DHS awards four EIS task orders worth $306M to AT&T

The Department of Homeland Security has awarded four Enterprise Infrastructure Solutions (EIS) task orders for modernizing its telecommunications infrastructure with Internet Protocol-based networking services to AT&T.

Worth a combined $306 million over 12 years if all options are exercised, the task orders cover networking services supporting the DHS headquarters, as well as Immigration and Customs Enforcement, Cybersecurity and Infrastructure Security Agency, and Science and Technology Directorate.

Unlike most departments, DHS is awarding upward of five EIS task orders ahead of the Networx contract’s expiration on March 31, 2023, but these most recent awards were protested first by Lumen Technologies and then Verizon. Those protests were denied by the Government Accountability Office, and now work can proceed.

“We’re honored DHS selected us to modernize its communications capabilities with an IP-based infrastructure,” said Stacy Schwartz, vice president of FirstNet and public safety at AT&T, in a statement. “We expect the networking transformation to power the many missions of DHS agencies into the future.”

DHS agencies will soon be able to access data networking, voice collaboration, equipment, security and labor, as well as FirstNet priority communications for public safety personnel.

Software-defined wide area network (SD-WAN) and other cybersecurity protections will reduce the number of agencies’ internet connections, and therefore their attack surface. Consolidating those connections also permits improved monitoring, in keeping with the zero-trust security model, which has become an increased focus in the aftermath of high-profile hacks like SolarWinds.

Atlantic Council calls on U.S. gov to strengthen cyber strategy and accelerate quantum tech

The U.S. government and its allies should strengthen their cybersecurity strategy and accelerate the operationalization of quantum technologies, according to a leading D.C. think tank.

In a report published on Wednesday, the Atlantic Council issued recommendations for maintaining the country’s leadership in science and technology, and for preserving the resilience of its physical and IT supply chains.

According to the study, which was conducted by the think tank’s Commission on the Geopolitical Impact of New Technology and Data, the federal government must support technological development across many separate spheres of society.

The Atlantic Council says the federal government should offer greater support for technologies that underpin the growth of digital economies, as well as more support for innovation that enlarges the spaces where societies operate, such as sub-sea technology.

The Atlantic Council also recommends additional backing for the development of artificial intelligence.

“The sophisticated, but potentially fragile, data and tech systems that now connect people and nations mean we must incorporate resiliency as a necessary foundational pillar of modern life,” said David Bray, director of the Council’s Geotech Center.

“It is imperative that we promote strategic initiatives that employ data and tech to amplify the ingenuity of people, diversity of talent, strength of democratic values, innovation of companies, and reach of global partnerships,” added Bray, former CIO of the FCC.

The recommendations come after the Biden Administration in March published its interim national security strategic guidance, which identified cybersecurity as a “top priority,” and said it would strengthen the country’s capability, readiness and resilience in cyberspace.

According to the Atlantic Council, a revamped strategy is crucial for the country’s national and economic security, and it must also work to increase trust and confidence in the digital economy.

Federal government concerns over cybersecurity have come to the fore in recent weeks, amid a surge in ransomware attacks on private and public sector entities, including the recent attack on Colonial Pipeline.

The U.S. is also racing to build a new generation of supercomputers, supported by federal departments including the Department of Energy. It is hoped that exascale computing will have a key role to play in the future energy security of the country, by allowing more efficient management of the energy grid.

The think tank is also calling for wider federal oversight of supply chain assurance and said more must be done to harden the security of commercial space industry facilities and space assets. The latter recommendations follow a report by NASA’s oversight body earlier this month, which identified major cybersecurity weaknesses at the organization.

The Atlantic Council is an Atlanticist U.S. think tank focused on international affairs, which was founded in 1961.

NIST to consolidate existing supply chain guidance before issuing new recommendations

The National Institute of Standards and Technology (NIST) will consolidate existing supply chain guidance before identifying gaps on which new standards are based, according to a computing security chief at the agency.

The institute is under pressure to issue separate guidance on protecting critical software and testing source code within 60 days and broad standards on supply chain security within 90 days, as the U.S. government races to respond to recent supply chain attacks like the SolarWinds hack.

Testifying to lawmakers before the House Science Committee on Tuesday, computer security division leader of NIST’s Information Technology Laboratory, Matthew Sholl, said the agency was “on track” to deliver new supply chain security standards.

