GSA planning to lend tech, acquisition expertise to support scaling TMF
General Services Administration officials anticipate lending technology and acquisition expertise to agencies modernizing IT using the more than $1 billion in funds allocated within the American Rescue Plan Act.
GSA holds weekly meetings with the Office of Management and Budget, U.S. Digital Service, Cybersecurity and Infrastructure Security Agency, federal chief information officers, and industry to discuss the $1 billion added to the Technology Modernization Fund (TMF) and $150 million to the Federal Citizen Services Fund (FCSF).
The TMF is a central pot of appropriations that agencies can apply for to fund impactful modernization projects under the stipulation that they’ll pay it back within five years. The FCSF, on the other hand, is an internal GSA fund that TTS can use to support interagency digital services initiatives.
While process improvements streamlining how that money is distributed to agencies will be determined in the coming weeks and months, the news that GSA teams like Technology Transformation Services and 18F will offer assistance should assuage tech companies that demanded as much in a letter last month.
“If we can be of service along the way — whether it’s through our technology expertise, whether it’s through our acquisition expertise, whether it’s through our thought leadership in certain areas,” Sonny Hashmi, commissioner of the Federal Acquisition Service, told FedScoop in an exclusive interview. “We will be available as a resource for those agencies to tap into in the most frictionless way possible.”
TTS is working with the TMF Board to bring in the right people, potentially from the Centers of Excellence and Presidential Innovation Fellows programs, said Dave Zvenyach, the TTS’s director and deputy federal acquisition commissioner.
Adding the right capabilities and skills to the evaluation side of investments is a priority, Hashmi said.
“We have to figure out our org chart behind the scenes and work with our agencies in all the many different ways that we can,” he added. “Because that has been a challenge historically that I think we have the ability to overcome.”
In addition to improving the way investments are made, government is reconsidering agency repayment requirements and how to hold projects accountable for the way funds are spent to “make the most good happen as quickly as possible,” Hashmi said.
GSA’s 10x program has had great success expanding Login.gov entity verification across government on a smaller budget than the TMF and FCSF have now, Zvenyach said.
He categorizes the uses of new funds in three ways: recovery tied to the COVID-19 pandemic, economy, racial inequity and climate change; rebuilding government services; and reimagining digital services delivery — all of which offer high-impact opportunities for investments.
“Some of them are going to be duds,” Zvenyach said. “But some of them are going to be home runs.”
Both officials declined to name specific initiatives that will likely receive TMF funds, citing the many stakeholders involved in those decisions. But possibilities include immediate, tactical investments in cybersecurity in response to last year’s SolarWinds hack, new shared services, and specific systems helping people find COVID-19 vaccinations, vote or receive Social Security benefits, Hashmi said.
GSA is assisting the Small Business Administration with baking fraud detection into its loan application systems, which may have doled out as much as $105.4 billion in COVID-19 relief money to fraudsters.
“There are a range of specific initiatives we’re looking at,” Zvenyach said. “Everything from [the Federal Risk and Authorization Management Program] to improving forms and digitizing paper-based services.”
Another factor in all of this is President Biden’s appointment of Clare Martorana as federal CIO last month. Martorana’s experience with IT modernization as CIO of the Office of Personnel Management and, before that, at USDS bodes well for projects reimagining digital and shared services.
“She brings a wealth of knowledge and experience,” Hashmi said. “And new thinking around how the TMF can actually be used as an investment fund to change things at a much greater scale, across multiple agencies.”
Air Force can now deploy drones from other drones
The Air Force’s unmanned aerial systems (UAS) capabilities took a step forward with new test flights that launched a small UAS out of a larger drone.
The test, conducted in late March by the Air Force Research Lab, showed that a larger Valkyrie UAS can release a smaller UAS through its weapons bay door, a new capability that could lead to the use of drone networks being deployed during battle.
