NSA issues zero trust guidance, urging DOD and contractors to adopt model

The National Security Agency issued a cybersecurity information sheet Thursday with instructions for defense agencies and contractors on how to set up a zero-trust network architecture.

In it, NSA urges the entirety of the Department of Defense and its contractors to implement zero trust for sensitive systems to better prevent data exfiltration.

“NSA strongly recommends that a Zero Trust security model be considered for critical networks to include National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems,” according to the cybersecurity information document.

The push to zero trust — where compromise is assumed and users are asked to verify their identity as they move around a network — has grown stronger after the discovery of the massive SolarWinds hack last year. The penetration of sensitive network components by suspected Russian hackers in the breach was another dire example of cybercriminals gaining wide access to information once in a network.

“Adopting the Zero Trust mindset and leveraging Zero Trust principles will enable systems administrators to control how users, processes, and devices engage with data,” NSA said in a release. “These principles can prevent the abuse of compromised user credentials, remote exploitation, or insider threats, and even mitigate effects of supply chain malicious activity.”

The seven-page document is just the beginning of the reference architecture the NSA plans to release to help contractors and DOD components move to a zero-trust model. The agency teased late last year a reference guide it has been working on in partnership with the Defense Information Systems Agency that it plans to release in 2021.

The document also covers the pitfalls and challenges associated with implementation. Chief among the challenges it lists is a lack of commitment by leadership to enterprise-wide adoption.

“With the pervasive need for Zero Trust concepts to be applied throughout the environment, scalability of the capabilities is essential,” the document states.

DIU sees another year of growth in spending, tech transition

The Department of Defense’s Silicon Valley outpost continues to award cash to companies looking to break into the defense market, growing its number of prototype contracts and transitioned technologies in 2020, according to its annual report.

In 2020 the Defense Innovation Unit transitioned 11 programs into full production, meaning it turned a prototype deal into a follow-on contract awarded by a military department or agency.

While that is an increase from the nine technologies transitioned the year before, it is a small drop in the massive bucket of tech programs run across the DOD.

DIU increased metrics across the board, including new programs started, some of which were launched to contain the spread of the coronavirus among service members. 2020 was DIU’s fifth year of existence, a milestone that was not guaranteed since it was set up as an experiment by then-Secretary of Defense Ash Carter.

The DIU has been the darling of some technology innovation advocates, with its former director calling for a “10x” multiplication of its budget in a congressional hearing. But the challenge for offices like DIU is not necessarily getting companies to build prototypes but rather scaling innovation and disruptive technology use across the massive department. In its five years, DIU has only transitioned 26 technologies, according to the report.

“Now is the time to supercharge DOD access to innovation,” Raj Shah, the first DIU director said during a hearing for the House Armed Services Committee’s Future of Defense Task Force in 2019.

Another change to DIU’s operations this year was the breadth of programs it worked on. It launched 23 new programs, a 35 percent increase over 2019. It placed a large focus on tech that could enhance the DOD’s response to COVID-19. One program created wearables that could detect subtle changes in the wearer’s behavior to identify infected service members.

Another new program, Blue sUAS, found success outside of just the military, giving agencies options to purchase drones that meet security requirements. The program certified five drones that met cybersecurity and other standards for government use in the face of concerns over Chinese-made drones. Local government agencies also have access to the program.

Artificial intelligence-based technologies continue to be a priority for DIU, the report noted. DIU is not alone in its interest, with similar rapid acquisition offices like AFWERX prioritizing AI procurement as their largest budget area.

NIH advances COVID-19 health status reporting and contact tracing pilot with IBM

The National Institutes of Health moved its COVID-19 verifiable health status reporting and contact tracing pilot into a second phase, awardee IBM announced Thursday.

IBM will begin working with the Washington Suburban Sanitary Commission (WSSC Water) to deploy its Digital Health Pass to prove to NIH that the platform will work with third-party organizations. The platform combines public health data like test results and onsite temperature scans with contact tracing technology and will inform the Maryland water utility’s pandemic decisions on bringing employees back.

