HoloLens 2 headset will be model for Army’s future acquisitions

The Integrated Visual Augmentation System (IVAS) the Army recently procured for $21 billion will be the gold standard for other acquisition programs to follow, the Army’s top general told lawmakers Wednesday.

The IVAS system, designed by Microsoft and based on its HoloLens 2 headset, is a “transformation” from the night vision systems the Army currently uses as it also has augmented and virtual reality capabilities built into the headset, Gen. James McConville told the House Appropriations Defense Subcommittee on Wednesday during a hearing on the Army’s budget.

The program shattered the usual multi-year — even multi-decade — timeline for fielding major Army acquisition programs, taking just 28 months to go from prototype to purchase, largely thanks to a novel structure of embedding soldiers in the design process, McConville said. “IVAS is a good example of where we are trying to go with acquisition as a whole.”

Microsoft President Brad Smith told the Senate in February that the company had bet it would win the award and had started building manufacturing facilities early to help speed up the scaling of production.

The system will allow soldiers to train in environments projected in their headsets, giving them experiences in far-flung environments. The Army also hopes the tech will reduce training injuries.

“That cap I think is going to transform how our soldiers operate,” McConville said.

McConville spoke about wanting to transform the Army from an Industrial Age force into an Information Age one, as he has repeated often in public remarks. He pointed to having constant “soldiers touch points” on the project as a successful part of the IVAS process that will be repeated in other programs to make the broader transformation he wants to achieve.

“We must transform the Army,” he said.

CISA has a better understanding of critical software post-SolarWinds hack

Following the SolarWinds hack, the Cybersecurity and Infrastructure Security Agency believes it has developed a better understanding of critical software across government.

CISA’s National Risk Management Center has spent the four months since the hack was discovered determining the risks such software poses to national critical functions and developing tools to mitigate the threat, said Assistant Director Bob Kolasky.

The SolarWinds hack compromised at least nine agencies when Russian operatives used its updating system to push malware to Orion software users, and now all agencies should take stock of their IT infrastructure, Kolasky said.

“We call this supply chain security; we call it supply chain risk management about understanding the hardware and software that you rely on to do business and do critical processes,” he said. “But that actually means differentiating between the hardware and software you rely upon to do critical processes and doing your own survey of what your critical processes are.”

Even SolarWinds customers unaffected by the hack had to reevaluate their IT environments now that supply chain attacks of this magnitude are no longer simply theoretical.

A large, nation-state adversary was nothing SolarWinds was “really, truly prepared for,” said Tim Brown, the company’s chief information security officer and vice president of security.

“This adversary was not simple,” Brown said. “They were quiet, they were stealthy, they lived off the land, they only were there when they needed to be there, they weren’t noisy.”

SolarWinds can do better as a software provider when it comes to development transparency and, after pushing releases over the last four months, is looking to help the wider industry, he added.

CISA is a partner in those efforts.

Government information sharing needs to improve, and the National Risk Management Center wants to ensure agencies aren’t entering into software contracts where, should a breach happen to one, it winds up affecting another’s systems, Kolasky said.

“What is the overall national response capability?” he said. “And how are we going to have depth of remediation, so that we can anticipate things bigger than what just happened?”

That will require working with companies like SolarWinds. Adversaries currently share information better than the public and private sectors do, Brown said.

SolarWinds attackers hit the company at the endpoint, and it didn’t have double checks in place. Now SolarWinds not only builds software but installs, decompiles and checks it back against source code, Brown said.

“I truly gave a little too much flexibility to my developers and my development network,” he added.

Many software companies do when it comes to allowing developers different operating systems and administrative and application rights. But SolarWinds has since imposed tighter policies, procedures and controls on its development team. They’ve “kind of slowed things down,” but the development team has been “very accepting” when they wouldn’t have been even six months prior, Brown said.

Check-ins to source code no longer just require a peer review but also an architect review. And SolarWinds stood up a triple-build environment, where it builds in a disconnected clean room — with both a developer and lab environment — compares results and prevents anyone from having access to all three, Brown said.
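The triple-build comparison described above, as an added illustration that is not SolarWinds' own tooling: each of three independent environments (developer, lab, disconnected clean room; the names are assumed) exports a manifest of artifact hashes, and a release is allowed only when all three agree on every artifact. A missing environment or a missing artifact is treated as a failure rather than ignored, since two agreeing builds say nothing about the third.

```python
import hashlib
from typing import Dict, Iterable

# Assumed names for the three independent build environments. Each one
# exports only a manifest of artifact path -> SHA-256 of the built file.
BUILD_ENVS = ("developer", "lab", "cleanroom")


def manifest_from_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every artifact produced by one build, keyed by artifact path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_builds(manifests: Dict[str, Dict[str, str]],
                   envs: Iterable[str] = BUILD_ENVS) -> dict:
    """Require every environment to have built every artifact identically.

    The report contains:
      missing_envs   environments that supplied no manifest at all
      missing_files  artifact -> environments that did not produce it
      divergent      artifact -> {env: hash} where the hashes disagree
      ok             True only when all three of the above are empty
    """
    envs = list(envs)
    report = {"ok": False, "missing_envs": [], "missing_files": {}, "divergent": {}}
    report["missing_envs"] = [e for e in envs if e not in manifests]
    present = [e for e in envs if e in manifests]
    all_paths = sorted({p for e in present for p in manifests[e]})
    for path in all_paths:
        hashes = {e: manifests[e].get(path) for e in present}
        lacking = [e for e, h in hashes.items() if h is None]
        if lacking:
            report["missing_files"][path] = lacking
        # Distinct hashes among the environments that did build this artifact
        seen = {h for h in hashes.values() if h is not None}
        if len(seen) > 1:
            report["divergent"][path] = {e: h for e, h in hashes.items() if h is not None}
    report["ok"] = not (report["missing_envs"] or report["missing_files"] or report["divergent"])
    return report


def release_allowed(manifests: Dict[str, Dict[str, str]]) -> bool:
    """Release gate: ship only when all environments agree on every artifact."""
    return compare_builds(manifests)["ok"]


# Constructed sample data: lab and clean room agree, but the developer build of
# one library differs by a single byte, and the clean room never produced an
# installer that the other two did. Both conditions must block the release.
_common = {"bin/agent.dll": b"agent-v1", "bin/core.dll": b"core-v1",
           "setup/installer.msi": b"msi-v1"}
SAMPLE_DEVELOPER = manifest_from_files({**_common, "bin/core.dll": b"core-v1!"})
SAMPLE_LAB = manifest_from_files(_common)
SAMPLE_CLEANROOM = manifest_from_files(
    {k: v for k, v in _common.items() if k != "setup/installer.msi"})
SAMPLE_MANIFESTS = {"developer": SAMPLE_DEVELOPER, "lab": SAMPLE_LAB,
                    "cleanroom": SAMPLE_CLEANROOM}

if __name__ == "__main__":
    rep = compare_builds(SAMPLE_MANIFESTS)
    print("release allowed:", rep["ok"])
    for path, per_env in rep["divergent"].items():
        print("divergent:", path, per_env)
    for path, lacking in rep["missing_files"].items():
        print("missing:", path, "not built by", lacking)
```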

Pentagon leaders emphasize role of emerging technologies in battle

The top two leaders in the Pentagon in some of their first major public speeches shared visions for a Department of Defense that heavily relies on emerging technologies and creating new strategies to use them.

Secretary of Defense Lloyd Austin emphasized the need to depart from previous ways of waging war and focus on new, technology-driven tools and strategies during his first major speech, given in Honolulu at the change of command ceremony for Indo-Pacific Command last Friday. The same message was echoed later that same day by Deputy Secretary Kathleen Hicks, who said that the department must “aggressively take steps to be a data-centric organization” and create new ways to use data in the field and in command centers.

These remarks designate a much more specific stance than in past administrations around building a military force of the future that is dependent on tech.

They want “to mark a departure from the approach of DOD under [former Secretary of Defense James] Mattis,” Bryan Clark, a senior fellow at the Hudson Institute, told FedScoop about the leaders’ remarks.

Mattis focused on traditional lethality and readiness during his two years as President Trump’s secretary of defense, rather than the long-term technology-driven competition. And Mark Esper, Trump’s second confirmed defense secretary, often referenced artificial intelligence changing the “character” of warfare, but rarely spoke on its applications or specific uses.

But Austin and Hicks are taking a very different, much more direct approach when it comes to tech. “Our fiscal year [2022] budget will provide early insight into our strategic approach,” Hicks said at the Aspen Security Forum. “It will support defense research, development, test and evaluation funding. This will lead to breakthrough technologies that drive innovation and underpin the development of next-generation defense capabilities.”

While not mentioned directly by either Hicks or Austin, both implicitly pushed the capability that the new digital concept of operations called Joint All Domain Command and Control (JADC2) promises to deliver. The idea is to create a so-called “internet of military things” where weapons can share data to enable distributed, speedier decision-making. It’s a wonky topic that has been getting increasing nods of support from leaders in public.

“In this young century, we need to understand faster, decide faster, and act faster,” Austin said in his speech. “Our new computing power isn’t an academic exercise.”

Austin also foot-stomped the domains where threats are increasingly proliferating: space and cyberspace.

“So what we need is the right mix of technology, operational concepts, and capabilities — all woven together in a networked way that is so credible, flexible, and formidable that it will give any adversary pause,” he said.

Hicks directly identified China as the leading threat driving the department’s accelerated tech-driven push. China has the advantage of combining its economic, military and tech capabilities to challenge U.S. interests, she said.

And while China is the top threat, it isn’t the only one. “We have never had the luxury of being faced with only one threat,” she said.

This landscape will require the DOD to overcome “institutional inertia” and find new processes that can keep pace with rapid changes to capabilities. Hicks stressed the need to change the budgeting process to account for what the DOD needs to buy, including software and tech that changes faster than the current two-year cycle allows for.

“Platforms will always matter, but it’s the software…it’s those pieces that make such a critical difference in our capability,” she said. “That’s a different funding picture.”

Neither Austin nor Hicks detailed exactly how their view of tech-driven warfare will play out. But that was to be expected, Clark said. With the department’s full budget request coming in late May, they wanted to keep their cards close to the chest.

“They started out in a very aligned point,” he said. “That’s different and I think that’s useful for them.”

Air Force brings Hack-a-Sat back for second year

The U.S. Air and Space Forces will once again allow security researchers to penetrate some of their most precious assets: satellites.

During last year’s first Hack-a-Sat bug bounty initiative, the Air Force opened a satellite to more than 6,000 white hat security researchers to see if they could break in, in turn helping the Air Force to learn about its vulnerabilities.

This year’s contest will follow much of the same format as last year’s, hosted at DEF CON 2020, and aims to attract even more participants to test the security of satellites. Registration is now open for the qualification round, which includes a new “Jeopardy-style format” with hackers able to earn points based on the speed and accuracy of solving problem sets.

“The security and cyber-resiliency of our on-orbit systems is an absolute necessity as we look to ensure the peaceful development of the global commons of space over the coming decades,” Lt. Gen. John Thompson, commander of the Space Force’s Space and Missile Systems Center, said in a release. “This required a multitude of specialties, so partnerships across the entire professional cybersecurity spectrum are vital to developing the next-generation of secure space systems.”

The initiative extends on the Air Force’s work to build stronger connections across the hacker community, which once was suspicious of working with the military and federal government.

“Working with the Air Force on this was awesome because it’s not every day you get access to this kind of technology to mess around with,” Cyrus Malekpour, a winning team member for last year’s Hack-a-Sat, told FedScoop at the time.

The top three finishing teams that make it through the qualifying rounds are eligible for $50,000, $30,000 and $20,000 for first, second and third place, respectively. Will Roper, the Air Force’s former head of acquisition, technology and logistics, said he wanted hackers to be able to “make a living” off bug bounty programs like this.

Federal CDO Council preparing 10 data science training program use cases

The Federal Chief Data Officers Council plans to release 10 data science training program use cases soon in a sign of the agency collaboration to come, according to Chair Ted Kaouk.

Each use case will feature a different agency, like the Department of Health and Human Services’ Data Science CoLab or the Air Force’s data governance certification program.

The use cases were compiled by the council’s Data Skills Development Working Group, which aims to bolster agencies’ data workforce.

“We have an opportunity to accelerate that learning because we can learn about what others are doing — what’s worked for them,” said Kaouk, who primarily serves as CDO of the U.S. Department of Agriculture, during an ACT-IAC event Tuesday. “And I think that crosses the data skills domain; that crosses data sharing.”

The use cases come shortly after the joint hiring announcement for data scientists issued by 10 agencies in January, a project led by the U.S. Digital Service in partnership with the Federal CDO Council.

Meanwhile, the council’s COVID-19 Data Coordination Working Group has developed a number of prototypes addressing data-sharing challenges between agencies.

“That’s really focused on working with HHS to facilitate broader access to key public health data across internal agencies and developing decision support tools that are primed to be shared across agencies,” Kaouk said.

The council is similarly working with the Census Bureau to improve agencies’ access to its American Community Survey data.

And Kaouk anticipates agencies will create their first artificial intelligence inventories later this year, once the council releases the guidance it’s developing with the Federal Chief Information Officers Council. The inventories will detail each agency’s existing and planned AI use cases for everyone’s benefit.

The council is developing a framework for coordinating with the other Foundations for Evidence-Based Policymaking Act councils geared toward evaluation officers, statistical officials and privacy officials. And it’s updating existing guidance to reflect the Biden administration’s priorities.

Those priorities include better data management, skills and infrastructure; racial equity; and analysis of data collection practices and privacy protections for COVID-19 data in particular.

The council has about 80 member agencies currently.

Using the momentum of the pandemic to advance zero trust security

Getting buy-in from agency leaders to prioritize investments in zero-trust security has been challenging. But the pandemic — resulting in work-from-home initiatives and the loss of physical access controls — is forcing agency leaders to throw their security and access planning assumptions out the window.

With the loss of the ability to manage devices, control software updates and establish trust for users accessing government systems, CIOs and CISOs need to build security strategies that future-proof their agency against new threats and cyber risks, according to a new report.


The FedScoop report, “Pandemic Forces Agencies to Accelerate Zero Trust Security Plans,” underwritten by Duo Security, looks at two key pillars of establishing zero trust: centralized authentication and strong digital identity capabilities.

Core tenets of zero trust

“Ideally, agencies want to get to a place where it doesn’t necessarily matter what credential an employee was issued, or whether or not the employee is using a managed device. With strong MFA and identity assurance, the organization can centralize a policy engine in such a way as to determine whether or not access should be granted,” says the report.

That means reprioritizing what security and access controls look like when establishing trust for both users and devices, according to Helen Patton, advisory CISO at Duo Security, now part of Cisco.

At the top of risks to address, says Patton, are compromised privileged accounts which allow for the lateral spread of breaches across the network. This is especially true with shared administrative accounts.

“If agencies are still using accounts with just a password and no multi-factor enacted, they are missing critical controls to authenticate that the user is who they say they are,” Patton warns.

She goes on to explain that in shared admin accounts, “agencies give multiple users access to a primary username and password. These are the kinds of weaknesses threat actors hope to exploit to gain access and move laterally across the network.”

Two of the core tenets of zero trust require that an organization see where authentication is occurring — at the application level — to enact policy engines where they will be most effective; and authenticate digital identity to gain insight into the network, the perimeter and what devices are accessing agency resources.

Zero trust controls in action

Patton illustrates how these modern security controls can work during an active security incident.

In January 2021, when Apple announced the iOS 14 vulnerability, Duo’s parent company, Cisco, implemented a policy change for access authentication.

“In a matter of minutes, Cisco rolled out the policy to all of its protected applications accessed by more than 400,000 endpoints, making it a requirement for devices to install the iOS 14.4 update before they were able to connect to the network,” explains Patton.

At the end of the day, dynamic policies helped Duo and Cisco push policy updates across the network and place responsibility with the user to manage their device and access.
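A minimal access-policy engine of the kind the report describes, as an added example that is not Duo's or Cisco's code: it requires verified MFA, refuses shared administrative accounts, and enforces a per-platform minimum OS version, so the iOS 14.4 requirement above becomes a one-line policy change rather than a redeployment. Request fields, policy names and the sample requests are all assumptions; versions are compared numerically so that "14.10" correctly counts as newer than "14.4".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn '14.4.1' into (14, 4, 1); return None for anything unparsable."""
    try:
        return tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return None


def version_at_least(actual: str, minimum: str) -> bool:
    """Numeric comparison with shorter tuples padded, so '14.4' >= '14.4.0'.
    An unparsable device version is treated as non-compliant (fail closed)."""
    a, m = parse_version(actual), parse_version(minimum)
    if a is None or m is None:
        return False
    n = max(len(a), len(m))
    return a + (0,) * (n - len(a)) >= m + (0,) * (n - len(m))


@dataclass
class AccessRequest:            # assumed shape of what the policy engine sees
    user: str
    mfa_verified: bool          # MFA completed for this session
    shared_account: bool        # credential known to be shared among users
    device_os: str              # e.g. "iOS", "macOS"
    device_os_version: str


@dataclass
class Policy:
    require_mfa: bool = True
    deny_shared_accounts: bool = True
    # platform -> minimum version; platforms not listed are not version-gated
    min_os_version: Dict[str, str] = field(default_factory=dict)


def evaluate(req: AccessRequest, policy: Policy) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Every failed control is reported, not just
    the first, so the user can be told what to fix."""
    reasons: List[str] = []
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("mfa_required")
    if policy.deny_shared_accounts and req.shared_account:
        reasons.append("shared_account")
    minimum = policy.min_os_version.get(req.device_os)
    if minimum is not None and not version_at_least(req.device_os_version, minimum):
        reasons.append(f"update_required:{req.device_os}>={minimum}")
    return (not reasons, reasons)


def with_min_os(policy: Policy, platform: str, minimum: str) -> Policy:
    """The 'dynamic policy' step: a new policy object with one gate raised."""
    return Policy(policy.require_mfa, policy.deny_shared_accounts,
                  {**policy.min_os_version, platform: minimum})


if __name__ == "__main__":
    baseline = Policy()
    patched = with_min_os(baseline, "iOS", "14.4")   # rolled out in minutes
    # Constructed sample requests
    for req in (AccessRequest("alice", True, False, "iOS", "14.3"),
                AccessRequest("bob", True, False, "iOS", "14.10"),
                AccessRequest("svc-admin", True, True, "macOS", "11.2"),
                AccessRequest("carol", False, False, "iOS", "14.4")):
        print(req.user, "before:", evaluate(req, baseline), "after:", evaluate(req, patched))
```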


This article was produced by FedScoop and sponsored by Duo Security.

Army planning open-architecture guidelines for contracts

The Army is working with industry to unify the technology it will buy for future platforms and vehicles by creating a modular and open-architecture approach.

Called the Common Modular Open Architecture (CMOA) initiative, the modernization push is in a feedback-seeking phase where the Army still hopes to hear more from industry. A team within the Office of the Chief Systems Engineer (OCSE) is developing the future contracting language and reference guides.

The service recently completed its first industry day event on how best to balance the military’s desires for interoperability and industry’s push to keep intellectual property rights for competitive advantage. Open-architecture technology has grown in popularity recently for the ease of upgrading and swapping out pieces of software in a system, but commercial companies are often reluctant to break away from building proprietary products.

“We want to have the flexibility to allow for modernization,” Jeannette Evans-Morgis, chief systems engineer and head of the CMOA initiative, said on a call with reporters Monday.

Evans-Morgis said her office is looking to make changes on areas considered “low-hanging fruit.” In that basket are data standards for programs like the Optionally Manned Fighting Vehicle (OMFV), the Army’s replacement for the Bradley Fighting Vehicle that has been a staple of Army operations for decades.

Starting with data interoperability and software reference guides will be a jumping-off point for the broad push to make it easier for the Army to “plug and play” new tech, Evans-Morgis said.

One of the outcomes the Army wants to see through this initiative is machine-to-machine data sharing. The OMFV is being designed with data and software as central elements so that it will operate like an iPhone that can constantly upgrade and download new applications through a common architecture, like the Apple App Store. But, using that analogy, many of the Army’s platforms would be the devices that need to be completely replaced to allow for upgrades.

The team behind the CMOA will be producing multiple kinds of documents to guide industry’s future work with the Army, including reference guides, contracting language and standards. Evans-Morgis committed to giving industry plenty of time to adjust its practices and tools to what the Army needs once those new documents are finalized and put into contract solicitations.

“That’s what’s really critical: We have to get it before we start writing those RFPs,” Evans-Morgis said.

The Army is encouraging more feedback on its plans from both industry and offices across the service that run programs like the OMFV.

“Obviously, this is always going to be a work in progress,” Evans-Morgis said.

Administration introduces ‘more flexible’ TMF repayment model

Agencies that take money from the federal Technology Modernization Fund will now have more flexibility in how they repay those investments, the Biden administration announced Tuesday.

The Office of Management and Budget and General Services Administration, which lead the administration of the fund with the TMF Board, introduced “an updated and more flexible model” for distributing the $1 billion recently appropriated to the TMF.

Under that, there will now be three categories of repayment for TMF projects:

The original TMF repayment model, which required the repayment of all funds within five years, had been a major source of contention and a reason many agencies didn’t want to participate in the program, despite the opportunity for additional funding. The changes also come after lawmakers have urged administrators to update the fund to be more flexible for agencies to use.

“The TMF enables multi-year transformational projects by ensuring Federal agencies have resources that exist throughout the lifecycle of modernization,” said Federal CIO Clare Martorana in a statement. “We plan to use these resources to enable the Federal Government to better respond to SolarWinds and the COVID-19 crisis, and to support the economic recovery.”

On top of this, the board will also now prioritize selecting and funding projects “that cut across agencies, address immediate security gaps, and improve the public’s ability to access government services,” said a release from OMB and GSA. The board will give top priority to projects focused on modernizing high-priority systems, cybersecurity, public-facing digital services and cross-government services and infrastructure.

“The updated TMF model provides the clarity and flexibility necessary to encourage Federal agencies to prioritize technology modernization while transforming the relationship between the Federal Government and the public we serve,” Acting GSA Administrator Katy Kale said in a statement. “It is more aggressive – to meet the urgent technology needs of the Federal Government today, as well as more ambitious – to anticipate the demands of tomorrow.”

The board “encourages” agencies to submit proposals that might fit these prioritized categories by June 2.

Former GSA CIO: It’s time for a federal ‘Agile First’ strategy

Government should prioritize agile methodologies not only in software development but in IT procurement, finance, budgeting and hiring as well, according to a former CIO of the General Services Administration.

Tasks should be done in parallel rather than sequentially when possible, and paper-based processes should not only be digitalized but done in real-time, Casey Coleman told FedScoop.

The federal Cloud First strategy prioritized cloud migration, while the Cloud Smart strategy directed agencies to take advantage of as-a-service offerings. Ensuring adoption of the agile method is a logical next step and a recommendation ACT-IAC made to the Biden administration during the presidential transition.

“If you think about how work gets done on the ground in departments and agencies, we still have old waterfall processes,” said Coleman, now senior vice president with Salesforce. “There’s an opportunity now to think about what we’ve learned in the pandemic and to change the way we operate to Agile First.”

The COVID-19 pandemic proved out everything from digital signatures to telehealth, she added.

Coleman’s comments come days after she testified before the Senate Emerging Threats and Spending Oversight Subcommittee, which held the first in a series of hearings on the need to modernize legacy IT systems in government. Subsequent hearings will explore innovative solutions to the problem.

The government will spend more than $100 billion on IT this fiscal year, and last fiscal year about $29 billion of that went toward maintaining legacy systems. And that number doesn’t take into account those systems’ negative fiscal impact on security, service delivery and customer experience, said Sen. Maggie Hassan, D-N.H., who chairs the subcommittee.

Hassan noted the IRS’s delays in processing tax returns and economic impact payments was due, in part, to its aging system that relies on paper and not digital records.

“The American people pay the price of failing to modernize legacy IT systems,” Hassan said. “Over the past year in particular, my office has received hundreds of messages from constituents struggling to access passports and visas, unemployment benefits, economic stimulus payments, benefits information from the Department of Veterans Affairs, and information on filing taxes.”

The 10 most critical legacy IT systems in government as of June 2019 ranged from eight to 51 years in age and cost $337 million to maintain. Several systems operated with known security vulnerabilities, and the departments of Education, Health and Human Services, and Transportation had no plans for modernization, according to a Government Accountability Office report released in late April.

Only the departments of Defense and the Interior had modernization plans that included milestones, a description of the work needed and the intended disposition of the system in question. The rest — the departments of Homeland Security and the Treasury, Office of Personnel Management, Small Business Administration, and Social Security Administration — only had partial plans.

“[T]he agencies’ modernization initiatives will have an increased likelihood of cost overruns, schedule delays, and overall project failure,” reads the report. “Project failure would be particularly detrimental in these 10 cases, not only because of wasted resources, but also because it would prolong the lifespan of increasingly vulnerable and obsolete systems, exposing the agency and system clients to security threats and potentially significant performance issues.”

And yet Coleman has never been more optimistic about the “generational opportunity” for agencies to migrate to the cloud, thanks to the emergence of commercially operated, always-on, hardened and upgraded platforms.

For instance, COVID-19 contact tracing began as a paper-based process before migrating to cloud-based platforms. “The COVID pandemic has forced and pushed all of us into modernizing in weeks or months what otherwise would have taken years,” Coleman said. “And from the innovation that has emerged from the tragedy of the pandemic, we’ve seen that governments are able to move quickly and be able to respond in no time to pressing needs of their communities.”

Outside of the $1 billion injected into the Technology Modernization Fund in March, Coleman said she’d like to see agencies use working capital funds “more advantageously.” The funds created by the Modernizing Government Technology Act roll over money not used the previous fiscal year and give agencies more control over IT project timelines and continuity.

Government IT legislation is also in need of an update, even if technology does naturally evolve at a faster pace.

“If you look at the legislation that is in place,” Coleman said. “Some of it is generations behind where we are with technology.”

Army looking for modernized enterprise data platform

The Army is on the hunt for an enterprise data platform and managed services, according to a recently released request for information.

The document, published by the Enterprise Cloud Management Agency, outlines the need for services to help enable the type of information collection and processing it needs to win in the future and modernize business practices. The current state of data management is scattered and doesn’t allow the Army to gain insights across different mission areas from cybersecurity to logistics, according to the document.

“[T]he Army must fundamentally transform its approach to data governance and data management, which requires a standardized, secure, trusted, agile and resilient set of data management services and a data platform to serve all common data governance needs across all data domains,” the RFI states.

The scope of what the Army wants is broad, with the desired platform being able to reach across different security classifications of networks and even coalition networks that allied militaries use to work with the U.S. The point of having one platform with standard services is to allow users to view wide arrays of datasets and glean deeper insights into Army operations from business analytics to warfighting.

Some examples of how the Army expects to use its new platform include ingesting a wide array of data and standardizing it on demand, working with the Army’s native cloud environment cARMY and supporting advanced analytics like artificial intelligence and machine learning.

“The Platform enables analytical work products, perform advanced data analytics, Artificial Intelligence/Machine Learning (AI/ML) and data visualization at an enterprise level,” the RFI states in its section on foreseen usage scenarios.

The Army is not looking to burn down its current data tools and start from scratch. Instead, it wants whatever platform and services it receives from industry to include the modernization of its current set of data management tools.

The Army will be hosting an industry day event in May to answer questions on the request.