“There’s a lot of documentation out there. And it’s really hard to kind of see the ties between them all. But they are all interrelated,” said Danny Connelly, chief information security officer for the Americas at Zscaler. “The Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget did a great job in aligning the mandates and policies where in the past, it’s all been, in my opinion, siloed. And agencies are left with multiple different mandates and initiatives and drivers that they try to comply with.”

For example, TIC 3.0 allows agencies to move away from the traditional network-centric security approach. Agencies no longer are required to move traffic back through a data center. It was forward thinking because, previously, agencies were trying to implement the same protections that they had on prem to the cloud environments, which doesn’t scale. So when TIC 3.0 came out and gave agencies the flexibility to really leverage modern solutions, its security capabilities aligned to NIST controls.

The problem is, agencies understand the importance of all of these disparate controls and requirements separately, but they struggle with figuring out how to move forward with all of them.

“They’re thinking that there’s some magical CISA Authorizing Official that says ‘you are TIC compliant.’ There’s no EINSTEIN cop out there,” Connelly said. “It’s supposed to be a joint partnership between the agency security teams, and CISA. And really, it’s up to the risk tolerance of the agency CIO and CISO to define what that TIC 3.0 framework looks like for their agency or what those requirements look like.”

The administration is struggling to find a balance here, Connelly said, between being prescriptive enough that agencies are all on the same page with their implementations, but offering enough flexibility to account for difference in requirements and differences in mission. That’s why the cybersecurity memorandum from the White House begins shifting the focus from compliance towards operational security.

One thing Connelly said he’d like to see additional guidance around is decommissioning VPNs. It’s a 20 year old architecture, and it did work for a long time. But a lot of agencies are slow in acknowledging that it’s outdated, that there’s a significant attack surface, and that it’s time to shift the model to connecting users to apps. That said, Connelly also said that runs the risk of being too prescriptive; it’s a double-edged sword that could help some agencies, but deny others the flexibility they need to function well.

Connelly said agencies have working capital funds and other similar mechanisms to get funding for these efforts. The challenge, he said, is where to start, considering all the different controls and frameworks and guidance to take into account.

That’s when it’s time to go back to CISA’s five pillars of zero trust, he said, and focus on your biggest risk. So, for example, agencies should ensure they have a robust identity access management system or endpoint detection and response put into place. And those efforts need accountability at all levels of the organization, Connelly said.

“CISA is there to help, and agencies that need help should engage with them. It’s a partnership,” he said. “When you’ve been operating in silos for 20 years, between network teams, security teams, identity access management, all just focused on their individual mission, it’s not going to work, because the shift to zero trust is such a monumental change that it really needs everybody to be on the same page. That’s the biggest hurdle. This is agencies’ time. It’s an opportunity.”

And it’s an opportunity that needs to be capitalized upon soon. Connelly said he’s seen technology and security initiatives in the past that had momentum behind them early on, but then turned into short term experiments because there wasn’t enough follow up to set the foundation for a long term change in philosophy. Most of those, he noted, were focused on the old way of protecting networks.

But one way zero trust can move forward is through more mature standards and metrics.

“In the past, zero trust used to always be kind of a marketing term. It meant least privileged, default deny, the things that we always knew as security best practices,” Connelly said. “But now that there are things like 800-207 and the CISA maturity model, it’s now defined and more measurable. Are those measurements effective and adequate? I don’t think we’ll know until organizations are using it.”

The February test lays the groundwork for the Army’s program to establish cloud at commands outside the continental United States (OCONUS).

“The First Corps, based out of Joint Base Lewis–McChord, made it part of one of their experiments to show how they can take mission command on the move using edge computing devices and then to be able to link back to data that was in the enterprise cloud,” Iyer told Federal News Network. “And it showed that [this capability] was not only much more resilient than the existing solutions that they had, but the performance, the reliability and the latency [were] far superior than anything that they’ve been used to. So technically, we know it can work.”

The First Corps was able to perform mission command functions from a C-17 Globemaster III over the Pacific Ocean en route to Guam and then later from a naval ship. The idea is to distribute command and control functions over a series of nodes, rather than centralized in one place, to remain mobile and present less of a target to adversaries.

Building on success of OCONUS cloud edge computing test

Now, Iyer said, the Army is looking at how to cement the test use case as part of its institutional processes and operations. Over the next 18 months, the Indo-Pacific Command (USINDOPACOM) will run roughly 40 exercises to test this functionality, discover best practices and resolve potential weaknesses.

After laying a foundation with OCONUS, the next step will be to take mission command and warfighting functions to the tactical edge and make them cloud native, as part of Army’s ongoing modernization efforts, Iyer said. Because there’s a fundamental difference between OCONUS cloud and tactical cloud, he said.

“An OCONUS cloud is essentially running a commercial cloud, say, at an Army base in Germany or Camp Humphreys in Korea,” Iyer said. “These essentially would be Army installations. And then we just work with a commercial cloud service provider like Google or Microsoft or Amazon, and then have them come in and essentially establish compute and storage, and then run it as a service for us.”

That has the advantage that those services are operating on sovereign land, and the Army has to work around data sovereignty rules, he explained. “Having these OCONUS cloud locations on Army posts will ensure that we are staying compliant with those requirements to have control over our data.”

Those requirements call for a different operating model. The Army provides the physical infrastructure like floor space, cooling and electricity, and the cloud service providers supply the technical infrastructure, provision it and run it. The service is currently working with the Defense Department to establish this in both Germany and Korea as a joint asset because these will be the first programs of their kind in DoD, Iyer said.

Army sets sights on tactical cloud needs

A tactical DoD cloud, on the other hand, must be capable of operating in more austere environments. It could involve satellite communications, for instance. Or, it could also require supporting a unit on the move. Therefore, developing tactical cloud capabilities must involve the additional elements of SATCOM connectivity and transport as well, Iyer said. That’s what the pilot program with USINDOPACOM and First Corps is focused on.

What’s more, this work requires collaboration across DoD, including from the Defense Information Systems Agency and the other military branches because tactical cloud edge computing will typically support combatant commands, he said.

“We meet and chat about this regularly to make sure that we’re not duplicating efforts,” Iyer said. “Because the brain trust for something as complex as this is just not that much out there. And so we want to make sure that we’re leveraging all of the expertise that we each have in our departments.”

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Federal Emergency Management Agency is expanding its footprint in the cloud. And they are doing it in a bit of a usual way.

FEMA is partnering with the Agriculture Department and developing a charge-back model to its mission areas.

Jim Rodd, FEMA’s cloud portfolio manager, said as part of modernizing the National Flood Insurance Program, the agency and USDA are using the Google Cloud platform.

“They’re actually doing it in conjunction with USDA. NFIP is bringing it up in a methodology that will allow us to absorb it into the FEMA enterprise cloud with no issue. It’s all our standards and everything,” Rodd said at the recent ACT-IAC Emerging Technology and Innovation Conference.

Rodd said the reason FEMA looked to partner with USDA is two-fold. First, the two agencies partner to help citizens impacted by floods. But secondly, and maybe most important to the discussion around cloud, is Rodd found USDA among the most mature organizations in applying the charge-back model for enterprise cloud services.

“When I first took the position over, I wanted to speak to some other cloud brokers that were in the federal government, and three that popped up was two at DHS, which were U.S. Citizenship and Immigration Service and the Customs and Border Protection directorates. I’ve talked to them, but neither one of them have a multi cloud solution with a chargeback methodology. So we wanted to make sure we were speaking to somebody in that realm as well. And USDA was pretty much the big dog on the block,” Rodd said. “They had a very mature cloud doing chargeback and it was multi cloud, so it only made sense to go and talk to them.”

Buying cloud services in a new way

This idea of a chargeback model for enterprise services hasn’t been easy for agencies over the last 50-plus years. Federal shared services for financial management and human resources have been out in front of this effort, but the agencies providing these services have struggled to make their case to large agencies for the most part.

The General Services Administration’s Cloud Information Center highlights several acquisition challenges, including advanced metering services from vendors and governance focused on who holds the responsibility of assessing cloud utilization reports for chargeback incentive purposes.

The Office of Management and Budget and the Federal CIO Council have been pushing agencies to implement the Technology Business Management (TBM) framework to measure the cost and value of IT services, not necessarily just cloud services. Agencies had to fully implement TBM cost towers as part of their 2023 budget requests that went to OMB earlier this year. But challenges around data quality and quantity have slowed down this effort over the last five years.

But understanding the costs in a multi-cloud environment is why FEMA is pushing forward with the chargeback model.

