DOD asks for $112B in R&D funding in budget request

The Department of Defense is asking Congress to increase its overall research, development, test and evaluation (RDT&E) budget by more than $5 billion in fiscal 2021, a request that leaders have been teasing in the months before the official budget request was published Friday.

The department is seeking $112 billion for RDT&E, which represents a 5% year-on-year increase from enacted levels in fiscal 2021, and is the largest ever such demand.

The overall budget request for fiscal 2022, which was published earlier in April, comes in at $715 billion.

Defense Secretary Lloyd Austin told lawmakers Thursday that the budget announced Friday would have “the largest ever request for [research, development, test and evaluation] for the development of technologies.”

“Our effort is to make sure that we have the ability to leverage quantum computing, AI [and] space-based platforms,” he told the House Appropriations Defense Subcommittee. He added the funding was also to ensure that the DOD could “not just leverage these capabilities but network these capabilities in ways they have never been networked.”

The DOD’s budget request includes a slight boost to artificial intelligence funding: this year’s request is $874 million, up from the $841 million in last year’s request.

Austin and the department’s No. 2 civilian, Deputy Secretary Kathleen Hicks, have emphasized the need to invest in new technologies, like AI, cybersecurity, and new concepts of operations that use them, while divesting from legacy systems.

“Our fiscal year [2022] budget will provide early insight into our strategic approach,” Hicks said at the Aspen Security Forum in early May. “It will support defense research, development, test and evaluation funding. This will lead to breakthrough technologies that drive innovation and underpin the development of next-generation defense capabilities.”

While overall spending would get a boost if the budget is approved by Congress as is, the Army would see a more than $1 billion cut in its R&D budget, a reflection of a shift to focusing on the Indo-Pacific region where other services like the Navy and Air Force are expected to play a bigger role. The Air Force and Navy combined would get a more than $5 billion bump.

Army funding was also cut as its soldiers begin to withdraw from Afghanistan, DOD acting Comptroller Anne McAndrew told reporters Friday.

Another boost came in cyberspace activities, where the DOD has requested $10.4 billion, compared with a $9.8 billion request for fiscal year 2021.

To account for the boosts in funding for research and development, cyber and other tech, the request seeks $2.8 billion less in funding across a range of legacy systems, including the Army’s IT budget and some intelligence, surveillance and reconnaissance (ISR) tech from special operations command.

White House allocates $9.8B to cybersecurity in 2022 budget request

Just over two months after receiving roughly $2 billion in emergency funding for tech and cybersecurity modernization, the Biden administration wants more money from Congress to build on those investments.

The White House has asked for $500 million to be added to the federal government’s Technology Modernization Fund and $9.8 billion to go specifically toward civilian cybersecurity programs across the government — up from about $8.7 billion for fiscal 2021 — according to its fiscal 2022 budget request released Friday.

With the passage of the American Rescue Plan in March, the TMF received a $1 billion injection, which the TMF Board has since said it will prioritize for the most pressing modernization and cybersecurity needs across government.

The TMF is a central pot of appropriations intended to fund modernization projects under the stipulation that participating agencies pay back the funding within a set time, typically five years. However, the board recently introduced new repayment flexibilities for higher priority projects to encourage agencies to apply for funding.

“With the continuously evolving IT and cyber landscape, these investments are an important down payment on delivering modern and secure services to the American public, and continued investment in IT will be necessary to ensure the United States meets the accelerated pace of modernization,” says the administration’s budget proposal.

Rep. Gerry Connolly, D-Va., a top advocate in Congress for federal IT modernization, told FedScoop in an emailed statement he is happy to see the call for additional support through the TMF. Connolly was a co-author of the Modernizing Government Technology (MGT) Act, which was signed into law in late 2017 and created the TMF.

“I am pleased to see that the Biden Administration continues to recognize the importance of investing in the federal government’s IT and cyber infrastructure through the Technology Modernization Fund,” Connolly said. “The MGT Act established the TMF with two significant goals in mind: to improve information technology and enhance cybersecurity across the federal government. Those goals are essential to the success of the government, both now and in the future.”