Sholl also said that the agency would deliver the recommendations within the condensed timeframe afforded by President Biden’s recent cybersecurity executive order.

“The initial deliverables might be short. But we also plan on staying persistent on these issues over a much longer period of time,” he said.

In addition to establishing secure software requirements and security measures for using testing software, NIST is working on two pilot labeling programs that will help agencies understand the security properties of software they might use.

Lawmakers have expressed concern that NIST may not have the necessary resources to meet the tight deadlines. Its cyber and privacy portfolio received funding of only $78 million in last year’s budget.

“I do worry we are increasingly asking NIST experts to do exponentially more work, more quickly, without necessarily the adequate resources,” said Rep. Haley Stevens, D-Mich., who chairs the Research and Technology Subcommittee that oversees the institute.

Sholl made no mention of resource constraints in his testimony.

The Government Accountability Office continues to investigate the SolarWinds hack, and will compile a public report on the incident, which is due to be released later this year.

In a December report on supply chain risk management, GAO found that none of the 23 Chief Financial Officers Act agencies had implemented all the recommended best practices, and 14 had not even started to address the implementation of best practices.

NIST first released its Cyber Supply Chain Risk Management guidance in 2015, followed by its Secure Software Development Framework. And the Office of Management and Budget began directing agencies to address supply chain issues in 2016.

Department of Veterans Affairs oversight body highlights $2.6B IT overspend

The Department of Veterans Affairs underestimated the cost of “physical infrastructure” upgrades in its electronic health record modernization program by as much as $2.6 billion, the department’s inspector general found.

The massive modernization program is in year three of its 10-year timeline with a projected $16 billion price tag. But those costs might increase due to physical infrastructure needs the VA hadn’t initially planned for — things like electrical work, cabling, and ventilation that allow IT infrastructure upgrades to properly function.

“The lack of reliable cost estimates was caused in part by insufficient planning at the outset of the program. [Office of Electronic Health Records Modernization] leaders stated that at the beginning of the program the focus was on the EHRM contract and the system itself, rather than infrastructure,” the report stated.

The program is designed to be a complete overhaul of the VA’s health IT system, with a new cloud-based system from Cerner hosting billions of medical records and supporting all new interfaces for medical staff. The goal is to eventually integrate the VA’s system with a similar digital medical system the Department of Defense is migrating to so service members separating from the military can seamlessly transition to veteran care.

Lawmakers have been critical of the VA’s potential to go over budget and schedule, a concern shared by new VA leadership. The VA twice had to delay the launch of the new system at the first launch facility in Spokane, Washington; one of those delays was caused by the pandemic. Since the EHR’s launch, lawmakers have highlighted instances where the tech has had negative medical impacts, like delayed prescription refills.

The OIG found several missteps and a lack of thorough review to be at fault in VA’s underbudgeting. The department did not seek an independent review of its cost estimates, in violation of its own financial policies, the IG said.

“An independent cost estimate is a complete and fully documented estimate that external or third parties develop and use to test the reasonableness of the program cost estimate,” the report stated. “Thus, it likely would have revealed many of the issues found during this audit and would have allowed VHA to take earlier action to improve the reliability of its estimates.”

One of the most underestimated costs was the price of replacing cabling nationwide. Despite VA leadership signing memos instructing the replacement of cabling, the nearly half-a-billion-dollar cost was not included in estimates.

“[N]ationwide cabling costs should be included as part of the cost estimate because upgraded cabling is required prior to full system deployment,” according to the report.

The VA has steadily increased its IT budget requests in the past several years to account for more than just the EHR requirements. In 2020, then-Secretary Robert Wilkie told Congress the VA is playing catch up after years of neglect in its tech systems.

“I will admit that VA has been underfunded on the IT front through the past several decades,” Wilkie told members of the House Veterans’ Affairs Committee. “We were right at the bottom.”

DHS oversight body finds data handling concerns across department agencies

“Persistent” data collection and management issues hinder daily use of large, diverse databases for decision-making across Department of Homeland Security (DHS) agencies, according to its Office of Inspector General (OIG).

DHS’ OIG reviewed reports between fiscal 2017 and 2019 for recurring and systemic data issues and found 70 instances of integrity, reliability and availability problems throughout more than one-third of reports.

