Subscribe to our daily newsletter.
Subscribe

ICE seeks support for app that tracks visa, immigration violators

U.S. Immigration and Customs Enforcement wants a contractor to operate and maintain its application for tracking leads in terrorism and criminal investigations of visiting foreign nationals who violate their visa status.

ICE issued a request for information Tuesday to manage its LeadTrac system — the IT element used by its Counterterrorism and Criminal Exploitation Unit (CTCEU).

The Counterterrorism and Criminal Exploitation Unit last updated the LeadTrac app in 2016 to assist with investigations of suspected terrorists and criminals using the immigration system. T-Rex Solutions, LLC has held the current contract to support and modernize LeadTrac since September 2015.

CTCEU consists of two sections: The Terrorist Tracking and Pursuit Group (TTPG) investigates nonimmigrant visa holders who violate their status, particularly those with suspected ties to terrorism. Meanwhile, the Student and Exchange Visitor Information System (SEVIS) Exploitation Section (SES) identifies immigration fraud at program schools that enroll foreign nationals.

“These sections work together and form an integrated national security force that draws upon government databases to gather and analyze leads on visitors to the United States,” reads ICE’s request for information (RFI) issued Tuesday.

Both sections use LeadTrac to track leads they’ve referred to ICE Homeland Security Investigations (HSI) field offices for further investigation and enforcement.

Contract personnel are expected to use agile sustainment to modify the system to cope with changes in the LeadTrac platform and Amazon Web Services Cloud hosting environments, implement new user requirements, diagnose and fix errors possibly found by users, and increase software reliability to prevent future problems.

The job requires understanding the interfaces LeadTrac relies on for data, as well as those that rely on the app to provide reciprocal data. Personnel also need a knowledge of systems like SEVIS, which are critical to CTCEU’s workflow.

Contractor questions and requests for additional information are due Feb. 10. Submissions to the RFI are due Feb. 18.

Ex-DIU leader calls for tenfold increase in DOD’s budget for emerging technology

The former head of the Defense Innovation Unit called Wednesday for a massive increase in the budget for emerging technology initiatives across the military, including the Joint Artificial Intelligence Center, the Air Force’s Pitch Day and others.

“Now is the time to supercharge DOD access to innovation,” Raj Shah said during a hearing for the House Armed Services Committee’s Future of Defense Task Force. He described the current funding levels of less than $1 billion on “true AI research” to be not much more than a “rounding error” in the more than $400 billion annual acquisition budget the DOD gets from Congress.

Funding for programs and others should be 10 times what it currently is, said Shah, who was the leader of DIU when the Silicon Valley connector was under its previous moniker, DIUx. He called for flooding cash into Pentagon programs that are “bearing fruit” by bringing innovative technology into the DOD, including the DIU, JAIC, Air Force Pitch Day and “many others” as those that should get a boost in their budget. 

Shah’s comments come as Congress waits for the White House’s budget proposal for fiscal 2021. The document, expected to be released next week, will outline the president’s proposed spending for the year and kick off the budgeting process. Other expert witnesses echoed Shah’s recommendations of upping the funding but in different forms. 

New Incentives

Chris Brose, chief of strategy at defense-technology company Anduril Industries, urged the government not to create venture capital-style projects, but instead simply buy more of what the private sector is already creating. The key is to create demand that the private sector can supply, he said. 

“If the Department of Defense and Congress value AI-enabled capabilities, autonomous systems, small drones and other emerging technologies. .. you have to buy more of them,” Brose said.

Brose said that government leaders are “overthinking” the problem and should focus on creating incentives for companies to sell new technologies to the DOD. A critical part of that will be ensuring stable budgeting processes, Eric Fanning, former secretary of the Army under President Barak Obama, said at the hearing. 

“China does not periodically shut down its government, too often we do,” Fanning said.

Sustaining Human Capital

“Our innovation superpower for the past half-century has been our investment in human capital,” Shah said. But those efforts have “withered” in recent years.

Shah recommended creating a special “national security innovation” visa, opening military installations in cities with major innovation hubs and increase opportunities for technology workers to enlist and use their skills on a part-time National Guard-type service.

“I have seen great innovation … however sometimes it has been hard for the innovation taking place in industry to get into the government,” Fanning said. 

