U.S. Navy inks $2.5B contract with Dell for enterprise software licenses

The Department of Defense has awarded Dell a $2.5B blanket purchasing agreement to provide the U.S. Navy with enterprise software licenses.

Under terms of the five-year deal, the technology company will provide user-based subscription licenses for products including Microsoft 365 and Microsoft Azure.

The contract award comes as the DOD transitions to DOD365, a higher-security version of Office 365 that was purchased through the $4.4 billion Defense Enterprise Office Solutions (DEOS) contract.

The enterprise software licenses will be used by the Department of Defense and U.S. Coast Guard, and the ordering period began on June 1.

Funds will be paid through delivery orders using operations and maintenance DOD funds, although the agreement will not obligate the immediate payment of funds. Two proposals were received for the contract award.

Purchasing software has been a perennial challenge for DOD, as its contracting methods were designed for the procurement of major weapons systems rather than code-based systems that require continual updates.

DISA identity management service to reach entire DOD by next year

The Defense Information Systems Agency’s new identity, credentialing and access management (ICAM) tool will be available to the entire department “within the next year,” an official said Thursday.

The enterprisewide “global directory,” as it’s called, will give the Department of Defense a centralized directory for identifying users by fiscal 2022, according to DISA. Such an ICAM solution is a central element of the DOD’s top-priority adoption of a zero-trust architecture.

The capability will also allow DOD to use new multi-factor identification tools like biometric sign-in and other new approaches.

“We are definitely going beyond two-factor authentication,” Lt. Col. Pete Godbey, a user engagement officer at DISA’s Cloud Computing Program Office, said during Okta’s Age of Identity Summit produced by CyberScoop. He added, “that’s really what our centralized authentication platform can do.”

DISA has been experimenting with a range of access management tools, like using artificial intelligence-based biometric data that measure everything from a user’s stride to the way they tap their phone to validate their identity.

Godbey said the global directory already has more than 100,000 users and is on the “glide path” to being fully rolled out across the department by the end of fiscal 2022.

“As we start finding where these new technical capabilities can be implemented, instead of trying to implement across dozens or more of the systems out there, really what we can do is implement it on a smaller scale and then provide a massive DOD-wide impact in near-immediate term,” Godbey said, adding that a centralized ICAM tool implementing new ways to check identities is easier than having to update a range of ICAM applications.

While DISA didn’t confirm a specific date for completion, other leaders in the DOD have highlighted the technology’s importance.

“That will be the exemplar that we adopt across the board, throughout the department,” Dave McKeown, DOD’s chief information security officer, told Congress about the tool.

Ransomware Task Force co-chair says a ban on ransom payments would need to be phased

Any federal ban on the payment of ransom demands by hackers in cyberspace would likely need to be phased, according to a co-chair of the Ransomware Task Force.

In an interview with FedScoop, Chris Painter said that any such move would be introduced incrementally, and would be accompanied by new measures to support entities hit with online attacks, such as a victims’ recovery fund.

While federal agencies don’t pay hacker ransoms, legislation would be needed to create a fund so ransomware victims could avoid paying or to elevate cybersecurity resiliency over a period of several years, he added.

“You can phase [a ban] in over time. You can come up with various backstops to help fund or protect them to get them up to a particular level of standards over a period of a couple of years,” Painter told FedScoop.

“Obviously some of the things we suggested require legislation like having a pool of funds and helping victims so they don’t have to pay the ransom or do better in terms of resiliency for these victims,” said Painter, a former federal cybersecurity official. “There’s a lot we can do to disrupt the business model of these ransomware groups and do more to protect victims.”

Painter is the co-chair of the White House-backed Ransomware Task Force (RTF), which was set up in December to foster public-private collaboration in response to the epidemic of ransomware attacks.

He was previously the U.S. government’s most senior cyber diplomat and was a senior member of the team that carried out President Obama’s Cyberspace Policy Review in 2009. He has also held senior roles at the Department of Justice, FBI, the National Security Council and the State Department.

The question of whether companies that fall victim to cyberattacks should pay digital ransom demands has proved central to discussions of how the federal government and the private sector should respond to ransomware attacks.

According to the RTF’s “Combating Ransomware” report, which was published at the end of April, public and private sector representatives were unable to reach an agreement over whether to implement a unilateral ban on such payments. In the report, RTF recommended that government establish cyber response and recovery funds to support ransomware response and other cybersecurity activities.

Advocates of banning the payments say they fuel a market for cyber criminality by guaranteeing hackers that their demands will be met. Opponents say that the cost of paying ransom demands is often a fraction of the damage caused to companies and their shareholders by refusing to pay.

The Department of Justice elevated ransomware investigations to a similar priority as terrorism for that reason and ordered information sharing with RTF, Reuters reported Thursday.