The pilot’s advancement marks a win for NIH’s Digital Health Solutions for COVID-19 contract, awarded to seven organizations for a total of $22.8 million — assuming all awardees receive phase two funding.

“Emerging smarter from the COVID-19 pandemic requires adopting technologies to increase resiliency,” said Andrew Fairbanks, U.S. federal sector leader at IBM, in the announcement. “As testing becomes more widespread and vaccines are distributed, it’s more important than ever to foster innovative thinking and develop solutions such as IBM Digital Health Pass, designed to support organizations in bringing people back to a physical location.”

The National Cancer Institute and National Institute of Biomedical Imaging and Bioengineering awarded the second phase of IBM’s contract, originally won in September, once it demonstrated Digital Health Pass’s feasibility.

NCI and NIBIB are interested in using the platform not just during the ongoing pandemic but for future public health preparedness and pandemic response.

Data collected by Digital Health Pass is anonymized and stored in NIH’s COVID-19 data hub made available to researchers while also allowing participants like WSSC Water to privately monitor employee vaccination and health status.

IBM has until September to continue working with WSSC Water, which serves 1.8 million Montgomery and Prince George’s county residents, at its Laurel, Maryland, headquarters and additional locations.

“Using a cloud-based tool, instead of multiple paper processes, will simplify our self-monitoring, reporting and contact tracing efforts — allowing our employees to spend more time focused on providing safe, seamless and satisfying water services to our customers,” said Carla Reid, general manager and CEO of WSSC Water.

The other organizations to win Phase 1 spots on NIH’s Digital Health Solutions for COVID-19 contract for their digital health solutions were: Evidation Health; iCrypto; physIQ; Shee Atiká Enterprises; the University of California, San Francisco; and Vibrent Health.

Machine learning speeding up patent classifications at USPTO

Machine learning is helping the U.S. Patent and Trademark Office shorten the time it takes to assign patent applications to examiners, instead of having to redo its entire classification process, according to CIO Jamie Holcombe.

USPTO sent its top engineers to Google on the East and West coasts to learn more about ML and TensorFlow application programming interfaces.

Now those engineers are using Python with TensorFlow to apply ML to patent classification, search and quality.

“We immersed them in the culture, and they got Googly,” Holcombe said during an ACT-IAC event Wednesday. “They got certified in TensorFlow, which is the open-source library for a lot of neural network feedback loops.”

USPTO has patent examiners use those feedback loops to rate how well ML algorithms are classifying patent applications to the art units and examiners that evaluate them, as well as the search algorithms in the system.

Despite having 250 years of historical data to train its algorithms with, USPTO relies primarily on daily feedback from examiners to ensure they’re working.

The agency is also hiring vendors to classify patent applications and comparing those classifications against its own algorithms. Having vendors and patent examiners working in tandem further refines the algorithms, Holcombe said.

“There always could be a black swan, and that’s what you’re trying to prevent in the curation of your data moving forward,” Holcombe said. “Black swans have to be cared for and handled and managed appropriately, or else it will break the system.”

USPTO remains in the early stages of ML use, in part because it’s still cleaning its data. While the agency uses robotic process automation (RPA) for clerical and administrative processes, it’s still getting used to the technology before applying it to patent and trademark workflows, Holcombe said.

Holcombe said he doesn’t believe AI yet exists, but there’s a spectrum of automation technologies with RPA at one end and more advanced neural networks at the other.

Space Force focusing on pitch days, consortiums to speed up tech acquisition

The U.S. Space Force wants to lean on consortiums and host “Shark Tank”-style pitch events to rapidly acquire tech from the commercial space industry.

The force has plans to host the first “Space Pitch Day” in the spring, where companies will present ideas with the potential to win a cash award on the spot. The Air Force has awarded billions of dollars during pitch days, a model the young Space Force plans to copy.

