Bid protest of GSA’s $50B telecom deal dismissed
A bid protest on the General Services Administration’s forthcoming $50 billion telecommunications contract vehicle has been dismissed, according to officials and documents Friday.
Mary Davie, the assistant commissioner for the Office of Integrated Technology Services in GSA’s Federal Acquisition Service, revealed in a tweet that the bid protest — filed by Staten Island, New York-based Compuline International prior to the Feb. 22 deadline for proposals on GSA’s Enterprise Infrastructure Solutions contract — had been dismissed by the Government Accountability Office.

EIS is GSA’s next-generation telecom contract follow-up to its extremely popular Networx vehicle. Part of the agency’s Network Services 2020 strategy, EIS is set to be even bigger than its predecessor, and draw more competition and business into the marketplace with a range of offerings, like voice, video, cloud, network and data transport services.
In Compuline’s filed protest, it took issue with GSA’s requirement that bidders use the agency’s System for Award Management to submit their bids, because for years the company’s properties have been denied access to SAM, it claimed. Compuline asked to be allowed to submit its proposal instead by email or on thumb drives.
GAO dismissed the protest because Compuline filed comments on GSA’s protest report on April 5, missing the March 28 deadline for comments, according to the decision from Susan Poling, GAO general counsel.
At this point, GSA is still in the process of evaluating EIS proposals. Davie said she hopes soon to update GSA’s Interact platform community page for the EIS contract with an updated timeline so vendors will be able to plan for next steps.
Workshop plots evolution of NIST Cybersecurity Framework
One of the most important cybersecurity initiatives of the entire Obama administration may change over the next couple of years, but not by much — and for officials at the National Institute of Standards and Technology, that’s a good thing.
NIST convened over a thousand people at its Gaithersburg, Maryland campus this week for a workshop to discuss proposed changes and updates to its Cybersecurity Framework — as more and more companies and other organizations adopt it as a guide to getting their own cybersecurity right.
The standards agency put out an RFI last December to learn how organizations are sharing framework best practices, what parts of the framework are utilized more than others and what sections need to be updated.
“Based on the responses and discussions [around the RFI], there are opportunities to make small changes, clarifications, and maybe to expand some areas where it could be appropriate … versus a framework 2.0,” or a complete overhaul, NIST Chief Cybersecurity Adviser Donna Dodson told FedScoop.
Dodson and other officials said Wednesday the diversity of the 105 organizations that responded surprised them, given that the framework was originally geared toward protecting critical infrastructure. Submitted comments ranged from aerospace company Boeing to telecom giant AT&T, to trade groups like CompTIA and NASCIO.
“The diversity really blew us away,” said Michael Barrett, the program manager for the framework.
Even with the wide range of organizations that offered suggestions, Dodson said the main goal of gathering feedback was to make sure the best practices detailed in the framework can be applied across a wide range of organizations.
“Best practices are critical to the goal we are all working toward to achieve stronger cybersecurity across the nation,” Dodson said. “I think that’s a really important topic and one that we as a community we need to continue and discuss and think about.”
The disparate ways the country is using the framework were on display Wednesday, as a panel featuring the U.S. Coast Guard, the American Petroleum Institute and various energy companies talked about how they have used the NIST framework as a catalyst for their work protecting the industrial control systems on tanker ships.
Stakeholders have been working to create a system that manages the cybersecurity risk related to bulk fuel tankers, with the U.S. Coast Guard facilitating discussion due to their responsibility for protecting critical maritime infrastructure.
“Everybody has a good understanding of what the risks are associated with physical security. We’ve done a very good job of mitigating this risk. With cybersecurity, there isn’t as much of an understanding,” said Verne Gifford, Director of Inspections and Compliance for the U.S. Coast Guard. “A lot of times, those things aren’t handled at a corporate level. It’s at a much lower level. We are addressing risk and assessing what vulnerabilities are out there and making a plan on how to mitigate them.”
