‘CEOs are stepping up’ free-of-charge. How the tech industry is helping government during COVID-19

Tech companies have a message for the government: “Help us help you.”

That sentiment, told to FedScoop by founder and President of Yext Brian Distelburger, was echoed by a host of tech companies opening their products to local, state and federal agencies alike as governments face the challenges of the novel coronavirus pandemic.

Offers range from assistance with remote working to free cloud storage and services for researchers working on a vaccine for the virus, and they extend far beyond those listed in this report. The government too is responding by opening up data, forming partnerships with tech companies and granting new authorities to work with telecommunications companies.

“This is unprecedented and so the response from the tech sector has been unprecedented,” Nick Sinai, former deputy federal CTO, told FedScoop. Challenges during the pandemic range from agencies like the Department of Veterans Affairs responding to the direct effects of the virus to much of the government faltering under the strain of “maximum telework.”

“Tech CEOs are stepping up and offering pro-bono products, services, and support – they want to do anything they can to help,” Sinai added.

Sinai is a senior advisor to the venture capital firm Insight Partners. Many of the companies in the firm’s portfolio are among those offering their services pro-bono. A list of more than 50 companies has been compiled into a spreadsheet to showcase those offering services to assist with benefit enrolment, remote-working and sharing public information.

Distelburger said Yext is in talks with senior federal agency officials to bring its natural language processing to government websites to better understand the sentiment behind the questions people are searching for on the internet related to the coronavirus and help provide people with the answers based on CDC data. The benefits of the service are twofold: For citizens, Yext offers an easy way to quickly find answers to their questions about COVID-19. For governments, it provides aggregated data about what constituents are asking so leaders can tailor their communications. The company has already provided a similar service to the state of New Jersey.

“I am thrilled we can help Apple stores update their hours for the new iPhone launch,” Distelburger said of the company’s typical work, “but boy, this is way more important.”

Other tech companies are finding their services fit critical needs during the pandemic. Smartsheet, a remote project-management software company, has built a free template to track COVID-19 response efforts for government agencies.

“Smartsheet is all about allowing the citizen to be able to achieve more, to have better insight and move faster,” said Amy Frampton, Smartsheet’s vice president of product marketing. Those qualities “become really critical in a time like this.”

Smartsheet’s government-specific tools are FedRAMP authorized and 1,800 agencies across international, federal, local and other government organizations are using the program. The COVID-19 template has been downloaded 10,000 times, the company said.

Tech giants pitching in too

Titans of the technology industry have pitched in as well. Amazon committed $20 million in cloud computing resources “to accelerate diagnostic research, innovation, and development” for both tracking and mitigation initiatives.

“[O]ne area where we have heard an urgent need is in the research and development of diagnostics, which consist of rapid, accurate detection and testing of COVID-19,” said Teresa Carlson, vice president of worldwide public sector at Amazon Web Services. “Better diagnostics will help accelerate treatment and containment, and in time, shorten the course of this epidemic.”

Microsoft announced it’s offering its Healthcare Bot service powered by Microsoft Azure to help agencies answer basic questions using robotic process automation. The CDC is using the bot to “quickly assess the symptoms and risk factors” for people who may have been exposed and suggest what to do next, according to a Microsoft blog post.

Google said it will donate more than $800 million to frontline organizations and small- and medium-sized businesses. The company also built a portal of coronavirus-related information.

And Apple last week formed a partnership with the federal government to build a website that uses Centers for Disease Control and Prevention data to screen people experiencing coronavirus symptoms. The CDC plans to encourage other companies to build additional COVID-19 tools.

Some restrictions

For many companies, working with state and local governments could be easier than the federal government, which requires FedRAMP authorization to ensure cloud products are secure. The General Services Administration, which operates FedRAMP, did not respond to multiple requests for comment on how it is working with the private sector.

“One of the challenges is there are a lot of offers to help,” Sinai said. “Inside of government, you have to figure out what are the most appropriate set of offers to leverage, and that takes knowledgeable people too.”

There is also the matter of federal acquisition laws and regulations, said Joe Stuntz, head of federal and platform at encryption company Virtru and a former Office of Management and Budget official.

“There are reasons why people can’t just give stuff away,” he said. For instance, if an agency accepts a reduced-price or free service from a company that later wins a lucrative contract, the free offer could be fodder for a protest. “Tech can enable mission, but there are rules in there for a reason,” Stuntz added. Virtru is offering its encryption and privacy technologies for free as well.