Speaking to FedScoop, Painter said that without a ban, victims who pay risk violating federal law if the ransom winds up going to a group on the Treasury Department’s prohibited enemies list, which currently is hard to determine.

“To enable more companies to bear the financial cost of remediation, national governments should create ‘Cyber Response and Recovery Funds’ (CRRFs),” the report said.

It proposed the creation of a CRRF to help cover the cost of restoring IT functionality for local governments, critical national functions, or other entities as they recover from a ransomware attack.

The late April report recommends the creation of a cyber backstop scheme that could function like the Terrorism Risk Insurance Program (TRIPA), which was created after 9/11 and creates a federal requirement for the government to act as reinsurer of last resort.

TRIPA permits the private sector to provide terrorism insurance by guaranteeing that the government would pay a portion of claims in the event of a major terror attack.

Painter added that the Biden administration’s cybersecurity executive order and its recent budget proposal to allot $9.8 billion to cybersecurity were a “good start” in moving forward the country’s response to the ransomware epidemic.

The cyber expert noted also that the recent ransomware attacks on Colonial Pipeline and food processing giant JBS differed from traditional espionage, because of the direct impact they had on the day-to-day lives of U.S. citizens.

“It does make a difference when people can’t get gas or can’t get a hamburger; it brings it home for people,” he said.

Secretary of Defense Austin approves JADC2 strategy

U.S. Secretary of Defense Lloyd Austin has signed off on one of the biggest changes to how the military will fight future wars, approving the Joint All Domain Command and Control (JADC2) strategy that aims to fast-track the use of artificial intelligence and data sharing on the battlefield.

The strategy defines how the military services will approach connecting sensors in the air, land, sea, space and cyberspace and use a networked approach to operations. Secretary Lloyd Austin signing the JADC2 strategy marks the beginning of implementing much of the nascent work the military has started, from testing new technologies to developing new concepts of operations to use them.

“We have been given the clear signal to begin,” Lt. Gen. Dennis Crall, chief information officer for the Joint Staff and director of the J-6, which oversees all of the military’s command and control networks, said. “It’s outcome delivery time.”

JADC2 is intended to give the U.S. a greater military advantage by allowing for data sharing through a global, resilient network. Advocates of the new concept say that if a fighter jet can automatically share data with a soldier on the ground, the two units can coordinate more easily.

Within the JADC2 framework, each military service has its own project. The Army has Project Convergence and the Air Force has the Advanced Battle Management System (ABMS). Both are focused on implementing the JADC2 framework, but each with its own focus, such as increasing the precision of ground munitions for Project Convergence and in-flight data sharing for ABMS. The Navy also has Project Overmatch, focused on building seafaring networks.

One of the critical points of the new strategy is coordinating the disparate efforts across the military into one interoperable framework of technology and operations. The strategy relies on a cross functional team (CTF) with members from across the department who can coordinate between services that often do not like working with each other.

“The CTF, that is the widest table setting you can imagine to get after these problems,” Crall told reporters Friday. He added, “we have had pieces of this in the past, we have never had this comprehensively put together.”

Crall added that the DOD needs an enterprise cloud solution for work on JADC2 to continue past experimentation, whether that is the Joint Enterprise Defense Infrastructure (JEDI) or some other contract. JEDI continues to be stuck in legal limbo, with continued protests from Amazon Web Services over the two-time award to Microsoft Azure.

“Where I am at today…I am able to take advantage of that multi-cloud provision,” he said, referring to the DOD’s current cloud offerings. “I think the real question is…how long can you do that?”

Security for any joined-up data sharing system remains a principal concern, and Crall highlighted the need for the DOD to improve identity, credentialing and access management (ICAM) on JADC2 networks.

“If we don’t have a real ICAM solution it will be impossible,” he said.

Homeland Security CDM dashboard lacks key data, IG report finds

The Department of Homeland Security can’t prioritize or respond to cybersecurity risks in real time because its internal Continuous Diagnostics and Mitigation (CDM) dashboard lacks some of the necessary data, according to its Office of Inspector General (OIG).

DHS’ OIG found the dashboard reported less than half of the required data on network assets because collection hadn’t been automated and integrated for every agency in the department as of March 2020, in a report released Tuesday.

While the report is DHS-specific, its Cybersecurity and Infrastructure Security Agency, which manages the entire CDM program, came under fire from lawmakers in March when agencies governmentwide struggled to assess the effects of recent, high-profile supply chain attacks like the SolarWinds hack.

“According to DHS, its current dashboard could not yet handle the required volume of data or report all data to the federal dashboard as required,” read the report published on Tuesday.

“Until the DHS dashboard is fully functional, DHS cannot leverage the intended benefits of the dashboard to manage and respond to cybersecurity threats.”