CIA reveals multi-cloud C2E procurement details in new draft

The CIA revealed more of its plan Tuesday to evolve the intelligence community‘s commercial cloud operations by contracting multiple cloud service providers split between two distinct environments.

The agency published a new draft request for proposals and a statement of work for its forthcoming Commercial Cloud Enterprise (C2E), which could be awarded as soon as September, according to the documents obtained by FedScoop. C2E is the highly anticipated follow-on cloud procurement to its like-named Commercial Cloud Services (C2S) awarded to Amazon Web Services in 2013 for $600 million.

The pending acquisition could be worth “tens of billions” of dollars, according to earlier contracting documents. According to this latest draft RFP, the contract will have a five-year base with two optional five-year periods.

The new draft RFP stresses the intelligence community’s need to adopt a multi-cloud environment for its unclassified, secret and top-secret networks to “allow cloud services to be selected based on development strategy and project objectives.” The IC would then “gain advantages from use of each CSP’s unique area of investment in technology, cybersecurity strategy, and best practices.”

Additionally, the acquisition will “promote competition and capitalize on commercial investment and innovation,” focus on security from threats inside and out, and look to extend the IC’s reach to “disconnected and low-bandwidth environments.”

“The IC requires an integrated, interoperable cloud ecosystem that promotes mission success through reliable, available, dynamic, and innovative information technology (IT) services with secure access to functions, capabilities, and data anywhere, anytime, and under all conditions,” the statement of work says. “Based on the IC strategic plan, the IC will leverage Government and multiple commercial cloud capabilities that are interoperable and support workflows within and across multiple security fabrics. The goal is to maximize rapid reuse of data and sharing of data in mission systems to support these capabilities.”

Intelligence community CIO John Sherman spoke about the multi-cloud acquisition last summer as a foundation for adopting emerging technologies. Indeed, the language in the draft supports this vision, saying “These capabilities will provide innovative and contemporary technologies such as artificial intelligence (AI), machine learning (ML), and high-performance computing to meet current and future needs. These capabilities require unified security processes and acceptance that enable quick adoption and portability of applications, data, and code. The IC will leverage these capabilities in an approach that favors vendor flexibility, simplifies use and adoption of new and cloud-native technologies, and promotes necessary culture changes.”

The proposed nuts and bolts of C2E

The acquisition will be split between an indefinite-delivery, indefinite-quantity, multiple-award contract for cloud service providers and another integrator/management contract “for multi-cloud management to support the foundational cloud services acquired in the CSP acquisition.”

The CIA says in the draft that it reserves the right to cycle contractors on and off the contract at before exercising a five-year optional period so that the vendor pool “remains dynamic and can respond to emerging requirements and advances in technology.”

The total C2E operational environment will also be split. One part will be the C2E Commercial Environment, which will feature unclassified commercial off-the-shelf and Federal Risk and Authorization Management Program (FedRAMP)-authorized cloud services with fewer security requirements. The other will be the C2E Regulated Environment, consisting of classified secret and top-secret cloud services, as well as what it calls FedRAMP+ augmented clouds — those that meet FedRAMP “with the addition of a select set of security controls” — for handling controlled unclassified information.

The bulk of the draft statement of work sets forth the system and security requirements the CIA envisions providers will need to meet to compete for a spot on the contract.

One pertinent detail for interested vendors: They must “possess a significant market presence in providing public cloud [infrastructure-as-a-service] service offerings. ‘Significant’ is measured and defined as a CSP that has more than three (3) years of market presence, and demonstrates a minimum of $250 million in annual IaaS service revenue over the last 12 months (excluding all managed and professional services) and a minimum of 100,000 virtual machines (VMs) currently in production, operating simultaneously, within its public commercial cloud,” the draft reads.

The CIA is accepting feedback from potential bidders until Feb. 24. The agency will hold a bidder’s conference Feb. 14 “to highlight critical aspects to the solicitation and allow for vendors to ask questions” at MITRE Corp.’s offices in McLean, Virginia.

Government of the future can’t happen if each agency acts on its own, report says

In order to meet the IT modernization, data and workforce expectations of the President’s Management Agenda, individual parts of the federal government must learn to collaborate on multiple levels, according to a new report by the Partnership for Public Service and Ernst & Young.

Through workshops and interviews with government leaders, the authors of the report distilled a vision of the future of government into four component pieces: agencies collaborate internally, agencies work together, agencies engage the public and agencies establish connections with nongovernmental stakeholders.

