Bill to authorize DHS insider threat program passes House
A bill to codify the Department of Homeland Security’s activities for detecting and mitigating insider threats passed in the House on Tuesday by voice vote.
The same bill passed in November 2015 by a voice vote, but sponsor Peter King, R-N.Y., said on the House floor Tuesday that it did not make it to the president’s desk in the 114th Congress due to “last-minute scheduling issues with the Senate.”
The Department of Homeland Security Insider Threat and Mitigation Act of 2017 (H.R.666) would authorize and expand DHS efforts to detect the potential for leaks and mitigate those threats, King said. He added that the bill requires DHS to develop a strategy around the issue, and make sure employees understand how they are being monitored and what behavior may indicate an insider threat.
“Recent high-profile cases of government employees leaking classified information have caused drastic damage to U.S. national security and diplomacy,” King said Tuesday on the House floor in prepared remarks, evoking Edward Snowden as an example. “In response to these cases it is vital that Congress ensure federal agencies have the tools to detect and disrupt future insider threat situations before damage is done.”
DHS has more than 115,000 employees with access to classified information, King said, and even more with access to sensitive law enforcement information.
Bennie Thompson, D-Miss., said Tuesday during debate on the bill that he was supportive of DHS’s current insider threat program, but was concerned about agencies deploying evaluation programs “without transparency and congressional oversight.”
“I’m concerned that federal agencies, with an understandable urge to protect their IT systems and facilities, are racing to acquire the capability before knowing whether such costly systems are even effective,” Thompson said.
So while Thompson recommended passage of the bill, he also stressed the importance of agencies talking to Congress before deploying employee monitoring technology, such as software that would look at an employee’s credit or social media history. He said those conversations with Congress should not only include cost/benefit information, but what protections are in place for workers being monitored.
GSA still hasn’t notified 8 people involved in 2014 breach
The General Services Administration hasn’t been able to locate eight agency employees or contractors and notify them that their information was compromised in a 2014 breach.
GSA’s inspector general released a series of audits from 2015 last week that revealed details about the 2014 breach in the agency’s Google cloud computing environment, which the IG says affected 907 employees, contractors and job applicants, and made sensitive but unclassified building information accessible to contractors and employees without “a need to know the information.”
“Our limited review of GSA’s Google cloud computing environment, which contains approximately 3.8 million documents, disclosed personally identifiable information that was accessible to employees and contractors without a valid need to know the information,” Marisa Roinestad, associate deputy assistant inspector general for auditing, wrote in the Jan. 29, 2015, audit. “As a result, the [Office of the CIO, who was then Sonny Hashmi] determined that the PII of at least 907 government employees, contractors, and job applicants was accessible Agency-wide.”
The audits weren’t released in 2015 because they “presented existing security vulnerabilities,” the audits say, but were released Jan. 27 because the concerns “no longer exist.”
The IG found the vulnerabilities to be associated with GSA’s Google Groups, Sites and Docs apps, which it said had “improper access settings.” Information accessible in the breach included full or partial Social Security numbers, passport and driver’s license numbers, birth dates and home addresses.
GSA issued breach notifications to the affected people whom it could locate, but the IG initially found those notifications to be inadequate, because they didn’t include information on the timeframe, description and date of the breach, or the actions the agency was taking to investigate it. The agency also described the breach with a “false sense of security,” the 2015 audit said, because the notification explained “that exposed information ‘never went outside the GSA firewall,’” though it couldn’t ensure that sensitive information wasn’t taken outside the agency.
In a follow-up implementation review released with the original audit last week, the IG found the agency still hasn’t been able to reach eight people affected by the breach.
“For the remaining 8 individuals, the search results did not provide GSA with an acceptable level of confidence to attempt to contact them,” the review says. “Therefore, the Agency should determine whether it will take additional action to locate and communicate with these individuals.”
Additionally, the sensitive building information disclosed in the breach included emergency plans for child care centers, courthouse blueprints with vulnerability assessments and the locations of judges’ chambers, details about GSA’s building automation system, and more.
According to the initial 2015 report, GSA defines a data breach as “the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users with an authorized purpose have access or potential access to Personally Identifiable Information, whether physical or electronic.”
GSA moved agencywide to the cloud in June 2011 through a contract with Google.