“This is the sixth flight of the Valkyrie and the first time the payload bay doors have been opened in flight,” Alyson Turri, demonstration program manager, said in a release.
The Valkyrie XQ-58A is an “attritable” system, meaning it is cheap enough to replace easily if destroyed or lost. The Valkyrie drone hardware is being developed for use in multiple Air Force emerging technology programs, including the Skyborg program, which plans to network attritable drones as “loyal wingmen” to human-piloted fighters, and the Advanced Battle Management System that will serve as the backbone of the military’s Internet of Things concept.
Nesting a smaller drone into the Valkyrie system that can be deployed mid-air could give the Air Force enhanced surveillance, counter-drone and even explosive-delivery capabilities. The smaller drones were developed by Kratos and Area-I — the latter of which was recently acquired by Anduril Industries.
Other parts of the military are also investing in research on how to build networks of drones and how to counter enemy systems. Turning single drones into systems of networked drones has also been a priority for Anduril, the new owner of Area-I, which specializes in mid-air launch systems.
“We believe that to really enable these technologies to go, you have to solve the autonomy side,” Anduril CEO Brian Schimpf told FedScoop when the purchase was announced.
The tests in late March also increased the altitude and speed at which the Valkyrie flew, giving it enhanced military capability.
Six months into JAIC 2.0, DOD still needs to move faster on AI
Despite revising its strategy six months ago to speed up artificial intelligence adoption across the Department of Defense, the Joint AI Center is still not moving fast enough, its director said.
In November, the JAIC made the significant change from being an organization focused on product delivery to being more of an “enabling force” that supports AI offices across the military. That change brought more unity of effort across the department’s AI projects, but it’s still not moving as fast as it should be, Lt. Gen. Michael Groen said during a press briefing Friday.
“Is JAIC 2.0 enough? Are we moving fast enough?” Groen said. “I lay awake at night and say the answer is no.”
Groen’s message of raising the bar for the JAIC’s performance was echoed by Bob Work, former deputy secretary of defense, who appeared alongside Groen in his capacity as vice chair of the National Security Commission on AI. Work backed the JAIC’s new strategy of being an enabling force designed to help others, pointing to his commission’s 700-page report on how to achieve more of the speed Groen is after.
New development networks
Groen says he is satisfied with much of the work the JAIC has done, but he measures success in the achievements of other AI- and data-focused organizations through DOD. That means getting program offices more tools like the Joint Common Foundation, the JAIC’s AI coding environment, and the data know-how to achieve AI at scale.
Groen also detailed his hopes of stitching together a cloud-based “operating layer” of databases and development platforms to turn disparate efforts into unified ones.
“You need a network of operating platforms,” he said. “This will give us the capability.”
When civilians and service members want to work with data or code new solutions they still turn to a patchwork of different environments, like the Air Force’s Platform One. There are also disparate cloud systems with different authorities to operate, a problem officials hope the still-stymied Joint Enterprise Defense Infrastructure (JEDI) cloud program will fix.
Beyond purely technical work, Groen said members of the JAIC have fanned out across the department to share best practices. He said the center has less of a “teacher-student” relationship and more of a partnership and supporting role with other AI initiatives. He said the JAIC is also finding ways to use its new acquisition authority.
“We can do our own acquisition,” Groen said. “Now we can start a much broader array of support services.”
A new set of recommendations
The NSCAI report Work helped lead has more than 100 recommendations for the DOD to speed up the work the center is already engaged in.
“We thought about this as a blueprint,” he said. “You should not look at the recommendations individually, you have to do them all together to get the effect that the commission feel is important.”
The recommendations push the DOD to be “AI-ready” by 2025 through widespread education, leadership support for AI, computer hardware development to run AI on, and greater investment in cutting-edge and basic AI research.
Groen said the JAIC is fully behind all of the recommendations but taking a “hard look” at some — which he didn’t enumerate — on how exactly they could be implemented.
