Officials urge agencies to coordinate their IPv6 and zero-trust plans
Agencies should develop their IPv6 and zero-trust architecture implementation plans simultaneously because the two work in tandem to improve network cybersecurity, say federal officials.
IPv6‘s 340 undecillion Internet Protocol addresses not only solve the scalability issue of IPv4, which ran out of readily available addresses in 2015, but they support end-to-end visibility and microsegmentation required for zero-trust security.
Agencies’ IPv6 implementation plans, due before the end of fiscal 2021, align with the cybersecurity executive order President Biden issued in May requiring agencies to develop zero-trust architecture implementation plans.
“By providing end-to-end network paths and better support of microsegmentation, the transition to IPv6-only is going to be a key component of zero-trust architecture — which is one of the key pillars of the executive order,” said Maria Roat, deputy federal chief information officer, during the IPv6 Summit hosted by the General Services Administration on Wednesday.
GSA officials at the event would not immediately comment on whether all agencies had met the Office of Management and Budget‘s 180-day deadline to publicize their IPv6 policies, set in a November memo, or if they’re on pace to complete one IPv6-only system pilot before the end of fiscal 2021.
Agencies have opened a “great dialogue” around IPv6 in recent recent months, with the Cloud and Infrastructure Community of Practice hosting meetings in January and May attended by hundreds of federal employees, said Tom Santucci, director of governmentwide policy for the Data Center Optimization Initiative and CloudSmart at GSA.
OMB’s memo further requires 80% of all IP-enabled assets on federal networks to operate in IPv6-only environments by fiscal 2025.
“Support from agency leadership and our industry partners is essential to meet this goal,” Roat said. “And when I say agency leadership, this is not just the CIOs; this is the [chief financial officers], this is the mission owners and everyone that has a stake in the modernization across the board.”
While IPv6 promotes zero-trust security, it also paves the way for 30 billion network devices to connect to the internet by 2023 — expanding the cyber threat landscape even as it improves 5G connectivity. That has agencies like the National Institute of Standards and Technology updating security guidance and developing related testbeds and practice guides.
NIST’s Guidelines for the Secure Deployment of IPv6 haven’t been updated since they were published in 2009.
“A lot has changed about the IPv6 technical landscape, how people handle transition mechanisms to bridge legacy systems, mp6 systems,” said Doug Montgomery, manager of internet and scalable systems research at NIST. “That security guidance needs updates.”
The goal is to turn the guidance into an IPv6 deployment scenario playbook for agencies’ decision makers, Montgomery added.
Meanwhile the National Cybersecurity Center of Excellence within NIST is launching a public-private partnership to demonstrate IPv6-only deployments with plans to produce a practice guide full of use cases.
NIST is also working to ensure IPv6 transitions are included in risk assessments under its Risk Management Framework.
The Cybersecurity and Infrastructure Security Agency is addressing the expanded cyber threat landscape IPv6 presents by issuing guidance for agencies and industry, starting with its Trusted Internet Connections 3.0 program. CISA also wants to ensure its tools can measure IPv6 implementation.
“We are making sure that all programs and services that CISA provides to federal agencies and other state, local, tribal and territorial governments also support IPv6,” said Branko Bokan, cybersecurity specialist at CISA.
While OMB has pushed a transition to IPv6 since 2005, for the first time every common operating system and platform on the market has a mature IPv6 implementation, and much more is known about how to transition away from IPv4, Montgomery said.
Now the majority of traffic to agencies’ public-facing services is IPv6 because industry surpassed the government in IPv6 adoption.
“Amazon Web Services supports the U.S. federal government’s move to IPv6,” wrote Dominic Delmolino, vice president of worldwide public sector technology and innovation at AWS, in a blog Tuesday. “Transitioning to IPv6 will make sure that growing government networks and Internet of Things devices benefit from the increased scale of IPv6.”