The Space Force is also looking to speed up tech acquisitions by opening its contracts to consortiums of vetted companies that can bid on proposals and other transaction agreements (OTAs).

“We have to have an increasingly long-term perspective” on innovation, Dr. Joel Mozer, chief scientist for the Space Force, said during the virtual Air Warfare Symposium hosted by the Air Force Association. That long-term perspective on innovation will rely on partnerships with industry to constantly improve technology over the years to come, Mozer said.

Already, the Space Force has seen success working with consortiums. The Space Enterprise Consortium, for example, has produced anti-jamming satellite communications technology for the force, Lt. Gen. John Thompson, commander of the Space and Missile Systems Center, said Wednesday. The tech was piloted during large-scale tests of the Air Force’s Advanced Battle Management System in September where it successfully maintained communications despite electronic interference. That accomplishment is one Thompson and other leaders hope to replicate across a broad range of tech types.

Mozer emphasized that the Space Force will need new cybersecurity tools to better protect satellites and other space assets. Already, Space Force has inked deals with cybersecurity companies for zero-trust network design and other means to protect information generated in and transmitted through space.

“Future warfare is really going to be much more information-centric,” Mozer said.

Another new acquisition model the Space Force plans to use is Section 804 Middle Tier Acquisition, Thompson said. It’s a process that allows contracting officers to rapidly acquire prototypes without needing to go through the typically lengthy procurement process. With the recent expansion of the commercial space industry, many technologies are in the early prototyping phase, allowing for more use of Section 804 processes.

GSA re-awards spots on $5.5B 2GIT contract

The General Services Administration re-awarded 79 spots on a $5.5 billion contract allowing all levels of government to buy IT hardware and software products and services.

Protests stalled the Second Generation IT (2GIT) five-year blanket purchase agreement (BPA) awards, which included 58 small businesses, for 15 months.

The BPA streamlines the purchasing of commercial-off-the-shelf (COTS) technology through GSA Advantage!, allowing agencies to meet complex requirements faster.

“2GIT will deliver great value across the federal government,” said Laura Stanton, assistant commissioner of IT Category, in the announcement. “It serves as an example of GSA developing IT solutions that cater to agencies’ current and future requirements with supply chain risk management as a key feature.”

The contract is the first instance of the Office of IT Category including supply chain risk management (SCRM) requirements, which require vendors to self-certify the maturity of their networks and verify that they are sticking to their plans moving forward.

GSA worked with the Air Force on 2GIT to extend the Best-in-Class (BIC) IT Products purchasing solution to all agencies including those at the state, local and tribal levels through the Cooperative Purchasing Program.

2GIT ensures the collection of prices-paid data and the tracking of savings, cost reductions and administrative burden. Vendors can add new products quickly through the FASt Lane modification process.

Three companies — Blue Tech, Coast to Coast Computer Products and Red River Technology — protested GSA’s original awards in November 2019. GSA took corrective action, only for Red River and small business Blue Tech to protest again, along with Force 3, which had won a spot on the original contract.

Of those four companies, only Coast to Coast Computer Products failed to receive a spot the second time around.

Five other small businesses made it onto the contract this time: ACG Systems, Four, KPAUL Properties, Lowry Solutions, and Walker and Associates. And so did Telos Corporation and Telos Identity Management Solutions.

BearCom Operating and CDW Government missed out this time as did small, woman-owned, disadvantaged business Divine Imaging; small, disadvantaged business NeoTech Solutions; and small business Vee Model Management Consulting.

“With the award of the 2GIT BPAs, we are proud to support multiple awardees from each of the small business categories: HUBZone, Woman-Owned, Service-Disabled Veteran-Owned, and 8(a) businesses,” said Sonny Hashmi, commissioner of the Federal Acquisition Service, in a statement. “Small and disadvantaged businesses form an important component of the federal contracting community, and GSA will continue to identify and elevate opportunities for them to bring their expertise and innovation to support the federal government.”