“[F]ollow-through and continued improvement will be essential to address the internal control issues underlying the data deficiencies we highlighted,” read the OIG’s report, which was issued Monday. “Only then can the department be assured it captures reliable and accurate data to accomplish its mission responsibilities.”

The OIG flagged 82 internal control deficiencies across five categories that have reduced the quality of data: security and technical controls, program and operational oversight, guidelines and processes, system design and functionality, and training and resources.

In response, DHS rebuffed the report’s findings, but said there would always be opportunities to improve the use of its data assets.

“DHS strongly disagrees with the report’s overly broad conclusion that personnel ‘do not have essential information they need for decision-making or to effectively and efficiently carry out day-to-day mission operations.’

“The OIG provides no direct evidence nor, to our knowledge, completed any analysis with the level of methodological rigor necessary to support this conclusion,” the department’s GAO/OIG liaison office said.

Previous reports by the DHS OIG have identified data security deficiencies, and established that they put financial data at risk of unauthorized access and disclosure. They also show that a number of national security systems lacked current Authorities to Operate (ATOs).

Other information identified to be at risk in prior reports includes unmanned aircraft data within Customs and Border Protection’s Intelligence, Surveillance, and Reconnaissance Systems, and personally identifiable data in the Office of Health Affairs’ Electronic Patient Care Reporting system and BioWatch portal.

Case management and investigative data in Secret Service systems, immigration data in U.S. Citizenship and Immigration Services’ CLAIMS3, and cybersecurity data in the National Protection and Programs Directorate’s unclassified and top secret Mission Operating Environment systems have also previously been found to be at risk.

In addition, inaccurate and incomplete data meant the Office of the Chief Human Capital Officer had trouble conducting a cybersecurity workforce analysis that counted and coded contractors and tracked training efforts, according to a prior report.

DHS OIG has suggested looking to the department’s IT Strategic Plan and Enterprise Data Strategy, which expires this year, as well as the Federal Data Strategy to continue modernizing systems.

“[M]anagement should design information systems and controls to ensure the data recorded is accurate and valid,” the report said. “DHS requires the integration of quality into every phase of information management including creation, collection, maintenance and dissemination.”

CMMC accreditation chief says assessor training coming ‘mid-to-late’ summer

The long wait for those who want to be certified assessors for the Department of Defense’s new contractor cybersecurity standards might be over this summer, according to the CEO of the organization overseeing training.

According to a public letter and attached FAQ signed by Matt Travis, which was issued on Wednesday, training for assessors will begin in “mid-to-late summer 2021.”

Travis is the new CEO of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), which is the organization responsible for implementing new CMMC standards. Assessors are a critical part of the procurement ecosystem, and for implementing sweeping new cyber standards for all of DOD’s 300,000 contractors.

“I know many of you are eager to learn of when the CMMC ecosystem will kick into full operational gear. I will say this―we are getting close,” Travis said. “We are on the cusp of reaching some exciting milestones in the coming weeks.”

It’s been a long-promised start for a scheme that the AB has previously delayed. In April 2020 the then-board chair, Ty Schieber, said the AB was in the “final stages” of putting the training together. The AB has a group of randomly selected “provisional assessors” that will give feedback on the process, but no fully accredited assessors will be appointed until all testing and accrediting is complete.

Without trained and certified assessors, there will be no one to inspect the networks of contractors that need third-party approval that they are meeting one of the cybersecurity levels in the five-tier CMMC model. By fiscal year 2026, all contracts will have CMMC requirements that mandate contractors get an assessment to continue working with DOD, with minimal exceptions.

It is one of the many parts of the ecosystem that must move forward if a timeline dictated by DOD is to be kept. It’s separate from the training and certification of Certified Third Party Assessment Organizations (C3PAOs), which has also faced some delays. Certified assessors are individuals who will be hired by C3PAOs to assess DOD contractors.

The AB, which oversees the ecosystem and implementation of the CMMC program, also recently hired a new member of its professional staff to oversee training. Melanie Kyle Gingrich will be vice president for training and development and will oversee the AB’s initial training course, as well as organizations licensed by the AB to conduct the future training of assessors.

NSA places greater focus on unclassified work in new physical, virtual hubs

One of the nation’s most secretive intelligence agencies is making a strategic effort to do more work in the open.

The National Security Agency has developed new physical and virtual workspaces to support collaboration around its unclassified work.