One workaround is forming partnerships instead of going through the contracting process. A senior administration official told FedScoop that the White House Coronavirus Task Force, the Federal Emergency Management Agency and CDC used a “partnership” for its work with Apple on its COVID-19 website.

“There was no contract awarded and there was no cost to the taxpayers,” the official said.

For agencies going through normal contracting avenues, there is a need for speed and getting money to contractors. The Air Force is working through its AFventures platform to strengthen its small business and emerging technology supply chain, which its acquisition head Will Roper said remains strong.

A silver lining Sinai sees is that agencies across the government are seeing the returns on cloud migrations and modernizing enterprise services. And in the Air Force, Roper said that the emphasis on becoming a digital Air Force laid the groundwork for the department’s telework success.

“This will actually accelerate the move to [Microsoft] Office 365 in the Department of Defense,” he said.

GSA’s coronavirus bot shows how RPA can supplement pandemic response

As federal agencies adapt to the coronavirus pandemic, opportunities to use robotic process automation (RPA) are popping up wherever humans have been collecting ad hoc data about the health crisis. At the General Services Administration, one RPA project shows how an agency can quickly hand over important work to a bot.

In GSA’s case, the RPA team has developed a national COVID-19 bot to speed up collection of infection count data in counties where it manages federal buildings — one of about 20 new automations across the government tied to response.

GSA owns or leases space in about 9,600 buildings in 2,200 communities nationwide, so it coupled county-level infection count data with its geographic information systems (GIS) to visualize the coronavirus threat to its properties.

Staff easily compiled the data early on during the COVID-19 pandemic, but the task has proven daunting in recent weeks. The U.S. surpassed all other countries in number of cases at 140,904 as of 1:30 p.m. Eastern on Monday.

In order to update the data faster, the RPA team engineered the bot to collect infection counts multiple times a day and provide information to the GIS team in a more compatible format. Other agencies have similarly turned to RPA to keep pace with the spread of the virus by analyzing data more rapidly, monitoring workforce health more precisely and performing tasks not being completed by teleworkers who have to focus on mission-critical work.

“As the COVID-19 infection counts started rapidly increasing, the level of effort for aggregating all of the COVID-19 infection count data increased exponentially — ultimately requiring several employees to aggregate and process the data,” James Gregory, RPA program director, told FedScoop. “Due to this manually intensive process, the GIS team was only able to aggregate and report on the data once a day.”

The bot filled the gap. With fewer of those repetitive, high-volume tasks to do, the employees who were manually collecting the data have been reassigned to enhancing GSA’s map, which shows the buildings GSA manages across the U.S. and the associated infection counts in the counties where they’re located.

RPA is transformative technology, Gregory said, as employees increasingly telework due to the coronavirus. It can be initiated remotely or designed to run independently on a schedule.

While the national COVID-19 bot is GSA’s first virus-related automation, the agency has more than 45 others in production and a “very strong pipeline” for the conceptualization of more, he added.

Coronavirus-related RPA uses abound

Every agency has had to adjust its mission amid the pandemic, and RPAs have been added at several, according to UiPath, one of the companies assisting those projects. The Department of Homeland Security built an automation of about 500 bots in 36 hours to perform coronavirus-related data analysis. Agencies from the Centers for Medicare and Medicaid Services to the Food and Drug Administration are working with RPA developers to supplement teleworkers focused on mission-critical work with bots.

The latest bots are handling information technology functions like patch management and call center support and enabling telework by assigning virtual private networks to employees.

“Agencies also have an incremental responsibility to support the COVID-19 effort,” said Chris Townsend, vice president of federal sales at UiPath.

At CMS that’s taken the form of an employee personnel accountability bot, which will pull data from various internal human resources systems and turn the information into reports.

Leaders can then use those reports to identify employee availability for high-priority work.

“This provides the agency with the flexibility to pull information from our separate data systems without doing it manually,” said a CMS spokesperson. “This system will help CMS more efficiently reallocate projects and responsibilities among staff as needed in wake of the unprecedented COVID-19 pandemic.”

Agencies that had very limited RPA pilots are leaning on the technology more heavily. The FDA rushed an urgent coronavirus-related procurement, and they aren’t alone.

“The shift from back-office automation to more mission-oriented automation, I think [COVID-19] will accelerate that,” Townsend said.

The Department of Housing and Urban Development is in the “early stages” of a new RPA deployment, according to a spokesperson who declined to comment on coronavirus support.

