Basic cybersecurity standards must start with procurements, experts say

Government must do a better job of setting minimum cybersecurity standards when buying IT to avoid more breaches like the ones agencies suffered after the SolarWinds hack, say cyber experts.

Large procurements, in particular, should be used to drive modern security architectures that better protect entire systems, said Jeanette Manfra, director of government security and compliance at Google and a former top official with the Cybersecurity and Infrastructure Security Agency.

If agencies weigh the risks of introducing software like SolarWinds Orion to their networks during the procurement process, they are also less likely to introduce vulnerabilities along with it.

“The government is a very large consumer,” Manfra said during a Center for Strategic & International Studies event Friday. “They need to be driving what those security standards are that they want to see through their procurements.”

While the government should also establish minimum cybersecurity standards for the private sector, experts agreed they should be voluntary and not become a check-the-box activity for companies.

The SolarWinds software supply chain attack began in March 2020, when the trojanized Orion update started shipping, and was massive in scale: nearly 18,000 customers downloaded the compromised update, though far fewer were actively exploited. At least nine federal agencies were compromised, with the extent of the damage still being assessed.

While the hack was detected in December and widely reported to have been committed by Russia, the reality is that true attribution is ongoing, said retired Lt. Gen. Ed Cardon, senior counselor at the Cohen Group.

All of this points to gaps in information sharing between government and the private sector.

“Info sharing is a pretty broad term,” Cardon said. “Just simple things like worldwide collection of DNS logs, it’s amazing how if we would just do that we could do a lot with attribution. But often those are missing; they’re not collected.”

CISA, which Manfra left in November 2019, continues to make inroads with companies to determine who has the information it needs to avoid specific cyberattacks, she said.

The agency was established to be the central clearinghouse on the civilian side for threat information from the private sector, said Rep. Michael McCaul, R-Texas.

The ranking member on the House Foreign Affairs Committee said he’s planning to introduce legislation establishing a mandatory breach notification system. Breach data could be easily anonymized to protect the companies involved and liability protection ensured, so companies wouldn’t withhold information for fear of lawsuits, McCaul said.

“Some companies don’t report this at all,” McCaul said. “And it’s important we have that threat information to share it not only with the private sector, where 80% of this resides, but across all departments within the federal government.”

DISA’s Vice Adm. Norton retires

Vice Adm. Nancy Norton left one of the military’s top IT jobs Friday as she retired from her directorship of the Defense Information Systems Agency and command of Joint Forces Headquarters-Department of Defense Information Network (JFHQ-DODIN).

Lt. Gen. Robert Skinner of the Air Force replaced Norton at a change of command and directorship ceremony Friday.

Norton leaves at a critical time for DISA as it prepares to issue an $11 billion IT services contract, lead a major consolidation of support agency IT networks and continue investigating the SolarWinds hack. DISA will also maintain its own pivot to maximum telework and continue supporting DOD’s adoption of the Commercial Virtual Remote environment.

“We have done an amazing job,” she said during a virtual roundtable with reporters Thursday. “The thing that was most important, is how we have treated each other as people.”

Supporting the military’s shift to telework was not the first major crisis she steered DISA through. Under her watch, DISA was almost eliminated by Congress in 2018, a move she helped thwart. She said that “telling the DISA story” and increasing the transparency of the agency was what helped save it from the chopping block.

“It is pretty amazing if you think about what would have happened in 2020 if that had happened,” she said of the potential cutting of DISA’s funding.

Amid the response to a global pandemic, Norton also helped oversee the response to the recent SolarWinds breach. As commander of the Joint Forces Headquarters-Department of Defense Information Network, Norton led the operation and protection of the military’s IT networks, which were targets of the suspected Russian hackers behind the larger cyberespionage campaign. DISA said it did not find any bad actors on DOD networks, but investigations remain ongoing.

Norton joined the Navy as an officer in 1986 and rose to become the first female director of DISA in 2018. While leading the DOD’s IT support agency, she pushed for more diversity and inclusion in the military technology community.

Network consolidation

DISA’s plan to make itself the single service provider for defense support agencies, dubbed the Fourth Estate network optimization initiative (4ENO), is a massive undertaking involving technical consolidation, personnel shifts and workforce restructuring. With Norton at the helm, DISA broadened its mission with the project.

The process is already underway, with the Defense Technical Information Center transitioning help desk and IT personnel into DISA, Norton said. More migration is expected to happen under Skinner’s directorship.

A part of the migration will be the award of the Defense Services Enclave (DES) contract for a single vendor to help with the technical integration of disparate networks — a deal that’s worth up to $11 billion.

The contract will be an indefinite-delivery, indefinite-quantity vehicle with task orders issued for specific work. The agency anticipates a 10-year work period, but the contract will have an initial four-year base with three optional two-year extensions.

“The concept of making DISA the single service provider is really something new,” Norton said. “That is really exciting.”

Pandemic pushed National Cancer Institute to commercial software for telemedicine, CIO says

Prior to the COVID-19 pandemic, the National Cancer Institute relied on “expensive and not user-friendly” custom systems for its telemedicine. But as the need to see patients remotely grew over the past year, the institute turned to commercial software that could more easily support its scaling needs, CIO Jeff Shilling said.

NCI began using Microsoft Teams to communicate with and administer telemedicine to patients in clinical trials. This let both the NCI doctors and researchers and the patients stay safe while continuing care.

People had their doubts about using commercial software for such a highly sensitive mission set. But it was a crisis, and NCI was forced to go into crisis mode to make the move.

“Never let a good crisis go to waste,” Shilling joked during an SNG Live session Thursday. But on a more serious note, he said of people’s concerns using Microsoft Teams for sensitive communications, “Listen, we’ve got to talk to these people. We have many people dying of cancer — many, many millions of people dying of cancer — we can’t worry about some of these things.”

NCI did work with Microsoft to “make sure that everything was encrypted properly, everything was a unique connector,” Shilling said, adding that Microsoft did everything “really well,” rising to the occasion because it too was in crisis mode.

At the end of the day, the new model was successful, Shilling said, because the commodity IT was ready to scale immediately and it was user-friendly from the start — and, perhaps more importantly, it was cheaper.

“The doctors don’t use special medical computers, they use Macs and PCs, just like everybody else,” he said. “So they have all the benefit of using these commodity tools. And so we think we can use these commodity tools in telemedicine as well. And that’ll extend past the patient, to radiology, to pathology, all these things that we can start to use the standard tools, it’ll make it just much, much more portable. And we need that. We need it because we need more medicine for more people. And the only way we can do it is to make it less expensive.”

Dr. James Gulley, director of the Medical Oncology Service at NCI, and his team were some of the first to make the move to Microsoft within the institute last spring. He said in an interview published by the National Institutes of Health that his team “quickly got used to the platform, and it became our preferred means of communication between team members, other collaborators and patients.”

“This has opened up opportunities for us to communicate more effectively with patients at home,” Gulley said. “Phone conversation can get some of the information; however, much of communication is nonverbal. This also provides improved efficiency for patients and healthcare providers and decreases costs in both money, time and potential exposure to SARS-CoV-2.”


SBA adapting IT systems providing COVID-19 relief amid program changes

The Small Business Administration continues to adapt its IT systems processing COVID-19 relief applications to address changing program requirements.

The Biden administration announced a two-week window starting Wednesday during which only small businesses with fewer than 20 employees may apply for Paycheck Protection Program (PPP) forgivable loans to keep their workforces employed during the pandemic.

As new legislation and executive mandates attempt to provide relief where it hasn’t yet been granted, SBA is scrambling to make changes to its E-Tran loan system and program portals.

“We’ve been obviously faced with a tremendous scaling challenge…in terms of the volume of transactions we are processing,” said Sanjay Gupta, chief technology officer at SBA, during an ATARC event Thursday. “But also more importantly the velocity at which we are processing this higher volume.”

Businesses went under because initial PPP loans dragged into the summer as SBA struggled to process requests for $400 billion in relief funds and adjust E-Tran to shifting rules for eligibility, financial institutions, terms and conditions, and transferring loans into grants.

SBA also responds to disasters, and President Biden declared Texas’ snowstorm a major disaster earlier this week. The declaration will mean a workload surge for SBA on top of dealing with PPP and Economic Injury Disaster Loans for the pandemic, Gupta said.

Fortunately, SBA’s cloud migration began in 2017, which let it scale for the added staff better than it could have otherwise. In March, the agency also accelerated deployment of a cloud-based secure connector, in place of its traditional virtual private network, to improve security and its visibility into traffic and performance.

Conditional access, which restricts a user’s access when they fail to meet conditions such as where they are connecting from, has proven helpful during the pandemic. The same is true for geofencing, which took six hours to implement in March and took care of traffic from foreign countries trying to reach the pandemic loan portals, Gupta said.

SBA is relying on native capabilities more heavily when it comes to cybersecurity tools, anomaly detection and machine learning.

“We are automating these things,” Gupta said. “So a year from now you’ll see a higher resilience posture.”

Uniquely identifying virtual machines on SBA’s network continues to be a challenge however, Gupta said. He led SBA’s 90-day Continuous Diagnostics and Mitigation modernization effort in coordination with the Cybersecurity and Infrastructure Security Agency, and together they developed a model for identification.

Virtual machines are instantiated on demand and may be created and destroyed within seconds, so an IP address or hostname is not a stable identifier. SBA’s model attempts to track and manage those machines in a cloud environment and was published in a report, but the CDM team has yet to release guidance.

“I’m sure it’s in the works,” Gupta said.
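The identification problem Gupta describes is that a VM can appear and disappear before a monitoring pipeline notices it, and its IP address and hostname are handed to the next instance. The following is an added example, not SBA’s or CISA’s published model: it replays constructed cloud control-plane launch and terminate records (the provider, account and instance ids are made up) into an inventory keyed on a scoped instance id, attributes sensor check-ins that only carry an IP to the instance that held that IP at that moment, and reports instances that were never monitored.

```python
"""Stable identity for short-lived cloud VMs, reconciled against security-sensor
check-ins. Added example with constructed events; not SBA's or CISA's CDM model.
Assumption: the cloud control plane logs one launch and one terminate record per
instance, and instance ids are unique within an (account, region) pair."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 UTC timestamp such as '2021-02-25T14:00:05Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Asset:
    asset_id: str                 # provider:account:region:instance_id, never an IP or hostname
    private_ip: str
    hostname: str
    launched: datetime
    terminated: Optional[datetime] = None
    sensor_checkins: list = field(default_factory=list)


def asset_key(e: dict) -> str:
    """Identity that survives IP and hostname reuse: scope the instance id to where it is unique."""
    return f"{e['provider']}:{e['account']}:{e['region']}:{e['instance_id']}"


def build_inventory(events: list) -> dict:
    """Replay control-plane launch/terminate records in time order into an asset table."""
    inv: dict = {}
    for e in sorted(events, key=lambda e: ts(e["time"])):
        if e["type"] == "launch":
            inv[asset_key(e)] = Asset(asset_key(e), e["private_ip"], e["hostname"], ts(e["time"]))
        elif e["type"] == "terminate":
            inv[asset_key(e)].terminated = ts(e["time"])
    return inv


def resolve_ip(inv: dict, ip: str, at: datetime) -> Optional[Asset]:
    """Map an IP observed at time `at` to the one asset that held it then.
    Returns None when no instance, or more than one, matches: IPs are recycled,
    so the pair (ip, time) is only meaningful inside an instance's lifetime."""
    live = [a for a in inv.values()
            if a.private_ip == ip and a.launched <= at
            and (a.terminated is None or at <= a.terminated)]
    return live[0] if len(live) == 1 else None


def attach_sensor_checkins(inv: dict, events: list) -> list:
    """Attribute sensor check-ins (which only carry an IP here) to assets; return the
    ones that cannot be attributed to exactly one instance."""
    unresolved = []
    for e in events:
        if e["type"] != "sensor":
            continue
        asset = resolve_ip(inv, e["private_ip"], ts(e["time"]))
        if asset is None:
            unresolved.append(e)
        else:
            asset.sensor_checkins.append(ts(e["time"]))
    return unresolved


def coverage_gaps(inv: dict) -> list:
    """Assets for which the sensor never reported: instances spun up and torn down
    faster than the monitoring pipeline noticed."""
    return sorted(k for k, a in inv.items() if not a.sensor_checkins)


# Constructed sample events (not real logs). Two instances reuse private IP 10.0.1.7
# back to back; a third lives for one minute and never checks in.
EVENTS = [
    {"type": "launch", "time": "2021-02-25T14:00:00Z", "provider": "cloudx", "account": "111",
     "region": "east", "instance_id": "i-001", "private_ip": "10.0.1.7", "hostname": "web-a"},
    {"type": "sensor", "time": "2021-02-25T14:05:00Z", "private_ip": "10.0.1.7"},
    {"type": "terminate", "time": "2021-02-25T14:10:00Z", "provider": "cloudx", "account": "111",
     "region": "east", "instance_id": "i-001"},
    {"type": "sensor", "time": "2021-02-25T14:11:00Z", "private_ip": "10.0.1.7"},  # nobody holds the IP now
    {"type": "launch", "time": "2021-02-25T14:12:00Z", "provider": "cloudx", "account": "111",
     "region": "east", "instance_id": "i-002", "private_ip": "10.0.1.7", "hostname": "web-a"},
    {"type": "sensor", "time": "2021-02-25T14:15:00Z", "private_ip": "10.0.1.7"},
    {"type": "launch", "time": "2021-02-25T14:20:00Z", "provider": "cloudx", "account": "111",
     "region": "east", "instance_id": "i-003", "private_ip": "10.0.1.9", "hostname": "batch-7"},
    {"type": "terminate", "time": "2021-02-25T14:21:00Z", "provider": "cloudx", "account": "111",
     "region": "east", "instance_id": "i-003"},
]


def reconcile(events: list = EVENTS):
    """Build the inventory, attribute check-ins, and report never-monitored instances."""
    inv = build_inventory(events)
    unresolved = attach_sensor_checkins(inv, events)
    return inv, unresolved, coverage_gaps(inv)


if __name__ == "__main__":
    inv, unresolved, gaps = reconcile()
    for a in inv.values():
        print(a.asset_id, a.private_ip, "check-ins:", len(a.sensor_checkins))
    print("unattributable sensor events:", len(unresolved))
    print("never monitored:", gaps)
```

The two instances named web-a on 10.0.1.7 end up as two distinct assets, the check-in that lands between them is flagged rather than silently attached to the wrong machine, and the one-minute batch instance shows up as a coverage gap. In a real deployment the sensor should report the instance id from the cloud metadata service instead of its IP, which removes the resolution step entirely.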

NSA issues zero trust guidance, urging DOD and contractors to adopt model

The National Security Agency issued a cybersecurity information sheet Thursday with instructions for defense agencies and contractors on how to set up a zero-trust network architecture.

In it, NSA urges the entirety of the Department of Defense and its contractors to implement zero trust for sensitive systems to better prevent data exfiltration.

“NSA strongly recommends that a Zero Trust security model be considered for critical networks to include National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems,” according to the cybersecurity information document.

The push to zero trust — where compromise is assumed and every user, device and request is verified before access is granted, regardless of where on the network it originates — has grown stronger after the discovery of the massive SolarWinds hack last year. The penetration of sensitive network components by suspected Russian hackers in the breach was another dire example of intruders gaining wide access to information once inside a network.

“Adopting the Zero Trust mindset and leveraging Zero Trust principles will enable systems administrators to control how users, processes, and devices engage with data,” NSA said in a release. “These principles can prevent the abuse of compromised user credentials, remote exploitation, or insider threats, and even mitigate effects of supply chain malicious activity.”

The seven-page document is just the beginning of the reference architecture the NSA plans to release to help contractors and DOD components move to a zero-trust model. The agency teased late last year a reference guide it has been working on in partnership with the Defense Information Systems Agency that it plans to release in 2021.

The document includes the pitfalls and challenges associated with its implementation. A lack of commitment by leadership to enterprise-wide adoption is primary among the challenges listed in the document.

“With the pervasive need for Zero Trust concepts to be applied throughout the environment, scalability of the capabilities is essential,” the document states.
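Both the SBA story above (conditional access and geofencing on the loan portals) and NSA’s description of zero trust come down to the same mechanism: a policy decision made on every request, using the requester’s identity, the device’s posture and the request’s origin, rather than a one-time check at the network edge. The following is an added example, not code from SBA, NSA or any vendor; the country codes, resource names and policy thresholds are constructed, and it assumes an upstream GeoIP lookup and an endpoint agent have already supplied the source country and device compliance.

```python
"""Per-request access decision combining conditional access, geofencing and
zero-trust checks. Added example over constructed requests; not SBA's or NSA's code.
Assumptions: a GeoIP lookup upstream has already resolved the source country, and an
endpoint agent reports device compliance."""
from dataclasses import dataclass, field
from datetime import timedelta

ALLOW, DENY, STEP_UP = "allow", "deny", "step_up"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_country: str      # ISO 3166-1 alpha-2 from GeoIP (assumed upstream)
    device_compliant: bool   # posture from an endpoint agent (assumed upstream)
    mfa_verified: bool       # strong authentication completed in this session
    auth_age: timedelta      # time since that authentication
    resource: str
    sensitivity: str         # "public", "internal" or "sensitive"


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset = frozenset({"US"})   # constructed geofence
    # How stale a strong authentication may be before the request must step up again.
    max_auth_age: dict = field(default_factory=lambda: {
        "internal": timedelta(hours=8),
        "sensitive": timedelta(minutes=15),
    })


def evaluate(req: AccessRequest, policy: Policy = Policy()) -> tuple:
    """Decide one request. Every request is evaluated, not just the login: a session
    that was fine an hour ago is re-checked against where it comes from now."""
    # Geofence first: a valid credential presented from outside the allowed countries
    # is denied outright, even with MFA and a compliant device.
    if req.source_country not in policy.allowed_countries:
        return DENY, f"geofence: source country {req.source_country} not allowed"
    if req.sensitivity == "public":
        return ALLOW, "public resource"
    # Non-public data: device posture and strong, recent authentication are both required.
    if not req.device_compliant:
        return DENY, "device not compliant with endpoint policy"
    if not req.mfa_verified:
        return STEP_UP, "mfa required for this resource"
    limit = policy.max_auth_age[req.sensitivity]
    if req.auth_age > limit:
        return STEP_UP, f"re-authentication required: last strong auth {req.auth_age} ago exceeds {limit}"
    return ALLOW, "all conditions satisfied"


# Constructed sample requests, including a stolen-credential case: right user, right
# MFA, compliant device, but presented from outside the geofence.
SAMPLE_REQUESTS = {
    "analyst_sensitive_ok": AccessRequest("analyst", "US", True, True, timedelta(minutes=5), "loan-db", "sensitive"),
    "analyst_stale_auth": AccessRequest("analyst", "US", True, True, timedelta(minutes=40), "loan-db", "sensitive"),
    "stolen_cred_abroad": AccessRequest("analyst", "AU", True, True, timedelta(minutes=1), "loan-db", "sensitive"),
    "byod_internal": AccessRequest("clerk", "US", False, True, timedelta(minutes=1), "wiki", "internal"),
    "no_mfa_internal": AccessRequest("clerk", "US", True, False, timedelta(hours=1), "wiki", "internal"),
    "public_portal": AccessRequest("applicant", "US", False, False, timedelta(hours=30), "ppp-form", "public"),
}


def evaluate_all(requests: dict = SAMPLE_REQUESTS, policy: Policy = Policy()) -> dict:
    """Decision (without the reason string) for each named sample request."""
    return {name: evaluate(r, policy)[0] for name, r in requests.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reason = evaluate(req)
        print(f"{name:22s} {decision:8s} {reason}")
```

The ordering matters: the geofence and device checks are outright denials, while missing or stale MFA returns a step-up so the legitimate user can continue after re-authenticating. Public resources skip posture checks so that applicants on unmanaged home devices are not locked out of the application form, which is the trade-off a loan portal actually has to make.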

DIU sees another year of growth in spending, tech transition

The Department of Defense’s Silicon Valley outpost continues to award cash to companies looking to break into the defense market, growing its number of prototype contracts and transitioned technologies in 2020, according to its annual report.

In 2020 the Defense Innovation Unit transitioned 11 programs into full production, meaning it turned a prototype deal into a follow-on contract awarded by a military department or agency.

While an increase from the nine technologies transitioned the year before, it is a small drop in the massive bucket of tech programs run across the DOD.

DIU increased metrics across the board, including new programs started, some of which were launched to contain the spread of the coronavirus among service members. 2020 was DIU’s fifth year of existence, a milestone that was not guaranteed since it was set up as an experiment by then-Secretary of Defense Ash Carter.

The DIU has been the darling of some technology innovation advocates, with its former director calling for a “10x” multiplication of its budget in a congressional hearing. But the challenge for offices like DIU is not necessarily getting companies to build prototypes but rather scaling innovation and disruptive technology use across the massive department. In its five years, DIU has only transitioned 26 technologies, according to the report.

“Now is the time to supercharge DOD access to innovation,” Raj Shah, the first DIU director said during a hearing for the House Armed Services Committee’s Future of Defense Task Force in 2019.

Another change to DIU’s operations this year was the breadth of programs it worked on. It launched 23 new programs, a 35 percent increase over 2019. It placed a large focus on tech that could enhance the DOD’s response to COVID-19. One program created wearables that could detect subtle changes in the wearer’s behavior to identify infected service members.

Another new program, Blue sUAS, found success outside of just the military, giving agencies options to purchase drones that meet security requirements. The program certified five drones that met cybersecurity and other standards for government use in the face of concerns over Chinese-made drones. Local government agencies also have access to the program.

Artificial intelligence-based technologies continue to be a priority for DIU, the report noted. DIU is not alone in its interest, with similar rapid acquisition offices like AFWERX prioritizing AI procurement as their largest budget area.

NIH advances COVID-19 health status reporting and contact tracing pilot with IBM

The National Institutes of Health moved its COVID-19 verifiable health status reporting and contact tracing pilot into a second phase, awardee IBM announced Thursday.

IBM will begin working with the Washington Suburban Sanitary Commission (WSSC Water) to deploy its Digital Health Pass to prove to NIH that the platform will work with third-party organizations. The platform combines public health data like test results and onsite temperature scans with contact tracing technology and will inform the Maryland water utility’s pandemic decisions on bringing employees back.

The pilot’s advancement marks a win for NIH’s Digital Health Solutions for COVID-19 contract, awarded to seven organizations for a total of $22.8 million — assuming all awardees receive phase two funding.

“Emerging smarter from the COVID-19 pandemic requires adopting technologies to increase resiliency,” said Andrew Fairbanks, U.S. federal sector leader at IBM, in the announcement. “As testing becomes more widespread and vaccines are distributed, it’s more important than ever to foster innovative thinking and develop solutions such as IBM Digital Health Pass, designed to support organizations in bringing people back to a physical location.”

The National Cancer Institute and National Institute of Biomedical Imaging and Bioengineering awarded the second phase of IBM’s contract, originally won in September, once it demonstrated Digital Health Pass’s feasibility.

NCI and NIBIB are interested in using the platform not just during the ongoing pandemic but for future public health preparedness and pandemic response.

Data collected by Digital Health Pass is anonymized and stored in NIH’s COVID-19 data hub made available to researchers while also allowing participants like WSSC Water to privately monitor employee vaccination and health status.

IBM has until September to continue working with WSSC Water, which serves 1.8 million Montgomery and Prince George’s county residents, at its Laurel, Maryland, headquarters and additional locations.

“Using a cloud-based tool, instead of multiple paper processes, will simplify our self-monitoring, reporting and contact tracing efforts — allowing our employees to spend more time focused on providing safe, seamless and satisfying water services to our customers,” said Carla Reid, general manager and CEO of WSSC Water.

The other organizations to win Phase 1 spots on NIH’s Digital Health Solutions for COVID-19 contract for their digital health solutions were: Evidation Health; iCrypto; physIQ; Shee Atiká Enterprises; the University of California, San Francisco; and Vibrent Health.

Machine learning speeding up patent classifications at USPTO

Machine learning is helping the U.S. Patent and Trademark Office shorten the time it takes to assign patent applications to examiners, instead of having to redo its entire classification process, according to CIO Jamie Holcombe.

USPTO sent its top engineers to Google on the East and West coasts to learn more about ML and TensorFlow application programming interfaces.

Now those engineers are using Python with TensorFlow to apply ML to patent classification, search and quality.

“We immersed them in the culture, and they got Googly,” Holcombe said during an ACT-IAC event Wednesday. “They got certified in TensorFlow, which is the open-source library for a lot of neural network feedback loops.”

USPTO has patent examiners feed those loops by rating how well the ML algorithms classify patent applications to the art units and examiners that evaluate them, and how well the system’s search algorithms perform.

Despite having more than two centuries of historical data to train its algorithms with, USPTO relies primarily on daily feedback from examiners to ensure they’re working.

The agency is also hiring vendors to classify patent applications and comparing those classifications against its own algorithms. Having vendors and patent examiners working in tandem further refines the algorithms, Holcombe said.

“There always could be a black swan, and that’s what you’re trying to prevent in the curation of your data moving forward,” Holcombe said. “Black swans have to be cared for and handled and managed appropriately, or else it will break the system.”

USPTO remains in the early stages of ML use, in part because it’s still cleaning its data. While the agency uses robotic process automation (RPA) for clerical and administrative processes, it’s still getting used to the technology before applying it to patent and trademark workflows, Holcombe said.

Holcombe said he doesn’t believe AI yet exists, but there’s a spectrum of automation technologies with RPA at one end and more advanced neural networks at the other.

Space Force focusing on pitch days, consortiums to speed up tech acquisition

The U.S. Space Force wants to lean on consortiums and host “Shark Tank”-style pitch events to rapidly acquire tech from the commercial space industry.

The force has plans to host the first “Space Pitch Day” in the spring where companies will present ideas for the potential to win a cash award on the spot. The Air Force has awarded billions of dollars during pitch days, a model the young Space Force plans to copy.

The Space Force is also looking to speed up tech acquisitions by opening its contracts to consortiums of vetted companies that can bid on proposals and other transaction agreements (OTAs).

“We have to have an increasingly long-term perspective” on innovation, Dr. Joel Mozer, chief scientist for the Space Force, said during the virtual Air Warfare Symposium hosted by the Air Force Association. That long-term perspective on innovation will rely on partnerships with industry to constantly improve technology over the years to come, Mozer said.

Already, the Space Force has seen success working with consortiums. The Space Enterprise Consortium, for example, has produced anti-jamming satellite communications technology for the force, Lt. Gen. John Thompson, commander of the Space and Missile Systems Center, said Wednesday. The tech was piloted during large-scale tests of the Air Force’s Advanced Battle Management System in September where it successfully maintained communications despite electronic interference. That accomplishment is one Thompson and other leaders hope to replicate across a broad range of tech types.

Mozer emphasized that the Space Force will need new cybersecurity tools to better protect satellites and other space assets. Already, Space Force has inked deals with cybersecurity companies for zero-trust network design and other means to protect information generated in and transmitted through space.

“Future warfare is really going to be much more information-centric,” Mozer said.

Another new acquisition model the Space Force plans to use is Section 804 Middle Tier Acquisition, Thompson said. It’s a process that allows contracting officers to rapidly acquire prototypes without needing to go through the typically lengthy procurement process. With the recent expansion of the commercial space industry, many technologies are in the early prototyping phase, allowing for more use of Section 804 processes.