The agency, which historically focuses most of its work on highly classified mission sets, had been strategically developing these unclassified work environment spaces for a few years when the COVID-19 pandemic hit. The crisis forced the NSA to accelerate the launch of the hubs where NSA personnel and contractors can securely work together in-person and online on unclassified workloads, said Rebecca Guzman, who leads the rollout of the Unclassified Work Environment program.

“As we navigated the day-to-day realities of the pandemic, we really were focused on coming out with a better way of doing business after being forced to look at how resilient we were as an agency,” Guzman said Wednesday during Riverbed’s Network Transformation Summit, hosted by FedScoop. “So that’s been to establish a more agile, more efficient way to sustain our workforce, regardless of where they were coming from. And so as a result, we’ve created new unclassified options, both virtually and physically.”

The unclassified work environment allows the 70-year-old agency to do this type of widespread unclassified, off-site work for the first time ever, Guzman said. This is “really challenging for an organization that typically works in a highly classified mission.”

“This really represents a huge cultural change for the agency with a workforce that is used to providing protection for a lot of our classified information — it really isn’t embedded in our DNA,” she said. “And so as an agency, we’ve had more change in the last year than we have over the last 10 [years] in technology.”

In the physical collaboration spaces, NSA provides “modernized technology and smart devices to allow folks to have a space to be able to do some of that collaboration with partnership outside the agency,” Guzman said.

Initially, this was all the program was intended to be: a set of physical collaborative spaces. But the pandemic quickly showed the NSA that virtual work would soon become part of the new norm and that the unclassified work environment must reflect that while accelerating the work it already had underway.

NSA CIO Greg Smithberger teased some of these capabilities last summer during the peak of the pandemic, saying the agency was sifting through its less-sensitive mission sets to see what it could possibly move into an unclassified cloud environment appropriate for telework.

In addition to the cultural shift the new environment required, Guzman said it forced NSA to bring greater focus to using non-customized commercial technologies both for the speed of delivery and the collaborative utility inherent in off-the-shelf software.

“This was pivotal because we could not deliver these solutions if we were customizing and building them ourselves,” she said. “That also meant protecting and defending every endpoint of that ecosystem.”

NSA had thousands of personnel use the in-person and virtual environment throughout the pandemic with the intent to expand that moving forward. With this, the employees “can be and have been more productive,” Guzman said. “They’ve been able to engage with the workforce. We’ve had town halls where folks can really be reached right where they are. And they’re able to also collaborate with industry partners and work in a very hybrid collaboration environment that’s been really productive for us.”

Pandemic or not, this is a solution the NSA will need moving forward, Guzman said. The efforts “were not a COVID reaction, it has been an enduring, fundamental change in our approach and how we enrich mission. Thanks to the efforts across the agency and industry partners, we now have lots of folks working from the office, from home and really wherever they are, jumping in to really add that value.”

AWS to launch data centers in United Arab Emirates

Amazon Web Services (AWS) is expanding its presence in the Middle East, with three new data centers based in the United Arab Emirates (UAE).

They will go live in the first half of 2022 and expand the company’s presence in the region, which is currently limited to Bahrain, the company announced Wednesday. AWS currently has 80 such centers around the world.

“We are excited to build on the great momentum of cloud adoption in the Middle East by providing more choice for customers in the UAE to run applications and store data locally,” said Peter DeSantis, senior vice president of global infrastructure at AWS.

AWS remains a major cloud service provider to the U.S. government. It remains in a protracted legal battle with the Department of Defense after it was passed over for a $10 billion Joint Enterprise Defense Information (JEDI) cloud computing contract.

In the Middle East, AWS contracts with governments including Egypt, Kuwait and Bahrain.

Tech companies write to Biden administration pushing commercial tech preference

A group of technology companies and trade lobby groups has written an open letter to the Biden administration, calling on it to ensure federal agencies follow existing preference regulations for commercial software and technology procurement.

In the letter, which was sent on Tuesday, the companies also requested that the Office of Management and Budget (OMB) provide specific updated guidance to agencies on the issue.

Agencies are required by federal law to adopt existing private-sector tech and software solutions, where practicable, rather than developing custom-built solutions.

Salesforce, Palantir, Splunk and DataRobot were among the signatories to the letter and were joined by trade groups including the Alliance for Digital Innovation, the Silicon Valley Defense Group, and the Alliance for Commercial Technology in Government.

