Tech industry requests TMF process updates to fast-track COVID-19 and SolarWinds recovery projects

Tech companies called on the government to revise its process for doling out the Technology Modernization Fund, now that it’s received $1 billion for urgent IT and cybersecurity projects, in a letter Wednesday.

The Alliance for Digital Innovation and nine other tech associations sent the letter to the Office of Management and Budget and the General Services Administration asking that TMF projects be proactively funded and repayment requirements for agencies loosened.

Tens of millions of dollars remained unspent in the TMF when lawmakers appropriated a record $1 billion in the American Rescue Plan Act earlier this month, which has agencies and industry worried the money won’t be spent quickly on critical COVID-19 and SolarWinds recovery projects.

“You can’t have OMB and GSA just sit around and wait for agencies’ projects,” Matthew Cornelius, executive director of ADI, told FedScoop. “You have to be proactive about identifying areas you want to invest in, and then find the best way to do that.”

Tech companies had no trouble identifying five TMF investment opportunities in their letter: federal operations, citizen services, remote work, cybersecurity shared services, and secure cloud adoption.

The pandemic has highlighted government’s struggles with identity management, while the SolarWinds hack that left at least nine agencies compromised emphasized a greater need for vulnerability management and secure remote work capabilities, Cornelius said. Collaboration tools, secure data sharing and data analytics platforms are also in high demand.

GSA should immediately tap its army of tech and acquisition professionals inside the Technology Transformation Services‘ Centers of Excellence and 18F to begin flagging government’s biggest enterprise and shared services challenges because more TMF money requires more manpower, Cornelius said. Project flow, execution and oversight must scale.

U.S. Digital Service staff could also be brought in to handle digital services delivery and Cybersecurity and Infrastructure Security Agency employees to find cyber opportunities, all of whom will improve the vetting of projects and can even assist agencies with implementation, Cornelius said.

“It’s not a knock on the folks that are running the Program Management Office now,” he said. “But that was an office that was designed to handle a million dollars for a few projects, not a billion dollars and scores of projects.”

Tech companies expect to be part of the process, requesting quarterly meetings in the letter with the TMF Board and representatives from interagency councils for information and status updates.

Unfortunately TMF’s current five-year repayment window is “unduly burdensome” for many agencies with “inherently riskier projects,” especially when the projects funded through Congress’ normal appropriations process aren’t subject to the same requirements, Cornelius said.

“The [OMB] director clearly has the authority to suspend, waive or alter the repayment requirements to make the fund more like a grant, rather than a loan,” he said.

Doing so will incentivize more agencies to seek TMF funds for multi-agency projects and commercial shared services that need stable funding over multiple years and take as long to retire legacy systems and yield savings, according to the letter.

The letter also asks that GSA consider waiving service fees the TMF PMO charges for processing funding awards.

DARPA’s AI fighter pilot gets more capabilities in latest tests

The artificial intelligence system the Defense Advanced Research Projects Agency (DARPA) is building to pilot fighter jets has added several new capabilities in recent tests.

The Air Combat Evolution (ACE) program made headlines in August when the AI system successfully defeated a human pilot in virtual dogfights 5-0. And now, in the system’s latest tests in February, DARPA added new weapons systems and multiple aircraft to the virtual battles, DARPA said in a March news release.

The trials put ACE on track for live, in-flight tests later in 2021.

“Adding more weapon options and multiple aircraft introduces a lot of the dynamics that we were unable to push and explore in the AlphaDogfight Trials,” Col. Dan “Animal” Javorsek, program manager at DARPA said about the initial trials in August. “These new engagements represent an important step in building trust in the algorithms since they allow us to assess how the AI agents handle clear avenue of fire restrictions set up to prevent fratricide. This is exceedingly important when operating with offensive weapons in a dynamic and confusing environment that includes a manned fighter and also affords the opportunity to increase the complexity and teaming associated with maneuvering two aircraft in relation to an adversary.”