NIST’s Don Tobin said projects like this show how the framework is closing the gap between tech-minded people and the C-suite.
“A lot of the time in the IT/infosec community, we forget that we are there to support some kind of mission, whether it’s on the side of generating profits or to protect the systems,” Tobin said. “There’s usually a disconnect between the IT side and the mission side on what we are trying to do.”
Closing that disconnect goes along with what NIST was trying to accomplish in the latest RFI. Despite some comments calling for NIST to hand over framework management to a third-party or rework the document altogether, Dodson said NIST doesn’t expect big changes in coming months.
“I think based on the RFI responses and conversations we’ve heard, we haven’t seen anything that leads us to believe an overhaul is needed or required,” she said.
More than handing over control, NIST wants to continue pushing the changes that will continue to make the framework effective in protecting the country’s digital assets.
“We do not envision saying ‘Okay, we have this workshop and now we are finished with the framework,’” Dodson told FedScoop. “How do we continue working with industry and making sure that the purpose of the framework is critical infrastructure, but stay very excited to see it work for other business sectors. That’s a great thing. How do we make sure that industry leadership in its development and use continues and evolves over time?”
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.
Marine Corps pilots faster Windows 10 transition
After a monthlong pilot of its mandatory move to Microsoft Windows 10, the U.S. Marine Corps said it is confident it will complete the transition prior to the deadline next year.
Earlier this spring, the Marine Corps Systems Command launched a test run of Windows 10 in a variety of the Corps’ end-user computing environments — some regularly connected to the garrison network and others that aren’t — to assess the systems’ varying needs. The MCSC conducted the pilot simultaneously in four regions — East, Reserves, National Capital Region and Headquarters Marine Corps — testing its virtualized image of Windows 10, according to a release.
The pilots follow some public doubts from senior marines earlier this year about the corps’ methodology for the transition.
“We targeted 500 clients (125 for each region),” Jeff Wiley, assistant product manager for engineering with Marine Corps Network and Infrastructure Services, said in the release. “We deployed one Marine Corps Client Microsoft engineer and one MCSC engineer to each site, and they worked with the pilot groups to identify their varying needs and how to best address them.”
Deputy Defense Secretary Bob Work issued a memo in February ordering a rapid move by all elements of the huge department to a Windows 10 Secure Host Baseline by Jan. 31, 2017. The U.S. Cyber Command will lead the implementation. “This decision is based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment,” Work wrote Feb. 26.
With the results of the pilots, the Marine Corps will work to get its Windows 10 image accredited and develop a checklist of how it will facilitate its roll out, either by upgrading software on capable machines or cycling in new systems that can support it.
The latter is a big concern for the Marines, because tens of thousands of devices will need to be replaced before moving to Windows 10.
“With the accelerated timeline we’re expecting to upgrade more than 50,000 devices in FY16,” said Je Lee, product manager for Marine Corps Network and Infrastructure Services. “This compresses almost three years of tech refresh into only six months.”
Earlier this year, however, a top Marine expressed his personal doubts on the transition.
“Windows 10 is huge. It’s going to have some significant security advantages for us,” Ron Zich, executive assistant for command, control, communications and computers at the Marine Corps headquarters, said at a January AFCEA NOVA luncheon. “The Marine Corps is all in on getting it done. If you asked me today, ‘Can we get there?’ [The answer would be:] Absolutely. We just don’t know how yet.”
The issue for the Marine Corps, Zich explained, is the growing number of systems — he said it could be upward of 130,000 — that would need to be updated combined with the complexity of multiple interconnected networks and machines.
“Sounds simple enough, if I had to do it at home,” Zich said. “But we’ve got 90,000 unclassified computers, probably another 30,000 tactical computers, we have programs and records, think of every sort of vehicle — everything is connected now, so how do I do this?”