Rodd said with FEMA already is using Amazon Web Services and Microsoft’s Azure cloud instances and now adding the Google Cloud, it wanted to ensure it knew where and how much it was spending on these services. Former FEMA CIO Lytwaive Hutchinson said earlier this year that the agency’s goal to have at least 50% of all of their systems and services that are cloud ready moved into the cloud by the end of 2022.

“The thing with the chargeback model is being able to offset cost. That’s the name of the game,” he said. “All sudden our current cloud footprint is probably about $2 million-to-$3 million a year. If we can offset some of that, rather than what is happening right now where we’re carrying all of it, as we ingest more clients and more services, we should start to see an offset in costs.”

Big savings over time

Rodd said FEMA mission areas who have turned off on-premise or legacy technology are seeing costs reductions of 30% to 40%.

“It’s giving our internal and external OCIO clients, the opportunity to really be able to plan efficiently by having all of that in one place,” he said. “There’s obviously a massive cultural shift with moving to the cloud and FEMA is just as aware of that need for a culture shift as anybody else. We try to sell it on the scalability and flexibility, the ability to convert our redundant possibilities East Coast, West Coast, north, south, across this CSP, that CSP. We try to show all that, but they don’t really see it because that’s the back end. One of the things we like to do when we are briefing to a prospective client who has no knowledge of the cloud, I don’t make any promises on price because here’s the reality in any government agency for that first year or two, you’re running hybrid. You have to maintain that physical environment, especially for somebody with a mission like ours, where we have to be up no matter what. During that time, obviously, you’re costs are going to be substantially higher. So I actually stay away from that, or I brutally tell them look, this first year or two, it’s actually going to be more expensive. But as soon as we can start turning off your stuff in the physical environment, and shutting that stuff down and killing those contracts, that’s when you’re going to start to see your costs go down.”

Rodd added in a perfect world, he would like his cloud broker office to break even in terms of costs of providing the enterprise services and receiving funding from mission users.

“I don’t really ever think we’re going to get there, but even if we got to 50%, that’d be outstanding,” he said. “We developed a cost model. What we wanted is a one-stop shop so if a client comes to us and tells us their need, or we help them to develop a solution, we didn’t want them to then have to talk to the sustainment folks and get a price and then talk to the license folks and get a price. We tried to make our cost model as inclusive as possible. It covers everything from your basic compute needs, your migration, your authority to operate and your licensing. We’re actually adding cyber to it right now.”

Rodd said FEMA wanted to get a third-party expert to confirm its chargeback model would work, and received solid reviews from Gartner. He called it “elegant.”

FOIA, which celebrated its 56th anniversary on July 4, mandates agencies provide EDCs on all public information requests, although many agencies do not provide them, Alina Semo, director of the Office of Government Information Services (OGIS), said.

The agency’s annual meeting on June 29 comes after OGIS issued their annual Report for Fiscal Year 2021. OGIS is the congressionally mandated agency in charge of reviewing FOIA policies, procedures, compliance and improvement.

The report said OGIS handled 4,200 requests for assistance from both FOIA requesters and agencies. OGIS sees a fraction of the overall public information requests filed to various agencies. 

The FBI, alone, has about 30,000 incoming requests each year, Michael Seidel, the agency’s chief FOIA officer, said.

As agencies are still dealing with the fallout from the pandemic, OGIS reported the number of requests for OGIS assistance involving delays jumped 73%, from 220 cases in 2020 to 380 in 2021. In 85% of the requests about delays, the requester could not get an estimated date of completion from the respective agency. 

“Our assessment found that agencies were challenged even before the pandemic began to provide EDCs and the agency’s responses to such requests were mixed,” Semo said during the meeting.

The Office of Information Policy’s Summary of Agency Chief FOIA Officer Reports for 2021 said by the end of fiscal 2020, 34 agencies had their backlog increased by more than five requests. For example, the Department of Veterans Affairs had more than 1,000 requests backlogged in 2020, the agency’s 2020 annual report said. The VA closed their 10 oldest appeals in 2020. 

A request is backlogged when it is pending beyond the statutory time period for a response. For requests, the statutory time period is 20 working days from receipt of the request, unless there are “unusual circumstances,” as defined by the law, in which case the time period may be extended an additional 10 working days. 

Of the 35 agencies with backlogs, 14 processed more requests than the previous fiscal year, OIP said. Although, 26 medium and high volume agencies reported they reduced the number of requests in their backlog. 

FOIA officers from the Federal Emergency Management Agency, the Postal Service and the FBI laid out five tips agencies may want to consider implementing to reduce backlogs, including being proactive in alerting requesters when records custodians delay EDCs and creating negotiation teams.

Proactive communication about EDCs

Among the most common recommendations from the panelists was open and proactive communication between records custodians and requestees. 

Gregory Bridges, chief of the disclosure branch of the records management division at FEMA, said proactive communication begins with agencies providing an EDC. 

At FEMA, Bridges said getting record custodians comfortable with the concept of providing an EDC was the first struggle. He said agencies with similar issues should base the EDC off the time it would take to complete the request if they worked on nothing else.

“There’s nothing wrong with telling a requester ‘we think it’s going to be ready by this date. If we don’t think we can meet that date, we’ll definitely reach out.’ But you have to reach out. If you’re saying, ‘the 25th,’ by the 20th or the 24th, you should have an idea of if you can meet the 25th and if you know you can’t, let the requester know before the 25th,” Bridges said at the annual meeting.

In his time at FEMA, Bridges said he finds the main complaint from requesters is thinking they have been forgotten. “Even if they don’t like the date being extended, at least they know that you’re actively working on it,” he said. 

He also said providing a clear timeline and EDC to requesters may encourage them to reduce the breadth of the request if they request more records than they need and want the records by a certain day. 

“Even if you have to extend [the EDC], then that could be another opportunity to narrow the scope,” he said. 

Record custodians at FEMA find it helpful to explain to requesters exactly what they are looking for in case it’s more than they need. 

“One of the things we do at our agency is explain to requesters why searching for all of the emails with the word hurricane during hurricane season might produce more records than you’re actually looking for,” Bridges said

Similarly, Nancy Chavannes-Battle, the deputy chief FOIA officer at the USPS, said providing partial responses when files become available if requests are taking longer than originally estimated. 

At the FBI, an online tool can tell requesters what stage their request is in and direct them to a PIO and the negotiations teams, who can answer questions in order to keep communication open throughout the process.

Negotiations teams

The FBI’s negotiations teams review the files and interact with requesters to answer questions. In fiscal 2022, the FBI received over 14,000 emails and over 1,100 phone calls about requests, Seidel said.

“We find that a lot of our requesters engage with our public information officer to get more information about the request and that’s where the discussion about the EDC really happens,” Seidel said. 

Negotiations teams ask requesters what they are looking for such as a specific event, a date range or an interview in order to stop processing unwanted pages, which, in turn, provides records faster. 

“We’re able to serve more requesters and give more requesters more information more frequently,” Seidel said. 

Seidel said the negotiations process has eliminated the processing of over 66 million unwanted pages that were originally requested. 

Automated EDC organization 

The FBI FOIA office uses automated multitrack processing programs to estimate the average number of days it takes to complete a request. 

They organize their requests into four tracks based on page size: small, medium, large and extra large. At the agency, the small track includes requests between 1 and 50 pages and the medium track is 51-to-950 pages, although other agencies who implement similar processes can change track size as needed.

“We’ll look at those dates within those queues of the dates requests were opened, we’ll do the math and compare them to the dates they were closed and we’ll come up with that average number of days it takes to complete a request within that queue,” Seidel said. 

The FBI FOIA office runs those audits every six months. Seidel also said an original challenge when implementing the program was deciding the right frequency for running the audit.

Estimated dates of completion: They’re not just for the requestor

Although EDCs are required by the FOIA, Bridges says, they do not only benefit the requester. 

“You should be establishing EDCs, just for your office’s knowledge,” Bridges said. “It’ll help you gauge your output, what can you expect to go out the door. So even though this does benefit the requesters in a big way, it can also benefit your office from managing your requests in a big way too.” 

He said every agency should incorporate the EDC timeline into the processing of all their records.  

“If you put all of your requests on an EDC that can also help you factor in how long it’ll take you to work on a particular request. Because you’re considering your current workload,” he said. 

Chavannes-Battle, from USPS, said PIOs should break down what increases the time of requests when setting EDCs, such as requests needing to be referred to other offices, going through corporate communications and legal departments. 

Connect with agency leadership

The OGIS assessment found support from agency leadership to be critical to the success in meeting requirements, such as providing EDCs.

At USPS, Chavannes-Battle says their staff training program is an important way PIOs connect with agency leadership to function smoothly. 