One of the biggest increases in complexity during the testing came from adding a second aircraft for the AI system to try maneuver against. Whereas the initial tests were one-on-one dogfights, the latest rounds had two virtual F-16s matched against the AI system.

In that initial run, different companies designed different systems using machine learning to virtualize millions of dogfights for the AI to learn from. Heron Systems, a small defense contractor came out victorious.

Some criticized the initial tests as “AI theater,” meaning they bared little technological fruit but made for an interesting show. Dogfights are relatively simple tasks on the scale of what fighter pilots have to do in combat, and the AI system was only tested in a virtual environment.

“I appreciate that the DOD wants to show the world that it is on the cutting edge of AI deployment, but this simply is not it,” Missy Cummings, director of the Humans and Autonomy Laboratory at Duke University and former Navy pilot told FedScoop in August following the initial tests.

But the latest tests add new capabilities DARPA says will contribute to future systems. The agency also used the tests to ensure human trust in machines, an important topic the DOD is lacking in, according to a recent study.

“This enables us to see how much the pilot is checking on the autonomy by looking outside the window, and comparing that to how much time they spend on their battle management task,” Javorsek said.

DHS migrating to ‘cloud-first’ identities en route to zero trust

Migrating from legacy identity solutions to “cloud-first” identities is the next step in the Department of Homeland Security’s implementation of zero-trust security, according to the CISO of one of its component agencies.

Zero-trust security requires a network’s users to provide credentials before granting them access, after which they’re typically subject to continuous validation. That remains a challenge for DHS‘s external partners, Alma Cole, CISO of Customs and Border Protection, said during an ATARC event Tuesday.

Migrating identities to the cloud will make it easier and more secure to link them with those at other agencies or companies DHS contracts with, as well as add device identities.

“We’ve all had to deal with usernames and passwords and things for all these disconnected services at agencies,” Cole said. “So having that cloud-based identity that can actually federate with other entities in a really seamless way is key.”

Once that’s out of the way, DHS can begin using policy enforcement mechanisms to control what those identities have access to on the network.

DHS will use a network access control plane and comply-to-connect (C2C) framework — as well as a software-defined network (SDN) that verifies the posture of devices, user and user authorizations and entitlements — when granting on-premise users access to portions of the network.

As for external users like remote workers, DHS plans to replace its virtual private network with secure access service edge (SASE) cloud services.

“That is probably the first real, meaningful way to start implementing some hard, zero-trust access control policies and really lock down your agency,” Cole said.

By connecting offsite users to the network via a cloud-based tunnel, DHS need only expose the applications they’re authorized to use instead of the entire network, he added.

That’s especially useful if an advanced persistent threat (APT) nation state or state-sponsored group attempts to access the network because hacking one host, desktop or laptop will no longer allow them to see everything in the environment, Cole said.

DHS’s CISO would like to see more zero-trust guidance at the federal level.

While the NSA released a basic roadmap about a month ago, agencies haven’t even begun to scratch the surface of the data provided by programs like the Continuous Diagnostics and Mitigation program, Cole said.

That will require greater zero trust maturity, which comes with implementing more security capabilities and ultimately artificial intelligence.

“It’s so all-encompassing,” Cole said. “And it’s so overwhelming.”

Pentagon’s Joint Common Foundation AI platform is up and running

The Department of Defense launched a new coding platform aimed at helping users across the military build their own artificial intelligence models.

The Joint Artificial Intelligence Center’s Joint Common Foundation (JCF) has reached “initial operating capability” and already has some users in the services, center Director Lt. Gen. Michael Groen said Tuesday, although he did not specify what type of projects or who is involved.

The JCF is meant to be a one-stop-shop for anyone from dabbling data amateurs looking to fill out a slide-deck to full-on machine-learning developers hungry for clean data and an environment to write code. It will play a central role for the developing JAIC, especially as it turns to being an “enabling force” across the DOD rather than working on specific AI projects.

