GSA begins pilot using OTA-like streamlined acquisition process
The General Services Administration announced Monday its client support center for acquisitions will use a streamlined process, designed to attract startups, to procure innovative, commercial solutions.
As part of a pilot, GSA’s FEDSIM innovation team will rely on the commercial solutions opening (CSO), a solicitation outside the Federal Acquisition Regulation, to acquire technologies and services in the production phase or adapted from existing products from “traditional and non-traditional government contractors.”
“The goal of this pilot program is to provide a streamlined approach for acquiring innovative commercial products and services,” GSA says.
CSO is a recently created tool with simplified contract terms; Section 880 of the National Defense Authorization Act for fiscal 2017 authorized GSA to create the pilot. It’s similar to the Other Transaction Authority of defense agencies but differs in that it’s not legally binding, GSA says.
FEDSIM will post solicitations from client agencies for specific projects of technical areas of interest as they open.
New technologies, processes, methods, applications, and adaptations at the time a proposal is submitted will be considered.
The CSO process consists of submission of a written solution brief, an oral presentation if applicable, and a request for proposal.
Currently, FEDSIM is accepting briefs for three Defense Department CSO solicitations: AFWERX Hub, Marine Maker and the Joint Artificial Intelligence Center Humanitarian Assistance and Disaster Relief DAMAGE.
The Defense Innovation Unit also uses CSOs to speed up vendor selection for innovative needs.
Department of Commerce mulls IT support acquisition strategy
The Department of Commerce wants industry’s input on a “potential acquisition strategy” for information technology support in six areas.
DOC issued a request for information Monday on the chief information officer’s Solutions and Partners (S&P) requirement, which aims to help the Office of Enterprise Services and Solutions provide IT departmentwide.
Specifically, the S&P draft statement of work seeks vendors able to deliver lifecycle support of websites, operations and maintenance support for legacy Minority Business Development Agency data, MBDA MedWeek and national conference support, Salesforce integration services, project management, and SharePoint support.
Vendors would be expected to take an agile approach to improving existing solutions and developing new ones, regularly communicate project updates and work with agencies so they can request products.
Respondents are asked to submit performance measures, as well as potential pricing structures and contract types.
A solicitation may come out of the RFI with the intent of DOC making a contract award.
Space Development Agency seeks information on its satellite strategy
The Space Development Agency, the Pentagon’s new space agency, plans to use constellations of satellite networks as a part of an initial plan to deter near-peer adversaries in space, according to a recent request for information.
The request seeks industry insight into both the satellite network plan and technical aspects of the satellites themselves. It asks for feedback on satellite bus, payload, applique and launch concepts that can contribute to the new agency’s strategy.
The current plan is to have all the satellites organized into eight constellations, or layers, that will provide different data to the military. The layers, as listed in the RFI, are space transport, tracking, custody, deterrence, navigation, battle management and support. A key element for the success of the satellites will be keeping the data links at each layer in constant contact with ground operations.
The agency was chartered in March by then-acting Defense Secretary Patrick Shanahan to help bolster the military’s push into the final frontier of space. The Air Force houses a Space Command, but President Donald Trump has called for a separate space force. A stand-alone branch dedicated to space has yet to be funded by Congress, but this year’s National Defense Authorization Act could answer those calls in some form.
Much of the strategy outlined in the document focuses on the threat from Russia and China and explains how different layers of satellites would deter the countries’ power.
“[M]aintaining our advantage in space is critical to winning these long-term strategic competitions,” the request states in reference to Russia and China. The “multi-functional constellation of small satellites” is designed with those threats in mind, the request goes on to say.
DOD wants to use virtual reality to train troops for nuclear threats
The Pentagon wants to bring the defense of nuclear threats to (virtual) reality.
A notice seeking sources indicates the Defense Threat Reduction Agency’s interest in adding virtual and augmented reality training to nuclear battlefield drills for soldiers. The training would not replace other types of training requirements, instead adding a new technical layer to nuclear readiness, according to the notice. The agency is looking for technical solutions and hardware assistance in bringing the training environment to warfighters.