At FEMA, Bridges says training staff to work with attorneys at agencies helps set EDCs and return records quicker “especially when you’re dealing with senior managers who aren’t familiar with the FOIA process, and you’re coming into their program, trying to tell them why they need to make our work a priority against their work.” 

“It really is just understanding what that particular manager or leader cares about when it comes to the four year process,” he said. “Do they care that they’re in compliance? Some do, some don’t. Oftentimes, they care about not getting in trouble. They care about not having to spend money, they care about not having to get sued.” 

In FEMA’s FOIA department, PIOs treat senior managers as enforcers to get their staff to comply with FOIA requirements, he said.

Benefits of recommendations

FEMA began to implement the new procedures in 2018. Bridges says the agency has only been sued twice over FOIA records since implementation. While appeals over denied requests were previously between 1,200 to 1,700, they fell to around 45 each year since. 

“It isn’t because we don’t get those kinds of people [watchdogs], it’s because of implementing this new procedure and really establishing these response dates,” Bridges said. “That’s part of setting the expectations with the requesters so once we got people familiar with it, we really started to see appeals and challenges to our final responses reduce significantly.”

“We have some exciting news — our component acquisition executive gets initial procurement authority early July,” CISA Chief Information Officer Robert Costello said during an event hosted by the Homeland Security Defense Forum last week. “That’s a huge, huge deal.”

CISA will have its own contract specialists, Costello said. Currently, CISA relies on outside entities, including the Office of Procurement Operations at Department of Homeland Security headquarters, to carry out its procurement needs.

David Patrick is currently CISA’s chief acquisition executive, according to the agency’s website. Prior to CISA, Patrick served in various leadership roles in acquisition offices at Immigration and Customs Enforcement, DHS headquarters, and U.S. Customs and Border Protection.

Patrick is “leading the realignment of CISA acquisition and procurement activities and the transformation of the Office of the Chief Acquisition Executive,” CISA’s website states.

As one of the newest federal standalone agencies, CISA is still building out management and support operations that other agencies may take for granted. CISA was established as a standalone operational component of DHS in 2018, having previously been the National Protection and Programs Directorate at DHS headquarters.

“There’s a lot of work to do internally just on our own identity and culture,” Costello said. “Now we’re a component of equal rank to [the Transportation Security Administration] or CBP, so we’re developing our own culture here as well.”

CISA procurement plans

CISA is requesting $6.2 million in fiscal 2023 for 50 positions, including 25 full-time equivalents, to establish and build out a procurement team within the Office of the Chief Acquisition executive, budget documents show.

“As a new agency, CISA does not currently have the internal procurement operations and support functions to effectively and efficiently support CISA’s growing and rapidly changing cybersecurity, infrastructure, emergency communications, risk management, stakeholder engagement, and other missions,” the documents state.

The new team will help CISA streamline and improve its procurement planning and execution by working more closely with other CISA divisions and programs, the justification documents continue.

Other goals include “identifying and utilizing existing contractual flexibilities and methodologies to best meet end-user needs in a rapidly changing environment,” as well as partnering more closely with industry through outreach events.

“A CISA procurement activity will operate as a full business partner and serve as a strategic asset dedicated to improving the agency’s overall business performance,” the documents state.

‘Handing out laptops’

Costello joined CISA last year. He has experience at much larger IT divisions in other DHS components, though, including ICE and CBP.

At the cyber agency, Costello said he gets to be more “hands on” as CIO of a relatively new standalone component.

“There have been days where I’m handing out laptops or configuring stuff,” he said during last week’s event.

The CIO’s office has a staff of about 90 people, Costello said. A priority for the coming year, he said, is expanding support to CISA’s growing field operations, including statewide cybersecurity directors, chemical security advisors, and regional directors.

“I’m starting to embed my folks out in the field and provide improved services out there so that they have the same level of technology as we do here at headquarters,” Costello said.

CISA has seen a rapid growth in recent years as both the Biden administration and Congress have looked to the agency to respond to cybersecurity threats in particular. The agency has taken on a lead role in the cybersecurity of the federal civilian executive branch. It’s also working more closely with private industry to combat cyber threats to critical infrastructure.

Costello said his role CIO is to support those growing functions with up-to-date technology. Still, he said the CIO organization at CISA is still a work in progress.

“We’re definitely maturing a lot of our processes, building a component CIO office,” he said. “I really do think it’s going to take a few years to kind of get to the same level of say, an ICE or CBP, where we’re doing all those functions ourselves. And so in some areas, maybe I’ve slowed down some work because we’re not quite there at that maturity level as we stabilize other areas.”

With CISA looking to attract top cybersecurity talent, Costello said the agency needs to use the most up-to-date technology. He said a big focus for him has been supporting different devices, including Macs and Androids, he said. In December, for example, CISA began using Slack for internal collaboration.

“We really need to be a place where people want to come to work for the tech,” Costello said.

Costello is also aiming to set the bar high when it comes to federal cybersecurity by ensuring CISA’s internal security complies with the agency’s mandates and guidance in areas like zero trust architectures.

A big focus for CISA’s internal security developments is identity, credential and access management (ICAM), an area in which Costello said the agency is currently “lacking.” But at the same time, the CIO said he has the advantage of being able to build new, “green field” solutions rather than needing to update an extensive legacy IT environment.

“I had some goals in mind this year,” Costello said. “We met a lot of them. Some of them are going to slip, and that’s okay, because I want to build a really strong foundation that CISA can build on for a decade. And so I’d rather take a six month slip on a project than build a really poor foundation. So that’s what we’re concentrating on: identity, monitoring systems, and building our people and in teams up, deciding what the federal-to-contractor makeup is going to look like, and what skill sets that we need.”

Vulnerable systems are increasingly becoming more of a target for bad actors who have recently elevated their infiltration capabilities through sophisticated AI and automation tools. Now, attackers can easily access, disrupt, retrieve data, and then leave an organization’s cybersecurity system fully undetected. And in light of current geopolitical events, it’s clear that adversaries will continue to relentlessly attack U.S. cyber infrastructure, underscoring the increasing need for proactive measures.

With more threats and vulnerabilities than ever before, IT departments must be trained for today’s challenges and understand the value of outsourcing additional help from trusted managed service providers (MSP) to improve their overall cybersecurity posture.

Training a new generation of IT experts

Reinforcing an organization’s cyber defenses is no easy feat, especially when most IT departments are understaffed. The demand for knowledgeable cybersecurity experts was already mounting before the pandemic, but in the last year, job openings within the industry have increased nearly a third, with over 600,000 cybersecurity positions remaining unfilled.

Short-staffed IT departments are more susceptible to data breaches and ransomware attacks due to fewer eyes monitoring an organization’s system and less technical expertise. Filling these positions will take time, so organizations struggling to maintain adequate cyber protection should look to partner with an accredited MSP in the interim.

Quality MSPs can provide advanced services while backed by the latest certifications that demonstrate their expertise and trustworthiness. When searching for an MSP, agencies should confirm the provider meets these criteria to ensure data protection and high-quality cybersecurity assistance.

Working with an MSP is extremely beneficial, but internal labor and skill gaps still need to be addressed. Educating the next generation of IT professionals is key, and many are looking to future undergraduate students to fill the cybersecurity skills gap. Tech giants like Microsoft are even working with community colleges across the globe to train prospective IT practitioners. While these efforts are admirable, educational institutions simply cannot produce enough college graduates to accommodate this increasing demand. American veterans, however, are eager to join the cyber workforce.

Reskilling veterans for success in cybersecurity

The U.S. is the proud home to more than 18 million veterans, with roughly 200,000 service members retiring their uniforms every year. Unfortunately, many returning veterans often have difficulty readjusting to civilian life. Finding a job is a critical part of this transition, but many veterans lack the experience needed to fairly compete in the labor market, especially in the cyber/IT sector.

Fortunately, nonprofits now offer cybersecurity training programs catered to former military and their spouses. These programs provide proper training and arm their participants with the internationally-recognized credentials, skills and resources they need to pursue self-sustaining cyber careers. Moreover, these lessons are updated regularly by cyber industry experts to ensure participants pursue the most relevant and in-demand certifications possible. Providing courses that reskill veterans will prevent unemployment for these citizens and help eliminate America’s cyber workforce shortage.

Out with the old, in with the new

Another hurdle is outdated technology. Many organizations are tethered to legacy systems and applications, often making their efforts extremely slow, prone to bugs, and thus, subject to cyberattacks. When organizations continue using outdated computing software and/or hardware, it exposes them to new risks.

While seemingly counterintuitive, organizations continue to use these obsolete systems because they don’t want to endanger the stability of their current applications by switching to a new program. Shifting to modern technologies can be costly and often messy. Many IT professionals have expressed their concerns about tampering with a program that already accomplishes its intended purpose.

