Air Force develops maturity model for zero trust across the department

The Air Force is developing a maturity model to help broaden its implementation of zero-trust principles in the foundation of its network architecture, its top IT official said Thursday.

The Air Force has found success with initial zero trust projects, like Platform One, the service’s DevSecOps initiative, where the network architecture is built so that no “trust” or wide access is given to any user, whether familiar to the network or not. Now, the Air Force is trying to move beyond individual projects to implementing zero-trust principles at the enterprise level, Lauren Knausenberger, Air Force CIO, said Thursday during a Dcode event.

“The vision is for the future to be completely zero trust…where we are able to collaborate seamlessly with all of our allies,” she said.

The maturity model will help network administrators and IT professionals across the Air Force bring their architectures in line with zero trust. The model highlights critical elements of the process like ensuring proper data tagging and access management. The Air Force is also working on an enterprise identity, credentialing and access management (ICAM) certification to be able to more securely recognize users.

“We have these little pockets of zero trust, but we are also doing some basics right now,” Knausenberger said.

The maturity model will serve as part of the Air Force’s “road map” to zero trust. It’s unclear how long the journey will take, but tech leaders in the department have been talking about zero trust for months, especially during the pandemic.

“We have a road map there,” Knausenberger said, adding “that we have to do a better job of funding the road map.”

Knausenberger also made some news about Platform One, which is building a secure environment for companies to use once they have received Small Business Innovative Research contracts to work with the Air Force. This will allow contractors to work on more sensitive projects without having to invest in their own government-approved, secure systems.

OMB restores data-driven goal setting requirements that Trump nixed

The Office of Management and Budget restored data-driven goal setting requirements for agencies, with an increased emphasis on addressing health and economic challenges caused by the COVID-19 pandemic.

An OMB memo issued Wednesday reinstated the government’s performance improvement and service delivery framework, which expects senior leaders at agencies to set ambitious goals, hold regular progress reviews and publicly report the results. The memo also brings back customer experience tools.

The Trump administration eliminated the accountability measures in December, citing a lack of public interest in the thousands of pages of performance data posted to Performance.gov annually. But many officials saw the move as an attempt to railroad the initial success of the incoming Biden administration.

“Agencies were clear, and unanimous, in their desire to have the earlier framework reinstated,” wrote Pam Coleman, associate director of performance and personnel management at OMB, in a blog on the changes. “Government performance priorities across multiple administrations have shown significant improvements when the related agency priority goals have received sustained leadership attention with clear definitions of success, collaboration across organizational boundaries and support from the Congress.”

The departments of Veterans Affairs and Housing and Urban Development set a joint agency priority goal to decrease veteran homelessness and did so by 47% between 2010 and 2016. Similarly, the Treasury Department reduced paper transactions for benefits by about 90% in 10 years, and the Department of the Interior increased water conservation and reclamation by 10% out west in two years of setting agency priority goals.

Public interest aside, Government Performance and Results Modernization Act management practices increase data-driven decision making within agencies, Coleman wrote.

Performance.gov will once again be updated quarterly with progress reports, regardless of agencies falling short of objectives.

“The removal of Part 6 from Circular No. A-11 in December 2020 threatened to disrupt strategic and performance planning across federal departments and agencies,” reads the memo. “These activities are critical to clearly defining the outcomes the Federal Government aims to achieve, using feedback from our customers to improve service delivery, and being transparent about agency results.”

Pandemic Analytics Center of Excellence will help IGs investigate fraud

The committee of federal watchdogs tasked by Congress to oversee emergency pandemic spending is developing a center of excellence that uses data analytics to combat COVID-19 relief fraud.

The Pandemic Analytics Center of Excellence, created by the Pandemic Response Accountability Committee (PRAC), will provide the federal inspectors general (IG) community with fraud-fighting tools allowing them to share data analytics and practices to assist with their audit and investigative work.