The notice is similar to a recent development from the Army. The branch is pushing a program dubbed the “Synthetic Training Environment” that will enable multiple types of virtual training to equip service members with training in a range of global environments.
The Defense Threat Reduction Agency’s envisioned solution is more targeted at replicating nuclear warfare and “radiological” threats. The solicitation is looking for coding language, hardware requirements and other specific information about systems that could be implemented.
The “[p]urpose is to test warfighter scenarios and decision-making to provide users realistic outcomes to support training and course-of-action selection when faced with radiological/nuclear threats,” the solicitation states.
Here’s the role the government should play in setting AI standards, according to NIST
The National Institute of Standards and Technology has some ideas about the actions the federal government should take in developing artificial intelligence standards — and the suggestions have a lot to do with understanding the “trustworthiness” of the technology.
Continuing its role as set out in President Trump’s executive order on AI, the agency recently published a draft “plan for federal engagement in AI standards.” The document is the outcome of both a request for information published May 1 and a workshop held May 30.
“America’s success and prospects as the global AI leader demands that the Federal government play an active role in developing AI standards,” the draft plan reads. “The Federal government should commit to deeper, consistent, long-term engagement in AI standards development activities to help the United States to speed the pace of trustworthy AI technologies.”
Specifically, the plan has four suggested actions. The federal government should:
- Bolster AI standards-related knowledge, leadership, and coordination among Federal agencies to maximize effectiveness and efficiency.
- Promote focused research to advance and accelerate broader exploration and understanding of how aspects of trustworthiness can be practically incorporated within standards and standards-related tools.
- Support and expand public-private partnerships to develop and use AI standards and related tools to advance trustworthy AI.
- Strategically engage with international parties to advance AI standards for U.S. economic and national security needs.
The draft plan points to “trustworthiness” as a central element of artificial intelligence — for example, it suggests that NIST should develop metrics that can be used to assess “trustworthy attributes of AI systems.”
The draft plan is also, however, careful not to place too much emphasis on what the government alone brings to the table. “The government’s meaningful engagement in fulfilling that role is necessary — but not sufficient — for the nation to maintain its leadership in this competitive realm,” it reads. “Active involvement and leadership by the private sector, as well as academia, is required.”
Michael Kratsios, deputy assistant to the president for technology policy, called the plan “another critical step in implementing the American AI Initiative, our national strategy to maintain and strengthen America’s leadership in AI.”
NIST is accepting public comment on the draft plan until July 19 — a final version is due August 10.
DOE teams with industry on pipeline cybersecurity
The Department of Energy is working with industry to craft recommendations in the next several months for increasing cybersecurity around pipeline critical infrastructure.
Private entities and key agencies formed a consortium over concerns industrial control systems (ICS) are increasingly being targeted by nation-states, hacktivists and advanced persistent threats, but such incidents aren’t being discussed.
Companies worry share prices will be impacted or they’ll become the target of even more attacks if they share the information, with the end result being that cyberthreats remain unclear, Jason Haward-Grau, chief information security officer at PAS Global LLC, told FedScoop.
“The first rule of cybersecurity fight club is you do not discuss cybersecurity fight club,” Haward-Grau said.
PAS Global, an ICS cybersecurity and operational technology (OT) company, is part of the consortium offering insight into the significant increase in European Union governmental regulation and oversight of critical infrastructure — given its European clientele. The EU had to wake up to threats faster, after the Ukraine power grid cyberattack in December 2016, with its network and information systems directive, Haward-Grau said.
While President Trump’s executive order on strengthening cybersecurity of critical infrastructure did something similar, the Government Accountability Office found in May that the Transportation Security Administration lacks a process for updating pipeline security guidelines.
TSA currently oversees the physical security and cybersecurity of more than 2.7 million miles of computerized, interstate pipeline systems transporting oil, natural gas and other hazardous products — making them “attractive targets for hackers and terrorists,” GAO reported.