According to the report, the DHS Office of the Chief Information Security Officer’s dashboard only reported 40% of hardware assets, 24% of software assets, 18% of configuration settings and 16% of vulnerability management data.

It found also that the CDM dashboard was developed with software that couldn’t handle the data volume, and a new dashboard on a more robust platform was not expected until early 2021 at the earliest.

The study found also that out of $180 million spent on CDM, at least $38 million was wasted because certain essential system tools were removed and not replaced.

DHS OIG also found three critical and eight high-risk vulnerabilities across the department’s operating systems and databases, with 10 of the 11 occurring on multiple systems.

Lastly, DHS OIG found agencies were not on track to implement the required configuration settings for their CDM servers, leaving them vulnerable to disruptions and cyberattacks.

DHS OIG recommended OCISO update the department’s CDM program plan with appropriate deadlines for its dashboard transition, agencies’ tool replacements and data integration; address system and database vulnerabilities; and define patch management responsibilities.

The department has agreed with the recommendations, noting that patch management responsibilities were defined on July 6, 2016.

“While DHS acknowledges the initial challenges in fully implementing its [CDM] program, the statement that the department ‘has not yet strengthened its cybersecurity posture,’ is inaccurate,” wrote the department’s GAO-OIG Liaison Office in its response.

“In addition, DHS disagrees with the assertion that $38 million was wasted during the initial effort to design and deploy a department-wide solution.”

The Government Accountability Office found that no agency governmentwide had implemented all the key requirements of the CDM program, in a report released in August.

During a March Senate hearing, CISA’s Acting Director Brandon Wales said almost all parts of every agency had achieved a common CDM baseline as the program closes out Phases 1 and 2 of the program this year.

Just over a month later, CDM Program Manager Kevin Cox announced plans to depart and return to the Department of Justice as its deputy chief information officer.

Federal health IT provider Halfaker and Associates to be acquired for $250M

Government technology contractor SAIC will pay $250 million to acquire federal health IT provider Halfaker and Associates.

Halfaker provides healthcare IT services to government departments including the Department of Defense and the Department of Veterans Affairs. It is among the five largest IT providers by awarded task orders on the VA’s Transformation Twenty-One Total Technology Next Generation acquisition program.

Halfaker President and CEO Dawn Halfaker said: “The alignment of SAIC’s culture and values with this important mission has been critical in making the decision to join forces and successfully bolster the services we provide our customers with even greater digital transformation capacity and scalability.”

The transaction is expected to close by July 30 this year, subject to closing conditions. Halfaker is headquartered in Arlington, Virginia.

Last month the National Institutes of Health issued a request for proposals for its long-awaited governmentwide acquisition vehicle that will give up to $50 to federal contractors over a 10-year period.

The CIO-SP4 vehicle has 10 task areas including IT services, CIO support, cybersecurity, digital government and cloud services and software development.

Pentagon to establish new security standards for 5G technology

The Department of Defense (DOD) is working to create its own set of security standards for 5G, according to the department’s principal director for the technology.

Speaking at a 5G security summit hosted by Billington Cybersecurity, Joe Evans said the DOD must understand all hardware and software used — including cell towers and receptors — and that it would have its own set of security standards for procuring 5G networks.

“We are really working across the 5G initiative to understand and develop [the] necessary security standards within DOD,” Evans said.

Evans is the Principal Director for 5G in the office of the director of defense research and engineering (modernization). This division sits within the office of the Under Secretary of Defense for Research and Engineering at the DOD.

The new standards will dictate what requirements private companies must meet in order to collaborate with the DOD on installing the technology.

Security standards will play a major role in ongoing collaboration between industry and government, as much of the DOD’s strategy on 5G has so far revolved around opening military bases to private companies to conduct research and development.

The implementation of uniform security standards remains in an early stage, with even a common definition of 5G technology yet to be established.

In particular, Evans’ office and the chief information officer of the DOD are focused on ensuring that 5G technology does not compromise supply chain security.

The DOD has several test sites for the new technology around the U.S., from San Diego to Georgia. Private companies are able to test 5G tech in a secure but less-regulated environment such as supply warehouses.

As new security standards for 5G are established and introduced, some existing technologies will become insufficient or incompatible.

“Not all the old standards will fit the new models,” added Evans, speaking at the event.

Security experts in recent years have raised concerns about the potential for China to use its large market share of the 5G hardware market in order to conduct acts of espionage. So far, the U.S., the U.K. and Australia have banned the use of Huawei on 5G networks. Other European countries are considering similar restrictions.

AI-supported ‘superteams’ key to future of federal workforce: Deloitte

New artificial intelligence-supported “Superteams” will play a central role in the future structure of staffing at federal agencies, according to a new report by Deloitte.