But with the results of the pilot and an aggressive plan in place, the Marines seem to believe they will meet the deputy secretary’s accelerated orders.
“Implementing Windows 10 servicewide has been on our radar for some time,” Michael Cirillo, cyber lead for Marine Corps Systems Command, said this week. “The compressed timeline just speeds up the process for full implementation, making us more secure sooner.”
Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.
Sen. Warner wants updates on agencies’ DATA Act progress
The author of the Digital Accountability and Transparency Act wants an update from federal agencies on how they are implementing the 2014 law’s mandate to make their budget data machine readable.
Sen. Mark Warner, D-Va., issued a letter Wednesday to more than 35 federal agencies asking if they are on time with the law’s deadlines, how much they have spent on fulfilling the law’s mandates and what budgetary or other resources would be needed to close any additional gaps.
“I recognize the challenges that ongoing implementation of the law may present for agencies, including budget constraints, dependence on government-wide guidance from the Office of Management and Budget and the Department of the Treasury, and the complexity of incumbent systems and business processes,” Warner writes. “However, by prioritizing implementation of the law and fully leveraging its potential, I believe that the opportunities for your agency outweigh these challenges.”
The law sets a deadline of May 9, 2017, for agencies to make their financial, budget, payment, grant and contract data machine readable when published to USASpending.gov, the federal government’s hub of publicly available financial data. The data would allow the public to track money through multiple points of the spending process, from appropriation to awards to dissemination, and to easily incorporate it into software applications that can then be used to track government spending.
The Treasury Department and OMB have been working with agencies through various deadlines and pilot programs over the last year. Treasury has been updating progress through an open beta on USASpending.gov. Meanwhile, the Department of Health and Human Services is in the middle of a two-year pilot to test how data standardization will work across agencies.
Despite this work, the Government Accountability Office issued a report in January saying the Obama administration has to do a better job of tightening data standards and issuing technical guidance related to the act. Additionally, Gene Dodaro, Government Accountability Office comptroller general, told the Senate Budget Committee Wednesday that federal financial data is still unreliable.
“If a publicly-owned company on the stock market was unable to be audited because of the poor conditions of its records, investors would run away from it. But we can’t run away from a government in which we are all stakeholders. This is an enterprise in which we — and our children — are all invested,” Sen. Mike Enzi, R-Wyoming, said in a release.
“Passing legislation is just the first step, and I will continue to press administration and agency officials to move forward to effectively implement and fully leverage the results of this powerful new tool for fiscal transparency,” Warner said in a statement Wednesday.
Read Warner’s full letter below.
As you are aware, on May 9, 2014 President Obama signed into law the Digital Accountability and Transparency (DATA) Act of 2014 (Pub.L. 113–101), which I introduced in Congress. When fully implemented the DATA Act will create transparency for federal funds, set government-wide financial data standards, reduce recipient reporting requirements, and improve overall data quality. The efforts of individual federal agencies are essential to achieving the aims of the law, and I write to bring attention to those efforts at your agency.
The DATA Act presents both challenges and opportunities for federal agencies. Improving the quality and completeness of spending data, including by fully linking financial and account data, will enable agencies to improve internal management and to target resources for maximum impact. While data informs policy making and financial decision-making in government, as well as for external stakeholders, without consistent data standards these decisions are often made in the absence of some existing information. I also recognize the challenges that ongoing implementation of the law may present for agencies, including budget constraints, dependence on government-wide guidance from the Office of Management and Budget (OMB) and the Department of the Treasury, and the complexity of incumbent systems and business processes. However, by prioritizing implementation of the law and fully leveraging its potential, I believe that the opportunities for your agency outweigh these challenges.
