How automation tools add resiliency to DOD’s IT workforce
The continuous rotation of officers and enlisted personnel is a vital part of maintaining military readiness. However, preserving institutional knowledge of thousands of existing IT systems — as well as new ones still being established — remains crucial to keeping Defense Department and military IT systems operating securely, says a new report.
That is why military leaders should be looking more proactively at automation technology that performs repeatable tasks and reduces the risks and costs associated with staff turnover.

“Automation not only helps preserve the institutional knowledge often lost when technical personnel leave for new assignments, it also helps streamline orientation and training when new personnel take over, allowing them to get up to speed faster and focus on more critical tasks,” said Eric Hennessey, staff consulting solutions engineer for national defense accounts at Splunk.
The report, produced by FedScoop and underwritten by Splunk, takes a closer look at how advanced security orchestration, automation and response (SOAR) tools offer a more productive approach for DOD organizations to support their IT and communications personnel.
SOAR tools, such as Splunk’s Phantom platform, “provide the means to monitor a wide range of existing technology systems and applications; identify their health in real time; and apply prescribed remedies all in an orchestrated, automated and controlled approach,” says the report.
The report details multiple benefits of automating IT tasks. One of the most significant, according to the report, is reducing the risk of errors that often occur when performing repetitive tasks. Another is the ability to codify workflows to reduce training requirements. Automation also helps security teams detect, investigate and respond to threats at machine speed.
Hennessey points to one example: personnel are constantly rotating in and out of assignments, so user accounts need to be constantly created and removed. “Those types of processes are pretty straightforward and repeatable and very easy to automate. By taking that workload off the service desk staff, they can concentrate on other more important things,” he said.
From the military’s perspective, IT workforce automation is both fundamental and essential to meet the scale and scope of their needs as they push towards digital modernization and data-driven readiness.
According to Anthony Perez, Splunk’s global solutions architect, automating IT processes is also about to take on much greater importance for defense contractors.
In order to meet certification requirements for the Pentagon’s Cybersecurity Maturity Model Certification (CMMC), “DOD contractors will need to deploy and adopt proven enterprise-grade technology that can be iteratively tailored and extended,” explained the report.
“From the contractor perspective, I envision organizations leveraging [Splunk’s automation tools] to automate the self-evaluation of their cyber security maturity, identification of gaps, and generation of the bulk of their technical evidentiary package for C3PAO [third-party] auditors to use in their evaluation and CMMC-audit and accreditation process,” says Perez.
These experts expect the need for powerful IT automation platforms to continue to grow as DOD officials place increased strategic importance on digital modernization as part of the National Defense Strategy. That means greater focus on data, cloud, artificial intelligence, C3 and cybersecurity — as well as the right skills and experience to ensure these programs flourish.
This article was produced by FedScoop and sponsored by Splunk.
EY appoints new government and public sector practice leader
Consultancy giant Ernst & Young has named Gerry Dixon as managing partner of its U.S. government and public sector division.
He starts work in the role on July 1 and takes over from Michael Herrinton, who retires from the consultancy firm in June next year.
Dixon has worked at EY for over 30 years, most recently as leader of its East Coast consultancy division, and is a founding member of the company’s risk practice.
Commenting on the appointment, EY Vice-Chair and East Coast Managing Partner Richard Jeanneret said: “I believe that Gerry’s proven leadership has well equipped him to lead our Government & Public Sector practice teams to serve clients as they navigate our ever-changing world.”
EY’s government and public sector practice provides consulting and audit advice to the federal government, including on technology, operational improvement, and strategy.
In 2020, the company worked on projects including the revamp of unemployment systems, cybersecurity, and the distribution of the Coronavirus Aid, Relief, and Economic Security (CARES) Act relief funds.
Last November, EY won a contract to audit the financial statements of the U.S. Navy worth up to $263 million, with options to extend the contract for an additional four years.
Continuous monitoring of critical infrastructure absent from cyber executive order
The cybersecurity executive order issued by the Biden administration last week doesn’t require the relevant agencies to increase their visibility into critical infrastructure, a lingering weakness for the federal government, security experts told FedScoop.