“Many federal agencies continue to favor custom-built, more expensive solutions, even when there are proven, widely available commercial solutions that, in many cases, can be modified to meet unique requirements,” the companies said. “As a result, many technology companies conclude that it is too difficult to work with the government.”

By failing to enforce the regulations, the federal government often misses out on the cutting-edge tech developed in the private sector. “Rather than miss out on private sector innovations, the government should consistently enforce laws and policies that give preference to commercial software and technology solutions and support these domestic industries, including startups and small businesses,” the letter says. “We specifically request that the OMB provide clear guidance to federal agencies to make certain that the existing statutory requirements for commercial preference are followed.”

Under statutory requirements, federal agencies must buy commercial technology and software when “reasonably practicable.” This is codified in the Federal Acquisition Streamlining Act (FASA), which was passed in 1994.

Private sector representatives say that such legislation is necessary because in-house federal agency development projects have a high failure rate and redundancy created by such programs has a huge cost for the U.S. taxpayer.

Speaking to FedScoop, executive director of the Alliance for Digital Innovation, Matthew Cornelius, said technology companies had “stepped up” to provide COVID-19 testing, contact tracing and information solutions during the past 15 months, and that they want to see a continuation of pandemic spending momentum on commercial solutions.

“There’s already a lot of building blocks in place, where the administration needs to embrace this chance to buy commercial first,” said Cornelius.

The trade group leader added that too often broad IT modernization efforts burden contracting officers with lists of requirements that see recompeted contracts awarded to the same vendors because it’s “comfortable and easy.”

Mac Thornberry, former chairman of the House Armed Services Committee and member of the Silicon Valley Defense Group’s board of advisors, said commercial tech adoption is key to “preparing for great power competition.”

“If it is really urgent, and I think it clearly is, the government has to act like it,” Thornberry said. “That means acquiring systems now that are tested and proven and can be readily adopted, rather than waiting — sometimes for years — to build systems from scratch that may never work and are likely to be outdated if they do.”

Dave Vorland, executive director for the Alliance for Commercial Technology in Government, said: “You find out during a crisis what technology works and doesn’t work and it is consistently commercial software that responds best when government efficiency is most critical — as we have seen during the COVID-19 pandemic.”

National Institutes of Health launches $50B governmentwide IT contract vehicle

The National Institutes of Health has issued a request for proposals for its long-awaited governmentwide acquisition vehicle that will give up to $50 billion to federal contractors over a 10-year period.

The CIO-SP4 vehicle has 10 task areas including IT services, CIO support, cybersecurity, digital government and cloud services and software development.

It will be managed by the NIH’s Information Technology Acquisition and Assessment Center (NITAAC) and is designed to meet agencies’ general information technology, biomedical and health IT needs across the federal government.

CIO-SP4’s $50 billion ceiling represents an increase from the previously launched CIO-SP3 vehicle, which allotted $20 billion to IT contracts over a 10-year period. CIO-SP3 was launched in June 2012 and runs until May 30, 2022.

The new contract has a five-year base ordering period and a five-year extension option.

Contract vehicles permit flexibility at the task order level and acquisition agreements where a quick turnaround time is required. NIH will award spots on the larger vehicle to prime contractors that can then compete for task orders under the scope of CIO-SP4.

Commenting on the launch of the contract, NITAAC acting Director Brian Goodger said: “CIO-SP4 builds upon the success of CIO-SP3 and takes into account several lessons learned that we believe will enhance the experience of our federal agency customers and contract holders alike.

“We are excited about the possibility CIO-SP4 holds for revolutionizing the way agencies acquire IT.”

Goodger also reminded agencies that CIO-SP3 remains an option for their IT needs. “However, we want to remind agencies that while they anticipate CIO-SP4, CIO-SP3 still remains a vital option for their procurement needs. CIO-SP3 expires in May 2022, has ample ceiling room and awards issued before the expiration of CIO-SP3 can be extended up to five years,” he added.

NITAAC is a federal executive agent and is authorized by the Office of Management and Budget to administer three governmentwide IT acquisition contracts: CIO-SP3, CIO-SP3 Small Business, and CIO-CS. These contracts, along with NASA’s SEWP and the General Services Administration’s various IT vehicles, comprise the federal government’s governmentwide acquisition vehicles, or GWACs as they’re called.