“The JCF is live, we have the tools, we are starting to develop, we are starting to host data, we are starting to host algorithms,” Groen said during the National Defense Industry Association’s inaugural National Security AI Conference and Exhibition. “We hope to grow that into full operating capability.”

The plan is to add a “block upgrade” every month to the platform to expand its data hosting, coding and other capabilities.

“Every month we want to add more services,” Groen said.

Other DevSecOps platforms, somewhat similar to the JCF, exist across the military services, including the Air Force’s Platform One. But Groen said the JAIC’s market for the JCF is made up of those who do not already have access to such a service-designed platform.

User feedback will play a major role in the early development of the platform. The JAIC is using user surveys to solicit initial users and those who would be using the JCF to hear what they will want. Working more closely with the individual services and the many AI offices across the department is a new focus of the JAIC. While initially the center was stood up as an AI fielding office to deliver products in key mission areas, now in its second iteration as the “JAIC 2.0,” it is focused on enabling others to build their own tools.

“We think that is a key tool to broad enablement across the department in the transformation of AI,” Groen said.

The hope is to eventually stitch together a common “data fabric” for enhanced interoperability and usage across the department, Groen added.

The JAIC inked a $106 million deal in August with Deloitte to help build the JCF platform.

Treasury awards its final EIS task order

The Treasury Department awarded the last of its six planned Enterprise Infrastructure Solutions task orders to AT&T, the telecommunications company announced Tuesday.

The 12-year, $231 million task order covers modernization of the Treasury‘s voice and data networks and cybersecurity as the department looks to enable its increasingly mobile workforce of more than 100,000 employees across about 700 locations.

Lawmakers initially expressed concern Treasury wasn’t keeping pace with the $50 billion EIS contract’s final deadline of Sept. 31, 2022, for transitioning off its predecessor Networx, but the department’s transition is now more than three-quarters complete.

“Hats off to the technology leadership and team at Treasury for making a deliberate and comprehensive commitment to network modernization,” said Chris Smith, a vice president with AT&T Public Sector. “We look forward to working with Treasury to help transform its communications capabilities and help ensure it is future-ready for further innovation.”

Work is already underway with Treasury poised to obtain EIS technology and cost savings quickly, according to AT&T‘s announcement.

AT&T’s last big EIS task order award was a 10-year, $311 million contract with the National Oceanic and Atmospheric Administration in November to prepare for 5G and edge computing by consolidating the agency’s networks into one Internet Protocol-based network.

DOD at risk of not meeting its own electromagnetic spectrum goals, experts tell Congress

The Department of Defense might know that it needs to put in more work to better manage its use of the electromagnetic spectrum — but so far that work has been lacking, according to expert testimony Friday.

The DOD still needs to empower high-ranking leaders to push spectrum initiatives, a key goal of the department’s spectrum strategy published in September, according to Joseph Kirschbaum, director for the Government Accountability Office’s Defense Capabilities and Management Team.

The Pentagon developed its spectrum strategy hoping to claim “superiority” in building and defending robust networks after two decades of warfare with low-tech adversaries. That lack of a need to use spectrum atrophied much of DOD’s EMS muscles, senior leaders have said. As the military starts measuring its readiness to fight a large-scale, great power war, it has acknowledged it needs to play catch up.

“The Department uses the electromagnetic spectrum for situational awareness, communicating with friendly forces, identifying enemy capabilities, directing strikes, navigation, and countless other tasks … the military is facing unseen challenges in the electromagnetic spectrum right now,” Rep. Jim Langevin, D-R.I., said during Friday’s hearing. Langevin is chairman of the newly created House Armed Services Subcommittee on Cyber, Innovative Technologies, and Information Systems.

Kirschbaum highlighted previous recommendations of a GAO report from December for the department to create a long-term oversight mechanism to ensure the spectrum strategy gets implemented during his testimony.

“The United States can no longer be assured of superiority in the spectrum,” Kirschbaum said. Previous strategies have not been fully implemented due to “bureaucratic and organizational hindrances,” and the current one could meet the same fate without action, he warned.