When the May 7 ransomware attack on Colonial Pipeline Co. occurred, the Cybersecurity and Infrastructure Security Agency lacked any knowledge of the incident until it was notified by the FBI. While the new executive order gives the Office of Management and Budget 60 days to increase contractual threat and incident information-sharing requirements for service providers of operational technology (OT), both private sector companies and lawmakers expressed concerns following the attack that Department of Homeland Security agencies like CISA and the Transportation Security Administration aren’t doing enough to continuously monitor the cybersecurity of OT for pipelines and other critical infrastructure like the U.S. electric grid.
“Departments and agencies who have the responsibility for overseeing critical infrastructure often rely on information that is voluntarily shared,” Jake Olcott, vice president of government affairs at BitSight, told FedScoop. “And the infrequency of some of this data sharing contributes to a lack of broad situational awareness.”
A national response is needed, apart from the cyber executive order, establishing real-time data collection on the effectiveness of OT security controls, amount of malicious activity within systems and remediation of vulnerabilities at scale for every U.S. critical infrastructure company, Olcott said.
Advocacy group Protect Our Power, meanwhile, called for $22 billion over the next five years to fund power grid security and address short-term vulnerabilities in particular.
“The [Biden] administration has pledged to make further hardening our nation’s electric grid against cyberattacks a key part of comprehensive infrastructure legislation,” said Jim Cunningham, executive director of Protect Our Power, in a statement. “Timing is now more urgent than ever for the federal government, the utility industry and the states to come together and provide a national solution to address this looming national problem.”
BitSight rates organizations’ security performance by considering factors like malware infections, patching rates and vulnerabilities. The Boston-based cyber company evaluated the 2,000 largest U.S. oil and energy businesses and found 52% were performing below its “excellent” benchmark score of 750 as of April 30.
Those companies “may be at risk” for a hack similar to the one Colonial Pipeline fell prey to, and such incidents will only increase with time, Olcott said.
DHS holds lead authority for protecting critical infrastructure, in accordance with the Homeland Security Act of 2002, and within the department, TSA is the lead federal agency for transportation, hazardous material and pipeline security.
Because Colonial Pipeline shut down about 5,500 miles due to the ransomware attack, resulting in intermittent gas shortages in cities along its East Coast route, TSA is expected to respond.
“TSA will continue to work in close coordination with government and pipeline partners to evaluate the key factors garnered from the cyber incident and determine opportunities to reduce and mitigate risk across the sector,” said a TSA spokesperson.
The agency primarily handles pipeline security by reviewing pipeline operators’ security programs to ensure their cybersecurity measures comply with TSA Pipeline Security Guidelines. But TSA can’t require a private company to take action on its recommendations.
Data on high-risk corporate pipeline systems which underwent security reviews are reported quarterly to meet DHS and OMB performance reporting requirements, but such sensitive information isn’t made public.
Still, TSA’s point-in-time assessments don’t meet the federal need for continuous monitoring of all U.S. pipeline companies, Olcott said.
The Government Accountability Office in 2018 found TSA has “significant weaknesses” in its management of pipeline security and subsequently reviewed its process for updating cyber guidelines.
To date, TSA has completed seven of 10 GAO recommendations, including the complete revision of Section 5 of its Pipeline Security Guidelines regarding the identification of critical facilities. “A lack of clear definitions” caused one-third of the top 100 U.S. pipeline systems to report no such facilities previously, according to GAO.
Meanwhile, CISA’s National Risk Management Center and the Department of Energy also got involved in a 2019 effort to craft recommendations for increasing pipeline cybersecurity in coordination with industry, dubbed the Pipeline Cybersecurity Initiative.
“There’s so many different agencies out there that have partial responsibility for various sectors,” Olcott said. “And it’s led to confusion about roles and responsibilities and who’s supposed to have insight and what insights are available.”
TSA increased pipeline security staffing from six to 34 positions since 2018 across headquarters operations, policy and the field to advance its pipeline cybersecurity mission.
A 20-member Pipeline Security Assessment Team has field offices around the U.S. to conduct TSA’s operator assessments.