Meanwhile, the Department of Veterans Affairs expressed interest last week in an automation at Cleveland Clinic facilitating the ingestion and analysis of its increased patient load due to COVID-19. VA provides care at 1,243 health care facilities.

“They’re still vetting through what’s out there and what they can apply in their environment,” Townsend said.

The White House Coronavirus Task Force has been made aware of the interest in RPA, Townsend said.

UiPath is offering bots at no cost to enterprise customers for 90 days during the pandemic, but the Federal Acquisition Regulation makes that harder. The company is exploring how agencies might be able to use RPA on a provisional basis.

“We’re willing to do that,” Townsend said.

Correction: March 31, 2020. An original version of this story incorrectly said CMS is deploying a health care screening bot with its Office of Human Capital. The agency is deploying an employee personnel accountability bot that pulls data from various internal human resources systems.

Air Force ramps up use of white-hat hackers to test its IT networks

The Air Force is going beyond traditional bug bounty programs and ramping up its use of ethical hackers to simulate wartime attacks on its IT networks.

A recent $75 million contract signed with cybersecurity firm Dark Wolf is one such example of how the department is trying to strengthen its IT enterprise by penetration testing internal networks, Lauren Knausenberger, chief transformation officer in the Air Force, told FedScoop.

The Air Force last March issued a Fast-Track Authorization to Operate (ATO), allowing the service to issue ATOs more quickly by requiring those systems and applications to meet baseline cyber standards, conduct penetration testing and continuously monitor for threats.

To take advantage of those new authorities, the Air Force is inking deals with private-sector cybersecurity firms to expand penetration testing and so-called “white hat” hacking, where information security researchers simulate adversarial cyber-offensives.

“For the past three years now we have really been embracing the hacker community,” Knausenberger said, referring to the department’s use of bug bounty programs. That embrace has grown tighter as the Air Force is working to bundle more task orders to meet the surging demand for vulnerability hunting across the department. “I do expect our demand will continue for some time,” she added.

The recent $75 million blanket purchase agreement signed in late February with Dark Wolf is one of the first contracts the Air Force awarded that will let hackers really “go crazy” on a range of Air Force IT.

Penetration testers had been used before, but it was in very “mission-specific” ways, Knausenberger said. Previous testing agreements did not allow for the type of full-on assaults the Air Force could experience in the cyber battlefield.

“Insider threats, embedded systems and supply chain analysis are examples of penetration testing areas that the government may have a greater interest in than our commercial clients,” Dark Wolf said through an Air Force spokesperson. “We have taken lessons learned from our commercial practice and applied them to government systems.”

Through the agreement with Dark Wolf, airmen across the department can request penetration testing be done on their networks. To fast-track the tests, many smaller orders are being bundled into task orders that will allow for faster deployment of the testing, Knausenberger said.

The next step for the Air Force is “baking security in from the very beginning” of the development of new technology. As the airmen try to move away from “checklist” security, the results of hacking tests are informing how the Air Force designs its systems.

“A lot of the best hackers are also the best developers,” Knausenberger said.

In the future, the Air Force also hopes to issue larger contracts to cybersecurity firms to be able to channel needs from airmen across the world through fast-tracked task orders to be fulfilled by hackers.

Microsoft earns authorization to handle DOD secret-level information

Microsoft is now approved to host production workloads at the secret classified level for the Department of Defense and other national security missions. The new authority is a key component of the company’s ability to deliver on its award in the Joint Enterprise Defense Infrastructure (JEDI) cloud contract.

Tom Keane, Microsoft’s corporate vice president for Azure Global, announced in a blog post that the company’s Azure Secret Government cloud service has achieved a provisional authority to host DOD data at impact level 6 (IL6) — categorized as classified national security information.

On top of that, Keane announced Microsoft has met a pair of risk management directives necessary to perform key work with intelligence community agencies.

“Built exclusively for the needs of U.S. government and operated by cleared U.S. citizens, Azure Government Secret delivers dedicated regions to maintain the security and integrity of classified Secret workloads while enabling reliable access to critical data,” Keane says of the service.

Late last year, the company earned a 90-day temporary authorization to work with DOD test workloads at IL6. This newest authorization demonstrates Microsoft’s government cloud offering can now move forward to host some of the defense and intelligence communities’ most sensitive information.

Under the $10 billion JEDI contract, Microsoft is required to meet IL6 within 180 days of the October award. Within 270 days, it will also need to receive authorization to handle Top Secret government information, per the contract.