Air Force picks 15 airmen-designed projects to automate menial tasks

The Air Force’s Vice Chief’s Challenge yielded 15 winning ideas based on technology to help automate menial tasks and give airmen new opportunities to get their hands on code.

The winning ideas ranged from chatbots for financial management systems to network monitoring software to improve cybersecurity. And now those ideas will be given the resources to pilot, test and scale across the Air Force.

Launched in February 2020 with the theme of “Saving Airmen Time,” the challenge was aimed at finding new solutions for time-consuming but low-skill tasks that members of the Air Force face every day. The challenge combines two priorities of the Air Force and other military branches: to automate low-skill, time-intensive workloads and give more opportunities for service members to develop tech skills.

“We asked for our Airmen’s help in identifying and eliminating drains on time that do not directly contribute to warfighting readiness — and our Airmen delivered,” Air Force Vice Chief of Staff Gen. David Allvin said in a news release. “The response to this challenge was impressive.”

Over the past year, pitches were evaluated based on their scaling potential and how much time they could save for airmen. This model of airmen pitching their ideas to senior leaders has quickly become a favorite across the service, which has hosted similar “Shark Tank” style events in recent years to generate new technology pilots.

The program’s design of calling for ideas directly from end users is a key part of the technology-driven, innovative culture that Air Force leaders are trying to develop.

“While the entire staff remains focused on pursuing innovative solutions, we firmly believe that no one knows better what processes or tasks weigh on our Airmen, than Airmen themselves,” then-Vice Chief of Staff Gen. Stephen Wilson said in 2020 at the start of the contest. “We are asking for Airmen’s help in identifying and eliminating drains on their time that do not directly contribute to warfighting readiness.”

Other winning ideas include automated flight scheduling for squadrons, Microsoft Word templates for Air Force documents and data collection on Air Force child care programs.

The new urgency for federal financial authorities to leverage the cloud

Olivia Peterson leads the U.S. Federal Financial Services business at Amazon Web Services. She previously served as Senior Vice President of Client Services at SS&C Primatics and Senior Business Initiatives Director at Freddie Mac.

By most measures, the world’s financial institutions have made significant strides in the past few years digitizing their operations and their service offerings.

The pressure to keep up with consumers and investors — now accustomed to switching institutions with a few clicks on their smartphones — as well as an emerging cadre of technologically-disruptive competitors, among other factors, have driven most financial services firms to invest heavily in a variety of digital transformation strategies.

However, the continuing speed and impact of technology changes underway at banks, investment firms, insurers and other financial institutions are also putting enormous pressures on government monetary officials and financial regulators to keep up.

The need for greater agility at scale by federal agencies to monitor, examine, regulate and support financial markets clearly took on new urgency this past year in the face of the pandemic and news of the cyberattack on SolarWinds, which impacted the departments of Treasury, Commerce, Justice, Homeland Security, the U.S. court system, along with a number of corporations.

The good news is: The cloud computing capabilities propelling technological innovation among financial institutions are also available to federal agencies and regulators.

Moreover, the wide range of high-performance data processing, analytics and AI capabilities available from AWS today offer federal financial agencies and regulators not only a smarter way to procure state-of-the-art infrastructure. Those capabilities also provide altogether new and pivotal opportunities to:

Expand mission-focused capabilities — The critical mass of computing resources and engineering talent assembled by the leading cloud providers have led to a vast and expanding array of secure, turnkey and AI-assisted tools and IT services, many of which have become essential to operating in today’s digitally-connected world. These tools offer federal financial authorities far more powerful, flexible and automated mechanisms to help monitor and regulate the U.S. economy and its participants than what’s commonly available on most existing government IT systems.

Reduce mounting risks and costs — Financial services agencies face a triumvirate of technology challenges: Aging technology platforms that will only grow more expensive to maintain; a declining number of people who know how to program and maintain them; and a widening gap in agility and speed in responding to changing market conditions compared to financial sector leaders and malicious state actors. Modernization doesn’t just mean improving platforms and adopting emerging technologies like machine learning; it also means investing in infrastructure that can flex and scale at a moment’s notice, which only the cloud can achieve.