“It is important for TSA to update its policies to reflect cybersecurity threat conditions, and establish a realistic cyber-attack response plan,” Tamara Anderson, a vice president and general counsel at PAS Global, said in a statement. “It’s also appropriate to question whether TSA continues to be the best agency to carry an appointment of responsibility for monitoring and securing our nation’s pipelines.”
That’s because pipelines don’t operate like transportation infrastructure and most running today provide energy in some shape or form, Haward-Grau said.
DOE, not TSA, is leading the consortium’s recommendation effort.
PAS Global developed a passive way to inventory IT and OT systems for its clients. A pipeline operator may only need to secure 500 IT devices, but on the OT side of the security equation there may be as many as 28,500 endpoints where digital meets physical infrastructure, Haward-Grau said.
Aside from being complex, the OT landscape is full of proprietary systems between 18 and 20 years of age on average — compared to IT systems that are replaced every three to five years. Air gapping doesn’t work like it used to, and hackers increasingly understand how ICS works, Haward-Grau said.
In 2014, hackers breached a large, German steel smelting plant when control engineers ordered a pizza from a contaminated website with the same credentials used to access their IT environments. The attackers poked around and, not understanding the OT system, accidentally triggered the shutdown of a blast furnace causing massive damage.
OT relies on independent layers of protection including alarms and a safety system, independent of the ICS, that shuts everything down safely as a last resort. But Triton malware has penetrated even that, Haward-Grau said.
Internet of Things devices are now being co-opted in distributed denial-of-service attacks as OT systems are increasingly digitized and connected to business systems wirelessly to save money. And more reliable fifth-generation wireless infrastructure is being installed across plants without security necessarily being considered.
“There’s a significant opening up of the attack surface,” Haward-Grau said.
The compromise of a target-rich OT environment means it can be ransomed, he added.
Unlike IT, where the priorities are confidentiality and system integrity, OT’s focuses are safety, reliability and resource availability. Design, management, and maintenance of ICS require cyber skills not being taught to enough IT technicians because it means educating them on those differences, Haward-Grau said.
“There are about 2 million vacancies across the cyber landscape right now,” he said.
USCIS integrates additional case management systems within myUSCIS
The U.S. Citizenship and Immigration Services is integrating a number of its existing case management systems with the myUSCIS portal to expand the types of immigration requests that can be filed electronically.
The agency published a privacy impact assessment (PIA) last week revealing that it is updating myUSCIS to include:
• Computer Linked Application Management System 3, or CLAIMS 3, which is used to manage the adjudication process for most domestically filed immigration benefit filings.
• Global, which supports the screening of individuals during the credible fear, reasonable fear, affirmative asylum, defensive asylum, and Nicaraguan Adjustment and Central American Relief Act (NACARA) processes.
• The Investor File Adjudication Case Tracker (INFACT), which fills the case management needs in support of the FOD Immigrant Investor Program Office.
The PIA also announced that myUSCIS is integrating with “data streaming services” to share data between applicable USCIS systems.
MyUSCIS is the agency’s front door for “a personalized and seamless immigration experience,” the PIA states. It launched in 2015, the result of a partnership between the U.S. Digital Service, 18F and USCIS.
Since launch, the myUSCIS portal has been continuously expanded to include a variety of ways in which people might need to interact with the immigration agency — like check case status, see appointment dates and file critical paperwork. Last summer, for example, USCIS announced that it had expanded its Freedom of Information Act Immigration Records SysTem (FIRST) to allow people who file FOIA requests with the agency to track those requests online within a myUSCIS account.
Bipartisan bill would mandate DHS to keep a close eye on deepfakes
A bipartisan bill making its way through Congress would require the Department of Homeland Security to keep its eye on deepfake content and the technologies used to create it.
Under the “Deepfakes Report Act of 2019,” the secretary of homeland security would need to file reports every 18 months on the national security impacts of deepfake content — fake video or audio produced with advanced technology to look or sound real.
