Proposed cybersecurity bills would ‘prohibit’ internet-connected voting systems
A pair of comprehensive, complementary election infrastructure reform bills, which will be first introduced Wednesday in the House of Representatives, seeks to prohibit certain voting systems from being connected to the internet, offers funding for election cybersecurity research and mandates the use of paper ballots across the U.S. by 2018, FedScoop has learned.
These two pieces of legislation — named the “Election Infrastructure and Security Promotion Act of 2016” and the “Election Integrity Act,” respectively — are being sponsored by Rep. Hank Johnson, D-Ga., a lawmaker whose constituents will rely on paperless ballots to cast their votes in November’s presidential election.
“In the wake of the DNC server hack and well-documented efforts by states to suppress the vote, citizens are rightly concerned,” Johnson said in a statement. “We must work to reduce the vulnerability of our crucial voting systems, protect the security and integrity of our electoral process, and ensure all Americans have the opportunity to vote.”
The Election Infrastructure and Security Promotion Act of 2016 will require the Department of Homeland Security, or DHS, to designate voting systems as critical infrastructure — an important reclassification move already under consideration by DHS Secretary Jeh Johnson. In practice, this change would result in a budget adjustment that puts election systems on par with power grid protection.
Notably, the Election Infrastructure Act will seek to compel states to comply with relevant federal rules while incorporating additional security standards and testing measures. Under the rule, the National Science Foundation will be required to stand up a nondescript election technology development program.
Meanwhile, the Election Integrity Act specifically prohibits “election systems responsible for vote casting or tabulating” from being connected to the internet. Today’s voting machines, themselves, are not connected to the internet in U.S. polling places, though other components of the larger process — like states’ voter record databases, or VDRBs, online voter registration forms, or OVR, and e-polling books — rely on connectivity.
“We’re interested in verifiable paper audit trails, avoiding harebrained ideas for connecting machinery to the public packet switch network and ensuring some security standards get updated and finished,” said Gregory Miller, co-founder of the OSET Institute and Trust the Vote Project. Miller was involved in drafting both pieces of new legislation.
The Election Integrity Act would work to limit the purchase of any new voting systems that do not provide “voter-verified paper ballots” while adding proposed protocols to be followed in the event of a voting system failure.
$600 million in new funding is being requested to ensure that these processes are executed in FY 2017 and 2018.
“The individual, durable paper record must be able to be verified by the voter before casting; stored in a way to preserve anonymity of the voter; and used as the final authority over electronic records audits/recounts. Recounts and audits must include paper ballots of overseas/absentee voters,” a summary of the Election Integrity Act provided to FedScoop reads.
Data analyzed by Reuters and collected via the U.S. Census Bureau, Election Assistance Commission and Verified Voting Foundation reveal that 44 million registered voters, or roughly 25 percent of the current national total, live in jurisdictions that will use paperless systems come November.
Last week, DHS Assistant Secretary for Cybersecurity Andy Ozment said that DHS will not elevate election systems to critical infrastructure in the “near future.”
“[Importantly,] the security bill dealing with the infrastructure designation does not have [a] timeline component on it demanding DHS reclassify before the Nov. elections,” a spokesperson for Rep. Johnson explained in an email to FedScoop, “but, if the bill becomes law, it would be required to do so.”
Leidos secures $777 million contract with Army Geospatial Center
Leidos received a $777 million contract to support the Army Geospatial Center’s High-Resolution, 3-D Geospatial Information program — otherwise known as HR3D.
Under the contract, which the General Services Administration awarded Monday, Leidos is set to collect, process, disseminate, store and maintain HR3D geospatial information. It will also conduct collection operations, process the information and produce geospatial products as needed.
“Leidos has a long history of directly supporting U.S. Army warfighters through vital airborne programs,” said Roger Krone, Leidos’ chairman and CEO. “Our team is excited to continue that support using advanced technologies to produce critical mapping products.”
During the collection, Leidos will integrate advanced light detection and ranging sensor technology at a higher altitude by using a higher-velocity aircraft platform. The program will also address gaps in HR3D geospatial information and work with other nations to expand their capabilities while working toward a sustainable and secure environment.
Partnering with Leidos will be KEYW Corporation, Tenax TM LLC, Neany Inc., Sigma Space Corp., OG Systems LLC, Pixia Corp. and Woolpert Inc. By teaming up, the organization hopes to provide cost-effective solutions for the ASG program.
“The selection of the Leidos team on this contract solidifies our standing as leaders in airborne capabilities,” said John Fratamico, president of the Leidos Advanced Solutions Group. “We remain dedicated to supporting our customer and providing cost-effective, advanced technology solutions to meet the DoD’s mission requirements.”
The deal is one of the largest since Leidos merged with Lockheed Martin’s government IT business earlier this year, creating the largest government services provider in the U.S. with a $10 billion annual revenue base.
Accenture group wins $286M VA IT service desk contract
The Department of Veterans Affairs awarded ASM Research a $286-million contract to support its National Service Desk, a key component of the department’s MyVA strategy.
Through the contract, ASM will operate VA’s front-line support for IT services, systems and operations that the National Service Desk provides to more than 350,000 VA employees.
ASM, one of Accenture Federal Services’ subsidiaries, focuses on human capital systems and support, health IT, enterprise IT systems, and cybersecurity.
The contract has a nine-month base period worth $36.5 million and three one-year options to extend.
“We look forward to strengthening service desk support so VA employees can devote even more time to serving our veterans,” Jim Traficant, president of ASM Research and a managing director at Accenture Federal Services, said in a statement. “It’s an honor to partner with the VA to help transform the VA employee experience. Together, we’re helping deliver the MyVA promise to our veterans.”
The VA will also be working with ASM to support the Continuous Readiness in Information Security Program, known as CRISP, to help reduce information security risks in the department’s systems and its enterprise health management platform, which it’s building to increase interoperability of its electronic health records with the Defense Department.
Startup investors are looking to hackers for help on smart bets
When a company approaches a private equity firm in hopes of raising money, its founders typically come bearing a PowerPoint presentation providing a revenue forecast, tech development plan and go-to-market strategy. But today, investors are also becoming increasingly interested in their portfolio companies’ cybersecurity posture, a group of security experts, lawyers and investors tells FedScoop.
“There is building concern amongst investors who have had portfolio companies experience breaches,” said Yong-Gon Chon, CEO of Cyber Risk Management, a cyber risk consulting firm that offers penetration testing services through a subsidiary company. “Investors want to understand potential exposure to risk across all of their investments. [So, yes] there has been an uptick in inbound requests,” added Chon.
Ann Barron-DiCamillo, a former director of the U.S. Computer Emergency Readiness Team and now a venture capitalist with D.C.-based Strategic Cyber Ventures, told FedScoop that this practice — measuring cybersecurity as part of an investor’s due diligence process — is “becoming more and more common.”
“I’d say we have really seen a growth in that particular market over the last five years,” said FusionX CEO Matthew Devost, referring to an uptick in revenue for his business from services purchased by investors. Devost’s company, which was acquired by Accenture in August 2015, leverages offensive cyber capabilities to test clients’ digital defenses.
FusionX is traditionally employed by investors to conduct tests during a pre-funding stage or in preparation for a merger, acquisition or initial public offering, said Devost. In the past, FusionX has worked closely with clean-tech, biotech and several large software companies to improve cybersecurity on behalf of their investors. Currently, the Reston, Va.-based cybersecurity company is working with a cohort of prominent, well-funded private equity firms that use its services to understand the strengths and weaknesses of their portfolio companies. Devost, once a senior adviser to the Department of Defense, declined to discuss clients by name.
“The concept of red teaming and adversarial breach simulation is gaining industry traction,” agreed Chris Patten, director of attack and penetration services at Denver-based Optiv.
“Accurately performed breach simulation requires a tolerance for unconventional adversarial techniques that continue to remain difficult for many organizations to accept … leaving the exercise for those that are truly focused on understanding their actual resiliency to threats,” Patten told FedScoop.
Some of the largest investment firms based in or around the Silicon Valley area have slowly become aware in recent years of the threats posed by hackers who look to steal valuable intellectual property from high-tech American companies, insiders said.
When asked about the cybersecurity techniques and services they relied on when auditing companies’ digital defenses, a New Enterprise Associates spokesperson said the firm did not engage in such practices. Over the past nine months alone, NEA has invested north of $400 million in commercial tech companies based in the U.S.
The Carlyle Group and large venture capital firms Revolution LLC, Andreessen Horowitz and KPCB either declined or did not respond to FedScoop’s requests for comment.
The MedSec Fallout
In early September, the broader investment world — spanning both public and private markets — became aware of the damaging impacts felt when an important software vulnerability is disclosed to the masses.
Shortly after news broke that St. Jude Medical Inc.’s pacemakers and other implantable medical devices were found to carry dangerous software vulnerabilities, the company’s stock plummeted more than 8 percent.
As additional details of the case emerged, the public became aware of the role played by MedSec Holdings, a cybersecurity firm that privately performed security penetration tests on St. Jude Medical’s devices, but then proceeded to partner with a short-seller rather than directly notify the medical device maker.
MedSec Holdings’ short-seller, Muddy Waters Capital LLC, bet against St. Jude Medical and subsequently cashed in on tanking stocks — an action that has since prompted lawsuits.
“This disrupted the market and potentially put people at harm by announcing potential vulnerabilities to the world, including potential wrongdoers, instead of the company who could address the issues and strengthen the security,” said Braden Perry, a regulatory and government investigations attorney with Kennyhertz Perry.
Since 2013, the Food and Drug Administration has been hammering proactive cybersecurity programs. In January, for example, the FDA issued draft guidelines for medical device manufacturers to address technology security risks in both premarket and post-market production, explained Perry.
Just days after St. Jude Medical’s stock was crushed on the New York Stock Exchange, one of St. Jude Medical’s investors reached out to Jason Syversen, a former DARPA program manager and now the CEO of Manchester, N.H.-based Siege Technologies, FedScoop learned. Siege Technologies describes itself as providing “offense-driven defensive cybersecurity solutions.”
“They are worried about the report and future bombshells,” Syversen said.
Over the last several weeks, this investor — who Syversen declined to name — has also been speaking with other offense-oriented cyber firms in an effort to validate MedSec Holdings’ claims.
“The idea is to prevent surprises like this again,” said Syversen.
As it stands today, private equity investors are traditionally expected to do their own research to make investment decisions, Jacob Olcott, a vice president at security ratings firm BitSight, said.
“The challenge in cybersecurity is that there is often a lack of information or data for the investor to make a decision,” said Olcott, a former legal adviser to the Senate Commerce Committee and Chairman John D. Rockefeller’s lead negotiator on cybersecurity legislation.
NCC Group, one of the largest information assurance firms in the world, said it has yet to see any influence on sales following the MedSec Holdings disclosure — though it may be too early to tell.
“The MedSec/Muddy Waters situation is topical at the moment, but in our experience the demand for security testing services is constant,” said NCC Group Senior Vice President Kevin Dunn, “[the] drivers towards spending money on security will of course vary between companies …. security-relevant events that receive media coverage can serve to highlight a particular risk, but in general the majority of companies [we deal with] have embarked upon a security program in some way.”
New, stronger crypto standard lacks backward compatibility
The Internet Engineering Task Force is on the verge of approving a new standard for encrypted internet traffic that will make the web a safer place to shop, bank and browse — but it could also break a lot of stuff for people who don’t update their browsers.
Transport Layer Security, or TLS, is an encryption protocol that works with web browsers. It’s the math, and the shared standards, that underlie the green padlock users see — the symbol that gives users confidence that they are connected to the right site and that the connection is private enough to share personal or financial data.
TLS supersedes SSL, or Secure Sockets Layer — a protocol dating back to 1995 that has proven to be thoroughly broken. But the latest TLS version was finalized in 2008 and in recent years has been the subject of many high profile attacks and newly discovered bugs.
The first draft of TLS 1.3 was offered by the IETF in 2014, and the non-profit, which sets the standards that keep the internet universally compatible and open, has since been working on a final version.
“There’s no timeline” for the IETF working group to finish drafting the standard, task force spokesman Greg Wood told FedScoop. The 15th draft was published last month.
“It’s a consensus-based process … Once the working group is in agreement, the final standard is sent out for review by wider technical community,” Wood said.
Any issues raised at that stage have to be addressed before the task force publishes the standard and it comes into force, he explained.
Nonetheless, Mozilla’s Firefox and Google’s Chrome browsers have implemented preliminary versions of TLS 1.3 in their developer releases — the latest, as yet untested, updates to their software which they share ahead of public release. And there are other programs implementing the new standard, too.
“TLS 1.3 is a huge step forward for web security and performance,” wrote Nick Sullivan of Cloudflare, the content delivery company. Cloudflare announced Tuesday that it will be offering TLS 1.3 to all its customers.
Crypto experts agree 1.3 will be faster and much more secure. Older versions of TLS typically require at least three exchanges between the server hosting web content and the browser viewing it before any actual traffic can move. This is known as 3-RTT, for Round Trip Time, and contributes to the latency that sometimes plagues encrypted sites.
The lower the RTT, the faster the web connection. TLS 1.3 aims for a maximum of 1-RTT, according to engineers.
However, one of the ways TLS 1.3 is being made more secure is to eliminate what engineers call backwards compatibility — the ability of websites using the new standard to be viewed with outdated browsers.
“The need for backwards compatibility allows an attacker to force the [encryption] protocol into an older, insecure, version,” wrote Bruce Schneier in 1998 — the year SSL was first introduced.
Backwards compatibility is at the root of many vulnerabilities in earlier versions of TLS — like the POODLE and FREAK attacks.
To deal with this problem, TLS 1.3 will eliminate many older, less secure, encryption technologies, including RC4 ciphers, SHA-1 hashes and so-called “export grade” ciphers.
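The downgrade and weak-cipher problems described above are what a defender checks for when inspecting a negotiated TLS session. The following is an added example, not code from the article, the IETF working group or any of the companies named: a small Python inspector that parses a TLS ServerHello record, reads the negotiated protocol version and cipher suite, and flags a version below a configured minimum or a suite from the RC4, SHA-1 or export-grade families the article says TLS 1.3 drops. It also reads the supported_versions extension, because a TLS 1.3 ServerHello still carries a legacy version field of TLS 1.2. The cipher-suite table is a short, hand-picked subset of the IANA registry rather than a complete list, and the sample records are constructed by the `build_server_hello` helper rather than captured from real traffic.

```python
import struct

# Hand-picked subset of legacy cipher suites (IANA identifiers); not exhaustive.
WEAK_CIPHER_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5 (export-grade, RC4)",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5 (RC4)",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA (RC4)",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (export-grade)",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA (SHA-1 MAC, no forward secrecy)",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (SHA-1 MAC)",
}

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

HANDSHAKE_RECORD = 0x16          # TLS record content type "handshake"
SERVER_HELLO = 0x02              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # extension carrying the real TLS 1.3 version


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version, suite, compression."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != SERVER_HELLO:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hello[:2])[0]   # legacy_version in TLS 1.3
    pos = 2 + 32                                   # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # skip legacy session id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    compression = hello[pos]
    pos += 1

    negotiated = version
    if pos < len(hello):                           # optional extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_size]
            pos += ext_size
            # In a ServerHello the server selects exactly one version (2 bytes).
            if ext_type == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                negotiated = struct.unpack("!H", data)[0]
    return {"version": negotiated, "cipher_suite": cipher_suite,
            "compression": compression}


def assess(record: bytes, minimum_version: int = 0x0303) -> list:
    """Return human-readable findings for a downgraded version or a weak suite."""
    info = parse_server_hello(record)
    findings = []
    if info["version"] < minimum_version:
        findings.append("downgrade: negotiated %s, below the configured minimum %s"
                        % (VERSION_NAMES.get(info["version"], hex(info["version"])),
                           VERSION_NAMES.get(minimum_version, hex(minimum_version))))
    suite = info["cipher_suite"]
    if suite in WEAK_CIPHER_SUITES:
        findings.append("weak cipher suite 0x%04x: %s" % (suite, WEAK_CIPHER_SUITES[suite]))
    return findings


def build_server_hello(version: int, cipher_suite: int, supported_version=None) -> bytes:
    """Construct a sample ServerHello record (test data, not captured traffic)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, no session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"             # suite, null compression
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "SSL 3.0 + RC4":        build_server_hello(0x0300, 0x0005),
        "TLS 1.2 + AES-GCM":    build_server_hello(0x0303, 0xC02F),
        "TLS 1.3 + AES-GCM":    build_server_hello(0x0303, 0x1301, supported_version=0x0304),
    }
    for label, rec in samples.items():
        print(label, "->", assess(rec) or ["ok"])
```

The check is deliberately a whitelist on the version and a blacklist on a few well-known legacy suites; in a real deployment the suite table should come from the full IANA registry and the minimum version from policy, and the same parser can be pointed at a packet capture rather than constructed records.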
“I think we will see far fewer vulnerabilities and we will be able to trust TLS far more than we have in the past,” concluded Cigital’s Jesse Victors.
Can bug bounty programs solve the cybersecurity workforce shortage?
As cybersecurity becomes top of mind for organizations across the country, more are turning to bug bounty programs as a cheap and effective way to find vulnerabilities that lurk in their systems. From car manufacturers and financial services firms to the Department of Defense, the practice of paying out bounties for bug fixes is catching fire.
FedScoop recently sat down with Bugcrowd CEO Casey Ellis to get insight into how his company is handling the growing trend, where he sees the market moving and how he is making sure the researchers attracted by his company’s programs don’t break the law.
___________________________________________________________________________
FedScoop: These bug bounty programs are growing in popularity. Why do you think that has come about?
Casey Ellis: What we’ve seen through our company and through our platform, as well as on other platforms and just people doing it themselves, is an acceleration in launches over the past three to four years. The other thing is the spread from technology companies and traditionally early-adopting organizations to the broader market.
We recently launched programs with Fiat Chrysler and MasterCard. You are starting to see these organizations that you wouldn’t necessarily say are adopting the Facebook or Google model. The core issue that people are realizing is that they are more vulnerable than they are being told. This is a really effective way to get better results. More issues, more creative impact, more eyes on targets and, ultimately, reduced risk.
The other thing is that there are just not enough people around, so there’s this sense of — especially out here on the East Coast — we’re having a lot of conversations where the backdrop is just the resource shortage. The way a distributed resourcing model, like a bug bounty program, works is it gives people easier access to more talent to solve problems that they are actually unable to hire for.
FS: How have you seen the landscape change since the Pentagon ran its bug bounty program?
CE: Hack the Pentagon as a pilot was fantastic because it proved two things: It proved that the Pentagon had vulnerabilities, and it proved that the crowd was able to find them. As a pilot, I was really happy that all went down. We’ve had conversations with all sorts of government departments, DOD included. What we’re also seeing is governments in other countries reaching out and saying, “We didn’t think governments were going to do it for a little while yet, but it seems that they’re making a run at it, so maybe it’s time for us to start talking about it, too.”
FS: One of the alleged participants in the Hack the Pentagon program was arrested and charged with stealing data from the home email accounts of top U.S. security officials. Sometimes, in these bug bounty programs, people want to stay anonymous. Yet, companies are naturally going to worry about opening their networks to the masses. How do you balance the trust factor with each side?
CE: What we do is we use the public programs to attract and onboard people to the platform. Once they’re in there, there are four things that we assess: What kind of skills do they have, what kind of impact are they capable of, what kind of activity are we going to see from them, and the fourth … is trust.
The way that we assess trust over time really comes down to their behavior. We’re looking for their behavior on or off platform: How they interact with the programs that we run, how they interact with our team, and so on. There are a bunch of data points that we collect and, basically, feed into a scoring system.
The goal is to figure out if [the community] has people we can trust for the clients who have trust requirements. As you’d imagine with 37,000 hackers, some of them understand that you have to wear a suit and tie to work, others don’t. The ones that don’t, they’re more than welcome to participate on the public programs and even some of the private ones where there’s a low level of trust. Once we start getting into more critical situations, we need to be able to tell the client that we’ve done our homework on who these people are and have a degree of certainty that they’re going to behave themselves.
Beyond that, we’ve got identity verification, background checking, and we’re starting to get into a position where we’re checking for clearances. Essentially, we’re mapping the community to make sure that we can deploy them appropriately to the types of things that are being asked of us from the customer.
FS: So the arrested hacker listed on his LinkedIn page that he was an employee of Bugcrowd and HackerOne. I want to talk about that designation a little bit. Do you welcome the public to consider themselves a researcher on your company’s behalf?
CE: If you look on LinkedIn, we’ve got 600 employees. That’s clearly not true at this point. The researchers are doing the work. They’re either aspiring to be associated with what we’re doing, or they’ve built some sort of credibility on their profile page and they’re wanting LinkedIn to know about it.
In terms of encouraging it, frankly, we do. In [the arrested hacker’s] case, obviously, it’s been awkward, especially for HackerOne and for the Hack the Pentagon project. They asserted a level of trust to the people that they were bringing in. We checked out this guy and he’s only participated in our public programs — we haven’t invited him to anything private. He’s now very much blacklisted on the platform.
That’s one of those things where if [malicious hackers] are going to associate with us, there’s nothing we can really do to stop that. I think in the absence of having full control over it, it’s like, [list us as an employer], because if you’re proud of us then that’s a transitive pat on our back. That creates potential for situations like this, but we’re a crowdsourcing company. It gets a little messy sometimes.
FS: Can you give us a little more detail on how the Fiat Chrysler program came about?
CE: For them, it’s very much about access to people that have automotive hacking skills, because over the past four years, the connected vehicle has become a 2-ton mobile phone. Basically, you’ve got an industry that’s used to evolving at the pace of automotive manufacturing. They’re pretty progressive, but you’re building a car — you can’t change things that quickly. Now, all of a sudden it has to become more convenient at the speed of the internet, because that’s what their customers expect.
You’ve got this product team that’s used to moving at car speed, and then another one that now has to move at internet speed. Then, you’ve got to figure out how to draw a ring around the whole thing and make it safe, which is the part where this is like, “Whoa, that’s a little disconnected from our core safety things that we do with vehicles.”
I think Fiat Chrysler, once they were done taking a deep exhale moment after all the Jeep hack stuff went down, got pretty busy thinking about how they can engage that model proactively. That’s really when we got involved. I think the program itself is phenomenal. They’re great to work with. This whole idea of automotive cybersecurity, and seeing this move from websites and software to stuff now that’s critical to safety, that’s a whole new chapter and automotive is really spearheading that.
FS: What other industries are going to follow?
CE: Actually, it’s funny, I called it at Billington in Detroit that [medical device security] would go next, and then critical infrastructure would come after that. I think critical infrastructure definitions start to get pretty difficult with this stuff. Because what is critical infrastructure? Are we talking about a dam or are we talking about a building management system that runs an elevator? Both of them can kill people, but you’ve got corporate level responsibility for one, and state or federal for the other. We’ve had more interest from the medical device community. Critical infrastructure is starting to chat with us, but I would say that one’s still pretty early.
FS: So the bug bounty company space is pretty volatile right now. Your company and HackerOne seem to be the big ones on the block, with startups nipping at your heels. Do you get a sense of rivalry or is everyone in this space in it for the common good of protecting the internet?
CE: It’s interesting, because I consider HackerOne “frenemies,” in the sense that we have a common goal of basically finding vulnerabilities and killing them off, and making the internet more resilient. Then the adjacent goal to that is keeping researchers out of jail, and giving them the opportunity to be productive and interact with the vendors. That part we share.
We get locked in mortal combat over accounts every now and then. We actually have very different models, so in terms of the value that we provide, it looks similar from the outside, but once you get under the hood, it’s very different. The way I look at it is, the opportunity is bigger than both of us combined. Ultimately, if we’re the only ones doing this, I’d be questioning whether or not I was crazy. There’s validation there in the competition. I think for the sake of a healthy marketplace, competition is actually a good thing.
This interview has been edited for length and clarity.
Administration asserts role in regulating autonomous vehicles
Editor’s note: This article has been updated to reflect comments from a DOT press conference after initial publication.
The Obama administration clearly defined its role in regulating autonomous vehicles Tuesday with a new federal policy outlining the relationship between state and federal laws for driverless cars.
The policy, most of which went into effect with publication, “sets out an ambitious approach to accelerate the [highly automated vehicle] revolution,” according to the document. It outlines a vehicle performance guide, a model for state policy and current regulatory tools available, as well as future tools the National Highway Traffic Safety Administration could consider seeking.
That agency said in the guidance it expects to build on the policy by further researching areas such as cybersecurity.
The federal government’s responsibility with driverless cars will be mainly setting standards for vehicles and their equipment, including software, as well as managing recalls. States would continue licensing human drivers, and enforcing traffic safety laws and regulations.
“Regulation can go too far,” President Barack Obama wrote in an op-ed Monday. “Government sometimes gets it wrong when it comes to rapidly changing technologies. That’s why this new policy is flexible and designed to evolve with new advances.”
NHTSA Administrator Mark Rosekind noted at a press conference announcing the policy Tuesday that Transportation Secretary Anthony Foxx’s “vision and strategy, his charge to us, was to create a path for a fully autonomous driver with different designs than what we have on the road today.”
If people look to the policy, Rosekind said, it provides that path.
Obama’s editorial touted the potential of self-driving cars to prevent deadly crashes — 94 percent of which are caused by some human error.
“Autonomous vehicle technology, and specifically the driverless cars, can absolutely be a game changer in behavioral traffic safety,” Colleen Sheehey-Church, national president of Mothers Against Drunk Driving, said at the event Tuesday. “Driverless cars have the potential to eliminate drunk, drugged and drowsy driving.”
In his editorial, President Obama also noted that driverless cars could provide transportation options to senior citizens or the disabled.
At DOT’s press conference, Henry Claypool, policy director at the Community Living Policy Center at the University of California-San Francisco, applauded the administration for bringing a focus on enabling underrepresented groups to use driverless cars as well.
“Autonomous vehicles have the potential to improve the lives of millions of Americans, like me, who because of a disability, age or other condition, are not able to enjoy easy access to personal transportation,” Claypool said.
He added: “In particular, the policy that passengers in fully autonomous vehicles would not be required to have a driver’s license is a critically important step. National leadership is required to set a tone of inclusion and prevent discriminatory policymaking at the state and local levels.”
Under the new state policy model, states were told that autonomous vehicles at the top two levels — SAE International levels of automation four and five — would not require a licensed human driver.
Other groups have reacted positively to the policy. Gary Shapiro, president and CEO of the Consumer Technology Association, called the policy “a welcome approach to avoid patchwork laws.”
An official of the Self-Driving Coalition for Safer Streets (created by Ford, Google, Lyft, Uber and Volvo Cars) called the policy “an important step forward in establishing the basis of a national framework for the deployment of self-driving vehicles.”
“We support guidance that provides for the standardization of self-driving policies across all 50 states, incentivizes innovation, supports rapid testing and deployment in the real world,” David Strickland, coalition spokesperson and general counsel, said in a statement.
And in a blog post, Information Technology Industry Council Vice President Vince Jesaitis wrote: “While we are still fully digesting the new guidance, it appears to take some very positive steps to provide certainty for the private sector to move forward and increase the commitment of significant resources needed to usher in the life-improving benefits this transformational technology offers for safety, efficiency and quality of life.”
The new policy also recommends automakers conduct a voluntary 15-point safety self-assessment for autonomous cars to “certify that their vehicles are ready for public roads.” The assessment covers areas such as data recording and sharing, vehicle cybersecurity, and ethical considerations.
While that self-assessment is voluntary for now, Foxx noted DOT intends to possibly change that in the future.
“We do expect that companies will want to engage with us on that 15-point assessment, much in the same way that folks want to engage with us on the NCAP [New Car Assessment Program] standards,” Foxx noted. “It’s a good business practice for them, and frankly, it provides some assurance that they’ve thought comprehensively about safety.”
But the policy also suggests other routes NHTSA could consider, such as pursuing pre-market approval authority. It could inspect and approve new technologies before they go to market instead of leaving certification up to automakers, or have a hybrid approach that combines both the self-assessment and pre-market approval, the policy explains.
A senior DOT official said choosing to regulate through pre-market approval or the hybrid approach would be a “very significant change that would have implications both for how vehicles are regulated but also for the resources of the agency.”
DOT is seeking public comment on the policy and plans to get input through public outreach efforts. The department expects to update the policy annually, Foxx said at the press conference.
Feds more satisfied, engaged for 2nd straight year
Federal employees are more engaged and more satisfied for the second year in a row, according to the Office of Personnel Management’s annual survey of employees governmentwide.
The government as a whole saw one-point increases in both categories — scoring 61 percent for global satisfaction and 65 percent in employee engagement — after a four-year downturn prior to 2015.
OPM’s Federal Employee Viewpoint Survey is an important tool for agency managers to gauge the mindset of their workforce and improve their recruitment strategies for positions that are typically seen as less attractive than those in the private sector.
“This FEVS data provides agency leaders with valuable information they can use to evaluate current procedures, while encouraging their front-line supervisors to further engage and mentor their employees,” OPM acting Director Beth Cobert said in a release. “We know that employee engagement drives performance and engaged and motivated employees are essential to the health of the Federal workforce.”
OPM released the initial two data sets on its UnlockTalent.gov website, a data visualization dashboard for the annual survey’s results. OPM will release more data from the survey later this fall.
A standout in this year’s survey because of its poor results in past years, the Department of Homeland Security saw a three-point jump to 56 percent in employee engagement after six straight years of decline.
DHS Secretary Jeh Johnson said that swing back in the right direction has a lot to do with his employees’ dedication to the department’s mission of protecting the nation from outside threats.
“I am incredibly proud and pleased at this year’s FEVS results, but there is something more important to know: Year after year our employees continually tell us in surveys that they understand the importance of their homeland security mission and are willing to do whatever it takes to get the job done,” Johnson said. “This week, for example, thousands of our personnel are working overtime for the security of the United Nations General Assembly in New York City. This week and every week, our people protect the American people and their homeland, in the air, on land, at sea, and in cyberspace.”
Though DHS’ improvement was “the largest increase of any cabinet department our size,” Johnson said, it still falls below the government average and far behind governmentwide standouts like the Federal Trade Commission (82 percent), NASA (80 percent), and the Office of Management and Budget (78 percent), which lead large agencies in the engagement category.
For global satisfaction, OMB (79 percent), NASA (78 percent), and the Securities and Exchange Commission (77 percent) lead large agencies.
Small agencies tend to score better in employee engagement and satisfaction, likely because of the less bureaucratic nature of their organizations. Employees at the Marine Mammal Commission absolutely love their jobs (96 percent) and are very engaged (92 percent). The same can be said for those at the Occupational Safety and Health Review Commission, which received ratings of 87 percent and 90 percent for satisfaction and engagement, respectively.
Leaked NSA cyber weapons were more damaging to Cisco than originally thought
Though more than a month has passed since a mysterious group leaked a toolset of supposedly NSA-linked cyber weapons online, the impact of the disclosure is still being felt by one of the largest companies affected by those exploits.
On Friday, internet network technology developer Cisco published yet another security advisory concerning a newly discovered software vulnerability.
Researchers at the company were prompted to scan Cisco’s IOS, IOS XE and IOS XR products for flaws shared with one that was also found to affect older versions of a popular firewall appliance. That firewall software flaw — present in older versions of Cisco PIX — was first publicized by a hacking collective calling themselves the Shadow Brokers on Aug. 15.
Cisco has yet to deploy a patch for the IOS flaw, but it has already released IPS signatures and Snort rules as part of a risk mitigation effort. The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, while all IOS XE releases and various versions of IOS are impacted.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests,” Cisco wrote in its advisory. “An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests.”
Cisco’s IOS product line offers network infrastructure software, which is used in a range of different routers by commercial and enterprise clients.
“Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENIGNCERTAIN, which the PIX IKE exploit[ed],” Omar Santos, a principal engineer on Cisco’s Product Security Incident Response Team, or PSIRT, told FedScoop.
“It is not exactly the same as BENIGNCERTAIN, but could lead to the same end results,” he added.
The newly found vulnerabilities hidden in the IOS product line were discovered by an internal security testing team at Cisco, according to Santos.
BENIGNCERTAIN works by sending “an Internet Key Exchange, or IKE, packet to the victim machine, causing it to dump some of its memory. The memory dump [could] then be parsed to extract an RSA private key and other sensitive configuration information,” security researcher Mustafa Al-Bassam wrote.
Cybersecurity firm Kaspersky previously linked the BENIGNCERTAIN tool to the Equation Group, an elite hacking squad with reported connections to the NSA.
Agencies overstate use of incremental development — audit
Several agencies overstated how many of their software development projects would deliver incremental functionality every six months, according to a government watchdog.
The Office of Management and Budget mandates that agencies use incremental development practices on major IT investments. And while 22 agencies reported on the IT Dashboard that 64 percent of their software projects in fiscal year 2016 would deliver such functionality within six months, an audit of seven departments revealed only about half of their projects actually did.
In one striking disparity, the Commerce Department reported on the IT Dashboard that 93 percent of its software development met the incremental development threshold, but during the audit it told the GAO that only about half of its projects delivered functionality within six months.
Delivering 93 percent of software development projects incrementally would make the department “world class,” said Dave Powner, director of IT management issues at GAO and lead on the audit. He told FedScoop the Commerce Department’s data “didn’t look quite right” initially.
“There’s a lot of attention on incremental development; it’s not totally where we want it to be,” Powner told FedScoop. “Probably the self-reporting is a bit overstated.”
The idea of incremental development is to break up big investments into smaller projects with capabilities rolled out every six months, he said. Incremental development can help government avoid the pitfalls of investing billions in something that ends up delivering nothing.
The GAO also noted in a letter accompanying the report that it put the “management of IT acquisitions and operations” on its high-risk list in 2015.
“We want the reporting on the dashboard to be as accurate as possible,” Powner said.
Due to the data disparity, the GAO recommended all seven agencies update their data for better accuracy and asked OMB to clarify guidance “regarding what IT investments are and are not subject to requirements on the use of incremental development and how CIOs should report the status of projects that are not subject to these requirements.”
Department officials, however, told the GAO “management and organizational challenges and project complexity and uniqueness impact their ability to deliver incrementally.”
Powner said complexity and uniqueness of projects are two reasons why agencies actually should deliver incrementally.
“Each agency has these mission critical things that are unique, complex, but those are even more reasons why we want to break them into small manageable chunks,” he said.
GAO also noted that some of the seven departments do not have a process for their CIOs to certify that major IT investments use incremental development practices as required.
The departments of Education, Treasury, and Health and Human Services said they were working on establishing such processes, while the Defense Department doesn’t have an explicit process and, according to the report, doesn’t “intend to institute a separate process for the CIO to certify incremental investments because the department believed that its existing processes were sufficient to ensure that investments were appropriately implementing incremental strategies.”
In its recommendations, the GAO asked the four departments without finalized policies to establish them.
GAO will continue looking at the CIO certification process in its upcoming research, Powner said.
“There’s going to be a lot more to come,” he said.
Ultimately, he noted, it’s not about the process but about getting more projects functional in a shorter period of time.
“The bottom line is we just don’t want these waterfall approaches where we’re spending years and years and not delivering anything,” Powner said.