Moreover, upgrading an IT infrastructure is tedious, time-consuming, and cannot be accomplished overnight. Thankfully, there are new cloud-based solutions that can easily be integrated alongside legacy systems. As a result, IT professionals should confidently be able to store, manage and process information remotely. All while knowing they are backed by the latest certifications and have access to critical features such as backup, recovery and data protection. Housing these capabilities on a unified cloud platform can make IT management easier and more accessible for everyone.

Looking to the future

Today, the threat of cyber warfare is more present than ever. Therefore, strengthening the current cybersecurity workforce with knowledgeable employees and implementing new cloud-based programs alongside legacy systems would significantly protect the U.S. public sector from looming threats.

Thankfully, the federal government continues to enact new legislation to help facilitate some of these needed changes. Last November, an infrastructure bill was passed, designating billions of dollars in new cyber spending over the next few years. Public agencies rejoiced as this is the biggest government investment in state and local cybersecurity to date. Defining how public organizations can apply for these grants, raising awareness of eligibility, and subsequently addressing these obstacles will go a long way towards safeguarding the US from future cyberattacks.

John Zanni is CEO of Acronis SCS.

Bolstering resiliency and overcoming supply chain challenges

The last mile, when we’re looking at the mission segment of the mission space, is literally the most critical element.

Cameron Chehreh

Vice President and General Manager for Public Sector Worldwide, Intel

Ready for radical evolution: 5G, software-defined everything, zero trust and more

Coming out of the pandemic, and being forced to quickly move into a telework or a hybrid work environment, accelerated things [agencies] never thought they were going to ever do or need to do.

Tony Celeste

Executive Director and General Manager, Ingram Micro Public Sector

This is the first article in our series, The Power of Technology.

Digital transformation might be every government organization’s technology goal, but if the last two years have taught federal IT leaders anything about managing during ongoing crises, nothing — transformative or otherwise — can happen without resiliency.

Fresh off the depths of a global pandemic, agencies now are figuring out their hybrid return against the backdrop of a geopolitical crisis. What does that mean for agencies’ lines of business and for managing both administrative services and services to citizens?

Federal News Network sat down with two industry technology experts to get their take: Tony Celeste, executive director and general manager for public sector at Ingram Micro, and Cameron Chehreh, vice president and general manager for public sector worldwide at Intel.

What became clear as the government reinvented itself almost overnight at the start of the COVID-19 pandemic, Chehreh said, is the criticality of that last mile. “The last mile, when we’re looking at the mission segment of the mission space, is literally the most critical element for all mission people — whether you’re a civil servant or a warfighter in the Defense Department or Defense space, or an operator in the community,” he said.

Now, as agencies look ahead, that last mile — computing at the edge and delivering services, as Chehreh said, “at the tip of the spear” — remains as the focus for many IT and management leaders in the government.

Chehreh and Celeste offered insights on three areas where they see government-industry collaboration and technology driving change and helping agencies deliver on their missions to help both users within agencies and citizens at the edge: supply chain, 5G and security.

IT at the edge Insight 1: Minimizing supply chain risks through collaboration

Supply chain hiccups have affected the government and its contractors just as direly as they have other industries.

“It’s been difficult without question,” Chehreh said. In addressing supply chain issues or hurdles, public-private relationships matter as does access to information, he and Celeste noted.

Addressing supply chain issues requires agencies and vendors to work together closely. Chehreh suggested that there needs to be a mechanism for agencies to forecast the technology that they may need to acquire so that vendors can pre-stage tech and services to anticipate dynamic mission demands.

“What this allows us is a healthy balance, leveraging the private sector in the exact way we need to do as a country and remain compliant with the Federal Acquisition Regulation,” he said.

Celeste further added that agencies need to review their distribution channels from end to end, all the way back to the original equipment manufacturers (OEMs), to understand where there are risks and to ensure against introducing potential cybersecurity risks as well.

“Look at all of the components that are involved in building these solutions,” he advised. “From a technological perspective, the government needs to encourage more innovation through competition. It needs to continue to adopt and leverage open standards that have multiple solutions and sources for those solutions.”

IT at the edge Insight 2: Embracing the opportunities that 5G can enable

The arrival of new technologies also have the potential to help the government advance its mission capabilities, Celeste and Chehreh said.

In particular, the advent of 5G networking technology will create opportunities to radically change how agencies work, Chehreh said.

“When you look at the difference between 4G and 5G, it’s really all about the software-defined nature of the delivery,” he said. Chehreh said he expects 5G to usher in a new era of innovation across government as organizations reimagine about how they compute and how they manage data to provide richer experiences for users at the edge.

As an example, he pointed to the work by the Army Futures Command on the Next Generation Combat Vehicle. “It’s extraordinary to think now that vehicle can be a 5G portable cloud while it’s also operating in its mission setting, being able to safely and securely admit what’s necessary from a command and control perspective while in theater, but do it in a highly secure manner for that dismounted soldier. Those are extraordinary use cases where that software workload can be enabled on that vehicle.”

There’s just as much potential for back-office functions to be enhanced as well, Celeste added.

“Coming out of the pandemic, and being forced to quickly move into a telework or a hybrid cloud work environment, accelerated things [agencies] never thought they were going to ever do or need to do,” he said.

The effect has been transformational and sped up the development of capabilities that take advantage of things like 5G, Celeste said. “We’re seeing this

play out in case studies, from the really cool and really complex hard stuff — like the tactical edge that our warfighters are up against — to the sort of mundane everyday operations of keeping the lights on.”

IT at the edge Insight 3: Evolving how the government tackles cybersecurity

As technology use expands at the edge, so do the cybersecurity challenges.

“Today, everybody is looking at cybersecurity,” Celeste said. “As our dependency on technology for everyday life continues to grow exponentially, the threat attack surface area grows, and this is no different for the federal government.”

Chehreh said he sees the adoption and work on zero trust across government as encouraging despite the increase in threats.

“For the longest time, the conventional thinking in cyber, although we talked a lot as an industry about built-in versus bolted on, the practical reality was that bolted on seemed to rule the day,” he said.

Chehreh views the pandemic as playing a role in advancing cyber thinking too. “There’s been a positive effect that’s come out of that strained or even dark environment that the pandemic provided,” he said. “When we think of zero trust, it’s transformed our thinking to allow us to truly do this built in.”

Admittedly, there’s no silver bullet or single product, Chehreh said. But the adoption of this approach

to cyber finally brings together mission users, business users and nontechnical users in a way that will let agencies understand and address “the interlock points from a zero trust perspective” to create more secure environments, he said.

The General Services Administration re-released the solicitation on June 30 with updates to the mentor-protégé and joint venture experience submission requirements, the definition of relevant experience and the documents needed to establish the mentor-protégé or joint venture relationship.

Small businesses have until Aug. 10, to submit their bids, for this 10-year contract that could be worth tens of billions of dollars, but has no specific ceiling. Questions about the RFP are due to GSA by July 12.

“Overall, I think the RFP looks good. It is more in line with the original draft, with respect to mentor-protégé/join ventures, and seems to have clarified many of the ambiguous instructions,” said Courtney Fairchild, the president and CEO of Global Services, a proposal services firm, in an email to Federal News Network. “I think it strikes a good balance between small business prime/subcontractor teams and MPJV teams. Overall, I am not disappointed with the RFP. GSA listened to feedback before final release.”

The mentor-protégé and joint venture submission requirements have been at the heart of the concerns about Polaris over the last few months.

Relevant experience updates

GSA now is requiring mentees to provide at least one example of relevant experience and limits mentors to only three examples. Previously, there were no limits or minimums for either mentor or protégé. This experience can include task orders under the schedules or a blanket purchase agreement, a single contract or subcontract and, just added, other transaction agreements (OTAs).

“It seems like GSA is just following the NITAAC book with the protégé experience requirements — i.e., requiring one experience example from the protégé to show some experience. This is what I thought they were going to do,” said Cy Alba, an attorney with PilieroMazza in Washington, D.C. “The Small Business Administration regulations do not provide direct guidance on this question and so it does seem like agencies have some level of discretion in making the determination about how much experience the protégé would need to show. That said, they cannot discriminate against protégés as that would violate SBA regulations. Unfortunately, the law is not clear on where that boundary lies and, if protested, it will be up to GAO or the Court of Federal Claims to make that determination.  This is consistent with other compromises on the issue though, like CIO-SP4.”

Additionally, the new solicitation tells vendors to detail “the work done and qualifications held individually by each partner to the joint venture as well as any work done by the joint venture itself previously. If any partner or the joint venture itself has no previous work done or no qualifications held, this should be stated” in the submission forms.