I appreciate your efforts thus far to implement the DATA Act and fully leverage this potential. To date, agencies should also be adhering to the steps outlined in the DATA Act Implementation Playbook issued by the Department of the Treasury, and to other guidance issued by Treasury and OMB. Leading agencies have issued individual implementation plans in line with OMB guidance, formed DATA Act teams, participated in government-wide deliberations on standards, developed an inventory of data, identified systems containing relevant data, and assessed needed policy and technical changes. Crucially, your agency should also have designated a DATA Act lead, a senior accountable official responsible for planning and implementing changes to systems and business processes, determining how best to map data elements from existing systems to the DATA Act Schema, and overseeing the testing and submission of data. By learning from best practices at leading agencies and providing adequate funding for implementation, your agency can leverage these requirements for better internal management and overall governance in the long term.
I remain strongly committed to robust oversight of DATA Act implementation and to ensuring that federal agencies are able to fully implement this crucial law. To that end, I would appreciate you sharing the following information with me:
1 – What resources has your agency spent on implementation of the DATA Act to date? Does your agency have any existing contracts aimed at facilitating implementation?
2 – Has your agency issued a DATA Act implementation plan in line with the DATA Act Playbook? If so, please share this plan with me.
3 – How has implementation to date varied from your expectations, and what challenges have you encountered?
4 – What resources does your agency anticipate needing in order to fully implement the DATA Act moving forward?
If I can be of assistance in addressing implementation challenges at your agency, please contact my office at 202-224-2023. Thank you again for your efforts to prioritize the implementation of the DATA Act and to fully leveraging the potential of this exciting opportunity to transform federal spending and governance.
Sincerely,
Mark R. Warner
United States Senator
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.
GSA targets tech startups with simplified schedules process
The General Services Administration wants to make it easier for small tech startups to do business with the government through its largest IT contract.
GSA introduced a collection of new programs Thursday under an initiative dubbed Making It Easier, which will simplify the language around its IT Schedule 70 offer process to new vendors, and ease the burden for those innovative up-starts to get on board the acquisition vehicle.
GSA Administrator Denise Turner Roth explained in a blog post the predicament GSA faces with on-boarding new companies to the schedules.
“Every year, tens of billions of dollars go through GSA’s Multiple Award Schedules — and we’ve heard time and time again from the vendor community that getting a Schedule contract is too hard and it takes too long,” Turner Roth wrote. “And then once you’re there, it can be difficult to make changes to a contract.”
FedScoop previously reported on GSA’s efforts to use plain language and increase access to its Multiple Award Schedules program, presented during a March agency industry day focused on the MAS transformation, an effort to bring improvements to the long-term governmentwide contracts that provide more than 25 million products and services to agencies with shorter procurement times and lower administrative costs.
“Imagine contracting that uses plain language English,” Judith Zawatsky, GSA’s program manager for the Multiple Award Schedules transformation, said in March. “We really need to help our partners understand how to do business with us.”
With that in mind, GSA created a plain language roadmap for IT Schedule 70, which “does a wonderful job of explaining the Schedule 70 offer process for new vendors in clear and simple terms,” Turner Roth said. Likewise, those vendors new to the schedule will receive a new standardized welcome package to explain what comes next.
It usually takes IT companies 110 days to get on Schedule 70. A new program called FASt Lane will reduce that to 45 days, and cut the time it takes to modify their existing contracts to just one or two days.
Another tool, the IT Schedule 70 Startup Springboard, will offer an alternative to younger companies that don’t meet the schedules’ two-year professional experience requirement. Instead, those innovative companies use the professional experience of their executives or key personnel, the project experience of key personnel, or documentation that demonstrates the company’s financial responsibility.
“This initiative will make it easier for these companies to get access to over $15 Billion in annual federal, state, and local IT opportunities,” according to a rundown of the new tool.
GSA preps launch of IT services contract for disabled vets
The General Services Administration is gearing up to launch the $5-billion successor to its governmentwide vehicle featuring IT services from veteran-owned businesses later this month.
GSA’s Office of Integrated Technology Services posted the pre-solicitation for its Veterans Technology Services 2, or VETS 2, governmentwide contract to FedBizOpps Tuesday, announcing that the actual solicitation will go live on or after April 21.