Space Force adviser says service may need tailored tech
The Space Force wants to build its own tailored tech on top of the enterprise IT provided by the Air Force, a strategic adviser in the new service’s Technology and Innovation Office said Wednesday.
Requirements that are unique to the Space Force include the creation of a digital engineering environment, where satellites can be designed and tested virtually before being launched into space.
“There will be space force needs that we will either build upon that foundation or we will have to go get ourselves,” said strategic adviser Reb Butler, speaking at an event hosted by the Armed Forces Communications and Electronics Association.
The Space Force, a part of the Department of the Air Force, wants to be the first “digital service” since its operations all involve tech, be they satellites or global communications networks. Butler stressed that a key part of being a digital force is not only building out digital tools but having a digitally savvy workforce.
So far, only 30 percent of new Space Force staff have completed their required initial digital training in things like software and IT. The course work is through the Air Force’s Digital University, a library of classes on tech-related topics.
“We are pleased with the progress and look to onboard more courses to Digital University soon,” A Space Force spokesperson told FedScoop. The requirement to complete the training is self-paced, the spokesperson added.
The majority of the more than 5,500 staff that transferred from the Air Force have previously worked on space-related missions.
As the force brings on more members and expands its mission areas, it plans to run a pilot on communicating with industry, Mike Dickey, director of the Space Force’s Force Design Integration Office, said.
That would be a wholly new way to communicate requirements and one that would rely heavily on tech.
“That’s something that’s very early, we might try to do a pilot later this year,” Dickey said.
‘We need continued support from Congress,’ says CISA chief Wales
The Cyber and Infrastructure Security Agency (CISA) needs continued support from Congress, including backing from lawmakers for the creation of a cybersecurity recovery fund, Brandon Wales said Wednesday.
Wales, the acting director of CISA, said at CyberScoop’s CyberTalks conference that the agency is working hard to promote best cybersecurity practices but that it will need further support from lawmakers to ensure success.
“We are using our voice at CISA to raise awareness, provide best practices, advocate for more funding, but we can’t do it alone,” Wales said. “We need continued support from Congress, including in critical new areas such as dedicated cybersecurity preparedness grants for our state and local governments, and establishing a new cybersecurity recovery fund to ensure our nation can respond to catastrophic cyber incidents.”
His comments come as federal agencies ramp up their response to the epidemic of recent ransomware attacks on entities core to U.S. digital and physical infrastructure, including the Colonial Pipeline hack last month and the SolarWinds attack, which was revealed in December last year.
The creation of a cybersecurity recovery fund was proposed in a report issued at the end of March by the Ransomware Task Force (RTF) — a public-private coalition launched to tackle the ransomware threat that has received White House backing.
In an interview with FedScoop earlier this month, RTF co-chair Chris Painter said that any prospective ban on the payment of ransom demands made by hackers would likely need to be phased, and also accompanied by support measures such as a victims recovery fund. The creation of such a fund would likely require approval from lawmakers.
Speaking at CyberTalks, Wales also highlighted the cybersecurity skills gaps that remain across government and in the private sector, and noted that the U.S. faces an expected cybersecurity workforce shortage of 1.8 million by 2022. The NSA and Department of Homeland Security are among the agencies making major investments in university and community college programs designed to support technology talent considering a career in the federal government.
The CISA chief issued a wider call to arms to the private sector, stressing the importance of improving cybersecurity measures and reporting cyberattacks immediately to the federal government.
“I believe we are at a tipping point, and the time is now to take action for the long-term health of our national security.”
ACLU wants Secret Service and Coast Guard records included in its phone tracking suit
The American Civil Liberties Union seeks a court order requiring the Department of Homeland Security to refer its request for records on the warrantless purchase of cellphone location data to the Secret Service and Coast Guard.
DHS waited more than 14 months to reject the ACLU’s request, and the organization is arguing that resubmission to the individual agencies would cause a “pointless delay” in its lawsuit.