Work under that contract, however, is put on hold as Amazon Web Services has protested that DOD erred in evaluating bids from the two vendors. DOD authorized AWS at IL6 in November 2017. The company is currently the only cloud provider approved to handle Top Secret information for the federal government.

Microsoft will surely want a piece of the intelligence community’s forthcoming multi-billion-dollar multi-cloud procurement Commercial Cloud Enterprise (C2E), which could be awarded as soon as September.

As part of Keane’s announcement, Microsoft also launched a third region under Azure Secret Government that he says enables “even higher availability for national security missions to stay ahead of their unique threats.” The three regions are more than “500 miles apart to enable applications to stay running in the face of a disaster without a break in continuity of operations.”

Industry has concerns with CMMC’s ‘very ambitious’ rollout

A coalition of technology trade associations is concerned with the rollout of the Department of Defense’s new cybersecurity standards and certification process, stressing in a letter that DOD needs to clarify gaps in how the industry will need to prepare for the new model.

The Cybersecurity Maturity Model Certification (CMMC) will require all contractors — from boot manufacturers and ammunition makers to cybersecurity firms — to be certified by a third-party assessor to ensure they meet cybersecurity standards on a five-level scale.

But how those scales will be implemented, and the ways that the DOD will indicate what will be required of contractors, need more detail, says the letter signed by the Information Technology Industry Council (ITI), Alliance for Digital Innovation, BSA: The Software Alliance, Cybersecurity Coalition, Internet Association, and the Computing Technology Industry Association (CompTIA).

“We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs,” the trade groups said.

CMMC Accreditation Board members announced yesterday that CMMC is still on track to be introduced into some requests for information contracting documents this summer and all contracts by 2025. The board will oversee the training and certification of third-party assessors.

That timeline is “very ambitious,” according to the letter; industry associations are concerned that building an enterprise of third-party assessors will be too much of a lift to meet the current timeline. The global pandemic of novel coronavirus won’t make it easier, Simone Petrella, CEO of cybersecurity workforce company CyberVista, told FedScoop in an interview.

“The biggest impact is that it is going to force this process into some sort of virtual environment,” Petrella said. She added that training online can be accomplished, but it will need measurable feedback and “a robust process by which you can think through this process in a remote setting.”

The associations are also concerned by CMMC’s interoperability with other government cybersecurity requirements. Processes like FedRAMP already have strict security requirements and the associations want their members to be able to easily switch between the two sets of standards.

CMMC requirements already mirror many of the same controls that FedRAMP does, but not all.

“Allowing for reciprocity with other cybersecurity requirements will reduce the cost and administrative burden of compliance and allow DoD to achieve its cybersecurity goals on a quicker timeline,” the letter states.

Another issue the associations want clarity on is how the DOD will identify which level a contractor will need for what part of a contract. Katie Arrington, the CISO for acquisition and sustainment and leader of the DOD’s CMMC efforts, said that subcontractors will not need to meet the same requirements as larger primes to participate in parts of the same contract. But industry wants more details on how contractors will know at which level they will need to be assessed.

“(I)f each acquisition authority or prime contractor is allowed to establish certification requirements on its own, multiple authorities may set different level requirements for substantially similar services,” the letter states.

Adopting agile mindsets can help agencies ace their FITARA scorecards

When federal agencies saw their latest FITARA scores in December, they should have congratulated themselves on significantly improving in several key areas, as overall grades improved from June 2019. But as Akio Toyoda, president of the Toyota Motor Corporation, once famously said, “I believe there is no best, only better.”

With the next scorecards set to be released in June, agencies should look at this as a time to continue to build on the momentum they showed last year.

Adopting some of the principles that have become the hallmark of agile software development is a good start. Let’s take a closer look at how agencies can develop core agile principles to make their modernization efforts worthy of an “A” grade.

“Simplicity — the art of maximizing the amount of work not done — is essential.”

Agile teams prioritize the things that are most important to their organizational goals and approach development in a piecemeal fashion. Agencies would do well to approach their modernization efforts in the same way. FITARA scorecards have seven categories ranging from “Agency CIO Authority Enhancements” to “Cyber.” Looking at it from a macro perspective, tackling all of these categories simultaneously can be daunting.

Instead, agencies should focus on improving in the areas that are most important to their organizations. For example, perhaps datacenter optimization is not as critical right now to an agency in dire need of improving cybersecurity. That agency should prioritize shoring up its approach to risk management. They might receive a better score in the “Cyber” category at the expense of their “Data Center Optimization Initiative” score, but their efforts will be in line with their organization’s goals. Plus, they can focus their energy on datacenter optimization the next time around, if they so choose.