According to the pre-solicitation, GSA intends to make awards under the vehicle — which offers IT services provided by service-disabled, veteran-owned small businesses — sometime in 2017.
The initial $5 billion VETS contract, launched in February 2007 with a period of performance expiring Feb. 1, 2017, listed 44 vet-owned businesses offering customized IT services. VETS 2 will feature a similar structure of a five-year base period with a five-year optional extension, again with a $5 billion ceiling.
In October, GSA issued a draft solicitation for VETS 2, allowing potential bidders to help shape the eventual contract with their feedback.
Many agencies used the original VETS contracts for their custom IT needs. According to GSA, the Department of Veterans Affairs worked with a vendor on the contract to build a network to deliver wireless communications across 300 VA sites. Veteran-owned small businesses on the vehicle also provided around-the-clock help desk support to the Air Combat Command and supported the $97-million contract for the Next Generation Radar network, operated by the National Weather Service, the Federal Aviation Administration and the Air Force.
U.S. officials: World needs to follow our lead on cyber norms
Even as the U.S. government shores up its own beleaguered cyber defenses, its officials are touting their progress setting cybersecurity standards — saying the rest of the world should follow the U.S. to protect itself online.
Two U.S. officials — Deputy Homeland Security Secretary Alejandro Mayorkas and State Department Coordinator for Cyber Issues Chris Painter — implored a roomful of global cybersecurity experts at the Billington International Cybersecurity Summit Tuesday to examine the various security frameworks and legislation the U.S. has crafted and use them as a model for their home governments.
In remarks at the National Press Club, Mayorkas touted the National Institute of Standards and Technology cybersecurity framework as a document that has lifted cybersecurity awareness in private companies, showing how companies should communicate and build accountability when it comes to mitigating threats.
“I would encourage those of you in the private sector, domestically and internationally to think of this framework as a framework of accountability,” he said. “To understand that the cure of one should be the cure for many. When one sees a competitor suffer, one can look at their watch and tick off the seconds until the same harm can be met on the threshold of one’s own company.”
He also talked about the department’s recently launched Automated Indicator Sharing platform, which takes advantage of new information sharing legislation passed as part of the massive omnibus funding deal last year. The new law grants companies liability protection if they share threat indicators. Mayorkas framed this effort as a collaborative one that protects not just various parts of the economy, but the entire online environment.
“The legislation that was passed at the end of this past year will greatly facilitate that effort because it protects liability and provisioning of information,” he said. “The sharing of information we advocated … is critical to the framework of enhancing the security of the cyber ecosystem.”
For his part, Painter highlighted progress made in the administration’s efforts on a global level, touting President Barack Obama’s international strategy for cyberspace as a way for countries to create what he calls a “peaceful cyber environment.”
“One of the real transitions I’ve seen, people thought of [cybersecurity] as a tech issue whereas now it is thought of as a core issue of national policy, a core issue of foreign policy,” Painter said.
He also talked about more recent efforts like the planned ICANN transition and the agreement at the November 2015 G-20 meeting that curbed theft of intellectual property as moves toward international standards for behavior on the internet — crafted by the community that runs the global network.
“This is the idea that the internet, for it to do the things that we really want to do, that it’s not just on the governments to figure this out, but it’s governments, the private sector, civil society, academics, internet wise guys, people who really know these things,” Painter said. “That’s how the internet has grown up. That’s a foreign concept for a lot of governments who are used to controlling this. If governments controlled the internet, we would not have this explosion we’ve had, we would not have the penetration we have.”
Even with the progress that Painter sees, he knows security efforts will have to be fluid if the world is to keep up with ever-changing threats.
“All of these things are non-static. All of these things need to be built on. As much as we have been able to accomplish in the past five years, we have to build on all of that activity,” he said.