“Select PSAT staff have attended comprehensive cybersecurity training through Idaho National Labs in partnership with CISA and are undergoing additional cybersecurity training and certification in support of TSA’s expanding pipeline cybersecurity mission,” said the TSA spokesperson.
DISA issues zero-trust reference architecture for Defense Department
The Pentagon’s IT support agency recently issued an initial zero-trust reference architecture to put the entire Department of Defense on the same page implementing modern cybersecurity practices.
The Defense Information Systems Agency (DISA) released version 1.0 of the reference architecture in February but just recently made it public. Former DISA Director Vice Adm. Nancy Norton teased the launch of the document late last year, citing mass telework during the pandemic as an accelerant for the DOD’s move to zero trust.
It also comes as the Biden administration last week issued an executive order that, among other things, has mandated civilian agencies to create plans for the adoption of zero-trust architectures. The mandate falls under a larger push to modernize federal cybersecurity in the wake of the recent cyberattacks that have compromised federal agencies through the exploitation of software made by contractor SolarWinds and flaws in Microsoft’s Exchange software.
DISA’s 163-page reference architecture sets out the strategic purpose, principles, associated standards and other technical details for the DOD’s large-scale adoption of zero trust, which shifts from network-based defenses to a data-centric model and doesn’t grant implicit trust to users to prevent potential malicious actors from moving around a network. The department’s adoption of zero trust is based on three foundational guidelines: “Never trust, always verify; assume breach; and verify explicitly.”
“The intent and focus of zero-trust frameworks is to design architectures and systems to assume breach, thus limiting the blast radius and exposure of malicious activity,” Brandon Iske, DISA Security Enablers Portfolio chief engineer, said in a statement.
DISA worked with the DOD Office of the CIO, U.S. Cyber Command and the National Security Agency to develop this initial reference architecture.
“From start to finish, the development of this initial DOD ZT Reference Architecture has been a true team effort,” said Joe Brinker, the DISA Security Enablers Portfolio manager. “The partnership we’ve fostered through this process with our NSA, Cyber Command and DOD CIO mission partners was integral toward the development of a comprehensive reference architecture that was unanimously approved by DOD senior leadership.”
Brinker said that “DISA will continue to partner with DOD components in planning the implementation of [zero trust] across the department and the development of [zero trust]-aligned enterprise capabilities.”
Last month, acting DOD CIO John Sherman revealed that the department is also developing a zero-trust strategy to be released later this year. During remarks at the Billington CyberSecurity Defense Summit, Sherman explained that while zero trust is a cybersecurity and technology model, it more so represents a mindset shift for the DOD.
“This is not about technology, it’s about strategy,” he said.
Lawmakers urge DOD to go big on cyber in 2022 budget
Lawmakers are urging the Department of Defense to go big in budgeting for cybersecurity in fiscal 2022.
During a hearing on the cyber posture of U.S. forces Friday, members of Congress voiced support for a larger cyber budget and for finding new ways to elevate the importance of cybersecurity in the DOD.
“I just want to encourage you to be bold and provide something that really helps move us into the 21st century,” Rep. Elissa Slotkin, D-Mich., said during a Subcommittee on Cyber, Innovative Technologies, and Information Systems hearing.
Neither Slotkin nor others referenced a specific dollar amount, but she said she would support a “truly transformational” cyber budget.
Meanwhile, the Biden administration has yet to issue a full budget request, which traditionally kicks off Congress’ appropriations process. This has left lawmakers in the dark on what the fiscal priorities are for the new administration.
Witnesses Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, and Mieke Eoyang, deputy assistant secretary of defense for cyber policy, did not give any hints on what DOD’s cyber budget request will look like.
Other lawmakers expressed a willingness to reorganize the civilian leadership chart to elevate cyber’s importance within the military. Subcommittee Chair Rep. Jim Langevin, D-R.I., questioned why the traditional domains of warfare have service secretaries but cyber’s top-ranking civilian is four rungs below a service secretary.
“Candidly, it’s frustrating that the people in this room both members and witnesses seem to be fighting an uphill battle to put cyber front-and-center in the department,” Langevin said.