At the end of the day, everything in the scorecards is important, but tackling the most important things first and seeing some immediate and measurable improvements in specific categories can make it easier to boost performance in the areas that matter most at the time. Quick wins can also be empowering and help teams get ready for the next project.

In fact, wins are regularly celebrated by agile development teams. Team celebrations can increase employee engagement, which is a key focus of the Office of Personnel Management’s annual Federal Employee Viewpoint Survey. The same mentality can and should be encouraged as agencies look to improve both employee satisfaction and their scores.

“Business people and developers must work together daily throughout the project.”

Collaboration is an essential part of agile software development. Managers help agile team members to understand the goals of their organizations so that the applications they’re developing are in line with organizational needs. Everyone works closely together to share ideas, solve problems, and make sure that things stay on track.

FITARA success is also highly dependent on open communication that starts at the top. The majority of agencies that have seen scorecard success have the support of an open, dynamic, and transparent leadership team that has established clear directives and shares them frequently with IT.

Successful agencies tend to have FITARA coordinators within the CIO shop. These coordinators work closely with IT teams to help them follow FITARA maturity model guidance. They also help teams to have a full understanding of what the law requires. With this knowledge, team members can work toward a passing grade, and even go above and beyond it.

“Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.”

Automating the development process helps minimize time-consuming manual processes, reduce the chance for mistakes, and accelerate the tempo of delivery. It reduces human error and frees agency staff to focus on automating other parts of the scorecard and improving service delivery. It also helps fulfill agile development’s promise for a faster, more iterative approach to software creation.

For instance, infrastructure that was once composed of racks of physical equipment is now virtual and software-defined using Infrastructure-as-Code. Similarly, regulatory compliance that once required copious amounts of three-ring binders, checklists on clipboards, spreadsheets, and humans to annually check the boxes can now be automated at every code check-in and daily using machine-readable Compliance-as-Code. This can prevent security posture drift by keeping security standards in place at all times. In short, automated Infrastructure-as-Code and Compliance-as-Code can relieve teams of having to manually oversee every aspect of their infrastructures and move compliance processes from “checking boxes” to “measuring what matters.”

The more things are automated, the less time is spent on necessary but painstaking tasks. It becomes easier for teams to focus on making value-added improvements where they really count, deliver results faster, and continuously improve.

“At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.”

In short, agile development teams are constantly assessing what they do and how they do it. They learn from their efforts, make adjustments, and continue to push forward in an effort to always improve.

Indeed, continuous improvement is the driving force behind many of today’s most successful organizations, including Toyota Motor Corporation. President Toyoda’s perspective on work stems from his automobile company’s commitment to Kaizen, the English translation of which is “continuous improvement.” It emphasizes maximum quality, minimum waste, and a constant striving for greater efficiency and service.

Government agencies must adopt the same attitude, even if they score straight A’s on their next scorecards. Modernization is a journey without a destination, and there’ll always be room for improvement and sustained excellence.

David Egts is chief technologist, Red Hat Public Sector

Coronavirus could further delay EIS telecom modernization ‘crucial’ to emergency response

The General Services Administration doesn’t anticipate delaying deadlines for agencies to modernize their telecommunications under the Enterprise Infrastructure Solutions (EIS) contract. But some vendors on the contract believe that the ongoing coronavirus response might further delay new awards.

Agencies had until Sept. 30, 2019, to issue task orders under the $50 billion EIS, the government’s flagship telecom and network modernization vehicle. But that deadline came and went with some larger agencies like the departments of Homeland Security and Agriculture having yet to put task orders out for bid.

“My kid’s school just got extended another month to April 24,” Mike Maiorana, senior vice president of public sector at Verizon, told FedScoop. “I think we’ve got to — the longer we go here and the more information we get — be open to adjusting our plans to ensure that the federal agencies and the vendor community are best positioned to deliver on what’s most important.”

During the COVID-19 pandemic, that’s mission-critical services like bandwidth, mobile devices, conference bridges and contact centers that enable telework, Maiorana said.

All of those services can still be procured using EIS’s predecessor, Networx, as well as WITS3 and local service area contracts through March 31. That’s when GSA intends to begin limiting the use of such contracts — extended until March 31, 2023, when they’ll expire.