Strategic competitors like China and Russia have been hard at work developing weapons to disrupt U.S. networks and communications using spectrum, the hearing’s witnesses told lawmakers. The ability to disrupt DOD’s networks would be damaging in a battle now, and even more devastating in the future as the DOD turns to rely more and more on spectrum to run operations.

“The greatest risk I see today is continuing to apply a legacy strategy to the strategic realities of today,” William Conley, former director for electronic warfare in the Office of the Secretary of Defense, told lawmakers.

Developing new tools in spectrum management crosses into the DOD’s software goals since much of it is based on software-defined radios. Instead of working with antennas and other hardware, the latest research involves coding advanced algorithms and artificial intelligence to instruct the hardware to jump between frequencies, avoid jamming and finding innovative ways of communicating.

“That merging of the software and the hardware world I think will be very exciting,” Bryan Clark, a senior fellow at the Hudson Institute, told lawmakers at the hearing.

Missing E-Tran controls saw SBA issue $692M in duplicate pandemic relief loans

The Small Business Administration issued $692 million in duplicate pandemic relief loans because it failed to add the proper controls to its electronic application system, according to its Office of Inspector General.

E-Tran didn’t always prevent duplicate Paycheck Protection Program (PPP) loans made between April 3 and Aug. 9, when the loans were disbursed. Reasons included the computer script for detection stopped working, lender submissions used employer identification numbers and Social Security Numbers interchangeably, and some buyers applied via multiple lenders, according to SBA OIG‘s report.

The House Select Subcommittee on the Coronavirus Crisis requested the report, in part, because it wants to ensure E-Tran vulnerabilities are addressed before the remaining $150 billion in PPP loans are disbursed.

“Loans given to ineligible borrowers place taxpayer funds at risk of financial loss and delayed the amount of available critical capital needed for eligible businesses to withstand the effects of the pandemic during the first round of PPP funding,” reads the report.

Congress appropriated $659 billion, all told, for PPP loans intended to cover struggling small businesses’ payroll, rent and utilities.

About 4,260 borrowers received multiple PPP loans, despite SBA working with lenders to implement E-Tran controls in May. OIG found SBA temporarily turned off those controls between June 23 and 30 to resolve duplicate loans already identified with lenders, leading to more duplicate loans being made during that time.

OIG recommended SBA review potential duplicate loans and recover improper payments, review E-Tran controls to ensure those loans aren’t forgiven, strengthen controls for future PPP-type programs, and improve guidance for lenders — all of which SBA agreed to do.

“The inspector general’s report is consistent with the select subcommittee’s findings last year that billions of dollars in PPP loans issued by the prior administration may have been diverted to fraud, waste and abuse,” Rep. Jim Clyburn, a Democrat from South Carolina who chairs the subcommittee, said in a statement. “Today’s report is yet more evidence of the Trump Administration’s poor implementation of PPP, which ignored the intent of Congress by failing to get vital assistance to the neediest small businesses.”

SBA argued it was unlikely that borrowers intentionally exploited E-Tran’s initial vulnerabilities because only lenders have access, but OIG was quick to point out fraud still occurred.

The agency’s loan review plan states PPP loans are subject to automated screening. But software company Giant Oak ran the Department of Justice‘s first 57 PPP loan fraud defendants through its GOST screening platform and found 25% of them had committed fraud previously that should have barred them from receiving relief, CEO Gary Shiffman, who’s also a Georgetown professor, told FedScoop.

“That’s a very strong indication that they weren’t doing screening,” Shiffman said. “And in their statements, they were trying to get the money out quickly, so they were relying on the investigation as the deterrent.”

Most fraudsters assume the odds of an investigation into a loan less than $150,000 is low, and investigating fraud after the fact is “incredibly inefficient” compared to deterring it all together with screening, he added.

SBA did not respond to multiple requests for comment.