He also expressed frustration over how different cyber duties, from electromagnetic spectrum management to information operations, are spread out in different portfolios.
DIU is making an Uber-like app for talent management in DOD
The Defense Innovation Unit is building a talent-on-demand app for service members with digital experience to be matched with jobs they can apply their skills to.
“Gig Eagle” is like an Uber for talent, as Sarah Pearson, contractor and commercial artificial intelligence commercial executive for DIU, described it. The military has members across different components, from enlisted members to reserves and the National Guard, whose service gives them time to spend in the private sector when they are not on active duty. The experience they gain outside the military can now be put to use through Gig Eagle, said Pearson, who served in the Navy before working in Silicon Valley.
“We are creating a gig economy for the Department of Defense,” Pearson said during an AI Week SNG Live panel. “You could think about it almost like an Uber but for the DOD.”
But, instead of connecting riders with cars, the DOD can connect commanders and program managers with shorter-term needs with military personnel ready to work on assignments within their skillset.
The DOD has a very regimented way of assigning roles to service members. Sometimes, that leads to putting those with cyber or tech skills in non-technical roles. It’s an opportunity wasted in the eyes of senior leadership that has struggled to retain technical members who often have greater opportunities in the private sector.
“We are ultimately trying to connect a highly technical highly skilled workforce within the department,” Pearson said.
Gig Eagle is a new way to address that, especially for part-time service members who have full-time day jobs. Pearson noted an example of a reservist who works at a venture capital fund, and when the time comes to put on their uniform, they can bring that financial experience with them.
DIU is not the only one working on this. The Army has been testing new ways to retain talent and have a more modern management system that rewards digital skills.
GSA developing governmentwide cloud acquisition strategy
The General Services Administration is developing a governmentwide cloud acquisition strategy and wants feedback from cloud service providers and other industry partners.
GSA’s plan is to deliver a multiple-award blanket purchase agreement (BPA) for Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service cloud offerings on a pay-as-you-go basis. New innovations, dubbed Anything-as-a-Service, may be considered for future procurement vehicles.
The request for information (RFI) comes a day after President Biden issued a long-awaited cybersecurity executive order requiring federal agencies to develop zero-trust security architecture implementation plans making use of secure cloud services.
“The IT environments in which the government operates are changing and evolving at a rapid pace, driving GSA to leverage the Multiple Award Schedule Cloud [Special Item Number] to develop an easy-to-use, government-wide acquisition solution for cloud services in a hybrid model,” said Keith Nakasone, deputy assistant commissioner of IT Category at GSA, in the Thursday announcement. “The No. 1 thing agencies ask for is an acquisition solution that offers a full set of commercial, secure, soup-to-nuts cloud products and services. We think now is the right time to make it happen.”
Agencies would use the proposed BPA to replace legacy IT products and services with secure cloud ones, with market research showing a multiple-award BPA to be the best approach for procuring existing offerings.
Pandemic remote work has seen agencies alter their IT environments, embrace zero-trust security and seek more cloud offerings, so GSA wants to develop a solution set for federal, state, local and tribal governments.
The cloud acquisition strategy will be rooted in the Cloud Smart strategy and President’s Management Agenda IT modernization goals.
Industry has until May 24 to complete the survey on the RFI.
Industry collaboration will make or break cybersecurity executive order
Government must improve the way it works with industry if it wants to implement Wednesday’s cybersecurity executive order on schedule, technology experts told FedScoop.
The executive order comes after the recent Colonial Pipeline, Microsoft Exchange and SolarWinds hacks, which found the government ill-equipped to mitigate cyberattacks by nation-states or mere hackers with the right tools and know-how.
Agencies’ known struggles identifying innovative tech companies that offer the cloud services they need to implement zero-trust security will likely slow compliance, Terry Rydz, tech engagement manager at Dcode, told FedScoop.
“Something that has hindered and something that government should really be paying attention to is its ability to tap into America’s innovation base,” Rydz said. “To work with tech companies that honestly have the tech to address a lot of these issues, and have been doing it in the commercial sector for a while, but have trouble breaking into and working with the federal government.”