Appropriators, however, have been hesitant in the past to fork over money to the nascent TMF program until it’s a proven, successful model. And with $1 billion already sitting in the fund, appropriators may want to see some evidence that that emergency funding is spent meaningfully before handing over an additional $500 million, said Matthew Cornelius, executive director of the Alliance for Digital Innovation.

“There’s this weird dynamic where there’s still an incredible amount of political support from the administration, both from the previous as well as this one, on the TMF,” Cornelius told FedScoop. “But there’s also a real need to change that operating model that was sort of instituted three or four years ago in order to get that $1 billion out and to then make the case for why the additional $500 million is needed.”

To date, the TMF program has “awarded ten initiatives a total of approximately $79.4 million,” the budget document says. Until the American Rescue Act, only $175 million had been put into the fund over four appropriation cycles.

Ultimately, it will come down to the House Appropriations Subcommittee on Financial Services and General Government to prioritize its 2022 allocations toward the TMF, Cornelius said. So, the agencies in charge of TMF administration — the Office of Management and Budget and the General Services Administration — should work over the next few months to make good headway awarding some of that $1 billion, he said.

“If OMB and GSA get their act together, really push forward quickly on high priority projects where they spend a good chunk of that billion that they’ve been given here over the next four to five months as they continue to make their case to the appropriators, there’s an opportunity for them to get more money in there,” Cornelius said.

Cybersecurity would see a solid boost

Of the greater $9.8 billion proposed for civilian cybersecurity, $110 million would go to support the Cybersecurity and Infrastructure Security Agency’s federalwide cybersecurity efforts and $750 million to agencies affected by recent cyberattacks, like the sweeping SolarWinds hacks, “to address exigent gaps in security capability,” the proposal says. CISA got $650 million in emergency funding under the American Rescue Plan.

“These resources would better enable Federal agencies to protect technology and safeguard citizen’s sensitive information from the threats posed by cybercriminals and adversaries,” the budget proposal says. “Agencies will continue to improve cybersecurity practices, implement supply chain risk management programs, develop coordinated vulnerability disclosure programs, and improve cyber threat intelligence analysis.”

Just Thursday night, it was revealed that the U.S. Agency for International Development was the latest federal agency to be hit by a cyberattack, reportedly by the same Russian hackers responsible for the SolarWinds breach, according to Microsoft.

Additionally, the budget proposes setting aside $15 million to support the launch of the White House’s Office of the National Cyber Director position.

Despite the uptick in money requested for cybersecurity, what the budget proposal doesn’t seem to account for is the new mandates from the Biden administration’s recent cybersecurity executive order, Cornelius said.

“Because of the timing from the budget and the EO, there’s really not money in the budget to implement any of that stuff,” he said. Outside of the additional $860 million combined that would go to CISA and to address recent hacks, most of the additional cybersecurity request increase is for “plus ups…independent of the additional activity they’re going to have to take on as part of the EO,” Cornelius pointed out.

These elements fall under a larger federal-wide civilian IT proposed budget of $58.4 billion for 2022, up from the $57.1 billion estimated for this current fiscal year.

These figures do not include the Department of Defense’s IT budget, which is released separately. As context, DOD requested $38 billion for IT in fiscal 2021.

The budget proposal mentions a number of other IT initiatives the administration looks to support, such as IT workforce development, the Federal Data Strategy and the U.S. Digital Service, but it doesn’t explicitly provide information on their funding. USDS got $200 million under the American Rescue Plan, multiplying several times over what the organization has received in funding so far during its short life.

Lawmakers introduce bill to create federal rotational program for cyber experts

Lawmakers have introduced a bipartisan bill that would create a rotational program within the federal government for cyber experts from the private sector.

Rep. Ro Khanna, D-Calif., and Rep. Nancy Mace, R-S.C., on Friday introduced the Federal Rotational Cyber Workforce Program Act in the House of Representatives. It is the same version of a bill that was last month introduced in the Senate by lawmakers on both sides of the aisle.