The ACLU sued DHS, Immigration and Customs Enforcement, and Customs and Border Protection in December over their secret use of a Venntel database for immigration enforcement and potentially more, and now it seems other agencies within the department may be involved.
Since the start of the lawsuit, ICE has proposed a records processing schedule of 500 pages a month — an “unreasonable” pace given the “significant” public interest in the case, according to the ACLU’s response filed April 23.
The DHS Office of Inspector General is now investigating use of the database, and legislation has been introduced that would prohibit warrantless access of such data — necessitating a records processing schedule of at least 1,000 pages a month, the ACLU continued.
“CBP and ICE are producing records on an ongoing basis, but the court has not yet ruled on the disputes the parties presented to it in April,” Nathan Freed Wessler, deputy director of the ACLU’s Speech, Privacy, and Technology Project told FedScoop. “The public interest in the information we are seeking is as strong as ever, with Congress now considering the Fourth Amendment is Not For Sale Act and federal agencies continuing to aggressively purchase access to this highly sensitive information about people’s movements and activities.”
ICE’s current pace would take a year and a half to complete, and that doesn’t include the time the ACLU will have to spend challenging the adequacy of the records returned and agency withholdings and redactions.
The ACLU said the end of May was a reasonable timeframe for the DHS Office of Procurement Operations to provide 22 pages of relevant records and May 20 a fair deadline for the Office of Civil Rights and Civil Liberties, Science and Technology Directorate, Privacy Office, and Office of the General Counsel to complete their searches and assess the volume of relevant records. The organization proposed they submit a joint letter to the U.S. District Court setting a deadline of May 27 to process the records.
DHS did not respond to a request for comment by time of publication.
Democratic Senate aides initially uncovered DHS agencies’ warrantless use of the cell-phone location database during a series of summer oversight calls, but their follow-up requests for more information were ignored — prompting the ACLU’s lawsuit.
Washington, D.C.-based mobile analytics company Venntel collects the data from apps and sells it to government customers, though its full client list hasn’t been disclosed.
The IRS revealed on a June oversight call that its Criminal Investigation unit subscribed to Venntel’s database between 2017 and 2018. Senators subsequently pressured the agency’s inspector general to investigate, though J. Russell George only promised to report back “to the extent allowable under the law.”
CBP’s Venntel database subscription cost half-a-million dollars.
At issue is the Supreme Court’s 2018 Carpenter v. United States decision, which found collection of significant quantities of historical phone location data constitutes a search requiring a warrant under the Fourth Amendment. The ACLU wants to know if immigration authorities are paying for access to databases to circumvent that ruling.
The lawsuit requests copies of contracts, policies and procedures for data use, communications with companies and the related legal analyses.
DOD switches off its temporary teleworking platform used by millions
The Department of Defense will shut down its Commerical Virtual Remote (CVR) environment at midnight Tuesday, marking the transition to a higher security, long-term office productivity environment that employees will use in the office and at home.
Creating CVR was a feat by government standards, with millions of users brought online in a matter of weeks when the pandemic first sent much of the workforce home in March 2020. CVR gave users access to Microsoft Teams and other basic collaboration tools. It was a telework environment born of necessity, and is now being replaced by a more robust version of Office 365 dubbed “DOD365.”
The new platform offers much of the same capabilities as CVR with the ability to do work up to impact level five (IL 5), a jump up from CVR’s max of IL 2 data, and store documents in the OneDrive cloud.
“The rapid stand up of Commercial Virtual Remote (CVR) marked the turning point to the way DoD approaches IT challenges and showed the value of the close working relationships that have been established over the last few years,” John Sherman, acting CIO, told FedScoop in a statement.
At its hight, CVR had nearly 1.5 million users chatting, video calling and sharing documents on the system across the military. It brought novel capabilities to the DOD workforce, which until 2020 rarely could work from outside of military installations. Since early 2021 DOD has been onboarding users on to DOD365 to try and smooth the transition. It’s unclear how many users are on the envionrment now. DOD also recently expanded the number of types of devices that can access the platform.