“In short,” as the report says, “the government of the future will have to be more connected.”

Put another way — and to use one of the government’s favorite buzzy phrases — it’s time to break down silos. But what does that actually mean?

“It starts internally,” Venice Goodwine, chief information security officer at the U.S. Department of Agriculture, said Wednesday morning at the Partnership’s launch event for the paper. “It starts within my agency first … and then across agencies to break down those silos as well.”

She also gave a shoutout to shared services as a mechanism for cross-agency collaboration. “There is no need to spend the investment to rebuild something that’s already been built,” she said. “To interconnect, we need to leverage investment that other agencies have already made.”

For Barbara Morton, deputy chief veterans experience officer at the Department of Veterans Affairs, it’s important to consider the root causes of persistent silos.

“For me the main driver for that is the way we’re budgeted,” she said. “We’re budgeted in silos. So its natural, the natural state of things will be that we’re going to address our vertical, we’re not necessarily going to think horizontally because our dollars are aligned to our vertical.”

That said, Morton says she sees civil servants who are trying to fight this “gravitational pull” of money, and that bodes well. As an example the PMA’s cross-agency priority goals, she said, are a chance to build collaboration networks.

Finally panelist Nancy Potok, former chief statistician of the U.S., warned attendees to move beyond the words of “breaking down silos” to the actual work of it.

“I’ve heard for decades people talking about breaking down silos in government,” she said. But it doesn’t mean much if it stops there. “Where I’ve seen success is where people have been able to move beyond the rhetoric,” she said.

“It won’t work in general. It’s got to be a specific, tangible problem that people are really tackling and that you can see makes a difference. And then you move on to the next problem, and over time you’ve changed the culture to a problem solving ‘let’s improve culture’ as opposed to let’s sort of talk about this and fill out the templates and keep doing what we’ve been doing forever.”

VA’s Wilkie: EHR modernization unimpeded after Byrne’s removal

Department of Veterans Affairs Secretary Robert Wilkie stressed Wednesday that even though he fired his deputy overseeing the department’s ongoing electronic health record modernization Monday, the project is moving forward as normal.

Deputy Secretary James Byrne’s removal “will not impact it at all,” Wilkie said at a press conference at the National Press Club. As VA’s No.2, Byrne was the top accountable official for the modernization project.

The project is a massive migration of the electronic health records of millions of veterans from the outdated Veterans Information Systems and Technology Architecture (VistA) platform to a cloud-based commercial Cerner system. The department is working in partnership with the DOD to ensure seamless interoperability between the two as active service members retire and depend on VA health services.

Byrne’s firing was simply a matter of “not gelling” with other members of the team, Wilkie said in response to questions from reporters, denying that it had anything to do with the handling of a highly publicized sexual harassment case at a VA hospital in September. In an earlier statement, he said he had a “loss of confidence” in Byrne.

Two other high-ranking VA officials overseeing the day-to-day management of the EHR program — John Windom and Melissa Glynn — remain in place, Wilkie said, and he has confidence their work will continue as planned. The VA will give the White House names of candidates to replace Byrne soon.

While Wilkie didn’t directly address if the launch of the modernized EHR is still scheduled for late March, he said “I expect us to be able to launch this. The mission goes on.”

The first 5G hospital

Wilkie listed other emerging technology initiatives the VA is pushing Wednesday. For instance, the first 5G VA hospital in the country, the VA Medical Center in Palo Alto, Calif., will go online later this week, he said.

The hospital will use 5G speed and bandwidth to give doctors “richer” and “more detailed” patient information, Wilkie said. Having more information delivered with lower latency will be a “breakthrough” for surgeons in the operating room, the sectary added.

Officials worry Iran will target defense contractors with cyberattacks

The Department of Defense remains on alert for retaliation in cyberspace for a U.S. attack that killed a top Iranian general. But security experts and federal officials warn that Iran could target the military another way — through potentially vulnerable defense contractors.

Weak cybersecurity practices in the complex DOD supply chain could make those companies attractive targets if Iran wanted to strike a measurable blow against the U.S., experts said at a panel Tuesday on Iranian cyberattacks hosted by the Institute for Critical Infrastructure Technology. Nation-states like China already have shown such is possible, siphoning billions of dollars from the defense industry through the digital theft of intellectual property.