GSA is working to remediate the pending actions in the review, but otherwise did not comment on the audit.
DHS may require U.S. visitors turn over social media, web history
The Department of Homeland Security is considering a requirement that some foreign visitors to the United States turn over their social media and internet history as part of the “extreme vetting” laid out in President Donald Trump’s executive order Friday.
DHS Secretary John Kelly said Tuesday that many countries — particularly the seven Muslim-majority nations from which the U.S. is not allowing visitors for the next three months under the order — “don’t have the kind of law enforcement record-keeping, that kind of thing, that can convince us that one of their citizens is indeed who that citizen says they are and what their background might be.”
DHS is looking at various other forms of “extreme vetting,” Kelly said, suggesting the restricted period would give DHS time to explore “what additional vetting, extreme vetting might look like,” though he stopped short of describing how broadly DHS might implement it.
He added: “We have to be convinced that people that come here, there’s a reasonable expectation that we don’t know who they are and why they’re coming here for and what their backgrounds are.”
“On the other end, when someone comes in and asks for consideration to get a visa, it might be certainly an accounting of what websites they visit, it might be telephone contact information so we can see who they’re talking to,” he said. “But again, all of this is under development. But those are the kinds of things we’re looking at: social media.”
While the DHS secretary described using social media and web history to vet visitors as something the administration was at this point only considering, many lawyers assisting incoming travelers from the affected countries — Iraq, Iran, Syria, Somalia, Sudan, Libya and Yemen — described customs agents coercing them to allow searches of their computers, phones and social media accounts during detainment.
Kelly’s comments Tuesday on “extreme vetting” also echo a CNN report earlier this week that suggested the White House had a preliminary discussion to direct foreign visitors to “disclose all websites and social media sites they visit, and to share the contacts in their cell phones. If the foreign visitor declines to share such information, he or she could be denied entry.”
Last summer, U.S. Customs and Border Protection under the Obama administration explored adding an optional question to customs forms about travelers’ social media activities.
“Collecting social media data will enhance the existing investigative process,” a Federal Register notice from June 2016 said, “and provide DHS greater clarity and visibility to possible nefarious activity and connections by providing an additional tool set which analysts and investigators may use.”
CBP began including the voluntary question in December, according to Politico.
Trump’s executive order restricts travel of citizens from the seven countries for 90 days, suspends the entry of any refugees for 120 days, and bars Syrian refugees indefinitely.
Federal agencies warned of cyber-espionage coming from their landlords
U.S. law enforcement agencies may be putting themselves at risk of cyber-espionage because they are renting office space in foreign-owned buildings, according to a new report published Monday by the Government Accountability Office.
Twenty-six different FBI, Homeland Security, Secret Service and Drug Enforcement Agency offices across the country are based in buildings owned by foreign firms, the report notes. Twenty-two of the 26 offices are owned by entities licensed in non-NATO countries, including China, Israel, South Korea and Japan.
The U.S. Committee on Foreign Investment and the tenant agencies, in consultation with the GAO, have concluded that: “leasing space in foreign-owned buildings could present security risks such as espionage and unauthorized cyber and physical access.”
One-third of all “high-security leases” for agencies are in buildings where ownership information could not be ascertained by investigators.
The General Services Administration, which itself oversees leasing for many federal agencies, is renting space in 20 buildings from foreign owners.
Sen. Tammy Duckworth, D-Ill., Rep. Elijah Cummings, D-Md., and Rep. Jason Chaffetz, R-Utah, have each separately called for a GAO review.
“Our security professionals should know who owns the piping in the buildings that they occupy,” Chaffetz told CNN. “It’s an eye opener.”
An unnamed DHS foreign investment official told the GAO that “threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property.”
According to the report, 9 of 14 agencies contacted by the GAO were unaware their offices were owned by foreign firms.
“Because owning property can provide access to the buildings and building systems, foreign ownership of government-leased space can pose security risks particularly regarding cybersecurity,” the report reads.
FBI officials cited in the GAO report said that they were not concerned with building ownership being involved in any physical or cyber threat aimed at their offices.
DHS acquisition management bills set for House passage
Two bills scheduled for a vote in the House on Tuesday seek to improve the way Department of Homeland Security officials oversee and document certain acquisition programs.