A third change would let mentor-protégé teams and joint ventures can submit relevant experience of their subcontractors as part of their bid as long as the experience happened under the joint venture umbrella.

“I’m sure some of the experience requirements, like requiring at least 6-months of performance, or how IDIQ contract value is calculated, may bring the ire of some small businesses but I am not sure those requirements are legally objectionable,” Alba said.

Fairchild added the changes GSA made may still give mentor-protégé teams and joint ventures an advantage in the self-scoring system given the probability that large businesses will have more large value projects to offer.

“I like that they brought the minimum period of performance down from one year to 6 months — seems to be more friendly to small businesses,” she said.

Concerns remain about the RFP

Other industry experts were less certain about GSA’s changes.

Larry Allen, the president of Allen Federal Business Partners, said the three and one relevant experience requirement continues to favor large businesses in what is supposed to be a small business contract.

“GSA is really trying to balance the contract so that both experienced small businesses and less experienced, newer market entries can potentially participate on Polaris. The basic idea is to get new participants into the market,” he said. “Also, while offerors using companies that don’t have relevant prior experience must disclose that, I am not sure that such information will automatically disqualify a company. My belief is that GSA will look at the overall team submitting the offer. Again, they want to enable new company participation as much as possible.”

Lisa Mundt, co-founder of the Pulse of GovCon, said GSA may have caused additional confusion, specifically for women-owned small businesses (WOSB).

“The WOSB track RFP states, ‘A minimum of one primary relevant experience project or emerging technology relevant experience project must be from a WOSB.’ However The offeror must submit a MINIMUM OF THREE (3) and may submit a MAXIMUM OF FIVE (5) distinct primary relevant experience projects and a MAXIMUM of three (3) emerging technology relevant experience projects. Does this mean if a bidder submits a maximum of 8 Relevant Experience submissions, that only one needs to be from a WOSB?” Mundt said. “We’re all for minimizing barriers to entry, but if the purpose is to provide access to best-in-class women-owned small businesses, then shouldn’t the bidder’s submission reflect that? Otherwise, the WOSB becomes a front for other companies outside the classification. The WOSB set aside is already abused in the industry with men naming their wives as ‘CEO’ – this just further exploits women business owners as props.”

GSA came under fire when it released the original RFP in March, specifically for last-minute changes it made to the requirements for mentor-protégé and joint venture bidders. After BD Squared filed a protest with the Government Accountability, GSA paused the solicitation to re-look at the requirements and obtain feedback from contractors.

In May, GSA released draft changes to Polaris, seeking industry feedback and then incorporating that into the updated final solicitation.

Sonny Hashmi, the commissioner of GSA’s Federal Acquisition Service, said in May interview that the team was trying to find the best approach to create the most opportunities for small firms.

“There’s going to be a trade-off that we need to find and that’s just reality,” he said. “Depending on the feedback that we get, and then to what extent we need to completely change strategy will determine the timeline. I’m hoping that the adjustment that we’ve made or proposed in our updated criteria is it meets the expectations of industry.”

Roger Waldron, the president of the Coalition for Government Procurement, praised GSA’s approach to improving Polaris

“GSA’s process for addressing the challenges to the Polaris evaluation was transparent, providing interested small businesses and others the opportunity to provide feedback on the proposed changes. This approach was critical in demonstrating GSA’s commitment to developing a reasonable evaluation approach that balances the relative merits of small businesses, joint ventures and contractor teaming arrangements,” he said in an email to Federal News Network. “GSA clearly has moved the ball here, and now, potential offerors will have time to digest the changes and respond by Aug. 10.”

How great to live in a free country. At the time, former Health and Human Services Secretary Margaret Heckler was our representative in Congress. One year, as she passed by in the parade, my father called out, “Cut off funds for the Vietnam War!” She shouted back something to the effect that she had voted for a resolution to do that. I don’t remember the precise words, but I do recall the exchange. No one swore, no one threw anything.

No one went to jail, either. I thought of this in the context of Chinese President Xi Jinping’s visit to Hong Kong, on the 25th anniversary of its transfer to China. How tough it must be to see a leader parade through, who has just imposed stifling laws, crushed dissent, jailed opponents, halted unfriendly press and will no doubt impose the all-encompassing surveillance with its command and control system for individuals already in place on the mainland. What would happen to someone who shouts a challenge to Xi, do you suppose?

Our national discourse seems as bad as ever right now. Yet in the late 1960s and early 1970s, when I went to the local parades, it was pretty tough too. It’s easy to forget the divisiveness of Vietnam and its expansion via the bombing of Cambodia, the original Roe v. Wade decision by the Supreme Court, the campus “unrest” as it was called, the shocking bankruptcy of New York City and a host of other things. It all seemed to culminate in the Watergate affair. Oh my, the vitriol of that roughly 1966-1976 decade!

After Vietnam, though, the military, which had lost much esteem in the public mind, retained enough institutional resilience, and could muster enough political backing, to eventually recover. Now it enjoys a high regard, even if the policies for which it is used are not popular. An important distinction.

Watergate, while exposing the, let’s say, enthusiasm for reelection on the part of some elected, appointed and hired officials, nevertheless ultimately provoked an institutional coming together. For what it’s worth, since the Nixon/Ford administration, Republicans have held the White House for 24 years, Democrats, at the conclusion of President Biden’s current term, 24.

At the moment, the nation’s ears are gripped by the hearings connected to the  Capitol event, variously described as a riot, an insurrection, a break-in and a coup attempt, at the end of the Trump administration. That was not a good day, least of all for the former president. And yet: One theme is how strongly our institutions held. The Electoral College voted. Congress and the then-vice president accomplished their electoral missions, in spite of the dangerous circumstances. What if the nincompoops storming the Capitol had actually gotten their hands on the vote materiel? It’s hard to imagine anything other than that the regular transition of power would nevertheless have occurred. Many of the rioters are in prison.

Federal career employees have taken an oath to the Constitution. With few exceptions, they take it seriously. At least, that’s been my experience in 30 years of covering that workforce and the activities in which it engages.

Government is inherently imperfect because people are imperfect. Still, on the 4th of July, name a country where you’d rather live and claim citizenship. I can’t.

Don’t text while reading this

Fifteen years ago this week, Apple introduced the iPhone. Like the Model T a century earlier, it changed the world. Neither the first smart phone nor the first pocket-sized computer, it nevertheless became a world-changing product in ways the others did not.

The social implications of mobile computing have been thoroughly documented. Many people seemingly can’t live for two seconds without checking their devices.

In the federal environment, the iPhone significantly drove many of the changes it drove in the private sector. Namely, greater demand for mobile-native services, a still-evolving notion of customer experience, and a new idea for how and where employees can work

An irony of the iPhone era is that as a telephone, the iPhone falls short, to be honest. Whether the phone’s own internal electronics, or the limitations of the big wireless networks, but sound remains noisy and scratchy, calls still subject to going kaput. On the other hand, how much business does the average knowledge worker do on the phone any more?

Nearly Useless Factoid

By Robert O’Shaughnessy

Source: Maine Public

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Biden administration is setting a high bar for customer experience across government, but it’s the General Services Administration that’s laying the foundation for those improvements.

GSA, under the administration’s executive order on improving customer experience, is looking to make digital services at other agencies secure and accessible through Login.gov, a shared service for online identity verification across the federal government.

GSA Administrator Robin Carnahan, in a recent interview, said Login.gov has about 40 million users right now across 27 agencies, looking is looking to increase usage to 100 million users by the end of the year.

“We’ve got big aspirations there. My personal view is that this digital identity area is one that is in serious need of attention by the government,” Carnahan told Federal News Network.

Carnahan said that government-issued photo IDs, including driver’s licenses, have long been the “gold standard for identity.” But she said a digital equivalent of that gold standard has not yet come into focus.

“When it comes to digital identity, I think we need to equally let people have access to a digital identity from the government that is secure, that protects their privacy and that is accessible to everyone, so we want to be able to offer this,” she said.

Carnahan pointed to COVID-era fraud and inaccessibility of unemployment benefits earlier in the pandemic as reasons for prioritizing a secure digital identity for online services.

“We also saw that scammers took huge advantage of this, and that billions of dollars were lost, all because of this notion of getting a digital identity, and so we think it’s really important. We think it saves a lot of money for taxpayers, and it helps government deliver at people’s time of need,” she said.

The Biden administration’s customer experience executive order directs GSA to work with the Department of Veterans Affairs to make Login.gov the identity-verification foundation across all VA’s online services.

Carnahan said about 60,000 veterans currently use Login.gov as an identity proofing service, and that those numbers are going to increase.