Fraud occurred 16% of the time when the Federal Emergency Management Agency disbursed relief after hurricanes Katrina and Rita, which in PPP’s case could mean as much as $105.4 billion in jeopardy, Shiffman said.

If SBA is committed to screening now, it will need to abandon static lists of past criminal convictions in favor of machine learning that examines patterns of fraudulent behavior, he said.

Machine-learning models can create prioritized lists of the highest to lowest threats, and if SBA vets the top 1%, then they’ve done a “phenomenal job,” Shiffman said.

New industry partnership promises to strengthen authentication security

Andrew Whelchel is a certified principal sales engineer at Okta, specializing in enterprise security architecture, identity risk, data privacy, cloud, mobile and API security.

The pandemic is speeding up plans of most organizations to embrace the cloud and meet new needs of a remote and hybrid workforce. But for federal agencies, even though the structure of the workplace has changed, federal regulations setting access and identity verification standards have not.

Cloud’s ability to bring greater speed, agility and security to the mission is within reach, as long as agencies can find provide access to cloud-based applications which meet Federal Identity, Credential and Access Management (FICAM) policies.

That’s been a challenge for many agencies. But it’s also the promise of a new partnership between Okta and Amazon Web Services. Okta Identity Cloud is now available through Amazon Marketplace, to give agencies access to a FedRAMP-approved cloud identity platform that supports their modernization goals.

Access tools that minimize cyber risk

The uptick in security threats — like recent ransomware attacks and compromised supply chains — continue to put agencies at risk. Systems are increasingly interconnected. That makes FICAM more than a just a check box to meet federal security regulations. FICAM lays the groundwork for agencies to implement modern identity and access controls and ultimately paves a path forward to architecting a zero-trust environment.

The remote and hybrid workforce increases agencies’ cyber risk as long as employees are not working inside government buildings. It is critical that federal IT infrastructure moves away from traditional credential validation, like PIV and CAC, and traditional remote access security such as VPN, to an access solution that solidifies a zero-trust security posture.

Those organizations which have already fallen victim to a ransomware attack learned that in the event of a breach or attack, IT security teams can benefit from segmentation, to isolate threats quickly. But at the same time, multiple accounts create more access complexity. Organizations with hundreds and thousands of users will exponentially increase the number of accounts per person.

Without a tool like Okta’s Identity Cloud, users have to remember a lot of passwords and credentials. Consequently, IT administrators need to be mindful that with segmentation also comes the need to take a heightened management posture for access and identity verification controls.

Okta’s single sign-on and multifactor authentication solutions comply with a number of FICAM policies — not just for access controls, but for logging, auditing and even providing attestations that someone should continue to have the rights that they have. The universal directory consolidates users, groups and devices into a single directory, giving administrators the ability to manage the lifecycle of users’ access.

Additionally, Okta Identity Cloud operates both on-premises and in cloud environments and supports agencies’ moves to embrace either hybrid or multi-cloud infrastructure. Ultimately, the goal is to create a more resilient infrastructure against cyber threats that doesn’t complicate the user’s experience.

Testing the waters with pilot projects

Using Okta with AWS’ cloud infrastructure offers both speed and agility of access that agencies are looking for their applications today and in the future. By getting users approved for certain capabilities, and then mirroring those attributes inside of AWS, agencies can have certainty that the right people are the right privileges to access federal data. That includes employees, contractors, partners and citizens who interact with the government at different levels.

Those who are hesitant to move forward need only test this concept with a pilot program to get started. Those who’ve already begun testing workloads related to home connectivity, zero-trust connectivity, ticketing management or automation software are seeing the benefits almost immediately. And because these pilot tests are managed in the cloud, there are no setup costs and no provisioning to spin up a Okta’s tool inside AWS.

Once agencies understand how easy it is to move their data and connect their identity to that cloud, it doesn’t take long to begin moving a lot more projects and workloads to the cloud.

Okta is a leader in the identity space, and its broad network of application integrations simplifies the deployment and management of cloud apps, services and infrastructure for those organizations migrating to the cloud.