“This is not an issue that is going to slip off the front page. The threats are going to be there. We also need to make sure we have the policies and we are working together to implement them.”
Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.
Underwriters Laboratories rolls out Cybersecurity Assurance Program
Scientific safety organization Underwriters Laboratories, whose trademark “UL” insignia can be found adorning the labels of most modern household appliances, launched a new set of standards to assess cybersecurity in connectable devices — with the particular goal of safeguarding critical infrastructure.
The announcement Tuesday comes as technology research firm Gartner has predicted that up to 50 billion connected devices will be in use by 2020. According to Anura Fernando, Global Principal Engineer, UL, this explosive growth of the Internet of Things underscores the need for a cybersecurity baseline — something he said UL’s new Cybersecurity Assurance Program will facilitate.
“Malicious users have become all too prominent across many industry sectors,” Fernando told FedScoop. “As we looked at places where, traditionally, UL products have found themselves, it has been close to critical national infrastructure. CAP is a response to the natural evolution of technology, the unfortunate evolution of people’s behavior as they interact with that technology, and a fundamental need across the nation to protect critical infrastructure.”
UL developed CAP in response to outreach from the White House, whose Cybersecurity National Action Plan calls for a proactive solution to critical infrastructure vulnerabilities. Through collaboration with government organizations like the National Institute of Standards and Technology, as well as public-private partnerships like the Software and Supply Chain Assurance Forum, UL identified the best practices and standards that emerged across industries and compiled them into a testable set of criteria for new technology.
Although UL is known primarily for its safety testing, Fernando said that the leap to security has been ongoing.
“Many people think of us as strictly a safety company, but for many decades we’ve been dealing with a variety of aspects of security, ranging from physical security — looking at things like safes — to ATMs and embedded card chips,” he said. “With an increasing prevalence of embedded software, we’ve seen that that software has to be very carefully scrutinized and evaluated.”
According to Fernando, the launch of CAP will encourage developers to bolster their cybersecurity efforts.
“There are products going off manufacturing lines with malware already in them, or malware vulnerabilities already in them — sometimes due to the use of open source software, sometimes due to the inexperience of developers in understanding secure development lifecycle,” said Fernando. “Identifying those critical issues, making sure we have this cybersecurity baseline established where products stop going off the line with malware and vulnerabilities — that is the goal of CAP: to ensure the low hanging fruit in some of the big problem areas is tackled.”
Senators consider splitting NSA/CyberCom director position
The Senate Armed Services Committee will this year consider legislation splitting the two-in-one jobs of leading U.S. Cyber Command and running the National Security Agency, both currently held by Adm. Michael Rogers.
The committee held a hearing Tuesday with Rogers to discuss, among other issues, elevating CyberCom to be a unified combatant command, on a par with geographical commands like the U.S. Central Command. CyberCom, co-located with the NSA at Ft. George G. Meade in Maryland, would be the 10th such command — the units in the U.S. military that actually wage war.
Currently, CyberCom — created in 2009 with the intent to be fully operational with a 6,200 member force drawn from all four service branches and the national guard by fiscal year 2018 — is a subordinate command of the U.S. Strategic Command, the military unit that controls America’s nuclear arsenal.
In elevating CyberCom to a unified combatant command, committee members said it would make sense to split Rogers’ current roles, though he demurred.
“I’m finding it harder and harder to justify your holding two jobs given the complexity,” said Sen. Angus King, D-Maine. “I mean this arrangement was created in 2009, which in technological terms is a century ago. I understand the relationship between NSA and Cyber Command, but particularly if we move in the direction, and I think we are, of setting up Cyber Command as its own independent combatant command, to have the same person trying to run those two agencies I just think is impractical and almost impossible.”
Committee Chair Sen. John McCain, R-Ariz., said he and ranking member Sen. Jack Reed, D-R.I., hope to propose the split in an upcoming markup of the National Defense Authorization Act for fiscal year 2017 “subject to the will of the entire committee,” as they further consider CyberCom as a combatant command.