White House proposes even more for Technology Modernization Fund
In its fiscal 2022 discretionary funding request on Friday, the White House asked Congress for an additional $500 million for the Technology Modernization Fund, citing agencies’ need to update and secure antiquated information systems.
That’s on top of a $110 million increase, to $2.1 billion, requested for the Cybersecurity and Infrastructure Security Agency and $750 million requested as a reserve for agencies’ IT enhancements.
The American Rescue Plan Act saw a record $1 billion injected into the TMF and $650 million appropriated to CISA in March, but countering the cybersecurity threats posed by China and Russia remains a priority for the Biden administration.
The General Services Administration will play a central role in managing the TMF and other governmentwide funding for IT modernization.
“These funds will allow GSA to support the administration’s efforts to tackle the climate crisis, promote economic opportunity and strengthen federal cybersecurity,” Acting Administrator Katy Kale said in a statement. “These critical investments will enhance support to federal agencies and the public, while making our nation’s infrastructure more secure and sustainable.”
GSA’s emphasis will be on mission-critical systems and citizen-facing digital services in light of the COVID-19 pandemic and the SolarWinds hack that compromised products agencies use, according to the request.
The proposed increase for CISA would go toward enhanced cyber tools, hiring and support services. Another $20 million would be for a new Cyber Response and Recovery Fund.
Within the Department of Commerce, the White House asked for $916 million — a $128 million increase — in funding for the National Institute of Standards and Technology. That money would expand NIST’s research into computing, cybersecurity, artificial intelligence and quantum information science (QIS). Another $39 million was requested for spectrum sharing research benefitting broadband and 5G deployment.
Additionally, the White House proposed a $1.7 billion increase, to $10.2 billion, for the National Science Foundation to, in part, establish a new directorate for prioritizing practical applications of AI, high-performance computing, QIS, robotics, advanced communications, and cybersecurity research.
“NSF stands ready to maximize the impact of this increase in funding and tackle critical challenges to bolster the U.S. economy and our leadership in critical and emerging areas of research and technological advancements,” said an agency spokesperson in a statement.
The White House request also asks for $4.8 billion for the Department of Veterans Affairs’ Office of Information Technology in support of cloud modernization and $2.7 billion for the department’s ongoing Electronic Health Record modernization.
Discretionary funding is but one part of the president’s overall proposed budget request, which the Office of Management and Budget intends to release in the coming month. The discretionary request doesn’t include mandatory proposals or tax reforms, and Congress will decide which of the president’s proposals to fund.
“This year’s appropriations process comes at a particularly important moment,” said one administration official on a call with reporters. “Where the past decade, due to overly restrictive budget caps, our country has underinvested in core public services, benefits and protections that are incredibly important to our success.”
Three recommendations to secure a hybrid workforce
Kurt Steege, chief technology officer at ThunderCat, and Peter Romness, cybersecurity principal at Cisco, together bring decades of experience advising IT leaders in the U.S. government.

The pandemic proved to agency leaders that they can offer a more flexible work arrangement for government workers. But securing a remote and hybrid work environment for today — and tomorrow — requires greater attention to a holistic security strategy.
Flexibility built into both policies and the underlying IT infrastructure is one way that CIOs and CISOs can accommodate a new way of working. And what agency leaders should aim for is a near seamless and equitable work experience — whether from home or from the office.
The good news is that thanks to the investments many agencies made to use cloud infrastructure, IT leaders are now in a position to take advantage of more effective cloud security capabilities around data. That includes identity and access controls that can reduce agencies’ overall security risks in the years ahead.
Smart cloud decisions yesterday make today’s response possible
The immediate need during the pandemic was to adjust IT systems so that employees could work productively at home. Secondary to that, agency IT departments needed to make certain those systems were secure. Unfortunately, the traditional “checkbox approach” to securing systems is no longer enough to lessen the level of cyber risk agencies face today.