“In the cyber realm, Iran is more likely to act out now,” said Jamil Jaffer, vice president of strategy at IronNet Cybersecurity and a former Department of Justice official. Iran is on the short list of countries known for harboring or sponsoring advanced persistent threat (APT) groups tied to sophisticated cyber-operations. 

Two officials from the Department of Defense Cyber Crime Center, Ronnie Obenhaus and Christopher Burke, stressed that businesses that do work with the DOD could be targets, along with the financial, health and energy sectors. The Cyber Crime Center is the organization that contractors report to when they are breached.

The threat to private businesses — defense contractors or not — is not new, with senators from both parties warning small businesses of potential attacks.

“We are concerned that small businesses may not have the information and tools necessary” to implement cybersecurity practices recommended by the Department of Homeland Security in the wake of the U.S. attack that killed Iran’s top general, Sens. Marco Rubio, R-Fla., and Ben Cardin, D-Md., wrote in a letter to the Small Business Administration in January.

So far, the the only publicly reported retaliation for the Jan. 3 airstrike that killed Gen. Qassem Soleimani was a missile attack five days later on a U.S. military facility in Iraq.

‘Tune your sensors to the proxies’

The complexity of the threats and avenues for an attack only makes things more dangerous. For instance, Iran could retroactively claim responsibility for an attack carried out by a rogue group, proxy or even other nation-states, warned Gregg Kendrick, U.S. Marine Corps Forces Cyberspace Command executive director.

“The risk is pretty high,” Kendrick said proxies getting involved. “Iranian proxies are going to feel the need to draw attention to themselves.”

Further muddling attribution, other countries could even mask their own attacks to look like Iran, particularly Russia and its “wiley cat” leader, Vladimir Putin, Kendrick said.

“They are not going away anytime soon,” Kendrick said of proxy attacks. “Tune your sensors to the proxies.”

Meanwhile, the warning comes as the DOD is trying to ramp up the cybersecurity standards for the defense industry to prevent exactly this scenario. The department published the Cybersecurity Maturity Model Certification (CMMC) standards Friday to place new information security requirements on defense contractors that handle the Pentagon’s sensitive information.

It is a major step to securing the military’s complex supply chain that makes for a vast attack surface. Contracts should start to contain CMMC accreditation requirements later this fall, and if contractors don’t meet them, they won’t be able to bid on those contracts.

“Know what your company makes and who wants it,” said Obenhaus, deputy chief of analytics for the DOD Cyber Crime Center.

DHS, agencies need to improve compliance on cybersecurity directives, GAO says

The Department of Homeland Security and the civilian agencies that receive its binding operational directives (BODs) must do more to ensure that those cybersecurity mandates are followed in full and on time, according to a new Government Accountability Office report.

GAO audited the five-step BOD process across the five directives that were in effect as of December 2018, at a random sample of 12 civilian agencies. The congressional watchdog agency found that DHS doesn’t always coordinate with stakeholders when developing directives or consistently validate agencies’ self-reported actions toward addressing the mandates.

“DHS is not well-positioned to validate all directives because it lacks a risk-based approach as well as a strategy to check selected agency-reported actions to validate their completion,” reads the report.

The Federal Information Security Modernization Act of 2014 (FISMA) gives DHS the authority to issue BODs, which require agencies to do things like better secure their websites or email systems, lest they remain vulnerable to cyberattacks. Since 2015, DHS has issued eight BODs.

While DHS has started holding regular coordination meetings with the National Institute of Standards and Technology — which provides governmentwide expertise for cybersecurity policies — the GAO says the department often only reached out to NIST one to two weeks before issuing a BOD and ignored technical comments.

DHS, as a result, risked writing directives that conflicted with NIST guidance, GAO says.

A 2015 BOD gives agencies 30 days to mitigate critical vulnerabilities uncovered by DHS scans of their internet-accessible systems. Agencies achieved 87% compliance in 2017, though that number dropped to 85% in 2018 and 61% in 2019 — the decline attributed to the 35-day partial government shutdown from late December 2018 to late January 2019.

Still, about 2,500 vulnerabilities out of 3,600 discovered were mitigated through four years.

Agencies also mitigated risks to more than 11,000 devices after DHS issued the 2016 Threat to Network Infrastructure Devices directive having them address several “urgent vulnerabilities” targeting firewalls across federal networks.