Enable advanced data strategies and analysis — The growth of digital transactions globally has put tremendous burdens on both regulators and regulated commercial entities to gather, process and analyze massive data sets for timely insights. The cloud makes it easier to collect, ingest, store and analyze data — and do so faster and more cost-effectively and securely. That helps alleviate burdens for both examiners and the regulated; but it also helps equip under-staffed agencies to leverage that data and respond more quickly to market risks, fraud and abuse.

Certainly, a number of regulatory organizations have already begun capitalizing on the scalability and capabilities of the cloud.

For instance, the Financial Industry Regulatory Authority (FINRA), the nation’s securities industry self-regulator, built a petabyte-scale data lake on AWS. It then took advantage of open-source technologies and cloud-native analytics tools to enable 1,500-plus analysts and business partners to securely query financial trading data — involving terabytes of data updated daily — across the U.S. securities market. This kind of performance could not be achieved on-premises.

The Federal Deposit Insurance Corporation (FDIC), meanwhile, has communicated its plans to modernize regulatory reporting processes and requirements to obtain more detailed and frequent data on banks’ loan portfolios. Currently, banks collect between 1,400 and 2,400 data fields, and transfer them to the Federal Deposit Insurance Corp. for aggregation and analysis each quarter. The goal, according to FDIC Chairman Jelena McWilliams, is to develop a “modernized and automated data system (that) would improve the ability of supervisors to identify bank-specific and systemwide risks sooner and more efficiently, while reducing the compliance burdens on individual institutions.”

And other agencies, such as the National Credit Union Administration, are also taking advantage of the cloud. NCUA has been piloting a web-based platform aimed at streamlining the examination process for credit unions and examiners. The new platform — the Modern Examination & Risk Identification Tool (MERIT) — is expected to be available this year and ultimately replace a 25-year-old legacy application called the Automated Integrated Regulatory Examination System (AIRES).

There’s one other compelling reason why federal financial agencies and regulators should start capitalizing more fully on the cloud now: Today’s cloud services have made modernizing IT systems easier to procure and maintain for the future.

When AWS first launched the Amazon Elastic Compute Cloud in 2006, it also recognized the importance of making computing services easier to acquire. That led to the concept of “infrastructure-as-code,” which lays the foundation for applications that can launch and scale in seconds-to-minutes through code implementations instead of long procurement cycles.

What this means is innovation and modernization are no longer dependent on or stalled by technology refreshes and lengthy acquisition cycles; they can happen in minutes. Fast-forward to 2021: Given all of the FedRAMP-secured cloud solutions available through AWS and its partners, and AWS’s unique experience available to the federal government, the ability to innovate and modernize in new and powerful ways and to harness the power of data are literally at your fingertips.

Learn how AWS can help your agency capitalize on today’s cloud, or contact us at USFedFin@amazon.com.

VPNs pose challenges for agencies sustaining remote work

Virtual private networks (VPNs) are presenting some agencies with added challenges as they increase remote work during the COVID-19 pandemic.

Some agencies had to make emergency acquisitions for more VPN licenses and are now looking to segment their data, because the technology provides more internet exposure than advocates of models like zero-trust security are comfortable with. Infrastructure, not cloud, remains the focus as agencies attempt to remotely connect employees to network assets that may still be on-premises, and zero-trust security architectures are preferable, said Dan Jacobs, director of cloud adoption and cybersecurity within the General Services Administration Centers of Excellence.

“I know several organizations went through some crippling issues when COVID first happened,” Jacobs said during an AFCEA Bethesda event Tuesday. “They simply didn’t have enough licenses, and the ones that did have enough licenses didn’t necessarily have the throughput. And their VPN failed them.”

The Nuclear Regulatory Commission is considering segmenting its data as part of its VPN approach and changing the way it handles authentication and provides permissions due to security concerns, said Jonathan Feibus, the agency’s chief information security officer.