Building a holistic security strategy will take both time and money — resources for which agencies face many limitations.
The bright side is that we have seen how the Cloud First and Cloud Smart policies set by the last two administrations have paid off in big ways. In fact, the most notable successes in facilitating the mission during the pandemic are coming from those organizations that have been leveraging their cloud investments.
The biggest change making a difference in security — more than any other security practice — is when organizations use cloud tools to implement dynamic and persona-based policies that control access to agency resources. It not only improves security. It also improves the user experience, by allowing people to view content in a way that helps them in their job — regardless of the location — without jumping through a variety of security hoops to make that happen.
Achieving those improvements, though, requires visibility across the network. From a data security standpoint that means understanding where your data is, how it is being used and accessed, how the network behaves and knowing what policies have been built.
Investing in security for hybrid work environments
The future of work is poised to look very different across both the government and private sectors now that leaders and employees alike have experienced many of the positive benefits of a flexible work environment.
One of the discussions we have been a part of with some of our customers is a thoughtful transition to a “30-40-30” office-home work model: 30% of an organization’s staff may never return to the office; 40% may go back to the office a few days a week; and the remaining 30% would most likely work full-time at the office.
To secure this new work model, our first recommendation involves matching policies with existing use cases. Even before you look at the security tools you plan to use, weaving together policies regarding identity and data will make the whole system run more smoothly and securely.
Our next recommendation — and often a sticking point when managing data security — is understanding appropriate levels of security classification and sensitivity. For agencies that work in a more classified or sensitive area, it’s easy to just classify everything the same. But it’s also important to look at the long-term needs of users. The good news is, dynamic policies make it easy to adjust the data classification to be more variable, depending on the user and type of data.
That ties into our third recommendation, which is identifying what you have. A lot of organizations don’t know where to start in this endeavor. They don’t know what data they have or where it is; they often don’t even know all the devices that are in their environment or what those devices are doing. Having an accurate inventory really matters.
The value of working with strong partners
While at the surface these recommendations may seem simple, the complexity of agencies’ enterprise network brings a lot of challenges. That is why we promote working with a strong integration partner to get the most from your existing security investments and lessen the burden of acquisitions for new tools.
The partnership between ThunderCat Technology and Cisco offers a great resource for agencies to integrate and automate Cisco’s security tools across agency networks because ThunderCat Technology has built a practice around Cisco’s suite of solutions.
Cisco brings a full range of tools that provide the strongest levels of visibility, flexibility and security. ThunderCat Technology, meanwhile, understands all the components operating across an agency’s systems, and can serve as a knowledgeable advisor for how to best develop a holistic security strategy across multiple vendor partners so everything works together.
White House asks for $5B to fund VA IT in 2022
The White House released a discretionary budget outline Friday that asks Congress to appropriate $4.8 billion for the Department of Veterans Affairs’ Office of Information and Technology for fiscal 2022.
The $4.8 billion top-line IT number is just shy of the enacted $4.9 billion given by Congress last year, which doesn’t include emergency funding made available to the VA to account for telemedicine and telework needs during the pandemic.
Separate from the OIT budget, the White House has also asked for $2.7 billion for the continued modernization of VA’s electronic health record, a 10-year project that could cost north of $16 billion before it’s all said and done.
“The funding request invests in the core foundations of our country’s strength and advances key U.S. Department of Veterans Affairs (VA) priorities, including addressing Veteran homelessness, suicide prevention, caregiver support, and modernizing information technology systems to enhance customer service experience and ensure Veterans receive world-class health care,” VA Secretary Denis McDonough said in a statement following the budget proposal release.
In total, the VA is requesting $113.1 billion in discretionary funding, an $8.5 billion or 8.2% increase from the fiscal 2021 enacted level, according to the White House.
Congress ended up giving the VA more than it asked for in fiscal 2021, and we’ll have to wait and see if appropriators will be as generous this time given the record spending the government has already undertaken in light of the pandemic.