So far IGs have only managed to return or seize $2.5 billion of the $84 billion in potential fraud committed between the Small Business Administration’s Paycheck Protection Program (PPP) and Economic Injury Disaster Loan (EIDL) program, according to a memo released by the House Select Subcommittee on the Coronavirus Crisis on Thursday.

“In order to fulfill the PRAC’s mission we need better technological tools for IGs and our oversight partners, including the use of advanced data analytics,” said PRAC Chair Michael Horowitz, IG of the Department of Justice, during a subcommittee hearing the same day.

The Coronavirus Aid, Relief, and Economic Security (CARES) Act created PRAC, which is comprised of 22 IGs from across government who are charged with seeing to it that federal funds, like those in the CARES Act and the American Rescue Plan Act, are spent properly. The committee is working with the Office of Management and Budget and other agencies to address fraud data gaps.

Despite the $84 billion potentially lost to fraud, Republicans on the House subcommittee touted the fact SBA used the PPP and EIDL programs to quickly give $910 billion in COVID-19 relief to small businesses.

“[T]his subcommittee is focused on attempting to tear down a bipartisan program that kept the economy afloat during the early and toughest days of the pandemic,” said Rep. Jim Jordan, R-Ohio, the ranking member. “We all agree fraud is bad. But we should all agree that a 99% success record is unprecedented, and we have President Trump to thank for that.”

But $84 billion in fraud would be more than 9% of the money SBA distributed, and the agency’s IG found the Trump administration ignored fraud flags, awarded loans with little to no vetting and abandoned a rule that two employees approve applications in the case of EIDL. Proper controls were added to SBA’s electronic loan application system, E-Tran, too late in the case of PPP.

Then-Treasury Secretary Steve Mnuchin cited the need for speedy loan delivery as the reason for the inevitable problems that arose at the time.

“Let me be clear: That is a false choice,” said Rep. Jim Clyburn, D-S.C., chair of the subcommittee. “Americans should not have to and did not have to choose between quickly getting aid during a crisis and preventing the theft or waste of billions of tax dollars.”

SBA has yet to conduct a formal fraud risk assessment for PPP or EIDL.

COVID-19 relief fraud investigations will continue for a decade because that’s how long the loans will be in SBA’s portfolio, said Mike Ware, IG at SBA.

“As we continue to address our processing backlog, we will employ data analytics to further triage and guide these efforts,” Ware said. “Data analytics have made a difference in our office’s ability to keep our stakeholders currently and fully informed in a timely manner.”

The SBA Office of Inspector General overlaid its data with the Treasury Department’s Do Not Pay list and found “quite a bit of money” went to people who should never have been paid, Ware said. Analytics also helped catch duplicate PPP payments.

A problem with lists is that the fraudsters on them quickly learn to steal other people’s identities in order to continue their work. And identity theft was prevalent in EIDL fraud cases and reared its head with PPP loans as well, Ware said.

Some in the tech industry have advocated for automated screening as a fraud deterrent, in lieu of lengthy, inefficient investigations after the fact.

But the first three supplemental appropriations SBA OIG received to improve COVID-19 relief oversight were put toward recruiting auditors, analysts and criminal investigators; EIDL fraud investigative staff and data analytics; and increasing investigative capacity, Ware said.

A total of $142 million was allocated to the oversight community in the American Rescue Plan Act passed earlier this month.

“The Biden administration and Congress have also worked together to ensure that critical oversight bodies like the PRAC, [Government Accountability Office] and IG community have the resources and tools they need to do their jobs,” Clyburn said.

SOCOM wants to prioritize stronger communications encryption

U.S. Special Operations Command, the elite group that undertakes some of the military’s most sensitive and high-stakes operations, is prioritizing finding technology to improve the encryption of its communications, its commander said Thursday.

“I personally changed our modernization priorities and restructured our funding to modernize those capabilities,” SOCOM Commander Gen. Richard Clarke told the Senate Armed Services Committee during a hearing about the need for stronger encryption as quantum computing emerges as a threat to traditional security measures.