Similar legislation was introduced in the last session, and watchdogs have long identified a need for overhauling the way the department manages its acquisition programs. The Government Accountability Office in a March 2016 report noted that while DHS management has made some progress, “the department has struggled to effectively manage its major programs, including ensuring that all major acquisitions had approved baselines and that they were affordable.”
And DHS Inspector General John Roth wrote in 2016 testimony for the Senate Committee on Homeland Security and Governmental Affairs that “although its acquisition policy includes best practices, DHS routinely approves moving forward with major acquisition programs without appropriate internal oversight.”
The bills are expected to pass under suspension of the rules, an expedited process reserved for generally noncontroversial bills.
Documenting major acquisition programs
New Jersey Democrat Bonnie Watson Coleman’s “DHS Acquisition Documentation Integrity Act of 2017” (H.R. 347) calls for the relevant DHS component head to maintain certain information on its major acquisition programs. The documentation would have to include operational requirements, a complete lifecycle cost estimate, cost-benefit analysis and a schedule. A “major” acquisition program as defined by the bill costs $300 million or more.
The requirements can be waived only under specific circumstances — such as if the program is not yet in full-rate production, or has a reasonable cost estimate already established. And waivers would have to be reported to relevant congressional committees.
Similar legislation to Coleman’s bill passed the House in the previous Congress, and the Congressional Budget Office estimated it would cost less than $500,000 annually.
Documenting border security technology acquisition programs
Under the other bill, major programs for acquiring border security technology would be required to have an approved budget baseline, and officials would have to document that they are meeting the cost, schedule and performance goals set forth by the baseline.
The Border Security Technology Accountability Act of 2017, or H.R. 505, was introduced by Martha McSally, R-Ariz. The bill also passed the House during the previous Congress.
Sen. John McCain, R-Ariz., who introduced a companion bill in the Senate, said in a statement at the time, “New technologies such as video and radar surveillance are critical to securing our borders. However, widespread mismanagement and a lack of accountability within our federal bureaucracy has prevented us from using these technologies to stop illegal immigration, put an end to human trafficking and reduce crime in communities in Arizona and across the Southwest.”
The bill also would require the DHS undersecretary for management, in coordination with the commissioner of U.S. Customs and Border Protection, to monitor those major acquisition programs to make sure they are on schedule and on budget.
The bill also would require a plan to be submitted to Congress for “testing and evaluating new border security technologies to ensure taxpayer dollars are being used efficiently and effectively,” McCain said.
“This bill is a no-brainer,” McSally said when the bill was introduced. “These important accountability tools should be standard practice across the federal government to ensure taxpayer dollars are used as efficiently as possible.”
How the hiring freeze could impact the federal IT and cybersecurity workforce
One of Donald Trump’s first actions as president was to sign an executive order implementing an across-the-board hiring freeze in federal government.
The specific details of that freeze and its immediate impacts on IT are still being worked out — particularly whether any of those positions might be granted exemptions for national security and public safety purposes. But experts say the freeze and the forthcoming federal workforce attrition plan from the Office of Management and Budget could make the government an unattractive employer in a competitive market for a small pool of talent.
Mallory Barg Bulman, the Partnership for Public Service’s vice president for research and evaluation, told FedScoop there are almost three times more information technology employees in government older than 60 than younger than 30. That trend will likely worsen, she said, as the Trump administration’s policies kick in.
OMB was directed to recommend, within 90 days of the memorandum’s publishing, its own plan for decreasing the size of government through attrition.
“The federal IT workforce, a larger percentage of it is retirement eligible than the general population of the federal government, so if we’re moving toward shrinking the government through attrition it would adversely affect the IT workforce,” Bulman said. “Also, the federal government has a really hard time hiring federal IT talent. And so anything that slows that process down, even I suspect the suggestion of a hiring freeze, slows that down moving forward.”
Rep. Gerry Connolly, D-Va., slammed the decision to initiate the hiring freeze, calling an across-the-board hiring freeze “one of the most mindless approaches to management.”
He told FedScoop the freeze is “the cheap way out, and it doesn’t distinguish between critical missions and noncritical missions.”