The VA made progress on that goal this week, when it announced veterans can now use the same through Login.gov username and password to access VA.gov, My My HealtheVet, and VA’s Health and Benefits mobile app.

VA Chief Technology Officer Charles Worthington said in a statement that the rollout of Login.gov at the agency will “streamline how users access government benefits and services.”

“As part of the department’s digital transformation efforts focused on continuous improvement, we’re embracing the innovative technology designed by Login.gov to provide our veterans a seamless sign-in experience to better serve, engage and enhance the customer experience,” Worthington said.

Dave Zvenyach, the director of GSA’s Technology Transformation Services, said Login.gov will provide a “secure and seamless digital experience for veterans and those supporting them.”

The service also allows veterans to use the same credentials to access services across multiple federal agencies. Including the Office of Personnel Management and the Small Business Administration.

Carnahan said GSA is also “having lots of conversations with the IRS,” as it plans its own adoption of Login.gov as an identity verification service.

“Obviously this is one of the primary interactions people have with government every year, and we ought to make that seamless. We ought to do it in a way that protects the privacy and ensure security and make sure it’s accessible to everybody,” Carnahan said.

The IRS announced it would pivot to Login.gov after it launched a new identity verification process last year, which initially relied on facial recognition technology from ID.me. The process, however, received strong pushback from Congress and the public.

The administration tapped Carnahan to serve as one of three interagency leads on improving customer experience across government as part of the President’s Management Agenda.

Biden administration, under the PMA, is directing agencies to prioritize customer experience improvements around five cross-cutting priority “life experiences.”

These include helping individuals who are approaching retirement age, recovering from a disaster, or transitioning from active-duty military service.

GSA, as part of this interagency team, is focused on improving public-facing services at 35 agencies and programs designated as High-Impact Service Providers.

“We’re going in and having technology teams that focus on user experience and customer experience look at those journeys to see what that actual interaction is like, and how to streamline the process and make it easier,” Carnahan said. “Part of that’s about communicating in plain language. Part of it’s about how you design the websites. Part of it’s about how many steps there are in the process.”

The Biden administration’s executive order also directs GSA to make USA.gov a “digital front door” for individuals seeking federal services.

“A citizen shouldn’t have to try to figure out what agency to go to for some service and have to understand the structure of government. They ought to be able to go to usa.gov, talk about what their interests or need is, and then be directed to the right place,” Carnahan said.

The administration is focused on ensuring historically underserved communities have access to government services. To achieve that goal, Carnahan said agencies need a diverse range of experts at the table to create these services.

“We don’t pick our customers. It’s all Americans that we’re here to serve. The only way you can do that effectively, is if you have a cross-section of people in the room being talked to about how to make sure the services we’re providing are accessible to everyone,” Carnahan said.

GSA is also looking at ways to support the federal workforce as it looks to improve service to the public. Carnahan said the agency is looking at developing “easier on-ramps to be able to come work in government,” and helping agencies re-imagine their workspaces as part of its “Workplace 2030” initiative.

Through its Workplace 2030 initiative, GSA is also looking at offering federal employees a “home office in a box,” giving workers the option to furnish a home office with work gear needed for their jobs.

Carnahan said GSA is also looking to provide federal co-working spaces where federal employees can work out of the office.

“We’re talking a lot to our customers about what their needs are. But we know the future is going to look different than the past. And GSA is going to try to be on the front lines of serving our customers so they can better serve the public,” Carnahan said.

Description:

During this exclusive CISO Handbook webinar, moderator Justin Doubleday will explore some of the challenges and best practices associated with supply chain security with Gerald Caron, the chief information officer at the Department of Homeland Security’s Office of the Inspector General. Additionally, Kelly White, the co-founder and president of RiskRecon, a Mastercard Company will provide an industry perspective.

Learning objectives:

• Supply Chain Security Best Practices
• The Zero Trust Approach

This program is sponsored by   

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.

At the heart of the problem lies a critical shortage of skilled personnel within the agencies tasked to enforce the sanctions. Faced with the most comprehensive sanctions in a generation and a thinning workforce to implement them, government officials are left with very few options but to take a page from the private sector and integrate AI technology into their investigation operations.

AI’s speed, scope, accuracy and efficiency would optimize sanction enforcement efforts. The technology’s capacity to analyze vast amounts of data and rapidly identify criminal activity and potential risks make it a formidable tool in the enforcement of financial regulations, including international sanctions.

Challenges of scaling Russian sanctions

President Joe Biden recently announced a major scaling-up of Russian sanctions, targeting two of Russia’s largest financial institutions — Sberbank and Alfa-Bank — along with an expanded list of individuals tied to the Kremlin. These joined the already voluminous list of sanctioned entities that were targeted directly or severely limited through exclusion from SWIFT, the global payment system for cross-border trade.

But the West’s capacity to maintain, let alone expand, its current sanctions program is already experiencing significant gaps and limitations. In early 2020 — at the onset of the Coronavirus pandemic — the U.S. Government Accountability Office released a report describing how several U.S. agencies responsible for enforcing sanctions were short-staffed and have been unable to fill enough full-time positions to operate effectively for years.

Without adequate human or technological support, regulators may be compromised in their efforts to counter the bad actors working to circumvent the sanctions. Many of them may be counting on the possibility that overwhelming mountains of data in the global financial system could slow down or block regulators’ actions. If enforcement teams adopt advanced AI technologies to boost sanctioning efforts, however, the same violators would soon realize the unfavorable odds in making such a wager.

Risk discovery, detection speed and accuracy

Risk detection lays the groundwork for all sanction enforcement actions. Moreover, detection speed and detection accuracy, via the elimination of “false positives,” play a critical role in determining the probability of success.

Here’s where the case for AI is most compelling. AI can help private financial institutions more than double the number of risks detected, reduce false positives by 60%, and increase the pace of risk detection by 40%. Through advanced machine learning technologies, AI systems are capable of analyzing large, complex, noisy and incomplete datasets (a.k.a., topological data analysis) to identify the latest and riskiest criminal behaviors. AI detects anomalies in payments and transaction patterns in a discreet manner that doesn’t depend on interrogations and won’t tip off the institutions, companies, or individuals seeking to sidestep sanctions.

AI can also help analysts develop behavioral models based on past sanction violations or similar financial crimes. Based on those models, it can analyze large volumes of data from a variety of sources to automatically pinpoint current violators. It can even identify emerging threats, to uncover the “DNA” of complex crime behaviors on its own.

Equally important is the capacity of an AI application to present its findings in an easy-to-understand format suitable for end users that are not data scientists or IT specialists. And all of this analysis can be executed in just a fraction of the time it would take most trained investigators — a crucial advantage in an endeavor in which time is of the essence, and there’s already an enormous drain on resources, time and capital.

AI could be a game-changing ally for regulatory and law enforcement agencies in their efforts to thwart sanctions violators. And, with political relations with Russia evolving by the day, if not the hour, the sooner support is brought in to help track new and existing sanctions against the country, the better.

Raj Srivatsan is Vice President, Civilian at SymphonyAI.

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

It’s become an unfunny joke. No matter what crucial intellectual property gets developed in the United States, it gets stolen by China or maybe Russia. A special team deep in the Defense Department has been working on one strategy to counteract this. It looks for investments in U.S. companies by suspicious foreigners. For his work collaborating with many other agencies, the team leader is a finalist in this year’s Service to America Medals program. The deputy director of the Office of Foreign Investment Review at DoD, David Rader joined the Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Mr. Rader, good to have you on.

David Rader: Hi, thanks so much for having me. Good to be here.

Tom Temin: So tell us about the Office of Foreign Investment Review and what you do on that team how the whole thing works.

David Rader: Yeah, you bet. Foreign Investment Review or FIR as we call it, large part is the CFIUS Office. That’s the Committee on Foreign Investment in the United States. That’s a very narrow kind of structure, regulatory process. But what we’ve discovered is a lot of things that pose threats to national security fall outside of CFIUS itself. And so I built a team of data scientists and economists, lawyers, former program managers and project officers, if you will, to really look at sticky national security issues in the financial and economic domain, that are kind of non-traditional, but pose a great risk to us.

Tom Temin: And you say financial and economic domain that are non traditional, maybe explain that a little bit more.

David Rader: Yeah, traditionally, the department or national security apparatus is writ large, never look at economics as a function of warfighting or a warfighting domain, or an area of exploitation is generally viewed as something kind of separate. And so taking that approach or using that lens to look at transactions and what that means for national security is a primary focus of ours.

Tom Temin: And do you focus on investments in technology companies or potential suppliers to the Defense Department? Or do you look at the economy in a larger sense?