Leaders on Capitol Hill and at VA have expressed concerns about cost overruns on the EHR program, which is funded separately from the IT budget. Secretary McDonough told Congress in March that he saw higher than anticipated staff needs during the initial launch of the program, which may result in higher costs than the $16 billion originally expected.
The VA received $2.6 billion in the enacted fiscal 2021 budget for the EHR program.
Spending on the new cloud-based medical records system was supposed to peak early in the rollout. The program is built on Cerner’s Millennium software system and will eventually be interoperable with a similar system being rolled out in military medical centers.
Agencies gain ‘momentum’ appointing Evidence Act leadership
Government has seen “momentum” around evidence-based policymaking at agencies, the majority having placed senior officials in charge of advancing data-driven decision making, according to the Evidence Team lead at the Office of Management and Budget.
All agencies submitted their interim learning agendas, first annual evaluation plans and interim capacity assessments in September, as mandated by OMB guidance stemming from the Foundations for Evidence-Based Policymaking Act, said Diana Epstein.
More than two years after the passage of the Evidence Act, relatively few agencies lack the leadership needed to implement its requirements.
“For the most part agencies have named their designated officials: the evaluation officers, the statistical officials and the chief data officers,” Epstein said, during a Data Foundation event Thursday. “The councils for each of these officials have been meeting regularly, and we’ve had some great cross-council collaboration.”
The Evaluation Officer Council meets monthly and works regularly with the Federal CDO Council and Performance Improvement Council. Meanwhile, Epstein’s team and the Office of Evaluation Sciences within the General Services Administration hold a monthly Evaluation and Evidence Training Series for hundreds of federal employees. The Interagency Council on Evaluation Policy was also rebooted and expanded.
OMB provided detailed feedback on agencies’ draft documents, and some have already published their evaluation plans on their websites as required.
“The last thing we want is for this to be yet another compliance or reporting exercise where agencies just put in minimal effort, check the boxes and nothing really changes,” Epstein said.
Agencies are expected to submit their first full learning agendas — identifying priority questions about programs, policies and regulations that can be answered with data — and capacity assessments as part of their strategic plans next fall. That’s on top of their fiscal 2023 evaluation plans.
The Biden administration recently reaffirmed government’s commitment to evidence-based policymaking with its Memo on Restoring Trust in Government, which will see OMB release additional guidance in the coming months.
“We still have a long way to go,” Epstein said. “But it’s very exciting to see all the progress that we’re making collectively.”
Final CMMC rule expected to be finished in about a month
The final Defense Federal Acquisition Regulation Supplement (DFARS) rule that will require all contractors to have third-party inspections of their networks prior to working with the Department of Defense will get its final tweaks within the next 30-40 days, the program’s lead official said Thursday.
The interim final rule for the Cybersecurity Maturity Model Certification (CMMC) that was published in September received many comments from industry that the DOD has been working to adjudicate, said Katie Arrington, the department’s chief information security officer for acquisition and sustainment. She said the team is working to make the rule “go final” in about a month.
“You shouldn’t be waiting to build [cybersecurity] costs in” to rates, Arrington said to contractors during a Deltek webinar.
The interim final rule put CMMC into effect in December but had an open comment period for industry to give feedback to the government. As the CMMC program management office works through feedback, it has been tweaking the rule.
Issuing an interim final rule is not the norm but was needed because of the importance of securing industrial base contractors, Arrington said. CMMC is the department’s latest attempt to secure the industrial base’s cybersecurity, which has been vulnerable to massive data breaches of government information down the supply chain.
One of the biggest questions about the rule has been about reciprocity between CMMC and other federal cyber compliance programs. Arrington didn’t say what reciprocity may be coming but said that there will be guidance in CMMC Assessment Guides the DOD is working on.