The proposed legislation aims to solve the difficulty faced by the federal government in obtaining the top cyber and tech talent needed to counter sophisticated threats from foreign actors. Federal government agencies have in recent years faced challenges recruiting top cyber and technology talent, in large part because of the pay differential between the private and public sectors.

If passed, the legislation would create a dynamic, prestigious program that allows senior tech industry staff to work for the U.S. government for a defined time period.

Participants would be able to return to their original position, or similar, in the private sector once their time in the program has ended, according to the bill. It encourages agencies to identify positions for rotation that have a focus on multi-agency, integrated cyber missions.

The legislation would mandate that the Office of Personnel Management lead the program in consultation with the Chief Human Capital Officers Council, the Chief Information Officers Council, and the Department of Homeland Security.

It also requires the Government Accountability Office to study the program’s effectiveness during a pilot.

After consideration by lawmakers, the bill will next move to the House Committee on Oversight and Reform for scrutiny.

Commenting on the legislation, Rep. Khanna said: “Silicon Valley has and will continue to lead the world in creativity & scientific discovery, but we can’t rely on private investment alone to protect our cyber-infrastructure from bad actors.”

“The federal government, America’s largest employer, must lead. This dynamic rotational program will give our cyber professionals the wide-ranging experience they need to defend us from growing threats abroad,” he added.

Rep. Nancy Mace said: “This program will equip not only our current generation of cybersecurity professionals but our next, ensuring America’s grid is prepared for attack. To strengthen our cybersecurity workforce is to strengthen our national defense.”

Speaking to FedScoop earlier this month, a senior procurement official said that in some cases staff working in the private sector can receive up to ten times the salary compared with a similar public sector position.

USAID hit with cyberattack by Russian-backed group Nobelium: Microsoft

The Russian-backed group reportedly responsible for last year’s sweeping SolarWinds hacks has once again breached a federal agency — this time the U.S. Agency for International Development.

Hackers within the Russian group Nobelium are believed to have accessed USAID’s Constant Contact email marketing service account, according to Microsoft, which published a blog post late Thursday on the attack. Once the group had access to the USAID account, it began a larger intelligence-gathering phishing campaign targeting 3,000 email accounts at more than 150 different organizations, including other agencies, think tanks, contractors and non-governmental organizations.

It’s unclear from the blog post whether the attackers accessed other USAID systems or data. Microsoft did not comment beyond the information in the blog posts.

“[T]he actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft’s Tom Burt wrote in the blog post. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”

Microsoft said it detected the activity this week and said that its services automatically block many of the attacks, adding that there’s “no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.”

Microsoft began tracking the so-called spear-phishing campaign — where an attacker uses social engineering and deception, often via email, to target specific individuals — in February, but the situation escalated in April, the company said, before the USAID emails were sent May 25.

The incident remains active, according to Microsoft, and the company will add more details when they become available.

“Microsoft security researchers assess that the Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” the company said in a separate post. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”

The Nobelium group is believed to have been responsible for the SolarWinds attacks that have affected at least nine federal agencies and many more organizations within the contracting base and wider industry. In this latest breach, however, Microsoft says that the group took an approach that “differs significantly” from the SolarWinds campaign, which targeted the firm’s Orion software to access victims’ networks.

News of the ongoing campaign comes as President Joe Biden is set to take a meeting with Russian President Vladimir Putin in Geneva next month as the U.S. looks “to restore predictability and stability to the U.S.-Russia relationship.”

In a statement to FedScoop, USAID acting spokesperson Pooja Jhunjhunwala said: “The U.S. Agency for International Development (USAID) became aware of potentially malicious email activity from a compromised Constant Contact email marketing account.

“The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).”

A spokesperson for Constant Contact said: “We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts.

“This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”

DHS awards four EIS task orders worth $306M to AT&T

The Department of Homeland Security has awarded four Enterprise Infrastructure Solutions (EIS) task orders for modernizing its telecommunications infrastructure with Internet Protocol-based networking services to AT&T.

Worth a combined $306 million over 12 years if all options are exercised, the task orders cover networking services supporting the DHS headquarters, as well as Immigration and Customs Enforcement, Cybersecurity and Infrastructure Security Agency, and Science and Technology Directorate.