Part of what got CVR up and running so fast was a telework task force of military department CIOs that convened to surge resources to CVR. The task force was led by then-CIO Dana Deasy and met daily at the onset of the pandemic, the DOD said at the time.
A small office within the DOD CIO’s office, the Cloud Computing Program Office, worked “24 hours a day, seven days a week” in the first two months to get the cloud space needed to run the environment.
“It is the Thursday that never ended because it was the day that never ended for us,” she said in December, retelling the story of March for the first time.
CVR was not without its limitation. Only IL 2 work could be done on the system and its capabilities were rudimentary compared to the full suite of tools many private sector companies offer. It also operated on a security waiver in order to be stood up so fast.
Building a better citizen experience with contact center modernization strategies
Government contact center operations have long been stretched thin by escalating pressure to control bottom-line costs. But the effects of the pandemic — and the subsequent unemployment and health crisis — showed many government leaders that their agency contact centers were not prepared to meet the surge in citizen needs.
Modernizing contact center operations with cloud-enabled infrastructure promises a more agile approach in the face of crisis or surge events, according to a new report, produced by Scoop News Group, and underwritten by TTEC.

Read the full report.
Moreover, by moving contact centers away from legacy infrastructure, agencies can integrate automation and ai-enabled tools that connect the front-end citizen interactions with other downstream workflow processes at the agency.
The report describes how agencies, like the Wyoming Department of Workforce Services (DWS), deployed cloud and automation technology to deflect calls from at-capacity systems. Additionally, they were able to use an intelligent virtual assistant (IVA) to provide rapid answers to routine questions, resulting in a 24% decrease in call frequency.
TTEC’s Director of Public Sector, Ryan Haywood explains that injecting a layer of digital interaction with the agency before connecting to a live agent is one of the most effective ways agencies have found to streamline surges in requests. That is achieved by incorporating new communication channels such as text messaging, chatbots and other automation tools to make interactions more efficient.
By integrating automation technology, agency contact centers have been able to reduce operations costs, improve employee and constituent satisfaction and provide greater agility to react to surge events, according to Amber Rosebaugh, director of government technology strategy for TTEC.
“When an agency automates the back-end processes, response times also accelerate for the citizen,” she explained.
Read more about FedRAMP-authorized contact center solutions that are designed to deliver better citizen experiences.
This article was produced by FedScoop and StateScoop and sponsored by TTEC.
FBI wants to work more closely with private sector to boost deterrence
The Federal Bureau of Investigations wants to work more closely with the private sector to glean data from hacks and work to deter future attacks on both government and company networks.
The agency’s lead cyber policy official, Tonya Ugoretz, said that in order to better defend against the range of attacks in cyberspace, the agency can’t act alone. She stressed that the government needs both preemptive cooperation from industry for tips on the latest cyber incidents, but it also needs to work with victims of cyber crime to follow patterns and have a greater chance at attributing the criminals or nation states behind the attack. Boosting cooperations is critical part of implementing the FBI’s cyber strategy.
“The private sector holds valuable cyber threat intelligence that exists no where else,” Tonya Ugoretz, deputy assistant director for the FBI Cyber Division, said at CyberScoop’s CyberTalks digital conference. “So each of us is half-blind if we don’t bring our perspectives together.”
The private sector has tipped off the FBI on several recent major hacks, including the SolarWinds supply chain breech that targeted government data.
“Our work doesn’t stop with this public attribution, we will continue to comb through data and make connections,” she said.
The private sector partners Ugoretz has identified for more engagement include: IT service providers, owners and operators of critical infrastructure, and also victims of cyber crime that can provide rich data to the government.
“Our engagement with victims is an under appreciated piece of the puzzle,” she said.
