Federal Claims Court judge sides with AWS on JEDI lawsuit timing

A federal claims court judge has granted Amazon Web Services’ requested timeline for hearings in ongoing Joint Enterprise Defense Infrastructure (JEDI) cloud contract litigation.

According to court documents, Amazon is seeking the disclosure of additional internal communications from the Department of Defense — including emails and Slack messages — which lawyers representing the government say cannot be disclosed because of national security concerns.

Both the U.S. government and contract winner Microsoft were seeking to expedite the case schedule. Lawyers for the government said its implications for national security also merit that the case be fast-tracked, while lawyers for Microsoft say it should be sped up because of the large financial losses the technology giant stands to accrue. The company declined to comment further.

Under the schedule put forward by AWS, the cloud services company will file a renewed motion to complete the administrative record by June 18. The U.S. government and Microsoft will then have until July 9 to respond, and Amazon will have until July 16 to file another reply.

It represents the latest stage in the legal challenge, which was launched by Amazon after the Joint Enterprise Defense Infrastructure contract was awarded to Microsoft in 2019.

Pentagon officials have previously indicated that they may be willing to drop the cloud computing project, which has been slowed by the litigation.

In March this year, a federal judge refused a request by the DOD to dismiss much of Amazon’s case, and Deputy Defense Secretary Kathleen Hicks said the department would review the project.

In a statement to FedScoop, a DOD spokesperson said: “We are aware of the Court’s decision relating to the protest; however, it does not affect the DoD’s commitment to establish an enterprise-wide cloud capability.”

AWS did not immediately respond to a request for comment.

USCIS seeks information on contract cybersecurity personnel

U.S. Citizenship and Immigration Services (USCIS) has issued a request for information about the ability of contractors to provide cybersecurity services to protect IT infrastructure, other systems, and the data they contain.

The agency last week said it would potentially appoint cybersecurity experts across a range of areas including network design, configuration and operation. Currently, it is gathering information, and has asked contractors to suggest “appropriate” contract types and structures.

The publication of the RFI comes after President Biden’s cybersecurity executive order last month urged agencies to adopt zero-trust architectures, and after an increase in remote work during the COVID-19 pandemic.

“The contractor shall be able [to] re-organize team make-up and seamlessly shift the workload between teams or team members,” said the draft statement of work.

“The contractor shall be able to work smoothly with other USCIS contractors and federal employees as part of cross-functional, cross-organizational agile DevSecOps teams,” it added.

In the RFI, USCIS also asked whether small businesses can meet its requirements, and asked large businesses about their plans for using small businesses as contractors.

Contractors have until 4 p.m. ET on June 18 to respond to the RFI.

U.S. Navy inks $2.5B contract with Dell for enterprise software licenses

The Department of Defense has awarded Dell a $2.5B blanket purchasing agreement to provide the U.S. Navy with enterprise software licenses.

Under terms of the five-year deal, the technology company will provide user-based subscription licenses for products including Microsoft 365 and Microsoft Azure.

The contract award comes as the DOD transitions to DOD365, which is a higher-security version of Office365 that was purchased through the $4.4 billion Defense Enterprise Office Solutions (DEOS) contract.

The enterprise software licenses will be used by the Department of Defense and U.S. Coast Guard, and the ordering period began on June 1.

Funds will be paid through delivery orders using operations and maintenance DOD funds, although the agreement will not obligate the immediate payment of funds. Two proposals were received for the contract award.

Purchasing software has been a perennial challenge for DOD, as its contracting methods were designed for the procurement of major weapons systems rather than code-based systems that require continual updates.

DISA identity management service to reach entire DOD by next year

The Defense Information Systems Agency’s new identity, credentialing and access management (ICAM) tool will be available to the entire department “within the next year,” an official said Thursday.

The enterprisewide “global directory,” as it’s called, will give the Department of Defense a centralized directory for identifying users by fiscal 2022, according to DISA. Such an ICAM solution is a central element of the DOD’s top-priority adoption of a zero-trust architecture.

The capability will also allow DOD to use new multi-factor identification tools like biometric sign-in and other new approaches.

“We are definitely going beyond two-factor authentication,” Lt. Col. Pete Godbey, a user engagement officer at DISA’s Cloud Computing Program Office, said during Okta’s Age of Identity Summit produced by CyberScoop. He added, “that’s really what our centralized authentication platform can do.”

DISA has been experimenting with a range of access management tools, such as artificial intelligence-based biometric data that measures everything from a user’s stride to the way they tap their phone in order to validate their identity.