Unlike most departments, DHS is awarding upward of five EIS task orders ahead of the Networx contract’s expiration on March 31, 2023, but these most recent awards were protested first by Lumen Technologies and then Verizon. Those protests were denied by the Government Accountability Office, and now work can proceed.

“We’re honored DHS selected us to modernize its communications capabilities with an IP-based infrastructure,” said Stacy Schwartz, vice president of FirstNet and public safety at AT&T, in a statement. “We expect the networking transformation to power the many missions of DHS agencies into the future.”

DHS agencies will soon be able to access data networking, voice collaboration, equipment, security and labor, as well as FirstNet priority communications for public safety personnel.

Software-defined wide area network (SD-WAN) and other cybersecurity protections will reduce the number of agencies’ internet connections, and therefore their attack surface. Fewer connections also permit improved monitoring, in keeping with the zero-trust security model, which has become an increased focus in the aftermath of high-profile hacks like SolarWinds.

Atlantic Council calls on U.S. gov to strengthen cyber strategy and accelerate quantum tech

The U.S. government and its allies should strengthen their cybersecurity strategy and accelerate the operationalization of quantum technologies, according to a leading D.C. think tank.

In a report published on Wednesday, the Atlantic Council issued recommendations for maintaining the country’s leadership in science and technology, and for preserving the resilience of its physical and IT supply chains.

According to the study, which was conducted by the think tank’s Commission on the Geopolitical Impact of New Technology and Data, the federal government must support technological development across many separate spheres of society.

The Atlantic Council says the federal government should offer greater support for technologies that underpin the growth of digital economies, as well as more support for innovation that enlarges the spaces where societies operate, such as sub-sea technology.

The Atlantic Council also recommends additional backing for the development of artificial intelligence.

“The sophisticated, but potentially fragile, data and tech systems that now connect people and nations mean we must incorporate resiliency as a necessary foundational pillar of modern life,” said David Bray, director of the Council’s Geotech Center.

“It is imperative that we promote strategic initiatives that employ data and tech to amplify the ingenuity of people, diversity of talent, strength of democratic values, innovation of companies, and reach of global partnerships,” added Bray, former CIO of the FCC.

The recommendations come after the Biden Administration in March published its interim national security strategic guidance, which identified cybersecurity as a “top priority,” and said it would strengthen the country’s capability, readiness and resilience in cyberspace.

According to the Atlantic Council, a revamped strategy is crucial for the country’s national and economic security, and it must also work to increase trust and confidence in the digital economy.

Federal government concerns over cybersecurity have come to the fore in recent weeks, amid a surge in ransomware attacks on private and public sector entities, including the recent attack on Colonial Pipeline.

The U.S. is also racing to build a new generation of supercomputers, supported by federal departments including the Department of Energy. It is hoped that exascale computing will have a key role to play in the future energy security of the country, by allowing more efficient management of the energy grid.

The think tank is also calling for wider federal oversight of supply chain assurance and said more must be done to harden the security of commercial space industry facilities and space assets. The latter recommendations follow a report by NASA’s oversight body earlier this month, which identified major cybersecurity weaknesses at the organization.

The Atlantic Council is an Atlanticist U.S. think tank focused on international affairs, which was founded in 1961.

NIST to consolidate existing supply chain guidance before issuing new recommendations

The National Institute of Standards and Technology (NIST) will consolidate existing supply chain guidance before identifying gaps on which new standards are based, according to a computing security chief at the agency.

The institute is under pressure to issue separate guidance on protecting critical software and testing source code within 60 days and broad standards on supply chain security within 90 days, as the U.S. government races to respond to recent supply chain attacks like the SolarWinds hack.

Testifying before the House Science Committee on Tuesday, Matthew Sholl, who leads the computer security division of NIST’s Information Technology Laboratory, said the agency was “on track” to deliver new supply chain security standards.

Sholl also said that the agency would deliver the recommendations within the condensed timeframe afforded by President Biden’s recent cybersecurity executive order.

“The initial deliverables might be short. But we also plan on staying persistent on these issues over a much longer period of time,” he said.

