Zero trust, identity management and DOD network security strategies
Defense agency leaders — aware of the shortcomings of “defense in depth” security approaches — are exploring other security frameworks, like zero trust, to better protect networks from identity-based attacks.

Read the full report.
According to a recent Okta report, the Air Force is one of several agencies using modern identity and access management tools to assist with security and user experience.
It is working to “centralize IAM across 33 systems and 200 applications,” the report says. Additionally, among other capabilities, the IAM platform allows them to streamline auditing and reporting tools and user behavior analytics to uncover anomalies.
The report describes how Okta’s zero trust architecture is being used as a foundation to secure DOD resource across on-premise and cloud environments to help defense organizations manage their extended enterprise, and by making it possible for them to:
- Embrace the secure cloud, at scale — while also extending the same strong authentication to on-prem apps, such as WAM.
- Reduce the complexity of managing separate password and authentication policies across on-premise and cloud resources.
- Provide a consistent and seamless access experience for end users, eliminating password fatigue and improving onboarding time.
Learn more about how zero trust and identity management are proving to be a game-changer for DOD network security.
This article was produced by FedScoop for, and sponsored by, Okta.
US, Albania agree to develop secure 5G networks abroad
The U.S. and Albania agreed Sunday to coordinate development of secure 4G and 5G networks abroad, as the former tries to stop Western Balkans countries from buying potentially compromised Chinese infrastructure.
Without mentioning China by name, both parties acknowledged the threat foreign adversaries pose to the telecommunications supply chain.
In recent years the U.S. has struck similar agreements with the Western Balkans countries of Serbia, Kosovo and North Macedonia to assess the risk of 5G equipment supplied by vendors with connections to foreign adversaries, namely Huawei and ZTE, before buying.
“I think we’re setting a very strong example together here today, particularly on the need to make sure that when it comes to our most sensitive technology and networks, we’re working with trusted vendors,” said Secretary of State Antony Blinken.
Blinken signed the memorandum of understanding with Albanian Prime Minister Edi Rama, noting the partnership between the two countries was “growing stronger, growing deeper.”
Albania was elected to the U.N. Security Council for a two-year term beginning next year on Friday. The country previously participated in a U.S. Army-led, joint military exercise with 27 European and NATO countries called DEFENDER-Europe 21.
House lawmakers recently reintroduced legislation that would see the U.S. Development Finance Corporation fund 5G infrastructure projects in 22 Central and Eastern European countries including Albania. The bill is seen as a counter to China’s Belt and Road and 17+1 initiatives seen as taking advantage of a region that’s historically lacked telecom infrastructure since the Soviet era.
“[W]e have undertaken these issues … asking also the other countries in the region join and to put all together our effort for a very secure path of communication,” Rama said. “And to put this path of communication of very critical services in the hands of the people of Albania, in the hands of institutions of our security forces, and to not allow compromise by third actors and sometimes-malign actors.”
Tech contractor for National Nuclear Security Administration says it is investigating systems hack
A research and development consultancy that works with the Department of Energy and National Nuclear Security Administration is investigating a cyber breach.
In a statement to this publication, Sol Oriens said it had appointed a technology forensics firm to investigate the incident, and that law enforcement agencies had been informed. The company became aware of the breach last month.
Sol Oriens is a New Mexico-headquartered consulting company that provides services to federal government agencies including program management, technology management, weapons R&D and product engineering.
“Upon detecting suspicious activity within our network environment, our IT professionals immediately secured the system and we quickly recovered priority company systems.
“The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved,” a spokesperson for the contractor said.
Sol Oriens added that to date it has no indication that the incident involves client classified or critical security-related information. The consultancy firm said also that it would notify affected individuals and entities once the forensic investigation into the cyberattack concludes.
A DOE spokesperson said: “The Department of Energy is aware of the cyberattack against Sol Oriens, a veteran-owned consulting firm whose clients include the Department of Energy and the National Nuclear Security Administration.
“There is no evidence that any DOE or NNSA data was compromised and there is no risk or impact to any government systems. We continue to stay in close communication with Sol Oriens,” the spokesperson added.
The NNSA helps to manage the safety of the U.S.’s nuclear stockpile and is a semi-autonomous agency within the DOE, according to its website. It works closely with the Department of Defense and national labs on nuclear safety and use, including nuclear propulsion in the Navy and the country’s emergency response to nuclear incidents.
Hackers have found a path of least resistance by targeting small subcontractors that often do not have the resources for extensive cybersecurity defenses. Last month hackers targeted USAID by compromising an account held with email marketing company Constant Contact.
The DOE has a cybersecurity test called the “Cybersecurity Capability Maturity Model (C2M2),” companies can voluntarily use to assess the security of their networks.