For the past two decades, SOCOM has mostly focused on fighting non-state actors with limited tech. But as the entire military pivots to great power competition, it’s expected that strategic competitors like China and Russia will bring more-advanced cybersecurity and technology means to any fight.

During Thursday’s Senate hearing Clarke did not mention any particular new electronic warfare or encryption tools, just saying they broadly would be used to hide his operators’ movements from enemies.

“We also have to have encrypted communications and electronic warfare capabilities so that our forces…reduce the probability of them to be targeted,” he told lawmakers.

As quantum computers become more readily available, the concern is that they will be able to guess passwords and break through the layers of security in current communications technology. Other military agencies like the Defense Information Systems Agency also announced research into quantum-proof encryption.

Other new priorities for the command are “data and data management,” Clarke added. SOCOM has been a leader in testing new artificial intelligence capabilities, like predictive maintenance for its helicopters. The command has touted itself as being a sort of beta tester or “pathfinder” for AI tech the DOD can possibly use at scale.

 

Tackling two challenges every agency faces getting to the cloud

Dave Levy leads the U.S. government, nonprofit and healthcare businesses at Amazon Web Services (AWS). Prior to joining AWS in 2017, he led Apple’s U.S. government business. He also serves as Chair of the Space and Procurement council for the U.S. Chamber of Commerce, on the boards for the Professional Services Council and Fairview Medical, and on the Innovation and Research Board for Children’s National Medical Center in Washington, D.C.

Dave Levy, Vice President, U.S. Government, Nonprofit and Healthcare Businesses, AWS

Part of successful leadership starts with listening. Just prior to the pandemic, I set out on a 100-day listening tour to hear directly from federal agencies about their aspirations, their challenges and what would make a difference in accomplishing their missions. Two themes repeatedly emerged.

First was the challenge of keeping up with so many transformational technologies, such as machine learning, flexible databases and computing at the edge. Second was the ongoing imperative to train and empower federal workforces — and get them and their agency partners foundationally grounded in cloud and emerging technologies.

The world of cloud computing has grown explosively in the 15 years since Amazon launched its Simple Storage Service and Elastic Compute Cloud. It’s not just the massive amount of cloud infrastructure that’s been built; it’s also the accumulated development of high-performing, rapidly-deployable services now available to enterprises.

However, many organizations, including most federal agencies, lack the know-how, skill and experience to take fuller and faster advantage of the cloud’s evolving capabilities.

To help our customers stay ahead of the technology learning curve, Amazon Web Services (AWS) is committed to putting our unrivaled experience, expertise and innovation to work to help agencies and their partners better understand the art of the possible with cloud computing. We’re also committed to helping our customers train and expand a new generation of employees who can use those skills to innovate faster and improve the delivery of their missions.

The power of experience

On the first front, it is our hard-earned belief that there is no compression algorithm for experience in cloud computing. AWS was born not only out of the wellspring of clever engineering, but from the more fundamental desire to develop services that make sense for our customers — either by building for them, inventing with them, or inventing on their behalf.

This proven experience is why government agencies trust AWS to handle their most sensitive workloads. We offer federal government customers two AWS GovCloud (US) Regions, designed to allow U.S. government agencies and contractors to move sensitive workloads to the cloud by addressing their specific regulatory and compliance requirements. Many regulated industries, including the defense industrial base, have also put their confidence in AWS GovCloud (US). AWS GovCloud (US) helps federal and state government agencies manage and analyze vast amounts of data securely — from sensitive patient medical information to export trade data to “controlled unclassified information” (a.k.a. Impact Level 5) data at the Department of Defense.

AWS continues to lead the way in developing, or co-developing, new and innovative cloud-based products and services — much of which can be seen in action at our AWS re:Invent and government sector events. Our team is driving advances in everything from the latest in Kubernetes containers; to high-performance flexible databases; to our pioneering work in AI — from the machine learning layer to cognitive applications like Alexa. We’re also bringing greater compute and storage capabilities to the edge, with devices like AWS Snowball, which promises to revolutionize the types of IT services available to our nation’s warfighters and the global government workforce.