Rogers, having like his predecessor worked both positions “dual hatted” for the past two years, disagreed there was a need to split them — saying CyberCom was too intertwined with and reliant on the NSA to divide their boss’ job.
“Part of that is the very premise that when we built Cyber Command six years ago, we said we were going to maximize the investment the nation had already made in NSA in terms of infrastructure and capability,” he said. “Because of that, we didn’t have a huge military construction program … we said we were going to take NSA’s existing space as a vehicle to do that.”
Rogers continued: “Based on the very model we created Cyber Command, where we really in many ways tightly align these two organizations, that at the current time it would be difficult — not impossible, I’m the first to acknowledge that — or less than optimal in my opinion to try to separate them now. But I’ve also argued that we need to continue to assess that over time.”
All in all, though, he acknowledged the benefit that could come with the elevation of CyberCom as the 10th combatant command.
“A combatant command designation would allow us to be faster, which would generate better mission outcomes,” Rogers said. “I would also argue that the department’s processes of budget, prioritization, strategy and policy are all generally structured to enable direct combatant command input into all of those processes — that’s what they’re all optimized for. And I believe that cyber needs to be a part of that.”
What keeps Rogers up at night?
In addition to his larger concerns about cyberattacks on critical American infrastructure and the growing ability of adversary nations to not only access vital data but also manipulate it, Rogers expressed worry during the hearing about the evolving cyberthreat from non-state actors, like ISIS or other terror groups.
Currently, ISIS uses the digital domain almost purely as a place for recruitment, communications and the spread of propaganda, as well as to generate revenue and move money, Rogers said. But he worries that cyber — what he called “the great equalizer” — could give the terrorist group offensive capabilities, to wage attacks. That the internet could become a “weapon system… a vehicle to inflict pain against the United States and others.”
“That would be a troubling development,” he said.
“I have not seen groups yet make huge investments in this. But I worry that it’s a matter of time, because it wouldn’t take long,” Rogers said. “One of the challenges of cyber is … it doesn’t take billions of dollars of investment, it doesn’t take decades of time and it doesn’t take a dedicated workforce of tens of thousands of people that you see most nation states work with.”
Correction: April 6, 2016
An earlier version of this story misidentified Sen. Angus King as Sen. Martin Heinrich.
FTC debuts web tool for health app makers
The Federal Trade Commission unveiled a new online tool to help mobile health app developers figure out what federal laws and regulations might apply to their products.
The tool asks developers a series of yes-or-no questions, each related to one of four possibly applicable laws: the Health Insurance Portability and Accountability Act, the Federal Food, Drug, and Cosmetic Act, Federal Trade Commission Act, and FTC’s Health Breach Notification Rule. The tool was created with the Department of Health and Human Services and the Food and Drug Administration.
Along with the tool, the FTC released guidance to help developers “comply with the FTC Act, by building privacy and security into their apps.”
In a release, Bakul Patel, associate director for digital health in the FDA’s Center for Devices and Radiological Health, said the growth in the mobile health field underscores the need to clarify what rules apply to what products.
During a House science subcommittee hearing last month, app makers and lawmakers talked about the challenges of encouraging innovation in the field while still ensuring users’ privacy and security. Some suggested HIPAA, a major health law to safeguard patients’ health information, was due for an overhaul.
“Much of the guidance around remote patient access to data on HIPAA predates the iPhone,” Morgan Reed, executive director of ACT | The App Association trade group, complained at the time.
Later, a group of lawmakers urged HHS Secretary Sylvia Burwell to further clarify HIPAA’s privacy and security standards as they apply to mobile apps.
“Advances in mobile health technology have the potential to dramatically improve patient outcomes and the accessibility of health care,” the letter said. “This innovation is coming at a rapid pace, but your agency has done little to demonstrate it can manage the significance.”