In addition to establishing secure software requirements and security measures for software testing, NIST is working on two pilot labeling programs that will help agencies understand the security properties of software they might use.

Lawmakers have expressed concern that NIST may not have the necessary resources to meet the tight deadlines. Its cyber and privacy portfolio received funding of only $78 million in last year’s budget.

“I do worry we are increasingly asking NIST experts to do exponentially more work, more quickly, without necessarily the adequate resources,” said Rep. Haley Stevens, D-Mich., who chairs the Research and Technology Subcommittee that oversees the institute.

Sholl made no mention of resource constraints in his testimony.

The Government Accountability Office continues to investigate the SolarWinds hack, and will compile a public report on the incident, which is due to be released later this year.

In a December report on supply chain risk management, GAO found that none of the 23 Chief Financial Officers Act agencies had implemented all the recommended best practices, and 14 had not even started to address the implementation of best practices.

NIST first released its Cyber Supply Chain Risk Management guidance in 2015, followed by its Secure Software Development Framework. And the Office of Management and Budget began directing agencies to address supply chain issues in 2016.

Department of Veterans Affairs oversight body highlights $2.6B IT overspend

The Department of Veterans Affairs underestimated the cost of “physical infrastructure” upgrades in its electronic health record modernization program by as much as $2.6 billion, the department’s inspector general found.

The massive modernization program is in year three of its 10-year timeline with a projected $16 billion price tag. But those costs might increase due to physical infrastructure needs the VA hadn’t initially planned for — things like electrical work, cabling, and ventilation that allow IT infrastructure upgrades to properly function.

“The lack of reliable cost estimates was caused in part by insufficient planning at the outset of the program. [Office of Electronic Health Records Modernization] leaders stated that at the beginning of the program the focus was on the EHRM contract and the system itself, rather than infrastructure,” the report stated.

The program is designed to be a complete overhaul of the VA’s health IT system, with a new cloud-based system from Cerner hosting billions of medical records and supporting all new interfaces for medical staff. The goal is to eventually integrate the VA’s system with a similar digital medical system the Department of Defense is migrating to so service members separating from the military can seamlessly transition to veteran care.

Lawmakers have been critical of the VA’s potential to go over budget and schedule, a concern shared by new VA leadership. The VA twice had to delay the launch of the new system at the first launch facility in Spokane, Washington; one of those delays was caused by the pandemic. Since the EHR’s launch, lawmakers have highlighted instances where the tech has had negative medical impacts, like delayed prescription refills.

The OIG found several missteps and a lack of thorough review to be at fault in VA’s underbudgeting. The department did not seek an independent review of its cost estimates, in violation of its own financial policies, the IG said.

“An independent cost estimate is a complete and fully documented estimate that external or third parties develop and use to test the reasonableness of the program cost estimate,” the report stated. “Thus, it likely would have revealed many of the issues found during this audit and would have allowed VHA to take earlier action to improve the reliability of its estimates.”

One of the most underestimated costs was the price of replacing cabling nationwide. Despite VA leadership signing memos instructing the replacement of cabling, the nearly half-billion-dollar cost was not included in estimates.

“[N]ationwide cabling costs should be included as part of the cost estimate because upgraded cabling is required prior to full system deployment,” according to the report.

The VA has steadily increased its IT budget requests in the past several years to account for more than just the EHR requirements. In 2020, then-Secretary Robert Wilkie told Congress the VA is playing catch up after years of neglect in its tech systems.

“I will admit that VA has been underfunded on the IT front through the past several decades,” Wilkie told members of the House Veterans’ Affairs Committee. “We were right at the bottom.”

DHS oversight body finds data handling concerns across department agencies

“Persistent” data collection and management issues hinder daily use of large, diverse databases for decision-making across Department of Homeland Security (DHS) agencies, according to its Office of Inspector General (OIG).

DHS’ OIG reviewed reports between fiscal 2017 and 2019 for recurring and systemic data issues and found 70 instances of integrity, reliability and availability problems throughout more than one-third of reports.