“The agencies that have open procurements have taken actions to modify due dates past March 31,” said Dave Young, senior vice president of public sector at CenturyLink. “I think probably the next step I would expect is that GSA — as they better understand the timetable of this impact — will modify their schedule.”

Depending on how long the coronavirus continues to spread and impact federal operations, GSA may need to extend existing contract expiration dates even further, Young said.

GSA has asked agencies’ transition teams for information on how COVID-19 is impacting their move from Networx to EIS and agreed to work with those that have already awarded task orders on a “case-by-case basis” to mitigate delays, said an agency spokesperson.

“Recent events have demonstrated the critical role that modern, flexible telecommunications and network services play in enabling a governmentwide response to a national emergency. The transition to EIS will lay the groundwork for accelerated IT modernization and improved [Continuity of Operations Program] implementation,” the spokesperson said. “A timely transition now is crucial to helping agencies acquire emerging communications technologies so they can plan for future challenges.”

Based on agency feedback, GSA may issue additional broad guidance or assistance, the spokesperson added.

EIS work continues for some

In the meantime, EIS contract primes like Verizon, CenturyLink and MetTel noted a small wave of pre- and existing-bid activity in spite of the coronavirus.

“Many of the largest federal agencies in the federal government are having pre-bid conference calls right now, this week,” Maiorana said. “So I think the federal agencies have a sense of urgency.”

Agencies should take a “balanced approach” when it comes to augmenting their networks to handle COVID-19 and transitioning to EIS, he said.

The Department of Labor became the latest agency to come out with its EIS request for proposals (RFP) over the weekend.

Labor actually released a winner-take-all task order early on but reworked it after a pre-award protest from Granite Telecommunications. Now the task order will consist of two to five awards.

The Social Security Administration is still moving quickly on its EIS transition, having awarded a $253.5 million task order for local, long-distance and access management to MetTel on Feb. 4, said Diana Gowen, senior vice president of the small business’ federal program.

Work has been stopped on MetTel’s other task order award, a $127.3 million contract for voice services from the Department of Veterans Affairs, due to a protest from CenturyLink.

CenturyLink’s technical evaluation was priced higher than MetTel’s. But the award was best value, and MetTel came in lower on price with everything else being equal, said an industry source.

The delays at DHS and USDA in issuing RFPs might be chalked up to turnover in their chief information officer shops, Gowen said.

Regardless, it appears two large agencies won’t have awarded task orders by the next March 31 deadline along with a host of smaller ones.

When the Networx contract saw delays, it took a series of congressional hearings and the Transportation Security Administration being hauled in front of the House Oversight Committee for lawmakers to realize GSA didn’t have the authority to make agencies do anything, Gowen said.

Members of the House government operations subcommittee expressed frustration earlier this month that GSA couldn’t punish agencies for missing EIS deadlines. But that was before Congress became consumed with emergency coronavirus legislation and the most vocal EIS critic, Rep. Mark Meadows, R-N.C., accepted the job as President Trump’s new chief of staff.

“I don’t believe, given the current world situation, that this is going to get the kind of attention from the Hill and [the Office of Management and Budget] that it would take to really bring it over the finish line,” Gowen said. “So I think things will eke out like they have been, and we’ll just all deal with it.”

Gowen thinks GSA will likely move its deadlines “ever so slightly,” citing COVID-19. But officials working on EIS like Fred Haines, Bill Zielinski and Allen Hill “would all like these agencies to just get on with it,” she said.

A silver lining: The slow release of task orders is preferable to a tsunami because it allows for more competition, rather than primes picking and choosing their battles, Gowen added.

Fair opportunities due dates being pushed back to April or May has given CenturyLink a chance to develop a new operational rhythm in response to the coronavirus, Young said.

“I do think that agencies and GSA have all focused on the right things,” he said. “And that’s: How do we keep government operational for the citizens of the country and take the right steps to augment networks that need to be augmented to handle a changed work environment?”

Work continues on CMMC rollout amid coronavirus disruption

The rollout of the Department of Defense’s new cybersecurity standards and certification process will continue on-track despite the coronavirus’ disruptions to the Pentagon’s workforce, top program officials said Thursday.

The nonprofit board that leads training of third-party assessors under the Cybersecurity Maturity Model Certification (CMMC) signed a memorandum of understanding with the DOD this week that “formalized” its authority to certify those cybersecurity assessors, the board’s chairman Ty Schieber said Thursday.