Godbey said the global directory already has more than 100,000 users and is on the “glide path” to being fully rolled out across the department by the end of fiscal 2022.

“As we start finding where these new technical capabilities can be implemented, instead of trying to implement across dozens or more of the systems out there, really what we can do is implement it on a smaller scale and then provide a massive DOD-wide impact in near-immediate term,” Godbey said, adding that a centralized ICAM tool implementing new ways to check identities is easier than having to update a range of ICAM applications.

While DISA didn’t confirm a specific date for completion, other leaders in the DOD have highlighted the technology’s importance.

“That will be the exemplar that we adopt across the board, throughout the department,” Dave McKeown, DOD’s chief information security officer, told Congress about the tool.

Ransomware Task Force co-chair says a ban on ransom payments would need to be phased

Any federal ban on the payment of ransom demands by hackers in cyberspace would likely need to be phased, according to a co-chair of the Ransomware Task Force.

In an interview with FedScoop, Chris Painter said that any such move would be introduced incrementally, and would be accompanied by new measures to support entities hit with online attacks, such as a victims’ recovery fund.

While federal agencies don’t pay hacker ransoms, legislation would be needed to create a fund so that ransomware victims could avoid paying, or to raise cybersecurity resiliency over a period of several years, he added.

“You can phase [a ban] in over time. You can come up with various backstops to help fund or protect them to get them up to a particular level of standards over a period of a couple of years,” Painter told FedScoop.

“Obviously some of the things we suggested require legislation like having a pool of funds and helping victims so they don’t have to pay the ransom or do better in terms of resiliency for these victims,” said Painter, a former federal cybersecurity official. “There’s a lot we can do to disrupt the business model of these ransomware groups and do more to protect victims.”

Painter is the co-chair of the White House-backed Ransomware Task Force (RTF), which was set up in December to foster public-private collaboration in response to the epidemic of ransomware attacks.

He was previously the U.S. government’s most senior cyber diplomat and was a senior member of the team that carried out President Obama’s Cyberspace Policy Review in 2009. He has also held senior roles at the Department of Justice, FBI, the National Security Council and the State Department.

The question of whether companies that fall victim to cyberattacks should pay digital ransom demands has proved central to discussions of how the federal government and the private sector should respond to ransomware attacks.

According to the RTF’s “Combating Ransomware” report, which was published at the end of April, public and private sector representatives were unable to reach an agreement over whether to implement a unilateral ban on such payments. In the report, RTF recommended that government establish cyber response and recovery funds to support ransomware response and other cybersecurity activities.

Advocates of banning the payments say they fuel a market for cyber criminality by guaranteeing hackers that their demands will be met. Opponents say that the cost of paying ransom demands is often a fraction of the damage caused to companies and their shareholders by refusing to pay.

The Department of Justice has elevated ransomware investigations to a priority similar to that of terrorism for that reason, and has ordered information sharing with the RTF, Reuters reported Thursday.

Speaking to FedScoop, Painter said that without a ban, victims who pay risk violating federal law if the ransom winds up going to a group on the Treasury Department’s prohibited enemies list, something that is currently hard to determine.

“To enable more companies to bear the financial cost of remediation, national governments should create ‘Cyber Response and Recovery Funds’ (CRRFs),” the report said.

It proposed the creation of a CRRF to help cover the cost of restoring IT functionality for local governments, critical national functions, or other entities as they recover from a ransomware attack.

The late April report recommends the creation of a cyber backstop scheme that could function like the Terrorism Risk Insurance Program (TRIPA), which was created after 9/11 and creates a federal requirement for the government to act as reinsurer of last resort.

TRIPA permits the private sector to provide terrorism insurance by guaranteeing that the government would pay a portion of claims in the event of a major terror attack.

Painter added that the Biden administration’s cybersecurity executive order and its recent budget proposal to allot $9.8 billion to cybersecurity were a “good start” in moving forward the country’s response to the ransomware epidemic.

The cyber expert also noted that the recent ransomware attacks on Colonial Pipeline and food processing giant JBS differed from traditional espionage because of the direct impact they had on the day-to-day lives of U.S. citizens.

“It does make a difference when people can’t get gas or can’t get a hamburger; it brings it home for people,” he said.

Secretary of Defense Austin approves JADC2 strategy

U.S. Secretary of Defense Lloyd Austin has signed off on one of the biggest changes to how the military will fight future wars, approving the Joint All Domain Command and Control (JADC2) strategy that aims to fast-track the use of artificial intelligence and data sharing on the battlefield.

