Make the most of your cybersecurity capabilities before investing in more

If you’re like many people in today’s app-centric culture, whenever a technology-related challenge arises, your first instinct might be to throw more technology at the problem. Think of when a new security policy is introduced or a previously unknown virus or hack is discovered. It’s understandable if your initial inclination is to look into procuring, or having research and development create, a new application to address the issue.

But what if you already have the answer you need? Maybe it already exists in one of the applications that make up your technology stack. Or perhaps it’s baked into the operating system you’re currently using. With an ever-growing technology stack, it is easy to lose track of tools that are already at your fingertips.

Let’s take a look at how you can optimize your stack to make the most out of the technology you already have and strengthen your security posture.

What is a “security solution,” anyway?

According to IDC, worldwide spending on security solutions was expected to reach $91 billion last year, and the federal government is one of the biggest spenders. But what constitutes “security solutions” in 2019? Certainly, standalone firewalls, virus protection software, and similar technologies fit the bill. But so do operating systems and other solutions that, 10 years ago, may not have been considered true “security solutions.” Back then, security was often sold as a separate offering. Today, it’s considered table stakes and often baked into many infrastructure technologies and operating systems.

And yet, per the IDC report, agencies are continuing to invest more money in additional applications to bolster their security postures. Perhaps this is because they do not understand the full capabilities of the solutions they have already purchased. Or, maybe their technology stacks have grown so big they no longer have a good grasp on which solutions are included within them. This can pose real issues when it comes to FITARA scorecards, which include regularly updated and maintained software inventories as a key metric.

Fortunately, there are three things you can do to tame your security tech stack and help you get the best possible ROI for the technology you’ve already purchased.

Work with vendors to understand what you’re already paying for

Modern operating systems can contain thousands of packages, many of which you may never use. But if a certain need does arise–a new lock-down script and tooling for better security, for example–it’s a good idea to first check to see if it’s included in your current operating system. This could save you from taking the time to research and potentially acquire a new solution that ends up being duplicative of an untapped feature you’ve already paid for.

Your first step should be to contact your vendor, who can help answer your questions and identify whether or not their software includes the capabilities you need. While any good vendor should willingly do this, those who offer their services as part of a subscription are particularly incentivized to help. These vendors have a vested interest in helping you get the most value from your software investment.

Many of these vendors offer free workshops and individual and group skills assessments. These are designed to help you familiarize yourself with their solutions and provide a baseline evaluation so you can understand where to focus your training. Take them up on these offers. Their experts and training materials can help you understand and uncover tools that you may not have otherwise known about.

Use outside resources and communities

You don’t just have to rely on vendors, however. There’s a wealth of information and resources dedicated to government technology. Use them to help uncover the hidden features of your operating systems and applications or understand whether or not a particular solution is worth your time and money.

There are a number of communities made up of fellow federal IT professionals who can help answer your questions and guide you in making the right technology decisions. Govsec is an active forum in which government and systems integrator users discuss and explore the latest security best practices. Its purpose is to provide information regarding existing compliance and accreditation strategies so you don’t have to duplicate efforts. You can also use the SCAP Security Guide to share best practices surrounding security. In each case, you can learn from peers who are facing the same challenges as you and lend your own voice to the community that is solving them.

NIST’s National Checklist Program Repository is also a great resource. With the Checklist, you can receive low-level and authoritative government and vendor guidance on setting the security configurations of various operating systems and applications. It’s a simple and direct way to discover how to implement the security features of the solutions you already have in your stack.
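As an added example (not part of the original column), the following POSIX shell script shows what the “check what you already have first” advice looks like in practice on a RHEL-family host: it first tests whether the OpenSCAP scanner and the SCAP Security Guide content that implements NIST checklist guidance are already installed, and then summarizes an XCCDF results file so you can see which checklist rules still fail. The data stream path and the “standard” profile name are assumptions for a RHEL 7 system, and the results snippet embedded in the script is constructed for illustration, not real scanner output.

```shell
#!/bin/sh
# Added example (not from the article). Before procuring a new hardening
# tool, check whether the OS already ships the SCAP scanner and the SCAP
# Security Guide content, then measure the host against a checklist profile
# and list what still fails.
#
# Assumptions (adjust for your platform): a RHEL-family host where the
# scap-security-guide package installs its data stream at the path below
# and provides the "standard" profile. Run `oscap info "$SSG_DS"` to list
# the profiles your content actually contains.
SSG_DS="${SSG_DS:-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml}"
SSG_PROFILE="${SSG_PROFILE:-xccdf_org.ssgproject.content_profile_standard}"

# Returns 0 when the scanner binary and the content are already present.
have_ssg() {
    command -v oscap >/dev/null 2>&1 && [ -r "$SSG_DS" ]
}

# Evaluates the host against the profile (needs root). $1 = results file to write.
run_scan() {
    oscap xccdf eval --profile "$SSG_PROFILE" --results "$1" "$SSG_DS"
}

# Counts rule results with a given status (pass, fail, notapplicable, ...).
# $1 = XCCDF results file, $2 = status. grep exits 1 on zero matches, which
# is a valid count, so only real errors (exit 2) propagate.
count_results() {
    grep -c "<result>$2</result>" "$1" || [ $? -eq 1 ]
}

# Prints the XCCDF rule id of every failing rule, one per line. Relies on
# the scanner layout where <rule-result idref="..."> precedes its <result>.
failing_rules() {
    awk '/<rule-result/ {
             if (match($0, /idref="[^"]*"/))
                 id = substr($0, RSTART + 7, RLENGTH - 8)
         }
         /<result>fail<\/result>/ { print id }' "$1"
}

# Constructed sample results (not real scanner output) so the summary
# functions can be exercised offline. Writes a temp file and prints its path.
write_sample_results() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_example">
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF
    echo "$f"
}

# Summarize a results file: pass/fail counts, then the failing rule ids.
report() {
    echo "$(count_results "$1" pass) passed, $(count_results "$1" fail) failed"
    failing_rules "$1"
}

# Stand-alone use: say whether the tooling is already on the box, then show
# the summary on the constructed sample.
if have_ssg; then
    echo "oscap and $SSG_DS are already installed; as root: run_scan /tmp/results.xml"
else
    echo "oscap or $SSG_DS missing; check for the scap-security-guide and openscap-scanner packages"
fi
sample=$(write_sample_results)
report "$sample"
rm -f "$sample"
```

When the scanner and content are present, `run_scan /tmp/results.xml` followed by `report /tmp/results.xml` gives you the list of checklist rules the host does not yet meet, which is the gap analysis to do before deciding whether any additional product is needed.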

So before you begin researching new applications and start filling out those requisition forms, do yourself a favor. Take a close look at what you’ve got at your disposal. Call your vendors and talk to them about the tools you’ve purchased. There’s a good chance you may already have what you need.

David Egts is chief technologist, North American Public Sector, Red Hat

Coding it Forward team to launch accelerator for students with civic tech ideas

The same students that brought the Civic Digital Fellowship to Washington are now expanding their programming to create a virtual, semester-long accelerator for students interested in creating civic tech or social impact products.

It’s called Build.

“As students ourselves, we know that it can be difficult to get an idea off the ground,” the web page reads. With the first edition of Build, which is currently accepting applications, students will learn things like user research, product design, prototyping, and iterative testing, all from a curriculum developed by the Coding it Forward team. The goal is for students to take a mere idea and turn it into a minimum viable product with the help of mentorship and lectures.

CIF community manager Emily Fong, a recent graduate of New York University, is taking the lead on Build.

While the new program may seem like a bit of a departure from what Coding it Forward has been focused on thus far, the impetus for Build is actually the same as for the Civic Digital Fellowship. At the end of the day, it’s about getting more young people involved in civic technology.

“We’ve received overwhelming interest in the Civic Digital Fellowship over the past 3 years — but our acceptance rate hovers around 5 percent,” Rachel Dodell, the co-founder and executive director of CIF, told FedScoop in an email. “Since Coding it Forward’s mission is to break down barriers to social impact spaces for as many technology students as possible, we realized that only having one program offering wouldn’t be enough to meet the demand of students who want to engage with this field.”

CIF recently wrapped up its application period for the third edition of the Civic Digital Fellowship. In 2019, accepted students will receive summer-long placements at the Department of Health and Human Services, U.S. Census Bureau, Department of Veterans Affairs, General Services Administration and Citizenship and Immigration Services.

Christine Calvosa officially named FCC CIO

Federal Communications Commission Chairman Ajit Pai announced Monday that he has officially appointed Christine Calvosa to the role of agency CIO.

“I am delighted that Ms. Calvosa will be serving as the FCC’s Chief Information Officer,” Pai said in a statement. “The FCC’s aggressive agenda requires an expert and agile information technology team. That team needs a leader with deep expertise in all aspects of IT development, deployment, and information security.”

Calvosa isn’t new to the role — she’s been serving as acting CIO since summer 2017 when former tech head David Bray left the agency. Prior to that, she worked as the agency’s deputy CIO under Bray.

Bray’s tenure at the FCC has become a source of controversy since he left the agency. Bray infamously claimed that the agency had been a victim of a distributed denial of service (DDoS) attack in May 2017. Other experts immediately questioned his claims and, eventually, the FCC’s inspector general said it did not occur. Pai has laid blame for the misinformation squarely at Bray’s feet.

“I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people,” he said in a statement at the time of the IG’s report. He also intimated that others working with Bray, as Calvosa was at that time, had doubts about the information.

“Ms. Calvosa has demonstrated the ability to deliver on this agency’s complex information technology requirements,” Pai said in the statement announcing her appointment. “I look forward to continuing to work with her.”

Trump appoints (a different) Roger Stone as White House CIO

President Donald Trump has appointed Roger L. Stone as the director of IT for the White House.

Not to be confused with the recently indicted longtime Trump adviser, Stone replaces Chris Herndon, who served in the position for about two years, beginning when Trump took office.

In the role, Stone will essentially serve as CIO of the Executive Office of the President, the White House and the Office of the Vice President. President Barack Obama created the role in 2015 to “have the primary authority to establish and coordinate the necessary policies and procedures for operating and maintaining the information resources and information systems provided to the President, Vice President, and EOP.”

The role is separate and very different from the federal CIO, which is based in the Office of Management and Budget. Suzette Kent holds that job, which has governmentwide impact.

Prior to his appointment, Stone served on Trump’s National Security Council as deputy senior director of resilience policy and in a variety of roles at the Federal Emergency Management Agency, beginning in the Obama administration, according to his LinkedIn.

DOD unveils enterprise cloud strategy with preference for JEDI

The Pentagon has published its long-awaited enterprise cloud strategy and sent it Monday to Congress.

The new strategy refers to the cloud as a department priority and “a fundamental component of the global infrastructure that will empower the warfighter with data and is critical to maintaining our military’s technological advantage.” The document lays out the current defense IT operating environment, the department’s strategic objectives, approaches and guiding principles, and how it will implement the strategy.

“The DoD Cloud Strategy reasserts our commitment to cloud and the need to view cloud initiatives from an enterprise perspective for more effective adoption,” says the foreword, signed by acting Secretary Patrick Shanahan. “It recognizes our experience over the past five years and identifies seven strategic objectives along with guiding principles to set a path forward. It emphasizes mission and tactical edge needs along with the requirement to prepare for artificial intelligence while accounting for protection and efficiencies.”

Moreover, it emphasizes unity of effort across the DOD as the military increasingly adopts cloud. According to a release from the DOD CIO’s Office, “The department will gradually consolidate the disparate networks, data centers and cloud efforts and manage them at the enterprise level. Consolidation will enable the DOD chief information officer to provide increased security and reliability of the department’s digital infrastructure while achieving greater efficiency and cost savings.”

“This marks a milestone in our efforts to adopt the cloud and also in our larger efforts to modernize information technology across the DOD enterprise,” DOD CIO Dana Deasy said in a statement. “A modern digital infrastructure is critical to support the warfighter, defend against cyberattacks and enable the department to leverage emerging technologies like machine learning and artificial intelligence.”

The strategy comes amid several high profile DOD cloud procurements, such as the $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud and the $8 billion Defense Enterprise Office Solutions (DEOS) cloud, both of which are single-award contracts. Despite the Pentagon’s plans to award those contracts to a single vendor in each case, which has led to criticism from industry, the new strategy paints a picture of a multi-cloud DOD, but with a preference for JEDI first.

“The enterprise cloud strategy introduces concepts for both general purpose and special purpose clouds for specific mission needs,” the release says. “DOD will remain a multi-cloud environment because the complexity and scale of DOD’s mission requires DOD to have multiple clouds from multiple vendors.”

Essentially, JEDI will be the general-purpose cloud around which other special purpose clouds are built. “The primary implementation bias for DoD will be to utilize General Purpose cloud computing,” the strategy reads. “Only when mission needs cannot be supported by General Purpose will Fit For Purpose alternatives be explored. In such a case, a mission owner will be required to submit for approval an Exception Brief to the Office of the DoD CIO describing the capability and why the General Purpose cloud service does not support their mission.”

Congress too was critical of the JEDI contract during last year’s National Defense Authorization Act conference process, requesting a complete DOD cloud strategy.

In the strategy, cloud appears to be a stepping stone to other next-generation emerging technologies, particularly artificial intelligence. “An enterprise cloud will provide the common data and infrastructure platforms that will enable AI to meet the full promise of warfighter advantage,” the strategy says.

Deasy echoed that sentiment. “Cloud in itself just gives you compute capability,” he said. “It’s what you choose to build on top of that that matters. And in this case, I believe what DOD is going to want to focus on — really embrace and accelerate as fast as we can — is how we adopt and bring artificial intelligence into the organization.”

Additionally, an enterprise cloud environment will also modernize the department’s command, control and communications (C3) and improve cybersecurity, the strategy says.

“I always like to say if you put a great enterprise cloud in place, you then can use that as an enabler to do great things,” Deasy said.

Microsoft brings Azure Government to the ‘tactical edge’

Microsoft unveiled new products Monday that it says will bring the Azure Government cloud to austere, connectivity-limited environments.

In partnership with Dell EMC, the company introduced the Tactical Microsoft Azure Stack, which allows organizations to bring Azure cloud to remote locations — the so-called “tactical edge.” The stack is highly secured and has optional connectivity to Azure Government, Azure Secret, and Azure Top Secret cloud offerings. The move is geared not only toward the military, but also public safety agencies and others that might respond to crises.

Microsoft also announced that it will bring Azure Government cloud to its Azure Data Box family of products, including Azure Data Box Edge, Azure Data Box Gateway, Azure Data Box Disk and Azure Data Box Heavy.

This “unlocks mission scenarios for government agencies that really weren’t possible before” with Microsoft Azure, said Natalia Mackevicius, director of program management for Microsoft Azure. This is particularly significant, she said, “in areas where there are network connectivity issues or intermittent connectivity … it’s very important to still get insights from the data. So we are really looking at providing tactical edge scenarios,” meaning it “provides the capability to have connectivity for survival for mission success.”

Microsoft, however, isn’t the only cloud provider with offerings for the tactical edge. For instance, Amazon Web Services has Snowball Edge, which it promotes as a tool for the Department of Defense to “collect data and analyze that data in remote locations.”

The military use case is an important one, particularly as the DOD is set to award a $10 billion commercial cloud contract, the Joint Enterprise Defense Infrastructure (JEDI), later this spring, which calls for capability at the tactical edge.

Mackevicius pointed to disaster relief as another major use case.

“In a disaster relief organization, you need to have systems available in locations where there might be little to no network connectivity,” she told FedScoop. “Imagine a scenario where there’s no power whatsoever, you’re in a very austere environment, you need to provide disaster relief. So you can take then the Azure Stack systems, provide connectivity to local response vehicles, do local inferencing, so you could have machine learning models that can do machine learning in the cloud and then have those trained models available on an Azure Stack system and actually integrate with devices and sensors.”

Regardless of mission type, these new offerings “meet them where they are,” Mackevicius said, adding that it allows them to pursue a variety of options, including commercial cloud, private cloud and hybrid cloud.

The Dell EMC Tactical Microsoft Azure Stack will be available this quarter and the Azure Data Box Edge is available in preview for Azure Government. The rest of the Data Box products will be available in March.

GSA looking to switch up IT Centers of Excellence acquisition strategy

The General Services Administration is soliciting industry feedback on a proposal that would change the acquisition strategy of the IT Centers of Excellence initiative.

The proposed shift would see GSA issue a Blanket Purchase Agreement for the CoE’s Phase I discovery and assessment efforts, instead of the current single contract approach. The Discovery BPA would create “a pool of multiple awardees with expertise in at least three functional areas” that agencies participating in the program would be able to call on as-needed.

This, GSA says, will add a “new level of flexibility” to the project.

“The desired outcome of the Discovery BPA is to emphasize repeatability and scalability,” Bob De Luca, Executive Director of CoE, said in a statement posted to GitHub. “We want to give every agency that works with CoEs access to private sector partners who can provide the expertise and technological know-how to successfully implement IT modernization agency-wide.”

Per an FAQ page about the RFI, the new approach “[builds] on the lessons learned from our current efforts, using the feedback gained from the initial group of vendors we worked with, the vendors who participated in all our previous procurements, as well as our own CoE teams.”

While information about the proposed change is posted to GitHub, vendors who wish to respond must do so via eBuy. Vendors have until Feb. 8 to provide feedback.

The CoE initiative is the administration’s signature attempt at “[building] change management capacity for enterprise-level change in the federal government,” White House special assistant Matt Lira has told FedScoop. In March 2018 GSA announced the contract winners for Phase I of the project at its first host agency — the U.S. Department of Agriculture — and work began in April. USDA is now in Phase II, the implementation phase. In September, the CoE team announced that it would be setting its sights on the Department of Housing and Urban Development next — starting with a “discovery sprint.”

These 3 high-profile DOD systems have persistent operational flaws, according to testing

The Pentagon’s cybersecurity is improving — but not quickly enough to keep pace with the growing capabilities of America’s adversaries, according to the annual report from the Department of Defense’s chief weapons and systems tester.

The DOD Office of the Director of Operational Test & Evaluation’s 2018 report keyed in on traditional weapons and operational systems’ dependence on software as a key trend that “will continue as more complex and capable software platforms and algorithms make their way into the battlespace.” With that comes the need to defend and “test all systems having data exchanges for the resilience to complete missions in a cyber-contested environment.”

DOT&E performed a number of such tests in 2018 and found generally that “there were an increasing number of instances where the cyber Red Teams employed during DOT&E assessments experienced greater difficulty in penetrating network defenses or maintaining previously acquired accesses,” Director Robert Behler wrote in the annual report. “These improvements are both noteworthy and encouraging, but we estimate that the rate of these improvements is not outpacing the growing capabilities of potential adversaries, who continue to find new vulnerabilities and techniques to counter the fixes and countermeasures by DOD defenders.”

While the report cites a number of improvements DOD has made in the cyber domain in the past year, DOT&E also found many persisting vulnerabilities through its tests. Here are three critical systems in particular that testers found to be operating inadequately:

The F-35 Joint Strike Fighter’s brain is malfunctioning

The F-35 Joint Strike Fighter is meant to “bring cutting-edge technologies to the battlespace of the future,” but for now, the brains behind the aircraft appear to be holding it back from seeing combat anytime soon. It was designed, in a sense, to be a flying supercomputer. But the fighter’s logistics system — the Autonomic Logistics Information System (ALIS) — is plagued with problems, DOT&E found in various tests.

“ALIS is designed to bring efficiency to maintenance and flight operations, but it does not yet perform as intended,” the new report says.

The problems fall into three main areas: Users must create numerous workarounds to make ALIS functional, there are “pervasive problems with data integrity and completeness on a daily basis,” and users generally lack confidence in the system, causing them to maintain “separate databases to track life usage.”

The report explains that ALIS will give pilots and others mixed signals on the health of a fighter: “ALIS incorrectly reports the status of aircraft as NMC in the Squadron Health Management application based on HRCs (faults). Meanwhile, a separate application – Customer Maintenance Management System, which relies on the Mission Essential Function List (MEFL) – reports the same aircraft as mission capable.”

The system also faces a variety of cybersecurity vulnerabilities.

DOD EHR woes continue

The Defense Healthcare Management System Modernization’s struggle to get operational approval for the modernized MHS Genesis electronic health record is not new — earlier reports from DOT&E highlighted the issue. However, DHMSM continues to face challenges and still is “not operationally suitable because of poor system usability, insufficient training and documentation, and inadequate dissemination of system change information.”

In this new report, there are also details about MHS Genesis’ cybersecurity vulnerabilities. “MHS GENESIS is not survivable in a cyber-contested environment,” it says, explaining that the Joint Interoperability Test Command and Space and Naval Warfare Systems Command (SPAWAR) Red Team “successfully executed three cybersecurity attacks against the system as an insider, near-sider, and outsider.”

The program office leading the system’s development has since created the Cyber Integrated Work Group, identifying “34 specific tasks assigned to the appropriate parties, focused upon incident response and intrusion detection as well as prioritization and mitigation of identified vulnerabilities.”

Joint Regional Security Stack (JRSS) needs a pause

One of the biggest cyber takeaways from the DOT&E report is its conclusion that the department should stop operation of the Joint Regional Security Stack until “the system demonstrates that it is capable of helping network defenders to detect and respond to operationally realistic cyber-attacks.”

JRSS is meant to provide “a suite of equipment intended to perform firewall functions, intrusion detection and prevention, enterprise management, and virtual routing and forwarding, as well as provide a host of network security capabilities” in a centralized manner for the DOD Information Network.

Simply put, the version of the JRSS the office tested “is unable to help network defenders protect the network against operationally realistic cyber-attacks.”

“JRSS performed poorly, and showed little improvement” from the previous test. “JRSS operators did not detect the Air Force 177th Information Aggressor Squadron as it portrayed a cyber adversary attacking the Enclave Control Node logically situated behind JRSS defenses,” the report says.

The report keys in on a handful of specific underlying issues: difficulty managing large amounts of data within a JRSS stack; lagging training; a lack of codified JRSS joint tactics, techniques, and procedures; and insufficient manning.

Shutdown sets back $5 billion Justice IT contract launch

The solicitation for the FBI’s $5 billion Justice Department-wide IT services contract will come a little later than expected.

FBI was set to release the final request for quotes on its Information Technology Supplies and Support Services (ITSSS) Blanket Purchase Agreement recompete Friday, but due to the 35-day partial shutdown, the bureau will have to delay it.

FBI’s IT Acquisitions Unit announced the delay Thursday on FedBizOpps:

“ITAU is diligently working on all aspects of the new vehicle will be and getting the information and draft documents out on FBO as soon as they are completed. The recent Government Shut Down 12/22/18 – 1/25/2018 delayed ITAU by more than a month. The previous schedule will be adjusted accordingly. Keep watching FBO for documents and information. As new data/documents are made available, ITAU will post them. Individual requests for Information will not be responded to.”

The Department of Justice was one of several Cabinet-level departments shuttered by the recent government shutdown, which ended Jan. 25. During that time, none of the planned key milestones for the ITSSS contract, including issuing a draft request for quotes and answering questions from industry, occurred.

The recompete will replace FBI’s original $30 billion ITSSS contract, a BPA which provided an array of IT services from 46 vendors with whom any DOJ agency could contract. That initial BPA expired in October 2018. The FBI has made no mention of a bridge contract to fill the gap between its expiration and the award of the new contract. According to the FBI, only about $2 billion was spent under the original BPA, hence the lower ceiling for the recompete.

The FBI is planning to make awards to companies on the General Services Administration’s (GSA) IT Schedule 70, like it did for the first BPA. The bureau anticipates making 15 to 22 awards per track on the contract. Ten to 15 of those would go to large businesses, and five to seven would be for small businesses in each track. Those numbers may change depending on what the agency needs.

The recompete also differs in that it is built around a framework used by chief information officers and other tech leaders called Technology Business Management. The BPA will be broken down into six tracks: end-user services, business application services, delivery services, platform services, infrastructure services and emerging services.

Rep. Susie Lee to lead House Veterans Affairs Technology Modernization subcommittee

Freshman Congresswoman Susie Lee, D-Nev., may be brand new on Capitol Hill, but this fact hasn’t held her back from winning important committee gigs.

House Veterans Affairs Committee Chairman Mark Takano, D-Calif., announced Thursday that he has chosen Lee to head the Subcommittee on Technology Modernization — the oversight body created last summer to oversee the creation of the VA’s new electronic health record system.

A nonprofit executive from Las Vegas, Lee seems ready to dig in to the issue of IT modernization at this massive agency. “It is critical that those who have put their lives on the line for our country are given proper care quickly, which means modernizing the VA and investing in the right technology to do so,” she said in a statement. “This Subcommittee will make sure that the VA is doing this in the most effective way so that our veterans are cared for in a timely manner without abusing taxpayer dollars.”

The VA’s EHR development contract with Cerner, which is worth more than $10 billion over 10 years, was finalized in May 2018. The goal is to transition the VA from its current system, VistA, to one that is “similar” to that used by the Department of Defense. This, theoretically, will allow patient data to be “seamlessly” shared between the two.

The DOD faced various issues in implementing its modern EHR, but VA leadership has maintained that it will benefit from learning from these missteps. “VA and DoD are collaborating closely to ensure lessons learned at DoD sites will be implemented in future deployments at DoD as well as VA,” Secretary Robert Wilkie has said. “We appreciate the DoD’s willingness to share its experiences implementing its electronic health record.”

Now, it will be Lee’s job to make sure that Congress holds the VA accountable to this goal.

Joining Lee on the subcommittee will be Reps. Julia Brownley, D-Calif., Conor Lamb, D-Penn., and Joe Cunningham, D-S.C. Rep. Jim Banks, R-Ind., who led the subcommittee in the past Congress, will be its ranking member.