GAO recommended DHS determine when to coordinate with stakeholders when developing directives, as well as develop a strategy for validating agencies’ self-reported actions — using a risk-based approach when possible.

Two other recommendations pertained to DHS’s Securing High Value Assets directive, which is designed to protect agencies’ most critical information and systems.

DHS leads in-depth assessments of high-value assets that agencies identify, but GAO found its performance metric didn’t allow agencies to submit remediation plans when a weakness couldn’t be addressed within the BOD’s 30-day timeframe. GAO recommended realigning the metric.

In fiscal 2018, DHS only completed 61 of 142 required high-value asset assessments, and in fiscal 2019 that number was 73 out of 142 assessments — leaving 150 remaining. DHS has no schedule for completing a reassessment of the program.

DHS also doesn’t plan to finalize guidance for agencies, contractors and independent assessors on conducting reviews of assets not included in its review until the end of fiscal 2020.

GAO recommended developing a schedule and plan for addressing these outstanding issues and identifying the resources it needs. DHS concurred with all four recommendations.

Federal agencies need to improve hiring flexibility in battle for IT talent

Google wins Air Force EITaaS award for IT security

The Air Force awarded a $2 million prototype contract to Google for IT and network security services as part of the branch’s larger Enterprise IT-as-a-service (EITaaS) effort.

The contract, which was awarded in December, extends the Air Force’s larger EITaaS push, which includes network-as-a-service, end-user services, and compute and storage.

Through the other transaction agreement contract, Google will also “assess the Air Force’s current enterprise IT landscape and measure the digital experience of Airmen across the Air Force,” according to a news release published Monday. The tech giant will assess how to get the “right data at the right time” to airmen and bring “scalable and secure” networking into the Air Force’s enterprise systems.

“We want to understand how Google provides secure and reliable access to data,” Capt. Trey LaSane, EITaaS project officer in the service’s Command, Control, Communications, Intelligence and Networks Directorate, said in a press release. “We ultimately want to enable a more secure platform, where we are able to identify users and ensure they have the appropriate permissions to connect them with the data they need.”

On top of this, the Air Force also hopes to work with Google to “develop a plan to potentially integrate its commercial solutions at an Air Force test site, exploring the future viability for innovative solutions across the Air Force enterprise,” the release says.

The EITaaS program is meant to bring in commercial providers to provide basic IT services so that the Air Force can free up airmen for more specialized, cyber-focused network defense and mission assurance. The first OTAs were signed in 2018 to the tune of $127 million, and more have been awarded since then.

Air Force Deputy CIO Bill Marion has long championed the move. 

“We want our airmen transitioning from running email and boxes to focusing on cyberdefense,”  Marion said in 2018. “Every time we move to the cloud, the intent is to free up cyber-operators for the Mission Defense Teams.”

These OTAs are designed to be small experiments, Marion told FedScoop in October, but the hope is that if successful, they will scale into larger contracts that impact the entire Air Force enterprise.

“Everybody wants us to go faster, and we want to go faster, but if you go too big, big-bang IT typically fails,” he said.

The National Archives is looking for some more cloud

The National Archives and Records Administration (NARA) needs more “flexibility and efficiency” from its cloud services.

The independent agency posted a request for information recently, soliciting feedback from companies on a potential plan to replace its enterprise cloud contract. The contract listing is called “Platform & Infrastructure for Cloud Archives & Records Depositories” or, in acronym form, PICARD.

The requirements of a new cloud contract spring from the directive that NARA transition to fully electronic record keeping, and stop collecting paper records, by the end of 2022.

“Beginning January 1, 2023, all other legal transfers of permanent records must be in electronic format, to the fullest extent possible, regardless of whether the records were originally created in electronic formats,” an Office of Management and Budget memo from July states. “After that date, agencies will be required to digitize permanent records in analog formats before transfer to NARA.”

NARA currently uses Amazon Web Services, but is considering moving to multi-cloud. The agency recognizes that “other agencies transferring records to NARA could be transferring them from any cloud hosting environment and NARA needs to be prepared for ensuring efficient transfer of records into its legal and logical custody.”

The agency also has new functionalities in mind, and as such “requires the flexibility to expand its cloud presence.”

Responses to the RFI are due Feb. 20.