way could mean tens of thousands of additional matches.

“The COVID-19 pandemic is the worst public health crisis that our country has witnessed in generations, and we must take full advantage of any technology that is available to us in order to contain this virus and save lives,” said Sen. Maggie Hassan, D-N.H., who’s co-sponsoring the bill with Sen. Bill Cassidy, R-La. “This bipartisan bill provides a simple solution to help improve the vaccination process, bolster contact tracing efforts and more accurately track community spread.”

Improving electronic health record systems will also help patients after the pandemic, Hassan added.

Patient matching fails up to half the time due to record typos, changes in names or address, and similarities in information between people.

Hassan and Cassidy first introduced the bill in August, during the previous Congress, to aid COVID-19 response efforts. Back then the two warned delaying could hinder broad administration of a vaccine, but the bill never left the Senate health committee.

“Identifying and containing COVID-19 before it spreads within a community is possible with existing technology,” said Cassidy, a doctor. “This bill provides an important tool to more quickly isolate the virus and save lives.”

Air Force’s Platform One deepens ties with industry in new agreement with Lockheed

The Air Force’s DevSecOps environment Platform One has inked an agreement with Lockheed Martin to collaborate on software-factory activities, deepening the platform’s ties to industry.

The Basic Ordering Agreement (BOA) allows for future task orders and contracts between the two to get signed much faster than the traditional acquisition process allows. The work Lockheed anticipates doing is transitioning other defense customers’ systems to the Platform One environment and “hardening” the security of the platform.

“Collaboration with industry is key to the success of Platform One and other advanced cloud and software efforts, and we look forward to working with the Defense Industrial Base to improve the way we deliver fast, secure and high-quality code to warfighters,” the Air Force’s Chief Software Office Nicolas Chaillan said in a release.

A BOA is not a contract itself, but can allow for more easily issued task orders or contracts for products and services that are hard to quantify, like code, according to government guidelines. It can shrink the time to issue future contracts from months to days, senior software engineer and Lockheed Martin Space senior fellow, Robin Yeman, said in an interview.

“This allows us to rapidly get on contract for capability they need to deliver,” she said.

Platform One has been signaling its desire to deepen its ties with industry. It recently published a request for information for a Cooperative Research and Development Agreement (CRADA). That’s a research partnership between the government and nongovernment entities that allows for the private sector to commercialize government-created technology while contributing to further research.

Platform One’s DevSecOps uses containerization and the associated Kubernetes technology to automate code deployment in a secure way. The idea is to make the process so secure the products themselves can be trusted. It’s a process Yeman called “revolutionary,” especially in government where security is paramount but agility has been lagging.

“It is treating IT like a mission,” she said.

With this BOA, Lockheed also benefits by getting to apply Platform One’s DevSecOps to its own software factory.

“Software is at the heart of every system we deliver, and we understand the DoD’s urgent need for faster deliveries, more powerful mission capabilities, and open-source, open-architecture foundations for software,” Yvonne Hodge, senior vice president of Enterprise Business Transformation at Lockheed Martin, said in a release. “Platform One is a truly innovative approach that is propelling the DoD’s DevSecOps evolution, and the collaboration with industry has helped us build infrastructure and capabilities that are well-aligned to the DoD’s vision.”

Platform One is the environment on which all the code for the Air Force’s Advanced Battle Management System (ABMS) is being created. ABMS and other initiatives that aim to link sensors to shooters via an internet-like capability for weapons, all will rely heavily on software and the security of Platform One.