David Rader: Yeah, it’s an unfair answer, but it’s everything. So we look at macroeconomic data to kind of see where the market’s moving directionally, then we’ll look at specific transactions to your point and emerging critical or disruptive technologies, all the way to core military systems that you’re used to protecting. But the world is shifting and civil and military fusion is occurring around the world, both organically and inorganically. And so semiconductors and thrusters and rockets, and lasers, you know, for cutting in factories, or materials are all playing a role in national security and our defense platforms.

Tom Temin: So you’re looking for transactions, then that would indicate someone that we don’t want investing in one of these companies investing in it?

David Rader: Exactly. And relationships. And you know, some of our adversaries are pretty clever, they use some obfuscated ownership or opaque structures to extract technology and try to replicate it or just take it overseas. So joint ventures, their relationships with academia, there’s a lot of ways to go about it. And so we kind of look at everything.

Tom Temin: Fascinating, and what are your sources of data, you say, transactions and who might be behind them, and so forth? How do you ingest the information you need? And where does it come from to do the analytics?

David Rader: Yeah. And so we’re really an aggregator in that sense. So we use our commercial sources, the typical subscription kind of products, news, open source, or OSINT, the intelligence community is a great ally, and partner, the interagency partners, so other governments, you know, will call and say, hey, we heard about this, or have you seen this. And then lastly, is commercial partners. We even have commercial partners, and we do a lot of industry engagement. And that’s one of the best sources for us to understand where the market is going, who’s creating what and with whom they’re interacting.

Tom Temin: And what happens when you find something suspicious, say someone via a shell company in Great Britain, who’s actually Russian invests in Hypersonics-R-Us, for example, that’s doing work with AFWERX?

David Rader: Yeah, so that’s where the secret sauce is made up of various methods, but we tried to pull them into the CFIUS framework, that’s probably the easiest and most well structured, we have some cool authorities and capabilities elsewhere within government that allow us to really, you know, have a meaningful conversation and address the threat.

Tom Temin: Do you find that sometimes the companies themselves don’t realize that they’ve been invested in by people with bad intent?

David Rader: You know, I’d argue that’s probably 50% of the time, I think, you know, companies are really focused on developing their product making money, they might not understand that to your point that Canadian or British shell is actually something else. And then a lot of them don’t understand how they fit into something like made in China 2025. China does a very good job of telegraphing, or, you know, explaining to its people what it’s going after. And so they might say biotech or hypersonics. And so companies, you understand that, you know, we might make a widget and biotech that we don’t think matters for national security. But if China or Russia is looking for it, you’re in our orbit, you’re part of the game now.

Tom Temin: So basically, you’re looking for people that would take our property from the front door and not the back door.

David Rader: Yeah, I mean, we do look at the whole value chain, if you will, but I think that’s a good way to frame it. I mean, it seems like we’re doing all the work. We’re spending the money. We’re doing the research, development, test evaluation, you know, commercializing the product, and then the bad guy show up the last day, take it and get to steal all of our hard work and we’re getting pretty tired of it, I think.

Tom Temin:
Right. What I’m driving at is that they could become a board member or an investor and just simply have access to the information that way, as opposed to hacking in.

David Rader: Oh, absolutely. Yep, board membership, investor relations, accessing data rooms through what seems like normal business transactions or a joint venture. So yeah, they’ll come through the front door 100%.

Tom Temin: We’re speaking with David Rader. He’s deputy director of the Office of Foreign Investment Review at the Defense Department, and a finalist in this year’s Service to America Medals Program. And the category in which you’re a finalist is emerging leaders, which is to say, younger people coming into government, you’re in your mid-30s. What in your background got you to this point, and what attracted you to federal service?

David Rader: I used to be in the Army in a previous life as an infantry man, and you know, had a great experience, all my best friends remained in the business. And so when I stepped away, I went to investment banking at JP Morgan. And I was a M&A consultant at Ernst and Young. And so I enjoyed learning the commercial skills necessary. But I really missed that mission to service. When the opportunity presented itself, I was quick to jump on it because we’re at a critical time right now, where we need to better understand the commercial side and have better relationships and training. But also the Defense Department and national security in general in the U.S. government need really good dedicated public servants who are trying to bring in that next generation, and I was happy to be part of the team.

Tom Temin: Did you get to the Army via enlistment? Or were you a ROTC? Or what was that path?

David Rader: Enlisted right out of high school.

Tom Temin: I’ll be darned. So you’ve had JP Morgan and Ernst and Young level salaries in your short career, and now you’ve got a decent, but it’s a pentagon salary. What effect is that had?

David Rader: There’s some personal adjustments that had to be made.

Tom Temin: But you’re committed to it, it sounds like?

David Rader: Yeah, absolutely. It’s the best place I’ve ever worked. Seen such a diverse group of people from all over the country, you know, kind of all over the world come here to solve really meaningful problems to watch over, you know, America, or investors or innovators, our people. It’s a cliche, but it’s one it’s like, it gets you out of bed in the morning. I really enjoy it. And I have the best boss in the world and great colleagues. So that even makes it easier.

Tom Temin: Yes. And are there any examples of things you’ve uncovered that you might be able to tell us about?

David Rader: Well, sadly, we weren’t quite on the quiet side of the business. There’s quite a few. But I mean, everything that you can imagine where maybe sometimes deals don’t go through or some of the things you’ll read in the headlines. Some, one of us is around there poking around.

Tom Temin: Got it. By the way, you mentioned some of the other DoD and intelligence community elements that you collaborate with. What about the Securities and Exchange Commission, for example, or some of the civil side of government? Is that also part of the CFIUS apparatus?

David Rader: Yeah, absolutely. We’ve expanded the scope, because we’ve realized, you know, if you’re looking at economics, it’s ridiculous to not involve the Securities Exchange Commission. I mean, they’re their regulators for the markets, if you will, the Federal Aviation Administration, the FCC, communication, I mean, kind of the whole panacea of government. We’ve had just excellent partners every time we pick up the phone and say, we have an issue, you know, we think it kind of fits into your authority bucket. But you know, we’d like to collaborate and find a solution for our country. They’ve always said, yeah, come on over. Or, you know, we’ll be there on Monday, and it’s gone really well.

Tom Temin: David Rader is deputy director of the Office of Foreign Investment Review at the Defense Department, and a finalist in this year’s Service to America Medals Program. Thanks so much for joining me.

David Rader: Hey, thanks for having me. Great to see you, Tom.

The Baltimore Ravens football team may be better known for its winning ways on the field and its rabid fans in the stands.

But the Social Security Administration turned to the NFL team because of its prowess in using data to drive customer experience decisions. It also didn’t hurt that SSA headquarters is located in Baltimore County, Maryland, and many of the staff are big fans of the team.

Patrick Newbold, the assistant deputy commissioner and deputy chief information officer at SSA, said the Ravens are known for providing a great customer experience for their fans so it just made sense that the agency would reach out.

“One of the questions we asked the Baltimore Ravens was how business intelligence analytics changed their service delivery model?” Newbold said on Ask the CIO. “The Ravens shared an excellent use case with us on how data was able to challenge one of their assumptions on fan demographics. Early on, when they started to aggregate that data, that data disproved assumptions they had about their season ticket holders. Their fans were a lot younger than the marketing assumed. So that led them to change the music they played, the food and drinks they served and how they engaged those fans. The data provided the Ravens with some insights to fan demographics that they weren’t necessarily tracking and allow them to market to a growing demographic fan base be exposed.”

The Ravens brought their chief data officer or equivalent position to the table to meet with executives from SSA’s CIO, CDO and mission offices.

Like the way Ravens use data to drive decisions about how they serve their fans, SSA is looking to apply the same concepts to how they deliver their services.

“We want to use data to monitor and improve the way we do business and services, and deliver our services to our citizens,” Newbold said. “We also shared several challenges. One was the importance of data collection. The Baltimore Ravens leverage NFL-wide data as well as their Baltimore Ravens-specific data. They use that data to inform decisions. We, at SSA, want to create a primary source of SSA-wide data that is beyond assumptions and that supports that ad hoc, cross-cutting capability to do some data analytics. While we are completely different organizations, we have the same goals and mission desire when it comes to how we can use data to really inform the way we want to move forward.”

SSA’s scores better than average

The Ravens, Newbold said, have a mature data and business intelligence practice so gleaming lessons learned can only help SSA, which scored a 64 on the 2021 American Customer Service Index ratings. The federal government’s overall score was 63.4, while the Interior Department received the highest score under the ACSI with a 77.

SSA’s data for 2020 based on its surveys found 93% of the almost 1,700 respondents rated their field office experience as “satisfactory,” but only 47% called it “excellent.”

Newbold said among the biggest lessons learned from the conversation with the Ravens were about the importance of data governance, because the business intelligence platforms and tools are only as good as the data being put into those capabilities.