Just as important as having the broadest and deepest assortment of on-demand IT and data management services is AWS’s wealth of experience. Our experts continue to bring that experience to federal agencies, to help them experiment, iterate and innovate with cloud solutions and do so quickly and effectively.

The need for training

We’re also committed to expanding the availability of cloud technology training. We want to make sure the barriers are as low as possible for our customers and our partners to access the cloud services they need. That’s why, at re:Invent 2020, we announced that by 2025 AWS will help 29 million people globally grow their technical skills with free cloud computing skills training.

Our commitment to training drove us to develop a large organization dedicated to providing training and certification tailored for the U.S. government. We’re continuing to expand a cafeteria-style curriculum to meet a variety of skill levels and learning goals that support agencies and their workforces.

As cloud computing becomes more ubiquitous, it’s easy to lose sight of the fact that the potential of the cloud is not in the technology or apps themselves; it’s in how the cloud is harnessed and utilized to help organizations fulfill their missions more effectively. AWS stands ready to help federal agencies and their partners by leveraging our unrivaled experience to support workforce development and mission delivery.

Learn how AWS can help your agency capitalize on today’s cloud or contact us at AWS Public Sector.

Read more insights from AWS leaders on how agencies are using the power of the cloud to innovate.

Tech industry requests TMF process updates to fast-track COVID-19 and SolarWinds recovery projects

Tech companies called on the government to revise its process for doling out the Technology Modernization Fund, now that it’s received $1 billion for urgent IT and cybersecurity projects, in a letter Wednesday.

The Alliance for Digital Innovation and nine other tech associations sent the letter to the Office of Management and Budget and the General Services Administration asking that TMF projects be proactively funded and repayment requirements for agencies loosened.

Tens of millions of dollars remained unspent in the TMF when lawmakers appropriated a record $1 billion in the American Rescue Plan Act earlier this month, which has agencies and industry worried the money won’t be spent quickly on critical COVID-19 and SolarWinds recovery projects.

“You can’t have OMB and GSA just sit around and wait for agencies’ projects,” Matthew Cornelius, executive director of ADI, told FedScoop. “You have to be proactive about identifying areas you want to invest in, and then find the best way to do that.”

Tech companies had no trouble identifying five TMF investment opportunities in their letter: federal operations, citizen services, remote work, cybersecurity shared services, and secure cloud adoption.

The pandemic has highlighted government’s struggles with identity management, while the SolarWinds hack that left at least nine agencies compromised emphasized a greater need for vulnerability management and secure remote work capabilities, Cornelius said. Collaboration tools, secure data sharing and data analytics platforms are also in high demand.

GSA should immediately tap its army of tech and acquisition professionals inside the Technology Transformation Services’ Centers of Excellence and 18F to begin flagging government’s biggest enterprise and shared services challenges because more TMF money requires more manpower, Cornelius said. Project flow, execution and oversight must scale.

U.S. Digital Service staff could also be brought in to handle digital services delivery and Cybersecurity and Infrastructure Security Agency employees to find cyber opportunities, all of whom will improve the vetting of projects and can even assist agencies with implementation, Cornelius said.

“It’s not a knock on the folks that are running the Program Management Office now,” he said. “But that was an office that was designed to handle a million dollars for a few projects, not a billion dollars and scores of projects.”

Tech companies expect to be part of the process, requesting quarterly meetings in the letter with the TMF Board and representatives from interagency councils for information and status updates.

Unfortunately TMF’s current five-year repayment window is “unduly burdensome” for many agencies with “inherently riskier projects,” especially when the projects funded through Congress’ normal appropriations process aren’t subject to the same requirements, Cornelius said.

“The [OMB] director clearly has the authority to suspend, waive or alter the repayment requirements to make the fund more like a grant, rather than a loan,” he said.