There are other parts of the CMMC DFARS rule that will impact contractors before they are required to get an assessment. They now need to submit a self-assessment of their cyber compliance to the DOD, according to the rule. That process is separate from the CMMC assessment but could help companies prepare for their inspection by giving themselves a test first.
“The only thing they need to wait for is for the assessor to be aligned with the [third party assessment organizations],” Arrington said. No organization has been fully cleared yet to give assessments.
MetTel becomes latest EIS vendor to receive managed security services authorization
The government gave MetTel permission to provide Trusted Internet Connections 3.0-compliant managed security services through the Enterprise Infrastructure Solutions contract, the telecommunications company announced Thursday.
Together the General Services Administration and Cybersecurity and Infrastructure Security Agency granted MetTel the authority to operate (ATO) Managed Trusted Internet Protocol Service (MTIPS).
MTIPS secures agencies’ internet traffic by reducing the number of connections needed, which reduces the .gov’s attack surface while making it easier to monitor.
“GSA recognized the MetTel team’s capability to provide MTIPS security services with a modern and modular structure that will provide new benefits for agencies,” said Robert Dapkiewicz, senior vice president and general manager of MetTel Federal, in the announcement. “The constant attempt by cybercriminals to penetrate government websites is showing no sign of slowing down.”
MTIPS covers additional cyber services like continuous monitoring, which in MetTel’s case will be provided by its EIS security partner Raytheon. Other services include network intrusion detection, hosted Domain Name System sink holing, and email scanning and filtering — all of which send real-time data to a security operations center.
One of eight primes on the government’s $50 billion EIS contract for telecom and network modernization, MetTel is the only non-incumbent local exchange carrier to build its own MTIPS infrastructure.
Only three other EIS primes — AT&T, Lumen and Verizon — have completed the TIC Assessment and Authorization Process to receive their MTIPS ATOs. BT Federal, Core Technologies, Defined Technologies and Granite Telecommunications were awarded MTIPS through EIS but have yet to complete the process.
Military-wide data requirements document coming soon, Joint Chiefs’ Hyten says
The nation’s No. 2 general said Wednesday that by the end of spring the military will get a “strategic directive” defining data requirements that will lay the foundation for how the Department of Defense will use data at scale.
The new document will define several technical requirements for networks and data standardization that will be used to implement a common data architecture across the force, said Gen. John Hyten, vice chairman of the Joint Chiefs of Staff. Developed by the Joint Requirements Oversight Council (JROC) which Hyten leads, the document will define data requirements for all the services with the hope of enabling the type of rapid data-sharing and processing needed to field modern concepts of operations and artificial intelligence-enabled warfare.
“We have a chance to actually stay ahead of our adversary…to dominate data,” Hyten said during the 5G Tech Summit hosted by AFCEA DC.
The “Information Advantage Strategic Directive,” as Hyten dubbed it, will be one of many critical documents coming out of the Joint Staff in the coming months that relate to Joint All Domain Command and Control (JADC2) — the overarching concept of operations where a military Internet of Things is born out of the ability to fuse data across the domains of military operations. The goal is to increase lethality by converging operations and fielding force-multiplying technologies like AI that will speed up decision making based on real-time data from the field.
“This is an unbelievingly challenging process,” Hyten said of creating the data standards and military-wide requirements needed to enable JADC2 operations.
On top of the technical challenges, Hyten said he hopes the guidance will help overcome cultural and security barriers to data sharing. Classification levels have stymied the military’s ability to widely share data. Stringent security practices have become muscle memory for some, even when working with less sensitive data that doesn’t need high levels of security.
The requirements will also take into account many of the technical challenges operators face in the field. Rural outposts with limited connectivity can’t send massive packets of data, and Hyten said such bandwidth challenges were top of mind when thinking about the requirements for enterprise networks.
“If we push these huge packages of data with 5G…then at the edge what data do we push?” he said, referring to how new 5G networks the military is experimenting with could allow for much more data to be transferred. “That is an unbelievably complicated problem.”