“[F]ollow-through and continued improvement will be essential to address the internal control issues underlying the data deficiencies we highlighted,” read the OIG’s report, which was issued Monday. “Only then can the department be assured it captures reliable and accurate data to accomplish its mission responsibilities.”

The OIG flagged 82 internal control deficiencies across five categories that have reduced the quality of data: security and technical controls, program and operational oversight, guidelines and processes, system design and functionality, and training and resources.

In response, DHS rebuffed the report’s findings, but said there would always be opportunities to improve the use of its data assets.

“DHS strongly disagrees with the report’s overly broad conclusion that personnel ‘do not have essential information they need for decision-making or to effectively and efficiently carry out day-to-day mission operations.’

“The OIG provides no direct evidence nor, to our knowledge, completed any analysis with the level of methodological rigor necessary to support this conclusion,” the department’s GAO/OIG liaison office said.

Previous reports by the DHS OIG have identified data security deficiencies, and established that they put financial data at risk of unauthorized access and disclosure. They also show that a number of national security systems lacked current Authorities to Operate (ATOs).

Other information identified to be at risk in prior reports includes unmanned aircraft data within Customs and Border Protection’s Intelligence, Surveillance, and Reconnaissance Systems, and personally identifiable data in the Office of Health Affairs’ Electronic Patient Care Reporting system and BioWatch portal.

Case management and investigative data in Secret Service systems, immigration data in U.S. Citizenship and Immigration Services’ CLAIMS3, and cybersecurity data in the National Protection and Programs Directorate’s unclassified and top secret Mission Operating Environment systems have also previously been found to be at risk.

In addition, inaccurate and incomplete data meant the Office of the Chief Human Capital Officer had trouble conducting a cybersecurity workforce analysis that counted and coded contractors and tracked training efforts, according to a prior report.

DHS OIG has suggested looking to the department’s IT Strategic Plan and Enterprise Data Strategy, which expires this year, as well as the Federal Data Strategy to continue modernizing systems.

“[M]anagement should design information systems and controls to ensure the data recorded is accurate and valid,” the report said. “DHS requires the integration of quality into every phase of information management including creation, collection, maintenance and dissemination.”

CMMC accreditation chief says assessor training coming ‘mid-to-late’ summer

The long wait for those who want to be certified assessors for the Department of Defense’s new contractor cybersecurity standards might be over this summer, according to the CEO of the organization overseeing training.

According to a public letter and attached FAQ signed by Matt Travis and issued on Wednesday, training for assessors will begin in “mid-to-late summer 2021.”

Travis is the new CEO of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB), which is the organization responsible for implementing new CMMC standards. Assessors are a critical part of the procurement ecosystem, and for implementing sweeping new cyber standards for all of DOD’s 300,000 contractors.

“I know many of you are eager to learn of when the CMMC ecosystem will kick into full operational gear. I will say this―we are getting close,” Travis said. “We are on the cusp of reaching some exciting milestones in the coming weeks.”

It’s been a long-promised start for a scheme that the AB has previously delayed. In April 2020 the then-board chair, Ty Schieber, said the AB was in the “final stages” of putting the training together. The AB has a group of randomly selected “provisional assessors” that will give feedback on the process, but no fully accredited assessors will be appointed until all testing and accrediting is complete.

Without trained and certified assessors, there will be no one to inspect the networks of contractors that will need third-party approval that they are meeting one of the cybersecurity levels in the five-tier CMMC model. By fiscal year 2026, all contracts will have CMMC requirements that will mandate contractors get an assessment to continue working with DOD, with minimal exceptions.

It is one of the many parts of the ecosystem that must move forward if a timeline dictated by DOD is to be kept. It’s separate from the training and certification of Certified Third Party Assessment Organizations (C3PAOs), which has also faced some delays. Certified assessors are individuals who will be hired by C3PAOs to assess DOD contractors.

The AB, which oversees the ecosystem and implementation of the CMMC program, also recently hired a new member of its professional staff to oversee training. Melanie Kyle Gingrich will be vice president for training and development and will oversee the AB’s initial training course, as well as organizations licensed by the AB to conduct the future training of assessors.