CMMC will require all defense contractors to hire third-party assessors that have been accredited by the board and that will certify they meet one of the model’s levels of cybersecurity. If a contractor does not receive a CMMC certification, it will not be allowed to bid on defense contracts.

“Work does continue,” Katie Arrington, the CISO to the undersecretary for acquisition and sustainment, said Thursday during a virtual event on CMMC’s impact. “We are working a tremendous amount in the virtual environment.”

CMMC will have five levels of security needs: starting at level 1, with the lightest standards and the most common requirement, and going to level 5, for the highest standards around controlled unclassified information.

DOD will put the requisite CMMC level requirements as language in contract documents. Arrington said the department’s plans to have requirements phased into 10 requests for information this summer continue as normal, as does the larger hope that CMMC requirements will be in every DOD contract by 2025.

The board is now working to “operationalize” the newly codified relationship with the DOD, Schieber said. That means beginning the accreditation process for potential third-party assessors soon.

Arrington added that she is exploring ways to use video conferencing for instructions as assessments start.

False CMMC advertisement

During the event, Schieber warned that some companies have been falsely advertising themselves as certified CMMC testers — despite there being no such thing, yet.

He said that while progress continues and some companies are positioned to eventually become certified assessors, that process hasn’t yet kicked off, so no companies have been certified.

Undersecretary for Acquisition and Sustainment Ellen Lord has warned of this previously. “Unfortunately, the Department has learned that some third-party entities have made public representations of being able to provide CMMC certifications to enable contracting with DoD,” she said in a statement. “To be clear, there are no third-party entities at this time who are capable of providing a CMMC certification that will be accepted by the Department.”

Despite having to cancel in-person meetings for the several working groups and different boards under the umbrella of the accreditation board, Schieber said “the pace accelerates from here” on working to get CMMC implemented.

DOD warns contractors of taking ‘adversarial’ investments during pandemic

Defense contractors might be feeling the urge to seek capital to stay afloat during the coronavirus pandemic, especially for the parts of their business that don’t rely on federal dollars. But those companies should stay away from foreign investors who may be “adversarial” to U.S. national security, top Department of Defense officials said this week.

“It’s critically important that we understand that during this crisis the [Defense Industrial Base] is vulnerable to adversarial capital, so we need to ensure companies can stay in business without losing their technology,” Ellen Lord, undersecretary of defense for acquisition and sustainment, told reporters Wednesday. She said foreign sources, whether used for capital investment or production of contracted goods and services, have an associated “fragility.”

The coronavirus pandemic and economic downturn “presents a greater attack surface” for malicious foreign actors “as there is uncertainty especially with small businesses as to whether their contracts will continue,” Lord said. “So we want to basically mitigate that uncertainty.”

Since last summer, the DOD has been hosting events around its Trusted Capital Marketplace, “a public-private partnership that will convene trusted sources of private capital with innovative companies critical to defense industrial base and national security.” The department has continued to host the events virtually as the COVID-19 pandemic has limited in-person interactions across the Pentagon.

Jennifer Santos, deputy assistant secretary of defense for industrial policy, said the Trusted Capital Marketplace program is targeted at getting “to the left” of the Committee on Foreign Investment in the United States (CFIUS) review process, which is meant to protect national security in any foreign transactions. Doing so, Santos said, ensures “that critical companies are able to access clean capital that assists their commercialization.”

Still, the DOD will look to strengthen reviews under CFIUS during this critical time, Santos said, calling it “more important than ever.”

“We simply cannot afford to let this period of uncertainty eat into reviews that foreign investment is shifting into hypervigilance,” Santos said.

Lord added: “There is no question that we have adversarial capital coming into our markets for nefarious means. So what we are doing is on the defense side looking at CFIUS, on the offensive side we’re using our trusted capital mechanisms.”

The DOD has also created a Joint Acquisition Task Force to synchronize the department’s response to the coronavirus as it relates to the acquisition community. That task force is led by Stacy Cummings, principal deputy assistant secretary of defense acquisition enablers in the DOD.

In addition to directing “Defense Production Act authorities and funding in response to this immediate crisis,” Lord said, the task force will work on “building capacity in identified areas of fragility in the defense industrial base, both the industrial capability and workforce, with a focus on reducing reliance on foreign supply sources.”

Supply chain heat map

DOD has data repositories and portals and is establishing new ones within its Defense Contract Management Agency and the joint task force to “bring in critical feedback” and accept “good ideas from industry so that there is one repository where we can go and see what is being offered in terms of technical assistance and manufacturing capabilities,” Lord said.