News of the Sol Oriens breach was first reported by CNBC last Friday.
US, UK forge emerging technology R&D partnership
The U.S. and U.K. agreed to forge a partnership over the next two years for developing emerging technologies like artificial intelligence, quantum computers and batteries, under the revised Atlantic Charter signed Thursday.
President Biden and U.K. Prime Minister Boris Johnson struck the agreement ahead of the G7 Summit in Cornwall, England, which promises to increase funding for research and development around climate change, cancer, future disease outbreaks and supply chain security.
Revisions to the 80-year-old charter emphasize democracy and human rights, defense and security, science and innovation, and economic prosperity as the two countries look to counter efforts by foreign adversaries like China and Russia to undermine them and gain a technological advantage.
“We will continue to strengthen collaboration in science and technology,” reads the agreement. “This will facilitate increased joint world-class research, as well as encourage the development of rules, norms and standards governing data sharing, technology, and the digital economy that reflect our values and principles.”
Moving forward the President’s Council of Advisors on Science and Technology and Prime Minister’s Council for Science and Technology will coordinate more closely.
Similarly the new U.S. National Center for Epidemic Forecasting and Outbreak Analytics and the new U.K. Health Security Agency Centre for Pandemic Preparedness will work together to eliminate infectious disease threats before they become epidemics or pandemics. That includes scaling detection with the development of an integrated, global surveillance system, the Global Pandemic Radar, as well as genomic sequencing.
“Enhancing global surveillance is critical to achieving our collective ambition to deliver safe, effective and affordable vaccines, therapeutics and diagnostics within 100 days of a future pandemic threat being identified,” reads the agreement.
With respect to climate change, clean energy technologies are another focus of the partnership.
The revised Atlantic Charter makes it clear the U.S. and U.K. intend to manage potential abuses of emerging technologies through international institutions and laws. That includes opposing disinformation campaigns targeting democratic elections, boosting cybersecurity and maintaining a free and open internet.
On the security front, the charter promises to deliver a “robust” data access agreement between the U.S. and U.K. — given their “appropriately high level” of information protections — to support law enforcement investigations into cyberattacks and terrorism while upholding privacy. Both countries vowed to work with tech companies to further such work.
Biden taps IT company CEO Del Toro to be secretary of the Navy
The president nominated former Naval officer and current CEO of a small IT company, Carlos Del Toro, to be secretary of the Navy.
Del Toro has been president and CEO of SBG Technology Solutions since 2004, according to LikedIn. Prior to this, he served more than two decades in the Navy, including deployments commanding a missile destroyer and working in the office of the Secretary of Defense.
At SBG he worked closely with the federal government on a range of issues, according to a White House statement.
“As CEO and President of SBG Technology Solutions, Del Toro has supported defense programs across a host of immediate and long-term Navy issue areas, including shipbuilding, AI, cybersecurity, acquisition programs, space systems, health, and training,” the statement said.
The Navy has struggled with cybersecurity and modernizing its IT systems. A 2019 report found major gaps in both the Navy and its industrial suppliers’ networks, a problem previous secretaries have tried to prioritize, despite high turnover in the top job.
New-era authentication key widens trusted access to federal resources
The recent wave of highly public cyberattacks has cast a spotlight on last month’s White House executive order on cybersecurity, and the need for agencies to modernize their cybersecurity and authentication systems.
The executive order’s call for implementing zero-trust architecture, and new requirements to focus on more modern authentication strategies, signals an important turning point for government, say cybersecurity experts.

Read the full report.
“This executive order will affect many organizations, both in the public and private sector, that work with the government [including] financial services, healthcare, the public sector, critical infrastructures, high tech, and education,” commented David Treece, Director Solutions Architecture at Yubico in a new report on modernized multifactor authentication (MFA) strategies.
The new directives lay out the need for agencies to implement a more multifaceted and modernized approach to authentication that can support today’s widely distributed and dynamically configured networks, according to a new report, produced by FedScoop and underwritten by Yubico.
The limits of CAC/PIV cards
The report highlights the rapidly evolving nature of authentication tools and the need for agencies to expand upon traditional public key infrastructure (PKI) methods. While the government’s long-established PKI-based Common Access Card (CAC) and Personal Identity Verification (PIV) credentials remain foundational to controlling access to defense and civilian systems respectively, they still have their limits.
Those working in command centers requiring simultaneous access to multiple systems, for instance, can generally only use their CACs to access one system at a time. CAC and PIV cards also require specialized contact-based card readers — to prevent someone from eavesdropping on the traffic that goes between the card and the card reader — making them difficult to use with modern devices such as mobile smartphones and tablets.
Those and other limitations led a small group of engineers from Yubico in 2008 to develop the YubiKey, a hardware security key that utilizes DoD-approved PKI cryptography and Identify Federation Service (IFS) solutions to authenticate users as an alternative to CACs.