Connolly later added: “It makes federal service even less attractive in the current context, and that will make it harder to recruit and retain the workforce we need, as we face 30 and 40 percent retirement over the next few years.”
Alan Chvotkin, executive vice president and counsel for the Professional Services Council, said to FedScoop that a short hiring freeze may have a minimal impact on the IT workforce. But if it continues for a long period of time, “it will begin to have a significant impact on the workforce because these jobs are difficult to fill.”
“The longer it takes to fill, the more vulnerable the federal systems are without the key personnel to design, develop and operate and maintain them,” he said. “And then… [it] creates a perception or implication that the government is not interested in hiring or as new employees are looking for work that the government is not going to be the employer of choice for those employees. And that will just make the government’s ability to attract a workforce at any point that much more difficult.”
Bulman also said that while the hiring freeze isn’t permanent, “there really is going to be a permanent piece in some way to reduce the size of the federal workforce, and my concern is that it would really adversely affect the federal IT workforce because you want to create a culture that the federal government is a great place to come, that it’s a place for opportunity, and giving things like shrinking the size of the federal workforce is not going to help with that perception.”
Exemptions and waivers for IT jobs?
The freeze will “force everyone to have to get waivers and exceptions to beef up critical areas we need beefed up,” Connolly said.
“And that’s everything from trying to make sure we have the resources to eat into the Veterans Administration’s health backlog for veterans, [to] cybersecurity capabilities, unless Donald Trump doesn’t want to protect us from Russian hacking,” Connolly said.
Department or agency heads can issue exemptions for positions that are “necessary to meet national security or public safety responsibilities.” And Rep. Will Hurd, the chairman of a House subcommittee on federal IT, said in a statement to FedScoop agency heads would likely consider IT infrastructure needs to be eligible for those exemptions.
“The hiring freeze would not affect national security or public safety personnel. As a result, it is up to the discretion of the agency heads to determine what meets that standard. Given the tremendous public safety and national security risks associated with the federal government’s IT infrastructure, it is unlikely that agency heads will choose not to meet IT standards necessary to ensure the safety and security of the American people,” said the Texas Republican via email.
Chvotkin said some vacant IT positions could potentially be brought in under those exemptions immediately.
“I think what the agencies are going to be most interested in is being able to address the pipeline that they’ve already selected, but haven’t started, or where they’ve made offers and the individuals haven’t started,” Chvotkin said. “I suspect there will be a number of those appeals being made fairly quickly.”
The recently-appointed official in charge of cybersecurity at the U.S. Department of Health and Human Services told FedScoop that there were “about 30” vacancies in his office that he hoped to be able to fill despite the freeze.
HHS CISO Christopher Wlaschin told FedScoop: “We hope to fill these critical vacancies under the guidance” that OMB said it will issue on the freeze. Wlaschin started work Jan. 9.
The acting secretary of the VA announced some exemptions to the freeze in a memo published Friday.
Shaun Waterman contributed to this report.
EPA looks for help in agile overhaul
The Environmental Protection Agency wants industry’s help embedding agile software development practices across its enterprise.
The agency is launching a request for information from software contractors whose help it needs building agile development practices into EPA’s enterprisewide acquisition process. The RFI is expected sometime in February.
EPA’s Office of Digital Services and Technical Architecture enlisted the General Services Administration to assist with the acquisition using its Schedule 70 multiple award contract for IT.
The agency held an industry day in 2016 during which it proposed an agile BPA, similar to that created by GSA’s 18F digital services team, comprised of a pre-approved pool of agile vendors that would bid for work in areas like mobile app development, web app development, commercial-off-the-shelf customization or upgrades, data analysis and modeling, and new system development.
EPA’s vision for the agile contract has evolved since then, however, with added emphasis on cultural change and lasting, enterprisewide agile implementation.
The eventual acquisition would consist of three different contracts, the agency explains in a special announcement:
- A multi-award, small business set-aside blanket purchase agreement for agile support services to transform EPA into an agile organization.
- A single-award task order for agile lifecycle management services and tools to support the agency’s move to agile.
- An unrestricted multi-award BPA for application development services for assistance on agile projects.
The contract “will provide access to multiple IT service vendors to yield cost and time savings, as well as, efficiency, agility, public availability, interoperability, and sustainability improvements of applications that are used to support the Agency’s mission of protecting human health and the environment.”