To boost its own cyber defenses, the FBI recently requested an additional $15.2 million from Congress. The agency is also seeking to modernize its enterprise IT with recent requests to industry. The bureau anticipates signing a long-term contract with an IT vendor for enterprise services that will support its recently reformed office of the chief information officer to better defend its own networks that are under constant attack.
Cyber EO response will involve leaders from every agency, Federal CISO says
Federal CIOs and CISOs from every agency will be involved in creating new governmentwide cybersecurity guidelines set to be issued as part of President Biden’s recent cybersecurity executive order, according to Federal CISO Chris DeRusha.
DeRusha said Tuesday his office is working with the Federal CIO and CISO councils to ensure information security leaders from across government are involved in drafting the new guidelines.
“Obviously this is a pretty big executive order…it really is an all-of-government exercise,” he said at CyberTalks 2021, hosted by CyberScoop. “CIOs and CISOs will be included in the drafting of every aspect of the guidance. They are going to need to implement them, so they are more than welcome to help us develop them and to make them successful.”
The cyber executive order, issued last month by the Biden administration, requires the Office of Management and Budget to issue a slew of new cybersecurity rules for agencies. It includes a mandate that the OMB should work with the Department of Homeland Security and the General Services Administration over the next 90 days to develop a federal cloud-security strategy and guidance.
Commenting more broadly on the government’s response to last year’s SolarWinds hack, DeRusha said there remains a way to go until basic security measures such as multi-factor authentication and endpoint detection are implemented uniformly across government agencies.
He noted also the importance of senior agency leaders having appropriate emergency plans in place that can be followed in the event of another major cyberattack.
“Agencies need a consistent playbook for senior leaders to work through when an incident like SolarWinds occurs,” he said.
Modernizing federal cybersecurity is just one element of the larger cybersecurity EO. It also calls for increased sharing of threat information between the government and private sector, and for the development of baseline software supply chain security standards for any software sold to the federal government.
Additionally, the order calls for the creation of a national Cybersecurity Safety Review Board, akin to the National Transportation Safety Board.
Cisco inks $1.2B software contract with DISA
The Defense Information Systems Agency has awarded Cisco a $1.2 billion indefinite-delivery/indefinite-quantity contract for software services, the Department of Defense announced Monday.
The software Cisco will be providing is “Cisco Smart Net Total Care and Software Support Services,” according to a public release about the contract. The performance period will start with a one-year base but could be extended up to three years if all goes well.
The DOD’s request received three proposals, the department said.
Cisco’s Smart Net software is designed to help resolve IT issues and keep enterprise software for large organizations up to date, according to its website. It’s tech that “that keeps your IT running smoothly,” a promotional video claims.
DISA has been consolidating the networks of combat support agencies and taking on the responsibility to run their help desks. It’s unclear if this contract is directly related to that initiative.
Agriculture CISO Venice Goodwine takes role with Air Force
Venice Goodwine has left the Department of Agriculture to lead the U.S. Air Force’s enterprise IT function.
Goodwine started in the role of director of enterprise IT for the Air Force under CIO Lauren Knausenberger last Monday, a source familiar with the matter told FedScoop.
She served as USDA’s chief information security officer since late 2018, overseeing a $208 million cybersecurity budget, according to the agency. Before that, she had a long tenure in the military, serving as a senior cybersecurity officer advising the Air Force CISO and a senior program manager in the Marine Corps Systems Command.
While at USDA, she led improvements to the agency’s cybersecurity maturity score under the House Committee on Oversight and Reform’s Federal IT Acquisition and Reform Act (FITARA) Scorecard from an F to a B grade.
She spoke with FedScoop in January 2020 about the emerging importance of a zero-trust security framework in the federal government, acknowledging that “identity is now the new perimeter” for cybersecurity. “I understand that my data will now be at Starbucks and outside of my actual perimeter and how am I actually going to protect that data throughout its lifecycle?” she said at the 2020 Zero Trust Security Summit.
USDA did not comment on Goodwine’s departure prior to publication.