YubiKeys provide “a form factor that is as strong as the CAC or the PIV and can be used across multiple devices without a smart card reader,” explains Jeff Frederick in the report. Frederick is lead technical resource for the public sector team at Yubico. The YubiKey has since become a DOD-approved alternative authenticator.
Fast forward to the advent of cloud computing, the ubiquitous reliance on multiple mobile computing devices, and most recently, the massive redistribution of the government’s workforce during the pandemic, and the need for more modern and adaptable alternatives to multi-factor authentication has grown exponentially.
That led Yubico to work with various certificate authority (CA) vendors as well as with Google, Microsoft and other leading technology suppliers to advance the capabilities of remote authentication, says Frederick.
Most notably, Yubico became a founding member of the non-profit FIDO (Fast Identity Online) Alliance, formed to address the lack of interoperability among authentication devices. Yubico engineers have also teamed up with organizations to develop open, scalable and interoperable mechanisms which work effectively in the cloud and ultimately, are aimed at supplanting the reliance on passwords.
That has spawned a comprehensive line up of YubiKeys, capable of supporting multiple authentication protocols, allowing users to access accounts four-times faster than other two-factor authentication (2FA) and cut support calls by 92%, according to the report. And unlike other 2FA, YubiKeys store no data, require no network connection and don’t run on software — which is why users have experienced zero account takeovers.
The report highlight’s Yubico’s latest all-in-one multi-protocol YubiKey 5 FIPS Series is designed to meet the highest authenticator assurance level (AAL3) requirements from NIST for government and regulated industries.
“YubiKeys provide six, multi-factor authentication protocols all on one physical piece of hardware,” says Frederick, including the ability to support both legacy and modern security protocols, using static passwords, one-time passwords (OTP), PIV (smart card), OpenPGP, FIDO U2F and FIDO2. Additionally, Yubico designed the hardware so that the authentication secret is stored on a separate secure chip built into the YubiKey, so that it cannot be copied or stolen.
“Government agencies can use the YubiKey to bridge the gap to the future,” adds Rob Konosky, director for Yubico’s federal defense business. “There’s no reason to wait to start issuing hardware security keys such as the YubiKey to every single, soldier, sailor, airman and marine that has strong authentication needs.”
Download the full report and learn how Yubico can help accelerate your agency’s journey to zero trust.
This report was produced by FedScoop and underwritten by Yubico.
Glavy nominated as top IT officer for US Marine Corps
The Biden administration has nominated Maj. Gen. Matthew Glavy as the next deputy commandant for information of the U.S. Marine Corps.
The deputy commandant post was created in 2017, and is the service’s equivalent of a uniformed CIO.
Glavy will replace Lt. Gen. Loretta “Lori” Reynolds, the current deputy commandant for information. Glavy, if confirmed by the Senate, will get his third star and rise to the rank of lieutenant general.
“Deputy Commandant for Information develops and supervises plans, policies, and strategy for operating in the Information Environment and identifies requirements in doctrine, manpower, training, education, and equipment in order to support Marine Air Ground Task Force operations in the Information Environment,” according to the Marine Corps website.
Glavy currently serves as the head of Marine Corps Forces Cyberspace Command at Fort Meade, Maryland. It is currently unclear who will replace Glavy at the Marine’s cyber component command.
The Marine Corps falls under the oversight of the Department of Navy, and Glavy would work with the top IT official in the department, CIO Aaron Weis. The Department has been working to upgrade its cybersecurity and implement a new “strategic vision” for its IT.
Air Force rolls out new software for flight planning using Cloud One
The Air Force unveiled Tuesday new software that it has been developing that it says will optimize flight planning using its internal cloud provider, Cloud One.
The software, dubbed Joint Open Mission Systems Core Mission Planning (JOMS CMP), is not billed for full deployment until 2027, but the development team at Hanscom Air Force in the interim will work to update the legacy system currently in place. The system being replaced is used to schedule when aircraft take off, get refueled in flight and their directions in the sky.
The software will “provide a more tailored planning session that integrates squadron and user preferences, which reduces workload and optimizes fuel usage,” Jeff Flowers, program manager at Hanscom AFB, said in a press release.
The new software is designed with Joint All Domain Command and Control (JADC2) in mind, the military’s strategy for making an internet-of-things connecting platforms across land, air, sea, space and cyberspace. The idea is that with a cloud-based, modernized software suite being used to plan flight patterns, that data will be more easily sharable. Linking data between machines is core to JADC2, which aims to use artificial intelligence to sift through all the data and be a decision making aid to commanders, and even let machines make some decision themselves.