Also, read more from leaders about how state and local agencies are modernizing identity authentication.

Learn more about the availability of Okta Identity Cloud and its products in AWS Marketplace.

VA creating new digital platform to modernize GI Bill benefits

The Department of Veterans Affairs is building a new platform to centralize GI Bill-related benefits processing, a long-desired modernization effort to help veterans receive the higher education benefits they’re entitled to.

The VA awarded a contract to Accenture Federal Services on March 11 to start building the “Digital GI Bill” platform as a means to ease communications between veterans, schools and the government.

The idea of modernizing the VA’s benefits system been talked about for years following the passage of legislation in 2017 requiring an update to the way veterans can receive tuition and other benefits for higher education. Those changes, though, caused glitches in the existing system, which led to years of working on a long-term fix.

Momentum picked up modernizing the program last fall when the department asked Congress to reprogram COVID-stimulus funding for the IT project and made meaningful progress updating outdated systems and processes as required by the 2017 law.

Introduced under landmark legislation during World War II, the GI Bill allows veterans to earn funding to cover their education after service and has seen several updated laws to tweak its administration. 

“[T]his platform will enable VA to call, email, text and chat with GI Bill beneficiaries, grant the Veterans Benefits Administration (VBA) immediate access to beneficiary records and respond to questions from colleges and universities instantaneously,” according to a press release. It described the platform as “an end-to-end systems management perspective to ensure proper compliance and oversight of GI Bill programs, and the use of data and business intelligence tools to track, monitor and measure school and student outcomes.”

It is yet another digital modernization push in the VA, which has faced challenges in modernizing some of its other major programs like electronic health records modernization.

The platform will be a product of both the VBA and the Office of Information Technology, according to the VA. The two will be using $243 million of reallocated money from the CARES Act, the initial round of stimulus passed by Congress in March of 2020.

Air Force updates Digital University with new career tracks

The Air Force‘s platform to upskill its workforce got some major new additions, with new career pathways and course designs to organize users’ learnings around specific technical skill sets.

The Digital University platform’s initial launch in summer opened up thousands of lessons from contractors Udemy, Pluralsight and Udacity without much direction for the learner. The latest updates push the platform closer to what many companies in the private sector have embraced to keep their workforces sharp on the latest technology skills, with specific career paths and customizable tracks for particular skills.

“Technical training typically isn’t done well in the Air Force, so there is a demand to upskill our technical airmen for the jobs we need. DU was built to be that central hub,” said 1st Lt. Peyton Cleveland, who built much of the backend of the new course paths.

Digital University is managed by the Air Force’s Business and Enterprise Systems Product Innovation office (BESPIN). The team told FedScoop in September that it plans to “constantly [update] digital training” on the DU platform, made evident by the new pathways and customization available in the latest release.

“The goal was to completely transform the way we think about digital training,” Cleveland said about DU.

The first Digital University users were cybersecurity specialists and technical professionals looking to stay up-to-date on the latest coding techniques — the type of tech professionals who might already know what lessons to look for in the library. From there, DU leaders hope to expand the user base to curious airmen and Space Force guardians who recognize the benefits of technical skills in their roles but would need more guidance on where to begin — hence the newly coded career paths.

Some hope that senior leaders will also jump on the platform, just like Chief of Space Operations Gen. Jay Raymond said he has done. Raymond also said previously that digital literacy will be a requirement for new Space Force members, who can take Digital U coursework and other tech training to develop new skills.

So far, the platform seems to have taken hold, DU officials say.

“A lot of the feedback has been really positive,” Cleveland told FedScoop. “People love what we are doing and want more of it.” Even the Army is jumping onboard with a pilot of the platform, Cleveland said.

Digital University has been praised by Air Force and technology leaders as a way to help turn the greater Department of Defense into a more-digital organization. With the decades it takes for young, tech-native people to rise through the ranks of the military, Digital University’s leaders hope the program can start to turn those already in senior roles into leaders who recognize the value of digital skills in the modern military.