The strategy defines how the military services will approach connecting sensors in the air, land, sea, space and cyberspace and use a networked approach to operations. Austin’s signing of the JADC2 strategy marks the start of implementing much of the nascent work the military has already begun, from testing new technologies to developing new concepts of operations for using them.

“We have been given the clear signal to begin,” Lt. Gen. Dennis Crall, chief information officer for the Joint Staff and director of the J-6, which oversees all of the military’s command and control networks, said. “It’s outcome delivery time.”

JADC2 is intended to give the U.S. a greater military advantage by allowing for data sharing through a global, resilient network. Advocates of the new concept say that if a fighter jet can automatically share data with a soldier on the ground, the two units can coordinate more easily.

Within the JADC2 framework, each military service has its own project. The Army has Project Convergence and the Air Force has the Advanced Battle Management System (ABMS). Both are focused on implementing the JADC2 framework, but each with its own emphasis, such as increasing the precision of ground munitions for Project Convergence and in-flight data sharing for ABMS. The Navy also has Project Overmatch, focused on building seafaring networks.

One of the critical points of the new strategy is coordinating the disparate efforts across the military into one interoperable framework of technology and operations. The strategy relies on a cross-functional team (CTF) with members from across the department that can coordinate between services that often do not like working with each other.

“The CTF, that is the widest table setting you can imagine to get after these problems,” Crall told reporters Friday. He added, “we have had pieces of this in the past, we have never had this compressively put together.”

Crall added that the DOD needs an enterprise cloud solution for work on JADC2 to continue past experimentation, whether that is the Joint Enterprise Defense Infrastructure (JEDI) or some other contract. JEDI continues to be stuck in legal limbo, with continued protests from Amazon Web Services over the two-time award to Microsoft Azure.

“Where I am at today…I am able to take advantage of that multi-cloud provision,” he said, referring to the DOD’s current cloud offerings. “I think the real question is…how long can you do that?”

Security for any joined-up data sharing system remains a principal concern, and Crall highlighted the need for the DOD to improve identity, credentialing and access management (ICAM) on JADC2 networks.

“If we don’t have a real ICAM solution it will be impossible,” he said.

Homeland Security CDM dashboard lacks key data, IG report finds

The Department of Homeland Security can’t prioritize or respond to cybersecurity risks in real time because its internal Continuous Diagnostics and Mitigation (CDM) dashboard lacks some of the necessary data, according to its Office of Inspector General (OIG).

In a report released Tuesday, DHS’ OIG found the dashboard reported less than half of the required data on network assets because collection had not been automated and integrated for every agency in the department as of March 2020.

While the report is DHS-specific, the department’s Cybersecurity and Infrastructure Security Agency, which manages the entire CDM program, came under fire from lawmakers in March when agencies governmentwide struggled to assess the effects of recent, high-profile supply chain attacks like the SolarWinds hack.

“According to DHS, its current dashboard could not yet handle the required volume of data or report all data to the federal dashboard as required,” read the report published on Tuesday.

“Until the DHS dashboard is fully functional, DHS cannot leverage the intended benefits of the dashboard to manage and respond to cybersecurity threats.”

According to the report, the DHS Office of the Chief Information Security Officer’s dashboard reported only 40% of hardware assets, 24% of software assets, 18% of configuration settings and 16% of vulnerability management data.

It also found that the CDM dashboard was developed with software that couldn’t handle the data volume, and that a new dashboard on a more robust platform was not expected until early 2021 at the earliest.

The study also found that out of $180 million spent on CDM, at least $38 million was wasted because certain essential system tools were removed and not replaced.

DHS OIG also found three critical and eight high-risk vulnerabilities across the department’s operating systems and databases, with 10 of the 11 occurring on multiple systems.

Lastly, DHS OIG found agencies were not on track to implement the required configuration settings for their CDM servers, leaving them vulnerable to disruptions and cyberattacks.

DHS OIG recommended OCISO update the department’s CDM program plan with appropriate deadlines for its dashboard transition, agencies’ tool replacements and data integration; address system and database vulnerabilities; and define patch management responsibilities.

The department has agreed with the recommendations, noting that patch management responsibilities were defined on July 6, 2016.

“While DHS acknowledges the initial challenges in fully implementing its [CDM] program, the statement that the department ‘has not yet strengthened its cybersecurity posture,’ is inaccurate,” wrote the department’s GAO-OIG Liaison Office in its response.

“In addition, DHS disagrees with the assertion that $38 million was wasted during the initial effort to design and deploy a department-wide solution.”