Doing so will incentivize more agencies to seek TMF funds for multi-agency projects and commercial shared services that need stable funding over multiple years and take as long to retire legacy systems and yield savings, according to the letter.

The letter also asks that GSA consider waiving service fees the TMF PMO charges for processing funding awards.

DARPA’s AI fighter pilot gets more capabilities in latest tests

The artificial intelligence system the Defense Advanced Research Projects Agency (DARPA) is building to pilot fighter jets has added several new capabilities in recent tests.

The Air Combat Evolution (ACE) program made headlines in August when the AI system successfully defeated a human pilot in virtual dogfights 5-0. And now, in the system’s latest tests in February, DARPA added new weapons systems and multiple aircraft to the virtual battles, DARPA said in a March news release.

The trials put ACE on track for live, in-flight tests later in 2021.

“Adding more weapon options and multiple aircraft introduces a lot of the dynamics that we were unable to push and explore in the AlphaDogfight Trials,” Col. Dan “Animal” Javorsek, program manager at DARPA, said about the initial trials in August. “These new engagements represent an important step in building trust in the algorithms since they allow us to assess how the AI agents handle clear avenue of fire restrictions set up to prevent fratricide. This is exceedingly important when operating with offensive weapons in a dynamic and confusing environment that includes a manned fighter and also affords the opportunity to increase the complexity and teaming associated with maneuvering two aircraft in relation to an adversary.”

One of the biggest increases in complexity during the testing came from adding a second aircraft for the AI system to try to maneuver against. Whereas the initial tests were one-on-one dogfights, the latest rounds had two virtual F-16s matched against the AI system.

In that initial run, different companies designed different systems using machine learning to virtualize millions of dogfights for the AI to learn from. Heron Systems, a small defense contractor, came out victorious.

Some criticized the initial tests as “AI theater,” meaning they bore little technological fruit but made for an interesting show. Dogfights are relatively simple tasks on the scale of what fighter pilots have to do in combat, and the AI system was only tested in a virtual environment.

“I appreciate that the DOD wants to show the world that it is on the cutting edge of AI deployment, but this simply is not it,” Missy Cummings, director of the Humans and Autonomy Laboratory at Duke University and former Navy pilot, told FedScoop in August following the initial tests.

But the latest tests add new capabilities DARPA says will contribute to future systems. The agency also used the tests to ensure human trust in machines, an important topic the DOD is lacking in, according to a recent study.

“This enables us to see how much the pilot is checking on the autonomy by looking outside the window, and comparing that to how much time they spend on their battle management task,” Javorsek said.

DHS migrating to ‘cloud-first’ identities en route to zero trust

Migrating from legacy identity solutions to “cloud-first” identities is the next step in the Department of Homeland Security’s implementation of zero-trust security, according to the CISO of one of its component agencies.

Zero-trust security requires a network’s users to provide credentials before granting them access, after which they’re typically subject to continuous validation. That remains a challenge for DHS’s external partners, Alma Cole, CISO of Customs and Border Protection, said during an ATARC event Tuesday.

Migrating identities to the cloud will make it easier and more secure to link them with those at other agencies or companies DHS contracts with, as well as add device identities.

“We’ve all had to deal with usernames and passwords and things for all these disconnected services at agencies,” Cole said. “So having that cloud-based identity that can actually federate with other entities in a really seamless way is key.”

Once that’s out of the way, DHS can begin using policy enforcement mechanisms to control what those identities have access to on the network.

DHS will use a network access control plane and comply-to-connect (C2C) framework — as well as a software-defined network (SDN) that verifies the posture of devices, user and user authorizations and entitlements — when granting on-premise users access to portions of the network.

As for external users like remote workers, DHS plans to replace its virtual private network with secure access service edge (SASE) cloud services.

“That is probably the first real, meaningful way to start implementing some hard, zero-trust access control policies and really lock down your agency,” Cole said.