The old software, Joint Mission Planning System (JMPS), does not provide the flexibility to plan missions in the type of coordinated way called for in the Joint Warfighting Construct that the JADC2 strategy and family of technologies was borne out of.
“We are working to modernize JMPS with a service-oriented architecture that will increase speed, automation, and improve user experience,” Emily Coppin, Airspace Mission Planning Division, program manager, said in the release. “By incorporating a process that is shaped by user feedback, we have been able to synthesize requirements four times faster and provide more flexible and efficient management of developer resources. Through this JMPS sustainment effort, we have been able to shift, even in that old architecture, to a far more agile approach to mission planning software development.”
The software team is also collaborating with the Navy’s Air Combat Command and other organizations in across he military. The idea is the more collaboration on the software, the more interoperable and aligned with the JADC2 technical infrastructures being developed by the Joint Staff it will be.
The Air Force has worked on similar tech in the relatively low-stakes world of flight scheduling, using the data-rich task to test the waters on new data-based tech. In 2019 it signed contracts for using machine learning platforms to optimize pilot training logging. Eventually, the Air Force wants to use machine learning, AI and cloud-based software in applications directly related to waging war.
Army awards L3Harris $3.3B contract for overseas radio equipment and services
L3Harris, the major tech and defense contractor, has been awarded a $3.3 billion contract for overseas radio equipment and communications services by the Army.
It is an indefinite delivery, indefinite quantity contract, and will allow foreign military partners to buy radios through the Army’s Communications-Electronics command.
L3Harris was the only company to bid on the contract, which was awarded by U.S. Army Contracting Command in Aberdeen Proving Ground, Maryland.
The Army manages the sale of certain equipment, such as radios and vehicle platforms, to foreign partners.
Delayed DHS biometrics system’s risk management issues persist
The Department of Homeland Security plans to replace the functionality of its 27-year-old biometrics system, the first increment of a program that was supposed to end this year, in December.
Part of the reason the $4.3 billion Homeland Advanced Recognition Technology (HART) system for fingerprint matching and facial recognition won’t be fully operational is that DHS considered the program low risk until it began updating its assessment process in May 2020.
The Government Accountability Office found DHS still hasn’t updated its policy associated with assessments, so that other high-risk IT programs are aware of the new requirements, and that HART still has three risk management best practices to fully implement, according to a report released Tuesday.
GAO’s report comes a little more than a year after the DHS Privacy Office found partial and unmitigated privacy risks, like those posed by deepfakes and unintended sharing of sensitive information, to HART in an assessment.
The HART program has yet to fully maintain a risk management strategy, develop a risk mitigation plan based off that strategy, or periodically monitor the status of all risks to mitigate them.
As a result, DHS’s existing Automated Biometric Identification System (IDENT) — used to store digital fingerprints and iris scans on foreign nationals for travel, trade and immigration screening by the U.S. and its allies — remains in place. IDENT has data capacity, accuracy and assurance issues known since 2011, and can’t fully support agencies attempting to match biometrics against their data repositories.
Begun in 2016, HART was expected to cost $5.8 billion all told and provide additional biometric services, a web portal, and analysis and reporting tools by 2021. Now the DHS Office of Biometric Identity Management projects that Increment 2 won’t be finished until 2022 and Increments 3 and 4 until 2024.
Once Increment 1 is complete, all agencies will move from IDENT to HART.
Increment 2 will see the addition of multiple matching operations, like using two forms of biometric data to identify someone, while improving accuracy and potentially storage. Development is underway.
Increment 3 covers new tools boosting human examination of biometric data; the web portal; and addition of DNA, palm, voice, scar and tattoo data.
The final increment includes analyses and reporting based on Increment 2 data storage, a holistic view of identities, even more data, mobile access, and elimination of duplicate and inaccurate data.
Neither of the last two increments have been started.
“OBIM’s reliance on an overextended, 27-year-old biometric identity management system to support national security, law enforcement and immigration decisions emphasizes the critical need for OBIM to ensure that further delays, cost overruns, and performance issues with the HART program are avoided,” reads GAO’s report.
The prospect remains difficult because the HART program has also struggled with IT acquisition best practices, introducing more risks to the program.
According to GAO, program officials must: fully review contractor work, monitor all program costs, monitor stakeholder involvement, and maintain bidirectional traceability requirements.
Without this. HART will face further delays, cost overruns and won’t meet agencies needs, according to the oversight body.
GAO recommended DHS address the seven partially implemented best practices it flagged, and DHS concurred — responding that all would be completed between June 30 and December 31.
“DHS remains committed to incorporating feedback to improve its program management and oversight processes,” wrote R.D. Alles, deputy under secretary for management, in the response. “The department will continue to provide its stakeholders with current and accurate cost and funding data through existing mechanisms and will continue to address the IT Dashboard.”