In a report released in August, the Government Accountability Office found that no agency governmentwide had implemented all the key requirements of the CDM program.

During a March Senate hearing, CISA’s Acting Director Brandon Wales said almost all parts of every agency had achieved a common CDM baseline as the program closes out Phases 1 and 2 this year.

Just over a month later, CDM Program Manager Kevin Cox announced plans to depart and return to the Department of Justice as its deputy chief information officer.

Federal health IT provider Halfaker and Associates to be acquired for $250M

Government technology contractor SAIC will pay $250 million to acquire federal health IT provider Halfaker and Associates.

Halfaker provides healthcare IT services to government departments including the Department of Defense and the Department of Veterans Affairs. It is among the five largest IT providers by awarded task orders on the VA’s Transformation Twenty-One Total Technology Next Generation acquisition program.

Halfaker President and CEO Dawn Halfaker said: “The alignment of SAIC’s culture and values with this important mission has been critical in making the decision to join forces and successfully bolster the services we provide our customers with even greater digital transformation capacity and scalability.”

The transaction is expected to close by July 30 this year, subject to closing conditions. Halfaker is headquartered in Arlington, Virginia.

Last month the National Institutes of Health issued a request for proposals for its long-awaited governmentwide acquisition vehicle, which will give up to $50 to federal contractors over a 10-year period.

The CIO-SP4 vehicle has 10 task areas including IT services, CIO support, cybersecurity, digital government and cloud services and software development.

Pentagon to establish new security standards for 5G technology

The Department of Defense (DOD) is working to create its own set of security standards for 5G, according to the department’s principal director for the technology.

Speaking at a 5G security summit hosted by Billington Cybersecurity, Joe Evans said the DOD must understand all hardware and software used — including cell towers and receptors — and that it would have its own set of security standards for procuring 5G networks.

“We are really working across the 5G initiative to understand and develop [the] necessary security standards within DOD,” Evans said.

Evans is the Principal Director for 5G in the office of the director of defense research and engineering (modernization). This division sits within the office of the Under Secretary of Defense for Research and Engineering at the DOD.

The new standards will dictate what requirements private companies must meet in order to collaborate with the DOD on installing the technology.

Security standards will play a major role in ongoing collaboration between industry and government, as much of the DOD’s strategy on 5G has so far revolved around opening military bases to private companies to conduct research and development.

The implementation of uniform security standards remains in an early stage, with even a common definition of 5G technology yet to be established.

In particular, Evans’ office and the chief information officer of the DOD are focused on ensuring that 5G technology does not compromise supply chain security.

The DOD has several test sites for the new technology around the U.S., from San Diego to Georgia. Private companies are able to test 5G tech in secure but less-regulated environments such as supply warehouses.

As new security standards for 5G are established and introduced, some existing technologies will become insufficient or incompatible.

“Not all the old standards will fit the new models,” added Evans, speaking at the event.

Security experts in recent years have raised concerns about the potential for China to use its large market share of the 5G hardware market in order to conduct acts of espionage. So far, the U.S., the U.K. and Australia have banned the use of Huawei on 5G networks. Other European countries are considering similar restrictions.

AI-supported ‘superteams’ key to future of federal workforce: Deloitte

New artificial intelligence-supported “Superteams” will play a central role in the future structure of staffing at federal agencies, according to a new report by Deloitte.

In a study published Thursday, the consultancy firm said challenges presented by the COVID-19 pandemic during the last year had fast-tracked the use of digital technology to streamline workflows and reduce the volume of mundane tasks that staff must undertake.

“During the COVID-19 pandemic, many public sector organizations accelerated incorporating technology into their team structure as a survival strategy to enable adaptability and speed.

“Superteams ensure that the right workforce type (human or technology) gets properly allocated to critical tasks: by using digital technology to unburden the human workforce of dirty, dangerous, and dull tasks, leaders enable the workforce to focus on meaningful, high-impact work that requires human insight to solve problems, think strategically, and build interpersonal relationships,” Deloitte said in the study.

The study comes as government agencies continue to experiment with the use of AI to automate business processes, including at the Pentagon. The Defense Innovation Unit and private sector contractors have worked with the U.S. Army to develop automated systems for flagging erroneous financial transactions.

DataRobot and Summit2Sea are among the private sector contractors that have developed machine learning systems for the DOD.

According to Deloitte, superteams are defined by giving technology the status of a full-on teammate. The consultancy says that although technology systems must still be led by humans, they are growing rapidly in their ability to be applied to complex problems.