According to a Zscaler risk report released this month, among 357 IT and cybersecurity professionals — 25 of them in government — 93% said their organization had deployed VPN services despite 94% acknowledging cybercriminals exploit their vulnerabilities to access network assets. Social engineering, ransomware and malware are the most common ways to compromise VPNs.

“Right now VPN just throws open the fire hose and gives me access to everything I had when I was in the building,” Feibus said. “Do I necessarily need that when I’m remote?”

Of the professionals Zscaler surveyed, 67% were considering remote access alternatives to traditional VPNs and 72% were prioritizing zero-trust security. And 59% were accelerating those efforts because of increased remote work.

“It’s encouraging to see that enterprises understand that zero-trust architectures present one of the most effective ways of providing secure access to business resources,” Chris Hines, director of zero-trust solutions at Zscaler, said in a statement. “As organizations continue on their journey to cloud and look to support a new hybrid workforce, they should rethink their security strategy and evaluate the rising cybersecurity threats that are actively exploiting legacy remote access solutions, like VPN.”

A cloud-delivered, zero-trust service that brokers all user-to-app connections is the best approach, Hines said.

But agencies aren’t so sure. Maintaining ownership of infrastructure is often easier than using cloud services because then you have to work with the provider to adjust for efficiencies, Feibus said.

The Air Force is taking another approach with its software factories using DevSecOps to embed security into service mesh architectures from the outset. But that isn’t a “panacea” for VPN woes either, said Ron Ross, a fellow at the National Institute of Standards and Technology.

NIST wrote the Federal Information Processing Standard 199 back in 2004 to ensure all data in federal systems was categorized as high, moderate or low impact.

“We understood then that complexity was going to overwhelm us at some point and that making sure we could identify the things that were most important; we can separate those, isolate those resources and give them better protection,” Ross said. “That concept is still very much in play today.”

But even DevSecOps developers are reliant on code libraries imported from a variety of sources without much transparency or trust. Broad-based policies and strategies are needed to address that “systemic” problem, Ross said.

“How much trust do we have in those code libraries? Who manages those libraries?” he asked. “What’s in the libraries?”

Citing JEDI, a top Microsoft executive calls for reform of contract protests

The president of Microsoft told lawmakers Tuesday that legal reforms are needed to shorten the timeline for federal contract award protests — a process the company is all too familiar with, as it has been tied up in disputes around the Pentagon’s multibillion-dollar cloud contract for more than a year now.

Microsoft President Brad Smith didn’t offer specific recommendations on what the federal government could change to speed up protests, but he broadly suggested there should be a more efficient adjudication process without sacrificing the chance for companies to make their voices heard. Microsoft has not been able to start work with the Department of Defense under the $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud contract that it won in October 2019 because of a grueling ongoing award protest Amazon Web Services filed that November.

Reforming procurement protests would allow federal agencies like the DOD to acquire and use technology more quickly without needing to wait for outdated acquisition processes to play out, Smith said during a Senate Armed Services Committee hearing on emerging technology development in the DOD.

“How do you move quickly when the protest process moves so slowly?” he said.

Others testifying with Smith on Tuesday concurred that the DOD needs to find ways to streamline acquisition to take better advantage of emerging tech. Hawk Carlisle, the retired Air Force general who now leads the National Defense Industry Association, agreed with Smith on the costs of a lengthy bid protest, saying there is no disincentive for companies to file a suit. And ultimately, he said, this hurts the military customers who have to wait for protests to wind through the claims process.

“Don’t disadvantage the person that is waiting for the equipment,” Carlisle said.

The longer Amazon’s protest stretches on, the more the future of the JEDI contract comes into question. Smith acknowledged Microsoft may never get paid or be able to move forward with work under the contract. The DOD also said in a recent letter to Congress that it may have to consider an alternative if the protest continues much longer.

“We have literally been frozen by a federal court on our performance on the JEDI contract for more than 12 months,” Smith said.