The threat deepfakes pose could have wide-ranging impacts on elections, national security and media with content spreading false messages that sow discord in a realistic way. Already, a doctored video of House Speaker Nancy Pelosi and deepfake of Facebook founder Mark Zuckerberg have shown the devastating potential of internet forgery.
Without technology to determine what content is a deepfake, unflattering yet true videos could be labeled fake to avoid political backlash.
“We cannot allow our enemies to use these tools to threaten our nation’s security and democracy,” said Rep. Stephanie Murphy, D-Fla., one of the bill’s sponsors and a former national security specialist at the Department of Defense.
The bill would mandate the report to include information on the underlying technologies producing deepfakes, assessments of how foreign governments and their proxies could use deepfakes and other ways deepfakes could impact national security. It calls for congressional hearings to accompany the unclassified reports.
In September, lawmakers on the House Intelligence Committee called for the intelligence community to study foreign adversarial use of deepfakes.
While the secretary of DHS and undersecretary of the department’s Science and Technology Directorate would be responsible for producing the report, they would need to coordinate with other agencies, such as members of the intelligence community, the Department of Defense, White House and others.
DOD’s artificial intelligence center wants pitches from industry this fall
The Department of Defense’s Joint Artificial Intelligence Center will take pitches on a range of cybersecurity and AI-related initiatives from select private sector companies in the coming months.
The center says it’s particularly interested in the topics of autonomous cyberdefense; user activity monitoring and attribution; social media and dark web analysis; DevOps techniques; network mapping; and data engineering. The Pentagon is currently accepting applications to attend the meeting and plans to host it in the Northern Virginia area in late summer or early fall of 2019, according to a notice.
The JAIC is the Pentagon’s hub for AI initiatives, and it has worked to get private industry involved in developing military applications.
The meeting’s notice also lists more detailed areas of need that the JAIC is interested in hearing pitches on, including vulnerability identification, autonomous patching, self-generating code and retrospective and prospective analysis.
The meeting will be hosted by the DOD’s Rapid Reaction Technology Office on behalf of the JAIC’s Cyberspace National Mission Initiative.
Companies that present technology matching the DOD’s needs could be selected for pilot projects or experimentation, the notice said.
Taxpayer First Act reinstates streamlined IT hiring at the IRS
A bill signed Monday by President Trump gives the IRS the ability to quickly hire temporary employees with critical IT skills.
The Taxpayer First Act brings back “streamlined critical pay,” an authority first granted by the IRS Restructuring and Reform Act of 1998. It expired in 2013, and since then IRS leaders have advocated for its return.
“There’s 300,000 cyber positions available in our country with a 0 percent unemployment rate,” IRS Commissioner Charles Rettig said during a congressional hearing in April. “We’re competing with all the other entities that you can imagine. Onboarding people is a difficult process outside of that,” as it takes almost a year to bring new personnel onboard. Streamlined critical pay would “allow us to be somewhat competitive with the private sector,” he went on.
Streamlined critical pay (SCP) allows the IRS to hire up to 40 people at one time in four-year-long technical positions critical to the success of the agency. It also authorizes the agency to pay higher base salaries to these hires.
A 2014 review of streamlined critical pay by the Treasury Inspector General for Tax Administration found that the IRS used this authority “appropriately.”
“We determined that the critical pay positions were adequately justified, the need to recruit or retain exceptionally well-qualified individuals was demonstrated, pay limitations were adhered to,” the report reads. TIGTA did state, however, that if the program were to be reinstated it would recommend more clearly defined oversight.
“If Congress chooses to once again authorize the IRS SCP authority for a specific period of time, or permanently, we believe it would be beneficial to clearly define the extent of any independent oversight the program should have and who would be designated to provide the oversight,” it said.
The Taxpayer First Act includes a number of other technology-related clauses as well. It codifies the role of the IRS CIO, a role that is currently filled on an acting basis by Nancy Sieger. It also directs the CIO to “develop and implement a multiyear strategic plan for the information technology needs of the Internal Revenue Service” and update that plan on an annual basis.