Dcode vets tech companies for their applicability to federal missions and cyber protections and trains them to work with agencies.
The executive order sets numerous deadlines for updating Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement contract requirements to increase the detail and speed at which companies share cyber threat and incident information with agencies.
“The tech companies that come through our program and some of those traditional contractors, it kind of forces them to be more exploratory internally about the security and inherent risks tied to their own IT systems and how that impacts the security of their government clients,” said Lauren Strayhorn, tech engagement manager at Dcode.
Whether the threat of losing government contracts will cause companies to improve cyber protections, when market incentives did not, remains to be seen.
But public-private communication stands to improve because of the order, said Robert Cattanach, partner at Dorsey & Whitney, in a statement.
“By mandating prompt disclosure of cyber events by federal contractors, establishing a lessons-learned process and more rigorously vetting the reliability of newly defined ‘critical software’ through the lens of a ‘zero-trust architecture,’ the process-heavy order will focus both attention and resources on a hugely vulnerable component of the day-to-day functioning of both the public and private sectors,” Cattanach said.
Federal contractors didn’t immediately balk at the order’s timeline, which is “aggressive” by their estimation.
The government expects contractors to share proprietary intelligence many sell “at a premium” and prove their code is secure prior to releases or lose its business, said Charles Herring, chief technology officer at WitFoo, a security information and event management company.
“For years source code integrity has gone largely unaudited, which is going to leave many software providers scrambling to update secure development operations procedures, acquire tools for testing code, retrain developers to use secure coding approaches and re-write thousands of lines of code to become compliant,” Herring said. “It is a potentially devastating blow to providers that have neglected these hygiene steps.”
But it’s also foundational to the new security paradigm the government is working toward.
Breaches can happen quickly and reporting them can be embarrassing and scary for tech companies and agencies alike, yet it’s integral to maintaining national security, said Lindsay Atherton, tech engagement manager at Dcode.
“Making the federal agencies think deeply about not only what the requirements are from a reporting perspective from cloud service providers, but the parameters around them, is going to be essential in creating an environment of trust,” Atherton said.
Previous federal cloud strategies promoting agencies’ migration to the cloud didn’t particularly emphasize securing those services.
This executive order changes that.
“We had Cloud First, and then Cloud Smart. The Executive Order on Improving the Nation’s Cybersecurity moves us into the era of Cloud Secure,” said Stephen Kovac, vice president of global government and head of corporate compliance at tech company Zscaler. “We are encouraged to see the focus on developing cloud security strategies, technical reference architectures and cloud governance security frameworks.”
The existing Federal Risk and Authorization Management Program and Trusted Internet Connections 3.0 security frameworks should form the cornerstones of “Cloud Secure” as agencies modernize their security, Kovac added.
Tech experts also praised the order’s emphasis on increasing collaboration between government and industry.
“We appreciate the focus on public-private collaboration in this executive order and its meaningful steps to modernize and streamline federal information systems, networks, and supply chains,” said Jason Oxman, president and CEO of the Information Technology Industry Council in a statement. “We look forward to working with the Biden-Harris administration to ensure that federal agencies and contractors have the proper resources and support to ensure that U.S. cybersecurity objectives are advanced while minimizing any potential impact on privacy, civil liberties and U.S. competitiveness.”
Agencies are getting on board, too.
The Department of Homeland Security will take “immediate steps” to implement the order, said Secretary Alejandro Mayorkas.
“Today’s executive order will empower DHS and our interagency partners to modernize federal cybersecurity; expand information-sharing; and dramatically improve our ability to prevent, detect, assess and remediate cyber incidents,” Mayorkas said in a statement.
New legislation building upon the executive order should be expected in the coming months.
Sen. Mark Warner, D-Va., chairs the Select Committee on Intelligence, which has been instrumental in moving critical cyber legislation to date.
“This executive order is a good first step, but executive orders can only go so far,” Warner said in a statement. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”
DOD clears path for first assessor to enter CMMC market
The Department of Defense’s cyber inspectors approved the first company to become a certified assessor for the department’s new contractor cybersecurity standards, clearing a critical hurdle in the process.
The DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) approved the first company, which was not named, to move forward in the Cybersecurity Maturity Model Certification (CMMC) process, a spokesperson told FedScoop. Now, it is up to the CMMC Accreditation Body (CMMC-AB) to grant the company Certified Third Party Assessment Organization (C3PAO) status, meaning that it can officially assess the maturity of defense contractors’ cybersecurity in compliance with new CMMC requirements.
“[W]e can say the first C3PAO has been certified by the agency. Keep in mind, the certification process is multi-tiered and [Defense Contract Management Agency’s] role is to verify and validate the ability of a C3PAO to protect the data that will be entrusted to them,” Matthew Montgomery, spokesperson for the DCMA, the agency that houses DIBCAC, told FedScoop.
The initial approval of the anonymous company is a critical milestone for the CMMC program as many have worried that there won’t be enough accredited C3PAOs to conduct CMMC assessments at a rate fast enough to meet DOD’s target of auditing all 300,000 companies in the defense industrial base over the next several years. Come fiscal 2026, the DOD will have CMMC requirements in all contracts.
The CMMC model is a tiered system with five levels of cybersecurity maturity that all defense contractors will be tested against once every three years. The DOD has said that most contractors will only need a level one assessment, but many expect level three, which is equivalent to the current standard for handling controlled unclassified information, to be more common than expected.
Under CMMC, companies can no longer self-attest to meeting cyber requirements. Accredited assessors will need to evaluate and test their systems and policies against the new CMMC standards.
“If you do the math on that…how is that feasible?” Johann Dettweiler, director of operations for TalaTek, a prospective C3PAO, said in an interview in April. He added: “There is…a little bit of a log jam.”
At least for now, part of that log jam appears to be lifting, but many more assessment organizations are awaiting their initial assessment from the DIBCAC.
But many cybersecurity companies have found the rules on policy documentation during the initial assessments to be too strict. That could spell trouble in the future if cybersecurity experts have trouble meeting the standards; and, if it took the DIBCAC months to clear the first company, assessments for companies with less mature network defenses could take even longer.
“You have to be able to show that you have the policies and that you have been living the policies, and that last part is really tricky,” said Jim Goepel, a former CMMC Accreditation Body member and the CEO of Fathom Cyber.
Air Force working on an App Store for IT
The Air Force says it’s making huge leaps and bounds in acquiring enterprise IT services that could help move missions forward — but not everyone who could be using the tech knows about it.
To market the Air Force’s new IT services better, Chief Information Officer Lauren Knausenberger said she is working to build a one-stop-shop like Apple’s App Store or Amazon.com to list products and services that have an authority to operate (ATO) across the service’s enterprise.
Products like Tableau’s data visualization software, cloud offerings and others will be presented on a website where offices across the force can click and buy.
“There are actually some really great services [available] today, but it requires many, many meetings and phone calls and in-person interactions to help people understand what those services are,” Knausenberger said at Cisco’s FedFWD 2021 Summit produced by FedScoop. “At this point, they are mature enough that I should be able to go to a website, click on it and buy it.”
The current state requires airmen to sift through contracts, contact contracting officers and even go through another round of the ATO process, which can take weeks, even if a service is already cleared. It’s a frustrating process both for those seeking to use tech and those, like Knausenberger, that help buy it.
She said that with a “single storefront” for tech, the department could save time and money.
“We are very excited about this and I think it will streamline a lot for us,” Knausenberger said.
The initiative is a part of a broader effort by the Air Force to share more of its successes and market the products and services available to airmen. The storefront will also share some of the internal technology the Air Force has built with its Platform One, Cloud One and Kessel Run teams.
“Sometimes even when you solve problems in the digital transformation realm, it is really hard to tell people that you have solved them,” Knausenberger said. “We are not marketing organizations.”
The Air Force now has cloud capabilities through Cloud One that reach the secret level of security. Some legacy systems have even started migrating to the secret cloud, the CIO said. Similarly, its Platform One team created a DevSecOps platform that has a continuous ATO that allows teams of airmen to craft secure code that will be authorized for use from the get-go.