In a study published Thursday, the consultancy firm said challenges presented by the Covid-19 pandemic during the last year had fast-tracked the use of digital technology to streamline workflows and reduce the volume of mundane tasks that staff must undertake.

“During the COVID-19 pandemic, many public sector organizations accelerated incorporating technology into their team structure as a survival strategy to enable adaptability and speed.

“Superteams ensure that the right workforce type (human or technology) gets properly allocated to critical tasks: by using digital technology to unburden the human workforce of dirty, dangerous, and dull tasks, leaders enable the workforce to focus on meaningful, high-impact work that requires human insight to solve problems, think strategically, and build interpersonal relationships,” Deloitte said in the study.

The study comes as government agencies continue to experiment with the use of AI to automate business processes, including at the Pentagon. The Defense Innovation Unit and private sector contractors have worked with the U.S. Army to develop automated systems for flagging erroneous financial transactions.

DataRobot and Summit2Sea are among the private sector contractors that have developed machine learning systems for the DOD.

According to Deloitte, superteams are defined by giving technology the status of a full-on teammate. The consultancy says that although technology systems must still be led by humans, they are growing rapidly in their ability to be applied to complex problems.

GSA making ‘significant’ investments to automate FedRAMP processes

The General Services Administration’s Technology Transformation Services arm is making “significant” investments in automating security authorization processes for cloud service providers, Director Dave Zvenyach said on Wednesday.

Zvenyach said these new investments under the Federal Risk and Authorization Management Program (FedRAMP) will focus on automation, process improvements and additional resources to help plug gaps, as well as make agencies more aware of existing authorities to operate (ATOs).

FedRAMP approves secure cloud technologies for agencies’ reuse via ATOs. Onboarding new cloud service providers, however, carries significant costs, not only that of the initial authorization but also annual reassessments, significant change requests and continuous monitoring.

CSPs and CIOs regularly urge the FedRAMP Program Management Office to automate what processes they can to streamline onboarding, but investment hasn’t kept up with demand.

“As we add cloud service providers to FedRAMP, it ends up having a nonlinear cost,” Zvenyach said, during an ACT-IAC event.

TTS investments in automation, process improvements and additional resources will help plug gaps, as well as make agencies more aware of existing ATOs, he added.

The thousands of ATOs agencies already reuse save taxpayer dollars, improve security and lower vendors’ overhead costs.

TTS is collaborating with the FedRAMP PMO and Joint Authorization Board on process work, as well as the Federal CIO, CIO Council and Office of Management and Budget to ensure FedRAMP’s reciprocity with the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program. The Department of Defense’s CIO office is already represented on the JAB, which makes things easier, Zvenyach said.

“This isn’t just a [General Services Administration] thing,” he said. “We really do need to have partnership.”

Tasked with improving the public’s digital experience with government, TTS is still responding to the pandemic, economic recovery, racial inequity and climate change in its work. Major investments are also being made to improve the security and usability of Login.gov, the government’s identity and authentication platform, Zvenyach said.

But now agencies including GSA also need to finalize return-to-office plans by July 19, as required by the Safer Federal Workforce Task Force.

Under Zvenyach’s leadership, TTS has adopted a “distributed-by-default” mindset.

“My experience is distributed by default is a better pattern than the hybrid approach,” Zvenyach said. “I think people should be distributed, or they should be in person. And we should try and think about how you use the best of each, rather than trying to blend them together.”

People working in person shouldn’t receive more benefits than those who opt not to, which, in turn, allows TTS to focus on outcome delivery and measuring success, he added.

To that end, TTS has invested in collaboration tools, restructured how it conducts meetings and rethought results measurement to enable employees to live across the country in a more equitable, accessible work environment.

One downside to a more distributed workforce is feedback is harder to come by, so Zvenyach set up an anonymous, digital feedback form.

“I really do read all of the comments that come in,” he said.

Former GSA procurement leader Nakasone to join VMware

Former General Services Administration procurement leader Keith Nakasone is set to join cloud computing firm VMware as a federal strategist.

He joins the company in mid-June after leaving the GSA at the end of May, and in the new role will report to VMware’s government strategy and innovation leader Peter Romano.

Nakasone worked at GSA as deputy assistant commissioner of acquisition management within the Office of Information Technology Category. Before this, he held senior procurement roles at the Federal Communications Commission and the Defense Information Systems Agency.

Following his departure from GSA, Nakasone’s responsibilities will be taken on in an acting capacity by Cheryl Thornton-Cameron, who is executive director of ITC Schedule Contract Operations at the agency.

Earlier this month, the GSA launched an industry consultation over plans to issue a multiple-award cloud blanket purchase agreement as part of a government-wide acquisition strategy.