The EPA is currently on a contracting freeze directed by President Donald Trump’s administration. The constraints of the stoppage are unclear, and if it continues long enough, could threaten EPA’s ability to award this contract.
“A blunt, across the board halt on contracting actions will disrupt core government operations, drive away hard-to-find workers, and may cost more to restart than it saves by stopping,” Professional Services Council President and CEO David Berteau wrote in a letter to EPA acting Administrator Catherine McCabe. “Absent problems with specific contracts, we strongly recommend that these actions be of the shortest duration possible.”
The EPA did not respond to FedScoop’s request for comment on how the contracting freeze could impact IT contracts, such as this one.
New CIA director inherits an agency that is quickly developing cyber capabilities
The CIA’s Directorate of Digital Innovation is now delivering the kinds of cyber-espionage tools and intelligence-gathering capabilities that the agency was seeking when then-Director John Brennan created it two years ago, says a senior official with the program.
The unit has moved beyond its initial period of integration with the spy agency, said Sean Roche, the DDI’s associate deputy director. It’s now “delivering capabilities that will enable CIA to transform the business of intelligence,” he said, at a time when the CIA is transitioning to new leadership.
“We are creating agile digital environments to enhance our ability to collaborate as an Agency and Intelligence Community,” Roche said. “The vision is to create pathways for persistent clandestine and open-source collection that feed data exploitation and curation.”
The Langley, Virginia-based office’s mission is to streamline and integrate digital and cybersecurity capabilities into the CIA’s espionage, counterintelligence, all-source analysis, open-source intelligence collection and covert action operations.
The DDI’s progress also comes as Donald Trump’s administration evaluates the role, responsibility and mission of nearly every federal organization. On Monday, the Senate confirmed Trump’s pick to replace Brennan, Mike Pompeo.
“The DDI is firing on all cylinders,” Roche said of the unit’s momentum.
Pompeo, formerly a House member from Kansas, steps into Langley with the benefit of a DDI that has been working for more than a year to broadly modernize the premier U.S. intelligence agency — an effort that includes the adoption of cloud data-storage technologies and secure dev-ops coding projects, as well as “digital collaboration environments and mobility through wireless,” Roche said.
Roche is a career federal employee with 35 years of service in the government. Prior to his current job, he held various executive positions with the CIA’s Directorate for Science and Technology — a research and development arm with a national security focus. Roche’s boss, DDI Director Andrew Hallman, is a CIA veteran with decades of leadership experience.
“A digital world challenges the way we work in a clandestine world. We have to come up with new ways to operate in a much more connected environment and still be clandestine,” Hallman said in an interview with DefenseOne. “The way we help people use digital and cyber techniques, [the DDI] will raise it to a new level.”
Last summer, Brennan said the DDI would help the spy agency succeed in an era of “big data,” which requires that analysts mine through vast volumes of digital information to find actionable intelligence.
“I felt a special responsibility since I served 25 years in CIA to do what I could here on the organizational front to make sure that we’re postured well for the future,” Brennan said in a December interview with NPR. “I’ve talked to Mike [Pompeo] about the modernization program we have underway here. He is very familiar with it … I told him that to me, the modernization process should never end because we have to constantly adapt to the realities that we have to deal with in the outside world.”
The launch of the DDI represented the CIA’s first new Directorate since 1963. Little is known about how the office specifically functions or if it deploys “offensive” cyber capabilities.
The CIA declined to discuss whether the DDI’s staff size has grown since the unit’s conception in early 2015. Publicly viewable CIA job postings show that the spy agency is currently hiring for digital forensic engineers, cyberthreat analysts, cybersecurity officers and operations officers. Qualified applicants for these positions will come with some knowledge of “network penetration testing, network defense, operating systems, communication technologies, network security” and “reverse engineering.”
In the past, the CIA has traditionally worked “very closely with the intelligence community and law enforcement colleagues, including the NSA, FBI, Homeland Security Department, and other agencies, to address” cyberthreats aimed at the U.S., said CIA spokesperson Heather Fritz Horniak.
One of the CIA’s primary responsibilities pertaining to cybersecurity includes the collection of human and digital, or signals, intelligence to identify foreign hackers. What sets the CIA apart from its counterparts is the agency’s ability to collect human intelligence from a clandestine network of agents operating around the globe.
