GSA poised to complete schedule consolidation on deadline

The General Services Administration says it is on track to consolidate 24 schedules into one common set of terms and conditions for products and services by its Oct. 1, 2019, deadline.

One of four pillars in GSA’s Federal Marketplace Strategy, the Multiple Award Schedules Consolidation is intended to modernize acquisition for federal, state and local governments.

“The new solicitation with its simplified format is going to make it much easier for customers to find and purchase the solutions they need to meet their missions,” GSA Federal Acquisition Service Commissioner Alan Thomas said in a statement Wednesday. “It will also make working with government easier by streamlining and simplifying the offer process for new contractors. One schedule means vendors no longer have to manage contracts across multiple schedules.”

Thomas previously called consolidation the “top priority” for administrators in the space.

Organized into large subcategories, the single solicitation incorporates feedback from more than 1,000 comments from agencies and industry in response to two requests for information.

GSA provided its final solicitation for review and will publish it to FedBizOpps on Oct. 1. The new Available Offerings and Requirements webpage will house templates and attachments that are part of the solicitation.

The agency will hold two informational webinars on the solicitation on Sept. 17 and Sept. 19 from 3 to 4 p.m. EDT.

Integration of app vetting with EMM is still an ‘emerging’ option for agencies, report says

Two established ways of monitoring an enterprise’s mobile technology — continuous app vetting and enterprise mobility management (EMM) — can be integrated, but no single combination of existing solutions is ideal, according to a new Department of Homeland Security report.

Continuous vetting is designed to catch the exploitable vulnerabilities, malicious code or privacy-violating behaviors in applications, while EMM centrally manages an enterprise’s mobile devices, including their security, and can restrict use of an app or resources until a threat found through vetting is addressed.

The Homeland Security Systems Engineering and Development Institute (HSSEDI) independently evaluated two EMM solutions and six vetting solutions in 43 tests with commercial and custom apps between November and May. While all EMM and vetting solutions passed HSSEDI’s tests, each of the vetting offerings was missing features — like the detection of “sideloaded” apps that circumvented normal installation — that prevented it from being recommended as the preferred option.

While some EMM solutions integrated better with particular vetting solutions than others, vetting solutions differed more widely in their strengths and weaknesses, according to HSSEDI’s report, which was finalized in late June and released Wednesday.

When the two are integrated, a vetting solution can share an inventory of installed apps with the EMM, which can in turn update the agency’s blacklists and whitelists to reduce its threat exposure.

HSSEDI performed the market analysis on behalf of the Mobile Security Research and Development program within the Department of Homeland Security Science and Technology Directorate.

All six vetting solutions satisfied HSSEDI’s tests by producing comprehensive, easy-to-read threat reports, and most were also able to share a device’s app inventory and rescan updated apps quickly.

“However, most services could not perform reputation analysis, and all offerings either incorrectly labeled custom, non-market apps downloaded from the enterprise app store as sideloaded or failed to detect a sideloaded app in some way,” reads the report. “Detection of spoofed and sideloaded iOS apps was a weak point, almost certainly due to iOS platform restrictions.”

HSSEDI further found that not all EMM solutions enforced compliance linked to threats that app vetting detected, and few solutions flagged out-of-date apps.
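As an added example (not code from the HSSEDI report, DHS or any vendor), a small Python model of the vetting-to-EMM loop described above: it classifies each installed app’s source so that custom apps from the agency’s own store are not mislabelled as sideloaded, and turns the vetting results into blacklist and whitelist updates, including the out-of-date check the report found most tools lacked. The installer and signer fields, package names and certificate fingerprints are assumptions.

```python
# Toy model of the app-vetting -> EMM feedback loop the HSSEDI report describes.
# Constructed example: not HSSEDI, DHS or any vendor's code; names are placeholders.
from dataclasses import dataclass, field
from enum import Enum

class Source(Enum):
    MARKET = "market"          # public store (Google Play, App Store)
    ENTERPRISE = "enterprise"  # agency app store: custom, non-market, sanctioned
    SIDELOADED = "sideloaded"  # installed outside any sanctioned store

@dataclass(frozen=True)
class InstalledApp:
    package: str
    version: str
    installer: str  # hypothetical: installer identity reported by the EMM agent
    signer: str     # hypothetical: fingerprint of the app's signing certificate

@dataclass
class Policy:
    market_installers: set
    enterprise_installer: str
    enterprise_signers: set
    latest_versions: dict  # package -> newest version the vetting service cleared
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)

def classify_source(app: InstalledApp, policy: Policy) -> Source:
    # The report found tools that mislabel enterprise-store apps as sideloaded or
    # miss sideloading entirely. ENTERPRISE here needs installer AND signer to match
    # the agency store; a matching installer with an unknown signer is a possible spoof.
    if app.installer in policy.market_installers:
        return Source.MARKET
    if app.installer == policy.enterprise_installer and app.signer in policy.enterprise_signers:
        return Source.ENTERPRISE
    return Source.SIDELOADED

def reconcile(inventory, reports, policy):
    # inventory: apps the vetting service shared with the EMM; reports: (package, version)
    # -> tuple of findings (empty = clean). Returns (package, action, reason) actions + policy.
    actions = []
    for app in inventory:
        findings = reports.get((app.package, app.version))
        if classify_source(app, policy) is Source.SIDELOADED:
            actions.append((app.package, "block", "sideloaded or spoofed install"))
            policy.blacklist.add(app.package)
        elif findings is None:
            actions.append((app.package, "rescan", "no vetting result for this version"))
        elif findings:
            actions.append((app.package, "block", "; ".join(findings)))
            policy.blacklist.add(app.package)
            policy.whitelist.discard(app.package)
        else:
            latest = policy.latest_versions.get(app.package)
            if latest and app.version != latest:  # few tools flagged out-of-date apps
                actions.append((app.package, "update", f"vetted version {latest} available"))
            actions.append((app.package, "allow", "vetted clean"))
            policy.whitelist.add(app.package)
            policy.blacklist.discard(app.package)  # restriction lifted once addressed
    return actions, policy

def run_example():
    # Constructed inventory and reports. "com.android.vending" is Google Play's
    # installer package; every other name and fingerprint is invented.
    agency_cert = "sha256:AGENCY-CERT-PLACEHOLDER"
    policy = Policy(
        market_installers={"com.android.vending"},
        enterprise_installer="gov.example.appstore",
        enterprise_signers={agency_cert},
        latest_versions={"gov.example.fieldnotes": "2.1", "com.example.maps": "9.0"},
    )
    inventory = [
        # custom non-market app from the agency store: must NOT be called sideloaded
        InstalledApp("gov.example.fieldnotes", "2.1", "gov.example.appstore", agency_cert),
        # claims the agency installer but carries an unknown signer: treat as spoofed
        InstalledApp("gov.example.timesheet", "1.0", "gov.example.appstore", "sha256:UNKNOWN"),
        InstalledApp("com.example.maps", "8.5", "com.android.vending", "sha256:MAPS"),
        InstalledApp("com.example.flashlight", "1.0", "com.android.vending", "sha256:FLASH"),
        InstalledApp("com.example.game", "3.2", "", "sha256:GAME"),  # no installer: sideloaded
    ]
    reports = {
        ("gov.example.fieldnotes", "2.1"): (),
        ("com.example.maps", "8.5"): (),
        ("com.example.flashlight", "1.0"): ("sends device contacts to a third-party server",),
    }
    return reconcile(inventory, reports, policy)
```

Running `run_example()` yields one allow for the enterprise app, a block for the spoofed-signer app, an update plus allow for the stale map app, and blocks for the app with findings and the sideloaded game.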

Integration remains an “emerging” process, so HSSEDI shared its results with the solutions’ respective vendors so improvements could be made — and in some cases they already have been made.

HSSEDI did not evaluate mobile threat detection, which detects and defends against runtime security threats — often using app vetting along with device- and network-level protections — and can similarly integrate with EMM.

The agency further plans to examine how continuous app vetting might work within the Continuous Diagnostics and Mitigation program run by DHS.

Because integration is still emerging, the agency didn’t recommend a particular integration scheme in its report.

“HSSEDI recommends that agencies review and understand the strengths and limitations of each tool combination and select the EMM and app vetting solution that fits their needs and desired capabilities,” reads the report.

This expert panel will review the Social Security Administration’s IT modernization efforts

An independent panel of experts has been chosen to review the Social Security Administration’s IT modernization efforts as its official plan nears the two-year mark.

The Social Security Advisory Board announced on Tuesday that 11 high-level IT and management professionals — mostly from the federal contracting space — will assess SSA’s progress on the initiatives outlined in the October 2017 IT Modernization Plan.

“The Panel will also review the success of the systems modernization from the end-user’s perspective, including those inside and outside the agency,” a statement reads.

Alan Balutis, senior director of North American Public Sector at Cisco’s Business Solutions Group, will lead the group. Other members include:

The panel will meet for the first time in “fall 2019” and will present its findings to the Advisory Board by early fiscal 2021.

In summer 2018, SSA leaders spoke about the agency’s IT modernization journey and its focus on hybrid cloud solutions. This kind of environment allows SSA “to reduce our footprint on the mainframe where it makes sense,” John Foertschbeck, senior adviser in SSA’s Office of Systems Operations and Hardware Engineering, said at the time. “We want to be able to put applications in the appropriate location where they run the best.”

The Social Security Advisory Board is a bipartisan, independent federal government agency established to advise the president, Congress and the commissioner of Social Security on matters of policy. The seven-member board was created in 1994.

DHS questions vulnerability disclosure program

The Department of Homeland Security plans to collect information on security vulnerabilities in its information systems and wants to know if its methods are sound.

Section 101 of the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act requires DHS to establish a Vulnerability Disclosure Program. Undiscovered vulnerabilities could be exploited by nation-states or hackers to steal personally identifiable information or manipulate data.

People, organizations and companies will be able to submit vulnerabilities they find in the department’s systems to DHS in a “safe and lawful way” while honing their skills, according to a notice in the Federal Register.

“In addition, without the ability to collect information on newly discovered security vulnerabilities in DHS information systems, the DHS will rely solely on the internal security personnel and or discovery through post occurrence of such a breach on security controls,” reads the notice.

The program will use a form allowing submitters to share vulnerable hosts, information needed to reproduce the bug, suggestions on how to mitigate the problem, and the predicted impact if nothing is done.

Zero-day vulnerabilities, those unknown to DHS, are of particular concern.

DHS anticipated about 3,000 responses, each taking three hours to ingest, for a 9,000-hour burden. The agency wants to know whether potential program participants think the collection is necessary, whether the estimated burden is accurate, whether the information sought should be expanded, and whether automated or electronic submission is needed.

Comments are being accepted until Oct. 28, and the form will ultimately be posted on DHS’s website in addition to those of its subsidiary agencies like the Transportation Security Administration and Immigration and Customs Enforcement.

Congress continues to consider the creation of a DHS bug bounty program, expected to cost $44 million, rewarding independent researchers who find software and hardware vulnerabilities with payouts.

Pentagon plans drone event for new VC, startup matchmaker program

The Department of Defense will look to engage small, innovative businesses that develop small unmanned aircraft systems (UAS) as part of the first industry outreach event for its newly created startup and investor matchmaking program.

Ellen Lord, undersecretary of Defense for acquisitions and sustainment, told reporters at a briefing this week about the small-UAS outreach event planned for October and the progress of the Trusted Capital Marketplace Program — “a public-private partnership that will convene trusted sources of private capital with innovative companies critical to the defense industrial base and national security.”

“[W]e stood up our team to manage both capital vetting requirements and industry outreach and matching efforts,” Lord said. “We have identified the first industry sector target goals, and we hope to have an industry outreach event in October which will focus on small UAS.”

Though she didn’t talk dollars or specifics on the companies or how many will be involved, she said she’s “encouraged we’re moving forward.”

The program chose small UAS — or what many call drones — as its first item of focus because of “where we are right now in terms of having our entire U.S. marketplace eroded,” Lord said. It’s “also because it’s very intuitive, people can understand what these small quadcopters are and so forth.”

Lord pointed the finger at Chinese-based drone developer DJI for eroding the market.

“So essentially, we don’t have much of a small UAS industrial base because DJI dumped so many low-price quadcopters on the markets,” she said. “And we then became dependent on them, both from the defense point of view and the commercial point of view, and we know that a lot of the information is sent back to China from those. So it’s not something that we can use.”

DJI, the world’s largest commercial drone maker, is facing a ban from all U.S. military purchases over cybersecurity concerns and allegations of links to the Chinese government, as Lord suggested. The company, however, says the allegations are “obviously false” and “unsubstantiated speculation.”

A DJI spokesperson contested what Lord said, claiming that no data is automatically sent back to the Chinese government “or to any unauthorized party.” The spokesperson told FedScoop, “If our U.S. customers choose to share any data with DJI, this data is housed and stored on secure Amazon Web Services servers located in the United States.”

The U.S. wants to “rebuild that capability,” Lord said, adding that any developments around small unmanned systems made in the defense sector could also benefit the commercial sector. “We actually have had a lot of work going on in the department about architectures for small UAS, whether they be fixed wings or quadcopters. So we thought it was a good time to stand it up.”

Elaborating on the function of the marketplace, Lord said “we are going to be in different cities around the country convening groups where we would invite the capital providers, as well as the industry representatives. We’re working on who all those people are right now. And then we would provide a mechanism for them to work with one another.”

Lord said in May, when she first announced the program, that its mission is to support “small, innovative companies that, frankly, don’t either have the resources or the sophistication in terms of the contacts to reach sources of capital.” The 2018 National Defense Authorization Act required a pilot of such a program “that supports small and medium-sized companies to manufacture ‘emerging defense and commercial technologies,’” she said.

DOD also wants to figure out how it can get in on the potential investments, she said. “What we’re working on right now is how we, as DOD, can invest a little bit in many of these companies as well, so they could be branded as having DOD contracts. We think that would be helpful.”

Lord alluded to the marketplace team having “a whole list of other areas” it’s considering as future focuses. She hopes to plan another meeting for January and to host events “every couple months.”

DIU wants annual penetration testing, and more, to secure its own IT

The Defense Innovation Unit wants to begin annual penetration testing, red teaming and cybersecurity training to ensure its own networks are compliant with federal standards.

The agency’s Washington Headquarters Services Acquisition Directorate seeks quotes from small businesses for 12 months of services. Businesses worth $27.5 million or less qualify, and the fixed-price order requires offers to stay firm for 120 days after the Sept. 16 deadline.

As the Pentagon’s innovation arm, DIU procures commercial solutions to rapidly improve national security. In this case, it’s looking to help itself. Services will be delivered in three phases, the first being penetration testing of key information technology complete with vulnerability scans, a systems audit using a series of attacks and a final report. The winning vendor is expected to have more than 10 years of penetration testing experience.

Phase two involves red teaming — simulated, real-world attacks that will expose weaknesses in DIU’s information security program and document evidence of compromises with screenshots and video of physical or electronic breaches.

The final phase, team training, will use the data gathered from the first two phases to enhance cyber defenses and mitigate vulnerabilities while training staff on current attack techniques. A multi-staged, skill-enhancement program will be developed including blind spot analysis and cyber hygiene training.

The performance work statement calls for “designing and assisting in the creation of supporting processes that allow for a series of systems that enable DIU to actively manipulate the operating environment of a potential attacker. This may include designing and implementing systems that provide additional operational awareness.”

Systems will deploy deception- and decoy-based cyberdefenses to slow attacks. The solutions are expected to work with other technologies like Google Drive, Amazon Cloud Services, Azure Active Directory and VMware tools.

The end goal is “to help shift the organization to a highly mature defensive position by transitioning from being unaware of certain types of threats, to being aware, to being reactive, and finally to being proactive on the defensive front,” reads the statement. “This includes mapping actions required to achieve the highest level of defensive posture available within a given budgetary range.”

Military services ‘truly aligned’ on IT delivery, Air Force deputy CIO says

The different branches of the military are better aligned in their IT delivery than Air Force Deputy CIO Bill Marion has ever seen them before.

As each of the services drives toward an IT-as-a-service (ITaaS) delivery model — partnering with commercial vendors to provide reliable and fast commodity network and device services — they are coming together and leveraging each other’s progress rather than starting from scratch, Marion said Tuesday at the Air Force Information Technology & Cyberpower event in Montgomery, Alabama.

“Services, cloud, the network, all of those elements — we have a consistent path we’re all going down together,” Marion said. “It truly is aligned.”

The Navy and Air Force have a long-standing partnership on IT work. The Air Force has looked to build upon the Navy’s momentum and success implementing the Next Generation Enterprise Network (NGEN) contract in developing its own IT and network services program, which it categorizes as enterprise IT-as-a-service (EITaaS).

“We share day in and day out,” Marion said of the relationship between Navy and Air Force.

Marion also revealed how closely the Air Force is working with the Army to help stand up its own ITaaS program. “The Army is all in with us,” Marion said.

As CIO Lt. Gen. Bruce Crawford alluded to in the past, the Army needs to modernize its network as rapidly as possible, and therefore, it’s looking to take advantage of the progress made in industry and with its service partners to shorten that timeline.

In doing that, Marion said, the Army has agreed to “leverage” the Air Force’s Common Cloud Environment, which it recently renamed Cloud One.

“They’re not going to build their own cloud infrastructure, they’re going to leverage what [the Air Force] team has been building over the past couple years to their next level,” he said. “So they’re not going to recreate the wheel.”

Crawford and the Army are also leveraging the Air Force’s work around network-as-a-service and EITaaS, Marion said. “The good news is they’re going down a little bit of a different approach in some areas … we have a pretty recurring meeting where we’re trying to stay synchronized. I honestly think that we couldn’t be in a better time.”

Marion credits Department of Defense CIO Dana Deasy with fostering this great alignment. Deasy is the first DOD CIO to receive the enhanced budget and standards-setting authority provided to the position by the fiscal 2019 National Defense Authorization Act, effective as of Jan. 1, 2019.

“Mr. Deasy has orchestrated the service layer like I have not seen orchestrated before,” Marion said.

The services will also look to leverage Pentagon-level programs where they can. The Air Force anticipates rolling its Cloud Hosted Enterprise Services (CHES) program into the forthcoming DOD-wide $8 billion Defense Enterprise Office Solution (DEOS) back-office collaboration tools cloud contract, Marion said.

Additionally, “All of our cloud initiatives will leverage JEDI when it’s awarded,” he said, referencing the Pentagon’s contentious $10 billion Joint Enterprise Defense Initiative program that’s been held up in the courts for nearly all of 2019. Just yesterday, Oracle — a company whose bid for the contract didn’t make the cut — announced it will appeal a prior federal court decision denying its protest of the single-award contract.

“That gives us an enterprise cloud contract, that’s the bottom line,” Marion said of JEDI. “So we’ll leverage those tools as they get awarded.”

TSA lines up a facial-recognition proof of concept for Las Vegas airport

The Transportation Security Administration is again preparing to test facial recognition technology that could speed up the check-in process for travelers.

The agency has published a privacy impact assessment (PIA) for the “short-term” proof-of-concept project at Las Vegas’ McCarran International Airport. TSA wants to automate the Travel Document Checker process by taking photos of travelers and comparing the live image against an image from the person’s passport or ID.

Participation is opt-in — only certain document checking lanes will be part of the proof of concept. And all travelers, regardless of participation, will have their documents checked the old-fashioned way as well.

The test, as TSA puts it, is one of its “initial steps toward modernizing the airport checkpoint.”

“TSA expects that facial recognition may permit TSA personnel to focus on other critical tasks and expediting security processes — resulting in shorter lines and reduced wait times,” the PIA states. “Biometric matching is also expected to increase TSA’s security effectiveness by improving the ability to detect impostors.”

Not the same as the LAX test

This isn’t TSA’s first experiment with facial recognition for document verification. In January, the agency announced that it would conduct a similar three-week proof of concept at Los Angeles International Airport. But the actual technology will be a little different this time.

At LAX, TSA used an automatic biometric gate to capture real-time images of travelers. At the Las Vegas airport, the task will instead be done using an existing Credential Authentication Technology device with a camera on it. TSA will use a “proprietary facial matching algorithm” to match the live picture with the travel document picture.

TSA isn’t the only Department of Homeland Security component agency with a strong interest in facial recognition applications. Customs and Border Protection, the agency charged with running the Biometric Exit Program, is looking to expand its use of facial recognition at airports and other points of entry.

“The paradigm will evolve from biographic data focused to biometric data centric,” the agency wrote in a draft request for proposal released earlier this month. “CBP will identify travelers biometrically based on information already in CBP holdings as an alternative to having the traveler present their travel document.”

CBP’s use of the technology has garnered some criticism from lawmakers worried about privacy, however. And recent House Oversight and Reform Committee hearings on facial recognition have revealed strong bipartisan support for regulating the use of the technology.

Oracle appeals federal court’s JEDI dismissal

Oracle will take its protest of the Pentagon’s JEDI cloud contract to a federal appeals court.

The company filed a motion Monday to appeal a U.S. Court of Federal Claims decision last month denying Oracle’s lawsuit against the Department of Defense’s development and handling of JEDI.

The judge ruled in July against Oracle’s claims that a potential conflict of interest between DOD and intervenor Amazon Web Services impacted the acquisition strategy and that DOD’s requirement of gate criteria, which Oracle failed to meet, prejudiced the potential $10 billion cloud contract. However, the judge found the justification for issuing a single award for the contract to be “flawed.”

In a statement, Oracle focuses on the judge’s issue with the single-award justification as its grounds for appeal.

“The Court of Federal Claims opinion in the JEDI bid protest describes the JEDI procurement as unlawful, notwithstanding dismissal of the protest solely on the legal technicality of Oracle’s purported lack of standing,” says the statement, attributed to Oracle general counsel Dorian Daley. “Federal procurement laws specifically bar single award procurements such as JEDI absent satisfying specific, mandatory requirements, and the Court in its opinion clearly found DoD did not satisfy these requirements.”

Daley also again alleges conflicts of interest that “violate the law and undermine the public trust.”

“As a threshold matter, we believe that the determination of no standing is wrong as a matter of law, and the very analysis in the opinion compels a determination that the procurement was unlawful on several grounds,” he says.

This appeal emerges as JEDI faces a series of internal challenges at the Pentagon — new Secretary of Defense Mark Esper is undertaking a review of the contract, and the department inspector general is conducting an investigation into the alleged conflicts of interest and the acquisition strategy and requirements.

Esper’s decision to review the contract came after a number of Republican lawmakers urged him and Trump to review the acquisition. Lobbyists for Oracle appear to be at the center of the orchestrated efforts to derail JEDI, passing a document around Washington with a flowchart titled “A Conspiracy to Create a Ten Year DoD Cloud Monopoly,” according to a CNN report.

This will mark Oracle’s third time protesting the contract. In addition to the lawsuit in federal claims court, the Government Accountability Office also denied the company’s pre-award protest late last year. Oracle’s appeal goes to the U.S. Court of Appeals for the Federal Circuit.

Backlog of VA medical records awaiting digitization is 5 miles tall

Across the country at Department of Veterans Affairs medical facilities, there’s a massive backlog of documents waiting to be scanned and digitized that, if stacked, would stand more than 5 miles tall.

For reference, that’s taller than 18 Empire State Buildings. It’s just 2,000 feet short of the peak of Mount Everest.

Since 2014, the VA has allowed veterans to seek care outside of its facilities under the Veterans Access, Choice and Accountability Act. When that happens, those non-VA facilities generate records and send them, often as paper copies, to the VA to be integrated digitally with a veteran’s electronic health record.

Veterans have visited community providers — as the non-VA facilities are called — for more than 70 million appointments and counting, each time creating at least one new medical document to send to the VA and integrate into an EHR.

According to a new inspector general’s report, “[s]ignificant medical documentation backlogs have occurred VHA-wide in part because VA medical facility staff did not scan documentation and enter electronic medical records into patients’ EHRs in a timely manner.” The result is a “backlog of paper documentation that measured approximately 5.15 miles high and contained at least 597,000 individual electronic document files dating back to October 2016.”

To make things worse, this could just be the tip of the digitization iceberg. As of June, the MISSION Act allows veterans to see a more expanded network of community providers. With that, there’s “the potential to significantly increase the volume of documentation VA medical facilities will receive from outside providers for scanning, as well as any related backlog,” the IG says.

The IG based its calculation on self-reported “data provided by the eight facilities visited and the 78 facilities interviewed.” And there’s probably quite a bit more than that, as the “totals do not include facilities that lacked quantifiable measures for their backlogs (i.e., those without paper document or electronic file calculations, such as facilities that only noted the age of the oldest document without calculating quantity).”

The paper pileup stems from the lack of “adequate oversight or resources to support the mission of medical document scanning and indexing for quality patient care,” the IG said.

“Inaccurate EHRs put patients at risk and compromise continuity of care because accurate medical diagnoses and treatment depend on complete and current documentation,” the report concludes. “VHA needs to improve supervision and management of scanning activities to ensure medical documents are indexed to patients’ EHRs in a timely manner. This will help ensure veterans receive appropriate, thorough, and timely care.”

The backlog provides yet another layer of challenges the VA faces in developing an effective modernized electronic health records system. The department has struggled for decades to provide a system that will interoperate with the Department of Defense’s, so transitioning service members can access their files when they become veterans.

However, the VA has made progress in recent years, signing a contract with Cerner estimated to be worth $16 billion to develop a modernized system that should work seamlessly with DOD’s Cerner-based system. The VA also touted a “major milestone” this summer, saying it migrated 78 billion health records, including vital signs, lab tests and others, from its legacy systems to the new EHR.