For instance, the department has developed a heat map that overlays coronavirus positive tests with shelter-in-place restrictions across the country to “help us with predictive solutions and planning when overlaid with the location of our industry partners,” Lord explained.

Santos said that tool, which she referred to as a supply chain heat map, helps DOD leadership “understand the impacts of the supply chain overlaid with the [Centers for Disease Control and Prevention] data.”

Lord issued guidance last week declaring the defense industrial base an essential critical infrastructure that should continue operation during the pandemic. She said this was necessary because “industrial leaders told us that state and local governments had different shelter-in-place rules and guidelines, with some even issuing misdemeanor citations to workers trying to get to work.”

“I will tell you, the vast majority are working,” Lord said of defense contractors. “They do want to work. CEOs are reaching out to us to ensure that they can continue operations.”

In the end, the DOD officials did not have clear answers to many of the most pressing questions, such as what specifically defense contractors are being asked to do under the Defense Production Act to support. Lord said the department recognizes “what we’re doing is imperfect” but is moving as quickly and thoughtfully as possible during the current crisis to respond in the best interest of national security.

“I want to emphasize that we are looking at the totality of what we do with the acquisition workforce — supporting the warfighter, making sure that both readiness and modernization are underway, all the way back to making sure that we have a secure, safe, and resilient defense industrial base — so, close communication, keeping cash flowing, keeping operations going with minor pauses in a variety of places,” she said.

For remote learning in government, coronavirus cyber training could prove transformational

Agencies are increasingly seeking training on cybersecurity fundamentals during coronavirus telework, offering the government a rare chance to transform how its employees learn using the NICE Cybersecurity Workforce Framework.

Developed by the National Institute of Standards and Technology, the National Initiative for Cybersecurity Education framework breaks down agency work roles, like cyber defense analyst, to their core knowledge, skills, abilities and tasks (KSATs).

The COVID-19 pandemic presents agencies with the opportunity to audit their employees and determine where there are cyber skills gaps that remote learning can fill, Rodney Petersen, NICE director, told FedScoop.

“The discussions I’m hearing at the moment are less about the training needs and more about how the entire learning ecosystem could be fundamentally changed,” Petersen said. “And cybersecurity could become the pilot for how that is implemented and rethought in this current environment.”

Cyber workforce development firm CyberVista has seen an uptick in requests — almost exclusively from a “handful” of federal agencies — for digital forensics and basic training as the coronavirus spreads, said CEO Simone Petrella.

Federal employees’ use of mobile devices for remote work leaves them more exposed to cyber threats, meaning roles that aren’t traditionally focused on security suddenly require that knowledge to a greater degree, Petrella said.

“Outside of the forensic requirement, I actually think that the biggest need I’ve seen across the board is in fundamental and baseline skills for entry- to mid-level staff that can ultimately be upskilled and trained to those more specialized roles,” she said.

The NICE Framework not only helps agencies identify what roles they need but how to measure the effectiveness of training so employees can ultimately fill those positions.

Agencies remain in the early stages of workforce considerations as they focus on mission-critical functions in the face of COVID-19, Petersen said.

“One of the skills that people are going to take for granted during this time period is the impact telework has on what we call professional, soft or employability skills,” he said. “Because obviously we don’t have the same level of face-to-face or interpersonal interactions we would in the workplace.”

Video conferencing can be used to preserve those skills, as can virtual learning environments like cyber ranges, Petersen said.

Common mistakes include agencies thinking they can simply stick instructors in front of webcams and relying too heavily on lecture-based curriculums, Petrella said.

Hands-on learning ensures employees can actually do the work required by allowing for qualitative, technical assessments, which CyberVista already conducts in distributed environments like the one the coronavirus has created, she said.

“We’re in this remote environment, and so everyone feels fairly isolated,” Petrella said. “So you don’t want to necessarily give them an experience where they are isolated.”

NICE issued a call for proposals Tuesday for its annual conference scheduled for November in Atlanta. Several early proposals centered on continuity of learning during the pandemic.

Figuring out how to accommodate a more remote workforce throughout the talent lifecycle is critical, and a move toward online learning in government will allow for greater experimentation and innovation, Petersen said.

“I think it’s going to revolutionize telework as we see how it’s both possible and potentially productive,” he said. “It’s certainly going to cause us to reconsider employment from a distance for a variety of careers including cybersecurity, and, of course, it’s going to require that we rethink how we learn.”