“Key points that we learned from Baltimore Ravens and throughout the discussions is really having that strong governance, but also they highlighted how they use data as a tool, not as the final answer,” he said. “That resonates with us because as we invest more beyond technologies as an agency, we also must recognize that other factors inform decisions, so data is critical and important, but not the only factor.”

The Ravens are just one of several public and private sector organizations SSA is meeting with to learn more about how they serve their customers.

Newbold said SSA also has met with JP MorganChase, the Federal Retirement Thrift Investment Board, Fannie Mae and the Target Corp.

“We also met with a couple of thought leaders since June, the former General Motors CIO Ralph Szygenda and the former IRS Commissioner Charles Rossotti,” he said. “We take these conversations and we’ve highlighted about three important lessons learned from these conversations, and we are baking those into our strategy. They are around governance, data and culture.”

New strategy coming

Newbold said SSA is updating its digital transformation strategy to include the customer experience lessons learned from all of these conversations.

SSA is partnering with the U.S. Digital Service on their modernization strategy and effort.

Newbold said his office and the mission areas are working with USDS to further expand their understanding of their customers and their journey to use SSA services.

“A key objective and expansion of our digital service offerings is a redesign of our website to enhance the user experience. To improve the customer service, we plan to deepen our understanding of our customers, including what drives their evolving service. We will learn about our customers’ journeys from various service channels and touch points, and one of those is a voice of the customer feedback. We want to capture real-time customer feedback, not only to use that feedback to assess what we have in place that is working, but to identify customer pain points to help us design those future digital services.”

To better understand those customer journeys, SSA and USDS held about 65 different sessions with multiple groups of people. This led to SSA using human-centered design techniques for the new beta version of their website that launched in April.

“For many of our services, and especially on mobile devices, we really want to ensure that we offer more digital capabilities that can be leveraged on mobile devices and from any location in it. We released an application that allows customers to express a protective intent to file for Social Security supplemental security income benefits online,” he said. “We have also prioritized within our plan the design and the mobile accessible online process that will upload forms and other documentation.”

Newbold added SSA has received positive feedback so far from the upgrades and plans to expand its interactions and testing with customers.

Reducing the burden on customers

Going forward, Newbold said SSA plans to continue to meet with the Ravens and other private sector organizations on a regular basis.

He said all the different public and private sector organizations help the agency learn more about how they can drive better customer experience. SSA also has begun to implement a customer relationship management (CRM) platform to further its efforts.

“By reducing the burden on the public, we want to eliminate requirements to conduct business in person, present hard copies of original documents, remove requirements for signatures on a document or provide electronic signing options. These objectives will require SSA to reimagine business processes, program policies and enabling technologies,” Newbold said. “We also want to modernize our enterprise IT systems. For example, our system that administers benefits have been cited by GAO as one of the 10 IT systems across the executive branch in most need of modernization. We have begun to modernize the claims intake and adjudication software. But we want [to] continue to finish that work and retire the legacy systems and modernize our benefits system remains a focus to us.”

To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

• Federal building alarm systems and security cameras are falling short of expectations. But just how short? Well that’s unclear from a heavily redacted report released by the General Services Administration inspector general this week. Auditors reviewed the security systems and cameras at 14 federal buildings and seemed to find they were in various states of disrepair. One of the IG’s recommendations is for GSA to implement a plan to repair, replace and even install security cameras and alarm systems as part of a nationwide assessment. The IG also says GSA and the Federal Protective Service should revise their memorandum of understanding to clearly identify who’s responsible for maintaining these systems.

• The Government Accountability Office found $206 billion of waste in government spending on personal property like office chairs and cars between 2016 to 2020. GAO found agencies use only 8% of the over 2.6 million excess items. Recommendations include promoting the maximum use out of excess property and advising agencies to review their internal guidance on considering excess property. Tuesday’s report comes two weeks after Comptroller General Gene Dodaro addressed the Senate with ways to limit government overlap earlier this month.

• USPTO is investing in a foundational piece of its zero trust architecture. With what may be the first of its kind in the federal sector, the U.S. Patent and Trademark Office is going all in on SASE or secure access service edge. Jamie Holcombe is the CIO at USPTO and he explains why this is the first foundational piece of the zero trust architecture that they can act upon. “I like SASE as that architectural philosophy so to ensure that we can identify users and devices, and apply the policy-based security controls delivering that secure access to the applications and ensuring that our data is secure.” (Federal News Network)

• Agencies need to prepare for a big change to a widely used email and collaboration service. Microsoft will start disabling Basic Authentication for Exchange Online starting on Oct. 1, and the Cybersecurity and Infrastructure Security Agency is making sure agencies are ready. In new guidance, CISA laid out steps agencies should take to determine to what extent they still rely on basic authentication, if they haven’t already. Microsoft announced the Oct. 1 deadline last year. The company says Basic Authentication is one of the most common ways its customers are compromised, and its shifting to methods that support multifactor authentication.

• The Social Security Administration is looking to replace its current system for managing public records requests. SSA is among the agencies phasing out the FOIA online case management solution. In a request for information, SSA says the new system should allow its FOIA analysts to communicate directly with public requesters. It also should be compatible with an electronic payment system, like Pay.gov. SSA is looking for responses by July 6.

• The Biden administration wants to hear your ideas about sustainability. At the first Federal Sustainability Solutions forum, Federal Chief Sustainability Officer Andrew Mayock asked all federal workers and contractors to share their journeys and experiences with sustainability during their careers in the public, private or nonprofit sectors. Mayock said the government needs to learn from, and copy, the successes achieved in the private sector, whose efforts surpassed those of the government during the last few years, to combat climate change while customizing the ideas to scale across the government.

• The Department of Veterans Affairs adopted Login.gov to improve online customer experience to veterans. With Login.gov veterans can now use the same username and password to access VA.gov, My Health-E-Vet and VA’s Health and Benefits mobile. The service also allows veterans to use the same credentials to access services across multiple federal agencies, including the  the Office of Personnel Management and the Small Business Administration. VA’s adoption of Login.gov meets a key goal of the Biden’s administration’s executive order on improving customer experience.

• The agency in charge of the Thrift Savings Plan is trying to keep up with high call volumes to customer service. Another 100 staff members are likely heading to TSP’s customer service center. The TSP board has so far added 320 representatives, now up to a total of 800 employees. That’s a 66% increase to the agency’s call center — and a record high for the board. The staff increase is an effort to alleviate unprecedented delays and hold times after a major TSP update on June 1. (Federal News Network)

• Agencies get an extension for hiring temporary employees in response to the COVID-19 pandemic. The Office of Personnel Management says agencies can continue to use a special hiring authority to add short-term staff, through March 1, 2023. OPM says agencies have an ongoing need to hire short-term workers, to meet both their missions and responsibilities related to the pandemic. Agencies may continue to fill positions on a temporary basis for up to one year. They can also extend the appointments for an additional year if needed.

• Sean O’Donnell has been serving as the Pentagon’s acting inspector general for more than two years. But the Government Accountability Office says he hasn’t had the authority to serve in the position since last November, and his initial appointment also violated federal law. GAO’s findings are based on its own, new, interpretation of the Federal Vacancies Reform Act, a law designed to limit how long acting officials can serve in Senate-confirmed positions. DoD’s OIG says it’s still reviewing the opinion. DoD hasn’t had a Senate-confirmed inspector general since 2016. (Federal News Network)

• The Defense Department and Air Force are teaming up with Historically Black Colleges and Universities to create a new research center. The military’s 15th academic research center will focus on tactical autonomy, helping the Defense Department develop technologies that involve independent computer systems. The Air Force is committing $12 million a year for five years to the center. DoD will add another $2 million a year. The organization will be a consortium of Historically Black Colleges and Universities, furthering DoD’s push for diversity and inclusion. The Pentagon hopes to use the center to help the schools build out their research capacities and recruit a more diverse workforce. (Federal News Network)

• The Joint Staff approves the military’s first-ever accredited space exercise. The Space Force’s SPACE FLAG exercise joins other approved exercises like the Air Force’s RED FLAG and the Navy’s Fleet Synthetic Training as programs providing capability to provide realistic environments in a joint context. In total there are 37 accredited joint training programs.

• The Supreme Court denies a petition from the National Postal Policy Council to review a federal appeals court’s ruling from last year. U.S. Court of Appeals for the D.C. Circuit found last November that the Postal Regulatory Commission (PRC) struck a careful balance when it allowed USPS to set mail rates higher than the pace of inflation. The commission, however, is reexamining its decision to grant greater pricing flexibility to USPS under a provision of the fiscal 2022 omnibus spending bill. (Federal News Network)