“Cyber-defense is very much a team sport across the [government]. As an all-source overseas collector, CIA leverages the widest range of HUMINT, collection platforms, and technical capabilities to discover the plans and intentions of hostile foreign cyber actors,” Horniak said. “The intelligence reports generated by DDI officers inform our partners across the federal government in order to support their cyber-incident responses.”
According to classified budget documents shared with the Washington Post, the CIA’s computer network operations budget for fiscal year 2013 was $685.4 million. The NSA’s budget was roughly $1 billion at the time.
‘Failure to confront is permission to continue,’ says female former IT leader to women in federal tech
During Donald Trump’s administration, women in federal IT should be “even more vocal,” the former deputy CIO for policy and planning at the Department of Agriculture said Thursday.
Joyce Hunter, a political appointee, was asked during an event Thursday in Washington how to approach mentoring and advocating for women in IT, given what Trump has said about women in the past. Asked how important it is to push women’s involvement in federal IT in this administration, she responded immediately, “I think it’s very important.”
“Failure to confront is permission to continue,” she said to applause at the luncheon in Washington hosted by the Association for Federal Information Resource Management.
“I think you have to confront it head on,” she said. “There are always going to be people who are going to try and bully their way through their lives. There are going to be people who are going to be there to try to demand their way through life. However, I think it’s important for us as women in this arena to continue to support the young women and say, ‘you know, yeah yeah that’s what he says. But keep going. Keep going. Until they tell you to stop, keep moving.’”
She said that while at the Agriculture Department she always encouraged people to come to her with an idea so they could work through it together.
“I don’t believe in no. I don’t believe in can’t. I don’t believe in shouldn’t. I don’t believe in wouldn’t,” she said. “Let’s figure it out together and then let’s move forward.”
Earlier during the lunch Hunter, who has an undergraduate degree in sociology and an MBA in marketing, said that there were very few people who looked like her in leadership positions when she got out of graduate school. Often the only person of color, or the only woman in the room, she said people often didn’t pay attention to her.
When she spoke up during meetings “either it was discounted or else somebody would say something five minutes later — the same exact thing — and it was all awesome,” she said. “So I decided early on that I was going to think outside of the box and get a coalition of the willing. And even though I was told no, I’d do it anyway. Yeah, I’d get yelled at along the way, but I knew in my heart that I enjoyed whatever customer I was working for.”
Answering the question about women in IT during the Trump administration, Hunter said: “Given the current tenor of the administration I would say we have to be even more vocal.”
“If you’re not in trouble you’re not doing anything right,” she said.
HHS gets Navy vet as new cybersecurity chief
The Department of Health and Human Services has a new CISO, a Nebraska Navy vet who has worked in IT inside and outside government.
Christopher Wlaschin retired after 28 years in the Navy in 2008 as a lieutenant commander and has held a variety of civilian jobs since, including several stints at major health care companies in his home state. He came to HHS from the Nebraska-based, for-profit National Research Corporation, where he was senior director for information security and infrastructure for NRC Health.
His last stint with a federal agency was for the troubled Department of Veterans’ Affairs, where he was associate deputy assistant secretary for security operations for one year beginning in August 2012. He joined VA from Military Sealift Command, where he was the civilian CIO from 2010 to 2012. Prior to that, he was the assistant director for unified communications at the Missile Defense Agency.
“As a member of the U.S. government’s Senior Executive Service … Wlaschin will lead the cybersecurity program across HHS, with a goal to foster an enterprise-wide secure and trusted environment in support of HHS’ commitment to better health and well-being of the American people,” the department said in a statement.
The HHS position is not politically appointed. Wlaschin, who started work earlier this month, got in under the wire of the new administration’s hiring freeze — which affects all current vacancies and any new hires with a start date after Feb. 22 — but said HHS has several open cybersecurity positions that might be frozen.
“We hope to fill these critical vacancies under the guidance” interpreting the freeze that will be issued shortly, Wlaschin told CyberScoop.
The hiring freeze includes exceptions for vital national security and public safety positions, but until the guidance is issued, it’s not clear what that means or who has the authority to invoke it.