By connecting offsite users to the network via a cloud-based tunnel, DHS need only expose the applications they’re authorized to use instead of the entire network, he added.

That’s especially useful if an advanced persistent threat (APT) nation state or state-sponsored group attempts to access the network because hacking one host, desktop or laptop will no longer allow them to see everything in the environment, Cole said.

DHS’s CISO would like to see more zero-trust guidance at the federal level.

While the NSA released a basic roadmap about a month ago, agencies haven’t even begun to scratch the surface of the data provided by programs like the Continuous Diagnostics and Mitigation program, Cole said.

That will require greater zero trust maturity, which comes with implementing more security capabilities and ultimately artificial intelligence.

“It’s so all-encompassing,” Cole said. “And it’s so overwhelming.”

Pentagon’s Joint Common Foundation AI platform is up and running

The Department of Defense launched a new coding platform aimed at helping users across the military build their own artificial intelligence models.

The Joint Artificial Intelligence Center’s Joint Common Foundation (JCF) has reached “initial operating capability” and already has some users in the services, center Director Lt. Gen. Michael Groen said Tuesday, although he did not specify what type of projects or who is involved.

The JCF is meant to be a one-stop-shop for anyone from dabbling data amateurs looking to fill out a slide-deck to full-on machine-learning developers hungry for clean data and an environment to write code. It will play a central role for the developing JAIC, especially as it turns to being an “enabling force” across the DOD rather than working on specific AI projects.

“The JCF is live, we have the tools, we are starting to develop, we are starting to host data, we are starting to host algorithms,” Groen said during the National Defense Industry Association’s inaugural National Security AI Conference and Exhibition. “We hope to grow that into full operating capability.”

The plan is to add a “block upgrade” every month to the platform to expand its data hosting, coding and other capabilities.

“Every month we want to add more services,” Groen said.

Other DevSecOps platforms, somewhat similar to the JCF, exist across the military services, including the Air Force’s Platform One. But Groen said the JAIC’s market for the JCF is made up of those who do not already have access to such a service-designed platform.

User feedback will play a major role in the early development of the platform. The JAIC is using user surveys to solicit feedback from initial users and those who would be using the JCF, to hear what they will want. Working more closely with the individual services and the many AI offices across the department is a new focus of the JAIC. While initially the center was stood up as an AI fielding office to deliver products in key mission areas, now in its second iteration as the “JAIC 2.0,” it is focused on enabling others to build their own tools.

“We think that is a key tool to broad enablement across the department in the transformation of AI,” Groen said.

The hope is to eventually stitch together a common “data fabric” for enhanced interoperability and usage across the department, Groen added.

The JAIC inked a $106 million deal in August with Deloitte to help build the JCF platform.

Treasury awards its final EIS task order

The Treasury Department awarded the last of its six planned Enterprise Infrastructure Solutions task orders to AT&T, the telecommunications company announced Tuesday.

The 12-year, $231 million task order covers modernization of the Treasury’s voice and data networks and cybersecurity as the department looks to enable its increasingly mobile workforce of more than 100,000 employees across about 700 locations.

Lawmakers initially expressed concern Treasury wasn’t keeping pace with the $50 billion EIS contract’s final deadline of Sept. 31, 2022, for transitioning off its predecessor Networx, but the department’s transition is now more than three-quarters complete.

“Hats off to the technology leadership and team at Treasury for making a deliberate and comprehensive commitment to network modernization,” said Chris Smith, a vice president with AT&T Public Sector. “We look forward to working with Treasury to help transform its communications capabilities and help ensure it is future-ready for further innovation.”

Work is already underway with Treasury poised to obtain EIS technology and cost savings quickly, according to AT&T’s announcement.

AT&T’s last big EIS task order award was a 10-year, $311 million contract with the National Oceanic and Atmospheric Administration in November to prepare for 5G and edge computing by consolidating the agency’s networks into one Internet Protocol-based network.